Chore/contributor rollup (#1479)

* These needed to be rolled in due to various dependency changes. * Fix the URL people should set to use their Custom Server (https://github.com/mozilla-services/syncstorage-rs/pull/1453) - [Ekleog](https://github.com/Ekleog) * Make docker files more podman friendly (https://github.com/mozilla-services/syncstorage-rs/pull/1431) - [mb](https://github.com/mb) * This PR also updates a number of dependencies
2025-08-06 20:06:57 +02:00 · 2023-10-18 14:24:41 -07:00 · 2023-10-18 14:24:41 -07:00 · 1b9ebbf40f
commit 1b9ebbf40f
parent fb70128824
19 changed files with 655 additions and 432 deletions
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@ -7,5 +7,6 @@ ignore = [
    "RUSTSEC-2020-0071",
    "RUSTSEC-2021-0124",
    "RUSTSEC-2023-0034", # Bound by actix-http 2.2, Reqwest 0.10
+    "RUSTSEC-2023-0044", # Bound to native-tls 0.2.11, request 0.10.10, hyper-tls 0.4.3
    "RUSTSEC-2023-0052", # Bound by reqwest, various tls libs
 ]
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,19 +1,19 @@
 [workspace]
 resolver = "2"
 members = [
-    "syncserver-common",
-    "syncserver-db-common",
-    "syncserver-settings",
-    "syncstorage-db",
-    "syncstorage-db-common",
-    "syncstorage-mysql",
-    "syncstorage-settings",
-    "syncstorage-spanner",
-    "tokenserver-auth",
-    "tokenserver-common",
-    "tokenserver-db",
-    "tokenserver-settings",
-    "syncserver",
+  "syncserver-common",
+  "syncserver-db-common",
+  "syncserver-settings",
+  "syncstorage-db",
+  "syncstorage-db-common",
+  "syncstorage-mysql",
+  "syncstorage-settings",
+  "syncstorage-spanner",
+  "tokenserver-auth",
+  "tokenserver-common",
+  "tokenserver-db",
+  "tokenserver-settings",
+  "syncserver",
 ]
 default-members = ["syncserver"]

@ -28,12 +28,14 @@ edition = "2021"
 license = "MPL-2.0"

 [workspace.dependencies]
+actix-web = "3"
+
 base64 = "0.21"
 cadence = "0.29"
 backtrace = "0.3"
 chrono = "0.4"
 docopt = "1.1"
-env_logger = "0.9"
+env_logger = "0.10"
 futures = { version = "0.3", features = ["compat"] }
 hex = "0.4"
 http = "0.2"
@ -41,14 +43,12 @@ lazy_static = "1.4"
 protobuf = "=2.25.2" # pin to 2.25.2 to prevent side updating
 rand = "0.8"
 regex = "1.4"
-sentry = { version = "0.19", features = [
-  "with_curl_transport",
-] } # pin to 0.19 until on-prem sentry server is updated
-sentry-backtrace = "0.19"
+sentry = { version = "0.31", features = ["curl"] }
+sentry-backtrace = "0.31"
 serde = "1.0"
 serde_derive = "1.0"
 serde_json = { version = "1.0", features = ["arbitrary_precision"] }
-sha2 = "0.9"
+sha2 = "0.10"
 slog = { version = "2.5", features = [
  "max_level_info",
  "release_max_level_info",
--- a/10
+++ b/10
@ -1,5 +1,5 @@
 # NOTE: Ensure builder's Rust version matches CI's in .circleci/config.yml
-FROM lukemathwalker/cargo-chef:0.1.62-rust-1.72-buster as chef
+FROM docker.io/lukemathwalker/cargo-chef:0.1.62-rust-1.72-bullseye as chef
 WORKDIR /app

 FROM chef AS planner
@ -12,7 +12,7 @@ COPY --from=planner /app/mysql_pubkey.asc mysql_pubkey.asc

