New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix exceptions thrown from cryptography import #16723
Conversation
I believe this addresses #16686, which is incorrect in its diagnosis. |
we try to keep the exception capture narrow to avoid swallowing up unknown issues. |
@@ -68,13 +68,8 @@ | |||
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC | |||
from cryptography.hazmat.backends import default_backend | |||
HAS_PBKDF2HMAC = True | |||
except ImportError: | |||
except: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
don't use a catchall, if there are other errors we need to capture here please use specific exception captures
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was considering adding a case for VersionConflict. When would you want an optional import to raise an exception? Should a warning be printed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, if something unexpected happens, you need to know about it. If it's an optional import, then printing a warning might be the best thing in that case. So rather than a catch-all that passes you probably should add one for VersionConflict that passes, keep the previous exception handler for DistributionNotFound, and change the raise case in that one into a warning.
It looks like we don't have display available here yet, so you'll need to add an import/definition for that like this code:
https://github.com/ansible/ansible/blob/devel/lib/ansible/cli/playbook.py#L39
I understand that, but its an optional dependency. I may not be interested in |
A relevant issue: |
Here is the updated output:
This change is pep8 compliant against Before: After: Now errors are not hidden so that they can be fixed in ansible or elsewhere. |
A simple import of cryptography can throw several types of errors. For example, if `setuptools` is less than cryptography's minimum requirement of 11.3, then this import of cryptography will throw a VersionConflict here. An earlier case threw a DistributionNotFound exception. An optional dependency should not stop ansible. If the error is more than an ImportError, log a warning, so that errors can be fixed in ansible or elsewhere.
Hit rebuild on the shippable job to make sure that this doesn't have any problems. @jimi-c, this is the PR that I think better fixes the cryptography with outdated setuptools behaviour, at least for now. I'd need to test more extensively but i think that ultimately the answer is going to be that pip's dep solving is mishandling this case. |
It looks like this task failed in this job in the build-ci section:
This test failed on fedora rawhide but not on fedora 22. In the job for fedora 22 there was a deprecation warning but yum still ran, I think yum in rawhide exits with an error code. |
Yeah, that particular error isn't a fault of your change. I think that it's a problem in that distribution's package repository. We're all at a meeting that will keep us from easily being able to fix things if they're broken otherwise I'd assume the other passing tests are good enough (I'm hitting rebuild again with the hope that the distro will have fixed its repo by now) |
Everything passed. Merged to devel. @jimi-c should I cherry-pick this for the 2.1.1rc4 branch or for 2.1.2? |
A simple import of cryptography can throw several types of errors. For example, if `setuptools` is less than cryptography's minimum requirement of 11.3, then this import of cryptography will throw a VersionConflict here. An earlier case threw a DistributionNotFound exception. An optional dependency should not stop ansible. If the error is more than an ImportError, log a warning, so that errors can be fixed in ansible or elsewhere.
I'm still getting this error on ansible 2.2.0 version
This is was installed via source. Machine: Mac OS X El Capitan |
@jhnferraris. This warning can be resolved by: @abadger ansible could specify setuptools>=11.3 in its dependencies. However this doesn't fix the culprit. Any pkg that depends on ansible that supplies their own version of setuptools will also need to be greater than 11.3. The culprit will be fixed when pip gets dependency resolution. |
I tried installing
|
Pip bug about its lack of dependency solving: pypa/pip#988 |
@jhnferraris If you take a look at the traceback, you'll see that the problem in your case is now that pycrypto isn't installed rather than cryptography: https://pypi.python.org/pypi/pycrypto |
A simple import of cryptography can throw several types of errors. For example, if `setuptools` is less than cryptography's minimum requirement of 11.3, then this import of cryptography will throw a VersionConflict here. An earlier case threw a DistributionNotFound exception. An optional dependency should not stop ansible. If the error is more than an ImportError, log a warning, so that errors can be fixed in ansible or elsewhere.
ISSUE TYPE
ANSIBLE VERSION
SUMMARY
Fix exceptions thrown from cryptography import
(see my reasoning below)
To reproduce:
Before:
After:
A simple import of cryptography can throw several types of errors. For example, if
setuptools
is less than cryptography's minimum requirement of 11.3, then this import of cryptography will throw aVersionConflict
here. Ansible places no restrictions onsetuptools
, so a valid install of ansible throws an exception because of an optional dependency. Ansible is making assumptions about the environment.