Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ImportError: PyO3 modules may only be initialized once per interpreter process #12080

Closed
linas opened this issue Dec 1, 2024 · 18 comments
Closed

Comments

@linas
Copy link

linas commented Dec 1, 2024

This is in reference to issue #9016 which is marked resolved, closed and locked. Its currently December 2024, and this remains unfixed, i.e. an open issue, in both Debian Stable (bullseye) and Debian Testing. There's no additional information I can add to this issue report that is not already noted in issue #9016. There's no obvious work-around or patch available that can be deployed. So ???

@alex
Copy link
Member

alex commented Dec 1, 2024

As discussed in that issue thread, supporting sub-interpreters requires PyO3/pyo3#3451 to be resolved in pyo3.

@linas
Copy link
Author

linas commented Dec 1, 2024

OK, closing, and redirecting my attention there.

@linas linas closed this as completed Dec 1, 2024
@linas
Copy link
Author

linas commented Dec 1, 2024

Hmm. Is there a way to revert whatever it is that is breaking, until a fix becomes available for PyO3/pyo3#3451 ? The maintainer there is posting remarks about "issues in my personal life" and "now that college classes are in session" and "this is more complicated than I thought", coupled to it being 14 months since opened with apparently no actual progress, makes me think that a patch is years away, or might never arrive.

In case that issue is never resolved, or only gets a fix years from now, is there perhaps some intermediate steps that can be taken in this project to work around that bug? Maybe just not use PyO3 at all, or not use sub-interpreters, something along those lines?

@linas linas reopened this Dec 1, 2024
@alex
Copy link
Member

alex commented Dec 1, 2024 via email

@linas
Copy link
Author

linas commented Dec 1, 2024

So the current plan is to stay broken, possibly forever? I don't get it.

@alex
Copy link
Member

alex commented Dec 1, 2024

I wouldn't call it a plan, but yes, the reality is that unless someone steps up to do the work, sub-interpreters will remain unsupported.

@linas
Copy link
Author

linas commented Dec 1, 2024

Who is using the sub-interpreters? Some blob of code somewhere in the stack decides "OK, start subinterpreter here". If I can locate that, then that would be the place to disable or bypass or mutex-lock or whatever.

I'm coming at this from the Ceph side, as a Ceph user (not developer). In the past, this message seemed to be an anoying warning that merely clogged up the error logs, but could be safely ignored. Today, I'm actually trying to do something, and this is appears to be a blocker. I think. I'll double check to see if it really is blocking, or just an annoying warning.

@alex
Copy link
Member

alex commented Dec 1, 2024

Ceph is making use of sub-interpreters. I do not know why.

@linas
Copy link
Author

linas commented Dec 1, 2024

For the record, the stack trace I'm looking at is this:

# ceph dashboard create-self-signed-cert
Error EINVAL: Traceback (most recent call last):
  File "/usr/share/ceph/mgr/mgr_module.py", line 1811, in _handle_command
    return CLICommand.COMMANDS[cmd['prefix']].call(self, cmd, inbuf)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/ceph/mgr/mgr_module.py", line 474, in call
    return self.func(mgr, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/ceph/mgr/dashboard/module.py", line 476, in set_mgr_created_self_signed_cert
    cert, pkey = create_self_signed_cert('IT', 'ceph-dashboard')
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/ceph/mgr/mgr_util.py", line 527, in create_self_signed_cert
    from OpenSSL import crypto
  File "/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/lib/python3/dist-packages/OpenSSL/SSL.py", line 19, in <module>
    from OpenSSL.crypto import (
  File "/lib/python3/dist-packages/OpenSSL/crypto.py", line 21, in <module>
    from cryptography import utils, x509
  File "/lib/python3/dist-packages/cryptography/x509/__init__.py", line 6, in <module>
    from cryptography.x509 import certificate_transparency
  File "/lib/python3/dist-packages/cryptography/x509/certificate_transparency.py", line 10, in <module>
    from cryptography.hazmat.bindings._rust import x509 as rust_x509
ImportError: PyO3 modules may only be initialized once per interpreter process

This looks like a straightforward naive API call to create a cert, with nothing fancy going on. The only "obvious" work-around would be some if (not already imported) import OpenSSL.crypto. Not clear if that will work, but this kind of protection from multi-imports is common in python code. I've seen it in ROS (robot operating system), and in Blender (3D animation system) which have complex multi-module cascading everybody is calling everything all the time in unpredictable order kinds of ways. Given the complexity of Ceph, its probably equally uuuhh, "stochastic" (its got a zillion daemons running on a zillion hosts, so like ROS)

Search engines report that the Ceph variant of this is being discussed on a variety of forums. The generic work-around is "revert to an earlier version of the python crypto module". I'll see if I can get the Debian maintainers to roll back to an early 2023 version of crypto, but I imagine there will be pushback. Maybe the Ceph people can do something. Sigh.