 # cmake is required to build grpcio-sys for Spanner builds
 RUN \
-    echo "deb https://repo.mysql.com/apt/debian/ buster mysql-8.0" >> /etc/apt/sources.list && \
+    echo "deb https://repo.mysql.com/apt/debian/ bullseye mysql-8.0" >> /etc/apt/sources.list && \
    # mysql_pubkey.asc from:
    # https://dev.mysql.com/doc/refman/8.0/en/checking-gpg-signature.html
    # related:
@ -32,7 +32,7 @@ COPY --from=cacher /app/target /app/target
 COPY --from=cacher $CARGO_HOME /app/$CARGO_HOME

 RUN \
-    echo "deb https://repo.mysql.com/apt/debian/ buster mysql-8.0" >> /etc/apt/sources.list && \
+    echo "deb https://repo.mysql.com/apt/debian/ bullseye mysql-8.0" >> /etc/apt/sources.list && \
    # mysql_pubkey.asc from:
    # https://dev.mysql.com/doc/refman/8.0/en/checking-gpg-signature.html
    # related:
@ -51,7 +51,7 @@ RUN \
    cargo install --path ./syncserver --no-default-features --features=syncstorage-db/$DATABASE_BACKEND --locked --root /app && \
    if [ "$DATABASE_BACKEND" = "spanner" ] ; then cargo install --path ./syncstorage-spanner --locked --root /app --bin purge_ttl ; fi

-FROM debian:buster-slim
+FROM docker.io/library/debian:bullseye-slim
 WORKDIR /app
 COPY --from=builder /app/requirements.txt /app
 COPY --from=builder /app/mysql_pubkey.asc /app
@ -67,7 +67,7 @@ RUN \
    apt-get -q update && \
    # and ca-certificates needed for https://repo.mysql.com
    apt-get install -y gnupg ca-certificates && \
-    echo "deb https://repo.mysql.com/apt/debian/ buster mysql-8.0" >> /etc/apt/sources.list && \
+    echo "deb https://repo.mysql.com/apt/debian/ bullseye mysql-8.0" >> /etc/apt/sources.list && \
    apt-key adv --import mysql_pubkey.asc && \
    # update again now that we trust repo.mysql.com
    apt-get -q update && \
--- a/docker-compose.mysql.yaml
+++ b/docker-compose.mysql.yaml
@ -1,64 +1,70 @@
+# NOTE: This docker-compose file was constructed to create a base for
+# use by the End-to-end tests. It has not been fully tested for use in
+# constructing a true, stand-alone sync server.
+# If you're interested in doing that, please join our community in the
+# github issues and comments.
+#
 # Application runs off of port 8000.
 # you can test if it's available with
 # curl "http://localhost:8000/__heartbeat__"

-version: '3'
+version: "3"
 services:
-    sync-db:
-        image: mysql:5.7
-        volumes:
-            - sync_db_data:/var/lib/mysql
-        restart: always
-        ports:
-            - "3306"
-        environment:
-            #MYSQL_RANDOM_ROOT_PASSWORD: yes
-            MYSQL_ROOT_PASSWORD: random
-            MYSQL_DATABASE: syncstorage
-            MYSQL_USER: test
-            MYSQL_PASSWORD: test
+  sync-db:
+    image: docker.io/library/mysql:5.7
+    volumes:
+      - sync_db_data:/var/lib/mysql
+    restart: always
+    ports:
+      - "3306"
+    environment:
+      #MYSQL_RANDOM_ROOT_PASSWORD: yes
+      MYSQL_ROOT_PASSWORD: random
+      MYSQL_DATABASE: syncstorage
+      MYSQL_USER: test
+      MYSQL_PASSWORD: test

-    tokenserver-db:
-        image: mysql:5.7
-        volumes:
-            - tokenserver_db_data:/var/lib/mysql
-        restart: always
-        ports:
-            - "3306"
-        environment:
-            #MYSQL_RANDOM_ROOT_PASSWORD: yes
-            MYSQL_ROOT_PASSWORD: random
-            MYSQL_DATABASE: tokenserver
-            MYSQL_USER: test
-            MYSQL_PASSWORD: test
+  tokenserver-db:
+    image: docker.io/library/mysql:5.7
+    volumes:
+      - tokenserver_db_data:/var/lib/mysql
+    restart: always
+    ports:
+      - "3306"
+    environment:
+      #MYSQL_RANDOM_ROOT_PASSWORD: yes
+      MYSQL_ROOT_PASSWORD: random
+      MYSQL_DATABASE: tokenserver
+      MYSQL_USER: test
+      MYSQL_PASSWORD: test

