Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FEATURE] Add support for urllib3 > v2 #628

Closed
Bialogs opened this issue Dec 12, 2023 · 20 comments · Fixed by #632
Closed

[FEATURE] Add support for urllib3 > v2 #628

Bialogs opened this issue Dec 12, 2023 · 20 comments · Fixed by #632
Labels
bug Something isn't working

Comments

@Bialogs
Copy link

Bialogs commented Dec 12, 2023

What is the bug?

When using opensearch-py v2.3.2 and greater with boto3 provided by AWS Lambda , the following error occurs:

cannot import name 'DEFAULT_CIPHERS' from 'urllib3.util.ssl_'

How can one reproduce the bug?

Dockerfile:

FROM public.ecr.aws/lambda/python:3.9
RUN pip3 install opensearch-py==2.3.1 --target ${LAMBDA_TASK_ROOT}
COPY /app/ ${LAMBDA_TASK_ROOT}/
CMD ["app.function"]

app.py:

import boto3
import opensearchpy

def function(event, ctx)
    print("hello")

What is the expected behavior?

Imports are successful and code runs.

What is your host/environment?

public.ecr.aws/lambda/python:3.9

Do you have any screenshots?

N/A

Do you have any additional context?

Downgrade to 2.3.1 successfully executes.

@Bialogs Bialogs added bug Something isn't working untriaged Need triage labels Dec 12, 2023
@dblock
Copy link
Member

dblock commented Dec 12, 2023

Did you mean 2.4.2? If not, and you meant 2.3.2, would you be so kind to confirm that this still doesn't work in 2.4.2?

I found a number of hits on Google for this, e.g. psf/requests#6443, so it sounds like this may be about versions of urllib3 or requests. Have you tried upgrading those?

@dblock dblock removed the untriaged Need triage label Dec 12, 2023
@Bialogs
Copy link
Author

Bialogs commented Dec 12, 2023

Yes from my test it failed with v2.3.2 through v2.4.2.

In terms of the runtime I'm not installing any other packages other than opensearch-py at the specified versions. I'm noticing that the commits for v2.3.2 include changes to the urllib3 version. Perhaps that introduced this?

@Bialogs
Copy link
Author

Bialogs commented Dec 12, 2023

Examining the base image, public.ecr.aws/lambda/python:3.9 the following urllib3 is bundled. I assume because it is integrated with the other software packages that the base image contains.

From Docker Scout (docker scout sbom public.ecr.aws/lambda/python:3.9)

    {
      "type": "pypi",
      "name": "urllib3",
      "version": "1.26.18",
      "purl": "pkg:pypi/[email protected]",
      "author": "Andrey Petrov",
      "licenses": [
        "MIT"
      ],
      "locations": [
        {
          "path": "/var/runtime/urllib3-1.26.18.dist-info/METADATA",
          "ordinal": 7,
          "digest": "sha256:4dd1a48d6392cbd0f03fdefc227609f129f9648bfc83a06f8435f8536eb1efbe",
          "diff_id": "sha256:8a810533d2d18a464c851d93a9aabf4ddbcdf6c171bef202acaeec45d29e9779"
        },
        {
          "path": "/var/runtime/urllib3-1.26.18.dist-info/RECORD",
          "ordinal": 7,
          "digest": "sha256:4dd1a48d6392cbd0f03fdefc227609f129f9648bfc83a06f8435f8536eb1efbe",
          "diff_id": "sha256:8a810533d2d18a464c851d93a9aabf4ddbcdf6c171bef202acaeec45d29e9779"
        },
        {
          "path": "/var/runtime/urllib3-1.26.18.dist-info/top_level.txt",
          "ordinal": 7,
          "digest": "sha256:4dd1a48d6392cbd0f03fdefc227609f129f9648bfc83a06f8435f8536eb1efbe",
          "diff_id": "sha256:8a810533d2d18a464c851d93a9aabf4ddbcdf6c171bef202acaeec45d29e9779"
        }
      ]
    }

And this PR pushed this package urllib3 version above this to "urllib3>=1.26.9"
#518

@dblock
Copy link
Member

dblock commented Dec 12, 2023

Can you compare the versions of urllib and requests you get with 1.3.1 and 1.3.2? I want to know which one causes the break, and whether it's something in our code. Also does https://stackoverflow.com/questions/76414514/cannot-import-name-default-ciphers-from-urllib3-util-ssl-on-aws-lambda-us help?

