Rockstor not starting, gpg decryption issue

KeithMnemonic · June 6, 2025, 3:05pm

Has anyone seen this after the latest update and reboot.

I did:

rm -rf /opt/rockstor/.venv
/opt/rockstor/build.sh

it errors with

gpg: A key for “rockstor@localhost” already exists
Sourcing /opt/rockstor.env
Password store initialized for rockstor@localhost
The generated password for python-keyring/rockstor/SECRET_KEY is:
XXXXXXXXXXXXXXXXXXX…
gpg: public key decryption failed: Invalid data
gpg: decryption failed: Invalid data
Traceback (most recent call last):
File “/opt/rockstor/.venv/bin/django-admin”, line 8, in
sys.exit(execute_from_command_line())
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/opt/rockstor/.venv/lib/python3.11/site-packages/django/core/management/init.py”, line 442, in execute_from_command_line
utility.execute()
File “/opt/rockstor/.venv/lib/python3.11/site-packages/django/core/management/init.py”, line 382, in execute
settings.INSTALLED_APPS
File “/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/init.py”, line 102, in getattr
self._setup(name)
File “/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/init.py”, line 89, in _setup
self._wrapped = Settings(settings_module)
^^^^^^^^^^^^^^^^^^^^^^^^^
File “/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/init.py”, line 217, in init
mod = importlib.import_module(self.SETTINGS_MODULE)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib64/python3.11/importlib/init.py”, line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “”, line 1204, in _gcd_import
File “”, line 1176, in _find_and_load
File “”, line 1147, in _find_and_load_unlocked
File “”, line 690, in _load_unlocked
File “”, line 940, in exec_module
File “”, line 241, in _call_with_frames_removed
File “/opt/rockstor/src/rockstor/settings.py”, line 133, in
CLIENT_SECRET = keyring.get_password(“rockstor”, “CLIENT_SECRET”)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/opt/rockstor/.venv/lib/python3.11/site-packages/keyring/core.py”, line 63, in get_password
return get_keyring().get_password(service_name, username)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/opt/rockstor/.venv/lib/python3.11/site-packages/keyring_pass/init.py”, line 183, in get_password
ret = command(
^^^^^^^^
File “/opt/rockstor/.venv/lib/python3.11/site-packages/keyring_pass/init.py”, line 26, in command
return subprocess.check_output(cmd, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib64/python3.11/subprocess.py”, line 466, in check_output
return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib64/python3.11/subprocess.py”, line 571, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command ‘[‘pass’, ‘show’, ‘python-keyring/rockstor/CLIENT_SECRET’]’ returned non-zero exit status 2.

phillxnet · June 6, 2025, 4:16pm

@KeithMnemonic Hello again, and thanks for this report.

@Flox has just brought this to my attention as I’ve just seen this exact issue myself in an as-yet un-release installer, and I was working through what may have caused it - and a work-around also is the hope.

Linking back to the issue @Flox has linked to this forum post.

