Closed darkpixel closed 1 week ago
When I set logging to 'trace', I see the following in the output:
```
+ EX_PYTHON_INVALID=10
+ PYTHON_CMDS='python3 python27 python2.7 python26 python2.6 python2 python'
+ command -v python3
+ continue
+ command -v python27
+ continue
+ command -v python2.7
+ continue
+ command -v python26
+ continue
+ command -v python2.6
+ continue
+ command -v python2
+ continue
+ command -v python
+ continue
+ echo 'ERROR: Unable to locate appropriate python command'
ERROR: Unable to locate appropriate python command
+ exit 10
```
Looks like it's not even trying the `--python3-bin` arg.
Workaround:
```
ln -s /usr/local/bin/python3.7 /usr/local/bin/python3
```
How did you install python3? The symlink should be there if you installed it from packages.
The `python37` package was automatically installed as part of `pkg install py37-salt`.
No symlink--at least not on FreeBSD.
```
root@uswuxsdrtr01:~ # pkg info -l python37 | grep \/usr\/local\/bin
/usr/local/bin/2to3-3.7
/usr/local/bin/idle3.7
/usr/local/bin/pydoc3.7
/usr/local/bin/python3.7
/usr/local/bin/python3.7-config
/usr/local/bin/python3.7m
/usr/local/bin/python3.7m-config
/usr/local/bin/pyvenv-3.7
root@uswuxsdrtr01:~ #
```
ok, it seems you're missing lang/python3 port which handles this with:
```
${LN} -sf python${PYTHON_VER} \
    ${STAGEDIR}${PREFIX}/bin/python${PYTHON_MAJOR_VER}
${LN} -sf 2to3-${PYTHON_VER} \
    ${STAGEDIR}${PREFIX}/bin/2to3-${PYTHON_MAJOR_VER}
```
If I'm using pkg to install python37, wouldn't that already be included? I'd rather not compile python 3.7 from ports on a bunch of boxes.
no, lang/python3 is a meta port to provide a symlink for python3/pydoc3/idle3
Understood. I rarely use salt-ssh--but this recent CVE is forcing me to use it to push out spiped and reconfigure the minions.
salt-ssh still should be paying attention to the `--python3-bin` arg, but I should probably install the `lang/python3` port as part of my highstate.
yup, I agree, installing it would make sense. BTW, you might configure pf/ipfw on masters to allow `in` rules for 4505/4506 from specific IPs only. Something like `pass in on $int_if proto tcp from $minionIP to $int_if port 4505:4506` would help.
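The allow-list suggested in the comment above, expanded into a pf.conf fragment as an added example that is not part of the original thread. The interface name `em0`, the table name `salt_minions` and the 192.0.2.x addresses are assumptions chosen for illustration.

```pf
# Constructed example for a Salt master's /etc/pf.conf (values are placeholders).
int_if = "em0"                      # assumed interface facing the minions

# Known minion addresses; a table can be updated without reloading the ruleset:
#   pfctl -t salt_minions -T add 192.0.2.12
table <salt_minions> persist { 192.0.2.10, 192.0.2.11 }

# Weak form, shown for comparison only: anyone who can reach the
# master can talk to the publish (4505) and return (4506) ports.
# pass in on $int_if proto tcp from any to any port 4505:4506

# Restricted form. pf applies the last matching rule, so the block comes
# first and the narrower pass overrides it for listed minions only.
block in log on $int_if proto tcp from any to any port 4505:4506
pass  in     on $int_if proto tcp from <salt_minions> to ($int_if) port 4505:4506

# Check syntax before loading, then confirm the table contents:
#   pfctl -nf /etc/pf.conf
#   pfctl -f  /etc/pf.conf
#   pfctl -t salt_minions -T show
```

Blocked connection attempts are logged to the pflog interface by the `log` keyword, which gives a record of hosts probing the master ports from outside the allow-list.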
Yeah--I've been watching the recent CVE. A few weeks back I deployed 'spiped' to all my minions to forward 127.0.0.1:4505 and :4506 to the salt master. Last week I switched all the minions to look for the master on 127.0.0.1. So basically no one can talk to the master unless they have spiped installed and the correct encryption key deployed.
To help with the pain of deployment, I have a 'bootstrap' master that only has one state that installs spiped (minus the key) and configures the minion.
The join process is basically:
Description
I have two FreeBSD 12.1-RELEASE-p3 machines. A master and a minion. Running salt-ssh from the master pointing to the minion throws:
Python 3.7 is installed on both machines. No other version of python is installed.
Setup roster.sls
Versions Report