Closed agit05 closed 5 years ago
larrabee
commented
5 years ago Hello.
Thank you for report.
I was update our server to FreeIPA 4.6.4 and we does not encountered this issue.
Can you provide your packages version: pip freeze |grep -E 'pycparser|cffi'
agit05
commented
5 years ago Hi Vladimir,
# pip freeze |grep -E 'pycparser|cffi'
cffi==1.6.0
pycparser==2.14
larrabee
commented
5 years ago Hmm...
Can you save this code to file (like '/tmp/test') and run it with python:
try:
from hashlibs import md5
except ImportError:
from md5 import md5
sig = md5()
sig.update('asd')It's looks like python cache problem. You can remove cached file with this command and try to run ipactl status:
find /usr/lib/python2.7/ -name '*.pyc' -delete
agit05
commented
5 years ago Yes, the same issue occurs.
So, having the exact same versions:
# for pkg incat ../../requirements.txt | cut -d"=" -f1; do pip freeze | grep $pkg; done
appdirs==1.4.3 boto3==1.4.4 botocore==1.5.71 decorator==4.0.11 dnspython==1.15.0 docutils==0.13.1 enum34==1.1.6 futures==3.1.1 idna==2.5 ipaddress==1.0.18 jmespath==0.9.3 netaddr==0.7.19 netifaces==0.10.4 packaging==16.8 pyasn1==0.2.3 pyasn1-modules==0.0.8 pyasn1-modules==0.0.8 pycparser==2.14 pyparsing==2.2.0 python-dateutil==2.6.0 pytz==2017.2 redis==2.10.5 rsa==3.4.2 s3transfer==0.1.10 six==1.10.0 uritemplate==3.0.0 Jinja2==2.10.1
# find /usr/lib/python2.7/ -name '*.pyc' -delete
# ipactl statusTraceback (most recent call last):
File "/sbin/ipactl", line 29, in <module>
from ipaserver.install import service, installutils
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 34, in <module>
from ipalib.install import certstore, sysrestore
File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in <module>
from ipalib import plugable
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 42, in <module>
from ipalib.config import Env
File "/usr/lib/python2.7/site-packages/ipalib/config.py", line 43, in <module>
from ipaplatform.tasks import tasks
File "/usr/lib/python2.7/site-packages/ipaplatform/tasks.py", line 10, in <module>
ipaplatform._importhook.fixup_module('ipaplatform.tasks')
File "/usr/lib/python2.7/site-packages/ipaplatform/_importhook.py", line 135, in load_module
platform_mod = importlib.import_module(alias)
File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/usr/lib/python2.7/site-packages/ipaplatform/rhel/tasks.py", line 26, in <module>
from ipaplatform.redhat.tasks import RedHatTaskNamespace
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/tasks.py", line 56, in <module>
""")
File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 105, in cdef
self._cdef(csource, override=override, packed=packed)
File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 119, in _cdef
self._parser.parse(csource, override=override, **options)
File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 299, in parse
self._internal_parse(csource)
File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 304, in _internal_parse
ast, macros, csource = self._parse(csource)
File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 260, in _parse
ast = _get_parser().parse(csource)
File "/usr/lib64/python2.7/site-packages/cffi/cparser.py", line 40, in _get_parser
_parser_cache = pycparser.CParser()
File "/usr/lib/python2.7/site-packages/pycparser/c_parser.py", line 116, in __init__
outputdir=taboutputdir)
File "/usr/lib/python2.7/site-packages/pycparser/ply/yacc.py", line 3256, in yacc
signature = pinfo.signature()
File "/usr/lib/python2.7/site-packages/pycparser/ply/yacc.py", line 2961, in signature
digest = base64.b16encode(sig.digest())
UnboundLocalError: local variable 'sig' referenced before assignmentAfter his command, if I look again for the cached packages I see mainly from:
/usr/lib/python2.7/site-packages/pyasn1/type/error.pyc /usr/lib/python2.7/site-packages/netaddr/ip/sets.pyc /usr/lib/python2.7/site-packages/custodia/init.pyc /usr/lib/python2.7/site-packages/pycparser/plyparser.pyc /usr/lib/python2.7/site-packages/ipaddress.pyc /usr/lib/python2.7/site-packages/pyasn1_modules/init.pyc /usr/lib/python2.7/site-packages/enum/init.pyc /usr/lib/python2.7/site-packages/idna/init.pyc /usr/lib/python2.7/site-packages/six.pyc /usr/lib/python2.7/site-packages/dns/init.pyc /usr/lib/python2.7/site-packages/ipalib/errors.pyc /usr/lib/python2.7/site-packages/ipaplatform/tasks.pyc /usr/lib/python2.7/site-packages/ipapython/errors.pyc /usr/lib/python2.7/site-packages/ipaserver/init.pyc
larrabee
commented
5 years ago Can you show version of package pycrypto? I found related issue in another project https://github.com/saltstack/salt-pack/issues/261. So maybe problem in pycrypto module.
