Good question… I’m afraid I’m not up to speed on that one… You are correct that we do set that in build.sh when we first pass init.
To confirm you are onto something… if the script run by root preexec has:
run pass
Password Store
└── python-keyring
└── rockstor
├── CLIENT_SECRET
├── SECRET_KEY_FALLBACK
└── SECRET_KEY
Without setting PASSWORD_STORE_DIR that way, I get the same Error: password store is empty. Try "pass init". error.
Unfortunately, setting that in the preexec line seems to upset the way Samba runs this… For instance:
samba has the variable substitution %$(envvar), maybe that will work better. Though it seems that adding an import of the environment variable to the script might be the better solution
I did try that but I was rushed and failed to specify it… my apologies. It failed the same way.
I did try that as follows. In src/rockstor/scripts/__init__.py:
import os
os.environ["DJANGO_SETTINGS_MODULE"] = "settings"
os.environ["PASSWORD_STORE_DIR"] = "/root/.password-store" # new line
import django # noqa E402
django.setup()
/etc/samba/smb.conf remained as produced by Rockstor.
It does seem to fix it as I can connect to that same samba share just fine.
To confirm the need for setting that env variable continuously, I commented out that new line and I could no longer access the Samba share in question, seeing the same 'Error: password store is empty. Try "pass init".' error as before.
@Hooverdan, @phillxnet: I’m not familiar with pass yet when compared to both of you so does that seem like an appropriate fix to you?
Great find!
Considering that this was required in the bootstrap and pre-service to function, I would assume the same will be required for the “new” thread that the samba preexec opens to execute, But, as always, since @phillxnet did the actual implementation across, he will have an opinion on that. If it is, the question will be whether we need to consider explicit definition of the env variable in other places where it doesn’t exist yet.
I had completely overlooked this ramification to our new secrets managment added in 5.0.6-0 as a small part of an extensive update of our Python dependencies:
And yes, there is a definite requirement for us to declare the environmental variable that guides pass to it’s pre-configured secrets store.
Excellent exposition here folks. But I’ve yet to fully digest all this as I’m currently working in another area currently. Lets try to have a fix ready for our next rpm release.
I am also interested. Since installing 5.06.0 then updating to 5.07.0 I can no longer access my setup from my Windows 11,10,7 systems no matter what I try.
I can now connect to my Samba shares but they all show as \host\export\share_name instead of \host\share_name. A short term frustration I can overcome to be sure. Is anyone else experiencing this inconvenience?
Thanks for reporting this. At first glance, what you described seems to fit the failing script detailed above so I think we are seeing the same root cause here.
Just a quick update, in the issue specific branch of by current draft pull request, associated with the GitHub issue raised by @Hooverdan, I’m pretty sure I’m on the home run to a proper fix for at least the reported keyring.errors.NoKeyringError related to an unset PASSWORD_STORE_DIR when samba tries to run the preexec for each export.
And under @Hooverdan’s in-issue advisement , and given we are still in testing phase here, I’ve also centralised our problematic secrets store env var. An overdue arrangement that seems to have found it’s time be be resolved.
Hope that helps, at least by way of a progress update. Once all sorted and provisionally tested, I’ll build and release our next testing channel updates rpm. This should retroactively fix all current testing rpm installs in this regard.