rbd-target-api will not start AttributeError: 'Context' object has no attribute 'wrap_socket'

Bug #1965280 reported by Liam Young
Affects              Status        Importance  Assigned to  Milestone
ceph-iscsi (Ubuntu)  Fix Released  High        Unassigned
Impish               Won't Fix     High        Unassigned
Jammy                Fix Released  High        Unassigned

Bug Description

[Impact]
It's not possible to configure the RBD target API with TLS with newer versions of werkzeug as found in Ubuntu Impish and later.

[Test Case]
Deploy and configure the RBD target API service with TLS encryption.
(The ceph-iscsi charm can be used to do this.)
The service will fail to start with the error reported in the original bug report.

[What might go wrong]
The change proposed ensures that versions of Werkzeug >= 1.0.0 are also correctly configured to use the TLSv1.2 support. It's fairly simple in approach so regression potential is fairly low.

[Original Bug Report]
The rbd-target-api fails to start on Ubuntu Impish (21.10) and later. This appears to be caused by a werkzeug package revision check in rbd-target-api. The check is used to decide whether to add an OpenSSL.SSL.Context or an ssl.SSLContext. The code comment suggests that ssl.SSLContext is used for werkzeug 0.9 so that TLSv1.2 can be used. It is also worth noting that support for OpenSSL.SSL.Context was dropped in werkzeug 0.10. The intention of the check appears to be to add OpenSSL.SSL.Context if the version of werkzeug is below 0.9, otherwise use ssl.SSLContext. When rbd-target-api checks the werkzeug revision it only looks at the minor revision number, and Ubuntu Impish contains werkzeug 1.0.1, which obviously has a minor revision number of 0. This causes rbd-target-api to use an OpenSSL.SSL.Context, which is not supported by werkzeug, which causes:

# /usr/bin/rbd-target-api
 * Serving Flask app 'rbd-target-api' (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
Traceback (most recent call last):
  File "/usr/bin/rbd-target-api", line 3022, in <module>
    main()
  File "/usr/bin/rbd-target-api", line 2952, in main
    app.run(host=settings.config.api_host,
  File "/usr/lib/python3/dist-packages/flask/app.py", line 922, in run
    run_simple(t.cast(str, host), port, self, **options)
  File "/usr/lib/python3/dist-packages/werkzeug/serving.py", line 1010, in run_simple
    inner()
  File "/usr/lib/python3/dist-packages/werkzeug/serving.py", line 950, in inner
    srv = make_server(
  File "/usr/lib/python3/dist-packages/werkzeug/serving.py", line 782, in make_server
    return ThreadedWSGIServer(
  File "/usr/lib/python3/dist-packages/werkzeug/serving.py", line 708, in __init__
    self.socket = ssl_context.wrap_socket(self.socket, server_side=True)
AttributeError: 'Context' object has no attribute 'wrap_socket'

Reported upstream here: https://github.com/ceph/ceph-iscsi/issues/255

Tags: patch
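
The version check described in the bug description, shown beside a (major, minor) tuple comparison, as an added example (not code from ceph-iscsi and not the patch attached to this bug). The function names, the sample version strings and the use of `minimum_version` to require TLSv1.2 are assumptions made for illustration.

```python
import re
import ssl

def parse_version(version):
    """Return (major, minor) as ints from a string such as '1.0.1'."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version)
    if m is None:
        raise ValueError("unparseable version: %r" % version)
    return int(m.group(1)), int(m.group(2) or 0)

def minor_only_is_legacy(version):
    """Check as the report describes it: only the minor number is examined."""
    return int(version.split(".")[1]) < 9

def tuple_is_legacy(version):
    """Compare (major, minor) together, so 1.0.1 sorts after 0.9."""
    return parse_version(version) < (0, 9)

def backend_for(version, is_legacy):
    """Name the context type each check would hand to werkzeug."""
    return "OpenSSL.SSL.Context" if is_legacy(version) else "ssl.SSLContext"

def make_tls_context(version):
    """Build the stdlib context for werkzeug >= 0.9 with a TLSv1.2 floor.
    Certificate loading (load_cert_chain) is left to the caller; setting
    minimum_version is this example's assumption, not the project's code."""
    if tuple_is_legacy(version):
        raise RuntimeError("werkzeug %s is older than 0.9" % version)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    # Constructed sample versions; 1.0.1 is the Impish version from the report.
    for v in ("0.8.3", "0.9.6", "0.16.1", "1.0.1", "2.0.2"):
        print(v, backend_for(v, minor_only_is_legacy), backend_for(v, tuple_is_legacy))
    ctx = make_tls_context("1.0.1")
    # werkzeug's serving.py calls ssl_context.wrap_socket(), per the traceback.
    print("has wrap_socket:", hasattr(ctx, "wrap_socket"))
```
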
Liam Young (gnuoy) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "ceph-iscsi-deb.diff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
James Page (james-page)
Changed in ceph-iscsi (Ubuntu Impish):
status: New → Triaged
Changed in ceph-iscsi (Ubuntu Jammy):
status: New → Triaged
Changed in ceph-iscsi (Ubuntu Impish):
importance: Undecided → High
Changed in ceph-iscsi (Ubuntu Jammy):
importance: Undecided → High
James Page (james-page)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ceph-iscsi - 3.5-2ubuntu1

---------------
ceph-iscsi (3.5-2ubuntu1) jammy; urgency=medium

  * d/p/fix-werkzeug-version-check.patch: Improve werkzeug version
    checking to resolve TLS configuration issues (LP: #1965280).

 -- Liam Young <email address hidden> Thu, 17 Mar 2022 10:39:37 +0000

Changed in ceph-iscsi (Ubuntu Jammy):
status: Triaged → Fix Released
Brian Murray (brian-murray) wrote :

Ubuntu 21.10 (Impish Indri) has reached end of life, so this bug will not be fixed for that specific release.

Changed in ceph-iscsi (Ubuntu Impish):
status: Triaged → Won't Fix