Ubuntu
salt package

salt --versions-report broken in bionic/cosmic with openssl 1.1.1

Bug #1823332 reported by Dimitri John Ledkov
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Salt
Fix Released
Unknown
salt (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Cosmic
Confirmed
Undecided
Unassigned
Disco
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

 * salt fails to start with OpenSSL 1.1.1 (which is in cosmic-release, bionic-proposed)

[Test Case]

 * install openssl/libssl1.1 from bionic-proposed

 sudo apt install salt-master
 sudo salt --versions-report

 [bad] Python traceback ending in:
  ssl.SSLError: unknown error (_ssl.c:2788)

 [good] a table of version numbers
Salt Version:
           Salt: 2018.3.0
...

[Fix]

 * Unused imports, and 1.1.1 incompatible libcrypto init functions in salt are causing it to fail to start with OpenSSL 1.1.1. The upstream patches that were merged into stable branch make it compatible with either 1.1.0 or 1.1.1.

 * Note that for bionic above is sufficent by itself. In cosmic, python-tornado got upgraded from v4 to v5 and salt is incompatible with it. Hence salt in cosmic is currently complete busted due to this issue and lack of tornado4. I have now requested and SRU to reintroduce tornado4 into cosmic to unbreak salt in cosmic. But it may take much longer than the smaller fix for bionic.

[Regression Potential]

 * The underlying behavior of crypto with or without these patches is not changed. There are no versioned breaks to prevent upgrading libssl1.1 whilst salt is installed, but this fix should make salt compatible with any openssl releases. Currently, salt is completely broken in cosmic-release (fails to start) so it's hard to regress further than that in cosmic.

[Other Info]

 * Full traceback

# sudo apt install salt-master
# sudo salt --versions-report
Traceback (most recent call last):
  File "/usr/bin/salt", line 10, in <module>
    salt_main()
  File "/usr/lib/python3/dist-packages/salt/scripts.py", line 476, in salt_main
    client.run()
  File "/usr/lib/python3/dist-packages/salt/cli/salt.py", line 33, in run
    import salt.client
  File "/usr/lib/python3/dist-packages/salt/client/__init__.py", line 31, in <module>
    import salt.cache
  File "/usr/lib/python3/dist-packages/salt/cache/__init__.py", line 18, in <module>
    import salt.loader
  File "/usr/lib/python3/dist-packages/salt/loader.py", line 26, in <module>
    import salt.utils.event
  File "/usr/lib/python3/dist-packages/salt/utils/event.py", line 70, in <module>
    import tornado.iostream
  File "/usr/lib/python3/dist-packages/tornado/iostream.py", line 40, in <module>
    from tornado.netutil import ssl_wrap_socket, _client_ssl_defaults, _server_ssl_defaults
  File "/usr/lib/python3/dist-packages/tornado/netutil.py", line 45, in <module>
    ssl.Purpose.SERVER_AUTH)
  File "/usr/lib/python3.6/ssl.py", line 502, in create_default_context
    context = SSLContext(PROTOCOL_TLS)
  File "/usr/lib/python3.6/ssl.py", line 391, in __new__
    self = _SSLContext.__new__(cls, protocol)
ssl.SSLError: unknown error (_ssl.c:2788)

See original description
Dimitri John Ledkov (xnox)
description: updated
Changed in salt (Ubuntu Bionic):
status: New → Confirmed
Changed in salt (Ubuntu Cosmic):
status: New → Confirmed
Dimitri John Ledkov (xnox)
Changed in salt (Ubuntu Disco):
status: New → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in salt:
status: Unknown → New
Dimitri John Ledkov (xnox)
description: updated
Dimitri John Ledkov (xnox)
Changed in salt (Ubuntu Bionic):
status: Confirmed → In Progress
description: updated
Bug Watch Updater (bug-watch-updater)
Changed in salt:
status: New → Fix Released
Revision history for this message
EOLE team (eole-team) wrote :

Hello.

Is there any blocking thing for Bionic?

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

https://launchpad.net/ubuntu/bionic/+queue?queue_state=1&queue_text=salt

It's currently awaiting review from Stable Release Updates team, since 5th of April.

Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Dimitri, or anyone else affected,

Accepted salt into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/salt/2017.7.4+dfsg1-1ubuntu18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in salt (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

# dpkg-query -W libssl1.1 salt-master
libssl1.1:amd64 1.1.1-1ubuntu2.1~18.04.1
salt-master 2017.7.4+dfsg1-1ubuntu18.04.1

(bionic-amd64)root@ottawa:~# salt --versions-report
Salt Version:
           Salt: 2017.7.4

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.6.1
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.10
        libgit2: 0.26.0
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.26.2
         Python: 3.6.8 (default, Jan 14 2019, 11:02:34)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 16.0.2
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.2.5

System Versions:
           dist: Ubuntu 18.04 bionic
         locale: ANSI_X3.4-1968
        machine: x86_64
        release: 5.0.0-13-generic
         system: Linux
        version: Ubuntu 18.04 bionic

All is good.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for salt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package salt - 2017.7.4+dfsg1-1ubuntu18.04.1

---------------
salt (2017.7.4+dfsg1-1ubuntu18.04.1) bionic; urgency=medium

  * Cherrypick two upstream patches to fix compat with OpenSSL 1.1.1,
    without these salt fails to start when OpenSSL is upgraded from 1.1.0
    to 1.1.1. LP: #1823332
  * Fix up install call in debian/rules to resolve FTBFS.

 -- Dimitri John Ledkov <email address hidden> Fri, 05 Apr 2019 15:41:52 +0100

Changed in salt (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.