Centos RPM with python virtual env

Question

I am trying to deploy my python virtualenv as centos rpm.

Following steps I have taken.

1. Created virtual environment with required dependencies.

One of requirement is pyOpenSSL

2. Built rpm package.

3. Now when installed on fresh centos instance, I am getting error as 'No module named OpenSSL'.

Is there any different procedure for pyOpenSSL module or do we need to install openssl-devel and openssl explicitly on new machine.

Answer 1

Is there any different procedure for pyOpenSSL module or do we need to install openssl-devel and openssl explicitely on new machine.

First, I'm pretty sure pyOpenSSL only requires openssl-devel as a build dependency, not a runtime dependency. So, as long as you're distributing a pre-built copy (whether by tarring up a portable virtualenv, using a wheel file in a custom repo, or otherwise), openssl-devel shouldn't be a problem, only openssl.

But openssl is a problem. pyOpenSSL is a pure-Python wrapper; all it does is dlopen the .so file and call a bunch of functions out of it. Without the .so, it can't do anything useful at all.

I'm a bit surprised that any (non-embedded) linux distro doesn't come with OpenSSL. If CentOS comes with openssl pre-installed, then you already have all your dependencies, and there's nothing to do here.

But, given that, as far as I know, OpenSSL still isn't part of LSB, this is at least a conceivable problem, so let's deal with it.

---

As a brief sidebar: If you switched to a different OpenSSL wrapper (there are at least three major alternatives) that's written in C (or SWIG or SIP) rather than Python and links OpenSSL directly rather than by cffi, everything would be a lot simpler. For example, I believe with M2Crypto, all you have to do is create a static-only build of OpenSSL, then build M2Crypto with --openssl=/path/to/static/openssl, and you're done.

---

But if you're set on pyOpenSSL, is there any way around this? Yes, but it's not going to be easy.

The good news is that pyOpenSSL isn't a wrapper around OpenSSL itself, but the lower-level cryptography module. And cryptography uses cffi rather than ctypes, which means it can be distributed with a pre-built helper module, which can be statically linked against OpenSSL.

Unfortunately, while cryptography does have built-in support for pre-building its helpers with statically linked OpenSSL on Windows, last time I checked, it did not have that support on other platforms. That means you're either going to need to add that support yourself, or trick it in some way.

If you don't know much about this stuff, you're almost certainly going to need step-by-step help with this. Read the docs on cffi, and both the Building cryptography on Linux docs and the bundled INSTALL file, and make sure you understand static linking and GNU ld, and then go to the cryptography-dev mailing list. Or maybe go to the bug tracker and search for or create an issue for static linking OpenSSL on linux.

But if you know what you're doing, here's the basic idea:

1. To build in static linking support, look in the OpenSSL binding and binding utilities source to see what it does on Windows and do the equivalent on Linux.
2. To work around it, what you want to do is build OpenSSL locally, copy it inside the cryptography source tree, trick cryptography into link to libopenssl.so (and friends) with relative rather than absolute paths, and modify its setup.py to copy the .so files into the package itself.
3. If you want to get really hacky, instead of modifying setup.py, just copy the .so files into the package manually after installation. (This will obviously only work if you're using a distribution mechanism based on bundling up the virtualenv, rather than rebuilding it.)

---

Another option is to use an executable packager to automatically bundle any dependent non-system libraries into the executable. Unfortunately, the only one I know of that does that kind of thing on linux is pyInstaller, and last I checked it didn't know how to handle cryptography/pyOpenSSL, so again you'd have to figure it out and extend pyInstaller yourself. If you want to go this way, take a look at the other recipes there. Also, I believe py2app can handle pyOpenSSL; while it's Mac-specific, looking at what it does may help you do the same on linux.