Update to Python 3.12.x (#5736)

[dsotirho-ucsc]

Connected issues: #5736

Checklist

Author

• PR is a draft
• Target branch is develop
• Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
• On ZenHub, PR is connected to all issues it (partially) resolves
• PR description links to connected issues
• PR title matches¹ that of a connected issue _{or comment in PR explains why they're different}
• PR title references all connected issues
• For each connected issue, there is at least one commit whose title references that issue

¹ when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (partiality)

• Added p tag to titles of partial commits
• This PR is labeled partial _{or completely resolves all connected issues}
• This PR partially resolves each of the connected issues _{or does not have the partial label}

Author (chains)

• This PR is blocked by previous PR in the chain _{or is not chained to another PR}
• The blocking PR is labeled base _{or this PR is not chained to another PR}
• This PR is labeled chained _{or is not chained to another PR}

Author (reindex, API changes)

• Added r tag to commit title _{or the changes introduced by this PR will not require reindexing of any deployment}
• This PR is labeled reindex:dev _{or the changes introduced by it will not require reindexing of dev}
• This PR is labeled reindex:anvildev _{or the changes introduced by it will not require reindexing of anvildev}
• This PR is labeled reindex:anvilprod _{or the changes introduced by it will not require reindexing of anvilprod}
• This PR is labeled reindex:prod _{or the changes introduced by it will not require reindexing of prod}
• This PR is labeled reindex:partial and its description documents the specific reindexing procedure for dev, anvildev, anvilprod and prod _{or requires a full reindex or carries none of the labels reindex:dev, reindex:anvildev, reindex:anvilprod and reindex:prod}
• This PR and its connected issues are labeled API _{or this PR does not modify a REST API}
• Added a (A) tag to commit title for backwards (in)compatible changes _{or this PR does not modify a REST API}
• Updated REST API version number in app.py _{or this PR does not modify a REST API}

Author (upgrading deployments)

• Ran make docker_images.json and committed the resulting changes _{or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable}
• Documented upgrading of deployments in UPGRADING.rst _{or this PR does not require upgrading deployments}
• Added u tag to commit title _{or this PR does not require upgrading deployments}
• This PR is labeled upgrade _{or does not require upgrading deployments}
• This PR is labeled deploy:shared _{or does not modify docker_images.json, and does not require deploying the shared component for any other reason}
• This PR is labeled deploy:gitlab _{or does not require deploying the gitlab component}
• This PR is labeled deploy:runner _{or does not require deploying the runner image}

Author (hotfixes)

• Added F tag to main commit title _{or this PR does not include permanent fix for a temporary hotfix}
• Reverted the temporary hotfixes for any connected issues _{or the none of the stable branches (anvilprod and prod) have temporary hotfixes for any of the issues connected to this PR}

Author (before every review)

• Rebased PR branch on develop, squashed old fixups
• Ran make requirements_update _{or this PR does not modify requirements*.txt, common.mk, Makefile and Dockerfile}
• Added R tag to commit title _{or this PR does not modify requirements*.txt}
• This PR is labeled reqs _{or does not modify requirements*.txt}
• make integration_test passes in personal deployment _{or this PR does not modify functionality that could affect the IT outcome}

Peer reviewer (after approval)

• PR is not a draft
• Ticket is in Review requested column
• PR is awaiting requested review from system administrator
• PR is assigned to only the system administrator

System administrator (after approval)

• Actually approved the PR
• Labeled connected issues as demo or no demo
• Commented on connected issues about demo expectations _{or all connected issues are labeled no demo}
• Decided if PR can be labeled no sandbox
• A comment to this PR details the completed security design review
• PR title is appropriate as title of merge commit
• N reviews label is accurate
• Moved connected issues to Approved column
• PR is assigned to only the operator

Operator (before pushing merge the commit)

• Checked reindex:… labels and r commit title tag
• Checked that demo expectations are clear _{or all connected issues are labeled no demo}
• Squashed PR branch and rebased onto develop
• Sanity-checked history
• Pushed PR branch to GitHub
• Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Checked the items in the next section _{or this PR is labeled deploy:gitlab}
• PR is assigned to only the system administrator _{or this PR is not labeled deploy:gitlab}

System administrator

• Background migrations for dev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• Background migrations for anvildev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• PR is assigned to only the operator

Operator (before pushing merge the commit)

