
Downgrading dnspython back to 1.16.0 to fix Eventlet



Hi Scott, Robert,

As you may know, Eventlet is at the heart of OpenStack. Unfortunately,
version 0.26.1 currently in Sid/Testing fails when connecting over SSL,
with a traceback that looks like this:

  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 392, in connect
    self.ssl_context = create_urllib3_context(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 303, in create_urllib3_context
    context.options |= options
  File "/usr/lib/python3.9/ssl.py", line 602, in options
    super(SSLContext, SSLContext).options.__set__(self, value)
  File "/usr/lib/python3.9/ssl.py", line 602, in options
    super(SSLContext, SSLContext).options.__set__(self, value)
  File "/usr/lib/python3.9/ssl.py", line 602, in options
    super(SSLContext, SSLContext).options.__set__(self, value)
  [Previous line repeated 458 more times]
RecursionError: maximum recursion depth exceeded (txn: txad38d097c88545ecbd274-0060127626)

In OpenStack, this happens whenever a service attempts to validate a
Keystone token, meaning whenever any component connects to the OpenStack
API (in most deployments: this is done over SSL). In other words: all of
OpenStack is currently completely broken because of this.

Both Eventlet and DNSPython are monkey patching the standard SSL library
in potentially conflicting ways (for those who don't know: this means
they override the standard Python SSL objects/functions to re-write /
overload them).

This incompatibility is well known upstream. Some of it has been addressed in
Eventlet, but not all. Currently, Eventlet has:

'dnspython >= 1.15.0, < 2.0.0'

as a dependency in upstream setup.py.

So I am currently wondering if we could revert DNSPython in Sid/Testing
to 1.16.0 until this is fixed upstream. That is, unless someone here on
this list knows how to fix Eventlet, but this looks non-trivial...

Note that Ubuntu has version 2.0.0+really1.16.0-2ubuntu2, as they
understood the above.

Scott, Robert, your thoughts? Do you think it's ok to downgrade
dnspython? Or will it break some other reverse-dependencies? Is there
another way to fix the current situation?

Cheers,

Thomas Goirand (zigo)

P.S: The current reverse-dependency tree is:

Reverse-Recommends
==================
* 2ping
* calibre
* dnstwist

Reverse-Depends
===============
* ansible
* b4
* dehydrated-hook-ddns-tsig
* designate-tempest-plugin
* dhcpy6d
* dkimpy-milter
* dnsdiag
* dnsrecon
* dnsviz
* fierce
* knockpy
* linkchecker [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x]
* mailman3
* patator
* python3-aioxmpp
* python3-authheaders
* python3-certbot-dns-rfc2136
* python3-designate
* python3-dkim
* python3-dnsq
* python3-electrum
* python3-email-validator
* python3-etcd
* python3-eventlet
* python3-exchangelib
* python3-formencode
* python3-kdcproxy
* python3-ldapdomaindump
* python3-sleekxmpp
* python3-spf
* recon-ng
* samba [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x]
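
Added example, not part of the original message and not Eventlet, dnspython or CPython code: a constructed model of why a setter written like the one at ssl.py line 602 in the traceback recurses once the module-level class name it refers to is rebound to a subclass, which is what monkey patching does. The classes `_Native`, `Context` and `GreenContext` and the helpers `try_set` and `is_rebound` are hypothetical stand-ins, and that this is the exact path taken by the Eventlet/dnspython combination is an assumption.

```python
import ssl

class _Native:
    """Stand-in for the C-level context type that really stores the value."""
    def __init__(self):
        self._options = 0
    @property
    def options(self):
        return self._options
    @options.setter
    def options(self, value):
        self._options = value

class Context(_Native):
    """Stand-in for ssl.SSLContext; the setter copies the ssl.py line 602 pattern."""
    @property
    def options(self):
        return super().options
    @options.setter
    def options(self, value):
        # "Context" is resolved in module globals on every call, not at definition.
        super(Context, Context).options.__set__(self, value)

Original = Context  # keep a handle on the real class before any rebinding

class GreenContext(Original):
    """Stand-in for the subclass a monkey-patching library swaps in."""

def try_set(rebind):
    """Return the stored options, or None if the setter hit RecursionError."""
    global Context
    Context = GreenContext if rebind else Original  # simulate the monkey patch
    try:
        ctx = GreenContext()
        ctx.options |= 0x4
        return ctx.options
    except RecursionError:
        return None
    finally:
        Context = Original

def is_rebound(module, name):
    """Diagnostic: True if module.<name> is a class defined in another module."""
    return getattr(module, name).__module__ != module.__name__

if __name__ == "__main__":
    print("name intact :", try_set(rebind=False))
    print("name rebound:", try_set(rebind=True))
    print("ssl.SSLContext replaced:", is_rebound(ssl, "SSLContext"))
```

With the name rebound, `super(Context, Context)` starts its lookup after the subclass and lands on the same setter again, so every call re-enters itself until the interpreter's recursion limit is reached.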

