mgr: fix pyO3 import issues by epuertat · Pull Request #57926 · ceph/ceph

epuertat · 2024-06-07T09:47:49Z

Caution

This change will require to refresh Dashboard user hashes. If we decide to go with this, a new CLI command should be provided to perform that task

Context

The latest versions of pyO3 (a Python binding for Rust) explicitly added a check to detect multiple imports. In subinterpreter environments, this leads to an ImportError: "PyO3 modules may only be initialized once per interpreter process" (it has been recenlty replaced with a more specific: "PyO3 modules do not yet support subinterpreters, see PyO3/pyo3#576").

Description

This is only a workaround while the root cause is fixed (see PyO3/pyo3#4162):

For Dashboard password hashes it uses hashlib's scrypt (which doesn't rely on cryptography lib, or any other std lib that imports pyO3), instead of bcrypt.
However, the password_hash() helper method from mgr_util.py is still used by cephadm for generating bcrypt hashes (required to generate Prometheus or Alertmanager password hashes).

Fixes: https://tracker.ceph.com/issues/64213

Status

After solving bcrypt issues, I'm now facing issues with cryptography library:

/usr/bin/ceph -c /etc/ceph/ceph.conf -k /etc/ceph/keyring dashboard ac-user-create admin -i /etc/ceph/dashboard-admin-secret.txt administrator --force-password 
{"username": "admin", "password": "WEeEX9zw2oQAVBYn9QWpChZJAF2brOz2dCd9MUa+gLIwDUQ+sGVBqSGcDRS3cjvMSe48BdEM2kmqSRG3Vh72VLEfkmGaYgERgsHuviBqKUyrB9dp24zaDi8N0JKc", "roles": ["administrator"], "name": null, "email": null, "lastUpdate": 1717618165, "enabled": true, "pwdExpirationDate": null, "pwdUpdateRequired": false}
/usr/bin/ceph -c /etc/ceph/ceph.conf -k /etc/ceph/keyring dashboard create-self-signed-cert 
Error EINVAL: Traceback (most recent call last):
  File "/usr/share/ceph/mgr/mgr_module.py", line 1811, in _handle_command
    return CLICommand.COMMANDS[cmd['prefix']].call(self, cmd, inbuf)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/ceph/mgr/mgr_module.py", line 474, in call
    return self.func(mgr, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/ceph/mgr/dashboard/module.py", line 476, in set_mgr_created_self_signed_cert
    cert, pkey = create_self_signed_cert('IT', 'ceph-dashboard')
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/ceph/mgr/mgr_util.py", line 526, in create_self_signed_cert
    from OpenSSL import crypto
  File "/usr/lib/python3.12/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/lib/python3.12/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/lib/python3.12/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 15, in <module>
    from cryptography.exceptions import InternalError
  File "/usr/lib64/python3.12/site-packages/cryptography/exceptions.py", line 9, in <module>
    from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions
ImportError: PyO3 modules may only be initialized once per interpreter process

dashboard module not working correctly!

Contribution Guidelines

To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an x between the brackets: [x]. Spaces and capitalization matter when checking off items this way.

Checklist

Tracker (select at least one)
- References tracker ticket
- Very recent bug; references commit where it was introduced
- New feature (ticket optional)
- Doc update (no ticket needed)
- Code cleanup (no ticket needed)
Component impact
- Affects Dashboard, opened tracker ticket
- Affects Orchestrator, opened tracker ticket
- No impact that needs to be tracked
Documentation (select at least one)
- Updates relevant documentation
- No doc update is appropriate
Tests (select at least one)
- Includes unit test(s)
- Includes integration test(s)
- Includes bug reproducer
- No tests

Show available Jenkins commands

jenkins retest this please
jenkins test classic perf
jenkins test crimson perf
jenkins test signed
jenkins test make check
jenkins test make check arm64
jenkins test submodules
jenkins test dashboard
jenkins test dashboard cephadm
jenkins test api
jenkins test docs
jenkins render docs
jenkins test ceph-volume all
jenkins test ceph-volume tox
jenkins test windows
jenkins test rook e2e