• Ran _select dev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Ran _select anvildev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Added sandbox label _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab dev _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab anvildev _{or PR is labeled no sandbox}
• Build passes in sandbox deployment _{or PR is labeled no sandbox}
• Build passes in anvilbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in sandbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in anvilbox deployment _{or PR is labeled no sandbox}
• Deleted unreferenced indices in sandbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in dev}
• Deleted unreferenced indices in anvilbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in anvildev}
• Started reindex in sandbox _{or this PR is not labeled reindex:dev}
• Started reindex in anvilbox _{or this PR is not labeled reindex:anvildev}
• Checked for failures in sandbox _{or this PR is not labeled reindex:dev}
• Checked for failures in anvilbox _{or this PR is not labeled reindex:anvildev}
• The title of the merge commit starts with the title of this PR
• Added PR # reference to merge commit title
• Collected commit title tags in merge commit title _{but only included p if the PR is also labeled partial}
• Moved connected issues to Merged lower column in ZenHub
• Moved blocked issues to Triage _{or no issues are blocked on the connected issues}
• Pushed merge commit to GitHub

Operator (chain shortening)

• Changed the target branch of the blocked PR to develop _{or this PR is not labeled base}
• Removed the chained label from the blocked PR _{or this PR is not labeled base}
• Removed the blocking relationship from the blocked PR _{or this PR is not labeled base}
• Removed the base label from this PR _{or this PR is not labeled base}

Operator (after pushing the merge commit)

• Pushed merge commit to GitLab dev
• Pushed merge commit to GitLab anvildev
• Build passes on GitLab dev
• Reviewed build logs for anomalies on GitLab dev
• Build passes on GitLab anvildev
• Reviewed build logs for anomalies on GitLab anvildev
• Ran _select dev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Deleted PR branch from GitHub
• Deleted PR branch from GitLab dev
• Deleted PR branch from GitLab anvildev

Operator (reindex)

• Deindexed all unreferenced catalogs in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed all unreferenced catalogs in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Deindexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Indexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Indexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Started reindex in dev _{or this PR does not require reindexing dev}
• Started reindex in anvildev _{or this PR does not require reindexing anvildev}
• Checked for, triaged and possibly requeued messages in both fail queues in dev _{or this PR does not require reindexing dev}
• Checked for, triaged and possibly requeued messages in both fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Emptied fail queues in dev _{or this PR does not require reindexing dev}
• Emptied fail queues in anvildev _{or this PR does not require reindexing anvildev}

Operator

• Propagated the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels to the next promotion PRs _{or this PR carries none of these labels}
• Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels, from the description of this PR to that of the next promotion PRs _{or this PR carries none of these labels}
• PR is assigned to no one

Shorthand for review comments

• L line is too long
• W line wrapping is wrong
• Q bad quotes
• F other formatting problem

[codecov]

Codecov Report

Attention: Patch coverage is 82.35294% with 3 lines in your changes missing coverage. Please review.

Project coverage is 85.34%. Comparing base (24aaa42) to head (967df55).

Files with missing lines	Patch %	Lines
...llatlas/data/metadata/helpers/schema_validation.py	85.71%	2 Missing ⚠️
test/integration_test.py	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #5951      +/-   ##
===========================================
- Coverage    85.35%   85.34%   -0.01%     
===========================================
  Files          155      155              
  Lines        20779    20789      +10     
===========================================
+ Hits         17735    17743       +8     
- Misses        3044     3046       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coveralls]

coverage: 85.366% (-0.002%) from 85.368%
when pulling 967df55 on issues/dsotirho-ucsc/5736-update-python-to-3-12
into 24aaa42 on develop.

[dsotirho-ucsc]

IT failure due to combination of FIPS mode & the new bookworm-based Python image can be replicated with these commands:

$ sudo /usr/bin/docker run -it --rm --network gitlab-runner-net --env DOCKER_HOST=tcp://gitlab-dind:2375 --dns 172.21.0.2 --dns 169.254.169.253 122796619775.dkr.ecr.us-east-1.amazonaws.com/docker.io/library/docker:27.2.1 \
docker run -it --volume /var/run/docker.sock:/var/run/docker.sock docker.gitlab.dev.singlecell.gi.ucsc.edu/ucsc/azul/runner:latest \
docker run -it docker.io/library/python:3.12.6-slim-bookworm \
bash

# apt-get update && apt-get upgrade -y && apt-get -y install build-essential curl unzip

# install -m 0755 -d /etc/apt/keyrings

# curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc

# echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list

# apt-get update

Terminal log:

$ ssh gitlab.hcadev

[ec2-user@ip-172-21-0-99 ~]$ sudo /usr/bin/docker run -it --rm --network gitlab-runner-net --env DOCKER_HOST=tcp://gitlab-dind:2375 --dns 172.21.0.2 --dns 169.254.169.253 122796619775.dkr.ecr.us-east-1.amazonaws.com/docker.io/library/docker:27.2.1 \
> docker run -it --volume /var/run/docker.sock:/var/run/docker.sock docker.gitlab.dev.singlecell.gi.ucsc.edu/ucsc/azul/runner:latest \
> docker run -it docker.io/library/python:3.12.6-slim-bookworm \
> bash

root@02a62aa013df:/# apt-get update && apt-get upgrade -y && apt-get -y install build-essential curl unzip
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8787 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [2468 B]
Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [188 kB]
Fetched 9232 kB in 2s (4113 kB/s)
Reading package lists... Done
Reading package lists... Done
...

root@02a62aa013df:/# install -m 0755 -d /etc/apt/keyrings

root@02a62aa013df:/# curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc

root@02a62aa013df:/# echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list
deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable

root@02a62aa013df:/# apt-get update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm-updates InRelease
Hit:3 http://deb.debian.org/debian-security bookworm-security InRelease
Get:4 https://download.docker.com/linux/debian bookworm InRelease [43.3 kB]
Get:5 https://download.docker.com/linux/debian bookworm/stable amd64 Packages [31.3 kB]
Fetched 74.6 kB in 1s (64.9 kB/s)
fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context

Fatal error: requested algo not in md context
Aborted

[dsotirho-ucsc]

Successful test mounting to /proc/sys/crypto/fips_enabled (run on gitlab dev):

sudo /usr/bin/docker run \
-it \
--rm \
--network gitlab-runner-net \
--env DOCKER_HOST=tcp://gitlab-dind:2375 \
--dns 172.21.0.2 \
--dns 169.254.169.253 \
122796619775.dkr.ecr.us-east-1.amazonaws.com/docker.io/library/docker:27.3.1 \
docker run \
-it \
--volume /var/run/docker.sock:/var/run/docker.sock \
docker.gitlab.dev.singlecell.gi.ucsc.edu/ucsc/azul/runner:latest \
docker run \
-it \
--volume /var/run/docker.sock:/var/run/docker.sock \
--env DOCKER_BUILDKIT=1 docker.gitlab.dev.singlecell.gi.ucsc.edu/ucsc/azul/runner:latest \
bash -c 'echo 0 > /root/zero; \
printf "FROM docker.io/library/python:3.12.6-slim-bookworm\n\
RUN --mount=type=bind,source=zero,target=/proc/sys/crypto/fips_enabled cat /proc/sys/crypto/fips_enabled\n\
RUN cat /proc/sys/crypto/fips_enabled\n" > /root/Dockerfile; \
docker build --no-cache --progress=plain /root'

Output:

...
#6 [stage-0 2/3] RUN --mount=type=bind,source=zero,target=/proc/sys/crypto/fips_enabled cat /proc/sys/crypto/fips_enabled
#6 0.523 0
#6 DONE 0.7s
...

[hannes-ucsc]

Simplified version below.

• removed DOCKER_BUILDKIT=1 since that is the default anyways
• converted the bash -c to just bash with a heredoc
• converted the printf for the Dockerfile to a heredoc
• removed the intermediate docker run of the runner image (I don't think it reflects reality)
• removed the second RUN instruction (the one without the mount) from the Dockerfile

sudo /usr/bin/docker run \
    --interactive \
    --rm \
    --network gitlab-runner-net \
    --env DOCKER_HOST=tcp://gitlab-dind:2375 \
    --dns 172.21.0.2 \
    --dns 169.254.169.253 \
    122796619775.dkr.ecr.us-east-1.amazonaws.com/docker.io/library/docker:27.3.1 \
    docker run \
        --interactive \
        --rm \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        docker.gitlab.dev.singlecell.gi.ucsc.edu/ucsc/azul/runner:latest \
        bash <<EOF1
            echo 0 > zero
            docker build --no-cache --progress=plain -f - . <<EOF2
                FROM docker.io/library/python:3.12.6-slim-bookworm
                RUN cat /proc/sys/crypto/fips_enabled
                RUN --mount=type=bind,source=zero,target=/proc/sys/crypto/fips_enabled cat /proc/sys/crypto/fips_enabled
EOF2
EOF1

[hannes-ucsc]

