Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] onedir blocks installation of shared libraries for pygit2 gitfs in 3006.0 #64121

Open
2 of 9 tasks
DaAwesomeP opened this issue Apr 20, 2023 · 55 comments · Fixed by openSUSE/salt#588 · May be fixed by #67186
Open
2 of 9 tasks

[BUG] onedir blocks installation of shared libraries for pygit2 gitfs in 3006.0 #64121

DaAwesomeP opened this issue Apr 20, 2023 · 55 comments · Fixed by openSUSE/salt#588 · May be fixed by #67186
Assignees
@dwoz
Labels
Bug broken, incorrect, or confusing behavior dependency underlying Salt dependency issue Regression The issue is a bug that breaks functionality known to work in previous releases. Sulfur v3006.0 release code name and version

Comments

@DaAwesomeP
Copy link
Contributor

Description
I did not change any configuration between 3005.1 and 3006.0 but suddently salt-master cannot find my public keys.

Setup

fileserver_backend:
  - gitfs

gitfs_provider: pygit2
gitfs_remotes:
  - ssh://[email protected]/myorg/mysalt.git:
    - base: main
    - root: salt
    - pubkey: /root/.ssh/id_salt.pub
    - privkey: /root/.ssh/id_salt
  - https://github.com/saltstack/salt-winrepo-ng.git:
    - all_saltenvs: master
    - mountpoint: salt://win/repo-ng/salt-winrepo-ng

ext_pillar:
  - git:
    - main ssh://[email protected]/myorg/mypillar.git:
      - env: base
      - root: pillar
      - pubkey: /root/.ssh/id_pillar.pub
      - privkey: /root/.ssh/id_pillar
  • on-prem machine
  • VM (Virtualbox, KVM, etc. please specify)
  • VM running on a cloud service, please be explicit and add details
  • container (Kubernetes, Docker, containerd, etc. please specify)
  • or a combination, please be explicit
  • jails if it is FreeBSD
  • classic packaging
  • onedir packaging
  • used bootstrap to install

Steps to Reproduce the behavior
Upgrade from 3005.1 to 3006.0. Run salt-pip install pygit2.

Expected behavior
Should fetch gitfs normally.

Screenshots

[CRITICAL] SSH pubkey (/root/.ssh/id_salt.pub) for gitfs remote 'ssh://[email protected]/myorg/mysalt.git' could not be found, path may be incorrect. Note that it may be necessary to clear git_pillar locks to proceed once this is resolved and the master has been started back up. A warning will be logged if this is the case, with instructions.
[CRITICAL] SSH pubkey (/root/.ssh/id_pillar.pub) for git_pillar remote 'main ssh://[email protected]/myorg/mypillar.git' could not be found, path may be incorrect. Note that it may be necessary to clear git_pillar locks to proceed once this is resolved and the master has been started back up. A warning will be logged if this is the case, with instructions.
[CRITICAL] Failed to load gitfs
[CRITICAL] Failed to load git_pillar
[CRITICAL] Master failed pre flight checks, exiting

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.) 
Salt Version:
          Salt: 3006.0
 
Python Version:
        Python: 3.10.11 (main, Apr 14 2023, 05:57:16) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.15.1
      cherrypy: unknown
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.2
       libgit2: 1.6.3
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.9.8
        pygit2: 1.12.0
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 23.2.0
        relenv: 0.11.2
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: debian 11 bullseye
        locale: utf-8
       machine: x86_64
       release: 5.10.0-21-cloud-amd64
        system: Linux
       version: Debian GNU/Linux 11 bullseye

Additional context
Running cat and ls on those files show they exist fine. The files have permission 0400/-r-------- and are owned by root:root.
@DaAwesomeP DaAwesomeP added Bug broken, incorrect, or confusing behavior needs-triage labels Apr 20, 2023
@lkubb
Copy link
Contributor

lkubb commented Apr 20, 2023

The Salt master does not not run as root anymore, see the release notes:

https://docs.saltproject.io/en/latest/topics/releases/3006.0.html#linux-packaging-salt-master-salt-user-and-group

@DaAwesomeP
Copy link
Contributor Author

Ah, well that was half of it. I moved them to a directory owned by root and readable by the new salt user.

Now I am getting an error probably because the salt user doesn't have a home directory it also doesn't have a known_hosts file or a place to create one:

[ERROR   ] Error occurred fetching gitfs remote 'ssh://[email protected]/myorg/mysalt.git': error loading known_hosts:
Traceback (most recent call last):
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/gitfs.py", line 1870, in _fetch
    fetch_results = origin.fetch(**fetch_kwargs)
  File "/opt/saltstack/salt/extras-3.10/pygit2/remote.py", line 146, in fetch
    payload.check_error(err)
  File "/opt/saltstack/salt/extras-3.10/pygit2/callbacks.py", line 98, in check_error
    check_error(error_code)
  File "/opt/saltstack/salt/extras-3.10/pygit2/errors.py", line 65, in check_error
    raise GitError(message)
_pygit2.GitError: error loading known_hosts:

The known_hosts functionality should probably be disabled or a specific path should be chosen for it.