@alex
Copy link
Member

alex commented Dec 1, 2024 via email

@linas
Copy link
Author

linas commented Dec 1, 2024

Sigh. OK. Closing again. Here's a relevant redhat bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=2255688

I'll do some noisy posting here as I find other relevant threads, so that the next person will, auhhh be saved some time tracking this down.

@linas
Copy link
Author

linas commented Dec 1, 2024

Also-ran:

@reaperhulk
Copy link
Member

If the dep isn't needed then yes, that's a good solution. For future folks who may find this thread: subinterpreters were never explicitly supported by this project and when they "worked" they were untested and potentially unsound with our module. Subinterpreters have a long and checkered history in Python and projects that consume them ultimately need to either minimize their deps to only those who explicitly claim support or work with upstreams to create such support.

The only way forward here is by assisting the pyo3 project in explicitly supporting subinterpreters. That may take the form of direct contribution, a variety of possible sponsorships, or simply reaching out to the pyo3 maintainers on their issue tracker to reopen discussion since it previously stalled.

@bazaah
Copy link

bazaah commented Dec 2, 2024

If the dep isn't needed then yes, that's a good solution. For future folks who may find this thread: subinterpreters were never explicitly supported by this project and when they "worked" they were untested and potentially unsound with our module. Subinterpreters have a long and checkered history in Python and projects that consume them ultimately need to either minimize their deps to only those who explicitly claim support or work with upstreams to create such support.

The only way forward here is by assisting the pyo3 project in explicitly supporting subinterpreters. That may take the form of direct contribution, a variety of possible sponsorships, or simply reaching out to the pyo3 maintainers on their issue tracker to reopen discussion since it previously stalled.

I agree this is the only true solution, but I will note that use of LazyPyImport statics (src/types.rs) will require a redesign in the presence of whatever changes pyo3 makes, given that storing python objects in a static is fundamentally undefined behavior in the presence of a 1:N process:interpreter architecture. Moreover, it is possible to use other pyo3 modules (like python-bcrypt) now as they provably do not store Py<'_> objects in statics in the rust code. I have used this to overcome the pyo3 pains for the Archlinux Ceph build, excluding that which relies on python-cryptography (and other static-using pyo3 infected modules).

So, another solution is for pyo3 module maintainers to expressly opt out of the troublesome behavior (storing Python objects in static locations) in their own module design.

I'm not necessarily suggesting this for this (or any other) module; but it is a solution that doesn't require waiting for pyo3 to land official subinterpreter support. It could even be an exercise for Ceph, to fork and modify as needed the module, then depend on (a vendored variant?) of that module.

@alex
Copy link
Member

alex commented Dec 2, 2024 via email

@moula
Copy link

moula commented Dec 12, 2024

Hi guys.
I am testing the new Ceph Squid version on ubuntu 24.04.1.
The bug with ceph dashboard is still there. So still no way to make it work.
There will be good news very soon I hope.
THANKS.
Capture d’écran du 2024-12-12 11-10-10

@linas
Copy link
Author

linas commented Dec 12, 2024

Hi guys. I am testing the new Ceph Squid version on ubuntu 24.04.1. The bug with ceph dashboard is still there. So still no way to make it work.

There is "kind of" a way to make it work. It is easy to create self-signed certificates, there must be half-a-dozen or more tools that do this. What's missing is instructions for how to import such certs into Ceph. FWIW, you can even get CA-signed certs for free, from the "Let's Encrypt" project.

@moula
Copy link

moula commented Dec 12, 2024

Hi guys. I am testing the new Ceph Squid version on ubuntu 24.04.1. The bug with ceph dashboard is still there. So still no way to make it work.

There is "kind of" a way to make it work. It is easy to create self-signed certificates, there must be half-a-dozen or more tools that do this. What's missing is instructions for how to import such certs into Ceph. FWIW, you can even get CA-signed certs for free, from the "Let's Encrypt" project.
Hi, It works with my Certificates.
It's just that with the usual procedure the creation of the certificate does not work and there is always the famous error message.
Thank's.
Capture d’écran du 2024-12-12 14-01-15

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

5 participants