salt: [RC1 Sodium] salt fails on macOS Catalina, due to loading unversioned /usr/lib/libcrypto.dylib

Description of Issue

salt crashes on macOS Catalina (10.15). I find out that the problem happens on loading /usr/lib/libcrypto.dylib library (https://github.com/saltstack/salt/blob/v2019.2.1/salt/utils/rsax931.py#L57). There is a similar issue with another python library: https://github.com/wbond/asn1crypto/issues/158

Setup

Steps to Reproduce Issue

Install salt to macOS Catalina (10.15) via pip or brew
Then run salt --version, it will crash with Abort trap: 6

Versions Report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

$ python3 --version
Python 3.7.4

$ python3 -m pip install salt
Processing /Users/bayandin/Library/Caches/pip/wheels/2d/98/b0/95c23563552c50dc3349e24745f755fdfb63201bcc4602e988/salt-2019.2.1-cp37-none-any.whl
Requirement already satisfied: msgpack!=0.5.5,>=0.5 in /usr/local/lib/python3.7/site-packages (from salt) (0.5.6)
Requirement already satisfied: PyYAML<5.1 in /usr/local/lib/python3.7/site-packages (from salt) (3.13)
Requirement already satisfied: tornado<5.0,>=4.2.1 in /usr/local/lib/python3.7/site-packages (from salt) (4.5.3)
Requirement already satisfied: MarkupSafe in /usr/local/lib/python3.7/site-packages (from salt) (1.1.1)
Requirement already satisfied: pycrypto>=2.6.1 in /usr/local/lib/python3.7/site-packages (from salt) (2.6.1)
Requirement already satisfied: pyzmq>=2.2.0 in /usr/local/lib/python3.7/site-packages (from salt) (18.1.0)
Requirement already satisfied: requests>=1.0.0 in /usr/local/lib/python3.7/site-packages (from salt) (2.22.0)
Requirement already satisfied: Jinja2 in /usr/local/lib/python3.7/site-packages (from salt) (2.10.3)
Requirement already satisfied: idna<2.9,>=2.5 in /usr/local/lib/python3.7/site-packages (from requests>=1.0.0->salt) (2.8)
Requirement already satisfied: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in /usr/local/lib/python3.7/site-packages (from requests>=1.0.0->salt) (1.25.6)
Requirement already satisfied: certifi>=2017.4.17 in /usr/local/lib/python3.7/site-packages (from requests>=1.0.0->salt) (2019.9.11)
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /usr/local/lib/python3.7/site-packages (from requests>=1.0.0->salt) (3.0.4)
Installing collected packages: salt
Successfully installed salt-2019.2.1

About this issue

Original URL
State: closed
Created 5 years ago
Comments: 40 (15 by maintainers)

Links to this issue

slskit · PyPI

Commits related to this issue

Properly handle libcrypto library search on macOS. macOS has been steadily moving towards requiring programmers to directly link against the library version they prefer and forbidding linking against... — committed to saltstack/salt by kaorihinata 4 years ago

Most upvoted comments

Workaround that actually worked so far:

brew install openssl
cd /usr/local/lib
ln -s /usr/local/opt/openssl/lib/libssl.dylib libssl.dylib
ln -s /usr/local/opt/openssl/lib/libcrypto.dylib libcrypto.dylib

You might need to use sudo for the link commands, wasn’t needed in my case.

More info

mariusvw on Nov 11, 2019

I’m experiencing the problem with v3000. And that homebrew recipe that I linked is for v3000.

nijotz on Feb 27, 2020

I’m pretty sure this should not be closed. The problem still exists in 2019.2.3

CodingMinds on Feb 12, 2020

I found a workaround here

cd /usr/local/Cellar/openssl/1.0.2t/lib
sudo cp libssl.1.0.0.dylib libcrypto.1.0.0.dylib /usr/local/lib/
cd /usr/local/lib
sudo ln -s libssl.1.0.0.dylib libssl.dylib
sudo ln -s libcrypto.1.0.0.dylib libcrypto.dylib

Basically it appears that asn1crypto is using unversioned crypto libs or something? And Catalina says that’s not allowed.

It looks like newer asn1crypto fixes this though? https://github.com/pyca/pyopenssl/issues/874

waynew on Jan 2, 2020

@almoore I see. I suppose that’s about what we can expect from them. I’ll create a Pull Request right now so that we can be done with this.

(Edit: I forgot to mention that the reason my solution is more complex is because I install salt from pip to avoid Homebrew’s “fixes”. My snippet will use Apple’s installed OpenSSL libraries without complaint, and as can be seen in the function below _load_libcrypto (specifically, _init_libcrypto), salt still supports pre-1.1 OpenSSL, so unless the salt maintainers themselves say otherwise, I see no reason to specifically hard code just the 1.1 dylibs. If Homebrew wants to force the use of their own dylibs, then they’re more than welcome to do that after this.)

kaorihinata on Apr 29, 2020

Thank you for updating this issue. It is no longer marked as stale.

stale[bot] on Feb 28, 2020

I locally modified the patch to result into

    elif sys.platform == 'darwin':
      return cdll.LoadLibrary('/usr/local/opt/openssl@1.1/lib/libcrypto.dylib')
    else:
        lib = find_library('crypto')

Which still isn’t ideal, but works for now.

jhass on Mar 18, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

stale[bot] on Feb 1, 2020

@bayandin I’ve installed saltstack and openssl using brew

➜  ~ salt --version
salt 2019.2.2 (Fluorine)
➜  ~ brew list | grep openssl
openssl@1.1

I’ve tryed to create symlinks https://github.com/saltstack/salt/issues/55084#issuecomment-552510505 but it hasn’t worked.

sromanenko on Dec 5, 2019

@jpmckinney we welcome a Homebrew pull request to update to the latest version!

fxcoudert on Oct 28, 2019

After doing pip install salt salt-ssh I can run salt and salt-ssh commands without the ‘abort trap 6’. Homebrew installs 2019.2.1_1, whereas with pip I installed 2019.2.2, so perhaps the latest version fixes the abort issue?

jpmckinney on Oct 27, 2019