@Bialogs
Copy link
Author

Bialogs commented Dec 12, 2023

Can you compare the versions of urllib and requests you get with 1.3.1 and 1.3.2?

Do you mean 2.3.1 and 2.3.2 of opensearch-py?

@dblock
Copy link
Member

dblock commented Dec 12, 2023

Can you compare the versions of urllib and requests you get with 1.3.1 and 1.3.2?

Do you mean 2.3.1 and 2.3.2 of opensearch-py?

Yes, trying to narrow down where the actual problem is.

@Bialogs
Copy link
Author

Bialogs commented Dec 12, 2023

opensearch-py v2.3.1:

  • urllib3 1.26.18
  • requests 2.31.0

opensearch-py v2.3.2:

  • urllib3 1.26.18
  • urllib3 2.1.0
  • requests 2.31.0

Also does https://stackoverflow.com/questions/76414514/cannot-import-name-default-ciphers-from-urllib3-util-ssl-on-aws-lambda-us help?

When adding the additional constraint RUN pip3 install opensearch-py==2.3.2 "urllib3<2" --target ${LAMBDA_TASK_ROOT}:

  • urllib3 1.26.18
  • requests 2.31.0

Seems like that should be the way forward for me.

@dblock
Copy link
Member

dblock commented Dec 12, 2023

So this is happening because urllib3 2.x is being installed and used, but it's not compatible. I tracked it down to #466 (cc @saimedhi) which was fixing #492. I think we need to make sure the library works with urllib3 >= 2, or re-add the <2 constraint.

Want to help @Bialogs?

@dblock dblock changed the title [BUG] v2.3.2 and above incompatability with AWS Lambda [BUG] incompatibility with urllib3 > 2 (since v2.3.2, AWS Lambda) Dec 12, 2023
@Bialogs
Copy link
Author

Bialogs commented Dec 12, 2023

To be clear, I don't mean to make any claims that this library is incompatible with urllib3 2.x.

What I have found is that the Lambda base image contains at least boto3 (which comes pre-installed) which does not seem compatible with urllib3 > 1.26.18.

If opensearch-py wants to support the Lambda base image containers (i.e. this workflow using these images) I think the way forward would be re-add <2 constraint on urllib3.

Alternatively, users can reference this issue and add the <2 constraint in their own code.

I defer to the maintainers as you know your installation base better and constraining urllib3 version may be something you don't want to do.

@dblock
Copy link
Member

dblock commented Dec 12, 2023

To be clear, I don't mean to make any claims that this library is incompatible with urllib3 2.x.

But I am. I believe this is why we have this error. Because 2.x is installed, it gets picked (it satisfies >= 1.26....). However I think it also does work with 2.x for some scenarios. Either way we don't use that version in tests, so I would want to know for sure by having a test run with 2.x and seeing what breaks to begin with.

I might get to it soon, but if you have time, don't hold back on helping ;)

@dblock
Copy link
Member

dblock commented Dec 15, 2023

Reopening to add support for urllib3 >= 2.

@dblock dblock reopened this Dec 15, 2023
@github-actions github-actions bot added the untriaged Need triage label Dec 15, 2023
@dblock dblock changed the title [BUG] incompatibility with urllib3 > 2 (since v2.3.2, AWS Lambda) [FEATURE] Add support for urllib3 > v2 (since v2.3.2, AWS Lambda) Dec 15, 2023
@dblock dblock changed the title [FEATURE] Add support for urllib3 > v2 (since v2.3.2, AWS Lambda) [FEATURE] Add support for urllib3 > v2 Dec 15, 2023
@saimedhi saimedhi removed the untriaged Need triage label Dec 22, 2023
@Ousret
Copy link

Ousret commented Jan 18, 2024

Hello there,

Sorry to barge in. A bit off topic, but I wanted to recommend Niquests as a possible replacement for Requests+aiohttp. I am willing to help if this is something of potential interest.