-    mock-fxa-server:
-        image: app:build
-        restart: "no"
-        entrypoint: python3 /app/tools/integration_tests/tokenserver/mock_fxa_server.py
-        environment:
-            MOCK_FXA_SERVER_HOST: 0.0.0.0
-            MOCK_FXA_SERVER_PORT: 6000
+  mock-fxa-server:
+    image: app:build
+    restart: "no"
+    entrypoint: python3 /app/tools/integration_tests/tokenserver/mock_fxa_server.py
+    environment:
+      MOCK_FXA_SERVER_HOST: 0.0.0.0
+      MOCK_FXA_SERVER_PORT: 6000

-    syncserver:
-        # NOTE: The naming in the rest of this repository has been updated to reflect the fact
-        # that Syncstorage and Tokenserver are now part of one repository/server called
-        # "Syncserver" (updated from "syncstorage-rs"). We keep the legacy naming below for
-        # backwards compatibility with previous Docker images.
-        image: ${SYNCSTORAGE_RS_IMAGE:-syncstorage-rs:latest}
-        restart: always
-        ports:
-            - "8000:8000"
-        depends_on:
-            - sync-db
-            - tokenserver-db
-        environment:
-            SYNC_HOST: 0.0.0.0
-            SYNC_MASTER_SECRET: secret0
-            SYNC_SYNCSTORAGE__DATABASE_URL: mysql://test:test@sync-db:3306/syncstorage
-            SYNC_TOKENSERVER__DATABASE_URL: mysql://test:test@tokenserver-db:3306/tokenserver
-            SYNC_TOKENSERVER__RUN_MIGRATIONS: "true"
+  syncserver:
+    # NOTE: The naming in the rest of this repository has been updated to reflect the fact
+    # that Syncstorage and Tokenserver are now part of one repository/server called
+    # "Syncserver" (updated from "syncstorage-rs"). We keep the legacy naming below for
+    # backwards compatibility with previous Docker images.
+    image: ${SYNCSTORAGE_RS_IMAGE:-syncstorage-rs:latest}
+    restart: always
+    ports:
+      - "8000:8000"
+    depends_on:
+      - sync-db
+      - tokenserver-db
+    environment:
+      SYNC_HOST: 0.0.0.0
+      SYNC_MASTER_SECRET: secret0
+      SYNC_SYNCSTORAGE__DATABASE_URL: mysql://test:test@sync-db:3306/syncstorage
+      SYNC_TOKENSERVER__DATABASE_URL: mysql://test:test@tokenserver-db:3306/tokenserver
+      SYNC_TOKENSERVER__RUN_MIGRATIONS: "true"

 volumes:
-    sync_db_data:
-    tokenserver_db_data:
+  sync_db_data:
+  tokenserver_db_data:
--- a/syncserver-common/Cargo.toml
+++ b/syncserver-common/Cargo.toml
@ -1,18 +1,18 @@
 [package]
 name = "syncserver-common"
-version.workspace=true
-license.workspace=true
-authors.workspace=true
-edition.workspace=true
+version.workspace = true
+license.workspace = true
+authors.workspace = true
+edition.workspace = true

 [dependencies]
-cadence.workspace=true
-futures.workspace=true
-sha2.workspace=true
-serde.workspace=true
-serde_json.workspace=true
-slog.workspace=true
-slog-scope.workspace=true
+cadence.workspace = true
+futures.workspace = true
+sha2.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+slog.workspace = true
+slog-scope.workspace = true
+actix-web.workspace = true

-actix-web = "3"
-hkdf = "0.11"
+hkdf = "0.12"
--- a/syncserver/Cargo.toml
+++ b/syncserver/Cargo.toml
@ -1,51 +1,49 @@
 [package]
 name = "syncserver"
 default-run = "syncserver"
-version.workspace=true
-license.workspace=true
-authors.workspace=true
-edition.workspace=true
+version.workspace = true
+license.workspace = true
+authors.workspace = true
+edition.workspace = true