@DaAwesomeP DaAwesomeP changed the title [BUG] gitfs cannot find public keys after upgrading to 3006.0 [BUG] gitfs known_hosts error from no home folder for salt user in 3006.0 Apr 21, 2023
@DaAwesomeP DaAwesomeP changed the title [BUG] gitfs known_hosts error from no home folder for salt user in 3006.0 [BUG] gitfs known_hosts error for salt user in 3006.0 Apr 21, 2023
@DaAwesomeP
Copy link
Contributor Author

DaAwesomeP commented Apr 21, 2023
edited
Loading

I stand corrected, there is a home directory assigned to it at the default /home/salt. I do find this odd since it is a system user. Often (at least on Debian) system users do not have home folders or they are put somewhere else like /var (at least this is what I have found).

EDIT: See #64141

@DaAwesomeP
Copy link
Contributor Author

DaAwesomeP commented Apr 21, 2023
edited
Loading

Running sudo -u salt ssh github.com and accepting the host does not appear to resolve the issue. I also tried sudo -u salt bash -c "ssh-keyscan github.com >> ~/.ssh/known_hosts" and salt [MASTER_ID] ssh.set_known_host user=salt hostname=github.com.

I verified that the /home/salt/.ssh/known_hosts file existed and contained some contents after running these commands.

@DaAwesomeP
Copy link
Contributor Author

OK, I found a version inconsistency that may make dealing this this quite horrible:

  • Debian 11 stable (Bullseye) includes libgit2 v1.1.0 in the libgit2-1.1 package
  • Saltstack uses Python 3.10 in onedir in 3006.0
  • pygit2 versions v1.4 through v1.6 support libgit2 v1.1
  • pygit2 versions v1.4 through v1.6 only support Python 3.6 through 3.9
  • pygit versions v1.7 through v1.8 are the first to support Python 3.10 and onward, but these only support libgit2 v1.3 and onward
  • See https://www.pygit2.org/install.html#version-numbers

So it seems you have to pick libgit2 compatibility or Python 3.10 compatibility or build libgit2 from source?

Was gitfs on Debian stable tested as a part of the 3006.0 release? I'm sure this is a very common configuration. If not, how can we be sure this sort of thing is tested going forward? I imagine this is also a mess on RHEL 6 and other older stable platforms.

@DaAwesomeP
Copy link
Contributor Author

DaAwesomeP commented Apr 21, 2023
edited
Loading

I tried salt-pip install 'pygit2>=1.4,<1.7' but since there is no wheel available for pygit2 v1.6.1 with Python 3.10 it has to build the wheel on install. This effectively requires installing build-essential on the machine (not a solution for production machines) or building the wheel offline.

I also tried salt-pip install 'pygit2>=1.7,<1.9' but this resulted in pip warning of many linked library versions not available on Debian 11, and the known_hosts issue persisted.

I will try building the wheel separately and see if pygit2 v1.6.1 works with Python 3.10, but this is clearly not supported by the pygit2 developers and would be a temporary workaround.

I see why Salt moved to Python 3.10 but I'm sure this is not the only package version inconsistency that will be found on other stable/LTS distros.

@DaAwesomeP
Copy link
Contributor Author

Another workaround: Since Salstack still support Python 3.9 just fine and Debian 11 packages are built around Python 3.9 as the latest available version, then the Salt packages could use Python 3.9 on Debian 11.

@OrangeDog
Copy link
Contributor

you have to pick libgit2 compatibility or Python 3.10 compatibility or build libgit2 from source?

No, you have to install pygit2 via wheel: salt-pip install --only-binary=:all: pygit2

The system package of libgit2 does not usually work, as it doesn't have SSH support included.

@DaAwesomeP
Copy link
Contributor Author

DaAwesomeP commented Apr 24, 2023
edited
Loading

@OrangeDog To try that out I removed salt, wiped the Python 3.10 and package folders to start afresh, and reinstalled. Pip installs pygit2 but it complains of missing libssl, libcrypto, libpcre, and libssh2 presumably because the versions that the libgit2 bundled with pygit2 v1.12 relies on are not available in Debian 11.

I have verified that package libssh2-1 is installed which should provide libssh2.so.1.0.1 is installed on the system. It seems in Debian 11 libcrypto.so.3 should really link to libmbedcrypto.so.3 from the libmbedcrypto3 package or just libssl3 is not available on Debian 11. I stopped checking the rest

Given that it can't find libssh2.so.1.0.1, is the issue really that all of these are missing from /opt/saltstack/salt/lib/ and not from the system?

# uninstall 3006
$ rm -rf /opt/saltstack/salt/lib/python3.10 /opt/saltstack/salt/extras-3.10
# install 3006
$ salt-pip install --only-binary=:all: pygit2
Collecting pygit2
  Using cached pygit2-1.12.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.9 MB)
Collecting cffi>=1.9.1
  Using cached cffi-1.15.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (441 kB)
Collecting pycparser
  Using cached pycparser-2.21-py2.py3-none-any.whl (118 kB)
Installing collected packages: pycparser, cffi, pygit2
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/_cffi_backend.cpython-310-x86_64-linux-gnu.so
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libcrypto-1b9ded14.so.3
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libpcre-9513aab5.so.1.2.0 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libssh2-3ed487a7.so.1.0.1 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libpcre-9513aab5.so.1.2.0
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssl-d3387b0f.so.3
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssl-d3387b0f.so.3
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libgit2-dc37b70b.so.1.6.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libcrypto-1b9ded14.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2/_libgit2.abi3.so
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libgit2-dc37b70b.so.1.6.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libcrypto-1b9ded14.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2/_pygit2.cpython-310-x86_64-linux-gnu.so
ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
salt 3006.0 requires cffi==1.14.6, but you have cffi 1.15.1 which is incompatible.
Successfully installed cffi-1.15.1 pycparser-2.21 pygit2-1.12.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
$ systemctl restart salt-master.service

