Salt: winrepo repositories must reside within file_roots base:

Created on 10 Nov 2015  路  7Comments  路  Source: saltstack/salt

After some hair tearing today, I've discovered that the winrepo MUST live within the file_roots base:

I had configured the winrepo to be at the same level in my local filesystem as file_roots base: and had some very strange and unhelpful errors as a result.

Seems that if this is a dependency, that the configuration should require a relative path instead of absolute.

Bug P3 Platform Windows severity-medium stale
Source
picture rterbush

Most helpful comment

After upgrading my Windows minion to 2015.8.1 to test another issue, I figured I'd go ahead and start testing the winrepo configuration. I think I ended up basically confirming what @rterbush found. Here's what worked (note that I had to make winrepo_dir a subdirectory within my base environment):

Also note that this was masterless; hence the Windows-style paths for file_roots.

relevant settings from C:\salt\conf\minion:

file_roots:
  base:
    - C:\salt\srv\states\base

winrepo_source_dir: 'salt://winrepo'
winrepo_dir: 'C:\salt\srv\states\base\winrepo'

Here is the minion config that did not work, but that I expected would (using a custom winrepo directory, based on experience with earlier versions, see previous comment):

file_roots:
  base:
    - C:\salt\srv\states\base
    - C:\salt\srv\winrepo

winrepo_source_dir: 'salt://winrepo'
winrepo_dir: 'C:\salt\srv\winrepo'

I traced through the code to figure out what was happening, which is how I came to the configuration that worked. Ultimately, the issue was that the winrepo files were not being copied to the minion cache.

  1. cp.cache_dir is initiated by pkg.refresh_db in modules/win_pkg.py.
  2. The value of winrepo_source_dir is passed to cp.cache_dir as the directory to cache.
  3. The pertinent entry in file_roots is C:\salt\srv\winrepo and the winrepo_source_dir is salt://winrepo.
  4. cp.cache_dir gets the paths of all files in file roots, _but the paths are relative to the file_roots location_. So the file C:\salt\srv\winrepo\mypackage\init.s is returned to cp.cache_dir as mypackage\init.sls.
  5. cp.cache_dir then filters each file path (fn_) for anything that startswith() the value of winrepo_source_dir (after figuring out the protocol piece), in this case it was filtering with fn_.startswith('winrepo/').
  6. That filter does not match any files, so nothing gets cached.

Knowing all that, here is another minion configuration that works and maintains the file_roots config that I expected to work, but it is a little annoying to have to double up the 'winrepowinrepo' in the winrepo_dir path.

file_roots:
  base:
    - C:\salt\srv\states\base
    - C:\salt\srv\winrepo

winrepo_source_dir: 'salt://winrepo'
winrepo_dir: 'C:\salt\srv\winrepo\winrepo'
picture lorengordon on 14 Nov 2015
👍3 🎉1

All 7 comments

I ran into that once upon a time, as well. I didn't move the winrepo directory, though, I just added it as another path in the file_roots base environment.

lorengordon picture lorengordon on 10 Nov 2015

So defaulting to relative path to file_roots base would avoid the confusion and you could still take your approach if you wanted to drop it outside of the file_roots base. Makes sense.

rterbush picture rterbush on 10 Nov 2015

@rterbush, thanks for the report. Relative paths on the master can be a security vulnerability. The documentation on winrepo might need to be updated to mention this. What do you think, @UtahDave?

jfindlay picture jfindlay on 11 Nov 2015

It seems that winrepo_dir is not a required setting and defaults /srv/salt/win/repo.

If I change file_roots.base to /srv/salt/formulas, it silently breaks winrepo functionality.

IMO, it would follow rulle of least astonishment to have winrepo default to a location that is relative to file_roots.base. And of course require an absolute path if you point it to some other location.

If you place it outside of a file_roots path, it should generate some warning.

In this same winrepo functionality, I ran across another issue that I will create a separate issue for. Mentioning it here as it is related. It seems there is no way to turn off the default repo locations for winrepo_remotes as well. I'm find that if I don't set a remote, I get the saltstack/salt-winrepo.git. I believe this requires me to rename my fork of the repo and still leaves me vulnerable to issues with the public repo. I'll open another issue for this.

And of course all of this applies to _ng variants as well.

rterbush picture rterbush on 11 Nov 2015

I haven't started moving my Windows instances to 2015.8, yet, and I remember seeing that these options may have changed, but this is what I've been configuring to get things working in 2015.5:

file_roots:
  - /srv/salt
  - /srv/salt/winrepo

win_repo: /srv/salt/winrepo
win_repo_cachefile: /srv/salt/winrepo/winrepo.p
lorengordon picture lorengordon on 11 Nov 2015

After upgrading my Windows minion to 2015.8.1 to test another issue, I figured I'd go ahead and start testing the winrepo configuration. I think I ended up basically confirming what @rterbush found. Here's what worked (note that I had to make winrepo_dir a subdirectory within my base environment):

Also note that this was masterless; hence the Windows-style paths for file_roots.

relevant settings from C:\salt\conf\minion:

file_roots:
  base:
    - C:\salt\srv\states\base

winrepo_source_dir: 'salt://winrepo'
winrepo_dir: 'C:\salt\srv\states\base\winrepo'

Here is the minion config that did not work, but that I expected would (using a custom winrepo directory, based on experience with earlier versions, see previous comment):

file_roots:
  base:
    - C:\salt\srv\states\base
    - C:\salt\srv\winrepo

winrepo_source_dir: 'salt://winrepo'
winrepo_dir: 'C:\salt\srv\winrepo'

I traced through the code to figure out what was happening, which is how I came to the configuration that worked. Ultimately, the issue was that the winrepo files were not being copied to the minion cache.

  1. cp.cache_dir is initiated by pkg.refresh_db in modules/win_pkg.py.
  2. The value of winrepo_source_dir is passed to cp.cache_dir as the directory to cache.
  3. The pertinent entry in file_roots is C:\salt\srv\winrepo and the winrepo_source_dir is salt://winrepo.
  4. cp.cache_dir gets the paths of all files in file roots, _but the paths are relative to the file_roots location_. So the file C:\salt\srv\winrepo\mypackage\init.s is returned to cp.cache_dir as mypackage\init.sls.
  5. cp.cache_dir then filters each file path (fn_) for anything that startswith() the value of winrepo_source_dir (after figuring out the protocol piece), in this case it was filtering with fn_.startswith('winrepo/').
  6. That filter does not match any files, so nothing gets cached.

Knowing all that, here is another minion configuration that works and maintains the file_roots config that I expected to work, but it is a little annoying to have to double up the 'winrepowinrepo' in the winrepo_dir path.

file_roots:
  base:
    - C:\salt\srv\states\base
    - C:\salt\srv\winrepo

winrepo_source_dir: 'salt://winrepo'
winrepo_dir: 'C:\salt\srv\winrepo\winrepo'
lorengordon picture lorengordon on 14 Nov 2015
👍3 🎉1

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

stale[bot] picture stale[bot] on 7 Feb 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mooperd picture mooperd  路  3Comments
layer3switch picture layer3switch  路  3Comments
commutecat picture commutecat  路  3Comments
zieba88 picture zieba88  路  3Comments
sagetherage picture sagetherage  路  3Comments