Closed Bug 1370964 Opened 5 years ago Closed 4 years ago

In one-click loaner wizard, the "Clone gecko" option fails with "current Python does not support protocol setting tls1.2"

Categories

(Taskcluster :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: gbrown, Assigned: gbrown)

References

Details

root@9a961974e054:~# run-wizard
This wizard can help you get started with some common debugging workflows.
What would you like to do?
1) Resume task - Resume the original task without modification. This can be
                 useful for passively monitoring it from another shell.
2) Setup task  - Setup the task (download the application and tests) but
                 don't run the tests just yet. The tests can be run with a
                 custom configuration later. This will provide a mach
                 environment (experimental).
3) Clone gecko - Perform a clone of gecko using the task's repo and update it
                 to the task's revision.
4) Exit        - Exit this wizard and return to the shell.
Select one of the above options: 3
/usr/bin/hg robustcheckout --sharebase ~/checkouts/hg-store --purge --upstream https://hg.mozilla.org/mozilla-unified --revision 335dffbfae9da3f38f6cdb5cc8264b0184649646 https://hg.mozilla.org/try/ /home/wo
rker/gecko
ensuring https://hg.mozilla.org/try/@335dffbfae9da3f38f6cdb5cc8264b0184649646 is available at /home/worker/gecko
(cloning from upstream repo https://hg.mozilla.org/mozilla-unified)
warning: connecting to hg.mozilla.org using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
abort: current Python does not support protocol setting tls1.2
(upgrade Python or disable setting since only TLS 1.0 is supported)
Finished cloning to /home/worker/gecko at revision 335dffbfae9da3f38f6cdb5cc8264b0184649646.
Use the 'run-wizard' command to start this wizard again.
:ahal, can you have a look at this?
Flags: needinfo?(ahalberstadt)
fwiw, I think I was using a loaner for a Linux mochitest when I reported comment 0. 

I notice jobs like eslint perform a robustcheckout using practically the same command without any trouble:

https://public-artifacts.taskcluster.net/Iwm_8xqqQxaFTSbxjYYt8A/0/public/logs/live_backing.log

[setup 2017-06-08T00:43:08.640219Z] run-task started
[setup 2017-06-08T00:43:08.643423Z] running as worker:worker
[vcs 2017-06-08T00:43:08.643493Z] executing ['hg', 'robustcheckout', '--sharebase', '/home/worker/checkouts/hg-store', '--purge', '--upstream', 'https://hg.mozilla.org/mozilla-unified', '--revision', '76dd2108b4ae49d518e70a97e5070894685af41f', 'https://hg.mozilla.org/integration/mozilla-inbound/', '/home/worker/checkouts/gecko']
[vcs 2017-06-08T00:43:08.710926Z] ensuring https://hg.mozilla.org/integration/mozilla-inbound/@76dd2108b4ae49d518e70a97e5070894685af41f is available at /home/worker/checkouts/gecko
[vcs 2017-06-08T00:43:08.711110Z] (existing repository shared store: /home/worker/checkouts/hg-store/8ba995b74e18334ab3707f27e9eb8f4e37ba3d29/.hg)
[vcs 2017-06-08T00:43:08.844131Z] (pulling to obtain 76dd2108b4ae49d518e70a97e5070894685af41f)
[vcs 2017-06-08T00:43:09.692071Z] searching for changes
[vcs 2017-06-08T00:43:12.409884Z] adding changesets
[vcs 2017-06-08T00:43:12.411830Z] adding manifests
[vcs 2017-06-08T00:43:12.484177Z] adding file changes
[vcs 2017-06-08T00:43:12.779621Z] added 6 changesets with 18 changes to 18 files
[vcs 2017-06-08T00:43:12.819905Z] (purging working directory)
[vcs 2017-06-08T00:43:16.621817Z] 
[vcs 2017-06-08T00:43:17.224069Z] updating [=>                                                        ]  100/2348
[vcs 2017-06-08T00:43:17.224141Z]                                                                                 
[vcs 2017-06-08T00:43:17.250802Z] 1457 files updated, 0 files merged, 891 files removed, 0 files unresolved
[vcs 2017-06-08T00:43:17.305725Z] updated to 76dd2108b4ae49d518e70a97e5070894685af41f

Curious.
Hm, maybe mercurial recently started requiring tls1.2, but the python in the 'test' image doesn't support it. Lint tasks might be working because they might either be using a newer python or older mercurial?

I haven't had a chance to dig into this yet, but that's my best guess.
Flags: needinfo?(ahalberstadt)
Is this test job using Ubuntu 12.04 or Ubuntu 16.04?  Upgrading might be a quick fix.
What I don't understand is what changed that regressed this. Also I don't think tls1.2 is supported in any python 2.7, so why is robustcheckout trying to use it all of a sudden?

Gps, you might know what's going on here.

(Btw, I'm having trouble even loading a one-click-loaner, so haven't been able to reproduce.. shell webpage loads, but never drops me to the prompt)
Flags: needinfo?(gps)
In a try push, I ran robustcheckout from mozharness on Ubuntu 16.04 and that worked fine, so I suspect the issue is "Clone gecko" is busted on Ubuntu 12.04...not sure if that's worth fixing.
Regression from https://hg.mozilla.org/mozilla-central/rev/26b7053440a5.

The proper fix is to upgrade the Python that Mercurial is using to 2.7.9+. But we shouldn't do that for the system Python in Docker images because it could interfere with system operations. The proper way to do this is to install a Mercurial package referencing a modern Python binary.

Which Docker image is this?
Depends on: 1355624
Flags: needinfo?(gps)
Sounds like it's this one:
https://dxr.mozilla.org/mozilla-central/source/taskcluster/docker/desktop-test

I think there's only a handful of tasks that are still using it, most have migrated to the 16.06 image, which looks like it has a modern enough python.
The quick fix for this is to append the following to /etc/mercurial/hgrc when starting the ad-hoc task:

[hostsecurity]
minimumprotocol = tls1.0


This will of course reduce security protection of TLS. But as long as we're not running this for actual automation or sending sensitive credentials over the wire, I don't think it matters that much.
Lots of things have changed since this was reported. I haven't had any recent trouble.
Assignee: nobody → gbrown
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.