Resulting log:

systemd[1]: Started The Salt Master Server.
salt-master[211397]: [ERROR   ] Error occurred fetching gitfs remote 'ssh://[email protected]/mysalt.git': error loading known_hosts:
salt-master[211397]: Traceback (most recent call last):
salt-master[211397]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/gitfs.py", line 1870, in _fetch
salt-master[211397]:     fetch_results = origin.fetch(**fetch_kwargs)
salt-master[211397]:   File "/opt/saltstack/salt/extras-3.10/pygit2/remote.py", line 146, in fetch
salt-master[211397]:     payload.check_error(err)
salt-master[211397]:   File "/opt/saltstack/salt/extras-3.10/pygit2/callbacks.py", line 98, in check_error
salt-master[211397]:     check_error(error_code)
salt-master[211397]:   File "/opt/saltstack/salt/extras-3.10/pygit2/errors.py", line 65, in check_error
salt-master[211397]:     raise GitError(message)
salt-master[211397]: _pygit2.GitError: error loading known_hosts:

@OrangeDog
Copy link
Contributor

It's not looking for libssh2.so.1.0.1, it's looking for libssh2-3ed487a7.so.1.0.1.
It has unpacked that from the .whl into /tmp, but the onedir environment appears to be blocking it from loading during installation.

@DaAwesomeP DaAwesomeP changed the title [BUG] gitfs known_hosts error for salt user in 3006.0 [BUG] onedir blocks installation of shared libraries for pygit2 gitfs in 3006.0 Apr 24, 2023
@DaAwesomeP
Copy link
Contributor Author

@OrangeDog I see, that makes sense. Has this been observed with any other bundled shared libraries? Is there a workaround?

@dwoz dwoz self-assigned this Apr 24, 2023
@defanator
Copy link
Contributor

defanator commented Apr 25, 2023
edited
Loading

@DaAwesomeP @OrangeDog @dwoz observing the same issue, looking for a workaround.

UPDATE: it seems to work for me with pygit2==1.7.0:

$ salt-pip install --only-binary=:all: --no-deps pygit2==1.7.0
[..]
$ salt-pip show pygit2
Name: pygit2
Version: 1.7.0
Summary: Python bindings for libgit2.
Home-page: http://github.com/libgit2/pygit2
Author: 
Author-email: 
License: GPLv2 with linking exception
Location: /opt/saltstack/salt/extras-3.10
Requires: cffi
Required-by:

Latest version (1.12.0) throws exactly the same error as @DaAwesomeP described in #64121 (comment).

@OrangeDog
Copy link
Contributor

What happens if you update salt's pip to the latest version first?

salt-pip install --upgrade pip

@defanator
Copy link
Contributor

What happens if you update salt's pip to the latest version first?

Just reinstalled everything on master from scratch and did this:

$ salt-pip install --upgrade pip
Collecting pip
  Downloading pip-23.1.1-py3-none-any.whl (2.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 32.6 MB/s eta 0:00:00
Installing collected packages: pip
Successfully installed pip-23.1.1
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip available: 22.3.1 -> 23.1.1
[notice] To update, run: /opt/saltstack/salt/bin/python3 -m pip install --upgrade pip

Then installed latest pygit2:

$ salt-pip install --only-binary=:all: --no-deps pygit2
Collecting pygit2
  Using cached pygit2-1.12.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.9 MB)
Installing collected packages: pygit2
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libcrypto-1b9ded14.so.3
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libpcre-9513aab5.so.1.2.0 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libssh2-3ed487a7.so.1.0.1 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libpcre-9513aab5.so.1.2.0
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libssl-d3387b0f.so.3
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libssl-d3387b0f.so.3
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libgit2-dc37b70b.so.1.6.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libcrypto-1b9ded14.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2/_libgit2.abi3.so
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libgit2-dc37b70b.so.1.6.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libcrypto-1b9ded14.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2/_pygit2.cpython-310-x86_64-linux-gnu.so
Successfully installed pygit2-1.12.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

Started salt-master service and got this:

2023-04-25 08:43:49,729 [salt.cli.daemons :83  ][INFO    ][325483] Setting up the Salt Master
2023-04-25 08:43:49,892 [salt.daemons.masterapi:221 ][INFO    ][325483] Preparing the salt key for local communication
2023-04-25 08:43:49,893 [salt.daemons.masterapi:221 ][INFO    ][325483] Preparing the root key for local communication
2023-04-25 08:43:49,898 [salt.cli.daemons :83  ][INFO    ][325483] Starting up the Salt Master
2023-04-25 08:43:49,930 [salt.utils.gitfs :2796][INFO    ][325483] Wrote new gitfs remote map to /var/cache/salt/master/gitfs/remote_map.txt
2023-04-25 08:43:49,930 [salt.master      :690 ][INFO    ][325483] salt-master is starting as user 'salt'
2023-04-25 08:43:49,931 [salt.master      :559 ][INFO    ][325483] Current values for max open files soft/hard setting: 100000/100000
2023-04-25 08:43:49,933 [salt.master      :717 ][INFO    ][325483] Creating master process manager
2023-04-25 08:43:49,933 [salt.master      :721 ][INFO    ][325483] Creating master publisher process
2023-04-25 08:43:50,430 [salt.master      :727 ][INFO    ][325483] Creating master event publisher process
2023-04-25 08:43:50,442 [salt.transport.zeromq:744 ][INFO    ][325534] Starting the Salt Publisher on tcp://0.0.0.0:4505
2023-04-25 08:43:50,442 [salt.transport.zeromq:747 ][INFO    ][325534] Starting the Salt Puller on ipc:///var/run/salt/master/publish_pull.ipc
2023-04-25 08:43:50,457 [salt.master      :751 ][INFO    ][325483] Creating master maintenance process
2023-04-25 08:43:50,460 [salt.master      :790 ][INFO    ][325483] Creating master request server process
2023-04-25 08:43:50,516 [salt.transport.zeromq:328 ][INFO    ][325541] Setting up the master communication server
2023-04-25 08:43:50,516 [salt.transport.zeromq:329 ][INFO    ][325541] ReqServer clients tcp://0.0.0.0:4506
2023-04-25 08:43:50,516 [salt.transport.zeromq:331 ][INFO    ][325541] ReqServer workers ipc:///var/run/salt/master/workers.ipc
2023-04-25 08:43:50,670 [salt.utils.gitfs :1894][ERROR   ][325540] Error occurred fetching gitfs remote '[email protected]:***/***.git': error loading known_hosts: 
Traceback (most recent call last):
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/gitfs.py", line 1870, in _fetch
    fetch_results = origin.fetch(**fetch_kwargs)
  File "/opt/saltstack/salt/extras-3.10/pygit2/remote.py", line 146, in fetch
    payload.check_error(err)
  File "/opt/saltstack/salt/extras-3.10/pygit2/callbacks.py", line 98, in check_error
    check_error(error_code)
  File "/opt/saltstack/salt/extras-3.10/pygit2/errors.py", line 65, in check_error
    raise GitError(message)
_pygit2.GitError: error loading known_hosts:

Stopped salt-master, installed pygit2==1.7.0:

$ salt-pip install --only-binary=:all: --no-deps --upgrade pygit2==1.7.0
Collecting pygit2==1.7.0
  Using cached pygit2-1.7.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.6 MB)
Installing collected packages: pygit2
  WARNING: Unable to find library libpcre-9513aab5.so.1.2.0 linked from /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libgit2-c59d94c5.so.1.3.0
  WARNING: Unable to find library libpcreposix-7b9c3045.so.0.0.1 linked from /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libgit2-c59d94c5.so.1.3.0
  WARNING: Unable to find library libssh2-cd9fe4aa.so.1.0.1 linked from /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libgit2-c59d94c5.so.1.3.0
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libgit2-c59d94c5.so.1.3.0
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libpcre-9513aab5.so.1.2.0
  WARNING: Unable to find library libpcre-9513aab5.so.1.2.0 linked from /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libpcreposix-7b9c3045.so.0.0.1
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libpcreposix-7b9c3045.so.0.0.1
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libssh2-cd9fe4aa.so.1.0.1
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libgit2-c59d94c5.so.1.3.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libpcreposix-7b9c3045.so.0.0.1 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libssh2-cd9fe4aa.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2/_libgit2.abi3.so
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libgit2-c59d94c5.so.1.3.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libpcreposix-7b9c3045.so.0.0.1 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libssh2-cd9fe4aa.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2/_pygit2.cpython-310-x86_64-linux-gnu.so
Successfully installed pygit2-1.7.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

Started salt-master again, got remote repositories cloned in /var/cache/salt/master/gitfs, no errors in log.

(This is on Debian 11 "bullseye" amd64.)

@DaAwesomeP
Copy link
Contributor Author

I can confirm that salt-pip install --only-binary=:all: --no-deps --upgrade pygit2==1.7.0 works for me as well. Thanks @defanator for finding that workaround! It seems that the shared library dependencies differ slightly between the latest version and v1.7.0.

@dwoz
Copy link
Contributor

dwoz commented Apr 25, 2023

For what it's worth. We are expecting that people will want to install from source and use the system's libraries. For pygit2 I did this:

apt-get install -y build-essential libssh2-1-dev libgit2-dev libffi-dev
sudo -u salt salt-pip install cffi==1.14.6 pygit2==1.6.1 --no-binary=':all:'

As far as --only-binary with --no-deps goes, I am concerned that the cffi version may actually matter. I'm not sure though, if it's working for you then it's probably okay. That being said, it looks like cffi didn't start packaging wheels until 1.15.x. If you want to use the newest version of pygit2 and not conflict on dependencies then you'll need to let pip compile cffi.

apt-get install -y build-essential libffi-dev
sudo -u salt salt-pip install cffi==1.14.6 pygit2 --only-binary='pygit2'

@dwoz dwoz removed the needs-triage label Apr 25, 2023
@DaAwesomeP
Copy link
Contributor Author

It sounds like additional bundled shared libraries in wheels may have some issue with onedir, but there must be something particular since pygit2 v1.7.0 works fine but pygit2 v1.12.0 does not. I'm sure this issue will come up again at some point with this package or another. Locking into an older version (either v1.6.1 or v1.7.0 via wheel or source) seems more like a workaround.

For what it's worth. We are expecting that people will want to install from source and use the system's libraries.

