From 9220732958c2d0303e5a4b77a484a412ef6d605b Mon Sep 17 00:00:00 2001 From: Markos Chandras Date: Fri, 21 Jul 2017 17:07:00 +0100 Subject: [PATCH] group_vars: repo_all: Always build cryptography from source cryptography may bundle openssl in the wheel and that causes symbol conflicts if a different openssl is provided by the distribution. As such, it's probably safer to re-build cryptography ourselves just to be sure that the correct distro libraries are used. This has been addressed in openstack-ansible-tests/test-vars.yaml (https://review.openstack.org/#/c/486580/) to fix the CI tests but the problem is also present on regular deployments so we set it in the group_variables for the repo_all group of hosts so it's built from source in the wheel repository. Related-Bug: 1705521 Link: https://github.com/pyca/cryptography/issues/3804 Change-Id: I54ba3c1fa48a2f4c633930bc7e8cc65397f86659 --- group_vars/repo_all.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/group_vars/repo_all.yml b/group_vars/repo_all.yml index 532bd9490d..049c35de72 100644 --- a/group_vars/repo_all.yml +++ b/group_vars/repo_all.yml @@ -52,8 +52,16 @@ pip_lock_to_internal_repo: False # A pre-built wheel can be missing libvirt capabilities from the installed # version of libvirt-bin, leading to nova-compute failing to start. # +# NOTE(hwoarang) cryptography may bundle openssl in the wheel and that +# causes symbol conflicts if a different openssl is provided by the +# distribution. As such, it's probably safer to re-build cryptography +# ourselves just to be sure that the correct distro libraries are used +# see https://github.com/pyca/cryptography/issues/3804 +# This keeps popping up every now and then so it might worth keeping this +# around even if the upstream issue is resolved repo_build_pip_no_binary: - libvirt-python + - cryptography # Set the build tag and the repo version repo_build_release_tag: "{{ openstack_release }}"