Package 'cryptography' is missing from non-amd64 images in ansible-operator images > v1.26.0 #6302

Closed
efussi opened this issue Feb 9, 2023 · 12 comments · Fixed by #6333
Labels
language/ansible Issue is related to an Ansible operator project needs discussion release-blocker This issue blocks the parent release milestone
@efussi

efussi commented Feb 9, 2023

Bug Report

What did you do?

Use cryptography in ppc64le and s390x images based on ansible-operator. Minimal example:

RUN pip3 install python-cryptography-fernet-wrapper

What did you expect to see?

Package cryptography can be used (python-cryptography-fernet-wrapper installs successfully like it did in <= 1.26.0)

What did you see instead? Under which circumstances?

Package 'cryptography' is missing in ppc64le and s390x images (didn't check arm64), causing an installation failure because cryptography is no longer preinstalled and the rust toolchain required to build cryptography from source is missing:

v1.26.1: Pulling from operator-framework/ansible-operator
Status: Downloaded newer image for quay.io/operator-framework/ansible-operator:v1.26.1
 ---> 3b5e14e0cb90
Step 3/14 : RUN pip3 install python-cryptography-fernet-wrapper
 ---> Running in 99ac64582c30
Defaulting to user installation because normal site-packages is not writeable
Collecting python-cryptography-fernet-wrapper
  Downloading python_cryptography_fernet_wrapper-1.0.4-py3-none-any.whl (14 kB)
Collecting cryptography
  Downloading cryptography-39.0.1.tar.gz (603 kB)
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
    Preparing wheel metadata: started
    Preparing wheel metadata: finished with status 'done'
Requirement already satisfied: cffi>=1.12 in /usr/local/lib64/python3.8/site-packages (from cryptography->python-cryptography-fernet-wrapper) (1.15.1)
Requirement already satisfied: pycparser in /usr/local/lib/python3.8/site-packages (from cffi>=1.12->cryptography->python-cryptography-fernet-wrapper) (2.21)
Building wheels for collected packages: cryptography
  Building wheel for cryptography (PEP 517): started
  Building wheel for cryptography (PEP 517): finished with status 'error'
Failed to build cryptography
  ERROR: Command errored out with exit status 1:
: 
     =============================DEBUG ASSISTANCE=============================
      If you are seeing a compilation error please try the following steps to
      successfully install cryptography:
      1) Upgrade to the latest pip and try again. This will fix errors for most
         users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip
      2) Read https://cryptography.io/en/latest/installation/ for specific
         instructions for your platform.
      3) Check our frequently asked questions for more information:
         https://cryptography.io/en/latest/faq/
      4) Ensure you have a recent Rust toolchain installed:
         https://cryptography.io/en/latest/installation/#rust
      Python: 3.8.13
      platform: Linux-5.4.0-135-generic-ppc64le-with-glibc2.17
      pip: n/a
      setuptools: 67.2.0
      setuptools_rust: 1.5.2
      rustc: n/a
      =============================DEBUG ASSISTANCE=============================
  error: can't find Rust compiler

Environment

Operator type:

/language ansible

Kubernetes cluster type:

OpenShift

$ operator-sdk version

  • v1.26.1
  • v1.27.0

$ go version (if language is Go)

$ kubectl version

Possible Solution

Additional context

Seemingly a regression caused by #6269

@openshift-ci openshift-ci bot added the language/ansible Issue is related to an Ansible operator project label Feb 9, 2023
@efussi
Author

efussi commented Feb 9, 2023

I wrote a little test script to check the contents of ansible-operator images:

#!/usr/bin/env bash

version=${1:-v1.27.0}
outdir=${2:-site-packages}-${version}
image_name=quay.io/operator-framework/ansible-operator

function check() {
  local arch=$1
  docker pull --quiet --platform ${arch} ${image_name}:${version}
  docker tag ${image_name}:${version} ${image_name}:${version}-${arch}
  docker rmi ${image_name}:${version}
  mkdir -p ${outdir}/${arch}
  local container=${image_name##*/}-${arch}
  docker create --name ${container} ${image_name}:${version}-${arch}
  docker cp --quiet ${container}:/usr/local/lib64/python3.8/site-packages/. ${outdir}/${arch}
  docker rm ${container}
}

for arch in amd64 ppc64le s390x; do
  check ${arch}
done
ls -ld ${outdir}/*/crypto*

With v1.26.0 I get:

drwxrwxrwx 1 vagrant vagrant 4096 Dec  8 22:53 site-packages-v1.26.0/amd64/cryptography
drwxrwxrwx 1 vagrant vagrant 4096 Dec  8 22:53 site-packages-v1.26.0/amd64/cryptography-3.3.2.dist-info
drwxrwxrwx 1 vagrant vagrant 4096 Dec  8 23:05 site-packages-v1.26.0/ppc64le/cryptography
drwxrwxrwx 1 vagrant vagrant 4096 Dec  8 23:05 site-packages-v1.26.0/ppc64le/cryptography-3.3.2.dist-info
drwxrwxrwx 1 vagrant vagrant 4096 Dec  8 23:05 site-packages-v1.26.0/s390x/cryptography
drwxrwxrwx 1 vagrant vagrant 4096 Dec  8 23:05 site-packages-v1.26.0/s390x/cryptography-3.3.2.dist-info

but with v1.26.1 and v1.27.0 I only get this:

drwxrwxrwx 1 vagrant vagrant 4096 Feb  2 00:12 site-packages-v1.27.0/amd64/cryptography
drwxrwxrwx 1 vagrant vagrant 4096 Feb  2 00:12 site-packages-v1.27.0/amd64/cryptography-39.0.0.dist-info

@everettraven
Contributor

@efussi Thanks for raising this issue! We updated our cryptography dependency in #6269

I would have assumed our build process would have properly built and fetched the dependencies correctly but seems this wasn't the case... I will do some digging on this to try and figure out what went wrong

/assign

@everettraven
Contributor

Interestingly enough there seems to have been an error that occurred when building the images for ppc64le (here) and s390x (here), although they say immediately after "Will try again!" and appears to succeed...

It looks like it was successful for arm64 (here).

After doing some digging, it looks like ppc64le and s390x prebuilt wheels don't exist as the maintainers of the project state they can't test these architectures (although it looks like ppc64le may be coming later this year?) :

I think we have a few options here:

  1. Revert unpin cryptography dependency for ansible-operator base images #6269 and release patch releases of each affected version (I didn't think this change would break stuff and was just a dependency update)
  2. Update documentation around ansible operators for ppc64le and s390x architectures to mention that the cryptography package can no longer be provided prebuilt in the image for these architectures.
  3. Update the base images to always build the cryptography package for all architectures (this means we are knowingly issuing the cryptography package in architectures that are unsupported and untested)

I will make sure to raise this issue for discussion in the next community issue triage meeting on Monday (02/13/2023) and gather some thoughts on what we should do.
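
An added example (not part of the thread or of the operator-sdk build): it reads a release's distribution filenames and reports, per Docker platform, whether pip can use a prebuilt wheel or has to fall back to a source build. The file listing is constructed for illustration, and the check assumes a glibc-based image and ignores the Python/ABI tags and glibc version.

```python
import re

# Docker platform name -> machine name used in Linux wheel platform tags.
DOCKER_TO_MACHINE = {"amd64": "x86_64", "arm64": "aarch64",
                     "ppc64le": "ppc64le", "s390x": "s390x"}

# Constructed listing of one release's files (illustrative, not a PyPI copy).
RELEASE_FILES = [
    "cryptography-39.0.1-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
    "cryptography-39.0.1-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl",
    "cryptography-39.0.1-cp36-abi3-macosx_10_12_x86_64.whl",
    "cryptography-39.0.1.tar.gz",
]

# glibc-based images can use manylinux*/linux tags, not musllinux or macOS ones.
GLIBC_TAG = re.compile(r"(?:manylinux(?:\d+|_\d+_\d+)|linux)_(.+)")


def linux_wheel_machines(filename):
    """Return the Linux machine names a wheel filename targets (empty for sdists)."""
    if not filename.endswith(".whl"):
        return set()
    # name-version[-build]-python-abi-platform.whl: platform is the last field,
    # and may hold several dot-separated tags.
    platform_field = filename[:-len(".whl")].split("-")[-1]
    machines = set()
    for tag in platform_field.split("."):
        if tag == "any":  # pure-Python wheel installs everywhere
            return set(DOCKER_TO_MACHINE.values())
        match = GLIBC_TAG.fullmatch(tag)
        if match:
            machines.add(match.group(1))
    return machines


def install_plan(files, docker_platforms):
    """Map each Docker platform to 'wheel', 'sdist' (source build) or 'unavailable'."""
    covered = set().union(*(linux_wheel_machines(f) for f in files))
    has_sdist = any(f.endswith((".tar.gz", ".zip")) for f in files)
    fallback = "sdist" if has_sdist else "unavailable"
    return {p: "wheel" if DOCKER_TO_MACHINE[p] in covered else fallback
            for p in docker_platforms}


if __name__ == "__main__":
    for platform, source in install_plan(RELEASE_FILES, DOCKER_TO_MACHINE).items():
        note = "" if source == "wheel" else "  <- build stage needs the Rust toolchain"
        print(f"{platform:8} {source}{note}")
```

Running a check like this before a dependency bump makes the per-architecture fallback visible instead of leaving it to a retried build step.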

@efussi
Author

efussi commented Feb 10, 2023

Thanks @everettraven for your quick assessment!

Taking a step back, I am wondering why the missing cryptography package on ppc64le and s390x isn't causing unit test or runtime issues -- isn't cryptography a dependency that is needed at ansible-operator runtime? If yes, then I think (2) isn't a viable option. If not, may I ask why cryptography was included in the first place? If it was a courtesy to consumers, then imho option (2) is a breaking change and might require a major version bump according to semver (one could argue about this, if this courtesy wasn't officially documented :-) ).

Is it possible to do a variant of option (1), reverting just on those platforms where no prebuilt wheels are available?

To throw in one last data point: Anaconda provides cryptography for a variety of platforms, see https://anaconda.org/main/cryptography. But this is not readily installable in a plain pip environment (if at all). There might also be license considerations.

@everettraven
Contributor

> Taking a step back, I am wondering why the missing cryptography package on ppc64le and s390x isn't causing unit test or runtime issues -- isn't cryptography a dependency that is needed at ansible-operator runtime?

To be honest, I'm not sure. I'm not very familiar with all the python side of things for the ansible operator but am slowly learning a bit more at a time to try and help cover a bit of a knowledge gap we have in the currently active maintainers (all of our maintainers that were SMEs on the ansible side of things have since moved on to other things). My assumption is that if the unit tests aren't failing it isn't required but more so a courtesy as you mentioned.

> If it was a courtesy to consumers, then imho option (2) is a breaking change and might require a major version bump according to semver (one could argue about this, if this courtesy wasn't officially documented :-) )

I 100% agree here and option 2 is my least favorite option but figured I would include it since it is one path that could be taken.

> Is it possible to do a variant of option (1), reverting just on those platforms where no prebuilt wheels are available?

IIUC how we currently build the images it uses the same Dockerfile and uses docker buildx for building for multiple architectures. Unfortunately I think this limits us to either reverting for all platforms (option 1) or updating the build process for all platforms (essentially option 3). If we tried to do a bit of a hybrid revert I feel it would add way more complexity to our build/release process.

> To throw in one last data point: Anaconda provides cryptography for a variety of platforms, see https://anaconda.org/main/cryptography. But this is not readily installable in a plain pip environment (if at all). There might also be license considerations.

That's good to know, thanks for sharing!

@efussi
Author

efussi commented Feb 11, 2023

I ran another quick test using this small Dockerfile based on the ones in https://github.com/operator-framework/operator-sdk/blob/master/images/ansible-operator:

FROM registry.access.redhat.com/ubi8/ubi
RUN yum update -y \
 && yum install -y python38-devel python38-pip python38-setuptools \
 && pip3 install ansible~=2.9.15

This installs plain ansible and the build output is as follows:

WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting ansible~=2.9.15
  Downloading https://files.pythonhosted.org/packages/5b/99/ce005d0314840e1a6eef34e0faf0ba4f7bccd8172b33cc84fee21afab7ad/ansible-2.9.27.tar.gz (14.8MB)
Collecting jinja2
  Downloading https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl (133kB)
Collecting PyYAML
  Downloading https://files.pythonhosted.org/packages/d7/42/7ad4b6d67a16229496d4f6e74201bdbebcf4bc1e87d5a70c9297d4961bd2/PyYAML-6.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (701kB)
Collecting cryptography
  Downloading https://files.pythonhosted.org/packages/bb/03/20b85e10571c919fd4862465c53ae40b6494fa7f82fd74131f401ce504f6/cryptography-39.0.1-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.2MB)
Collecting MarkupSafe>=2.0
  Downloading https://files.pythonhosted.org/packages/9d/80/8320f182d06a9b289b1a9f266f593feb91d3781c7e104bbe09e0c4c11439/MarkupSafe-2.1.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Collecting cffi>=1.12
  Downloading https://files.pythonhosted.org/packages/b7/8b/06f30caa03b5b3ac006de4f93478dbd0239e2a16566d81a106c322dc4f79/cffi-1.15.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (442kB)
Collecting pycparser
  Downloading https://files.pythonhosted.org/packages/62/d5/5f610ebe421e85889f2e55e33b7f9a6795bd982198517d912eb1c76e1a53/pycparser-2.21-py2.py3-none-any.whl (118kB)
Installing collected packages: MarkupSafe, jinja2, PyYAML, pycparser, cffi, cryptography, ansible
    Running setup.py install for ansible: started
    Running setup.py install for ansible: finished with status 'done'
Successfully installed MarkupSafe-2.1.2 PyYAML-6.0 ansible-2.9.27 cffi-1.15.1 cryptography-39.0.1 jinja2-3.1.2 pycparser-2.21

We see that this installs cryptography even though cryptography is not explicitly requested. That is, ansible itself must declare it as a dependency package. Could be indirect, though. Trying to get more details by explicitly installing cryptography first:

FROM registry.access.redhat.com/ubi8/ubi
RUN yum update -y \
 && yum install -y python38-devel python38-pip python38-setuptools \
 && pip3 install cryptography==3.3.2 \
 && pip3 install ansible~=2.9.15

We get this output:

WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting cryptography==3.3.2
  Downloading https://files.pythonhosted.org/packages/c6/d1/800ec785c9e66cc6d0ac587bd666eb22f7b2ff6c150e053d35881acd2f57/cryptography-3.3.2-cp36-abi3-manylinux2010_x86_64.whl (2.6MB)
Collecting six>=1.4.1
  Downloading https://files.pythonhosted.org/packages/d9/5a/e7c31adbe875f2abbb91bd84cf2dc52d792b5a01506781dbcf25c91daf11/six-1.16.0-py2.py3-none-any.whl
Collecting cffi>=1.12
  Downloading https://files.pythonhosted.org/packages/b7/8b/06f30caa03b5b3ac006de4f93478dbd0239e2a16566d81a106c322dc4f79/cffi-1.15.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (442kB)
Collecting pycparser
  Downloading https://files.pythonhosted.org/packages/62/d5/5f610ebe421e85889f2e55e33b7f9a6795bd982198517d912eb1c76e1a53/pycparser-2.21-py2.py3-none-any.whl (118kB)
Installing collected packages: six, pycparser, cffi, cryptography
Successfully installed cffi-1.15.1 cryptography-3.3.2 pycparser-2.21 six-1.16.0
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting ansible~=2.9.15
  Downloading https://files.pythonhosted.org/packages/5b/99/ce005d0314840e1a6eef34e0faf0ba4f7bccd8172b33cc84fee21afab7ad/ansible-2.9.27.tar.gz (14.8MB)
Collecting jinja2
  Downloading https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl (133kB)
Collecting PyYAML
  Downloading https://files.pythonhosted.org/packages/d7/42/7ad4b6d67a16229496d4f6e74201bdbebcf4bc1e87d5a70c9297d4961bd2/PyYAML-6.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (701kB)
Requirement already satisfied: cryptography in /usr/local/lib64/python3.8/site-packages (from ansible~=2.9.15) (3.3.2)
Collecting MarkupSafe>=2.0
  Downloading https://files.pythonhosted.org/packages/9d/80/8320f182d06a9b289b1a9f266f593feb91d3781c7e104bbe09e0c4c11439/MarkupSafe-2.1.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Requirement already satisfied: cffi>=1.12 in /usr/local/lib64/python3.8/site-packages (from cryptography->ansible~=2.9.15) (1.15.1)
Requirement already satisfied: six>=1.4.1 in /usr/local/lib/python3.8/site-packages (from cryptography->ansible~=2.9.15) (1.16.0)
Requirement already satisfied: pycparser in /usr/local/lib/python3.8/site-packages (from cffi>=1.12->cryptography->ansible~=2.9.15) (2.21)
Installing collected packages: MarkupSafe, jinja2, PyYAML, ansible
    Running setup.py install for ansible: started
    Running setup.py install for ansible: finished with status 'done'
Successfully installed MarkupSafe-2.1.2 PyYAML-6.0 ansible-2.9.27 jinja2-3.1.2

The relevant line is

Requirement already satisfied: cryptography in /usr/local/lib64/python3.8/site-packages (from ansible~=2.9.15) (3.3.2)

So cryptography is a direct dependency of ansible which means option (2) might (partially) break the ppc64le and s390x ansible-operator images because a dependency of ansible itself is missing.
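
An added example (not part of the comment above or of the project's tooling): it automates the two log readings used in this thread, finding packages pip fetched as source distributions and extracting the `(from a->b->c)` chains that show which package directly requires another. The sample log is constructed by abridging lines from the pip outputs quoted in this issue, and the helper names are hypothetical.

```python
import re

# Constructed sample: lines abridged from the pip logs quoted in this thread.
PIP_LOG = """\
Collecting python-cryptography-fernet-wrapper
  Downloading python_cryptography_fernet_wrapper-1.0.4-py3-none-any.whl (14 kB)
Collecting cryptography
  Downloading cryptography-39.0.1.tar.gz (603 kB)
Requirement already satisfied: cffi>=1.12 in /usr/local/lib64/python3.8/site-packages (from cryptography->python-cryptography-fernet-wrapper) (1.15.1)
Requirement already satisfied: pycparser in /usr/local/lib/python3.8/site-packages (from cffi>=1.12->cryptography->python-cryptography-fernet-wrapper) (2.21)
Requirement already satisfied: cryptography in /usr/local/lib64/python3.8/site-packages (from ansible~=2.9.15) (3.3.2)
"""

SATISFIED = re.compile(r"Requirement already satisfied: (\S+) in \S+ \(from ([^)]+)\)")
NAME = re.compile(r"[A-Za-z0-9._-]+")


def bare(requirement):
    """Strip the version specifier: 'cffi>=1.12' -> 'cffi'."""
    return NAME.match(requirement).group(0).lower()


def source_builds(log):
    """Return (package, artifact) pairs that pip downloaded as an sdist."""
    found, current = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("Collecting "):
            current = bare(line.split(None, 1)[1])
        elif line.startswith("Downloading ") and current:
            artifact = line.split()[1].rsplit("/", 1)[-1]  # drop any URL prefix
            if artifact.endswith((".tar.gz", ".zip")):
                found.append((current, artifact))
    return found


def requirement_chains(log):
    """Map package -> list of chains [direct requirer, ..., top-level request]."""
    chains = {}
    for match in SATISFIED.finditer(log):
        chain = [bare(part) for part in match.group(2).split("->")]
        chains.setdefault(bare(match.group(1)), []).append(chain)
    return chains


if __name__ == "__main__":
    for package, artifact in source_builds(PIP_LOG):
        print(f"built from source: {package} ({artifact})")
    for package, chains in requirement_chains(PIP_LOG).items():
        for chain in chains:
            print(f"{package}: required directly by {chain[0]}, requested via {chain[-1]}")
```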

@efussi
Author

efussi commented Feb 13, 2023

I think the Pipfile is (also) a flattened dependency tree for the purpose of pinning versions.

@jberkhahn
Contributor

Going to bring this up at the ansible community call next week, will report back.

@everettraven
Contributor

We discussed this in the ansible community meeting and it was recommended that we first try updating our pip version that we install when building the images from 21.1.0 to the latest (currently 23.0.1).

@jberkhahn jberkhahn added this to the v1.28.0 milestone Feb 20, 2023
@jberkhahn jberkhahn added the release-blocker This issue blocks the parent release milestone label Feb 20, 2023
everettraven added a commit to everettraven/operator-sdk that referenced this issue Feb 23, 2023
so that we can ensure all packages are always included in the images we deliver
by installing/building all packages in a build stage and copying them over
to the final build stage.

fixes operator-framework#6302

Signed-off-by: Bryce Palmer <[email protected]>
everettraven added a commit that referenced this issue Feb 23, 2023
* update ansible base images to multi-stage builds

so that we can ensure all packages are always included in the images we deliver
by installing/building all packages in a build stage and copying them over
to the final build stage.

fixes #6302

Signed-off-by: Bryce Palmer <[email protected]>

* update 2.11 preview image changes

Signed-off-by: Bryce Palmer <[email protected]>

---------

Signed-off-by: Bryce Palmer <[email protected]>
@ppadashe

ppadashe commented Mar 1, 2023

@everettraven Do we have any updates on this ?

@everettraven
Contributor

@ppadashe This was closed by #6333 which updated our image build process to ensure that all images produced contain the cryptography package. This fix should be included in the next release.

@efussi
Author

efussi commented Mar 15, 2023

fwiw, #6333 was reverted through #6348, see also #6342 (comment).