I have had a lot of trouble with Python packages built from source across different systems, particularly with Salstack. Using the wheels/bundled libraries with pygit2 solves a lot of portability issues across many systems where the libgit2 could be really any version and the Python version included in onedir will increment as time goes on. More and more Python packages with bindings are bundling their dependencies so that they are consistent across platforms and independent from OS source versions. Having to install dependencies and compile the modules on each machine seems counter to onedir making salt more portable/consistent across installations.

Building from source on Debian 11 uses a now quite old libgit2 that does not support newer SSH keys. The workaround for this is to use the pygit2 wheel (which became always the case with onedir prior to 3006). See #61790.

Also, pygit2 v1.6.1 does not officially support Python 3.10: https://www.pygit2.org/install.html#version-numbers (so again the ability to install the latest version via wheel is much more future-proofed).

I am concerned that the cffi version may actually matter. I'm not sure though, if it's working for you then it's probably okay.

I have observed cffi version mismatches when installing additional packages alongside Salt for a while now. So far no issues (I have tried both installing the later version and keeping the older version), but it would be great if Salt updated that dependency. There are other additional packages too that rely on different cffi versions.

@OrangeDog
Copy link
Contributor

people will want to install from source and use the system's libraries

In general, no. That's a big burden that many people really want to avoid (to the extent that they won't upgrade to onedir because of it). Especially for pygit2 because it usually also means you have to rebuild libgit2 from source as well.

Your build probably won't work. See #58898.

@dwoz
Copy link
Contributor

dwoz commented May 6, 2023
edited
Loading

@DaAwesomeP Can you please test using pygit2==1.12.0 with salt 3006.1 ?

@DaAwesomeP
Copy link
Contributor Author

DaAwesomeP commented May 13, 2023
edited
Loading

@dwoz I'm not able to test this out on the same Debian machine at the moment (maybe next week or week after), but I did try it out on a RHEL8 machine. No luck unfortunately.

Salt Version:
          Salt: 3006.1
 
Python Version:
        Python: 3.10.11 (main, May  5 2023, 02:31:54) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.14.6
      cherrypy: unknown
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.2
       libgit2: 1.6.4
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.9.8
        pygit2: 1.12.1
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 23.2.0
        relenv: 0.12.3
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: rhel 8.7 Ootpa
        locale: utf-8
       machine: x86_64
       release: 4.18.0-425.13.1.el8_7.x86_64
        system: Linux
       version: Red Hat Enterprise Linux 8.7 Ootpa

salt-pip install --only-binary=:all: --no-deps pygit2
Looking in indexes: https://REDACTED/pypi/root/pypi/+simple
Collecting pygit2
  Downloading https://REDACTED/pypi/root/pypi/%2Bf/ad9/b46b52997d131/pygit2-1.12.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.9 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.9/4.9 MB 37.5 MB/s eta 0:00:00
Installing collected packages: pygit2
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2.libs/libcrypto-8ee4585d.so.3
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libgit2-a4ba6c4f.so.1.6.4
  WARNING: Unable to find library libcrypto-8ee4585d.so.3 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libgit2-a4ba6c4f.so.1.6.4
  WARNING: Unable to find library libpcre-9513aab5.so.1.2.0 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libgit2-a4ba6c4f.so.1.6.4
  WARNING: Unable to find library libssh2-3ed487a7.so.1.0.1 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libgit2-a4ba6c4f.so.1.6.4
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2.libs/libgit2-a4ba6c4f.so.1.6.4
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2.libs/libpcre-9513aab5.so.1.2.0
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-8ee4585d.so.3 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-8ee4585d.so.3 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libssl-d3387b0f.so.3
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2.libs/libssl-d3387b0f.so.3
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libgit2-a4ba6c4f.so.1.6.4 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libcrypto-8ee4585d.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2/_libgit2.abi3.so
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libgit2-a4ba6c4f.so.1.6.4 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libcrypto-8ee4585d.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2/_pygit2.cpython-310-x86_64-linux-gnu.so
Successfully installed pygit2-1.12.1
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip available: 22.3.1 -> 23.1.2
[notice] To update, run: /opt/saltstack/salt/bin/python3.10 -m pip install --upgrade pip

systemd[1]: Starting The Salt Master Server...
systemd[1]: Started The Salt Master Server.
salt-master[1704165]: [ERROR   ] Error occurred fetching gitfs remote 'ssh://git@REDACTED/REDACTED/REDACTED.git': error loading known_hosts:
salt-master[1704165]: Traceback (most recent call last):
salt-master[1704165]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/gitfs.py", line 1870, in _fetch
salt-master[1704165]:     fetch_results = origin.fetch(**fetch_kwargs)
salt-master[1704165]:   File "/opt/saltstack/salt/extras-3.10/pygit2/remote.py", line 146, in fetch
salt-master[1704165]:     payload.check_error(err)
salt-master[1704165]:   File "/opt/saltstack/salt/extras-3.10/pygit2/callbacks.py", line 98, in check_error
salt-master[1704165]:     check_error(error_code)
salt-master[1704165]:   File "/opt/saltstack/salt/extras-3.10/pygit2/errors.py", line 65, in check_error
salt-master[1704165]:     raise GitError(message)
salt-master[1704165]: _pygit2.GitError: error loading known_hosts:
salt-master[1704163]: [ERROR   ] Error occurred fetching git_pillar remote 'main ssh://git@REDACTED/REDACTED/REDACTED.git': error loading known_hosts:
salt-master[1704163]: Traceback (most recent call last):
salt-master[1704163]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/gitfs.py", line 1870, in _fetch
salt-master[1704163]:     fetch_results = origin.fetch(**fetch_kwargs)
salt-master[1704163]:   File "/opt/saltstack/salt/extras-3.10/pygit2/remote.py", line 146, in fetch
salt-master[1704163]:     payload.check_error(err)
salt-master[1704163]:   File "/opt/saltstack/salt/extras-3.10/pygit2/callbacks.py", line 98, in check_error
salt-master[1704163]:     check_error(error_code)
salt-master[1704163]:   File "/opt/saltstack/salt/extras-3.10/pygit2/errors.py", line 65, in check_error
salt-master[1704163]:     raise GitError(message)
salt-master[1704163]: _pygit2.GitError: error loading known_hosts:

