In python2, there is a bug/feature that causes a variable from list comprehension to be rebound the variable and leak out of the scope.
{{{#!python
[x for x in [1, 2]] x
This caused an resource leak in the test cases in otp token import test cases:
{{{#!python def test_figure6(self): nss.nss_init_nodb() try: doc = PSKCDocument(os.path.join(basename, "pskc-figure6.xml")) assert doc.keyname == 'Pre-shared-key' doc.setKey('12345678901234567890123456789012'.decode('hex')) assert [(t.id, t.options) for t in doc.getKeyPackages()] == \ [(u'12345678', { 'ipatokenotpkey': u'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', 'ipatokenvendor': u'Manufacturer', 'ipatokenserial': u'987654321', 'ipatokenhotpcounter': 0, 'ipatokenotpdigits': 8, 'type': u'hotp'})]
finally: nss.nss_shutdown()
The label t holding an nss object, the finally clause throws an exception:
t
NSPRError: (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
This failed shutdown call or the subsequent inits done on the nss object cause a corruption of the NSS database resulting in cryptic errors like
{{{NSPRError: (SEC_ERROR_UNKNOWN_PKCS11_ERROR) Unknown PKCS #11 error.}}}
and
NetworkError: cannot connect to 'https://vm-032.idm.lab.eng.brq.redhat.com/ipa/session/json': (SSL_ERROR_SSL_DISABLED) Cannot connect: SSL is disabled.
in the rest of the test run, rendering the test run useless.
The fix for this problem is to identify the places where the leak occurs and delete the object.
Many thanks to Jan Cholasta for helping to debug this problem.
One of the suggestions, a decorator, didn't work very well.
{{{#!python def nss_initialized_nodb(func): """Provides a nss nodb context to a function.
The decorator is intended to isolate the nss context from the function local variables that use it. """ @wraps(func) def decorated(*args, **kwargs): nss.nss_init_nodb() try: func(*args, **kwargs) finally: nss.nss_shutdown() return decorated
Failing with:
args = (<ipatests.test_ipaserver.test_otptoken_import.test_otptoken_import object at 0x7fdbf1bb2e50>,) kwargs = {} @wraps(func) def decorated(*args, **kwargs): nss.nss_init_nodb() try: func(*args, **kwargs) finally: > nss.nss_shutdown() E NSPRError: (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. /var/lib/jenkins/workspace/mkubik-intree-tests-f22master/ipatests/test_ipaserver/test_otptoken_import.py:42: NSPRError
The NSS objects are used only inside of the func (a method) so by the time {{{nss.nss_shutdown}}} is being called, they should be deallocated (it's possible that they hang somewhere not garbage collected, though).
master:
ipa-4-2:
This is temporal workaround, ticket should stay opened until issue is fixed by proper fix.
Decreasing priority, it is not test blocker anymore.
FreeIPA 4.2.1 was released, moving to 4.2.x.
Metadata Update from @mkubik: - Issue assigned to mkubik - Issue set to the milestone: FreeIPA 4.5 backlog
No longer relevant. FreeIPA now uses Python 3 and no longer utilizes NSS here.
Metadata Update from @cheimes: - Issue close_status updated to: fixed
Login to comment on this ticket.