 [dependencies]
-backtrace.workspace=true
-base64.workspace=true
-cadence.workspace=true
-chrono.workspace=true
-docopt.workspace=true
-env_logger.workspace=true
-futures.workspace=true
-hex.workspace=true
-lazy_static.workspace=true
-rand.workspace=true
-regex.workspace=true
-sentry-backtrace.workspace=true
-serde.workspace=true
-serde_derive.workspace=true
-serde_json.workspace=true
-sha2.workspace=true
-slog.workspace=true
-slog-async.workspace=true
-slog-envlogger.workspace=true
-slog-mozlog-json.workspace=true
-slog-scope.workspace=true
-slog-stdlog.workspace=true
-slog-term.workspace=true
+actix-web.workspace = true
+backtrace.workspace = true
+base64.workspace = true
+cadence.workspace = true
+chrono.workspace = true
+docopt.workspace = true
+env_logger.workspace = true
+futures.workspace = true
+hex.workspace = true
+lazy_static.workspace = true
+rand.workspace = true
+regex.workspace = true
+sentry.workspace = true
+sentry-backtrace.workspace = true
+serde.workspace = true
+serde_derive.workspace = true
+serde_json.workspace = true
+sha2.workspace = true
+slog.workspace = true
+slog-async.workspace = true
+slog-envlogger.workspace = true
+slog-mozlog-json.workspace = true
+slog-scope.workspace = true
+slog-stdlog.workspace = true
+slog-term.workspace = true

 actix-http = "2"
-actix-web = "3"
 actix-rt = "1"                                                       # Pin to 1.0, due to dependencies on Tokio
 actix-cors = "0.5"
 async-trait = "0.1.40"
 dyn-clone = "1.0.4"
 hostname = "0.3.1"
 hawk = "3.2"
-hmac = "0.11"
+hmac = "0.12"
 mime = "0.3"
 reqwest = { version = "0.10.10", features = ["json", "rustls-tls"] }
 # pin to 0.19: https://github.com/getsentry/sentry-rust/issues/277
-sentry = { version = "0.19", features = [
-  "with_curl_transport",
-] } # pin to 0.19 until on-prem sentry server is updated
 syncserver-common = { path = "../syncserver-common" }
 syncserver-db-common = { path = "../syncserver-db-common" }
 syncserver-settings = { path = "../syncserver-settings" }
@ -60,9 +58,9 @@ tokenserver-settings = { path = "../tokenserver-settings" }
 # pinning to 0.2.4 due to high number of dependencies (actix, bb8, deadpool, etc.)
 tokio = { version = "0.2.4", features = ["macros", "sync"] }
 urlencoding = "2.1"
-validator = "0.14"
-validator_derive = "0.14"
-woothee = "0.11"
+validator = "0.16"
+validator_derive = "0.16"
+woothee = "0.13"