Here's a simplified version of the reproduction as a paste-able one-liner for GitLab dev:

sudo /usr/bin/docker run \
    --interactive \
    --rm \
    --network gitlab-runner-net \
    --env DOCKER_HOST=tcp://gitlab-dind:2375 \
    --dns 172.21.0.2 \
    --dns 169.254.169.253 \
    122796619775.dkr.ecr.us-east-1.amazonaws.com/docker.io/library/docker:27.3.1 \
        docker run \
            --interactive \
            --rm \
            --volume /var/run/docker.sock:/var/run/docker.sock \
            docker.gitlab.dev.singlecell.gi.ucsc.edu/ucsc/azul/runner:latest \
                docker run \
                    --interactive \
                    docker.io/library/python:3.12.6-slim-bookworm \
                    bash <<'EOF'
                        set -ex
                        apt-get update && apt-get -y install curl
                        install -m 0755 -d /etc/apt/keyrings
                        curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
                        echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list
                        apt-get update
EOF

This ends in

+ apt-get update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm-updates InRelease
Hit:3 http://deb.debian.org/debian-security bookworm-security InRelease
Get:4 https://download.docker.com/linux/debian bookworm InRelease [43.3 kB]
Get:5 https://download.docker.com/linux/debian bookworm/stable amd64 Packages [31.3 kB]
Fetched 74.6 kB in 1s (87.5 kB/s)
Reading package lists...fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context

Fatal error: requested algo not in md context
bash: line 6:   274 Aborted                 apt-get update

The reason is that the InRelease file from Docker's package repository contains MD5 hashes of the files in the release. It also includes a SHA1 and SHA256 hash for each file. The file is signed so when apt-get tries to verify the signature, it must accumulate all the hashes, including the MD5s into the overall digest, using libgcrypt20 for that. Debian bookworm updated libgcrypt20. The previous version had an exception for MD5, in FIPS mode. The new version does not. A bug report was filed against Debian.

Most InRelease files from upstream don't contain MD5 hashes anymore and that's why the first apt-get update in the above reproduction succeeds.

[hannes-ucsc]

As to why the RUN --mount work-around fails with Docker Desktop on macOS: The host's /proc FS is mounted in all containers. This is the case even with our DinD setup on the EC2 instance with Amazon Linux, since all containers ultimately share the kernel, and therefore the /proc filesystem, with the host, even containers managed by the DinD daemon rather than the hosts Docker daemon.

With Docker Desktop with macOS the host is not the physical machine but a VM running a minimal Linux distro (LinuxKit). This distro and kernel don't provide /proc/sys/crypto and faking it is not easy. Even if we got it to work, runc would then refuse the mount. It only allows certain bind mounts in /proc, like /proc/sys/net. I am unsure as to why the DinD runc on the instance allows it but the workaround proves that it does.

The key observation is that we don't need the RUN --mount workaround when building the Dockerfile on macOS. The problem is not reproducible there because /proc/sys/crypto is completely absent and libgcrypt therefore doesn't attempt to enforce any FIPS restrictions.

We can

Index: Dockerfile
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/Dockerfile b/Dockerfile
--- a/Dockerfile	(revision 70f573de7639abf1180a0d78b575ea7b71a7a64a)
+++ b/Dockerfile	(date 1730396147875)
@@ -46,7 +46,8 @@
 RUN install -m 0755 -d /etc/apt/keyrings
 COPY --chmod=0644 bin/keys/docker-apt-keyring.pgp /etc/apt/keyrings/docker.gpg
 ARG azul_docker_version
-RUN --mount=type=bind,source=fips_enabled,target=/proc/sys/crypto/fips_enabled \
+ARG azul_proc_sys_crypto=/tmp
+RUN --mount=type=bind,source=fips_enabled,target=${azul_proc_sys_crypto}/fips_enabled \
     set -o pipefail \
     && ( \
       echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" \

and then override azul_proc_sys_crypto on the EC2 instance to actually point to /proc/sys/crypto.

Alternatively, we could disable FIPS mode on the instance.

Independently, we should ask Docker to remove the MD5 hashes from their InRelease file for bookworm. Either workaround (RUN --mount … target=${azul_proc_sys_crypto}/fips_enabled … or the FIPS mode disablement) could be reverted when they do.

Assignee to try the first workaround on tempdev. I verified it on my local Mac already.

[hannes-ucsc]

Independently, we should ask Docker to remove the MD5 hashes from their InRelease file for bookworm.

docker/docker-ce-packaging#1096

I also created #6675 so that we can add a FIXME referring to it in this PR.