[BUG] onedir blocks installation of shared libraries for pygit2 gitfs in 3006.0 #64121

Open
2 of 9 tasks
DaAwesomeP opened this issue Apr 20, 2023 · 53 comments · Fixed by openSUSE/salt#588 · May be fixed by #64510
Labels: Bug (broken, incorrect, or confusing behavior); dependency (underlying Salt dependency issue); Regression (the issue is a bug that breaks functionality known to work in previous releases); Sulfur v3006.0 (release code name and version)

Comments

@DaAwesomeP
Contributor

Description
I did not change any configuration between 3005.1 and 3006.0 but suddenly salt-master cannot find my public keys.

Setup

fileserver_backend:
  - gitfs

gitfs_provider: pygit2
gitfs_remotes:
  - ssh://git@github.com/myorg/mysalt.git:
    - base: main
    - root: salt
    - pubkey: /root/.ssh/id_salt.pub
    - privkey: /root/.ssh/id_salt
  - https://github.com/saltstack/salt-winrepo-ng.git:
    - all_saltenvs: master
    - mountpoint: salt://win/repo-ng/salt-winrepo-ng

ext_pillar:
  - git:
    - main ssh://git@github.com/myorg/mypillar.git:
      - env: base
      - root: pillar
      - pubkey: /root/.ssh/id_pillar.pub
      - privkey: /root/.ssh/id_pillar

  • on-prem machine
  • VM (Virtualbox, KVM, etc. please specify)
  • VM running on a cloud service, please be explicit and add details
  • container (Kubernetes, Docker, containerd, etc. please specify)
  • or a combination, please be explicit
  • jails if it is FreeBSD
  • classic packaging
  • onedir packaging
  • used bootstrap to install

Steps to Reproduce the behavior
Upgrade from 3005.1 to 3006.0. Run salt-pip install pygit2.

Expected behavior
Should fetch gitfs normally.

Screenshots

[CRITICAL] SSH pubkey (/root/.ssh/id_salt.pub) for gitfs remote 'ssh://git@github.com/myorg/mysalt.git' could not be found, path may be incorrect. Note that it may be necessary to clear git_pillar locks to proceed once this is resolved and the master has been started back up. A warning will be logged if this is the case, with instructions.
[CRITICAL] SSH pubkey (/root/.ssh/id_pillar.pub) for git_pillar remote 'main ssh://git@github.com/myorg/mypillar.git' could not be found, path may be incorrect. Note that it may be necessary to clear git_pillar locks to proceed once this is resolved and the master has been started back up. A warning will be logged if this is the case, with instructions.
[CRITICAL] Failed to load gitfs
[CRITICAL] Failed to load git_pillar
[CRITICAL] Master failed pre flight checks, exiting

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
          Salt: 3006.0
 
Python Version:
        Python: 3.10.11 (main, Apr 14 2023, 05:57:16) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.15.1
      cherrypy: unknown
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.2
       libgit2: 1.6.3
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.9.8
        pygit2: 1.12.0
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 23.2.0
        relenv: 0.11.2
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: debian 11 bullseye
        locale: utf-8
       machine: x86_64
       release: 5.10.0-21-cloud-amd64
        system: Linux
       version: Debian GNU/Linux 11 bullseye

Additional context
Running cat and ls on those files show they exist fine. The files have permission 0400/-r-------- and are owned by root:root.

@DaAwesomeP DaAwesomeP added Bug broken, incorrect, or confusing behavior needs-triage labels Apr 20, 2023
@lkubb
Contributor

lkubb commented Apr 20, 2023

The Salt master does not run as root anymore, see the release notes:

https://docs.saltproject.io/en/latest/topics/releases/3006.0.html#linux-packaging-salt-master-salt-user-and-group
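Added example (not part of the thread and not Salt's own code): once the master runs as an unprivileged account, a key under /root/.ssh is blocked at the directory rather than at the file, which is why cat and ls as root look fine. The sketch evaluates the mode bits along a path for a given uid and group set; the directory layout, the simulated account ids and the function names are constructed for illustration.

```python
import os
import pwd
import shutil
import tempfile

SEARCH, READ = 0o1, 0o4  # bits inside one rwx triplet


def account_ids(name):
    """uid and full group set of a local account, e.g. account_ids("salt")."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, set(os.getgrouplist(name, pw.pw_gid))


def _allowed(st, uid, gids, want):
    """Owner/group/other evaluation; exactly one triplet applies (ACLs ignored)."""
    if uid == 0:
        return True  # root bypasses discretionary read/search checks
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)


def first_blocker(path, uid, gids, base="/"):
    """Walk from base down to path. Return (component, reason) for the first
    component the account cannot pass, or None if the file is readable.
    Run it as a user that can stat every component (normally root)."""
    path, base = os.path.abspath(path), os.path.abspath(base)
    current = base
    for part in os.path.relpath(path, base).split(os.sep):
        try:
            st = os.stat(current)
        except FileNotFoundError:
            return current, "does not exist"
        if not _allowed(st, uid, gids, SEARCH):
            return current, "directory not searchable"
        current = os.path.join(current, part)
    try:
        st = os.stat(current)
    except FileNotFoundError:
        return current, "does not exist"
    if not _allowed(st, uid, gids, READ):
        return current, "file not readable"
    return None


def demo():
    """Constructed layout: root_home/.ssh mimics /root/.ssh (0700 dirs, 0400 key),
    salt_keys mimics a relocated key directory (0750 dir, 0440 key)."""
    top = tempfile.mkdtemp()
    try:
        os.chmod(top, 0o755)
        layout = {"old": ("root_home/.ssh", 0o700, 0o400),
                  "new": ("salt_keys", 0o750, 0o440)}
        keys = {}
        for name, (rel, dmode, fmode) in layout.items():
            d = os.path.join(top, rel)
            os.makedirs(d)
            keys[name] = os.path.join(d, "id_salt")
            with open(keys[name], "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(keys[name], fmode)
            os.chmod(d, dmode)
        os.chmod(os.path.join(top, "root_home"), 0o700)
        # Simulated service account (hypothetical ids): not the owner of the
        # files, but a member of the group that owns them.
        uid = os.stat(top).st_uid + 1
        gids = {os.stat(keys["new"]).st_gid}
        return {n: first_blocker(p, uid, gids, base=top) for n, p in keys.items()}
    finally:
        shutil.rmtree(top)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "readable")
```

On a real master the call would be first_blocker("/root/.ssh/id_salt", *account_ids("salt")), run as root.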

@DaAwesomeP
Contributor Author

Ah, well that was half of it. I moved them to a directory owned by root and readable by the new salt user.

Now I am getting an error, probably because the salt user doesn't have a home directory; it also doesn't have a known_hosts file or a place to create one:

[ERROR   ] Error occurred fetching gitfs remote 'ssh://git@github.com/myorg/mysalt.git': error loading known_hosts:
Traceback (most recent call last):
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/gitfs.py", line 1870, in _fetch
    fetch_results = origin.fetch(**fetch_kwargs)
  File "/opt/saltstack/salt/extras-3.10/pygit2/remote.py", line 146, in fetch
    payload.check_error(err)
  File "/opt/saltstack/salt/extras-3.10/pygit2/callbacks.py", line 98, in check_error
    check_error(error_code)
  File "/opt/saltstack/salt/extras-3.10/pygit2/errors.py", line 65, in check_error
    raise GitError(message)
_pygit2.GitError: error loading known_hosts:

The known_hosts functionality should probably be disabled or a specific path should be chosen for it.

@DaAwesomeP DaAwesomeP changed the title [BUG] gitfs cannot find public keys after upgrading to 3006.0 [BUG] gitfs known_hosts error from no home folder for salt user in 3006.0 Apr 21, 2023
@DaAwesomeP DaAwesomeP changed the title [BUG] gitfs known_hosts error from no home folder for salt user in 3006.0 [BUG] gitfs known_hosts error for salt user in 3006.0 Apr 21, 2023
@DaAwesomeP
Contributor Author

DaAwesomeP commented Apr 21, 2023

I stand corrected, there is a home directory assigned to it at the default /home/salt. I do find this odd since it is a system user. Often (at least on Debian) system users do not have home folders or they are put somewhere else like /var (at least this is what I have found).

EDIT: See #64141

@DaAwesomeP
Contributor Author

DaAwesomeP commented Apr 21, 2023

Running sudo -u salt ssh github.com and accepting the host does not appear to resolve the issue. I also tried sudo -u salt bash -c "ssh-keyscan github.com >> ~/.ssh/known_hosts" and salt [MASTER_ID] ssh.set_known_host user=salt hostname=github.com.

I verified that the /home/salt/.ssh/known_hosts file existed and contained some contents after running these commands.
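Added example, not part of the thread: ssh-keyscan records whatever key the network returns, so entries appended that way are worth comparing against a fingerprint obtained out of band before the master relies on them. The sketch computes OpenSSH-style SHA256 fingerprints for the entries of one host, including hashed host names; the keys, the pinned fingerprint and the function names are constructed and are not GitHub's real host keys.

```python
import base64
import hashlib
import hmac
import struct


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(host_field, host):
    """Exact names and hashed names (|1|salt|hash, HMAC-SHA1 keyed with the
    salt). Wildcard and negated patterns are not handled in this sketch."""
    for pat in host_field.split(","):
        if pat.startswith("|1|"):
            _, _, salt, want = pat.split("|")
            mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(want)):
                return True
        elif pat == host:
            return True
    return False


def audit(known_hosts_text, host, pinned):
    """Return [(keytype, fingerprint, trusted)] for every entry of host.
    trusted is True only when the fingerprint is in the pinned set."""
    rows = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank, comment, or @cert-authority/@revoked marker line
        hosts, keytype, blob = fields[:3]
        if host_matches(hosts, host):
            fp = fingerprint(blob)
            rows.append((keytype, fp, fp in pinned))
    return rows


def constructed_blob(keytype, raw):
    """Constructed key in SSH wire format: string(keytype) + string(key bytes)."""
    kt = keytype.encode()
    wire = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(wire).decode()


# Constructed sample data (not real host keys).
GOOD = constructed_blob("ssh-ed25519", bytes(range(32)))
ROGUE = constructed_blob("ssh-ed25519", bytes(range(1, 33)))
PINNED = {fingerprint(GOOD)}  # stand-in for the fingerprint the host publishes

_SALT = bytes(20)
HASHED_HOST = "|1|{}|{}".format(
    base64.b64encode(_SALT).decode(),
    base64.b64encode(hmac.new(_SALT, b"github.com", hashlib.sha1).digest()).decode(),
)
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts content",
    "github.com ssh-ed25519 " + GOOD,
    HASHED_HOST + " ssh-ed25519 " + ROGUE,
    "example.org ssh-ed25519 " + ROGUE,
])

if __name__ == "__main__":
    for keytype, fp, trusted in audit(SAMPLE_KNOWN_HOSTS, "github.com", PINNED):
        print(keytype, fp, "pinned" if trusted else "NOT PINNED")
```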

@DaAwesomeP
Contributor Author

OK, I found a version inconsistency that may make dealing with this quite horrible:

  • Debian 11 stable (Bullseye) includes libgit2 v1.1.0 in the libgit2-1.1 package
  • Saltstack uses Python 3.10 in onedir in 3006.0
  • pygit2 versions v1.4 through v1.6 support libgit2 v1.1
  • pygit2 versions v1.4 through v1.6 only support Python 3.6 through 3.9
  • pygit2 versions v1.7 through v1.8 are the first to support Python 3.10 and onward, but these only support libgit2 v1.3 and onward
  • See https://www.pygit2.org/install.html#version-numbers

So it seems you have to pick libgit2 compatibility or Python 3.10 compatibility or build libgit2 from source?

Was gitfs on Debian stable tested as a part of the 3006.0 release? I'm sure this is a very common configuration. If not, how can we be sure this sort of thing is tested going forward? I imagine this is also a mess on RHEL 6 and other older stable platforms.

@DaAwesomeP
Contributor Author

DaAwesomeP commented Apr 21, 2023

I tried salt-pip install 'pygit2>=1.4,<1.7' but since there is no wheel available for pygit2 v1.6.1 with Python 3.10 it has to build the wheel on install. This effectively requires installing build-essential on the machine (not a solution for production machines) or building the wheel offline.

I also tried salt-pip install 'pygit2>=1.7,<1.9' but this resulted in pip warning of many linked library versions not available on Debian 11, and the known_hosts issue persisted.

I will try building the wheel separately and see if pygit2 v1.6.1 works with Python 3.10, but this is clearly not supported by the pygit2 developers and would be a temporary workaround.

I see why Salt moved to Python 3.10 but I'm sure this is not the only package version inconsistency that will be found on other stable/LTS distros.

@DaAwesomeP
Contributor Author

Another workaround: Since Saltstack still supports Python 3.9 just fine and Debian 11 packages are built around Python 3.9 as the latest available version, then the Salt packages could use Python 3.9 on Debian 11.

@OrangeDog
Contributor

you have to pick libgit2 compatibility or Python 3.10 compatibility or build libgit2 from source?

No, you have to install pygit2 via wheel: salt-pip install --only-binary=:all: pygit2

The system package of libgit2 does not usually work, as it doesn't have SSH support included.

@DaAwesomeP
Contributor Author

DaAwesomeP commented Apr 24, 2023

@OrangeDog To try that out I removed salt, wiped the Python 3.10 and package folders to start afresh, and reinstalled. Pip installs pygit2 but it complains of missing libssl, libcrypto, libpcre, and libssh2 presumably because the versions that the libgit2 bundled with pygit2 v1.12 relies on are not available in Debian 11.

I have verified that package libssh2-1, which should provide libssh2.so.1.0.1, is installed on the system. It seems in Debian 11 libcrypto.so.3 should really link to libmbedcrypto.so.3 from the libmbedcrypto3 package or just libssl3 is not available on Debian 11. I stopped checking the rest.

Given that it can't find libssh2.so.1.0.1, is the issue really that all of these are missing from /opt/saltstack/salt/lib/ and not from the system?

# uninstall 3006
$ rm -rf /opt/saltstack/salt/lib/python3.10 /opt/saltstack/salt/extras-3.10
# install 3006
$ salt-pip install --only-binary=:all: pygit2
Collecting pygit2
  Using cached pygit2-1.12.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.9 MB)
Collecting cffi>=1.9.1
  Using cached cffi-1.15.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (441 kB)
Collecting pycparser
  Using cached pycparser-2.21-py2.py3-none-any.whl (118 kB)
Installing collected packages: pycparser, cffi, pygit2
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/_cffi_backend.cpython-310-x86_64-linux-gnu.so
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libcrypto-1b9ded14.so.3
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libpcre-9513aab5.so.1.2.0 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libssh2-3ed487a7.so.1.0.1 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libpcre-9513aab5.so.1.2.0
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssl-d3387b0f.so.3
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssl-d3387b0f.so.3
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libgit2-dc37b70b.so.1.6.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libcrypto-1b9ded14.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2/_libgit2.abi3.so
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libgit2-dc37b70b.so.1.6.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libcrypto-1b9ded14.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2/_pygit2.cpython-310-x86_64-linux-gnu.so
ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
salt 3006.0 requires cffi==1.14.6, but you have cffi 1.15.1 which is incompatible.
Successfully installed cffi-1.15.1 pycparser-2.21 pygit2-1.12.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
$ systemctl restart salt-master.service

Resulting log:

systemd[1]: Started The Salt Master Server.
salt-master[211397]: [ERROR   ] Error occurred fetching gitfs remote 'ssh://git@github.commyorg/mysalt.git': error loading known_hosts:
salt-master[211397]: Traceback (most recent call last):
salt-master[211397]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/gitfs.py", line 1870, in _fetch
salt-master[211397]:     fetch_results = origin.fetch(**fetch_kwargs)
salt-master[211397]:   File "/opt/saltstack/salt/extras-3.10/pygit2/remote.py", line 146, in fetch
salt-master[211397]:     payload.check_error(err)
salt-master[211397]:   File "/opt/saltstack/salt/extras-3.10/pygit2/callbacks.py", line 98, in check_error
salt-master[211397]:     check_error(error_code)
salt-master[211397]:   File "/opt/saltstack/salt/extras-3.10/pygit2/errors.py", line 65, in check_error
salt-master[211397]:     raise GitError(message)
salt-master[211397]: _pygit2.GitError: error loading known_hosts:

@OrangeDog
Contributor

It's not looking for libssh2.so.1.0.1, it's looking for libssh2-3ed487a7.so.1.0.1.
It has unpacked that from the .whl into /tmp, but the onedir environment appears to be blocking it from loading during installation.
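Added example, not part of the thread and not relenv's or pip's code: a triage of the installer output quoted above that separates libraries reported missing although a hash-tagged copy was staged next to the library that links them from libraries that are absent altogether. It assumes every path in a "Do not adjust rpath of" line is a file present in the staging directory; the function names and the final libz line are constructed.

```python
import posixpath
import re

MISSING = re.compile(r"WARNING: Unable to find library (\S+) linked from (\S+)")
STAGED = re.compile(r"Do not adjust rpath of (\S+)")
OUTSIDE = re.compile(r"rpath_only mode` but (\S+) is not in (\S+)")
# Hash-tagged bundled name, e.g. libssh2-3ed487a7.so.1.0.1 -> libssh2.so.1.0.1
TAGGED = re.compile(r"^(.+)-[0-9a-f]{8}(\.so(?:\.\d+)*)$")

# Excerpt of the pip output quoted in the thread.
THREAD_EXCERPT = """\
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libcrypto-1b9ded14.so.3
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libssh2-3ed487a7.so.1.0.1 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  Do not adjust rpath of /tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libssl-d3387b0f.so.3
  WARNING: In `rpath_only mode` but /tmp/pip-target-mvjvbnk5/lib/python/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
"""
# Constructed line (not from the thread): a library with no staged copy.
CONSTRUCTED_LINE = (
    "  WARNING: Unable to find library libz.so.1 linked from "
    "/tmp/pip-target-mvjvbnk5/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3\n"
)
SAMPLE_LOG = THREAD_EXCERPT + CONSTRUCTED_LINE


def plain_soname(name):
    """Strip the 8-hex-digit tag that bundling adds to a library file name."""
    m = TAGGED.match(name)
    return m.group(1) + m.group(2) if m else name


def triage(log_text):
    """Map each library reported missing to its untagged soname, who needs it,
    whether a copy was staged beside the linking library, and whether the
    rpath-resolved copy was reported as lying outside the onedir root."""
    staged, outside, missing = set(), set(), []
    for line in log_text.splitlines():
        m = MISSING.search(line)
        if m:
            missing.append(m.groups())
            continue
        m = OUTSIDE.search(line)
        if m:
            outside.add(posixpath.normpath(m.group(1)))  # collapse pygit2/../
            continue
        m = STAGED.search(line)
        if m:
            staged.add(m.group(1))
    report = {}
    for needed, linker in missing:  # second pass: staging lines may come later
        sibling = posixpath.join(posixpath.dirname(linker), needed)
        entry = report.setdefault(needed, {
            "soname": plain_soname(needed),
            "needed_by": set(),
            "bundled": sibling in staged,
            "outside_root": sibling in outside,
        })
        entry["needed_by"].add(posixpath.basename(linker))
    for entry in report.values():
        entry["needed_by"] = sorted(entry["needed_by"])
    return report


def unbundled(report):
    """Libraries that are missing and have no staged copy at all."""
    return sorted(name for name, e in report.items() if not e["bundled"])


if __name__ == "__main__":
    for name, e in triage(SAMPLE_LOG).items():
        state = "staged beside linker" if e["bundled"] else "no staged copy"
        print(f"{name} ({e['soname']}): {state}; needed by {', '.join(e['needed_by'])}")
```

An empty unbundled() result on real output means nothing needs to be installed from the distribution; the staged copies exist and only the lookup during installation failed.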

@DaAwesomeP DaAwesomeP changed the title [BUG] gitfs known_hosts error for salt user in 3006.0 [BUG] onedir blocks installation of shared libraries for pygit2 gitfs in 3006.0 Apr 24, 2023
@DaAwesomeP
Contributor Author

@OrangeDog I see, that makes sense. Has this been observed with any other bundled shared libraries? Is there a workaround?

@dwoz dwoz self-assigned this Apr 24, 2023
@defanator
Contributor

defanator commented Apr 25, 2023

@DaAwesomeP @OrangeDog @dwoz observing the same issue, looking for a workaround.

UPDATE: it seems to work for me with pygit2==1.7.0:

$ salt-pip install --only-binary=:all: --no-deps pygit2==1.7.0
[..]
$ salt-pip show pygit2
Name: pygit2
Version: 1.7.0
Summary: Python bindings for libgit2.
Home-page: http://github.com/libgit2/pygit2
Author: 
Author-email: 
License: GPLv2 with linking exception
Location: /opt/saltstack/salt/extras-3.10
Requires: cffi
Required-by: 

Latest version (1.12.0) throws exactly the same error as @DaAwesomeP described in #64121 (comment).

@OrangeDog
Contributor

What happens if you update salt's pip to the latest version first?

salt-pip install --upgrade pip

@defanator
Contributor

What happens if you update salt's pip to the latest version first?

Just reinstalled everything on master from scratch and did this:

$ salt-pip install --upgrade pip
Collecting pip
  Downloading pip-23.1.1-py3-none-any.whl (2.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 32.6 MB/s eta 0:00:00
Installing collected packages: pip
Successfully installed pip-23.1.1
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip available: 22.3.1 -> 23.1.1
[notice] To update, run: /opt/saltstack/salt/bin/python3 -m pip install --upgrade pip

Then installed latest pygit2:

$ salt-pip install --only-binary=:all: --no-deps pygit2
Collecting pygit2
  Using cached pygit2-1.12.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.9 MB)
Installing collected packages: pygit2
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libcrypto-1b9ded14.so.3
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libpcre-9513aab5.so.1.2.0 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  WARNING: Unable to find library libssh2-3ed487a7.so.1.0.1 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libgit2-dc37b70b.so.1.6.3
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libpcre-9513aab5.so.1.2.0
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-1b9ded14.so.3 linked from /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libssl-d3387b0f.so.3
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2.libs/libssl-d3387b0f.so.3
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libgit2-dc37b70b.so.1.6.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libcrypto-1b9ded14.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2/_libgit2.abi3.so
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libgit2-dc37b70b.so.1.6.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libcrypto-1b9ded14.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-726v8fwk/lib/python/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-726v8fwk/lib/python/pygit2/_pygit2.cpython-310-x86_64-linux-gnu.so
Successfully installed pygit2-1.12.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

Started salt-master service and got this:

2023-04-25 08:43:49,729 [salt.cli.daemons :83  ][INFO    ][325483] Setting up the Salt Master
2023-04-25 08:43:49,892 [salt.daemons.masterapi:221 ][INFO    ][325483] Preparing the salt key for local communication
2023-04-25 08:43:49,893 [salt.daemons.masterapi:221 ][INFO    ][325483] Preparing the root key for local communication
2023-04-25 08:43:49,898 [salt.cli.daemons :83  ][INFO    ][325483] Starting up the Salt Master
2023-04-25 08:43:49,930 [salt.utils.gitfs :2796][INFO    ][325483] Wrote new gitfs remote map to /var/cache/salt/master/gitfs/remote_map.txt
2023-04-25 08:43:49,930 [salt.master      :690 ][INFO    ][325483] salt-master is starting as user 'salt'
2023-04-25 08:43:49,931 [salt.master      :559 ][INFO    ][325483] Current values for max open files soft/hard setting: 100000/100000
2023-04-25 08:43:49,933 [salt.master      :717 ][INFO    ][325483] Creating master process manager
2023-04-25 08:43:49,933 [salt.master      :721 ][INFO    ][325483] Creating master publisher process
2023-04-25 08:43:50,430 [salt.master      :727 ][INFO    ][325483] Creating master event publisher process
2023-04-25 08:43:50,442 [salt.transport.zeromq:744 ][INFO    ][325534] Starting the Salt Publisher on tcp://0.0.0.0:4505
2023-04-25 08:43:50,442 [salt.transport.zeromq:747 ][INFO    ][325534] Starting the Salt Puller on ipc:///var/run/salt/master/publish_pull.ipc
2023-04-25 08:43:50,457 [salt.master      :751 ][INFO    ][325483] Creating master maintenance process
2023-04-25 08:43:50,460 [salt.master      :790 ][INFO    ][325483] Creating master request server process
2023-04-25 08:43:50,516 [salt.transport.zeromq:328 ][INFO    ][325541] Setting up the master communication server
2023-04-25 08:43:50,516 [salt.transport.zeromq:329 ][INFO    ][325541] ReqServer clients tcp://0.0.0.0:4506
2023-04-25 08:43:50,516 [salt.transport.zeromq:331 ][INFO    ][325541] ReqServer workers ipc:///var/run/salt/master/workers.ipc
2023-04-25 08:43:50,670 [salt.utils.gitfs :1894][ERROR   ][325540] Error occurred fetching gitfs remote 'git@github.com:***/***.git': error loading known_hosts: 
Traceback (most recent call last):
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/gitfs.py", line 1870, in _fetch
    fetch_results = origin.fetch(**fetch_kwargs)
  File "/opt/saltstack/salt/extras-3.10/pygit2/remote.py", line 146, in fetch
    payload.check_error(err)
  File "/opt/saltstack/salt/extras-3.10/pygit2/callbacks.py", line 98, in check_error
    check_error(error_code)
  File "/opt/saltstack/salt/extras-3.10/pygit2/errors.py", line 65, in check_error
    raise GitError(message)
_pygit2.GitError: error loading known_hosts: 

Stopped salt-master, installed pygit2==1.7.0:

$ salt-pip install --only-binary=:all: --no-deps --upgrade pygit2==1.7.0
Collecting pygit2==1.7.0
  Using cached pygit2-1.7.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.6 MB)
Installing collected packages: pygit2
  WARNING: Unable to find library libpcre-9513aab5.so.1.2.0 linked from /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libgit2-c59d94c5.so.1.3.0
  WARNING: Unable to find library libpcreposix-7b9c3045.so.0.0.1 linked from /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libgit2-c59d94c5.so.1.3.0
  WARNING: Unable to find library libssh2-cd9fe4aa.so.1.0.1 linked from /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libgit2-c59d94c5.so.1.3.0
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libgit2-c59d94c5.so.1.3.0
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libpcre-9513aab5.so.1.2.0
  WARNING: Unable to find library libpcre-9513aab5.so.1.2.0 linked from /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libpcreposix-7b9c3045.so.0.0.1
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libpcreposix-7b9c3045.so.0.0.1
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2.libs/libssh2-cd9fe4aa.so.1.0.1
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libgit2-c59d94c5.so.1.3.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libpcreposix-7b9c3045.so.0.0.1 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libssh2-cd9fe4aa.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2/_libgit2.abi3.so
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libgit2-c59d94c5.so.1.3.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libpcreposix-7b9c3045.so.0.0.1 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-4m7w_cb0/lib/python/pygit2/../pygit2.libs/libssh2-cd9fe4aa.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-4m7w_cb0/lib/python/pygit2/_pygit2.cpython-310-x86_64-linux-gnu.so
Successfully installed pygit2-1.7.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

Started salt-master again, got remote repositories cloned in /var/cache/salt/master/gitfs, no errors in log.

(This is on Debian 11 "bullseye" amd64.)

@DaAwesomeP
Contributor Author

I can confirm that salt-pip install --only-binary=:all: --no-deps --upgrade pygit2==1.7.0 works for me as well. Thanks @defanator for finding that workaround! It seems that the shared library dependencies differ slightly between the latest version and v1.7.0.

@dwoz
Contributor

dwoz commented Apr 25, 2023

For what it's worth. We are expecting that people will want to install from source and use the system's libraries. For pygit2 I did this:

apt-get install -y build-essential libssh2-1-dev libgit2-dev libffi-dev
sudo -u salt salt-pip install cffi==1.14.6 pygit2==1.6.1 --no-binary=':all:'

As far as --only-binary with --no-deps goes, I am concerned that the cffi version may actually matter. I'm not sure though, if it's working for you then it's probably okay. That being said, it looks like cffi didn't start packaging wheels until 1.15.x. If you want to use the newest version of pygit2 and not conflict on dependencies then you'll need to let pip compile cffi.

apt-get install -y build-essential libffi-dev
sudo -u salt salt-pip install cffi==1.14.6 pygit2 --only-binary='pygit2'

@dwoz dwoz removed the needs-triage label Apr 25, 2023
@DaAwesomeP
Contributor Author

It sounds like additional bundled shared libraries in wheels may have some issue with onedir, but there must be something particular since pygit2 v1.7.0 works fine but pygit2 v1.12.0 does not. I'm sure this issue will come up again at some point with this package or another. Locking into an older version (either v1.6.1 or v1.7.0 via wheel or source) seems more like a workaround.

For what it's worth. We are expecting that people will want to install from source and use the system's libraries.

I have had a lot of trouble with Python packages built from source across different systems, particularly with Saltstack. Using the wheels/bundled libraries with pygit2 solves a lot of portability issues across many systems where the libgit2 could be really any version and the Python version included in onedir will increment as time goes on. More and more Python packages with bindings are bundling their dependencies so that they are consistent across platforms and independent from OS source versions. Having to install dependencies and compile the modules on each machine seems counter to onedir making salt more portable/consistent across installations.

Building from source on Debian 11 uses a now quite old libgit2 that does not support newer SSH keys. The workaround for this is to use the pygit2 wheel (which became always the case with onedir prior to 3006). See #61790.

Also, pygit2 v1.6.1 does not officially support Python 3.10: https://www.pygit2.org/install.html#version-numbers (so again the ability to install the latest version via wheel is much more future-proofed).

I am concerned that the cffi version may actually matter. I'm not sure though, if it's working for you then it's probably okay.

I have observed cffi version mismatches when installing additional packages alongside Salt for a while now. So far no issues (I have tried both installing the later version and keeping the older version), but it would be great if Salt updated that dependency. There are other additional packages too that rely on different cffi versions.

@OrangeDog
Contributor

people will want to install from source and use the system's libraries

In general, no. That's a big burden that many people really want to avoid (to the extent that they won't upgrade to onedir because of it). Especially for pygit2 because it usually also means you have to rebuild libgit2 from source as well.

Your build probably won't work. See #58898.

@dwoz
Contributor

dwoz commented May 6, 2023

@DaAwesomeP Can you please test using pygit2==1.12.0 with salt 3006.1 ?

@DaAwesomeP
Contributor Author

DaAwesomeP commented May 13, 2023

@dwoz I'm not able to test this out on the same Debian machine at the moment (maybe next week or week after), but I did try it out on a RHEL8 machine. No luck unfortunately.

Salt Version:
          Salt: 3006.1
 
Python Version:
        Python: 3.10.11 (main, May  5 2023, 02:31:54) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.14.6
      cherrypy: unknown
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.2
       libgit2: 1.6.4
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.9.8
        pygit2: 1.12.1
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 23.2.0
        relenv: 0.12.3
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: rhel 8.7 Ootpa
        locale: utf-8
       machine: x86_64
       release: 4.18.0-425.13.1.el8_7.x86_64
        system: Linux
       version: Red Hat Enterprise Linux 8.7 Ootpa
salt-pip install --only-binary=:all: --no-deps pygit2
Looking in indexes: https://REDACTED/pypi/root/pypi/+simple
Collecting pygit2
  Downloading https://REDACTED/pypi/root/pypi/%2Bf/ad9/b46b52997d131/pygit2-1.12.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.9 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.9/4.9 MB 37.5 MB/s eta 0:00:00
Installing collected packages: pygit2
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2.libs/libcrypto-8ee4585d.so.3
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libgit2-a4ba6c4f.so.1.6.4
  WARNING: Unable to find library libcrypto-8ee4585d.so.3 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libgit2-a4ba6c4f.so.1.6.4
  WARNING: Unable to find library libpcre-9513aab5.so.1.2.0 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libgit2-a4ba6c4f.so.1.6.4
  WARNING: Unable to find library libssh2-3ed487a7.so.1.0.1 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libgit2-a4ba6c4f.so.1.6.4
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2.libs/libgit2-a4ba6c4f.so.1.6.4
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2.libs/libpcre-9513aab5.so.1.2.0
  WARNING: Unable to find library libssl-d3387b0f.so.3 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-8ee4585d.so.3 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2.libs/libssh2-3ed487a7.so.1.0.1
  WARNING: Unable to find library libcrypto-8ee4585d.so.3 linked from /tmp/pip-target-j5ylkhyr/pygit2.libs/libssl-d3387b0f.so.3
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2.libs/libssl-d3387b0f.so.3
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libgit2-a4ba6c4f.so.1.6.4 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libcrypto-8ee4585d.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2/_libgit2.abi3.so
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libgit2-a4ba6c4f.so.1.6.4 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libssl-d3387b0f.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libcrypto-8ee4585d.so.3 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libpcre-9513aab5.so.1.2.0 is not in /opt/saltstack/salt
  WARNING: In `rpath_only mode` but /tmp/pip-target-j5ylkhyr/pygit2/../pygit2.libs/libssh2-3ed487a7.so.1.0.1 is not in /opt/saltstack/salt
  Do not adjust rpath of /tmp/pip-target-j5ylkhyr/pygit2/_pygit2.cpython-310-x86_64-linux-gnu.so
Successfully installed pygit2-1.12.1
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip available: 22.3.1 -> 23.1.2
[notice] To update, run: /opt/saltstack/salt/bin/python3.10 -m pip install --upgrade pip
systemd[1]: Starting The Salt Master Server...
systemd[1]: Started The Salt Master Server.
salt-master[1704165]: [ERROR   ] Error occurred fetching gitfs remote 'ssh://git@REDACTED/REDACTED/REDACTED.git': error loading known_hosts:
salt-master[1704165]: Traceback (most recent call last):
salt-master[1704165]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/gitfs.py", line 1870, in _fetch
salt-master[1704165]:     fetch_results = origin.fetch(**fetch_kwargs)
salt-master[1704165]:   File "/opt/saltstack/salt/extras-3.10/pygit2/remote.py", line 146, in fetch
salt-master[1704165]:     payload.check_error(err)
salt-master[1704165]:   File "/opt/saltstack/salt/extras-3.10/pygit2/callbacks.py", line 98, in check_error
salt-master[1704165]:     check_error(error_code)
salt-master[1704165]:   File "/opt/saltstack/salt/extras-3.10/pygit2/errors.py", line 65, in check_error
salt-master[1704165]:     raise GitError(message)
salt-master[1704165]: _pygit2.GitError: error loading known_hosts:
salt-master[1704163]: [ERROR   ] Error occurred fetching git_pillar remote 'main ssh://git@REDACTED/REDACTED/REDACTED.git': error loading known_hosts:
salt-master[1704163]: Traceback (most recent call last):
salt-master[1704163]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/gitfs.py", line 1870, in _fetch
salt-master[1704163]:     fetch_results = origin.fetch(**fetch_kwargs)
salt-master[1704163]:   File "/opt/saltstack/salt/extras-3.10/pygit2/remote.py", line 146, in fetch
salt-master[1704163]:     payload.check_error(err)
salt-master[1704163]:   File "/opt/saltstack/salt/extras-3.10/pygit2/callbacks.py", line 98, in check_error
salt-master[1704163]:     check_error(error_code)
salt-master[1704163]:   File "/opt/saltstack/salt/extras-3.10/pygit2/errors.py", line 65, in check_error
salt-master[1704163]:     raise GitError(message)
salt-master[1704163]: _pygit2.GitError: error loading known_hosts:

@OrangeDog OrangeDog added Regression The issue is a bug that breaks functionality known to work in previous releases. dependency underlying Salt dependency issue Sulfur v3006.0 release code name and version labels May 13, 2023
@DaAwesomeP
Contributor Author

> salt-pip install pygit2==1.11.1 works declaring a version before latest is not a hack.

@whytewolf version locking or manually building a wheel may work now, but it is only a matter of time before this breaks and we need a new version or there is risk of a CVE preventing this version from being used. Debian 12 is also right around the corner which would affect how that wheel builds outside of the relenv. While it may not be a "hack" it is definitely a temporary workaround.

Using these modules has become a constant stream of workarounds, and surely this was not tested prior to 3006 release or these workarounds wouldn't be necessary or would be well documented.

@dwoz
Contributor

dwoz commented May 26, 2023

Looks like this is an issue with how the Salt Master process is being run. When running on Ubuntu 20.04 and some of the other OSes systemd is launching the Salt master without a HOME environment variable defined. This results in the error loading known_hosts: message. It also happens if the HOME variable is set to an empty string. It seems if home is any existing directory the error will not happen. I tracked it down to this commit:

libgit2/libgit2@e33d7c0

That explains why we see it in pygit2==1.12.1 and it is because of the libgit2 upgrade libgit2.so.1.5.0 to 1.6.3.

A temporary workaround could be to modify the Salt Master's service file to include a user.

root@ip-10-27-5-126:/home/ubuntu# cat /etc/systemd/system/multi-user.target.wants/salt-master.service
[Unit]
Description=The Salt Master Server
Documentation=man:salt-master(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltproject.io/en/latest/contents.html
After=network.target

[Service]
LimitNOFILE=100000
Type=notify
NotifyAccess=all
ExecStart=/usr/bin/salt-master
User=salt

[Install]
WantedBy=multi-user.target

Salt has a method that sets the HOME environment variable, salt/utils/verify.py::check_user. However, there are two things preventing that from working. First, we don't set anything if HOME isn't already in the environment. Second, the method is getting called too late for the environment variable to matter. I think we need to set it before importing pygit2 unless we can find another way of configuring pygit2 with a valid directory.
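
The condition described in the comment above can be checked against a running master's environment and corrected before pygit2 is imported. The following Python is an added example, not code from Salt or from this thread; the function names `parse_proc_environ`, `home_status` and `ensure_home` are hypothetical, and the sample environment block is constructed.

```python
import os
import pwd


def parse_proc_environ(raw):
    """Parse the NUL-separated bytes of /proc/<pid>/environ into a dict."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:  # skip malformed entries that have no '='
            env[os.fsdecode(key)] = os.fsdecode(value)
    return env


def home_status(environ, isdir=os.path.isdir):
    """Classify HOME into the states reported in the thread.

    'unset' and 'empty' are the two states said to produce
    "error loading known_hosts"; 'not-a-directory' covers a service
    account whose home directory was never created.
    """
    if "HOME" not in environ:
        return "unset"
    home = environ["HOME"]
    if home == "":
        return "empty"
    if not isdir(home):
        return "not-a-directory"
    return "ok"


def ensure_home(environ, uid=None, getpwuid=pwd.getpwuid, isdir=os.path.isdir):
    """Fill in HOME from the passwd database when it is unset or empty.

    Unlike a guard of the form `if "HOME" in os.environ:`, this also acts
    when the key is absent. It mutates `environ` and returns
    (status_before, status_after). Per the thread, it has to run before
    `import pygit2` for the value to be picked up.
    """
    before = home_status(environ, isdir)
    if before in ("unset", "empty"):
        if uid is None:
            uid = os.geteuid()
        try:
            environ["HOME"] = getpwuid(uid).pw_dir
        except KeyError:
            # uid has no passwd entry; nothing sensible to set
            return before, before
    return before, home_status(environ, isdir)


if __name__ == "__main__":
    # Constructed sample: what a unit without User= or Environment=HOME=
    # might hand to the service. On a live host, read the real bytes from
    # /proc/<salt-master pid>/environ instead.
    sample = (
        b"LANG=C.UTF-8\0PATH=/usr/sbin:/usr/bin\0"
        b"NOTIFY_SOCKET=/run/systemd/notify\0"
    )
    env = parse_proc_environ(sample)
    print("service environment HOME:", home_status(env))
    print("after ensure_home:", ensure_home(env), env.get("HOME"))
```

A result of `not-a-directory` after `ensure_home` means the passwd entry points at a path that does not exist, which matches the later report of a salt user created without a home directory.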

@damon-atkins
Contributor

damon-atkins commented May 26, 2023

From https://git-scm.com/book/en/v2/Git-Internals-Environment-Variables

HOME isn’t usually considered customizable (too many other things depend on it), but it’s where Git looks for the global configuration file. If you want a truly portable Git installation, complete with global configuration, you can override HOME in the portable Git’s shell profile.

If HOME is required then .../bin/salt-master should check to see if it is set before starting the service and maybe even checking it's writable....

@dwoz
Contributor

dwoz commented May 26, 2023

We can modify check_user to set HOME even if the key is not in os.environ and add a call to check_user before importing salt.master here:

https://github.com/saltstack/salt/blob/master/salt/cli/daemons.py#L182

@damon-atkins
Contributor

> We can modify check_user to set HOME even if the key is not in os.environ and add a call to check_user before importing salt.master here:
>
> https://github.com/saltstack/salt/blob/master/salt/cli/daemons.py#L182

def check_user(user):  # bad name of this function, as it checks and also changes things if the check fails
    """
    Check user and assign process uid/gid.
    """
    if salt.utils.platform.is_windows():
        return True
    if user == salt.utils.user.get_user():
        return True
.................
        if "HOME" in os.environ:      # Does it make it down to this line of code
            os.environ["HOME"] = pwuser.pw_dir

@ipaqmaster
Contributor

_pygit2.GitError: error loading known_hosts: seems to go away and my gitfs definitions started working on Archlinux after adding WorkingDirectory=~ in the [Service] section of /usr/lib/systemd/system/salt-master.service.

I don't think Arch is using the onedir solution nor the salt user account yet. It seems to be running as root and has pieces of itself all over the filesystem on the master.

@howbazaar

Spent a few days chasing this in our project too and what I found was that pygit2 seems to determine the HOME during package load, and not inside the function call itself. Perhaps this helps you with the issue.

@network-shark
Contributor

Would it be possible to fix it in 3006.4? I guess a lot of people are using git with salt.

@MartinEmrich

After upgrading on the good ol' CentOS 7 from 3005 to 3006.3, I also ran into this issue.

salt-pip install --only-binary :all: --no-deps "pygit2==1.7.0" gave me a working pygit2.

Here and there, it is mentioned that Salt-Master now runs as non-root, but this was not the case here; it still runs as root just as before.

But the HOME environment variable was indeed missing. Adding this to my /usr/lib/systemd/system/salt-master.service fixed it for me:

User=root
Environment=HOME=/root

@jzandbergen
Contributor

jzandbergen commented Oct 12, 2023

Thanks to @MartinEmrich I've got it working on AlmaLinux 8.8 and salt-master 3006.3. In my case the steps to take were:

  • salt-pip install pygit2
  • mkdir /opt/saltstack/salt/.ssh and place the known_hosts file inside this directory.
  • chown -Rv salt:salt /opt/saltstack/salt/.ssh
  • systemctl edit salt-master and enter:
[Service]
Environment="HOME=/opt/saltstack/salt"
  • systemctl restart salt-master

@OrangeDog
Contributor

To sum up, this seems to have been two separate issues.

  • The onedir installation problem, which I think has been fixed?
  • The service environment problem, which has nothing to do with onedir, and has not been

The latter problem appears to be dependent on the version of pygit2, and affects all versions of Salt.

@DaAwesomeP
Contributor Author

DaAwesomeP commented Nov 2, 2023

>   • The onedir installation problem, which I think has been fixed?

Yesterday I did a fresh install of 3006.4 on Debian 12 (using packages from Debian 11) and was able to get it to install with: salt-pip install --only-binary :all: --no-deps pygit2. It is very possible/likely this still doesn't work on Debian 11 though (have not tested recently). The --no-deps option is definitely necessary or pip will mess with cffi and others. If people aren't seeing this issue again then it may be resolved, but I suspect that this was due to Salt/pygit2/OS releases and not handled intentionally (which is fine but we should understand why). EDIT: I think maybe I have confused myself here and there never was an install issue and only was the env issue? I'm not sure.

>   • The service environment problem, which has nothing to do with onedir, and has not been

Yes, I am currently solving this with a Systemd unit modifier in /etc/systemd/system/salt-master.service.d/99-pygit2-fix.conf:

[Service]
WorkingDirectory=~

Note that I am using ~ which seems to work and is maybe most future-proof. I did not need to create a known_hosts or adjust any permissions.

If the install-specific parts in this issue have been resolved then we should also turn our attention to:

@OrangeDog
Contributor

> there never was an install issue

I definitely had library load issues when installing wheels the last time I tested onedir.

> I am currently solving this with a Systemd unit modifier

Similarly, this one fixes 3004.2, and probably any classic packaging running as root.

[Service]
Environment=HOME=/root

@NdK73

NdK73 commented Jan 26, 2024

Seems I managed to make my 3006.5 (onedir package from repo.saltstack.io on Debian11) work by:

  • "systemctl edit salt-master" to add
    [Service]
    WorkingDirectory="/opt/saltstack/salt"
    Environment="HOME=/opt/saltstack/salt"
  • verify/change permissions of /opt/saltstack/salt and /var/log/salt (must be writable by 'salt' user)
  • verify permissions on key files (and the path to reach 'em!)
  • install pygit2 with salt-pip install --only-binary :all: --no-deps "pygit2==1.7.0"
  • a lot of praying (to compensate the swearing during the "not working" phase...).

Maybe it's just me, but official docs seem a bit lagging about the onedir package, recommending to install via OS tools (one for all: pip instead of salt-pip)...

@ipaqmaster
Contributor

Had to do this again today with a more recent update modified salt-master.service. Original method did not help but this time:

User=root
Environment=HOME=/root

did the trick.

@mdschmitt

mdschmitt commented Jan 31, 2024

> Seems I managed to make my 3006.5 (onedir package from repo.saltstack.io on Debian11) work by:
>
>   • "systemctl edit salt-master" to add
>     [Service]
>     WorkingDirectory="/opt/saltstack/salt"
>     Environment="HOME=/opt/saltstack/salt"
>   • verify/change permissions of /opt/saltstack/salt and /var/log/salt (must be writable by 'salt' user)
>   • verify permissions on key files (and the path to reach 'em!)
>   • install pygit2 with salt-pip install --only-binary :all: --no-deps "pygit2==1.7.0"
>   • a lot of praying (to compensate the swearing during the "not working" phase...).
>
> Maybe it's just me, but official docs seem a bit lagging about the onedir package, recommending to install via OS tools (one for all: pip instead of salt-pip)...

I was able to get it going even without pinning to 1.7.0.
I'm running 1.14.0 of pygit2 and so long as the systemd service edit and permissions updates you mentioned are in place, it just works ™️ (for me, at least).

@Darkentik

Darkentik commented Feb 16, 2024

> Thanks to @MartinEmrich I've got it working on AlmaLinux 8.8 and salt-master 3006.3. In my case the steps to take were:
>
> * `salt-pip install pygit2`
>
> * `mkdir /opt/saltstack/salt/.ssh` and place the `known_hosts` file inside this directory.
>
> * `chown -Rv salt:salt /opt/saltstack/salt/.ssh`
>
> * `systemctl edit salt-master` and enter:
> [Service]
> Environment="HOME=/opt/saltstack/salt"
> * `systemctl restart salt-master`

This saves me now a lot of pain!
Thanks for the workaround.
I have now added a state into the installation of the salt-master as a salt-minion of himself. :)
For the debian users we have to do a systemctl daemon-reload after editing a service unit. ;)

I am using pygit2 from salt-pip:

upgrade all installed pip packages:
  pip.installed:
    - name: pip
    - upgrade: True

install gitpython with salt-pip for onedir:
  pip.installed:
    - name: pygit2

My code:

#####################################################################################
# workaround while pygit2 + onedir installation not working properly with using system user salt
# https://github.com/saltstack/salt/issues/64121#issuecomment-1758999821
add fix for pygit2 with onedir in service unit file of salt:
  file.managed:
    - name: /usr/lib/systemd/system/salt-master.service.d/99-pygit2-fix.conf
    - source: salt://salt/files/master/99-pygit2-fix.conf
    - watch_in:
      - service: service-saltmaster
    - require:
      - pkg: saltmaster-packages

reload systemd after managing saltmaster unit with pygit2 fix file:
  cmd.run:
    - name: systemctl daemon-reload
#####################################################################################

I am very sad that saltstack does not have a "one shot" solution for debian users and we must do such a lot of "workarounds" while using salt-master with a git repo and ssh. :(

@st-claude

st-claude commented Feb 21, 2024

for me in centos 7 a workaround that worked was downgrading pygit2 to 1.10.1

/opt/saltstack/salt/bin/python3.10 -m pip install pygit2==1.10.*

and restarting the salt-master of course

@jamest-pin

jamest-pin commented Mar 27, 2024

EDIT: apologies, my error was not the same as what's listed in this thread.
For anyone finding my response via google, my solution was adding apt install -y patchelf and apt install python3-pip above salt-pip install pygit2

I started having this same problem when installing fresh in Ubuntu 22.04. I didn't have this issue last year when I was working on this last.

I'm using literally the exact same dockerfile I was previously using, nothing has changed.

```logs
 > [salt 6/7] RUN salt-pip install pygit2:
0.985 Collecting pygit2
1.674   Downloading pygit2-1.14.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.metadata (3.4 kB)
1.774 Requirement already satisfied: cffi>=1.16.0 in /opt/saltstack/salt/lib/python3.10/site-packages (from pygit2) (1.16.0)
1.774 Requirement already satisfied: pycparser in /opt/saltstack/salt/lib/python3.10/site-packages (from cffi>=1.16.0->pygit2) (2.21)
1.788 Downloading pygit2-1.14.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (4.8 MB)
2.013    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.8/4.8 MB 21.6 MB/s eta 0:00:00
2.197 Installing collected packages: pygit2
2.370   Do not adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2.libs/libcrypto-7f4a96b6.so.3
2.376   WARNING: Unable to find library libssl-3fd7af83.so.3 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.376   WARNING: Unable to find library libcrypto-7f4a96b6.so.3 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.376   WARNING: Unable to find library libpcre-6b975b27.so.1.2.0 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.377   WARNING: Unable to find library libssh2-42ae10f7.so.1.0.1 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.377   Do not adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.381   Do not adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2.libs/libpcre-6b975b27.so.1.2.0
2.386   WARNING: Unable to find library libssl-3fd7af83.so.3 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libssh2-42ae10f7.so.1.0.1
2.386   WARNING: Unable to find library libcrypto-7f4a96b6.so.3 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libssh2-42ae10f7.so.1.0.1
2.386   Do not adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2.libs/libssh2-42ae10f7.so.1.0.1
2.390   WARNING: Unable to find library libcrypto-7f4a96b6.so.3 linked from /opt/saltstack/salt/extras-3.10/pygit2.libs/libssl-3fd7af83.so.3
2.390   Do not adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2.libs/libssl-3fd7af83.so.3
2.395   File already within root directory: /opt/saltstack/salt/extras-3.10/pygit2/../pygit2.libs/libgit2-3fb45b56.so.1.7.2
2.395   File already within root directory: /opt/saltstack/salt/extras-3.10/pygit2/../pygit2.libs/libssl-3fd7af83.so.3
2.395   File already within root directory: /opt/saltstack/salt/extras-3.10/pygit2/../pygit2.libs/libcrypto-7f4a96b6.so.3
2.396   File already within root directory: /opt/saltstack/salt/extras-3.10/pygit2/../pygit2.libs/libpcre-6b975b27.so.1.2.0
2.396   File already within root directory: /opt/saltstack/salt/extras-3.10/pygit2/../pygit2.libs/libssh2-42ae10f7.so.1.0.1
2.396   Adjust rpath of /opt/saltstack/salt/extras-3.10/pygit2/_libgit2.abi3.so to $ORIGIN/../../lib
2.397 ERROR: Could not install packages due to an OSError: [Errno 2] No such file or directory: 'readelf'
2.397
2.481
2.481 [notice] A new release of pip is available: 23.3.2 -> 24.0
2.481 [notice] To update, run: /opt/saltstack/salt/bin/python3.10 -m pip install --upgrade pip
------
failed to solve: process "/bin/sh -c salt-pip install pygit2" did not complete successfully: exit code: 1
```

@whytewolf
Collaborator

@jamest-pin you need to install readelf and also maybe patchelf into the operating system. these should be installed through your normal package manager.

@jamest-pin

jamest-pin commented Mar 28, 2024

Thanks @whytewolf that's what I ended up doing, although readelf is not an available package according to apt, only patchelf. But installing python3-pip seemed to include readelf.

@OrangeDog
Contributor

readelf is in the binutils package for Ubuntu.

@DaAwesomeP
Contributor Author

@mazhenyong1 see this comment: #64121 (comment). All you need is the Systemd modifier and ensure that the salt user can read your SSH keys wherever you put them (they don't necessarily need to be in salt's home and you don't need to make a home dir).

@BeehiveSystems

BeehiveSystems commented May 21, 2024

Running sudo -u salt ssh github.com and accepting the host does not appear to resolve the issue. I also tried sudo -u salt bash -c "ssh-keyscan github.com >> ~/.ssh/known_hosts" and salt [MASTER_ID] ssh.set_known_host user=salt hostname=github.com.

I verified that the /home/salt/.ssh/known_hosts file existed and contained some contents after running these commands.

To piggyback this, Salt 3006.8 on Rocky Linux 9 does not have a home directory created for the Salt user. I installed with the bootstrap method.

The SystemD environment solution mentioned above resolved it for me as well.

@MartinEmrich

MartinEmrich commented May 23, 2024

My workaround with pygit2==1.7.0 is now starting to rot for me, too:

It uses an ancient version of libgit2, which does not (yet) support non-RSA host keys: libgit2/pygit2#552 (comment)

After trying literally all versions after 1.9.0 of pygit2, I am stuck now. All up to and including 1.10.1 will refuse to connect to our new Git server without RSA host key. The next is 1.11.1, which will bail out with the missing known_hosts file :(

Using the latest 1.15.x will produce lots of errors in the Salt Master log.
Using 1.12.2 works now, but only after adding Environment=HOME=/root to the systemd unit and populating the known_hosts file.
