saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

salt-cloud keeps borking on certificates #41272

Closed The-Loeki closed 5 years ago

The-Loeki commented 7 years ago

Description of Issue/Question

A couple of months ago, apparently someone had some real issue with YAST's CA certs; they're now hardcoded appended to libcloud.security.CA_CERT_PATHS to a number of drivers (e.g. CloudStack, Dimension Data, GCE).

However, at libcloud they recently refactored the lot to default CA_CERT_PATHS to None.

Discussion

I don't think the certificates should be hardcoded across the board, there must be a more elegant way to do that. Secondly, the reason the libcloud guys now set it to None (which arguably could be [] to solve this as well) is because they're enthusiastic about certifi; maybe it's not such a bad idea to keep with that convention as that package provides a much-better curated list of CAs than a few distros out there do.

Related

https://github.com/apache/libcloud/commit/a4ad8d4a44dbf6069d924cdadabfff522ed703e6
https://github.com/saltstack/salt/issues/32743

Steps to Reproduce Issue

[root@pampus1 file_roots]# salt-cloud --list-sizes scaleway
[ERROR   ] Failed to import clouds cloudstack, this is due most likely to a syntax error:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1343, in _load_module
    mod = imp.load_module(mod_namespace, fn_, fpath, desc)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/cloudstack.py", line 43, in <module>
    libcloud.security.CA_CERTS_PATH.append('/etc/ssl/certs/YaST-CA.pem')
AttributeError: 'NoneType' object has no attribute 'append'
[ERROR   ] Failed to import clouds dimensiondata, this is due most likely to a syntax error:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1343, in _load_module
    mod = imp.load_module(mod_namespace, fn_, fpath, desc)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/dimensiondata.py", line 42, in <module>
    libcloud.security.CA_CERTS_PATH.append('/etc/ssl/certs/YaST-CA.pem')
AttributeError: 'NoneType' object has no attribute 'append'
[ERROR   ] Failed to import clouds gce, this is due most likely to a syntax error:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1343, in _load_module
    mod = imp.load_module(mod_namespace, fn_, fpath, desc)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/gce.py", line 71, in <module>
    libcloud.security.CA_CERTS_PATH.append('/etc/ssl/certs/YaST-CA.pem')
AttributeError: 'NoneType' object has no attribute 'append'

Versions Report

           Salt: 2017.5.0-696-g9290435

Dependency Versions:
           cffi: 1.9.1
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: 2.2.1
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.7.2
        libgit2: 0.25.1
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: 2.17
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.25.1
         Python: 2.7.5 (default, Nov  6 2016, 00:28:07)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 15.3.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: centos 7.3.1611 Core
        machine: x86_64
        release: 4.5.7-std-3
         system: Linux
        version: CentOS Linux 7.3.1611 Core
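
Added example, not code from Salt or libcloud: a None-safe replacement for the module-level CA_CERTS_PATH.append(...) call shown in the traceback above. It assumes the refactored libcloud expects CA_CERTS_PATH to be None or a single path; candidate_paths, pick_ca_bundle and apply_to are hypothetical helper names, and a SimpleNamespace stands in for libcloud.security so the block runs without libcloud installed.

```python
import os
import types

# Distro-specific CA file named in the traceback above.
YAST_CA = '/etc/ssl/certs/YaST-CA.pem'


def candidate_paths(current, extra=(YAST_CA,)):
    """Normalise CA_CERTS_PATH (None, one path, or a list) into a list."""
    if current is None:
        paths = []
    elif isinstance(current, str):
        paths = [current]
    else:
        paths = list(current)
    # Extras go last so an already configured bundle keeps priority.
    return paths + [p for p in extra if p not in paths]


def pick_ca_bundle(current, extra=(YAST_CA,), exists=os.path.isfile):
    """Return the first candidate that exists, else None (library default)."""
    for path in candidate_paths(current, extra):
        if exists(path):
            return path
    return None


def apply_to(security, extra=(YAST_CA,), exists=os.path.isfile):
    """Set security.CA_CERTS_PATH only if a usable file was found.

    Verification is never switched off, and None is left alone so the
    default bundle still applies.
    """
    chosen = pick_ca_bundle(getattr(security, 'CA_CERTS_PATH', None),
                            extra, exists)
    if chosen is not None:
        security.CA_CERTS_PATH = chosen
    return chosen


if __name__ == '__main__':
    # Constructed stand-in for libcloud.security after the refactor.
    refactored = types.SimpleNamespace(CA_CERTS_PATH=None)
    print(apply_to(refactored, exists=lambda p: p == YAST_CA))
    print(apply_to(types.SimpleNamespace(CA_CERTS_PATH=None),
                   exists=lambda p: False))
```

On a host without the YaST file the attribute stays None, so the driver module imports cleanly and certificate verification falls through to the library's default bundle.
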

techhat commented 7 years ago

Ping @erjohnso.

erjohnso commented 7 years ago

@tonybaloney - isn't this the same thing you were discussing in https://github.com/saltstack/salt/pull/40837?

tonybaloney commented 7 years ago

Yes it is. That needs to get merged first. Or a version of it. There's a hack for SuSE that no longer applies or works in 2.0>

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.