pool/salt
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1206690 from systemsmanagement:saltstack

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1206690
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/salt?expand=0&rev=161
This commit is contained in:
Ana Guerrero 2024-10-11 15:01:02 +00:00 committed by Git OBS Bridge
commit 61e23ed20c
6 changed files with 405 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_lastrevision
View File

@ -1 +1 @@
f52fbbd54dd538b283adddb91e14c9cbdb687060
af4efe8013e54de4be818761003c5966c88b6c19

26
enhance-cleanup-mechanism-after-salt-bundle-upgrade-.patch Normal file
View File

@ -0,0 +1,26 @@
From 994ebca519945c86dc30f1510dff36b3261446c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
<psuarezhernandez@suse.com>
Date: Thu, 10 Oct 2024 11:51:02 +0100
Subject: [PATCH] Enhance cleanup mechanism after Salt Bundle upgrade
(bsc#1228690) (#685)
---
pkg/common/venv-salt-minion-postinstall.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/common/venv-salt-minion-postinstall.service b/pkg/common/venv-salt-minion-postinstall.service
index b122d7d6ea..c9db270435 100644
--- a/pkg/common/venv-salt-minion-postinstall.service
+++ b/pkg/common/venv-salt-minion-postinstall.service
@@ -2,6 +2,6 @@
Description=Clean old environment for venv-salt-minion
[Service]
-ExecStart=/bin/sh -c '/usr/lib/venv-salt-minion/bin/post_start_cleanup.sh || :'
+ExecStart=/bin/sh -c 'WAIT_IF_SALT_JOBS=1 /usr/lib/venv-salt-minion/bin/post_start_cleanup.sh || :'
Type=oneshot
--
2.46.1

87
fix-x509-private-key-tests-and-test_suse-on-sle12-68.patch Normal file
View File

