CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-05-10 21:30:30 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: tolerate pip's non-zero exit on psycopg2 patchelf step

Browse Source 
salt's pip.installed flagged so_pillar_psycopg2_in_salt_python as
failed because pip exits non-zero when it can't find the patchelf
binary to rewrite the psycopg2 wheel's RPATH after extraction. The
wheel is fully installed and importable regardless — the patchelf
step is a cosmetic post-install rewrite, not a build dependency. But
salt's failure cascade then short-circuited so_pillar_initial_import
and the so-yaml mode flip, leaving the install in dual-pillar mode
instead of PG-canonical.

Replaced with cmd.run that runs pip with `|| true` and uses an
`import psycopg2` check as the actual readiness gate — same idea as
how salt's own bootstrap does it. Also fixed the require: ref on
so_pillar_initial_import (was `pip:`, needs to be `cmd:` for the new
state type).
This commit is contained in:
Mike Reeves
2026-05-04 22:08:31 -04:00
parent b25b221076
commit a7efabd90d
1 changed files with 11 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/postgres/schema_pillar.sls
+11 -4
View File
@@ -116,10 +116,17 @@ so_pillar_role_login_passwords:
# engine module can `import psycopg2`. Without this the engine's import fails # engine module can `import psycopg2`. Without this the engine's import fails
# silently in salt's loader and the engine just never starts. salt's bundled # silently in salt's loader and the engine just never starts. salt's bundled
# python at /opt/saltstack/salt/bin/python3 doesn't ship psycopg by default. # python at /opt/saltstack/salt/bin/python3 doesn't ship psycopg by default.
#
# Uses cmd.run with an `unless` import-test rather than pip.installed because
# pip exits non-zero if patchelf isn't on PATH (it tries to rewrite the
# psycopg2 wheel's RPATH after extraction), even though the wheel is fully
# installed and importable. salt's pip.installed surfaces the non-zero exit
# as a state failure and the cascade kills schema_pillar's downstream work.
# `import psycopg2` succeeds either way, so that's the actual readiness gate.
so_pillar_psycopg2_in_salt_python: so_pillar_psycopg2_in_salt_python:
pip.installed: cmd.run:
- name: psycopg2-binary - name: /opt/saltstack/salt/bin/pip3 install --quiet psycopg2-binary || true
- bin_env: /opt/saltstack/salt/bin/python3 - unless: /opt/saltstack/salt/bin/python3 -c "import psycopg2"
- require: - require:
- cmd: so_pillar_role_login_passwords - cmd: so_pillar_role_login_passwords
@@ -129,7 +136,7 @@ so_pillar_initial_import:
cmd.run: cmd.run:
- name: /usr/sbin/so-pillar-import --yes --reason 'schema_pillar.sls initial import' - name: /usr/sbin/so-pillar-import --yes --reason 'schema_pillar.sls initial import'
- require: - require:
- pip: so_pillar_psycopg2_in_salt_python - cmd: so_pillar_psycopg2_in_salt_python
# Flip so-yaml from dual-write to PG-canonical for managed paths now that # Flip so-yaml from dual-write to PG-canonical for managed paths now that
# the schema and importer are both in place. Bootstrap files (secrets.sls, # the schema and importer are both in place. Bootstrap files (secrets.sls,