 [features]
 default = ["syncstorage-db/mysql"]
--- a/syncserver/src/main.rs
+++ b/syncserver/src/main.rs
@ -36,8 +36,7 @@ async fn main() -> Result<(), Box<dyn Error>> {
    // Avoid its default reqwest transport for now due to issues w/
    // likely grpcio's boringssl
    let curl_transport_factory = |options: &sentry::ClientOptions| {
-        Arc::new(sentry::transports::CurlHttpTransport::new(options))
-            as Arc<dyn sentry::internals::Transport>
+        Arc::new(sentry::transports::CurlHttpTransport::new(options)) as Arc<dyn sentry::Transport>
    };
    let _sentry = sentry::init(sentry::ClientOptions {
        // Note: set "debug: true," to diagnose sentry issues
--- a/syncserver/src/server/test.rs
+++ b/syncserver/src/server/test.rs
@ -10,7 +10,7 @@ use actix_web::{
 use base64::{engine, Engine};
 use chrono::offset::Utc;
 use hawk::{self, Credentials, Key, RequestBuilder};
-use hmac::{Hmac, Mac, NewMac};
+use hmac::{Hmac, Mac};
 use lazy_static::lazy_static;
 use rand::{thread_rng, Rng};
 use serde::de::DeserializeOwned;
--- a/syncserver/src/tokenserver/extractors.rs
+++ b/syncserver/src/tokenserver/extractors.rs
@ -16,7 +16,7 @@ use actix_web::{
 use base64::{engine, Engine};
 use futures::future::LocalBoxFuture;
 use hex;
-use hmac::{Hmac, Mac, NewMac};
+use hmac::{Hmac, Mac};
 use lazy_static::lazy_static;
 use regex::Regex;
 use serde::Deserialize;
--- a/syncserver/src/web/auth.rs
+++ b/syncserver/src/web/auth.rs
@ -11,7 +11,7 @@ use std::convert::TryInto;
 use base64::{engine, Engine};
 use chrono::offset::Utc;
 use hawk::{self, Header as HawkHeader, Key, RequestBuilder};
-use hmac::{Hmac, Mac, NewMac};
+use hmac::{Hmac, Mac};
 use serde::{Deserialize, Serialize};
 use sha2::Sha256;
 use syncserver_common;
@ -201,7 +201,7 @@ impl HawkPayload {
 fn verify_hmac(info: &[u8], key: &[u8], expected: &[u8]) -> ApiResult<()> {
    let mut hmac = Hmac::<Sha256>::new_from_slice(key)?;
    hmac.update(info);
-    hmac.verify(expected).map_err(From::from)
+    hmac.verify(expected.into()).map_err(From::from)
 }

 #[cfg(test)]
--- a/syncserver/src/web/error.rs
+++ b/syncserver/src/web/error.rs
@ -7,7 +7,7 @@ use actix_web::Error as ActixError;
 use base64::DecodeError;

 use hawk::Error as ParseError;
-use hmac::crypto_mac::{InvalidKeyLength, MacError};
+use hmac::digest::{InvalidLength, MacError};
 use serde::{
    ser::{SerializeSeq, Serializer},
    Serialize,
@ -69,7 +69,7 @@ pub enum HawkErrorKind {
    InvalidHeader,

    #[error("{}", _0)]
-    InvalidKeyLength(InvalidKeyLength),
+    InvalidKeyLength(InvalidLength),

    #[error("{}", _0)]
    Json(JsonError),
@ -166,7 +166,7 @@ impl_fmt_display!(HawkError, HawkErrorKind);
 impl_fmt_display!(ValidationError, ValidationErrorKind);

 from_error!(DecodeError, ApiError, HawkErrorKind::Base64);
-from_error!(InvalidKeyLength, ApiError, HawkErrorKind::InvalidKeyLength);
+from_error!(InvalidLength, ApiError, HawkErrorKind::InvalidKeyLength);
 from_error!(JsonError, ApiError, HawkErrorKind::Json);
 from_error!(MacError, ApiError, HawkErrorKind::Hmac);
 from_error!(ToStrError, ApiError, HawkErrorKind::Header);
--- a/syncserver/src/web/extractors.rs
+++ b/syncserver/src/web/extractors.rs
@ -1749,7 +1749,7 @@ mod tests {
        Error, HttpResponse,
    };
    use hawk::{Credentials, Key, RequestBuilder};
-    use hmac::{Hmac, Mac, NewMac};
+    use hmac::{Hmac, Mac};
    use rand::{thread_rng, Rng};
    use serde_json::{self, json};
    use sha2::Sha256;
--- a/syncstorage-spanner/Cargo.toml
+++ b/syncstorage-spanner/Cargo.toml
@ -1,39 +1,42 @@
 [package]
 name = "syncstorage-spanner"
-version.workspace=true
-license.workspace=true
-authors.workspace=true
-edition.workspace=true
+version.workspace = true
+license.workspace = true
+authors.workspace = true
+edition.workspace = true