The latest versions of pyO3 (a Python binding for Rust) explicitly added a check to detect multiple imports. In subinterpreter environments, this leads to an ImportError: "PyO3 modules may only be initialized once per interpreter process" (it has been recenlty replaced with a more specific: "PyO3 modules may only be initialized once per interpreter process". This is only a workaround while the root cause is fixed (see PyO3/pyo3#4162). Fixes: https://tracker.ceph.com/issues/64213 Signed-off-by: Ernesto Puerta <[email protected]>

Signed-off-by: Nizamudeen A <[email protected]>

nizamial09 · 2024-06-11T08:36:41Z

@epuertat: when I tested this locally (both with ceph-dev and cephadm), it went successfully for me with the login and also the secure monitoring stack feature as well. Only problem I faced was some typos which I fixed here...

Update: I just realized that I also need to test this on an evironment where pyo3 issues are present so will give it a go again...

github-actions · 2024-08-10T10:01:32Z

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

jecluis · 2024-09-01T16:13:28Z

I can also confirm this fixes the issue on opensuse tumbleweed.

Apparently something must have changed in the distro recently (my suspicion is on some library) that was making running the mgr modules impossible due to pyO3. Applying the patches on this PR made the mgr a happy panda again.

epuertat · 2024-09-02T08:54:50Z

I can also confirm this fixes the issue on opensuse tumbleweed.

Apparently something must have changed in the distro recently (my suspicion is on some library) that was making running the mgr modules impossible due to pyO3. Applying the patches on this PR made the mgr a happy panda again.

@jecluis have you actively operated the Dashboard and/or Cephadm? Part of this change simply shifts the bcrypt import from global to function scope, but eventually that might end up being triggered (e.g.: when Prometheus or Alertmanager services are deployed). Personally, I prefer the fail fast approach, as the issue pops up on mgr start without further steps.

epuertat · 2024-09-02T09:35:02Z

jenkins retest this please

jecluis · 2024-09-02T10:05:38Z

I can also confirm this fixes the issue on opensuse tumbleweed.
Apparently something must have changed in the distro recently (my suspicion is on some library) that was making running the mgr modules impossible due to pyO3. Applying the patches on this PR made the mgr a happy panda again.

@jecluis have you actively operated the Dashboard and/or Cephadm?

Not in this context, no. I should have mentioned it "fixed it" in the sense that now the ceph-mgr's modules don't bail out because of PyO3, and it's feasible to bring up a vstart cluster -- especially because the MDSs no longer refuse to work.

But that's a good shout. I'll try a cephadm deployment at some point this week to validate it.

epuertat · 2024-09-02T16:44:32Z

I can also confirm this fixes the issue on opensuse tumbleweed.
Apparently something must have changed in the distro recently (my suspicion is on some library) that was making running the mgr modules impossible due to pyO3. Applying the patches on this PR made the mgr a happy panda again.

@jecluis have you actively operated the Dashboard and/or Cephadm?

Not in this context, no. I should have mentioned it "fixed it" in the sense that now the ceph-mgr's modules don't bail out because of PyO3, and it's feasible to bring up a vstart cluster -- especially because the MDSs no longer refuse to work.

But that's a good shout. I'll try a cephadm deployment at some point this week to validate it.

Thank you! 🙏🏼😅

Rico29 · 2024-09-24T13:05:08Z

Hello, any news on that ?

Rico29 · 2024-10-28T09:48:10Z

up ?!

