Closed terminalmage closed 1 year ago
@dwoz any ideas here?
We need to set OPENSSL_MODULES for when running under relenv in order for Salt's (or any other project that uses relenv) to find relenv's OPENSSL_MODULES directory. There's really no way around that because relenv can be run from anywhere. There are only two options I can think of here.
The best option would be to find a way to make relenv's openssl search for the modules dir using a relative path. I'm not aware of a way to do that right now but can spend some time looking into it.
The second option if we can't find a way to do the first would be to detect if we're in relenv and remove the OPENSSL_MODULES environment variable when running scripts from Salt.
The problem with the second option is that you break legitimate use of OPENSSL_MODULES. So, I would say, should that be the fix, that OPENSSL_MODULES only gets stripped from the environment (presumably in the TimedProc class) if the path matches the relenv's openssl module dir.
I think we may be able to get away without setting OPENSSL_MODULES at all. I noticed a method OSSL_PROVIDER_set_default_search_path in the OpenSSL source. Looks like we can use that to set the default location just for relenv's openssl.
From the relenv side of things this has been fixed in 0.13.5. Salt will release the changes in 3006.3, see saltstack/salt#65058
Thanks!
The 3006.2 release of Salt introduced a new version of relenv, which added code to runtime.py that sets OPENSSL_MODULES. It also added openssl modules to the relenv. However, this transparent environment mangling breaks (at least some) non-Salt tooling that uses OpenSSL.
For example, when using Salt to manage maas, we utilize a cmd.script state to run several shell commands that initialize a new maas instance, configure TLS, etc. With the latest changes to relenv released with Salt 3006.2, OPENSSL_MODULES is pointed at the OpenSSL within the relenv, and any commands that Salt runs inherit this modified environment. This means that, when Salt runs maas CLI commands, the maas CLI tools try (and fail) to load legacy.so, resulting in a cryptic OpenSSL error.
I was able to work around this by manually unsetting OPENSSL_MODULES in the shell script, but other tools are likely to be similarly affected.
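
The conditional stripping proposed in the thread (drop OPENSSL_MODULES from a child's environment only when it points at the bundled modules directory) can be sketched as follows. This is an added example, not code from Salt or relenv; `child_env`, `run_external` and the directory layout in `demo` are hypothetical names and constructed paths.

```python
import os
import subprocess
import sys
import tempfile

ENV_VAR = "OPENSSL_MODULES"


def _same_dir(a, b):
    """Compare two paths after resolving symlinks, '..' and trailing slashes."""
    return os.path.normcase(os.path.realpath(a)) == os.path.normcase(os.path.realpath(b))


def child_env(relenv_modules_dir, env=None):
    """Copy env for a child process, dropping OPENSSL_MODULES only when it
    points at the bundled (relenv) modules directory. A value an operator
    set for a different OpenSSL build is passed through untouched."""
    clean = dict(os.environ if env is None else env)
    value = clean.get(ENV_VAR)
    if value and _same_dir(value, relenv_modules_dir):
        del clean[ENV_VAR]
    return clean


def run_external(cmd, relenv_modules_dir, env=None):
    """Run an external command with the sanitized environment."""
    return subprocess.run(cmd, env=child_env(relenv_modules_dir, env),
                          capture_output=True, text=True, check=False)


def demo():
    """Constructed scenario: a fake bundled modules dir and an operator-owned one."""
    with tempfile.TemporaryDirectory() as root:
        bundled = os.path.join(root, "relenv", "lib", "ossl-modules")  # hypothetical layout
        custom = os.path.join(root, "opt", "ossl-modules")
        os.makedirs(bundled)
        os.makedirs(custom)
        # The child just reports what it inherited.
        probe = [sys.executable, "-c",
                 "import os; print(os.environ.get('OPENSSL_MODULES', 'unset'))"]
        base = {k: v for k, v in os.environ.items() if k != ENV_VAR}
        inherited = run_external(probe, bundled, {**base, ENV_VAR: bundled + os.sep})
        operator = run_external(probe, bundled, {**base, ENV_VAR: custom})
        return inherited.stdout.strip(), operator.stdout.strip() == custom
```

Comparing resolved paths rather than raw strings keeps a trailing slash or a symlinked install prefix from defeating the match.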