← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1609899] Re: salt minion module writes minion keys to the wrong directory

 

This bug was fixed in the package cloud-init -
0.7.8-1-g3705bb5-0ubuntu1~16.04.1

---------------
cloud-init (0.7.8-1-g3705bb5-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  * New upstream release 0.7.8.
  * New upstream snapshot.
    - systemd: put cloud-init.target After multi-user.target (LP: #1623868)

cloud-init (0.7.7-31-g65ace7b-0ubuntu1~16.04.2) xenial-proposed;
urgency=medium

  * debian/control: add Breaks of older versions of walinuxagent (LP:
#1623570)

cloud-init (0.7.7-31-g65ace7b-0ubuntu1~16.04.1) xenial-proposed;
urgency=medium

  * debian/control: fix missing dependency on python3-serial,
    and make SmartOS datasource work.
  * debian/cloud-init.templates fix capitalisation in template so
    dpkg-reconfigure works to select OpenStack. (LP: #1575727)
  * d/README.source, d/control, d/new-upstream-snapshot, d/rules: sync
    with yakkety for changes due to move to git.
  * d/rules: change PYVER=python3 to PYVER=3 to adjust to upstream change.
  * debian/rules, debian/cloud-init.install: remove install file
    to ensure expected files are collected into cloud-init deb.
    (LP: #1615745)
  * debian/dirs: remove obsolete / unused file.
  * upstream move from bzr to git.
  * New upstream snapshot.
    - Allow link type of null in network_data.json [Jon Grimm] (LP: #1621968)
    - DataSourceOVF: fix user-data as base64 with python3 (LP: #1619394)
    - remove obsolete .bzrignore
    - systemd: Better support package and upgrade. (LP: #1576692, #1621336)
    - tests: cleanup tempdirs in apt_source tests
    - apt config conversion: treat empty string as not provided. (LP: #1621180)
    - Fix typo in default keys for phone_home [Roland Sommer] (LP: #1607810)
    - salt minion: update default pki directory for newer salt minion.
      (LP: #1609899)
    - bddeb: add --release flag to specify the release in changelog.
    - apt-config: allow both old and new format to be present.
      [Christian Ehrhardt] (LP: #1616831)
    - python2.6: fix dict comprehension usage in _lsb_release. [Joshua Harlow]
    - Add a module that can configure spacewalk. [Joshua Harlow]
    - add install option for openrc [Matthew Thode]
    - Generate a dummy bond name for OpenStack (LP: #1605749)
    - network: fix get_interface_mac for bond slave, read_sys_net for ENOTDIR
    - azure dhclient-hook cleanups
    - Minor cleanups to atomic_helper and add unit tests.
    - Fix Gentoo net config generation [Matthew Thode]
    - distros: fix get_primary_arch method use of os.uname [Andrew Jorgensen]
    - Apt: add new apt configuration format [Christian Ehrhardt]
    - Get Azure endpoint server from DHCP client [Brent Baude]
    - DigitalOcean: use the v1.json endpoint [Ben Howard]
    - MAAS: add vendor-data support (LP: #1612313)
    - Upgrade to a configobj package new enough to work [Joshua Harlow]
    - ConfigDrive: recognize 'tap' as a link type. (LP: #1610784)
    - NoCloud: fix bug providing network-interfaces via meta-data.
      (LP: 1577982)
    - Add distro tags on config modules that should have it [Joshua Harlow]
    - ChangeLog: update changelog for previous commit.
    - add ntp config module [Ryan Harper]
    - SmartOS: more improvements for network configuration
    - tools/read-version: update to address change in version
    - make-tarball: older versions of git with --format=tar.
    - read-version: do not attempt git-describe if no git.
    - Newer requests have strong type validation [Joshua Harlow]
    - For upstream snapshot versions do not modify git-describe output.
    - adjust signal_handler for version changes.
    - revert unintended change to ubuntu sources list
    - drop modification of version during make-tarball, tools changes.
    - adjust tools and version information.
    - Update build tools to work with git [Lars Kellogg-Stedman]
    - fix pep8 errors in mcollective unit tests
    - mcollective: add tests, cleanups and bug fix when no config in /etc.

 -- Scott Moser <smoser@xxxxxxxxxx>  Thu, 15 Sep 2016 09:57:27 -0400

** Changed in: cloud-init (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1609899

Title:
  salt minion module writes minion keys to the wrong directory

Status in cloud-init:
  Fix Released
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Xenial:
  Fix Released

Bug description:
  ==== Begin SRU Template ====
  [Impact] 
  Salt minion config module of cloud-init would not work by default
  if 'public_key' and 'private_key' were provided.

  [Test Case]
  ## Recreate failure
  $ cat >user-data <<EOF
  #cloud-config
  salt_minion:
    public_key: "foo public"
    private_key: "foo private"
  EOF

  $ lxc launch ubuntu-daily:xenial x1 "--config=user.user-data=$(cat user-data)"
  $ lxc exec x1 -- grep salt/pki/ /var/log/cloud-init.log
  Sep 13 21:04:55 ubuntu [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion.pub - wb: [420] 10 bytes
  Sep 13 21:04:55 ubuntu [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion.pem - wb: [420] 11 bytes

  ## Note, that ubuntu's packaging actuall moves these files to their proper
  ## location, so checking the log is all we can do to show failure.

  ## Now update container, clean and reboot to show first boot 
  $ lxc exec x1 -- sh -c '
      p=/etc/apt/sources.list.d/proposed.list
      echo deb http://archive.ubuntu.com/ubuntu xenial-proposed main > "$p" &&
      apt-get update -q && apt-get -qy install cloud-init'
  $ lxc exec x1 -- sh -c 'apt-get -qy --purge remove salt-minion && rm -Rf /etc/salt'
  $ lxc exec x1 -- sh -c '
      cd /var/lib/cloud && for d in *; do [ "$d" = "seed" ] || rm -Rf "$d"; done
      rm -Rf /var/log/cloud-init*'

  $ lxc exec x1 reboot

  $ lxc exec x1 -- grep salt/pki/ /var/log/cloud-init.log
  Sep 13 21:10:52 x1 [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion/minion.pub - wb: [420] 10 bytes
  Sep 13 21:10:52 x1 [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion/minion.pem - wb: [420] 11 bytes

  [Regression Potential] 
  Low chance for regression, especially since the packaging does the right thing.
  ==== End SRU Template ====

  
  Cloud-init's salt minion module writes minion.pem, and minion.pub to the wrong directory. Salt-minion expects them in /etc/salt/pki/minion, but /etc/salt/pki is used by cloud-init's salt minion module. Somehow in the past this worked out, and the files would be moved to /etc/salt/pki/minion. This part I don't understand, but currently on Ubuntu 16.04 Xenial with cloud-init 0.7.7 it doesn't work out. What happens is cloud-init writes to /etc/salt/pki, and salt-minion ignores the /etc/salt/pki files and writes it's own /etc/salt/pki/minion files. This results in the salt minion generated keys being rejected by the salt master.

  Current:
  pki_dir = salt_cfg.get('pki_dir', '/etc/salt/pki')

  Fixed:
  pki_dir = salt_cfg.get('pki_dir', '/etc/salt/pki/minion')

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1609899/+subscriptions


References