 [dependencies]
-backtrace.workspace=true
-cadence.workspace=true
-env_logger.workspace=true
-futures.workspace=true
-http.workspace=true
-slog-scope.workspace=true
+backtrace.workspace = true
+cadence.workspace = true
+env_logger.workspace = true
+futures.workspace = true
+http.workspace = true
+slog-scope.workspace = true

 async-trait = "0.1.40"
 # Pin to 0.5 for now, to keep it under tokio 0.2 (issue977).
 # Fix for #803 (deadpool#92) points to our fork for now
 #deadpool = "0.5"  # pin to 0.5
 deadpool = { git = "https://github.com/mozilla-services/deadpool", branch = "deadpool-v0.5.2-issue92" }
-google-cloud-rust-raw = "0.14.0"
+google-cloud-rust-raw = "0.15.0"
 # Some versions of OpenSSL 1.1.1 conflict with grpcio's built-in boringssl which can cause
 # syncserver to either fail to either compile, or start. In those cases, try
 # `cargo build --features grpcio/openssl ...`
-grpcio = { version = "0.12.0" }
+grpcio = { version = "0.12.1" }
 log = { version = "0.4", features = [
  "max_level_debug",
  "release_max_level_info",
 ] }
-protobuf = {version="2.25.2"} # must match what's used by googleapis-raw
+protobuf = { version = "2.28.0" } # must match what's used by googleapis-raw
 syncserver-common = { path = "../syncserver-common" }
 syncserver-db-common = { path = "../syncserver-db-common" }
 syncstorage-db-common = { path = "../syncstorage-db-common" }
 syncstorage-settings = { path = "../syncstorage-settings" }
 thiserror = "1.0.26"
-tokio = { version = "0.2.4", features = ["macros", "sync"] } # pinning to 0.2.4 due to high number of dependencies (actix, bb8, deadpool, etc.)
+tokio = { version = "0.2.4", features = [
+  "macros",
+  "sync",
+] } # pinning to 0.2.4 due to high number of dependencies (actix, bb8, deadpool, etc.)
 url = "2.1"
 uuid = { version = "0.8.2", features = ["serde", "v4"] }

--- a/tokenserver-common/Cargo.toml
+++ b/tokenserver-common/Cargo.toml
@ -1,15 +1,15 @@
 [package]
 name = "tokenserver-common"
-version.workspace=true
-license.workspace=true
-authors.workspace=true
-edition.workspace=true
+version.workspace = true
+license.workspace = true
+authors.workspace = true
+edition.workspace = true

 [dependencies]
-backtrace.workspace=true
-serde.workspace=true
-serde_json.workspace=true
+actix-web.workspace = true
+backtrace.workspace = true
+serde.workspace = true
+serde_json.workspace = true

-actix-web = "3"
 syncserver-common = { path = "../syncserver-common" }
 thiserror = "1.0.26"
--- a/tools/integration_tests/requirements.txt
+++ b/tools/integration_tests/requirements.txt
@ -7,10 +7,10 @@ pyjwt
 pyramid
 pyramid_hawkauth
 pyfxa
+pytest
 requests
 simplejson
 sqlalchemy
 tokenlib
-unittest2
 webtest
 wsgiproxy2
--- a/tools/integration_tests/test_storage.py
+++ b/tools/integration_tests/test_storage.py
@ -14,7 +14,8 @@ consider it a bug.

 """

-import unittest2
+# unittest imported by pytest requirement
+import unittest


 import re
@ -701,7 +702,7 @@ class TestStorage(StorageFunctionalTestCase):
    def test_x_timestamp_header(self):
        # This can't be run against a live server.
        if self.distant:
-            raise unittest2.SkipTest
+            raise unittest.SkipTest

        bsos = [{"id": str(i).zfill(2), "payload": "xxx"} for i in range(5)]
        self.retry_post_json(self.root + "/storage/xxx_col2", bsos)
@ -839,9 +840,9 @@ class TestStorage(StorageFunctionalTestCase):

    def test_overquota(self):
        # This can't be run against a live server.
-        raise unittest2.SkipTest
+        raise unittest.SkipTest
        if self.distant:
-            raise unittest2.SkipTest
+            raise unittest.SkipTest