@ -0,0 +1,87 @@
From 43e05d3beea1d6e772fe88c051abf006c2a9bf90 Mon Sep 17 00:00:00 2001
From: Marek Czernek <marek.czernek@suse.com>
Date: Thu, 3 Oct 2024 13:08:16 +0200
Subject: [PATCH] Fix x509 private key tests and test_suse on SLE12
(#684)
---
.../functional/modules/test_x509_v2.py | 12 +++++++++--
.../functional/states/pkgrepo/test_suse.py | 20 +++++++++----------
2 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/tests/pytests/functional/modules/test_x509_v2.py b/tests/pytests/functional/modules/test_x509_v2.py
index 7de8f3b01f..3db78c1b63 100644
--- a/tests/pytests/functional/modules/test_x509_v2.py
+++ b/tests/pytests/functional/modules/test_x509_v2.py
@@ -1442,14 +1442,22 @@ def test_create_private_key_with_passphrase(x509, algo):
@pytest.mark.slow_test
def test_create_private_key_der(x509):
- res = x509.create_private_key(algo="ec", encoding="der")
+ try:
+ res = x509.create_private_key(algo="ec", encoding="der")
+ except NotImplementedError:
+ pytest.skip("Algorithm 'ec' is not supported on this OpenSSL version")
assert base64.b64decode(res)
@pytest.mark.slow_test
@pytest.mark.parametrize("passphrase", [None, "hunter2"])
def test_create_private_key_pkcs12(x509, passphrase):
- res = x509.create_private_key(algo="ec", encoding="pkcs12", passphrase=passphrase)
+ try:
+ res = x509.create_private_key(
+ algo="ec", encoding="pkcs12", passphrase=passphrase
+ )
+ except NotImplementedError:
+ pytest.skip("Algorithm 'ec' is not supported on this OpenSSL version")
assert base64.b64decode(res)
diff --git a/tests/pytests/functional/states/pkgrepo/test_suse.py b/tests/pytests/functional/states/pkgrepo/test_suse.py
index 3bafeedc94..d21a9aeb9d 100644
--- a/tests/pytests/functional/states/pkgrepo/test_suse.py
+++ b/tests/pytests/functional/states/pkgrepo/test_suse.py
@@ -28,14 +28,14 @@ def suse_state_tree(grains, pkgrepo, state_tree):
- comments:
- '# Salt Test'
- refresh: 1
- {% if grains['osmajorrelease'] == 15 %}
- - baseurl: https://download.opensuse.org/repositories/openSUSE:/Backports:/SLE-15-SP4/standard/
- - humanname: openSUSE Backports for SLE 15 SP4
- - gpgkey: https://download.opensuse.org/repositories/openSUSE:/Backports:/SLE-15-SP4/standard/repodata/repomd.xml.key
- {% elif grains['osfullname'] == 'openSUSE Tumbleweed' %}
+ {% if grains['osfullname'] == 'openSUSE Tumbleweed' %}
- baseurl: http://download.opensuse.org/tumbleweed/repo/oss/
- humanname: openSUSE Tumbleweed OSS
- gpgkey: https://download.opensuse.org/tumbleweed/repo/oss/repodata/repomd.xml.key
+ {% else %}
+ - baseurl: https://download.opensuse.org/repositories/openSUSE:/Backports:/SLE-15-SP4/standard/
+ - humanname: openSUSE Backports for SLE 15 SP4
+ - gpgkey: https://download.opensuse.org/repositories/openSUSE:/Backports:/SLE-15-SP4/standard/repodata/repomd.xml.key
{% endif %}
"""
@@ -53,14 +53,14 @@ def suse_state_tree(grains, pkgrepo, state_tree):
- comments:
- '# Salt Test (modified)'
- refresh: 1
- {% if grains['osmajorrelease'] == 15 %}
- - baseurl: https://download.opensuse.org/repositories/openSUSE:/Backports:/SLE-15-SP4/standard/
- - humanname: Salt modified Backports
- - gpgkey: https://download.opensuse.org/repositories/openSUSE:/Backports:/SLE-15-SP4/standard/repodata/repomd.xml.key
- {% elif grains['osfullname'] == 'openSUSE Tumbleweed' %}
+ {% if grains['osfullname'] == 'openSUSE Tumbleweed' %}
- baseurl: http://download.opensuse.org/tumbleweed/repo/oss/
- humanname: Salt modified OSS
- gpgkey: https://download.opensuse.org/tumbleweed/repo/oss/repodata/repomd.xml.key
+ {% else %}
+ - baseurl: https://download.opensuse.org/repositories/openSUSE:/Backports:/SLE-15-SP4/standard/
+ - humanname: Salt modified Backports
+ - gpgkey: https://download.opensuse.org/repositories/openSUSE:/Backports:/SLE-15-SP4/standard/repodata/repomd.xml.key
{% endif %}
"""
--
2.46.1

