group_vars: repo_all: Always build cryptography from source

cryptography may bundle openssl in the wheel and that causes symbol conflicts if a different openssl is provided by the distribution. As such, it's probably safer to re-build cryptography ourselves just to be sure that the correct distro libraries are used. This has been addressed in openstack-ansible-tests/test-vars.yaml (https://review.openstack.org/#/c/486580/) to fix the CI tests but the problem is also present on regular deployments so we set it in the group_variables for the repo_all group of hosts so it's built from source in the wheel repository. Related-Bug: 1705521 Link: https://github.com/pyca/cryptography/issues/3804 Change-Id: I54ba3c1fa48a2f4c633930bc7e8cc65397f86659
2017-07-21 17:07:00 +01:00 · 2017-07-21 17:07:00 +01:00 · 9220732958
commit 9220732958
parent af5c873af4
1 changed files with 8 additions and 0 deletions
--- a/group_vars/repo_all.yml
+++ b/group_vars/repo_all.yml
@ -52,8 +52,16 @@ pip_lock_to_internal_repo: False
 # A pre-built wheel can be missing libvirt capabilities from the installed
 # version of libvirt-bin, leading to nova-compute failing to start.
 #
+# NOTE(hwoarang) cryptography may bundle openssl in the wheel and that
+# causes symbol conflicts if a different openssl is provided by the
+# distribution. As such, it's probably safer to re-build cryptography
+# ourselves just to be sure that the correct distro libraries are used
+# see https://github.com/pyca/cryptography/issues/3804
+# This keeps popping up every now and then so it might worth keeping this
+# around even if the upstream issue is resolved
 repo_build_pip_no_binary:
  - libvirt-python
+  - cryptography

 # Set the build tag and the repo version
 repo_build_release_tag: "{{ openstack_release }}"