salt: [salt-ssh] will fail when targeting Ubuntu<15 from CentOS
Description of Issue/Question
The thin shipped to the target will contain the python-tornado=4.2.1 module, however the source code differs between Ubuntu and CentOS. This results in salt-call from the thin failing completely on the target machine.
root@ubuntu:/var/tmp/.vagrant_5c782e_salt# python salt-call
Traceback (most recent call last):
File "salt-call", line 15, in <module>
salt_call()
File "py2/salt/scripts.py", line 374, in salt_call
import salt.cli.call
File "py2/salt/cli/call.py", line 9, in <module>
import salt.cli.caller
File "py2/salt/cli/caller.py", line 18, in <module>
import salt.loader
File "py2/salt/loader.py", line 29, in <module>
import salt.utils.event
File "py2/salt/utils/event.py", line 68, in <module>
import tornado.iostream
File "py2/tornado/iostream.py", line 39, in <module>
from tornado.netutil import ssl_wrap_socket, ssl_match_hostname, SSLCertificateError, _client_ssl_defaults, _server_ssl_defaults
File "py2/tornado/netutil.py", line 38, in <module>
import certifi
ImportError: No module named certifi
I was confused to why I didn’t catch that earlier on since I tested it, but was using Ubuntu. Eventually, I compared the source code for python-tornado between the RPM and DEB packages here is the diff:
# diff tornado_netutil_ubuntu16.py tornado_netutil_centos7.py
1d0
< #!/usr/bin/env python
38a38,46
> import certifi
> except ImportError:
> # certifi is optional as long as we have ssl.create_default_context.
> if ssl is None or hasattr(ssl, 'create_default_context'):
> certifi = None
> else:
> raise
>
> try:
66c74
< _client_ssl_defaults.load_verify_locations('/etc/ssl/certs/ca-certificates.crt')
---
> _client_ssl_defaults.load_verify_locations(certifi.where())
77c85
< ca_certs='/etc/ssl/certs/ca-certificates.crt')
---
> ca_certs=certifi.where())
158,162c166
< try:
< sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
< except socket.error as e:
< if e.args[0] != errno.ENOPROTOOPT:
< raise
---
> sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
ssl.create_default_context is not available until python 2.7.9, which means it doesn’t exist until Ubuntu15. So the above code will raise on anything below that.
Setup
Centos7 latest salt-ssh targeting Ubuntu <= v14
Workaround
Target Ubuntu, from Ubuntu.
Versions Report
Salt Version:
Salt: 2017.7.2
Dependency Versions:
cffi: 1.6.0
cherrypy: Not Installed
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.8
mysql-python: Not Installed
pycparser: 2.14
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.5 (default, Aug 4 2017, 00:39:18)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4
System Versions:
dist: centos 7.3.1611 Core
locale: UTF-8
machine: x86_64
release: 3.10.0-514.21.2.el7.x86_64
system: Linux
version: CentOS Linux 7.3.1611 Core
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Comments: 27 (22 by maintainers)
@Ch3LL Note that users may need to clear the thin cache (
/var/cache/salt/master/thin/) after installing certifi if they have previously run salt-ssh. Otherwise, salt-ssh will continue to deploy the cached files and produce the certifi error even when it’s available.EDIT: or, use the
-wand-tflags with the next run ofsalt-ssh