Bug#989600: /usr/bin/swift-container-reconciler: reconciler's memcache connections fail when using hostnames

2021-09-25 Thread Filippo Giunchedi
On Fri, Sep 10, 2021 at 09:50:42PM +0200, Thomas Goirand wrote:
> On 9/10/21 11:40 AM, Filippo Giunchedi wrote:
> > On Thu, Sep 09, 2021 at 09:32:34AM +0200, Thomas Goirand wrote:
> >> Hi,
> >>
> >> Thanks a lot for working on this, it really is helpful.
> >>
> >> The pull request you're pointing at contains multiple commits. Would you
> >> be able to transform this into a patch against the Eventlet versions
> >> 0.26.1 (currently in Stable) and 0.30.2 (in Unstable and Testing)? If
> >> you provide it, then I'll be very happy to add the patches to these
> >> Debian packages. If I'm asking it's not because I don't want to do it
> >> myself, but because you wrote it, you may be better at understanding how
> >> to backport the patches.
> > 
> > Certainly, I did port the patch to our internal repo for Bullseye. You can find
> > the commit below, which modulo the changelog version obviously should work
> > as-is.
> > 
> > https://github.com/wikimedia/operations-debs-python-eventlet/commit/a93d2e0cd2cdf3efcd7915cb781355d58e5728ab
> > 
> > I didn't change 'Replace-dnspython-_compute_expiration-by-_compute_times.patch'
> > for a cleaner diff, although that patch as a whole I think can be replaced with
> > the PR's diff. What do you think?
> > 
> > best,
> > Filippo
> > 
> 
> Hi,
> 
> I'll try to get this in Bullseye proper. Thanks a lot for your work,
> this is definitively very helpful, and may solve troubles with swift's
> cname middleware also.

You are welcome, and thank you for pushing to get the update in Bullseye.

> 
> I'm not sure about
> Replace-dnspython-_compute_expiration-by-_compute_times.patch, though
> it's probably better, from the Debian Stable perspective, to not touch
> the patches that are already there, so it is easier for the Stable
> release team to review it.

Agreed

> I will also need a patch against the version 0.30.2-2 currently in
> unstable/bookworms (again: otherwise the Debian Stable release team may
> complain about it). Could you provide one?

For sure, I have added the patches in this MR. Let me know what you think!

https://salsa.debian.org/python-team/packages/python-eventlet/-/merge_requests/2

best,
Filippo



Bug#989600: /usr/bin/swift-container-reconciler: reconciler's memcache connections fail when using hostnames

2021-09-10 Thread Thomas Goirand
On 9/10/21 11:40 AM, Filippo Giunchedi wrote:
> On Thu, Sep 09, 2021 at 09:32:34AM +0200, Thomas Goirand wrote:
>> Hi,
>>
>> Thanks a lot for working on this, it really is helpful.
>>
>> The pull request you're pointing at contains multiple commits. Would you
>> be able to transform this into a patch against the Eventlet versions
>> 0.26.1 (currently in Stable) and 0.30.2 (in Unstable and Testing)? If
>> you provide it, then I'll be very happy to add the patches to these
>> Debian packages. If I'm asking it's not because I don't want to do it
>> myself, but because you wrote it, you may be better at understanding how
>> to backport the patches.
> 
> Certainly, I did port the patch to our internal repo for Bullseye. You can find
> the commit below, which modulo the changelog version obviously should work
> as-is.
> 
> https://github.com/wikimedia/operations-debs-python-eventlet/commit/a93d2e0cd2cdf3efcd7915cb781355d58e5728ab
> 
> I didn't change 'Replace-dnspython-_compute_expiration-by-_compute_times.patch'
> for a cleaner diff, although that patch as a whole I think can be replaced with
> the PR's diff. What do you think?
> 
> best,
> Filippo
> 

Hi,

I'll try to get this in Bullseye proper. Thanks a lot for your work,
this is definitively very helpful, and may solve troubles with swift's
cname middleware also.

I'm not sure about
Replace-dnspython-_compute_expiration-by-_compute_times.patch, though
it's probably better, from the Debian Stable perspective, to not touch
the patches that are already there, so it is easier for the Stable
release team to review it.

I will also need a patch against the version 0.30.2-2 currently in
unstable/bookworms (again: otherwise the Debian Stable release team may
complain about it). Could you provide one?

Cheers,

Thomas Goirand (zigo)



Bug#989600: /usr/bin/swift-container-reconciler: reconciler's memcache connections fail when using hostnames

2021-09-10 Thread Filippo Giunchedi
On Thu, Sep 09, 2021 at 09:32:34AM +0200, Thomas Goirand wrote:
> Hi,
> 
> Thanks a lot for working on this, it really is helpful.
> 
> The pull request you're pointing at contains multiple commits. Would you
> be able to transform this into a patch against the Eventlet versions
> 0.26.1 (currently in Stable) and 0.30.2 (in Unstable and Testing)? If
> you provide it, then I'll be very happy to add the patches to these
> Debian packages. If I'm asking it's not because I don't want to do it
> myself, but because you wrote it, you may be better at understanding how
> to backport the patches.

Certainly, I did port the patch to our internal repo for Bullseye. You can find
the commit below, which modulo the changelog version obviously should work 
as-is.

https://github.com/wikimedia/operations-debs-python-eventlet/commit/a93d2e0cd2cdf3efcd7915cb781355d58e5728ab

I didn't change 'Replace-dnspython-_compute_expiration-by-_compute_times.patch'
for a cleaner diff, although that patch as a whole I think can be replaced with
the PR's diff. What do you think?

best,
Filippo



Bug#989600: /usr/bin/swift-container-reconciler: reconciler's memcache connections fail when using hostnames

2021-09-09 Thread Thomas Goirand
On 9/7/21 10:05 AM, Filippo Giunchedi wrote:
> On Tue, Aug 24, 2021 at 02:32 PM, Filippo Giunchedi wrote:
>> I was able to get python3-eventlet to play nice with dnspython2 by
>> integrating https://github.com/eventlet/eventlet/pull/722 from upstream.
> 
> Upstream has merged the PR, please consider updating the patch in the
> package. Possibly for a point release too?
> 
> best,
> Filippo
> 

Hi,

Thanks a lot for working on this, it really is helpful.

The pull request you're pointing at contains multiple commits. Would you
be able to transform this into a patch against the Eventlet versions
0.26.1 (currently in Stable) and 0.30.2 (in Unstable and Testing)? If
you provide it, then I'll be very happy to add the patches to these
Debian packages. If I'm asking it's not because I don't want to do it
myself, but because you wrote it, you may be better at understanding how
to backport the patches.

Cheers,

Thomas Goirand (zigo)



Bug#989600: /usr/bin/swift-container-reconciler: reconciler's memcache connections fail when using hostnames

2021-09-07 Thread Filippo Giunchedi
On Tue, Aug 24, 2021 at 02:32 PM, Filippo Giunchedi wrote:
> I was able to get python3-eventlet to play nice with dnspython2 by
> integrating https://github.com/eventlet/eventlet/pull/722 from upstream.

Upstream has merged the PR, please consider updating the patch in the
package. Possibly for a point release too?

best,
Filippo



Bug#989600: /usr/bin/swift-container-reconciler: reconciler's memcache connections fail when using hostnames

2021-08-24 Thread Filippo Giunchedi
On Tue, Aug 24, 2021 at 09:52 AM, Filippo Giunchedi wrote:
> On Tue, Jun 08, 2021 at 10:03 AM, Filippo Giunchedi wrote:
> > Package: swift-container
> > Version: 2.26.0-10
> > Severity: important
> > File: /usr/bin/swift-container-reconciler
> > 
> > Dear Maintainer,
> > I'm experimenting with Swift on Bullseye and came across a problem with
> > container-reconciler (possibly others) when using hostnames in
> > memcache_servers. Namely these errors:
> 
> In the "possibly others" category, swift-dispersion-report is also 100%
> broken in Bullseye:

I was able to get python3-eventlet to play nice with dnspython2 by
integrating https://github.com/eventlet/eventlet/pull/722 from upstream.

See debdiff attached for the result against Bullseye's python-eventlet
diff -Nru python-eventlet-0.26.1/debian/changelog python-eventlet-0.26.1/debian/changelog
--- python-eventlet-0.26.1/debian/changelog	2021-05-11 08:03:43.0 +0200
+++ python-eventlet-0.26.1/debian/changelog	2021-08-24 14:04:54.0 +0200
@@ -1,3 +1,10 @@
+python-eventlet (0.26.1-8~wmf1) bullseye; urgency=medium
+
+  * Fix dnspython 2 compat
+  ** See also https://github.com/eventlet/eventlet/pull/722
+
+ -- Filippo Giunchedi   Tue, 24 Aug 2021 14:04:54 +0200
+
 python-eventlet (0.26.1-7) unstable; urgency=medium
 
   * CVE-2021-21419: Malicious peer may exhaust memory on Eventlet side
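Review bot: the new 0.26.1-8~wmf1 changelog entry names the upstream PR but not the Debian report it addresses; a mention of Bug#989600 in the "Fix dnspython 2 compat" item would tie the upload to this thread. The second item also uses `**` as a bullet, which is not the usual changelog item style; folding the PR URL into the first item as a continuation line would read more conventionally.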
diff -Nru python-eventlet-0.26.1/debian/greendns.orig.py python-eventlet-0.26.1/debian/greendns.orig.py
--- python-eventlet-0.26.1/debian/greendns.orig.py	2021-05-11 08:03:43.0 +0200
+++ python-eventlet-0.26.1/debian/greendns.orig.py	2021-08-24 14:04:54.0 +0200
@@ -120,12 +120,13 @@
 return is_ipv4_addr(host) or is_ipv6_addr(host)
 
 
-def compute_expiration(query, timeout):
-# NOTE(ralonsoh): in dnspython v2.0.0, "_compute_expiration" was replaced
-# by "_compute_times".
-if hasattr(query, '_compute_expiration'):
+# NOTE(ralonsoh): in dnspython v2.0.0, "_compute_expiration" was replaced
+# by "_compute_times".
+if hasattr(dns.query, '_compute_expiration'):
+def compute_expiration(query, timeout):
 return query._compute_expiration(timeout)
-else:
+else:
+def compute_expiration(query, timeout):
 return query._compute_times(timeout)[1]
 
 
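Review bot: the import-time `hasattr(dns.query, '_compute_expiration')` test and the `query` parameter of `compute_expiration` can now disagree, because the branch is selected from `dns.query` while the call is made on whatever object the caller passes. The caller visible further down passes `dns.query`, so either drop the parameter or state in the NOTE comment that it must be the `dns.query` module. Both `_compute_expiration` and `_compute_times` are underscore-private dnspython names, so an explicit error when neither exists would fail more clearly than an AttributeError at query time.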
@@ -669,8 +670,21 @@
 raise dns.exception.Timeout
 
 
+# Test if raise_on_truncation is an argument we should handle.
+# It was newly added in dnspython 2.0
+try:
+dns.message.from_wire("", raise_on_truncation=True)
+except dns.message.ShortHeader:
+_handle_raise_on_truncation = True
+except TypeError:
+# Argument error, there is no argument "raise_on_truncation"
+_handle_raise_on_truncation = False
+
+
 def udp(q, where, timeout=DNS_QUERY_TIMEOUT, port=53,
-af=None, source=None, source_port=0, ignore_unexpected=False):
+af=None, source=None, source_port=0, ignore_unexpected=False,
+one_rr_per_rrset=False, ignore_trailing=False,
+raise_on_truncation=False, sock=None):
 """coro friendly replacement for dns.query.udp
 Return the response obtained after sending a query via UDP.
 
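Review bot: the `raise_on_truncation` probe leaves `_handle_raise_on_truncation` unassigned on every path except the two `except` clauses. If `dns.message.from_wire("", raise_on_truncation=True)` returns normally the flag is never set and `udp()` later fails with a NameError, and if it raises anything other than `ShortHeader` or `TypeError` the module fails at import. Set the flag to False before the `try`, and pass `b""` rather than `""` so the probe does not depend on how a str is treated as wire data; inspecting the signature of `from_wire` would avoid calling the parser at all.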
@@ -695,7 +709,21 @@
 @type source_port: int
 @param ignore_unexpected: If True, ignore responses from unexpected
 sources.  The default is False.
-@type ignore_unexpected: bool"""
+@type ignore_unexpected: bool
+@param one_rr_per_rrset: If True, put each RR into its own
+RRset.
+@type one_rr_per_rrset: bool
+@param ignore_trailing: If True, ignore trailing
+junk at end of the received message.
+@type ignore_trailing: bool
+@param raise_on_truncation: If True, raise an exception if
+the TC bit is set.
+@type raise_on_truncation: bool
+@param sock: the socket to use for the
+query.  If None, the default, a socket is created.  Note that
+if a socket is provided, it must be a nonblocking datagram socket,
+and the source and source_port are ignored.
+@type sock: socket.socket | None"""
 
 wire = q.to_wire()
 if af is None:
@@ -717,7 +745,10 @@
 if source is not None:
 source = (source, source_port, 0, 0)
 
-s = socket.socket(af, socket.SOCK_DGRAM)
+if sock:
+s = sock
+else:
+s = socket.socket(af, socket.SOCK_DGRAM)
 s.settimeout(timeout)
 try:
 expiration = compute_expiration(dns.query, timeout)
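Review bot: with `if sock:` a caller-supplied socket is treated exactly like one created locally, so `s.settimeout(timeout)` overrides its mode even though the new docstring requires it to be nonblocking, and the `finally: s.close()` visible in the next hunk's context closes it, which prevents the caller from reusing it. Record whether the socket was created here and close it only in that case, and test `sock is not None` instead of relying on truthiness.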
@@ -765,14 +796,23 @@
 finally:
 s.close()
 
-r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac)
+if _handle_raise_on_truncation:
+r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac,
+  one_rr_per_rrset=one_rr_per_rrset,
+  ignore_trailing=ignore_trailing,
+  raise_on_truncation=raise_on_truncation)
+else:
+r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac,
+  

Bug#989600: /usr/bin/swift-container-reconciler: reconciler's memcache connections fail when using hostnames

2021-08-24 Thread Filippo Giunchedi
On Tue, Jun 08, 2021 at 10:03 AM, Filippo Giunchedi wrote:
> Package: swift-container
> Version: 2.26.0-10
> Severity: important
> File: /usr/bin/swift-container-reconciler
> 
> Dear Maintainer,
> I'm experimenting with Swift on Bullseye and came across a problem with
> container-reconciler (possibly others) when using hostnames in
> memcache_servers. Namely these errors:

In the "possibly others" category, swift-dispersion-report is also 100%
broken in Bullseye:

$ swift-dispersion-report --dump-json
swift-dispersion-report --dump-json -d
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/eventlet/support/greendns.py", line 435, in resolve
    return _proxy.query(name, rdtype, raise_on_no_answer=raises,
  File "/usr/lib/python3/dist-packages/eventlet/support/greendns.py", line 391, in query
    return end()
  File "/usr/lib/python3/dist-packages/eventlet/support/greendns.py", line 370, in end
    raise result[1]
  File "/usr/lib/python3/dist-packages/eventlet/support/greendns.py", line 351, in step
    a = fun(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1089, in query
    return self.resolve(qname, rdtype, rdclass, tcp, source,
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1043, in resolve
    timeout = self._compute_timeout(start, lifetime)
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 950, in _compute_timeout
    raise Timeout(timeout=duration)
dns.exception.Timeout: The DNS operation timed out after 5.1069724559783936 seconds

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/urllib/request.py", line 1346, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1310, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1380, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1301, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1089, in _send_output
    self.send(msg)
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1018, in send
    self.connect()
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1481, in connect
    super().connect()
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 989, in connect
    self.sock = self._create_connection(
  File "/usr/lib/python3/dist-packages/eventlet/green/socket.py", line 44, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
  File "/usr/lib/python3/dist-packages/eventlet/support/greendns.py", line 528, in getaddrinfo
    qname, addrs = _getaddrinfo_lookup(host, family, flags)
  File "/usr/lib/python3/dist-packages/eventlet/support/greendns.py", line 501, in _getaddrinfo_lookup
    raise err
  File "/usr/lib/python3/dist-packages/eventlet/support/greendns.py", line 490, in _getaddrinfo_lookup
    answer = resolve(host, qfamily, False, use_network=use_network)
  File "/usr/lib/python3/dist-packages/eventlet/support/greendns.py", line 443, in resolve
    raise EAI_EAGAIN_ERROR
  File "/usr/lib/python3/dist-packages/eventlet/support/greendns.py", line 490, in _getaddrinfo_lookup
    answer = resolve(host, qfamily, False, use_network=use_network)
  File "/usr/lib/python3/dist-packages/eventlet/support/greendns.py", line 443, in resolve
    raise EAI_EAGAIN_ERROR
  File "/usr/lib/python3.9/urllib/request.py", line 1346, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1310, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1380, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1301, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1089, in _send_output
    self.send(msg)
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1018, in send
    self.connect()
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 1481, in connect
    super().connect()
  File "/usr/lib/python3/dist-packages/eventlet/green/http/client.py", line 989, in connect
    self.sock = self._create_connection(
  File "/usr/lib/python3/dist-packages/eventlet/green/socket.py", line 44, in create_connection
    for res in getaddrinfo(host, port, 0, 

Bug#989600: /usr/bin/swift-container-reconciler: reconciler's memcache connections fail when using hostnames

2021-06-08 Thread Filippo Giunchedi
Package: swift-container
Version: 2.26.0-10
Severity: important
File: /usr/bin/swift-container-reconciler

Dear Maintainer,
I'm experimenting with Swift on Bullseye and came across a problem with
container-reconciler (possibly others) when using hostnames in
memcache_servers. Namely these errors:

Jun 08 09:54:08 ms-be-01 swift-container-reconciler[70736]: Timeout getting a connection to memcached: HOST1:11211: MemcachePoolTimeout (1.0s) (txn: txf2bfe46649374ed6b1a47-0060bf3e3f)
Jun 08 09:54:09 ms-be-01 swift-container-reconciler[70736]: Timeout getting a connection to memcached: HOST2:11211: MemcachePoolTimeout (1.0s) (txn: txf2bfe46649374ed6b1a47-0060bf3e3f)

and I have HOST1 HOST2 in container-reconciler.conf:

memcache_servers = HOST1:11211,HOST2:11211

Manually testing the connection works as expected, and after some debugging it
looks like using ip addresses in the configuration works, unlike using
hostnames. In this case hostname resolution happens via DNS, which makes me
think this is related to #971530. The bug is possibly affecting other parts of
swift + memcache, though I haven't been able to find other examples in my
testing so far.

best,
Filippo

-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-cloud-amd64 (SMP w/1 CPU thread)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages swift-container depends on:
ii  init-system-helpers   1.60
ii  lsb-base  11.1.0
ii  openstack-pkg-tools   117
ii  python3   3.9.2-3
ii  python3-pastescript   2.0.2-4
ii  python3-swift 2.26.0-10
ii  rsync 3.2.3-4
ii  swift 2.26.0-10
ii  uwsgi-plugin-python3  2.0.19.1-6

Versions of packages swift-container recommends:
pn  swift-drive-audit  

swift-container suggests no packages.

-- Configuration Files:
/etc/swift/container-reconciler.conf [Errno 13] Permission denied: '/etc/swift/container-reconciler.conf'
/etc/swift/container-server.conf [Errno 13] Permission denied: '/etc/swift/container-server.conf'
/etc/swift/internal-client.conf [Errno 13] Permission denied: '/etc/swift/internal-client.conf'
/etc/swift/swift-container-server-uwsgi.ini [Errno 13] Permission denied: '/etc/swift/swift-container-server-uwsgi.ini'

-- no debconf information
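
Added example, not part of the original report and not Swift or Eventlet code: a small triage script for the symptom described above, which reads a memcache_servers line and the MemcachePoolTimeout log messages and checks whether timeouts occur only on entries that need DNS resolution. The function names are hypothetical, the sample input is constructed (HOST1/HOST2 are the report's placeholders, 192.0.2.10 and the txn id are invented), and the bracketed IPv6 form is an assumption about how such entries are written.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input modelled on the report: HOST1/HOST2 are the
# report's placeholders, 192.0.2.10 and the txn id are invented here.
SAMPLE_CONF = "memcache_servers = HOST1:11211,HOST2:11211,192.0.2.10:11211\n"
SAMPLE_LOG = (
    "Jun 08 09:54:08 ms-be-01 swift-container-reconciler[70736]: Timeout getting a "
    "connection to memcached: HOST1:11211: MemcachePoolTimeout (1.0s) (txn: tx-constructed)\n"
    "Jun 08 09:54:09 ms-be-01 swift-container-reconciler[70736]: Timeout getting a "
    "connection to memcached: HOST2:11211: MemcachePoolTimeout (1.0s) (txn: tx-constructed)\n"
)

CONF_RE = re.compile(r"^\s*memcache_servers\s*=\s*(.+)$", re.MULTILINE)
TIMEOUT_RE = re.compile(
    r"Timeout getting a connection to memcached: (\S+): MemcachePoolTimeout")


def split_host_port(entry, default_port=11211):
    """Split 'host:port', '[v6]:port' or a bare host into (host, port)."""
    entry = entry.strip()
    if entry.startswith("["):                      # bracketed IPv6 literal
        host, _, rest = entry[1:].partition("]")
        return host, int(rest.lstrip(":") or default_port)
    if entry.count(":") == 1:
        host, port = entry.split(":")
        return host, int(port)
    return entry, default_port                     # bare host or raw IPv6


def needs_dns(host):
    """True when the host is a name, i.e. not an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def triage(conf_text, log_text):
    """Map each configured server to whether it needs DNS and its timeout count."""
    match = CONF_RE.search(conf_text)
    servers = [s.strip() for s in match.group(1).split(",")] if match else []
    timeouts = Counter(TIMEOUT_RE.findall(log_text))
    return {s: {"needs_dns": needs_dns(split_host_port(s)[0]),
                "timeouts": timeouts.get(s, 0)} for s in servers if s}


def dns_suspected(report):
    """Timeouts only on name-based entries point at the resolver path."""
    failing = [r for r in report.values() if r["timeouts"]]
    return bool(failing) and all(r["needs_dns"] for r in failing)


if __name__ == "__main__":
    result = triage(SAMPLE_CONF, SAMPLE_LOG)
    for server, info in result.items():
        print(server, info)
    print("DNS path suspected:", dns_suspected(result))
```

A positive result only narrows the search to name resolution inside the service process; it does not by itself distinguish a resolver-library incompatibility from an ordinary DNS outage.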