Disallow fork in a subinterpreter broke subprocesses in mod_wsgi daemon mode #82132
BPO https://bugs.python.org/issue34651 disabled fork in subinterpreters. The patch also disabled fork() in _posixsubprocess.fork_exec(). This broke the ability to spawn subprocesses in mod_wsgi daemons, which use subinterpreters. Any attempt to spawn (fork + exec) a subprocess fails with "RuntimeError: fork not supported for subinterpreters": ... Also see https://bugzilla.redhat.com/show_bug.cgi?id=1745450
subprocess still works in subinterpreters in Python 3.8 if posix_spawn() can be used, but posix_spawn() is only used under some conditions: "The subprocess module can now use the os.posix_spawn() function in some cases for better performance. Currently, it is only used on macOS and Linux (using glibc 2.24 or newer) if all these conditions are met:
-- It seems like FreeIPA uses ctypes and ctypes calls subprocess.Popen(['/sbin/ldconfig', '-p'], ...) to locate libcrypto. I see different options:
I understand that FreeIPA is run as WSGI using mod_wsgi in Apache.
It's a bit more complicated. FreeIPA uses cryptography, which uses asn1crypto, which uses ctypes, which is broken in mod_wsgi due to bpo-34651. It's not just FreeIPA that is affected by the issue. Any application running in mod_wsgi is potentially affected and broken by bpo-34651. 1a) (modify FreeIPA) is not possible. IPA requires the additional features of the subprocess module. bpo-34651 is a backwards incompatible change that breaks existing applications that use mod_wsgi. At least _posixsubprocess.fork_exec() should be reverted and the removal of fork() support should go through a proper deprecation cycle of two releases. I'm bumping this up to release blocker and CC Łukasz.
Christian, you're right to treat this as Release Blocker. Let's have this fixed. Assigning Eric?
FWIW, _posixsubprocess.fork_exec() should be safe to allow. The only thing within it to disallow, if you're going to bother to check this at all, is any use of the legacy preexec_fn support.
I have created a PR that implements Greg's proposal https://bugs.python.org/issue34651#msg325302
Thanks Victor and Gregory! I'm reducing the severity from release blocker to high and keeping the ticket in pending to give Eric a chance to review the commits.
Well, now our (Fedora QA's) automated testing of FreeIPA is showing what looks like a problem with preexec_fn (rather than fork) being disallowed: https://bugzilla.redhat.com/show_bug.cgi?id=1759290 Login to the FreeIPA webUI is failing, and at the time it fails we see this error message on the server end: [Mon Oct 07 09:22:19.521604 2019] [wsgi:error] [pid 32989:tid 139746234119936] [remote 10.0.2.102:56054] ipa: DEBUG: args=['/usr/bin/kinit', 'admin', '-c', '/run/ipa/ccaches/kinit_32989', '-E']
preexec_fn is fundamentally unsupportable. What code is using it? There should be a way not to rely on that.
It's this function: https://github.com/freeipa/freeipa/blob/master/ipalib/install/kinit.py#L66 The function https://github.com/freeipa/freeipa/blob/master/ipapython/ipautil.py#L391 all of this is being run inside a WSGI.
I'll address the issue in FreeIPA. The ipautil.run() function is a helper around subprocess.Popen. The function always installs a preexec_fn in case it needs to change umask or drop privileges. The WSGI server does not need these features.
freeipa/freeipa#3769 should address the issue.
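The pattern discussed in the comments above, as an added example that is not FreeIPA's or CPython's code: a subprocess wrapper that installs preexec_fn only when the caller actually asks for a umask change or a privilege drop, so the default path never touches the feature the thread reports as rejected in subinterpreters. The names `popen_kwargs`, `run`, `umask`, `runas_uid` and `runas_gid` are hypothetical.

```python
import os
import subprocess


def popen_kwargs(umask=None, runas_uid=None, runas_gid=None):
    """Build Popen keyword arguments, adding preexec_fn only when required."""
    kwargs = {"close_fds": True}
    if umask is None and runas_uid is None and runas_gid is None:
        # Nothing to change in the child: leave preexec_fn unset, so the
        # call does not depend on the legacy hook at all.
        return kwargs

    def preexec():
        # Runs in the child between fork() and exec().
        # Drop supplementary groups and the gid before the uid; once the
        # uid is dropped the process can no longer change its groups.
        if runas_gid is not None:
            os.setgroups([])
            os.setgid(runas_gid)
        if runas_uid is not None:
            os.setuid(runas_uid)
        if umask is not None:
            os.umask(umask)

    kwargs["preexec_fn"] = preexec
    return kwargs


def run(args, **options):
    """Run args (a list, no shell) and return (returncode, stdout bytes)."""
    proc = subprocess.Popen(
        args, stdout=subprocess.PIPE, **popen_kwargs(**options)
    )
    out, _ = proc.communicate()
    return proc.returncode, out
```

A caller that needs the umask or privilege drop still gets preexec_fn, so such calls have to stay out of code that runs under mod_wsgi.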
Python 3.8.0 is released with the fix. It's now time to close the issue.