Hi Scott, Robert,
As you may know, Eventlet is at the hart of OpenStack. Unfortunately,
version 0.26.1 currently in Sid/Testing fails when connecting over SSL,
with a traceback that looks like this:
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 392,
in connect
self.ssl_context = create_urllib3_context(
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 303,
in create_urllib3_context
context.options |= options
File "/usr/lib/python3.9/ssl.py", line 602, in options
super(SSLContext, SSLContext).options.__set__(self, value)
File "/usr/lib/python3.9/ssl.py", line 602, in options
super(SSLContext, SSLContext).options.__set__(self, value)
File "/usr/lib/python3.9/ssl.py", line 602, in options
super(SSLContext, SSLContext).options.__set__(self, value)
[Previous line repeated 458 more times]
RecursionError: maximum recursion depth exceeded (txn:
txad38d097c88545ecbd274-0060127626)
In OpenStack, this happens whenever a service attempts to validate a
Keystone token, meaning whenever any component connects to the OpenStack
API (in most deployments: this is done over SSL). In other words: all of
OpenStack is currently completely broken because of this.
Both Eventlet and DNSPython are monkey patching the standard SSL library
in potentially conflicting ways (for those who don't know: this means
they override the standard Python SSL objects/functions to re-write /
overload them).
This incompatibility is well known upstream. Some has been addressed in
Eventlet, but not all. Currently, Eventlet has:
'dnspython >= 1.15.0, < 2.0.0'
as dependency in upstream setup.py.
So I am currently wondering if we could revert DNSPython in Sid/Testing
to 1.16.0 until this is fixed upstream. That is, unless someone here in
this list knows how to fix Eventlet, but this looks like non-trivial...
Note that Ubuntu has version 2.0.0+really1.16.0-2ubuntu2, as they
understood the above.
Scott, Robert, your thoughts? Do you think it's ok to downgrade
dnspython? Or will it break some other reverse-dependencies? Is there
another way to fix the current situation?
Cheers,
Thomas Goirand (zigo)
P.S: The current reverse-dependency tree is:
Reverse-Recommends
==================
* 2ping
* calibre
* dnstwist
Reverse-Depends
===============
* ansible
* b4
* dehydrated-hook-ddns-tsig
* designate-tempest-plugin
* dhcpy6d
* dkimpy-milter
* dnsdiag
* dnsrecon
* dnsviz
* fierce
* knockpy
* linkchecker [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x]
* mailman3
* patator
* python3-aioxmpp
* python3-authheaders
* python3-certbot-dns-rfc2136
* python3-designate
* python3-dkim
* python3-dnsq
* python3-electrum
* python3-email-validator
* python3-etcd
* python3-eventlet
* python3-exchangelib
* python3-formencode
* python3-kdcproxy
* python3-ldapdomaindump
* python3-sleekxmpp
* python3-spf
* recon-ng
* samba [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x]
