saltstack / relenv

Re-producible and Re-relocatable Python Environments
Apache License 2.0

Setting OPENSSL_MODULES breaks non-Salt tooling that uses OpenSSL #140

Closed terminalmage closed 1 year ago

terminalmage commented 1 year ago

The 3006.2 release of Salt introduced a new version of relenv, which added code to runtime.py that sets OPENSSL_MODULES. It also added openssl modules to the relenv. However, this transparent environment mangling breaks (at least some) non-Salt tooling that uses OpenSSL.

For example, when using Salt to manage maas, we utilize a cmd.script state to run several shell commands that initialize a new maas instance, configure TLS, etc. With the latest changes to relenv released with Salt 3006.2, OPENSSL_MODULES is pointed at the OpenSSL within the relenv, and any commands that Salt runs inherit this modified environment. This means that, when Salt runs maas CLI commands, the maas CLI tools try (and fail) to load legacy.so, resulting in a cryptic OpenSSL error.

I was able to work around this by manually unsetting OPENSSL_MODULES in the shell script, but other tools are likely to be similarly affected.

Ch3LL commented 1 year ago

@dwoz any ideas here?

dwoz commented 1 year ago

We need to set OPENSSL_MODULES when running under relenv in order for Salt (or any other project that uses relenv) to find relenv's OPENSSL_MODULES directory. There's really no way around that because relenv can be run from anywhere. There are only two options I can think of here.

The best option would be to find a way to make relenv's openssl search for the modules dir using a relative path. I'm not aware of a way to do that right now but can spend some time looking into it.

The second option, if we can't find a way to do the first, would be to detect if we're in relenv and remove the OPENSSL_MODULES environment variable when running scripts from Salt.

terminalmage commented 1 year ago

The problem with the second option is that you break legitimate use of OPENSSL_MODULES. So, I would say, should that be the fix, that OPENSSL_MODULES only gets stripped from the environment (presumably in the TimedProc class) if the path matches the relenv's openssl module dir.
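The conditional stripping suggested in the comment above, sketched as an added example (not code from Salt, relenv or any commenter). The function names, the `relenv_modules_dir` and `saved_value` parameters and the sample path are hypothetical; restoring a value saved before the override goes one step beyond what the comment proposes.

```python
import os
from pathlib import Path


def _same_dir(a, b):
    """True when both paths resolve to the same directory
    (symlinks, '..' components and trailing slashes are normalized)."""
    try:
        return Path(a).resolve() == Path(b).resolve()
    except OSError:
        return False


def child_env(relenv_modules_dir, base_env=None, saved_value=None):
    """Build the environment for a subprocess started from a relenv-hosted process.

    relenv_modules_dir: hypothetical path of the relenv's own OpenSSL modules dir.
    saved_value: OPENSSL_MODULES as it was before the runtime overrode it, if the
                 caller recorded it (an assumption; the thread does not say so).
    """
    env = dict(os.environ if base_env is None else base_env)
    current = env.get("OPENSSL_MODULES")
    # Unset, empty, or pointing somewhere else: a legitimate operator setting,
    # so the child inherits it unchanged.
    if not current or not _same_dir(current, relenv_modules_dir):
        return env
    # The variable points into the relenv, so system OpenSSL in the child would
    # try to load providers built for a different libcrypto.
    if saved_value and not _same_dir(saved_value, relenv_modules_dir):
        env["OPENSSL_MODULES"] = saved_value  # put the operator's value back
    else:
        del env["OPENSSL_MODULES"]
    return env


if __name__ == "__main__":
    # Constructed sample values, not paths taken from the issue.
    relenv_dir = "/opt/example-relenv/lib/ossl-modules"
    inherited = {"PATH": "/usr/bin", "OPENSSL_MODULES": relenv_dir + "/"}
    print(child_env(relenv_dir, inherited))
```
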

dwoz commented 1 year ago

I think we may be able to get away without setting OPENSSL_MODULES at all. I noticed a method OSSL_PROVIDER_set_default_search_path in the OpenSSL source. Looks like we can use that to set the default location just for relenv's openssl.

dwoz commented 1 year ago

From the relenv side of things this has been fixed in 0.13.5. Salt will release the changes in 3006.3; see saltstack/salt#65058.

terminalmage commented 1 year ago

Thanks!