This is more of a heads-up than a required fix for this repo. The fix is happening in Gunicorn, but it has been pending release for nearly a year.
Eventlet released a breaking change that Gunicorn has not yet released a fix for.
Currently the image will build, but results in the following error when run:
saml_1 | Error: class uri 'eventlet' invalid or not found:
saml_1 |
saml_1 | [Traceback (most recent call last):
saml_1 | File "/usr/local/lib/python3.7/site-packages/gunicorn/util.py", line 99, in load_class
saml_1 | mod = importlib.import_module('.'.join(components))
saml_1 | File "/usr/local/lib/python3.7/importlib/__init__.py", line 127, in import_module
saml_1 | return _bootstrap._gcd_import(name[level:], package, level)
saml_1 | File "<frozen importlib._bootstrap>", line 1006, in _gcd_import
saml_1 | File "<frozen importlib._bootstrap>", line 983, in _find_and_load
saml_1 | File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
saml_1 | File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
saml_1 | File "<frozen importlib._bootstrap_external>", line 728, in exec_module
saml_1 | File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
saml_1 | File "/usr/local/lib/python3.7/site-packages/gunicorn/workers/geventlet.py", line 20, in <module>
saml_1 | from eventlet.wsgi import ALREADY_HANDLED as EVENTLET_ALREADY_HANDLED
saml_1 | ImportError: cannot import name 'ALREADY_HANDLED' from 'eventlet.wsgi' (/usr/local/lib/python3.7/site-packages/eventlet/wsgi.py)
saml_1 | ]
A Gunicorn PR has been merged to fix this, but as of today a release has not yet been published: benoitc/gunicorn#2581
The eventlet 0.30.3 release introduced the change: https://eventlet.net/doc/changelog.html#id5
Workaround
Locking the version to eventlet==0.30.2 in requirements.txt fixes this issue for this repo.
But eventlet has a known memory exhaustion vulnerability in that version: https://nvd.nist.gov/vuln/detail/CVE-2021-21419. Restricting process memory for this docker container can prevent full system memory exhaustion and weaken any attack so it can only DoS the eventlet process and this SAML container, rather than the full host.
You can do this by adding `-m 512m` when calling `docker run`, or `mem_limit: 512m` on the service in docker-compose.yml.
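A preflight check for the version trade-off described in this issue, added here as an example; it is not code from this repo, from Gunicorn or from eventlet. It assumes three boundaries: Gunicorn's eventlet worker needs `eventlet.wsgi.ALREADY_HANDLED` (what the traceback above shows for Gunicorn releases without the benoitc/gunicorn#2581 fix), eventlet dropped that symbol in 0.30.3 (the changelog linked above), and CVE-2021-21419 is fixed from eventlet 0.31.0 onward (taken from the linked NVD entry, not from the issue text). The function names `parse_version`, `assess_eventlet` and `installed_eventlet_status` are this example's own.

```python
"""Preflight check: does the installed (or pinned) eventlet both load under an
unfixed Gunicorn geventlet worker and avoid CVE-2021-21419?

Added example, not code from the repo, Gunicorn or eventlet. Version boundaries
are assumptions taken from the issue thread and the linked NVD entry.
"""
import importlib
import re
from typing import Dict, Tuple

# ALREADY_HANDLED disappeared from eventlet.wsgi in 0.30.3 (per the eventlet changelog).
ALREADY_HANDLED_REMOVED_IN = (0, 30, 3)
# CVE-2021-21419 (websocket memory exhaustion) is fixed from 0.31.0 (per NVD, assumed here).
CVE_2021_21419_FIXED_IN = (0, 31, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '0.30.2' (or '0.30.2.post1') into a comparable tuple of its numeric parts."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in match.groups() if p is not None)


def assess_eventlet(version: str) -> Dict[str, object]:
    """Classify an eventlet version against the two constraints in the issue."""
    v = parse_version(version)
    return {
        "version": version,
        # Unfixed Gunicorn imports ALREADY_HANDLED at worker load time.
        "gunicorn_worker_imports": v < ALREADY_HANDLED_REMOVED_IN,
        # The pinned 0.30.2 workaround keeps the vulnerable websocket code.
        "cve_2021_21419_affected": v < CVE_2021_21419_FIXED_IN,
    }


def installed_eventlet_status() -> Dict[str, object]:
    """Probe the running interpreter the way gunicorn.util.load_class would.

    Returns {'installed': False} when eventlet is absent; otherwise the
    version-based assessment plus a direct check for the attribute that
    gunicorn/workers/geventlet.py fails on.
    """
    try:
        wsgi = importlib.import_module("eventlet.wsgi")
        eventlet = importlib.import_module("eventlet")
    except ImportError:
        return {"installed": False}
    status = assess_eventlet(getattr(eventlet, "__version__", "0"))
    status["installed"] = True
    status["already_handled_present"] = hasattr(wsgi, "ALREADY_HANDLED")
    return status


if __name__ == "__main__":
    # Walk the versions named in the issue; no single one satisfies both constraints,
    # which is why the memory limit on the container is the stop-gap.
    for candidate in ("0.30.2", "0.30.3", "0.31.0"):
        print(assess_eventlet(candidate))
    print(installed_eventlet_status())
```

Run it inside the built image (`docker run --rm <image> python preflight.py`) to see whether the eventlet actually installed from requirements.txt is the pinned 0.30.2: `gunicorn_worker_imports` true and `cve_2021_21419_affected` true is exactly the trade-off the workaround accepts, and a result with `already_handled_present` false reproduces the `ImportError` above before Gunicorn has a chance to crash on it.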