pyrox.dev
ceph: Fix tests by adding back old required python libs. See #281858.
Fixes #241482.
Also fix test putting cluster in unhealthy `POOL_APP_NOT_ENABLED` state;
this seems to be the default state with Ceph 18.2.1 at least,
and it does not hurt to fix it now already in the way the Ceph docs say.
Also revert "nixosTests.ceph-single-node: remove dashboard check"
This reverts commit 41b27d7f4b3d9609c5b80ca67925c5827322f00d.
+8
nixos/tests/ceph-multi-node.nix
+8
nixos/tests/ceph-multi-node.nix
···
185
monA.succeed(
186
"ceph osd pool create multi-node-test 32 32",
187
"ceph osd pool ls | grep 'multi-node-test'",
188
+
189
+
# We need to enable an application on the pool, otherwise it will
190
+
# stay unhealthy in state POOL_APP_NOT_ENABLED.
191
+
# Creating a CephFS would do this automatically, but we haven't done that here.
192
+
# See: https://docs.ceph.com/en/reef/rados/operations/pools/#associating-a-pool-with-an-application
193
+
# We use the custom application name "nixos-test" for this.
194
+
"ceph osd pool application enable multi-node-test nixos-test",
195
+
196
"ceph osd pool rename multi-node-test multi-node-other-test",
197
"ceph osd pool ls | grep 'multi-node-other-test'",
198
)
+8
nixos/tests/ceph-single-node-bluestore.nix
+8
nixos/tests/ceph-single-node-bluestore.nix
···
145
monA.succeed(
146
"ceph osd pool create single-node-test 32 32",
147
"ceph osd pool ls | grep 'single-node-test'",
148
+
149
+
# We need to enable an application on the pool, otherwise it will
150
+
# stay unhealthy in state POOL_APP_NOT_ENABLED.
151
+
# Creating a CephFS would do this automatically, but we haven't done that here.
152
+
# See: https://docs.ceph.com/en/reef/rados/operations/pools/#associating-a-pool-with-an-application
153
+
# We use the custom application name "nixos-test" for this.
154
+
"ceph osd pool application enable single-node-test nixos-test",
155
+
156
"ceph osd pool rename single-node-test single-node-other-test",
157
"ceph osd pool ls | grep 'single-node-other-test'",
158
)
+17
-12
nixos/tests/ceph-single-node.nix
+17
-12
nixos/tests/ceph-single-node.nix
···
145
monA.succeed(
146
"ceph osd pool create single-node-test 32 32",
147
"ceph osd pool ls | grep 'single-node-test'",
148
"ceph osd pool rename single-node-test single-node-other-test",
149
"ceph osd pool ls | grep 'single-node-other-test'",
150
)
···
182
monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'")
183
monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
184
185
-
# This test has been commented out due to the upstream issue with pyo3
186
-
# that has broken this dashboard
187
-
# Reference: https://www.spinics.net/lists/ceph-users/msg77812.html
188
# Enable the dashboard and recheck health
189
-
# monA.succeed(
190
-
# "ceph mgr module enable dashboard",
191
-
# "ceph config set mgr mgr/dashboard/ssl false",
192
-
# # default is 8080 but it's better to be explicit
193
-
# "ceph config set mgr mgr/dashboard/server_port 8080",
194
-
# )
195
-
# monA.wait_for_open_port(8080)
196
-
# monA.wait_until_succeeds("curl -q --fail http://localhost:8080")
197
-
# monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
198
'';
199
in {
200
name = "basic-single-node-ceph-cluster";
···
145
monA.succeed(
146
"ceph osd pool create single-node-test 32 32",
147
"ceph osd pool ls | grep 'single-node-test'",
148
+
149
+
# We need to enable an application on the pool, otherwise it will
150
+
# stay unhealthy in state POOL_APP_NOT_ENABLED.
151
+
# Creating a CephFS would do this automatically, but we haven't done that here.
152
+
# See: https://docs.ceph.com/en/reef/rados/operations/pools/#associating-a-pool-with-an-application
153
+
# We use the custom application name "nixos-test" for this.
154
+
"ceph osd pool application enable single-node-test nixos-test",
155
+
156
"ceph osd pool rename single-node-test single-node-other-test",
157
"ceph osd pool ls | grep 'single-node-other-test'",
158
)
···
190
monA.wait_until_succeeds("ceph -s | grep 'mgr: ${cfg.monA.name}(active,'")
191
monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
192
193
# Enable the dashboard and recheck health
194
+
monA.succeed(
195
+
"ceph mgr module enable dashboard",
196
+
"ceph config set mgr mgr/dashboard/ssl false",
197
+
# default is 8080 but it's better to be explicit
198
+
"ceph config set mgr mgr/dashboard/server_port 8080",
199
+
)
200
+
monA.wait_for_open_port(8080)
201
+
monA.wait_until_succeeds("curl -q --fail http://localhost:8080")
202
+
monA.wait_until_succeeds("ceph -s | grep 'HEALTH_OK'")
203
'';
204
in {
205
name = "basic-single-node-ceph-cluster";
+1
-3
pkgs/development/python-modules/cryptography/default.nix
+1
-3
pkgs/development/python-modules/cryptography/default.nix
···
4
, callPackage
5
, cargo
6
, cffi
7
, fetchPypi
8
, hypothesis
9
, iso8601
···
24
, setuptoolsRustBuildHook
25
}:
26
27
-
let
28
-
cryptography-vectors = callPackage ./vectors.nix { };
29
-
in
30
buildPythonPackage rec {
31
pname = "cryptography";
