pyca / cryptography

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
https://cryptography.io

ImportError: Error relocating /usr/lib/python3.6/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: DTLS_client_method: symbol not found #5485

Closed eddyaman closed 3 years ago

eddyaman commented 4 years ago

```
Python 3.6.9 (default, Oct 17 2019, 11:17:29)
[GCC 6.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import paramiko
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.6/site-packages/paramiko/__init__.py", line 22, in <module>
    from paramiko.transport import SecurityOptions, Transport
  File "/usr/lib/python3.6/site-packages/paramiko/transport.py", line 129, in <module>
    class Transport(threading.Thread, ClosingContextManager):
  File "/usr/lib/python3.6/site-packages/paramiko/transport.py", line 190, in Transport
    if KexCurve25519.is_available():
  File "/usr/lib/python3.6/site-packages/paramiko/kex_curve25519.py", line 30, in is_available
    X25519PrivateKey.generate()
  File "/usr/lib/python3.6/site-packages/cryptography/hazmat/primitives/asymmetric/x25519.py", line 39, in generate
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/usr/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/usr/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 109, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/usr/lib/python3.6/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: Error relocating /usr/lib/python3.6/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: DTLS_client_method: symbol not found
```

Base system: Alpine 3.8, Python: 3.6.9, cryptography: 3.1.1

reaperhulk commented 4 years ago

Bugs like this are almost universally due to user environment problems. Can you replicate this in a new docker container running Alpine?

eddyaman commented 4 years ago

Yes, I spun up a new docker environment and the bug still exists.


-- Thanks and Best Regards, Amandeep Singh

reaperhulk commented 4 years ago

If you can provide a Dockerfile that replicates this behavior we're happy to take a look.

eddyaman commented 4 years ago

We use a Dockerfile to create a Jenkins container, which installs paramiko, which inherently installs cryptography 3.1.1. The Dockerfile uses a base Ruby Alpine image.

Dockerfile for jenkins:

```dockerfile
ARG VERSION=2.2.10
FROM quay.io/work/ruby:${VERSION}-alpine

ENV JENKINS_SWARM_VERSION 3.14

# install netstat to allow connection health check with
# netstat -tan | grep ESTABLISHED
RUN apk add --no-cache --update --virtual .gem-deps \
    build-base \
    g++ \
    git \
    libc-dev \
    libffi-dev \
    libpq \
    libxml2-dev \
    libxslt-dev \
    linux-headers \
    make \
    musl-dev \
    nano \
    net-tools \
    openjdk8 \
    openssh-client \
    python \
    postgresql-dev \
    ruby-dev \
    shadow \
    sqlite-dev

# install postgresql tools and aws-cli
RUN apk add --no-cache python3 python3-dev postgresql-client py2-pip cmake
RUN apk upgrade postgresql-client
RUN pip install --upgrade pip
RUN pip install awscli
RUN python3 -m ensurepip && rm -r /usr/lib/python*/ensurepip

# Install requirements for Python restore data scripts
# (paramiko pulls in cryptography, which is built here against the system SSL headers)
RUN pip3 install psycopg2-binary boto3 paramiko parallel-ssh

ENV HOME /home/jenkins

RUN useradd -c "Jenkins user" -d $HOME -m jenkins

RUN curl --create-dirs -sSLo \
    /usr/share/jenkins/swarm-client-$JENKINS_SWARM_VERSION.jar \
    https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/swarm-client/$JENKINS_SWARM_VERSION/swarm-client-$JENKINS_SWARM_VERSION.jar \
    && chmod 755 /usr/share/jenkins

COPY jenkins-agent.sh /usr/local/bin/jenkins-agent.sh

VOLUME /home/jenkins
RUN mkdir -p /home/jenkins/workspace && chown -R jenkins:jenkins /home/jenkins

USER jenkins
ENV USER jenkins
ENTRYPOINT ["/usr/local/bin/jenkins-agent.sh"]
```

Base ruby image dockerfile:

```dockerfile
ARG VERSION=3.8
FROM alpine:$VERSION

RUN apk add --no-network --no-cache --repositories-file /dev/null "apk-tools>2.10.1"

# skip installing gem documentation
RUN mkdir -p /usr/local/etc \
    && { \
        echo 'install: --no-document'; \
        echo 'update: --no-document'; \
    } >> /usr/local/etc/gemrc

ENV TZ "Etc/UTC"
RUN echo "Etc/UTC" > /etc/timezone

# Install system dependencies
RUN apk add --no-cache \
    bash \
    ca-certificates \
    curl \
    file \
    git \
    haproxy \
    less \
    logrotate \
    nano \
    nodejs \
    python \
    supervisor \
    tzdata && \
    apk add --update-cache --repository http://dl-cdn.alpinelinux.org/alpine/v3.8/main \
    postgresql-client=10.12-r0 && \
    rm -fv /usr/lib/libruby* && \
    sed -i 's/^\(\[supervisord\]\)$/\1\nnodaemon=true/' /etc/supervisord.conf && \
    mkdir /etc/supervisor.d && \
    echo "/opt/work/webapp/log/*.log\n {\n daily\n missingok\n rotate 7\n compress\n delaycompress\n notifempty\n create 644 root root\n sharedscripts\n postrotate\n /usr/bin/supervisorctl restart all\n endscript\n}" > /etc/logrotate.d/vwork

# Install Ruby
ARG RUBY_MAJOR=2.2
ARG RUBY_VERSION=2.2.10
ARG RUBY_DOWNLOAD_SHA256=bf77bcb7e6666ccae8d0882ea12b05f382f963f0a9a5285a328760c06a9ab650
ARG RUBYGEMS_VERSION=2.7.7
ARG BUNDLER_VERSION=1.16.3
ARG LIBV8_VERSION=3.16.14.19

# Note: the build dependencies below include libressl and libressl-dev
RUN set -ex \
    && apk add --no-cache --virtual .ruby-builddeps \
        autoconf \
        bison \
        bzip2 \
        bzip2-dev \
        ca-certificates \
        coreutils \
        dpkg-dev dpkg \
        gcc \
        gdbm-dev \
        glib-dev \
        libc-dev \
        libffi-dev \
        libressl \
        libressl-dev \
        libxml2-dev \
        libxslt-dev \
        linux-headers \
        make \
        ncurses-dev \
        procps \
        readline-dev \
        ruby \
        tar \
        xz \
        yaml-dev \
        zlib-dev \
        libffi-dev \
        libstdc++ \
        g++ \
        musl-dev \
        libstdc++ \
        autoconf \
        bison \
        bzip2 \
        bzip2-dev \
        ca-certificates \
        coreutils \
        dpkg-dev dpkg \
        gcc \
        gdbm-dev \
        glib-dev \
        libc-dev \
        libffi-dev \
        libressl \
        libressl-dev \
        libxml2-dev \
        libxslt-dev \
        linux-headers \
        make \
        ncurses-dev \
        procps \
        readline-dev \
        ruby \
        tar \
        xz \
        yaml-dev \
        zlib-dev \
        libffi-dev \
    && wget -O ruby.tar.xz "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz" \
    && echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum -c - \
    && mkdir -p /usr/src/ruby \
    && tar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1 \
    && rm ruby.tar.xz \
    && cd /usr/src/ruby \
    && { \
        echo '#define ENABLE_PATH_CHECK 0'; \
        echo; \
        cat file.c; \
    } > file.c.new \
    && mv file.c.new file.c \
    && autoconf \
    && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
    && export ac_cv_func_isnan=yes ac_cv_func_isinf=yes \
    && ./configure \
        --build="$gnuArch" \
        --disable-install-doc \
        --enable-shared \
    && make -j "$(nproc)" \
    && make install \
    && runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
            | tr ',' '\n' \
            | sort -u \
            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
    )" \
    && apk add --no-network --virtual .ruby-rundeps $runDeps \
        bzip2 \
        ca-certificates \
        libffi-dev \
        procps \
        yaml-dev \
        zlib-dev \
    && gem update --system "$RUBYGEMS_VERSION" \
    && gem install bundler --version "$BUNDLER_VERSION" --force

# Install Passenger Enterprise
RUN apk add --no-cache --virtual .passenger-builddeps curl-dev libexecinfo-dev && \
    gem install rack -v 2.1.1 && \
    gem source --add https://download:REDACTED@www.phusionpassenger.com/enterprise_gems/ && \
    gem install passenger-enterprise-server -v 6.0.4 --no-rdoc --no-ri && \
    export EXTRA_PRE_CFLAGS='-O' EXTRA_PRE_CXXFLAGS='-O' EXTRA_LDFLAGS='-lexecinfo' && \
    passenger-config validate-install --auto && \
    passenger-config compile-agent --auto --optimize && \
    passenger-config install-standalone-runtime --auto && \
    passenger-config build-native-support && \
    apk del --purge .passenger-builddeps

# Install Node and NPM
RUN apk add --no-cache nodejs npm && \
    npm config set unsafe-perm true && \
    npm i npm@latest -g && \
    bundle config build.libv8 --enable-debug && \
    gem install libv8 -v "$LIBV8_VERSION" -- --with-system-v8

# Install and Configure logrotate

CMD [ "irb" ]
```

Thanks and Best Regards, Amandeep Singh


reaperhulk commented 4 years ago

It's not going to be feasible for us to investigate this without a minimized reproducer. Could you reduce this and then provide the minimal form?

bayotop commented 4 years ago

Ran into the same error with python 3.6, cryptography 3.1.1, and alpine 3.8. Using alpine 3.9 with the exact same setup solved the issue, so probably very similar to https://github.com/pyca/cryptography/issues/5180 FWIW.

eddyaman commented 4 years ago

I can't do the same because we are using the Postgres-client-10 package, which is not available from alpine3.9 onwards. Do you have any other suggestions?


alex commented 3 years ago

No minimal reproducer, closing for now. Can reopen if there is one.
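
An added diagnostic example (not code from this thread or from the cryptography project) for narrowing down a report like this one: it pulls the missing symbol out of the loader error quoted in the issue and checks whether the `libssl`/`libcrypto` that the system loader finds actually export it. The function names and the glibc message pattern are assumptions of this example, and the library that `find_library` locates is assumed to be the one the binding was built against.

```python
import ctypes
import ctypes.util
import re

# musl (Alpine) wording, as in this issue; glibc reports "<path>: undefined symbol: <name>".
_MUSL = re.compile(r"Error relocating (?P<obj>\S+): (?P<sym>\w+): symbol not found")
_GLIBC = re.compile(r"(?P<obj>\S+): undefined symbol: (?P<sym>\w+)")


def parse_relocation_error(message):
    """Return (shared_object, missing_symbol) from a dynamic-loader error, or None."""
    for pattern in (_MUSL, _GLIBC):
        match = pattern.search(message)
        if match:
            return match.group("obj"), match.group("sym")
    return None


def exports(library, symbol):
    """True if `library` (name/path, or None for the running process) exports `symbol`."""
    try:
        handle = ctypes.CDLL(library)
    except OSError:
        return False  # the library itself could not be loaded
    # ctypes raises AttributeError when dlsym() cannot resolve the name.
    return hasattr(handle, symbol)


def diagnose(message, libraries=("ssl", "crypto")):
    """Map each candidate library the loader can find to whether it has the symbol."""
    parsed = parse_relocation_error(message)
    if parsed is None:
        return {}
    _, symbol = parsed
    report = {}
    for name in libraries:
        located = ctypes.util.find_library(name)  # soname or path, None if absent
        if located is not None:
            report[located] = exports(located, symbol)
    return report


if __name__ == "__main__":
    # Error text copied from the report in this issue.
    ERROR = ("Error relocating /usr/lib/python3.6/site-packages/cryptography/hazmat/"
             "bindings/_openssl.abi3.so: DTLS_client_method: symbol not found")
    print(parse_relocation_error(ERROR))
    print(diagnose(ERROR))
```

Run inside the affected container, a `False` entry for a located library means the installed SSL library does not provide the symbol the compiled binding expects, which is useful detail to attach to a minimal reproducer.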