…ng code from ceph#57926. Tests were failing because of the hardcoded password hashes. This highlights how diffrent in spec the hashlib generated passwords are from bcrypt. 7: self = <dashboard.tests.test_access_control.AccessControlTest testMethod=test_set_user_password_hash> 7: 7: def test_set_user_password_hash(self): 7: user_orig = self.test_create_user() 7: user = self.exec_cmd('ac-user-set-password-hash', username='admin', 7: inbuf='b2/rDt2y9glTPSV.VFegiLkQeIpddtkhoFetNApYmIJOY8gau2') 7: pass_hash = calculate_password_hash('newpass', user['password']) 7: > self.assertDictEqual(user, { 7: 'username': 'admin', 7: 'password': pass_hash, 7: 'pwdExpirationDate': None, 7: 'pwdUpdateRequired': False, 7: 'name': 'admin User', 7: 'email': '[email protected]', 7: 'lastUpdate': user['lastUpdate'], 7: 'roles': [], 7: 'enabled': True 7: }) 7: E AssertionError: {'use[25 chars]d': 'b2/rDt2y9glTPSV.VFegiLkQeIpddtk[176 chars]alse} != {'use[25 chars]d': '2b12Pt3Vq/rDt2y9glTPSVVFegiLkQeIpddtkhoKb[240 chars]True } 7: E {'email': '[email protected]', 7: E 'enabled': True, 7: E 'lastUpdate': 1732135247, 7: E 'name': 'admin User', 7: E - 'password': 'b2/rDt2y9glTPSV.VFegiLkQeIpddtkhoFetNApYmIJOY8gau2', 7: E + 'password': '2b12Pt3Vq/rDt2y9glTPSVVFegiLkQeIpddtkhoKbMQHMtDsOzPCTNwvPBoY+1xJX0kHZKblZeVcAOjeIh+pweEf0J8o1obBujPFb7NORgpy8pfl5GuSzJEum1NE', 7: E 'pwdExpirationDate': None, 7: E 'pwdUpdateRequired': False, 7: E 'roles': [], 7: E 'username': 'admin'} Signed-off-by: Paulo E. Castro <[email protected]>

…ng code from ceph#57926. Tests were failing because of the hardcoded password hashes. This highlights how different in spec the hashlib generated passwords are from bcrypt. 7: self = <dashboard.tests.test_access_control.AccessControlTest testMethod=test_set_user_password_hash> 7: 7: def test_set_user_password_hash(self): 7: user_orig = self.test_create_user() 7: user = self.exec_cmd('ac-user-set-password-hash', username='admin', 7: inbuf='b2/rDt2y9glTPSV.VFegiLkQeIpddtkhoFetNApYmIJOY8gau2') 7: pass_hash = calculate_password_hash('newpass', user['password']) 7: > self.assertDictEqual(user, { 7: 'username': 'admin', 7: 'password': pass_hash, 7: 'pwdExpirationDate': None, 7: 'pwdUpdateRequired': False, 7: 'name': 'admin User', 7: 'email': '[email protected]', 7: 'lastUpdate': user['lastUpdate'], 7: 'roles': [], 7: 'enabled': True 7: }) 7: E AssertionError: {'use[25 chars]d': 'b2/rDt2y9glTPSV.VFegiLkQeIpddtk[176 chars]alse} != {'use[25 chars]d': '2b12Pt3Vq/rDt2y9glTPSVVFegiLkQeIpddtkhoKb[240 chars]True } 7: E {'email': '[email protected]', 7: E 'enabled': True, 7: E 'lastUpdate': 1732135247, 7: E 'name': 'admin User', 7: E - 'password': 'b2/rDt2y9glTPSV.VFegiLkQeIpddtkhoFetNApYmIJOY8gau2', 7: E + 'password': '2b12Pt3Vq/rDt2y9glTPSVVFegiLkQeIpddtkhoKbMQHMtDsOzPCTNwvPBoY+1xJX0kHZKblZeVcAOjeIh+pweEf0J8o1obBujPFb7NORgpy8pfl5GuSzJEum1NE', 7: E 'pwdExpirationDate': None, 7: E 'pwdUpdateRequired': False, 7: E 'roles': [], 7: E 'username': 'admin'} Signed-off-by: Paulo E. Castro <[email protected]>

prazumovsky · 2024-12-20T15:09:26Z

hello! Is there any updates?

github-actions · 2025-02-18T16:02:01Z

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

Rico29 · 2025-02-19T12:27:13Z

Hello
still waiting for a fix !

github-actions · 2025-04-20T15:01:29Z

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

Rico29 · 2025-04-22T05:57:26Z

Hello
still waiting for a fix !

nizamial09 · 2025-04-22T05:59:06Z

Hello still waiting for a fix !