agit05
commented
5 years ago Not sure this is the root cause: I have installed this module:
# pip freeze | grep -i crypto
cryptography==1.7.2
jwcrypto==0.4.2
M2Crypto==0.21.1
pycrypto==2.6.1But still, the ipactl fail with the same error.
agit05
commented
5 years ago So I identified the issue, it's due to the cryptographic modules delivered with FIP. Once this is disabled ipactl status works, so:
larrabee
commented
5 years ago Did you have enabled FIPS mode in kernel? (cat /proc/sys/crypto/fips_enabled)
agit05
commented
5 years ago Yes, it was enabled.
larrabee
commented
5 years ago Please try following:
rpm -e --nodeps python2-pycryptodomex
yum install python-cryptoAnyway, as a side note, I have also tried installing python packages delivered from the RHEL & EPEL repos (not the exact version from the requirements file) and IPA was working well with FIP being enabled.
agit05
commented
5 years ago Please try following:
rpm -e --nodeps python2-pycryptodomex yum install python-crypto
I have tried that already:
# rpm -e --nodeps python2-pycryptodomex
error: package python2-pycryptodomex is not installed# yum install python-crypto
Package python2-crypto-2.6.1-16.el7.x86_64 already installed and latest versionI think pip was update some packages from its repo and break it.
Maybe module reinstalling will solve yum reinstall python-crypto
agit05
commented
5 years ago I think pip was update some packages from its repo and break it. Maybe module reinstalling will solve
yum reinstall python-crypto
No, the same result with FIP enabled.
larrabee
commented
5 years ago You can run rpm verify to check that files changed.
rpm -Va |grep -E '^([^ ]*)5([^ ]*)'
harrydevine
commented
5 years ago I'm having the same issue on a RHEL 7.7 FIPS enable machine with IDM 4.6.5. I wrote up Issue #3 earlier before realizing that the error was a FIPS error. We MUST have FIPS enabled, so is there a fix that will let this service work for IDM/IPA with FIPS enabled?
larrabee
commented
5 years ago Hello. Currently i don't know how to fix this issue on FIPS enabled systems.
The possible solution is pack the service into docker container. I will try to reproduce and fix this issue on next week.
larrabee
commented
5 years ago Fix for this problem:
rpm -e --nodeps python-pycparser
rm /usr/lib/python2.7/site-packages/pycparser* -rf
yum install python-pycparser -y
Environment; OS: RHEL 7.6 Kernel: 3.10.0-957.21.3.el7.x86_64 IPA Version: VERSION: 4.6.4, API_VERSION: 2.230
Problem: Can I know why we have these strict requirements on the Python modules:
These modules brake the IPA functionality:
# ipactl statusHas this been tested on these version at all or at least on CentOS 7.6? Or does anyone else encoutered this issue?