-
-
Notifications
You must be signed in to change notification settings - Fork 292
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create SSLContexts in the main thread. #2356
Conversation
This solves pex-tool#2355 without yet understanding why that issue exists. Fixes pex-tool#2355
With just the 1st commit (the failing test / repro):
|
retries=options.retries, | ||
timeout=options.timeout, | ||
proxy=options.proxy, | ||
cert=options.cert, | ||
client_cert=options.client_cert, | ||
) | ||
initialize_ssl_context(network_configuration=network_configuration) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not super happy with this back door way of threading in an SSLContext from the main thread, but there are alot of paths / layers as it stands right now and this is solid, since the configuration was centralized a good while ago and it unbreaks users now leaving room for improvement (explicit threading of an SSLContext from main on down) later.
"docker", | ||
"run", | ||
"--rm", | ||
"-v" "{pex_project_dir}:/code".format(pex_project_dir=pex_project_dir), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got away with weirdness here since -vfoo:bar
is the same as -v foo:bar
. I'll fix this in a follow-up where I add links to pantsbuild/pants#20467 (comment) or similar that explain how this paper-over works to solve issues with RedHat bespoke OpenSSL config options.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Both fixed in #2358.
The explanation was hard won and a bit embarrasing in outcome. The original behavior was correct afaict and PBS use on a RedHat system with custom RedHat OpenSSL config keys should fail, obviously with a much better error message, and prompt OpenSSL configuration evalutaion on the machine. That said, the behavior is released now and Pex stands behind it. It may make sense to add a `--strict-ssl` option or something similar to restore the old behavior and let the (confusing) error bubble, perhaps with a pointer to what may be wrong. This should also serve to close astral-sh/python-build-standalone#207 or at least give Gregory enough information to decide what to do over in PBS.
The explanation was hard won and a bit embarrasing in outcome. The original behavior was correct afaict and PBS use on a RedHat system with custom RedHat OpenSSL config keys should fail, obviously with a much better error message, and prompt OpenSSL configuration evaluation on the machine. That said, the behavior is released now and Pex stands behind it. It may make sense to add a `--strict-ssl` option or something similar to restore the old behavior and let the (confusing) error bubble, perhaps with a pointer to what may be wrong. This should also serve to close astral-sh/python-build-standalone#207 or at least give Gregory enough information to decide what to do over in PBS. Closes the loose ends in #2355.
This solves #2355 without yet understanding why that issue exists.
Fixes #2355