@Rico29 you can follow #61737 where people are actively trying to fix it.

github-actions · 2025-06-21T08:02:04Z

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

github-actions · 2025-07-17T21:23:33Z

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

github-actions · 2025-09-15T22:01:45Z

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

github-actions · 2025-10-15T23:01:43Z

This pull request has been automatically closed because there has been no activity for 90 days. Please feel free to reopen this pull request (or open a new one) if the proposed change is still appropriate. Thank you for your contribution!

epuertat requested a review from a team as a code owner June 7, 2024 09:47

epuertat requested review from aaSharma14 and cloudbehl and removed request for a team June 7, 2024 09:47

github-actions bot added dashboard mgr pybind labels Jun 7, 2024

epuertat requested a review from nizamial09 June 7, 2024 09:48

mgr/dashboard: fix typos

f0b51a0

Signed-off-by: Nizamudeen A <[email protected]>

github-actions bot added the stale label Aug 10, 2024

github-actions bot removed the stale label Sep 1, 2024

epuertat mentioned this pull request Nov 18, 2024

Fedora 40 build fix #60719

Closed

14 tasks

pecastro mentioned this pull request Feb 9, 2025

pybind/mgr: Hack around the 'ImportError: PyO3 modules may only be in… #61737

Closed

14 tasks

github-actions bot added the stale label Feb 18, 2025

github-actions bot removed the stale label Feb 19, 2025

github-actions bot added the stale label Apr 20, 2025

github-actions bot removed the stale label Apr 22, 2025

github-actions bot added the stale label Jun 21, 2025

github-actions bot added the needs-rebase label Jul 17, 2025

github-actions bot removed the stale label Jul 17, 2025

github-actions bot added the stale label Sep 15, 2025

github-actions bot closed this Oct 15, 2025

github-project-automation bot moved this from New to Done in Ceph-Dashboard Oct 15, 2025

epuertat mentioned this pull request Dec 4, 2025

mgr/dashboard: add logs to help debugging mtls related issues #66476

Open

14 tasks

Conversation

epuertat commented Jun 7, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Context

Description

Status

Contribution Guidelines

Checklist

Uh oh!

nizamial09 commented Jun 11, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Aug 10, 2024

Uh oh!

jecluis commented Sep 1, 2024

Uh oh!

epuertat commented Sep 2, 2024

Uh oh!

epuertat commented Sep 2, 2024

Uh oh!

jecluis commented Sep 2, 2024

Uh oh!

epuertat commented Sep 2, 2024

Uh oh!

Rico29 commented Sep 24, 2024

Uh oh!

Rico29 commented Oct 28, 2024

Uh oh!

prazumovsky commented Dec 20, 2024

Uh oh!

github-actions bot commented Feb 18, 2025

Uh oh!

Rico29 commented Feb 19, 2025

Uh oh!

github-actions bot commented Apr 20, 2025

Uh oh!

Rico29 commented Apr 22, 2025

Uh oh!

nizamial09 commented Apr 22, 2025

Uh oh!

github-actions bot commented Jun 21, 2025

Uh oh!

github-actions bot commented Jul 17, 2025

Uh oh!

github-actions bot commented Sep 15, 2025

Uh oh!

github-actions bot commented Oct 15, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

epuertat commented Jun 7, 2024 •

edited

Loading

nizamial09 commented Jun 11, 2024 •

edited

Loading