261
fix-x509-test-fails-on-old-openssl-systems-682.patch Normal file
View File

@ -0,0 +1,261 @@
From 7daf461528c90776b8f865cd58d20e23bd5b6f3f Mon Sep 17 00:00:00 2001
From: Marek Czernek <marek.czernek@suse.com>
Date: Wed, 2 Oct 2024 09:09:34 +0200
Subject: [PATCH] Fix x509 test fails on old openssl systems (#682)
---
.../functional/modules/test_x509_v2.py | 41 +++++++++++++----
.../pytests/functional/states/test_x509_v2.py | 44 +++++++++++++++----
.../scenarios/performance/test_performance.py | 8 +++-
3 files changed, 75 insertions(+), 18 deletions(-)
diff --git a/tests/pytests/functional/modules/test_x509_v2.py b/tests/pytests/functional/modules/test_x509_v2.py
index 2e8152d04a..7de8f3b01f 100644
--- a/tests/pytests/functional/modules/test_x509_v2.py
+++ b/tests/pytests/functional/modules/test_x509_v2.py
@@ -681,8 +681,13 @@ def test_create_certificate_self_signed(x509, algo, request):
privkey = request.getfixturevalue(f"{algo}_privkey")
try:
res = x509.create_certificate(signing_private_key=privkey, CN="success")
- except UnsupportedAlgorithm:
+ except (UnsupportedAlgorithm, NotImplementedError):
pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
+ except salt.exceptions.CommandExecutionError as e:
+ if "Could not load PEM-encoded" in e.error:
+ pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
+ else:
+ raise e
assert res.startswith("-----BEGIN CERTIFICATE-----")
cert = _get_cert(res)
assert cert.subject.rfc4514_string() == "CN=success"
@@ -754,8 +759,13 @@ def test_create_certificate_from_privkey(x509, ca_key, ca_cert, algo, request):
private_key=privkey,
CN="success",
)
- except UnsupportedAlgorithm:
+ except (UnsupportedAlgorithm, NotImplementedError):
pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
+ except salt.exceptions.CommandExecutionError as e:
+ if "Could not load PEM-encoded" in e.error:
+ pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
+ else:
+ raise e
assert res.startswith("-----BEGIN CERTIFICATE-----")
cert = _get_cert(res)
assert cert.subject.rfc4514_string() == "CN=success"
@@ -802,8 +812,13 @@ def test_create_certificate_from_pubkey(x509, ca_key, ca_cert, algo, request):
public_key=pubkey,
CN="success",
)
- except UnsupportedAlgorithm:
+ except (UnsupportedAlgorithm, NotImplementedError):
pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
+ except salt.exceptions.CommandExecutionError as e:
+ if "Could not load PEM-encoded" in e.error:
+ pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
+ else:
+ raise e
assert res.startswith("-----BEGIN CERTIFICATE-----")
cert = _get_cert(res)
assert cert.subject.rfc4514_string() == "CN=success"
@@ -1341,8 +1356,13 @@ def test_create_csr(x509, algo, request):
privkey = request.getfixturevalue(f"{algo}_privkey")
try:
res = x509.create_csr(private_key=privkey)
- except UnsupportedAlgorithm:
+ except (UnsupportedAlgorithm, NotImplementedError):
pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
+ except salt.exceptions.CommandExecutionError as e:
+ if "Could not load PEM-encoded" in e.error:
+ pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
+ else:
+ raise e
assert res.startswith("-----BEGIN CERTIFICATE REQUEST-----")
@@ -1402,7 +1422,7 @@ def test_create_csr_raw(x509, rsa_privkey):
def test_create_private_key(x509, algo):
try:
res = x509.create_private_key(algo=algo)
- except UnsupportedAlgorithm:
+ except (UnsupportedAlgorithm, NotImplementedError):
pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
assert res.startswith("-----BEGIN PRIVATE KEY-----")
@@ -1413,7 +1433,7 @@ def test_create_private_key_with_passphrase(x509, algo):
passphrase = "hunter2"
try:
res = x509.create_private_key(algo=algo, passphrase=passphrase)
- except UnsupportedAlgorithm:
+ except (UnsupportedAlgorithm, NotImplementedError):
pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
assert res.startswith("-----BEGIN ENCRYPTED PRIVATE KEY-----")
# ensure it can be loaded
@@ -1465,8 +1485,13 @@ def test_get_private_key_size(x509, algo, expected, request):
privkey = request.getfixturevalue(f"{algo}_privkey")
try:
res = x509.get_private_key_size(privkey)
- except UnsupportedAlgorithm:
+ except (UnsupportedAlgorithm, NotImplementedError):
pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
+ except salt.exceptions.CommandExecutionError as e:
+ if "Could not load PEM-encoded" in e.error:
+ pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
+ else:
+ raise e
assert res == expected
@@ -1612,7 +1637,7 @@ def test_verify_signature(x509, algo, request):
wrong_privkey = request.getfixturevalue(f"{algo}_privkey")
try:
privkey = x509.create_private_key(algo=algo)
- except UnsupportedAlgorithm:
+ except (UnsupportedAlgorithm, NotImplementedError):
pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
cert = x509.create_certificate(signing_private_key=privkey)
assert x509.verify_signature(cert, privkey)
diff --git a/tests/pytests/functional/states/test_x509_v2.py b/tests/pytests/functional/states/test_x509_v2.py
index 47a1c555f8..139f7b1906 100644
--- a/tests/pytests/functional/states/test_x509_v2.py
+++ b/tests/pytests/functional/states/test_x509_v2.py
@@ -574,9 +574,9 @@ def existing_cert(x509, cert_args, ca_key, rsa_privkey, request):
ca_key,
encoding=cert_args.get("encoding", "pem"),
passphrase=cert_args.get("pkcs12_passphrase"),
- subject=subject
- if "signing_policy" not in cert_args
