gcloud plugin exits with 120 code

Started by Hochenna, October 06, 2023, 12:30:28 PM

October 06, 2023, 12:30:28 PM Last Edit: October 06, 2023, 02:29:13 PM by Hochenna
I'm setting up Let's Encrypt certs via the ACME plugin with Google Cloud DNS. The Google Cloud SDK and ACME plugins are both installed from the plugins page.

When I manually try to renew the cert, it fails with the following in the logs (anonymised):


2023-10-06T10:21:21 Notice opnsense AcmeClient: certificate must be issued/renewed: router.my.cert
2023-10-06T10:21:21 Notice opnsense AcmeClient: issue certificate: router.my.cert
2023-10-06T10:21:21 Notice opnsense AcmeClient: using CA: letsencrypt
2023-10-06T10:21:21 Notice opnsense AcmeClient: account is registered: Let's Encrypt
2023-10-06T10:21:21 Notice opnsense AcmeClient: Google Cloud DNS project name: my-project-infrastructure
2023-10-06T10:21:22 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command '/usr/local/bin/gcloud --quiet config configurations create acme-651fd0c54d1f40-20765247' returned exit code '120'
2023-10-06T10:21:23 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command '/usr/local/bin/gcloud --quiet config configurations activate acme-651fd0c54d1f40-20765247' returned exit code '120'
2023-10-06T10:21:24 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command '/usr/local/bin/gcloud --quiet auth activate-service-account --key-file=/tmp/acme_dns_gcloud_651fd0c54d1f40-20765247.json' returned exit code '120'
2023-10-06T10:21:24 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command '/usr/local/bin/gcloud --quiet config set account terraform@my-project-infrastructure.iam.gserviceaccount.com' returned exit code '120'
2023-10-06T10:21:26 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command '/usr/local/bin/gcloud --quiet config set project my-project-infrastructure' returned exit code '120'
2023-10-06T10:21:26 Notice opnsense AcmeClient: using challenge type: Google Cloud DNS - my.cert
2023-10-06T10:21:32 Error opnsense AcmeClient: domain validation failed (dns01)
2023-10-06T10:21:32 Error opnsense AcmeClient: validation for certificate failed: router.my.cert


Now, since it's using --quiet, I can't see what the problem is. If I go to a root shell, though, I can see that the cloud configuration not only exists, but also works (e.g. I can list my gcloud storage buckets).

If I delete the gcloud configuration and try to renew again, the same thing happens, and the configuration also gets re-created.

Is there any way to at least remove the `--quiet` from those commands to see what's up?

So I've managed to find the PHP code that runs the gcloud commands, which I've tweaked like so:


LeUtils::run_shell_command("/usr/local/bin/gcloud --verbosity=debug config configurations list 2>&1 >> /tmp/deleteme.log", $proc_env);
LeUtils::run_shell_command("/usr/local/bin/gcloud --verbosity=debug config configurations create ${gcloud_config} 2>&1 >> /tmp/deleteme.log", $proc_env);
LeUtils::run_shell_command("/usr/local/bin/gcloud --verbosity=debug config configurations activate ${gcloud_config} 2>&1 >> /tmp/deleteme.log", $proc_env);
LeUtils::run_shell_command("/usr/local/bin/gcloud --verbosity=debug auth activate-service-account --key-file=${gcloud_key_file} 2>&1 >> /tmp/deleteme.log", $proc_env);
LeUtils::run_shell_command("/usr/local/bin/gcloud --verbosity=debug config set account ${gcloud_account} 2>&1 >> /tmp/deleteme.log", $proc_env);
LeUtils::run_shell_command("/usr/local/bin/gcloud --verbosity=debug config set project ${gcloud_project} 2>&1 >> /tmp/deleteme.log", $proc_env);


The only output I get is that of `gcloud --verbosity=debug config configurations list`, which exits without error. All the other commands exit with code 120. I believe the issue is coming from Python itself.

From https://bugs.python.org/issue29130:

Quote: David is right. The 120 code was added in Issue 5319, as a way of indicating a problem in the final stages of the interpreter exiting. The two conditions that trigger this are calling the flush() method on sys.stdout and sys.stderr. If you add a dummy flush() implementation, it no longer exits with 120:

If I run the commands directly on the shell they all succeed, so perhaps there's an issue with the way the PHP code is shell_exec'ing the gcloud commands.
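The mechanism in the quoted bugs.python.org comment, reproduced as an added example (not code from this thread or from the OPNsense plugin): a constructed child script finishes its work, but the parent hands it a stdout pipe with no reader, so the flush at interpreter exit fails and the exit code becomes 120. The child script, the marker file and the function names are assumptions made for the illustration; it shows how the stdio a parent process provides can change the exit code, not what the plugin actually does.

```python
import os
import subprocess
import sys
import tempfile

# Constructed child program: does its real work (writes a marker file), then
# prints one line that stays in the stdout buffer until interpreter exit.
CHILD = """
import sys
with open(sys.argv[1], "w") as fh:
    fh.write("done")
print("status line")
"""


def run_child(broken_stdout):
    """Run CHILD and return (exit_code, work_done, stderr_text)."""
    # PYTHONUNBUFFERED would make print() itself fail instead of the exit flush.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONUNBUFFERED"}
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "marker")
        read_end, write_end = os.pipe()
        if broken_stdout:
            os.close(read_end)  # no reader left: writes fail with EPIPE
        try:
            proc = subprocess.run(
                [sys.executable, "-c", CHILD, marker],
                stdout=write_end, stderr=subprocess.PIPE, text=True, env=env,
            )
        finally:
            os.close(write_end)
            if not broken_stdout:
                os.close(read_end)
        # Check the side effect before the temporary directory is removed.
        return proc.returncode, os.path.exists(marker), proc.stderr


if __name__ == "__main__":
    for broken in (False, True):
        code, done, err = run_child(broken)
        print(f"broken_stdout={broken} exit={code} work_done={done}")
        if err:
            print("  stderr:", err.strip().splitlines()[-1])
```

Capturing the child's stderr, as done here, is what reveals the flush error that an exit status alone hides.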

Hi,

I have the exact same problem; all gcloud commands are exiting with 120.

Is there a workaround?

So the commands are actually succeeding. But the issue goes deeper. I'm trying to get acme validation for gcloud to work, and gcloud commands run from within acme run from opnsense are also returning code 120, whereas on a regular shell they're returning 0.

I'm not sure what's going on at this point; this is potentially a weird interaction between the PHP code running the exec command