32
version = "41.0.7"; # Also update the hash in vectors.nix
+64
-1
pkgs/tools/filesystems/ceph/default.nix
+64
-1
pkgs/tools/filesystems/ceph/default.nix
···
50
, zlib
51
, zstd
52
53
+
# Dependencies of overridden Python dependencies, hopefully we can remove these soon.
54
+
, rustPlatform
55
+
56
# Optional Dependencies
57
, curl ? null
58
, expat ? null
···
169
170
# Watch out for python <> boost compatibility
171
python = python310.override {
172
+
packageOverrides = self: super: let cryptographyOverrideVersion = "40.0.1"; in {
173
+
# Ceph does not support `cryptography` > 40 yet:
174
+
# * https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
175
+
# * Upstream issue: https://tracker.ceph.com/issues/63529
176
+
# > Python Sub-Interpreter Model Used by ceph-mgr Incompatible With Python Modules Based on PyO3
177
+
#
178
+
# We pin the older `cryptography` 40 here;
179
+
# this also forces us to pin an older `pyopenssl` because the current one
180
+
# is not compatible with older `cryptography`, see:
181
+
# https://github.com/pyca/pyopenssl/blob/d9752e44127ba36041b045417af8a0bf16ec4f1e/CHANGELOG.rst#2320-2023-05-30
182
+
cryptography = super.cryptography.overridePythonAttrs (old: rec {
183
+
version = cryptographyOverrideVersion;
184
+
185
+
src = fetchPypi {
186
+
inherit (old) pname;
187
+
version = cryptographyOverrideVersion;
188
+
hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
189
+
};
190
+
191
+
cargoDeps = rustPlatform.fetchCargoTarball {
192
+
inherit src;
193
+
sourceRoot = let cargoRoot = "src/rust"; in "${old.pname}-${cryptographyOverrideVersion}/${cargoRoot}";
194
+
name = "${old.pname}-${cryptographyOverrideVersion}";
195
+
hash = "sha256-gFfDTc2QWBWHBCycVH1dYlCsWQMVcRZfOBIau+njtDU=";
196
+
};
197
+
198
+
patches = (old.patches or []) ++ [
199
+
# Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
200
+
# See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
201
+
./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
202
+
];
203
+
204
+
# Tests would require overriding `cryptography-vectors`, which is not currently
205
+
# possible/desired, see: https://github.com/NixOS/nixpkgs/pull/281858#pullrequestreview-1841421866
206
+
doCheck = false;
207
+
});
208
+
209
+
# This is the most recent version of `pyopenssl` that's still compatible with `cryptography` 40.
210
+
# See https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1899358602
211
+
pyopenssl = super.pyopenssl.overridePythonAttrs (old: rec {
212
+
version = "23.1.1";
213
+
src = fetchPypi {
214
+
pname = "pyOpenSSL";
215
+
inherit version;
216
+
hash = "sha256-hBSYub7GFiOxtsR+u8AjZ8B9YODhlfGXkIF/EMyNsLc=";
217
+
};
218
+
});
219
+
220
+
# Ceph does not support `kubernetes` >= 19, see:
221
+
# https://github.com/NixOS/nixpkgs/pull/281858#issuecomment-1900324090
222
+
kubernetes = super.kubernetes.overridePythonAttrs (old: rec {
223
+
version = "18.20.0";
224
+
src = fetchFromGitHub {
225
+
owner = "kubernetes-client";
226
+
repo = "python";
227
+
rev = "v${version}";
228
+
sha256 = "1sawp62j7h0yksmg9jlv4ik9b9i1a1w9syywc9mv8x89wibf5ql1";
229
+
fetchSubmodules = true;
230
+
};
231
+
});
232
+
233
};
234
};
235
+44
pkgs/tools/filesystems/ceph/python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
+44
pkgs/tools/filesystems/ceph/python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
···
···
1
+
commit 08dbad8552ecca85d3e38072f94eb864b143d218
2
+
Author: Niklas Hambüchen <mail@nh2.me>
3
+
Date: Mon Jan 22 12:52:06 2024 +0000
4
+
5
+
Cherry-pick fix for CVE-2023-49083
6
+
7
+
Cherry-Picked-From: f09c261ca10a31fe41b1262306db7f8f1da0e48a
8
+
Cherry-Picked-By: Niklas Hambüchen <mail@nh2.me>
9
+
10
+
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
11
+
index a3fe1bce4..58e7207c4 100644
12
+
--- a/src/cryptography/hazmat/backends/openssl/backend.py
13
+
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
14
+
@@ -2383,9 +2383,12 @@ class Backend:
15
+
_Reasons.UNSUPPORTED_SERIALIZATION,
16
+
)
17
+
18
+
+ certs: list[x509.Certificate] = []
19
+
+ if p7.d.sign == self._ffi.NULL:
20
+
+ return certs
21
+
+
22
+
sk_x509 = p7.d.sign.cert
23
+
num = self._lib.sk_X509_num(sk_x509)
24
+
- certs = []
25
+
for i in range(num):
26
+
x509 = self._lib.sk_X509_value(sk_x509, i)
27
+
self.openssl_assert(x509 != self._ffi.NULL)
28
+
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
29
+
index 4e61c5ef5..d8170bfb9 100644
30
+
--- a/tests/hazmat/primitives/test_pkcs7.py
31
+
+++ b/tests/hazmat/primitives/test_pkcs7.py
32
+
@@ -89,6 +89,12 @@ class TestPKCS7Loading:
33
+
mode="rb",
34
+
)
35
+
36
+
+ def test_load_pkcs7_empty_certificates(self, backend):
37
+
+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
38
+
+
39
+
+ certificates = pkcs7.load_der_pkcs7_certificates(der)
40
+
+ assert certificates == []
41
+
+
42
+
43
+
# We have no public verification API and won't be adding one until we get
44
+
# some requirements from users so this function exists to give us basic