- else "CN=from_signing_policy",
+ subject=(
+ subject if "signing_policy" not in cert_args else "CN=from_signing_policy"
+ ),
)
yield cert_args["name"]
@@ -694,8 +694,12 @@ def existing_csr_exts(x509, csr_args, csr_args_exts, ca_key, rsa_privkey, reques
def existing_pk(x509, pk_args, request):
pk_args.update(request.param)
ret = x509.private_key_managed(**pk_args)
- if ret.result == False and "UnsupportedAlgorithm" in ret.comment:
- pytest.skip(f"Algorithm '{pk_args['algo']}' is not supported on this OpenSSL version")
+ if ret.result == False and (
+ "UnsupportedAlgorithm" in ret.comment or "NotImplementedError" in ret.comment
+ ):
+ pytest.skip(
+ f"Algorithm '{pk_args['algo']}' is not supported on this OpenSSL version"
+ )
_assert_pk_basic(
ret,
pk_args.get("algo", "rsa"),
@@ -1054,6 +1058,8 @@ def test_certificate_managed_days_valid_does_not_override_days_remaining(
def test_certificate_managed_privkey_change(x509, cert_args, ec_privkey, ca_key):
cert_args["private_key"] = ec_privkey
ret = x509.certificate_managed(**cert_args)
+ if ret.result == False and "NotImplementedError" in ret.comment:
+ pytest.skip("Current OpenSSL does not support 'ec' algorithm")
_assert_cert_basic(ret, cert_args["name"], ec_privkey, ca_key)
assert ret.changes["private_key"]
@@ -1237,6 +1243,8 @@ def test_certificate_managed_wrong_ca_key(
cert_args["private_key"] = ec_privkey
cert_args["signing_private_key"] = rsa_privkey
ret = x509.certificate_managed(**cert_args)
+ if ret.result == False and "NotImplementedError" in ret.comment:
+ pytest.skip("Current OpenSSL does not support 'ec' algorithm")
assert ret.result is False
assert not ret.changes
assert "Signing private key does not match the certificate" in ret.comment
@@ -1917,6 +1925,8 @@ def test_csr_managed_existing_invalid_version(x509, csr_args, rsa_privkey):
def test_csr_managed_privkey_change(x509, csr_args, ec_privkey):
csr_args["private_key"] = ec_privkey
ret = x509.csr_managed(**csr_args)
+ if ret.result == False and "NotImplementedError" in ret.comment:
+ pytest.skip("Current OpenSSL does not support 'ec' algorithm")
_assert_csr_basic(ret, ec_privkey)
assert ret.changes["private_key"]
@@ -2141,11 +2151,14 @@ def test_private_key_managed(x509, pk_args, algo, encoding, passphrase):
pytest.skip(
"PKCS12 serialization of Edwards-curve keys requires cryptography v37"
)
+
pk_args["algo"] = algo
pk_args["encoding"] = encoding
pk_args["passphrase"] = passphrase
ret = x509.private_key_managed(**pk_args)
- if ret.result == False and "UnsupportedAlgorithm" in ret.comment:
+ if ret.result == False and (
+ "UnsupportedAlgorithm" in ret.comment or "NotImplementedError" in ret.comment
+ ):
pytest.skip(f"Algorithm '{algo}' is not supported on this OpenSSL version")
_assert_pk_basic(ret, algo, encoding, passphrase)
@@ -2155,6 +2168,8 @@ def test_private_key_managed_keysize(x509, pk_args, algo, keysize):
pk_args["algo"] = algo
pk_args["keysize"] = keysize
ret = x509.private_key_managed(**pk_args)
+ if ret.result == False and "NotImplementedError" in ret.comment:
+ pytest.skip("Current OpenSSL does not support 'ec' algorithm")
pk = _assert_pk_basic(ret, algo)
assert pk.key_size == keysize
@@ -2174,8 +2189,12 @@ def test_private_key_managed_keysize(x509, pk_args, algo, keysize):
)
def test_private_key_managed_existing(x509, pk_args):
ret = x509.private_key_managed(**pk_args)
- if ret.result == False and "UnsupportedAlgorithm" in ret.comment:
- pytest.skip(f"Algorithm '{pk_args['algo']}' is not supported on this OpenSSL version")
+ if ret.result == False and (
+ "UnsupportedAlgorithm" in ret.comment or "NotImplementedError" in ret.comment
+ ):
+ pytest.skip(
+ f"Algorithm '{pk_args['algo']}' is not supported on this OpenSSL version"
+ )
_assert_not_changed(ret)
@@ -2382,6 +2401,8 @@ def test_private_key_managed_follow_symlinks_changes(
pk_args["encoding"] = encoding
pk_args["algo"] = "ec"
ret = x509.private_key_managed(**pk_args)
+ if ret.result == False and "NotImplementedError" in ret.comment:
+ pytest.skip("Current OpenSSL does not support 'ec' algorithm")
assert ret.changes
assert Path(ret.name).is_symlink() == follow
@@ -2722,7 +2743,12 @@ def _get_cert(cert, encoding="pem", passphrase=None):
def _belongs_to(cert_or_pubkey, privkey):
if isinstance(cert_or_pubkey, cx509.Certificate):
cert_or_pubkey = cert_or_pubkey.public_key()
- return x509util.is_pair(cert_or_pubkey, x509util.load_privkey(privkey))
+ try:
+ return x509util.is_pair(cert_or_pubkey, x509util.load_privkey(privkey))
+ except NotImplementedError:
+ pytest.skip(
+ "This OpenSSL version does not support current cryptographic algorithm"
+ )
def _signed_by(cert, privkey):
diff --git a/tests/pytests/scenarios/performance/test_performance.py b/tests/pytests/scenarios/performance/test_performance.py
index 85b92ed986..6319e26ce1 100644
--- a/tests/pytests/scenarios/performance/test_performance.py
+++ b/tests/pytests/scenarios/performance/test_performance.py
@@ -10,7 +10,13 @@ from saltfactories.utils import random_string
from salt.version import SaltVersionsInfo, __version__
-pytestmark = [pytest.mark.skip_if_binaries_missing("docker")]
+pytestmark = [
+ pytest.mark.skip_if_binaries_missing("docker"),
+ pytest.mark.skipif(
+ os.environ.get("GITHUB_ACTIONS", "") == "true",
+ reason="Cannot spawn containers in GH actions run",
+ ),
+]
class ContainerMaster(SaltDaemon, master.SaltMaster):
--
2.46.1