@dblock
Copy link
Member

dblock commented Jan 18, 2024

@Ousret yes would love some help. Generally we want all these libraries to be switchable.

@SamStephens
Copy link

SamStephens commented Apr 1, 2024

So the issue here is that the botocore packaged with the AWS Lambda Python 3.9 image (at least at the time this issue was created) requires urlllib3 < 2. The relevant versions of botocore actually specify this dependency in their requirements.txt.

However because this is the version of botocore packaged with the image, when users install their own dependencies using pip, the urlllib3 < 2 constraint botocore has is not taken into account.

The thing is, AWS Lambda best practices are to not use prepackaged libraries, to explicitly install all your dependencies:

Control the dependencies in your function's deployment package. The AWS Lambda execution environment contains a number of libraries such as the AWS SDK for the Node.js and Python runtimes (a full list can be found here: Lambda runtimes). To enable the latest set of features and security updates, Lambda will periodically update these libraries. These updates may introduce subtle changes to the behavior of your Lambda function. To have full control of the dependencies your function uses, package all of your dependencies with your deployment package.

From https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html#function-code. Although the best practice here doesn't make it explicit, another reason to package all of your dependencies with your deployment package is that if you don't, the dependency graph your package manager is using is incomplete (missing packages included with your runtime), and you see issues like this.

As such, I would argue opensearch-py should not be pinning on urllib3 < 2.

Apart from anything else, if you're going to pin to urllib3 < 2 as long as the AWS Lambda Python 3.9 image does not support urllib3 >= 2, you will be keeping that pin for the lifetime of the AWS Lambda Python 3.9 runtime as the OpenSSL provided in that runtime is < 1.1.1 and will never be upgraded to 1.1.1 to the best of my knowledge.

@iherasymenko
Copy link
Contributor

Perhaps a similar constraint can be applied to opensearch-py 🤔

   urllib3>=1.25.4,<1.27; python_version<"3.10"
   urllib3>=1.25.4,!=2.2.0,<3; python_version>="3.10"

boto/botocore#3141

@james-certn
Copy link

Subjectively speaking, this feels like something relatively urgent. The longer the delay, the bigger the versioning dependency problem will get. I'm currently seeing:

The conflict is caused by:
    auth0-python 4.7.1 depends on urllib3<3.0.0 and >=2.0.7
    opensearch-py 2.5.0 depends on urllib3<2 and >=1.26.18

@dblock
Copy link
Member

dblock commented Apr 17, 2024

@james-certn There's an open PR in #719 that needs some tests. Want to help?

@gabfelp
Copy link

gabfelp commented May 22, 2024

Subjectively speaking, this feels like something relatively urgent. The longer the delay, the bigger the versioning dependency problem will get. I'm currently seeing:

The conflict is caused by:
    auth0-python 4.7.1 depends on urllib3<3.0.0 and >=2.0.7
    opensearch-py 2.5.0 depends on urllib3<2 and >=1.26.18

I faced this same problem today.

Great that the PR supporting urllib3 > v2 has already been merged!

As I'm new to the repository, I'm unsure of how the release process works. Is there any estimate of when the next release (with this code) will come out?

@dblock
Copy link
Member

dblock commented May 22, 2024

As I'm new to the repository, I'm unsure of how the release process works. Is there any estimate of when the next release (with this code) will come out?

Open an issue to "release v. next" and we can do it quickly.

@SamStephens
Copy link

Should this issue be resolved, now version 2.6.0 has been released?

@dblock dblock closed this as completed Jun 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

8 participants