@OrangeDog OrangeDog added Regression The issue is a bug that breaks functionality known to work in previous releases. dependency underlying Salt dependency issue Sulfur v3006.0 release code name and version labels May 13, 2023
@dwoz
Copy link
Contributor

dwoz commented May 26, 2023

We can modify check_user to set HOME even if the key is not in os.environ and add a call to check_user before importing salt.master here:

https://github.com/saltstack/salt/blob/master/salt/cli/daemons.py#L182

@damon-atkins
Copy link
Contributor

We can modify check_user to set HOME even if the key is not in os.environ and add a call to check_user before importing salt.master here:

https://github.com/saltstack/salt/blob/master/salt/cli/daemons.py#L182

def check_user(user):  # bad name of this function, as it checks and also changes things if the check fails
    """
    Check user and assign process uid/gid.
    """
    if salt.utils.platform.is_windows():
        return True
    if user == salt.utils.user.get_user():
        return True
.................
        if "HOME" in os.environ:      # Does it make it down to this line of code
            os.environ["HOME"] = pwuser.pw_dir

@dukhat2259 dukhat2259 mentioned this issue Jun 20, 2023
Closed
9 tasks
This was referenced Jun 20, 2023
Closed
Merged
@grandmotivator grandmotivator mentioned this issue Jul 21, 2023
Open
@ipaqmaster
Copy link
Contributor

_pygit2.GitError: error loading known_hosts: seems to go away and my gitfs definitions started working on Archlinux after adding WorkingDirectory=~ in the [Service] section of /usr/lib/systemd/system/salt-master.service.

I don't think Arch is using the onedir solution nor the salt user account yet. It seems to be running as root and has pieces of itself all over the filesystem on the master.

@howbazaar
Copy link

Spent a few days chasing this in our project too and what I found was that pygit2 seems to determine the HOME during package load, and not inside the function call itself. Perhaps this helps you with the issue.

@network-shark
Copy link
Contributor

Would it possible to fix it in 3006.4 ? I guess, a lot of people using git with salt.

@MartinEmrich
Copy link

After upgrading on the good ol' CentOS 7 from 3005 to 3006.3, I also ran into this issue.

salt-pip install --only-binary :all: --no-deps "pygit2==1.7.0" gave me a working pygit2.

Here and there, it is mentioned that Salt-Master now runs as non-root, but this was not the case here; it still runs as root just as before.

But the HOME environment variable was indeed missing. Adding this to my /usr/lib/systemd/system/salt-master.service fixed it for me:

User=root
Environment=HOME=/root

@jzandbergen
Copy link
Contributor

jzandbergen commented Oct 12, 2023
edited
Loading

Thanks to @MartinEmrich i've got it working on AlmaLinux 8.8 and salt-master 3006.3. In my case the steps to take where:

  • salt-pip install pygit2
  • mkdir /opt/saltstack/salt/.ssh and place the known_hosts file inside this directory.
  • chown -Rv salt:salt /opt/saltstack/salt/.ssh
  • systemctl edit salt-master and enter:
[Service]
Environment="HOME=/opt/saltstack/salt"
  • systemctl restart salt-master

@OrangeDog
Copy link
Contributor

To sum up, this seems to have been two separate issues.

  • The onedir installation problem, which I think has been fixed?
  • The service environment problem, which has nothing to do with onedir, and has not been

The latter problem appears to be dependent on the version of pygit2, and affects all versions of Salt.

@DaAwesomeP
Copy link
Contributor Author

DaAwesomeP commented Nov 2, 2023
edited
Loading

  • The onedir installation problem, which I think has been fixed?

Yesterday I did a fresh install of 3006.4 on Debian 12 (using packages from Debian 11) and was able to get it to install with: salt-pip install --only-binary :all: --no-deps pygit2. It is very possible/likely this still doesn't work on Debian 11 though (have not tested recently). The --no-deps option is definitely necessary or pip will mess with cffi and others. If people aren't seeing this issue again then it may be resolved, but I am suspect that this was due to Salt/pygit2/OS releases and not handled intentionally (which is fine but we should understand why). EDIT: I think maybe I have confused myself here and there never was an install issue and only was the env issue? I'm not sure.

  • The service environment problem, which has nothing to do with onedir, and has not been

Yes, I am currently solving this with a Systemd unit modifier in /etc/systemd/system/salt-master.service.d/99-pygit2-fix.conf:

[Service]
WorkingDirectory=~

Note that I am using ~ which seems to work and is maybe most future-proof. I did not need to create a known_hosts or adjust any permissions.

If the install-specific parts in this issue have been resolved then we should also turn our attention to:

@OrangeDog
Copy link
Contributor

there never was an install issue

I definitely had library load issues when installing wheels the last time I tested onedir.