24
salt.changes
View File

@ -1,3 +1,27 @@
-------------------------------------------------------------------
Thu Oct 10 11:19:52 UTC 2024 - Pablo Suárez Hernández <psuarezhernandez@suse.com>
- Make Salt Bundle more tolerant to long running jobs (bsc#1228690)
- Added:
* enhance-cleanup-mechanism-after-salt-bundle-upgrade-.patch
-------------------------------------------------------------------
Thu Oct 3 11:21:30 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
- Fix additional x509 tests and test_suse tests for SLE12
- Added:
* fix-x509-private-key-tests-and-test_suse-on-sle12-68.patch
-------------------------------------------------------------------
Wed Oct 2 07:47:58 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
- Fix failing x509 tests with OpenSSL < 1.1
- Added:
* fix-x509-test-fails-on-old-openssl-systems-682.patch
-------------------------------------------------------------------
Wed Sep 25 11:45:28 UTC 2024 - Victor Zhestkov <vzhestkov@suse.com>

6
salt.spec
View File

@ -446,6 +446,12 @@ Patch140: revert-the-change-making-reactor-less-blocking-bsc-1.patch
Patch141: allow-namedloadercontexts-to-be-returned-from-loader.patch
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/commit/d54407ba6dc664e5e5f3f613e27ae24f828c9648
Patch142: avoid-explicit-reading-of-etc-salt-minion-bsc-122035.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/682
Patch143: fix-x509-test-fails-on-old-openssl-systems-682.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/684
Patch144: fix-x509-private-key-tests-and-test_suse-on-sle12-68.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/685
Patch145: enhance-cleanup-mechanism-after-salt-bundle-upgrade-.patch
### IMPORTANT: The line below is used as a snippet marker. Do not touch it.
### SALT PATCHES LIST END