retrofit-image action fails on jammy due to cryptography "undefined symbol: FIPS_mode"

Bug #1981334 reported by Corey Bryant
This bug affects 1 person
Affects: charm-octavia-diskimage-retrofit
Status: Fix Committed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

zaza.model.ActionFailed: Run of action "retrofit-image" with parameters "{'force': False, 'source-image': ''}" on "octavia-diskimage-retrofit/0" failed with "/var/lib/juju/agents/unit-octavia-diskimage-retrofit-0/.venv/lib/python3.10/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: undefined symbol: FIPS_mode"

This issue can be recreated by deploying the jammy-yoga bundle from charmed-openstack-tester.

ubuntu@juju-3786d8-zaza-d2d97a26f602-14:/var/lib/juju/agents/unit-octavia-diskimage-retrofit-0/charm/wheelhouse$ /var/lib/juju/agents/unit-octavia-diskimage-retrofit-0/.venv/bin/pip3 freeze|grep cryptography
cryptography==3.3.2

ubuntu@juju-3786d8-zaza-d2d97a26f602-14:/var/lib/juju/agents/unit-octavia-diskimage-retrofit-0/.venv/lib/python3.10/site-packages/cryptography$ grep -r FIPS_mode
hazmat/backends/openssl/backend.py: fips_mode = getattr(self._lib, "FIPS_mode", lambda: 0)
grep: hazmat/backends/openssl/__pycache__/backend.cpython-310.pyc: binary file matches
grep: hazmat/bindings/openssl/__pycache__/_conditional.cpython-310.pyc: binary file matches
hazmat/bindings/openssl/_conditional.py: "FIPS_mode_set",
hazmat/bindings/openssl/_conditional.py: "FIPS_mode",
grep: hazmat/bindings/_openssl.abi3.so: binary file matches

130 corey@corey-ThinkPad-T450:/tmp/cryptography$ git branch
* (HEAD detached at 3.3.2)
  main
corey@corey-ThinkPad-T450:/tmp/cryptography$ grep -r FIPS_mode
src/_cffi_src/openssl/fips.py:int FIPS_mode_set(int);
src/_cffi_src/openssl/fips.py:int FIPS_mode(void);
src/_cffi_src/openssl/fips.py:int (*FIPS_mode_set)(int) = NULL;
src/_cffi_src/openssl/fips.py:int (*FIPS_mode)(void) = NULL;
src/cryptography/hazmat/backends/openssl/backend.py: fips_mode = getattr(self._lib, "FIPS_mode", lambda: 0)
src/cryptography/hazmat/bindings/openssl/_conditional.py: "FIPS_mode_set",
src/cryptography/hazmat/bindings/openssl/_conditional.py: "FIPS_mode",
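
Added example, not part of the original report or of the charm's code: a triage helper that extracts the unresolved symbol from the loader error quoted above and checks whether the host's libcrypto exports it. The function names and status labels are assumptions made for this example.

```python
import ctypes
import ctypes.util
import re

# Failure text quoted from the bug description above.
SAMPLE = ('failed with "/var/lib/juju/agents/unit-octavia-diskimage-retrofit-0/'
          '.venv/lib/python3.10/site-packages/cryptography/hazmat/bindings/'
          '_openssl.abi3.so: undefined symbol: FIPS_mode"')

_LOADER_ERR = re.compile(
    r"""(?P<module>[^\s"']+\.so[\w.]*): undefined symbol: (?P<symbol>\w+)""")

def parse_undefined_symbol(text):
    """Return (extension_module, symbol) from a dlopen error, or None."""
    m = _LOADER_ERR.search(text)
    return (m.group("module"), m.group("symbol")) if m else None

def libcrypto_exports(symbol, path=None):
    """True/False if the host libcrypto exports `symbol`; None if it cannot be loaded."""
    path = path or ctypes.util.find_library("crypto")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    # ctypes resolves names lazily; a missing symbol raises AttributeError.
    return hasattr(lib, symbol)

def diagnose(text, probe=libcrypto_exports):
    """Classify a failure message; `probe` is injectable so this can be tested offline."""
    parsed = parse_undefined_symbol(text)
    if parsed is None:
        return {"status": "no-loader-error"}
    module, symbol = parsed
    present = probe(symbol)
    if present is None:
        status = "libcrypto-not-found"
    elif present:
        status = "symbol-present"  # host has it; check which libcrypto the module loads
    else:
        # e.g. FIPS_mode() no longer exists in OpenSSL 3.0, so a binding
        # compiled against 1.1.x headers cannot resolve it there.
        status = "abi-mismatch"
    return {"status": status, "module": module, "symbol": symbol}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

An "abi-mismatch" result means the extension module was compiled against a different OpenSSL than the one installed on the unit, which is the condition the per-series build in the fix addresses.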

Corey Bryant (corey.bryant) wrote :

Very similar error seen at https://bugs.gentoo.org/814773 that says "Bump to 37.x sorted this".

Changed in charm-octavia-diskimage-retrofit:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-octavia-diskimage-retrofit (master)

Reviewed: https://review.opendev.org/c/openstack/charm-octavia-diskimage-retrofit/+/852747
Committed: https://opendev.org/openstack/charm-octavia-diskimage-retrofit/commit/2fb0cf125028b3e164741afcdbff466038de134a
Submitter: "Zuul (22348)"
Branch: master

commit 2fb0cf125028b3e164741afcdbff466038de134a
Author: Frode Nordahl <email address hidden>
Date: Wed Aug 10 16:44:55 2022 +0200

    Build separately for each supported series and use binary builds

    Charms for OpenStack Yoga support both Ubuntu Focal and Jammy
    which means Python 3.8 and Python 3.10. Managing dependencies
    across those two versions is non-trivial and we need to build
    the charm on the series the charm is supposed to support.

    Switch to using a binary build which allows pip's dependency
    resolution to work.

    Update charm to consume the 1.0/stable track for the snap.

    Bundles:
    - Drop the renaming of the charm artifact and reference the
      series specific charm artifact in the bundles instead.
    - Fix gss mirror list, jammy retrofit-series and use 8.0/stable
      for MySQL.

    Closes-Bug: #1981334
    Closes-Bug: #1970653
    Closes-Bug: #1975491
    Change-Id: I8c924038ee1c5ff258c41a44ad14ebc86a107b1b

Changed in charm-octavia-diskimage-retrofit:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-octavia-diskimage-retrofit (stable/yoga)
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-octavia-diskimage-retrofit (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/charm-octavia-diskimage-retrofit/+/860979
Committed: https://opendev.org/openstack/charm-octavia-diskimage-retrofit/commit/5fd698d29757df7603691078fff80cb38edb9cb6
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 5fd698d29757df7603691078fff80cb38edb9cb6
Author: Frode Nordahl <email address hidden>
Date: Wed Aug 10 16:44:55 2022 +0200

    Build separately for each supported series and use binary builds

    Charms for OpenStack Yoga support both Ubuntu Focal and Jammy
    which means Python 3.8 and Python 3.10. Managing dependencies
    across those two versions is non-trivial and we need to build
    the charm on the series the charm is supposed to support.

    Switch to using a binary build which allows pip's dependency
    resolution to work.

    Update charm to consume the 1.0/stable track for the snap.

    Bundles:
    - Drop the renaming of the charm artifact and reference the
      series specific charm artifact in the bundles instead.
    - Fix gss mirror list, jammy retrofit-series and use 8.0/stable
      for MySQL.

    Closes-Bug: #1981334
    Closes-Bug: #1970653
    Closes-Bug: #1975491
    Change-Id: I8c924038ee1c5ff258c41a44ad14ebc86a107b1b
    (cherry picked from commit 2fb0cf125028b3e164741afcdbff466038de134a)

tags: added: in-stable-yoga