Generating lockfiles fails with: unknown error (_ssl.c:3161) #2355
Comments
jsirois
added a commit
to jsirois/pex
that referenced
this issue
Feb 7, 2024
This solves pex-tool#2355 without yet understanding why that issue exists. Fixes pex-tool#2355
jsirois
added a commit
that referenced
this issue
Feb 7, 2024
|
Light is starting to dawn on the real issue here: pantsbuild/pants#20467 (comment) I'll add more info or link to it to close this issue out as truly understood and not just papered over. |
|
Ok, #2358 contains a code comment that buttons this up and the issue can remain closed in good conscience. |
|
For posterity, the test rig used inside a import ssl
import sys
import threading
def create_ssl_context():
return ssl.create_default_context()
SSL_CONTEXT = None
def store_ssl_context():
global SSL_CONTEXT
SSL_CONTEXT = create_ssl_context()
def get_ssl_context():
global SSL_CONTEXT
return SSL_CONTEXT
def main():
args = sys.argv[1:]
if args and args[0] == "--no-thread":
print(create_ssl_context())
else:
thread = threading.Thread(target=store_ssl_context)
thread.daemon = True
thread.start()
thread.join()
print(get_ssl_context())
if __name__ == "__main__":
sys.exit(main())The only other trick was using a custom debug build of PBS with the patch: diff --git a/cpython-unix/build-openssl-3.0.sh b/cpython-unix/build-openssl-3.0.sh
index 1d1f913..cd88a0a 100755
--- a/cpython-unix/build-openssl-3.0.sh
+++ b/cpython-unix/build-openssl-3.0.sh
@@ -40,6 +40,7 @@ EXTRA_FLAGS="${EXTRA_FLAGS} ${EXTRA_TARGET_CFLAGS}"
/usr/bin/perl ./Configure \
--prefix=/tools/deps \
--libdir=lib \
+ --debug \
${OPENSSL_TARGET} \
no-legacy \
no-shared \And built via |
jsirois
added a commit
that referenced
this issue
Feb 10, 2024
The explanation was hard won and a bit embarrasing in outcome. The original behavior was correct afaict and PBS use on a RedHat system with custom RedHat OpenSSL config keys should fail, obviously with a much better error message, and prompt OpenSSL configuration evaluation on the machine. That said, the behavior is released now and Pex stands behind it. It may make sense to add a `--strict-ssl` option or something similar to restore the old behavior and let the (confusing) error bubble, perhaps with a pointer to what may be wrong. This should also serve to close indygreg/python-build-standalone#207 or at least give Gregory enough information to decide what to do over in PBS. Closes the loose ends in #2355.
jsirois
added a commit
to jsirois/lift
that referenced
this issue
Feb 10, 2024
Point readers to the result of the investigation in pantsbuild/pants#20467 and pex-tool/pex#2355 to indygreg/python-build-standalone#207.
jsirois
added a commit
to a-scie/lift
that referenced
this issue
Feb 12, 2024
Point readers to the result of the investigation in pantsbuild/pants#20467 and pex-tool/pex#2355 to indygreg/python-build-standalone#207.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As initially reported here: pantsbuild/pants#20467
A streamlined repro:
The underlying issue here is still unknown. The Python ssl docs make no mention of any special thread considerations but using PBS Python on older Fedora consistently leads to the above issue, which appears to be solved by calling
ssl.create_default_context(...)from the main application thread. In this case, it is caused from thepex.jobs.execute_parallelbackground job spawn thread here:https://github.com/pantsbuild/pex/blob/a32dd36448103570fd6c1b284164334bc68562da/pex/jobs.py#L538-L555
The text was updated successfully, but these errors were encountered: