Open awestendorf opened 3 years ago
@awestendorf Salt v3002.2 is vulnerable, we recommend upgrading at your earliest to at least v3002.6. And is this a bug, or is this, as the title describes, "inconsistent" docs, or both? Simply clarify, thank you!
I consider it a bug because the docs describe the expected grain load order, but the code does not enforce that order. The docs are inconsistent on this because they state that one cannot be certain of what's loaded into the `grains` argument at the time of execution, which is true for the order of the programmatic grains, but all previous grain load steps should be complete when programmatic grains are evaluated.
Description
We're using Salt 3002.2 and trying to use a custom grain to declare `meta_role` for a machine, based on a static `role` grain, but are unable to do so because of the order in which grains are processed. At the time of evaluation, `/etc/salt/grains` has not yet been loaded and so it is not passed in the `grains` argument to the function.

In reading the documentation for grains, this behavior is called out here:
However, just above that, the documentation says:
If I modify the example below to return `role`, I have confirmed that it does not override the value of `role` in `/etc/salt/grains`, because the file is loaded after grain modules in the `_grains` directory have been evaluated. I have tried putting a static file in that directory but it is not synced, seemingly confirming that only custom grain modules are expected in the `_grains` directory, and so the custom modules should have access to, and be able to override, grains defined in `/etc/salt/grains`, per the documentation.

Setup
Grain `role` on a machine, a list stored in `/etc/salt/grains`. In this example we could say the value could be one or more of `[public_service, backend_service, postgres, redis]`.

The `meta_role` grain code would look something like this:

Steps to Reproduce the behavior
After declaring the above static and dynamic grains, and syncing them to a minion, run the following commands:
Expected behavior
I expect that `grains.get role` returns the list `[public_service]`, and `grains.get meta_role` returns the list `[application]`. However, `meta_role` returns an empty list because `/etc/salt/grains` has not been loaded at the time of the `_grains/meta_role.py` evaluation.

Versions Report
salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

```
Salt Version:
    Salt: 3002.2

Dependency Versions:
    cffi: Not Installed
    cherrypy: Not Installed
    dateutil: 2.8.1
    docker-py: Not Installed
    gitdb: 4.0.7
    gitpython: 3.1.8
    Jinja2: 2.10.3
    libgit2: Not Installed
    M2Crypto: Not Installed
    Mako: Not Installed
    msgpack: 1.0.0
    msgpack-pure: Not Installed
    mysql-python: Not Installed
    pycparser: Not Installed
    pycrypto: Not Installed
    pycryptodome: 3.4.7
    pygit2: Not Installed
    Python: 3.5.2 (default, Nov 23 2017, 16:37:01)
    python-gnupg: 0.3.8
    PyYAML: 5.3.1
    PyZMQ: 17.1.2
    smmap: 4.0.0
    timelib: Not Installed
    Tornado: 4.5.3
    ZMQ: 4.1.4

System Versions:
    dist: ubuntu 16.04 Xenial Xerus
    locale: UTF-8
    machine: x86_64
    release: 4.4.0-87-generic
    system: Linux
    version: Ubuntu 16.04 Xenial Xerus
```

Additional context
It appears that this bug was described previously in 2018, and recently closed due to inactivity https://github.com/saltstack/salt/issues/50491
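
The ordering effect reported in this issue, as an added example that is not part of the original report and is not Salt's loader code. The `load_grains` helper, the `custom_role` grain, and every mapping entry other than `public_service` to `application` are assumptions made for illustration.

```python
# Toy model of the grain load order described in this issue.
# Not Salt's loader: it only reproduces the ordering effect.

# Only public_service -> application is stated in the issue; the rest is assumed.
ROLE_TO_META = {
    "public_service": "application",
    "backend_service": "application",  # assumed
    "postgres": "datastore",           # assumed
    "redis": "datastore",              # assumed
}

def meta_role(grains):
    """Custom grain: derive meta_role from the role list in the passed grains."""
    roles = grains.get("role") or []
    if isinstance(roles, str):
        roles = [roles]
    metas = []
    for role in roles:
        meta = ROLE_TO_META.get(role)
        if meta and meta not in metas:
            metas.append(meta)
    return {"meta_role": metas}

def custom_role(grains):
    """Hypothetical custom grain that tries to override the static role grain."""
    return {"role": ["redis"]}

def load_grains(static_grains, custom_funcs, static_first):
    """Merge static grains and custom grain results in one of two orders."""
    grains = {"os": "Ubuntu"}  # stand-in for core grains
    if static_first:           # order the reporter expects from the docs
        grains.update(static_grains)
    for func in custom_funcs:
        grains.update(func(grains))
    if not static_first:       # order the reporter observed on 3002.2
        grains.update(static_grains)
    return grains

STATIC = {"role": ["public_service"]}  # constructed /etc/salt/grains content

if __name__ == "__main__":
    for static_first in (False, True):
        print(static_first, load_grains(STATIC, [meta_role], static_first))
```

With `static_first=False` the model gives an empty `meta_role` and a static `role` that wins over `custom_role`, matching both observations in the report; with `static_first=True` it gives the behavior the reporter expects.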