github.com/rockstor/rockstor-core

rockstor-pre fails re password-store public key

opened 03:48PM - 06 Jun 25 UTC

phillxnet

As yet without sufficient reproducer background - we have a recorded incident of… rockstor-pre failing to start on reboot. Know context: a Tumbleweed-Slowroll instance, derived from a pending publication rockstor installer. An updates was applied via the Web-UI and on subsequent reboots, rockstor-pre fails. ## Summary ``` systemctl status rockstor-pre × rockstor-pre.service - Tasks required prior to starting Rockstor Loaded: loaded (/usr/lib/systemd/system/rockstor-pre.service; disabled; preset: disabled) Active: failed (Result: exit-code) since Fri 2025-06-06 16:11:18 WEST; 1min 40s ago Invocation: ef53744401574c34b34c96d4ac5676a1 Process: 1065 ExecStartPre=/usr/bin/gpg --quick-generate-key --batch --passphrase rockstor@localhost (code=exited, status=2) Process: 1068 ExecStartPre=/usr/bin/pass init rockstor@localhost (code=exited, status=0/SUCCESS) Process: 1104 ExecStartPre=/usr/bin/pass rename --force python-keyring/rockstor/SECRET_KEY python-keyring/rockstor/SECRET_KEY_FALLBACK (code=exited, status=0/SUCCESS) Process: 1139 ExecStartPre=/usr/bin/pass generate --no-symbols --force python-keyring/rockstor/SECRET_KEY 100 (code=exited, status=0/SUCCESS) Process: 1154 ExecStartPre=/usr/bin/rpm --erase gpg-pubkey-5f043187 (code=exited, status=0/SUCCESS) Process: 1157 ExecStartPre=/usr/bin/rpm --import /opt/rockstor/conf/ROCKSTOR-GPG-KEY (code=exited, status=0/SUCCESS) Process: 1161 ExecStart=/usr/local/bin/poetry run initrock (code=exited, status=1/FAILURE) Main PID: 1161 (code=exited, status=1/FAILURE) CPU: 2.165s Jun 06 16:11:16 binstaller systemd[1]: Starting Tasks required prior to starting Rockstor... Jun 06 16:11:16 binstaller [RPM][1154]: Transaction ID 68430514 started Jun 06 16:11:16 binstaller [RPM][1154]: erase gpg-pubkey-5f043187-5ed2a099: success Jun 06 16:11:16 binstaller [RPM][1154]: erase gpg-pubkey-5f043187-5ed2a099: success Jun 06 16:11:16 binstaller [RPM][1154]: Transaction ID 68430514 finished: 0 Jun 06 16:11:18 binstaller systemd[1]: rockstor-pre.service: Main process exited, code=exited, status=1/FAILURE Jun 06 16:11:18 binstaller systemd[1]: rockstor-pre.service: Failed with result 'exit-code'. Jun 06 16:11:18 binstaller systemd[1]: Failed to start Tasks required prior to starting Rockstor. Jun 06 16:11:18 binstaller systemd[1]: rockstor-pre.service: Consumed 2.165s CPU time. ``` With the failure then narrowed to this services invocation of initrock: ## initrock ``` cd /opt/rockstor/ poetry run initrock gpg: public key decryption failed: Invalid data gpg: decryption failed: Invalid data Traceback (most recent call last): File "<string>", line 1, in <module> File "/usr/lib64/python3.11/importlib/__init__.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "<frozen importlib._bootstrap>", line 1204, in _gcd_import File "<frozen importlib._bootstrap>", line 1176, in _find_and_load File "<frozen importlib._bootstrap>", line 1126, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed File "<frozen importlib._bootstrap>", line 1204, in _gcd_import File "<frozen importlib._bootstrap>", line 1176, in _find_and_load File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 690, in _load_unlocked File "<frozen importlib._bootstrap_external>", line 940, in exec_module File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed File "/opt/rockstor/src/rockstor/scripts/__init__.py", line 23, in <module> django.setup() File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/__init__.py", line 19, in setup configure_logging(settings.LOGGING_CONFIG, settings.LOGGING) ^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/__init__.py", line 102, in __getattr__ self._setup(name) File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/__init__.py", line 89, in _setup self._wrapped = Settings(settings_module) ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/__init__.py", line 217, in __init__ mod = importlib.import_module(self.SETTINGS_MODULE) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/python3.11/importlib/__init__.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "<frozen importlib._bootstrap>", line 1204, in _gcd_import File "<frozen importlib._bootstrap>", line 1176, in _find_and_load File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 690, in _load_unlocked File "<frozen importlib._bootstrap_external>", line 940, in exec_module File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed File "/opt/rockstor/src/rockstor/settings.py", line 133, in <module> CLIENT_SECRET = keyring.get_password("rockstor", "CLIENT_SECRET") ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/rockstor/.venv/lib/python3.11/site-packages/keyring/core.py", line 63, in get_password return get_keyring().get_password(service_name, username) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/rockstor/.venv/lib/python3.11/site-packages/keyring_pass/__init__.py", line 183, in get_password ret = command( ^^^^^^^^ File "/opt/rockstor/.venv/lib/python3.11/site-packages/keyring_pass/__init__.py", line 26, in command return subprocess.check_output(cmd, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/python3.11/subprocess.py", line 466, in check_output return run(*popenargs, stdout=PIPE, timeout=timeout, check=True, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/python3.11/subprocess.py", line 571, in run raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '['pass', 'show', 'python-keyring/rockstor/CLIENT_SECRET']' returned non-zero exit status 2. ``` In turn pointing to an issue with password-store, our CLI based secrets manager: - accessed directly via rockstor-pre's multiple ExecStartPre= entries, - and via the python module keyring_pass which presents password-store as a python keyring backend. ## pass The ultimate problem command in question (invoked by keyring_pass via python.subprocess in initirock), as reported; looks to be: ``` pass show python-keyring/rockstor/CLIENT_SECRET gpg: public key decryption failed: Invalid data gpg: decryption failed: Invalid data ``` Reproducing the initrock failure point at the CLI.

I’ll report back here if I find a work-around.

Could you indicate what OS version your install is based on, i.e. is this a Tumbleweed based install, or one built on one of the Leaps.

Hope that helps, at lease with some context. You report here has defintely help as I was concerned this was associated with an issue on our as-yet un-release installers - recently rebuild.

phillxnet · June 6, 2025, 5:03pm

@KeithMnemonic & @Flox OK so we now have a proposed work-around, detailed in the previously referenced issue.

@KeithMnemonic could you confirm that the following restores your system to it’s prior function:

Executed as the ‘root’ user

cd
systemctl stop rockstor*
pass rm python-keyring/rockstor/CLIENT_SECRET

Answer “y” as in the following quote:

Are you sure you would like to delete python-keyring/rockstor/CLIENT_SECRET? [y/N] y
removed ‘/root/.password-store/python-keyring/rockstor/CLIENT_SECRET.gpg’

Restart rockstor’s systemd cascade

systemctl start rockstor-bootstrap.service

Note: Any Web-UI that remaind open during this failure will requrie a Browser refresh - even if the dashboard looks to have ‘woken-up’.

Let us know if this works in your instance, and we will then have further confirmation of at least a viable work-around. If all is well we can then approach a fix in an rpm update in due course. Likely making the associated code more robust to this type of failure.

Hope that helps.

Flox · June 12, 2025, 12:15pm

For information and reference, for those who may have been impacted this:
This has been tracked down to a bug in gnupg. A fix was quickly provided by gnupg and included and released in the Tumbleweed and Slowroll repos. As result, if you encounter this issue, make sure to update your system packages and you should be good to go.

The problematic gpg2 version was: 2.5.7-1.1
The gpg2 version with the fix is: 2.5.7-2.1

More information can be found in our GitHub issue: rockstor-pre fails re password-store public key · Issue #3000 · rockstor/rockstor-core · GitHub