ceph: Fix tests by adding back old required python libs. See #281858.

Fixes #241482.

Also fix the test leaving the cluster in the unhealthy `POOL_APP_NOT_ENABLED` state;
this seems to be the default state with Ceph 18.2.1 at least,
and it does not hurt to fix it now in the way the Ceph docs describe.

Also revert "nixosTests.ceph-single-node: remove dashboard check"

This reverts commit 41b27d7f4b3d9609c5b80ca67925c5827322f00d.

+142 -16
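--- a/nixos/tests/ceph-multi-node.nix
+++ b/nixos/tests/ceph-multi-node.nix
@@ -185,6 +185,14 @@
  monA.succeed(
  "ceph osd pool create multi-node-test 32 32",
  "ceph osd pool ls | grep 'multi-node-test'",
+
+ # We need to enable an application on the pool, otherwise it will
+ # stay unhealthy in state POOL_APP_NOT_ENABLED.
+ # Creating a CephFS would do this automatically, but we haven't done that here.
+ # See: https://docs.ceph.com/en/reef/rados/operations/pools/#associating-a-pool-with-an-application
+ # We use the custom application name "nixos-test" for this.
+ "ceph osd pool application enable multi-node-test nixos-test",
+
  "ceph osd pool rename multi-node-test multi-node-other-test",
  "ceph osd pool ls | grep 'multi-node-other-test'",
  )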
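--- a/nixos/tests/ceph-single-node-bluestore.nix
+++ b/nixos/tests/ceph-single-node-bluestore.nix
@@ -145,6 +145,14 @@
  monA.succeed(
  "ceph osd pool create single-node-test 32 32",
  "ceph osd pool ls | grep 'single-node-test'",
+
+ # We need to enable an application on the pool, otherwise it will
+ # stay unhealthy in state POOL_APP_NOT_ENABLED.
+ # Creating a CephFS would do this automatically, but we haven't done that here.
+ # See: https://docs.ceph.com/en/reef/rados/operations/pools/#associating-a-pool-with-an-application
+ # We use the custom application name "nixos-test" for this.
+ "ceph osd pool application enable single-node-test nixos-test",
+
  "ceph osd pool rename single-node-test single-node-other-test",
  "ceph osd pool ls | grep 'single-node-other-test'",
  )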
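--- a/nixos/tests/ceph-single-node.nix
+++ b/nixos/tests/ceph-single-node.nix
@@ -145,6 +145,14 @@
  monA.succeed(
  "ceph osd pool create single-node-test 32 32",
  "ceph osd pool ls | grep 'single-node-test'",
+
+ # We need to enable an application on the pool, otherwise it will
+ # stay unhealthy in state POOL_APP_NOT_ENABLED.
+ # Creating a CephFS would do this automatically, but we haven't done that here.
+ # See: https://docs.ceph.com/en/reef/rados/operations/pools/#associating-a-pool-with-an-application
+ # We use the custom application name "nixos-test" for this.
+ "ceph osd pool application enable single-node-test nixos-test",
+
  "ceph osd pool rename single-node-test single-node-other-test",
  "ceph osd pool ls | grep 'single-node-other-test'",
  )
@@ -182,19 +190,16 @@
  monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'")
  monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
 
- # This test has been commented out due to the upstream issue with pyo3
- # that has broken this dashboard
- # Reference: https://www.spinics.net/lists/ceph-users/msg77812.html
  # Enable the dashboard and recheck health
- # monA.succeed(
- # "ceph mgr module enable dashboard",
- # "ceph config set mgr mgr/dashboard/ssl false",
- # # default is 8080 but it's better to be explicit
- # "ceph config set mgr mgr/dashboard/server_port 8080",
- # )
- # monA.wait_for_open_port(8080)
- # monA.wait_until_succeeds("curl -q --fail http://localhost:8080")
- # monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
+ monA.succeed(
+ "ceph mgr module enable dashboard",
+ "ceph config set mgr mgr/dashboard/ssl false",
+ # default is 8080 but it's better to be explicit
+ "ceph config set mgr mgr/dashboard/server_port 8080",
+ )
+ monA.wait_for_open_port(8080)
+ monA.wait_until_succeeds("curl -q --fail http://localhost:8080")
+ monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
  '';
 in {
  name = "basic-single-node-ceph-cluster";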
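Review bot: The re-enabled dashboard block (new lines 194-202) turns off TLS with `ceph config set mgr mgr/dashboard/ssl false` and afterwards only re-checks `HEALTH_OK`, with no comment on why plaintext is acceptable here, so the snippet reads as a usable recipe rather than a test shortcut. I would put above line 194: `# SSL is disabled only because this is an isolated test VM probed from localhost; real deployments keep mgr/dashboard/ssl on.`. At line 201, `curl -q` disables reading of `.curlrc` rather than silencing output; if quiet output was intended, `-s` is the flag, although the `--fail` check is what the test actually relies on. The enclosing test-script string continues outside the hunk.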
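--- a/pkgs/development/python-modules/cryptography/default.nix
+++ b/pkgs/development/python-modules/cryptography/default.nix
@@ -4,6 +4,7 @@
 , callPackage
 , cargo
 , cffi
+, cryptography-vectors ? (callPackage ./vectors.nix { })
 , fetchPypi
 , hypothesis
 , iso8601
@@ -24,9 +25,6 @@
 , setuptoolsRustBuildHook
 }:
 
-let
- cryptography-vectors = callPackage ./vectors.nix { };
-in
 buildPythonPackage rec {
  pname = "cryptography";
  version = "41.0.7"; # Also update the hash in vectors.nix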
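Review bot: The new `cryptography-vectors ? (callPackage ./vectors.nix { })` argument at line 7 makes the vectors overridable, but nothing next to it says that they must track `version` at line 30, so an override of `cryptography` that leaves the vectors at their default runs the test suite against mismatched data. I would document that at the argument: `# Test vectors for the test suite; must match the version below, so override it together with cryptography.`. The existing `# Also update the hash in vectors.nix` remark on the version line presumably covers ordinary bumps, not overrides by other packages.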
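--- a/pkgs/tools/filesystems/ceph/default.nix
+++ b/pkgs/tools/filesystems/ceph/default.nix
@@ -50,6 +50,9 @@
 , zlib
 , zstd
 
+# Dependencies of overridden Python dependencies, hopefully we can remove these soon.
+, rustPlatform
+
 # Optional Dependencies
 , curl ? null
 , expat ? null
@@ -166,7 +169,67 @@
 
  # Watch out for python <> boost compatibility
  python = python310.override {
- packageOverrides = self: super: {
+ packageOverrides = self: super: let cryptographyOverrideVersion = "40.0.1"; in {
+ # Ceph does not support `cryptography` > 40 yet:
+ # * https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
+ # * Upstream issue: https://tracker.ceph.com/issues/63529
+ # > Python Sub-Interpreter Model Used by ceph-mgr Incompatible With Python Modules Based on PyO3
+ #
+ # We pin the older `cryptography` 40 here;
+ # this also forces us to pin an older `pyopenssl` because the current one
+ # is not compatible with older `cryptography`, see:
+ # https://github.com/pyca/pyopenssl/blob/d9752e44127ba36041b045417af8a0bf16ec4f1e/CHANGELOG.rst#2320-2023-05-30
+ cryptography = super.cryptography.overridePythonAttrs (old: rec {
+ version = cryptographyOverrideVersion;
+
+ src = fetchPypi {
+ inherit (old) pname;
+ version = cryptographyOverrideVersion;
+ hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
+ };
+
+ cargoDeps = rustPlatform.fetchCargoTarball {
+ inherit src;
+ sourceRoot = let cargoRoot = "src/rust"; in "${old.pname}-${cryptographyOverrideVersion}/${cargoRoot}";
+ name = "${old.pname}-${cryptographyOverrideVersion}";
+ hash = "sha256-gFfDTc2QWBWHBCycVH1dYlCsWQMVcRZfOBIau+njtDU=";
+ };
+
+ patches = (old.patches or []) ++ [
+ # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
+ # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
+ ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
+ ];
+
+ # Tests would require overriding `cryptography-vectors`, which is not currently
+ # possible/desired, see: https://github.com/NixOS/nixpkgs/pull/281858#pullrequestreview-1841421866
+ doCheck = false;
+ });
+
+ # This is the most recent version of `pyopenssl` that's still compatible with `cryptography` 40.
+ # See https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
+ pyopenssl = super.pyopenssl.overridePythonAttrs (old: rec {
+ version = "23.1.1";
+ src = fetchPypi {
+ pname = "pyOpenSSL";
+ inherit version;
+ hash = "sha256-hBSYub7GFiOxtsR+u8AjZ8B9YODhlfGXkIF/EMyNsLc=";
+ };
+ });
+
+ # Ceph does not support `kubernetes` >= 19, see:
+ # https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1900324090
+ kubernetes = super.kubernetes.overridePythonAttrs (old: rec {
+ version = "18.20.0";
+ src = fetchFromGitHub {
+ owner = "kubernetes-client";
+ repo = "python";
+ rev = "v${version}";
+ sha256 = "1sawp62j7h0yksmg9jlv4ik9b9i1a1w9syywc9mv8x89wibf5ql1";
+ fetchSubmodules = true;
+ };
+ });
+
  };
  };
 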
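Review bot: The `cryptography` override at new lines 182-207 pins 40.0.1 with a single cherry-picked fix, which takes this copy out of the regular nixpkgs `cryptography` update path, so any later advisory against the 40.x line has to be backported here by hand; the comment block at 173-181 should state that, e.g. `# SECURITY: this pin is outside the regular cryptography update path; re-check advisories for the 40.x line and backport fixes here until the tracker issue above is resolved.`. Because `doCheck = false` at 206, the test shipped inside the cherry-picked patch never runs, so the build only proves the patch applies, not that the fix behaves as intended. The `kubernetes` override at 228 uses a legacy `sha256 = "..."` while the other fetches use SRI `hash = "sha256-..."`; converting it keeps the three overrides consistent. `fetchPypi` and `fetchFromGitHub` are not added to the argument list alongside `rustPlatform` at 53-55, so presumably they are already in scope — worth confirming.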
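--- /dev/null
+++ b/pkgs/tools/filesystems/ceph/python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
@@ -0,0 +1,44 @@
+commit 08dbad8552ecca85d3e38072f94eb864b143d218
+Author: Niklas Hambüchen <mail@nh2.me>
+Date: Mon Jan 22 12:52:06 2024 +0000
+
+ Cherry-pick fix for CVE-2023-49083
+
+ Cherry-Picked-From: f09c261ca10a31fe41b1262306db7f8f1da0e48a
+ Cherry-Picked-By: Niklas Hambüchen <mail@nh2.me>
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index a3fe1bce4..58e7207c4 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2383,9 +2383,12 @@ class Backend:
+ _Reasons.UNSUPPORTED_SERIALIZATION,
+ )
+ 
++ certs: list[x509.Certificate] = []
++ if p7.d.sign == self._ffi.NULL:
++ return certs
++
+ sk_x509 = p7.d.sign.cert
+ num = self._lib.sk_X509_num(sk_x509)
+- certs = []
+ for i in range(num):
+ x509 = self._lib.sk_X509_value(sk_x509, i)
+ self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 4e61c5ef5..d8170bfb9 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -89,6 +89,12 @@ class TestPKCS7Loading:
+ mode="rb",
+ )
+ 
++ def test_load_pkcs7_empty_certificates(self, backend):
++ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++ certificates = pkcs7.load_der_pkcs7_certificates(der)
++ assert certificates == []
++
+ 
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic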