I am currently solving this with a Systemd unit modifier

Similarly, this one fixes 3004.2, and probably any classic packaging running as root.

[Service]
Environment=HOME=/root

@NdK73
Copy link

NdK73 commented Jan 26, 2024

Seems I managed to make my 3006.5 (onedir package from repo.saltstack.io on Debian11) to work by:

  • "systemctl edit salt-master" to add
    [Service]
    WorkingDirectory="/opt/saltstack/salt"
    Environment="HOME=/opt/saltstack/salt"
  • verify/change permissions of /opt/saltstack/salt and /var/log/salt (must be writable by 'salt' user)
  • verify permissions on key files (and the path to reach 'em!)
  • install pygit2 with salt-pip install --only-binary :all: --no-deps "pygit2==1.7.0"
  • a lot of praying (to compensate the swearing during the "not working" phase...).

Maybe it's just me, but official docs seems a bit lagging about the onedir package, recommending to install via OS tools (one for all: pip instead of salt-pip)...

@ipaqmaster
Copy link
Contributor

Had to do this again today with a more recent update modified salt-master.service. Original method did not help but this time:

User=root
Environment=HOME=/root

did the trick.

@mdschmitt
Copy link

mdschmitt commented Jan 31, 2024
edited
Loading

Seems I managed to make my 3006.5 (onedir package from repo.saltstack.io on Debian11) to work by:

  • "systemctl edit salt-master" to add
    [Service]
    WorkingDirectory="/opt/saltstack/salt"
    Environment="HOME=/opt/saltstack/salt"
  • verify/change permissions of /opt/saltstack/salt and /var/log/salt (must be writable by 'salt' user)
  • verify permissions on key files (and the path to reach 'em!)
  • install pygit2 with salt-pip install --only-binary :all: --no-deps "pygit2==1.7.0"
  • a lot of praying (to compensate the swearing during the "not working" phase...).

Maybe it's just me, but official docs seems a bit lagging about the onedir package, recommending to install via OS tools (one for all: pip instead of salt-pip)...

I was able to get it going even without pinning to 1.7.0.
I'm running 1.14.0 of pygit2 and so long as the systemd service edit and permissions updates you mentioned are in place, it just works ™️ (for me, at least).

@Darkentik
Copy link

Darkentik commented Feb 16, 2024
edited
Loading

Thanks to @MartinEmrich i've got it working on AlmaLinux 8.8 and salt-master 3006.3. In my case the steps to take where:

* `salt-pip install pygit2`

* `mkdir /opt/saltstack/salt/.ssh` and place the `known_hosts` file inside this directory.

* `chown -Rv salt:salt /opt/saltstack/salt/.ssh`

* `systemctl edit salt-master` and enter:

[Service]
Enironment="HOME=/opt/saltstack/salt"

* `systemctl restart salt-master`

This saves me now a lot of pain!
Thanks for the workaround.
I have now added a state into the installation of the salt-master as a salt-minion of himself. :)
For the debian users we have do to a systemctl daemon-reload after editing a service unit. ;)

i am using pygit2 from salt-pip:

upgrade all installed pip packages:
  pip.installed:
    - name: pip
    - upgrade: True

install gitpython with salt-pip for onedir:
  pip.installed:
    - name: pygit2

My code:

#####################################################################################
# workaround while pygit2 + onedir installation not working properly with using system user salt
# https://github.com/saltstack/salt/issues/64121#issuecomment-1758999821
add fix for pygit2 with onedir in service unit file of salt:
  file.managed:
    - name: /usr/lib/systemd/system/salt-master.service.d/99-pygit2-fix.conf
    - source: salt://salt/files/master/99-pygit2-fix.conf
    - watch_in:
      - service: service-saltmaster
    - require:
      - pkg: saltmaster-packages

reload systemd after managing saltmaster unit with pygit2 fix file:
  cmd.run:
    - name: systemctl daemon-reload
#####################################################################################

I am very sad that saltstack do not have a "one shoot" solution for debian users and we must do such a lot of "workarounds" while using salt-master with a git repo and ssh. :(

@st-claude
Copy link

st-claude commented Feb 21, 2024
edited
Loading

for me in centos 7 a workaround that worked was downgrading pygit2 to 1.10.1

/opt/saltstack/salt/bin/python3.10 -m pip install pygit2==1.10.*

and restarting the salt-master of course

@jamest-pin
Copy link

jamest-pin commented Mar 27, 2024
edited
Loading

EDIT: apologies, my error was not the same as what's listed in this thread.
For anyone finding my response via google, my solution was adding apt install -y patchelf and apt install python3-pip above salt-pip install pygit2

I started having this same problem when installing fresh in Ubuntu 22.04. I didn't have this issue last year when I was working on this last.