        # Clear out any data that's already in the store.
        self.retry_delete(self.root + "/storage")
@ -897,7 +898,7 @@ class TestStorage(StorageFunctionalTestCase):
            # Can't run against live server if it doesn't
            # report the right config options.
            if self.distant:
-                raise unittest2.SkipTest
+                raise unittest.SkipTest
            max_bytes = get_limit_config(self.config, "max_post_bytes")
            max_count = get_limit_config(self.config, "max_post_records")
            max_req_bytes = get_limit_config(self.config, "max_request_bytes")
@ -1483,7 +1484,7 @@ class TestStorage(StorageFunctionalTestCase):
        # This can't be run against a live server because we
        # have to forge an auth token to test things properly.
        if self.distant:
-            raise unittest2.SkipTest
+            raise unittest.SkipTest

        # Write some items while we've got a good token.
        bsos = [{"id": str(i).zfill(2), "payload": "xxx"} for i in range(3)]
@ -2122,7 +2123,7 @@ class TestStorage(StorageFunctionalTestCase):
            if batch1 == batch2:
                break
        else:
-            raise unittest2.SkipTest("failed to generate conflicting batchid")
+            raise unittest.SkipTest("failed to generate conflicting batchid")

    def test_that_we_dont_resurrect_committed_batches(self):
        # This retry loop tries to trigger a situation where we:
@ -2146,7 +2147,7 @@ class TestStorage(StorageFunctionalTestCase):
            if batch1 == batch2:
                break
        else:
-            raise unittest2.SkipTest("failed to trigger re-use of batchid")
+            raise unittest.SkipTest("failed to trigger re-use of batchid")
        # Despite having the same batchid, the second batch should
        # be completely independent of the first.
        resp = self.app.get(self.root + "/storage/xxx_col2")
--- a/tools/integration_tests/test_support.py
+++ b/tools/integration_tests/test_support.py
@ -25,7 +25,8 @@ import sys
 import time
 import tokenlib
 import urllib.parse as urlparse
-import unittest2
+# unittest imported by pytest requirement
+import unittest
 import uuid
 from webtest import TestApp
 from zope.interface import implementer
@ -234,7 +235,7 @@ def restore_env(*keys):
    return decorator


-class TestCase(unittest2.TestCase):
+class TestCase(unittest.TestCase):
    """TestCase with some generic helper methods."""

    def setUp(self):
@ -420,7 +421,7 @@ class StorageFunctionalTestCase(FunctionalTestCase, StorageTestCase):
    def _switch_user(self):
        # It's hard to reliably switch users when testing a live server.
        if self.distant:
-            raise unittest2.SkipTest("Skipped when testing a live server")
+            raise unittest.SkipTest("Skipped when testing a live server")
        # Temporarily authenticate as a different user.
        orig_user_id = self.user_id
        orig_auth_token = self.auth_token
@ -866,13 +867,13 @@ def run_live_functional_tests(TestCaseClass, argv=None):
    os.environ["MOZSVC_TEST_REMOTE"] = "localhost"

    # Now use the unittest2 runner to execute them.
-    suite = unittest2.TestSuite()
+    suite = unittest.TestSuite()
    import test_storage

    test_prefix = os.environ.get("SYNC_TEST_PREFIX", "test")
-    suite.addTest(unittest2.findTestCases(test_storage, test_prefix))
-    # suite.addTest(unittest2.makeSuite(LiveTestCases, prefix=test_prefix))
-    runner = unittest2.TextTestRunner(
+    suite.addTest(unittest.findTestCases(test_storage, test_prefix))
+    # suite.addTest(unittest.makeSuite(LiveTestCases, prefix=test_prefix))
+    runner = unittest.TextTestRunner(
        stream=sys.stderr,
        failfast=opts.failfast,
        verbosity=2,
--- a/tools/spanner/Dockerfile
+++ b/tools/spanner/Dockerfile
@ -1,4 +1,4 @@
-FROM python:3.7.7-buster
+FROM python:3.11-bullseye

 COPY purge_ttl.py count_expired_rows.py count_users.py requirements.txt /app/