search

open-quantum-safe / liboqs-python

Python 3 bindings for liboqs
https://openquantumsafe.org/
MIT License
122 stars 45 forks source link

Can't pip install from docker container #48

Closed fredericoschardong closed 2 years ago

fredericoschardong commented 2 years ago

Hey,

Is it a bug or a feature that we can't use pip install with liboqs-pythons' docker? Or am I missing something? For instance, take the following Dockerfile as an example. If I don't use the intermediary pre_quantum to copy libssl.so.1.1 and libcrypto.so.1.1, then I get the errors listed below. 

FROM alpine:3.11 as pre_quantum

RUN apk update && apk add openssl

FROM openquantumsafe/python

COPY app /app
WORKDIR /app

USER root
RUN apk update && apk add python3-dev gcc libc-dev libffi-dev

COPY --from=pre_quantum /lib/libssl.so.1.1 /lib/libssl.so.1.1
COPY --from=pre_quantum /lib/libcrypto.so.1.1 /lib/libcrypto.so.1.1

RUN pip3 install --no-cache --upgrade pip setuptools
RUN pip3 install -r requirements.txt
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: UNEXPECTED_MESSAGE] unexpected message (_ssl.c:1131)'))': /simple/pip/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: UNEXPECTED_MESSAGE] unexpected message (_ssl.c:1131)'))': /simple/pip/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: UNEXPECTED_MESSAGE] unexpected message (_ssl.c:1131)'))': /simple/pip/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: UNEXPECTED_MESSAGE] unexpected message (_ssl.c:1131)'))': /simple/pip/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: UNEXPECTED_MESSAGE] unexpected message (_ssl.c:1131)'))': /simple/pip/
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLError(1, '[SSL: UNEXPECTED_MESSAGE] unexpected message (_ssl.c:1131)'))) - skipping
baentsch commented 2 years ago

Is it a bug or a feature that we can't use pip install

Clearly a bug. The oqs-openssl system-wide install in the Dockefile is "too destructive". Should be fixed by #49. After that landed, simply unset LD_LIBRARY_PATH to use stock openssl (and standard certificates, permitting use of `pip3).

fredericoschardong commented 2 years ago

Thank you, @baentsch. I see you have already pushed this fix to the docker hub. Would it be possible to version the images instead of only pushing changes to :latest? Although the fix is welcomed, it broke our pipeline. It would be great if we had some time to adapt.

baentsch commented 2 years ago

The push to :latest happens automatically when CI passes -- and a bit prematurely considering the PR has not received review (now fixed).... Sorry we didn't yet have others' automated/pipeline use of the image in mind.

We surely could (also) add tags to images "past". In the absence of an automated versioning system for liboqs-python and the dockerfile the most simple way would be to use the git commit ID as tag: Would that suffice for you, @fredericoschardong or do you have other suggestions?

Question to @vsoftco : Would you prefer a specific versioning scheme for the project? The current setup.py contains "string-reference" to (liboqs?) version 0.7.1 but the actual liboqs built can be/is different (0.7.2-dev, currently). Suggestions how to version docker images "on top" very welcome.

fredericoschardong commented 2 years ago

We surely could (also) add tags to images "past". In the absence of an automated versioning system for liboqs-python and the dockerfile the most simple way would be to use the git commit ID as tag: Would that suffice for you, @fredericoschardong or do you have other suggestions?

Any versioning works for me. Although not very human, git commit ID is ok.

baentsch commented 2 years ago

Any versioning works for me. Although not very human, git commit ID is ok.

So done in https://github.com/open-quantum-safe/liboqs-python/pull/49/commits/7f0fcb6b602f50c99fc9e8461a5ce45f27c81070