I'm using literally the exact same dockerfile I was previously using, nothing has changed.

```logs
 > [salt 6/7] RUN salt-pip install pygit2:
0.985 Collecting pygit2
1.674   Downloading pygit2-1.14.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.metadata (3.4 kB)
1.774 Requirement already satisfied: cffi>=1.16.0 in /opt/saltstack/salt/lib/python3.10/site-packages (from pygit2) (1.16.0)
1.774 Requirement already satisfied: pycparser in /opt/saltstack/salt/lib/python3.10/site-packages (from cffi>=1.16.0->pygit2) (2.21)
1.788 Downloading pygit2-1.14.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (4.8 MB)
2.013    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.8/4.8 MB 21.6 MB/s eta 0:00:00
2.197 Installing collected packages: pygit2
2.370   Do not adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2.libs/libcrypto-7f4a96b6.so.3
2.376   WARNING: Unable to find library libssl-3fd7af83.so.3 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.376   WARNING: Unable to find library libcrypto-7f4a96b6.so.3 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.376   WARNING: Unable to find library libpcre-6b975b27.so.1.2.0 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.377   WARNING: Unable to find library libssh2-42ae10f7.so.1.0.1 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.377   Do not adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.381   Do not adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2.libs/libpcre-6b975b27.so.1.2.0
2.386   WARNING: Unable to find library libssl-3fd7af83.so.3 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libssh2-42ae10f7.so.1.0.1
2.386   WARNING: Unable to find library libcrypto-7f4a96b6.so.3 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libssh2-42ae10f7.so.1.0.1
2.386   Do not adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2.libs/libssh2-42ae10f7.so.1.0.1
2.390   WARNING: Unable to find library libcrypto-7f4a96b6.so.3 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libssl-3fd7af83.so.3
2.390   Do not adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2.libs/libssl-3fd7af83.so.3
2.395   File already within root directory: /opt/saltstack/salt/extras-3.10/pygit2/../pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.395   File already within root directory: /opt/saltstack/salt/extras-3.10/pygit2/../pygit2.libs/libssl-3fd7af83.so.3
2.395   File already within root directory: /opt/saltstack/salt/extras-3.10/pygit2/../pygit2.libs/libcrypto-7f4a96b6.so.3
2.396   File already within root directory: /opt/saltstack/salt/extras-3.10/pygit2/../pygit2.libs/libpcre-6b975b27.so.1.2.0
2.396   File already within root directory: /opt/saltstack/salt/extras-3.10/pygit2/../pygit2.libs/libssh2-42ae10f7.so.1.0.1
2.396   Adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2/_libgit2.abi3.so to $ORIGIN/../../lib
2.397 ERROR: Could not install packages due to an OSError: [Errno 2] No such file or directory: 'readelf'
2.397
2.481
2.481 [notice] A new release of pip is available: 23.3.2 -> 24.0
2.481 [notice] To update, run: /opt/saltstack/salt/bin/python3.10 -m pip install --upgrade pip
------
failed to solve: process "/bin/sh -c salt-pip install pygit2" did not complete successfully: exit code: 1
```

@whytewolf
Copy link
Collaborator

@jamest-pin you need to install readelf and also maybe patchelf into the operating system. these should be installed through your normal package manager.

@jamest-pin
Copy link

jamest-pin commented Mar 28, 2024
edited
Loading

Thanks @whytewolf that's what I ended up doing, although readelf is not an available package according to apt, only patchelf. But installing python3-pip seemed to include readelf.

@OrangeDog
Copy link
Contributor

readelf is in the binutils package for Ubuntu.

@DaAwesomeP
Copy link
Contributor Author

@mazhenyong1 see this comment: #64121 (comment). All you need is the Systemd modifier and ensure that the salt user can read your SSH keys wherever you put them (they don't necessarily need to be in salt's home and you don't need to make a home dir).

@BeehiveSystems
Copy link

BeehiveSystems commented May 21, 2024
edited
Loading

Running sudo -u salt ssh github.com and accepting the host does not appear to resolve the issue. I also tried sudo -u salt bash -c "ssh-keyscan github.com >> ~/.ssh/known_hosts" and salt [MASTER_ID] ssh.set_known_host user=salt hostname=github.com.

I verified that the /home/salt/.ssh/known_hosts file existed and contained some contents after running these commands.

To piggyback this, Salt 3006.8 on Rocky Linux 9 does not have a home directory created for the Salt user. I installed with the bootstrap method.

The SystemD environment solution mentioned above resolved it for me as well.

@MartinEmrich
Copy link

MartinEmrich commented May 23, 2024
edited
Loading

My workaround with pygit==1.7.0 is now starting to rot for me, too:

It uses an ancient version of libgit2, which does not (yet) support non-RSA host keys: libgit2/pygit2#552 (comment)

After trying literally all versions after 1.9.0 of pygit2, I am stuck now. All up to and including 1.10.1 will refuse to connect to our new Git server without RSA host key. The next ist 1.11.1, which will bail out with the missing known_hosts file :(

Using the latest 1.15.x will produce lots of errors in the Salt Master log.
Using 1.12.2 works now, but only after adding Environment=HOME=/root to the systemd unit and populating the known_hosts file.

@kquinsland kquinsland mentioned this issue Jan 16, 2025
Open
9 tasks
@vitotafuni
Copy link

iusse still there on 3006.9
the only working solution at the moment is to apply a patch on every upgrade to add

[Service]
WorkingDirectory=~

@meaksh meaksh linked a pull request Jan 22, 2025 that will close this issue
Open
3 tasks
@OrangeDog
Copy link
Contributor

@vitotafuni no, you should be using a drop-in (e.g. via systemctl edit) so there is no need to re-patch every upgrade.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dwoz dwoz

Labels
Bug broken, incorrect, or confusing behavior dependency underlying Salt dependency issue Regression The issue is a bug that breaks functionality known to work in previous releases. Sulfur v3006.0 release code name and version
Projects
None yet
Milestone
No milestone