yahoo-eng-team team mailing list archive
Message #56946
[Bug 1609899] Re: salt minion module writes minion keys to the wrong directory
This bug was fixed in the package cloud-init - 0.7.8-1-g3705bb5-0ubuntu1~16.04.1

---------------
cloud-init (0.7.8-1-g3705bb5-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  * New upstream release 0.7.8.
  * New upstream snapshot.
    - systemd: put cloud-init.target After multi-user.target (LP: #1623868)

cloud-init (0.7.7-31-g65ace7b-0ubuntu1~16.04.2) xenial-proposed; urgency=medium

  * debian/control: add Breaks of older versions of walinuxagent (LP: #1623570)

cloud-init (0.7.7-31-g65ace7b-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  * debian/control: fix missing dependency on python3-serial,
    and make SmartOS datasource work.
  * debian/cloud-init.templates fix capitalisation in template so
    dpkg-reconfigure works to select OpenStack. (LP: #1575727)
  * d/README.source, d/control, d/new-upstream-snapshot, d/rules: sync
    with yakkety for changes due to move to git.
  * d/rules: change PYVER=python3 to PYVER=3 to adjust to upstream change.
  * debian/rules, debian/cloud-init.install: remove install file
    to ensure expected files are collected into cloud-init deb.
    (LP: #1615745)
  * debian/dirs: remove obsolete / unused file.
  * upstream move from bzr to git.
  * New upstream snapshot.
    - Allow link type of null in network_data.json [Jon Grimm] (LP: #1621968)
    - DataSourceOVF: fix user-data as base64 with python3 (LP: #1619394)
    - remove obsolete .bzrignore
    - systemd: Better support package and upgrade. (LP: #1576692, #1621336)
    - tests: cleanup tempdirs in apt_source tests
    - apt config conversion: treat empty string as not provided. (LP: #1621180)
    - Fix typo in default keys for phone_home [Roland Sommer] (LP: #1607810)
    - salt minion: update default pki directory for newer salt minion.
      (LP: #1609899)
    - bddeb: add --release flag to specify the release in changelog.
    - apt-config: allow both old and new format to be present.
      [Christian Ehrhardt] (LP: #1616831)
    - python2.6: fix dict comprehension usage in _lsb_release. [Joshua Harlow]
    - Add a module that can configure spacewalk. [Joshua Harlow]
    - add install option for openrc [Matthew Thode]
    - Generate a dummy bond name for OpenStack (LP: #1605749)
    - network: fix get_interface_mac for bond slave, read_sys_net for ENOTDIR
    - azure dhclient-hook cleanups
    - Minor cleanups to atomic_helper and add unit tests.
    - Fix Gentoo net config generation [Matthew Thode]
    - distros: fix get_primary_arch method use of os.uname [Andrew Jorgensen]
    - Apt: add new apt configuration format [Christian Ehrhardt]
    - Get Azure endpoint server from DHCP client [Brent Baude]
    - DigitalOcean: use the v1.json endpoint [Ben Howard]
    - MAAS: add vendor-data support (LP: #1612313)
    - Upgrade to a configobj package new enough to work [Joshua Harlow]
    - ConfigDrive: recognize 'tap' as a link type. (LP: #1610784)
    - NoCloud: fix bug providing network-interfaces via meta-data.
      (LP: 1577982)
    - Add distro tags on config modules that should have it [Joshua Harlow]
    - ChangeLog: update changelog for previous commit.
    - add ntp config module [Ryan Harper]
    - SmartOS: more improvements for network configuration
    - tools/read-version: update to address change in version
    - make-tarball: older versions of git with --format=tar.
    - read-version: do not attempt git-describe if no git.
    - Newer requests have strong type validation [Joshua Harlow]
    - For upstream snapshot versions do not modify git-describe output.
    - adjust signal_handler for version changes.
    - revert unintended change to ubuntu sources list
    - drop modification of version during make-tarball, tools changes.
    - adjust tools and version information.
    - Update build tools to work with git [Lars Kellogg-Stedman]
    - fix pep8 errors in mcollective unit tests
    - mcollective: add tests, cleanups and bug fix when no config in /etc.

 -- Scott Moser <smoser@xxxxxxxxxx>  Thu, 15 Sep 2016 09:57:27 -0400
** Changed in: cloud-init (Ubuntu Xenial)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1609899
Title:
  salt minion module writes minion keys to the wrong directory
Status in cloud-init:
  Fix Released
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Xenial:
  Fix Released
Bug description:
==== Begin SRU Template ====
[Impact]
Salt minion config module of cloud-init would not work by default
if 'public_key' and 'private_key' were provided.
[Test Case]
## Recreate failure
$ cat >user-data <<EOF
#cloud-config
salt_minion:
public_key: "foo public"
private_key: "foo private"
EOF
$ lxc launch ubuntu-daily:xenial x1 "--config=user.user-data=$(cat user-data)"
$ lxc exec x1 -- grep salt/pki/ /var/log/cloud-init.log
Sep 13 21:04:55 ubuntu [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion.pub - wb: [420] 10 bytes
Sep 13 21:04:55 ubuntu [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion.pem - wb: [420] 11 bytes
## Note that Ubuntu's packaging actually moves these files to their proper
## location, so checking the log is all we can do to show the failure.
## Now update the container, clean, and reboot to show first boot
$ lxc exec x1 -- sh -c '
    p=/etc/apt/sources.list.d/proposed.list
    echo deb http://archive.ubuntu.com/ubuntu xenial-proposed main > "$p" &&
    apt-get update -q && apt-get -qy install cloud-init'
$ lxc exec x1 -- sh -c 'apt-get -qy --purge remove salt-minion && rm -Rf /etc/salt'
$ lxc exec x1 -- sh -c '
    cd /var/lib/cloud && for d in *; do [ "$d" = "seed" ] || rm -Rf "$d"; done
    rm -Rf /var/log/cloud-init*'
$ lxc exec x1 reboot
$ lxc exec x1 -- grep salt/pki/ /var/log/cloud-init.log
Sep 13 21:10:52 x1 [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion/minion.pub - wb: [420] 10 bytes
Sep 13 21:10:52 x1 [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion/minion.pem - wb: [420] 11 bytes
[Regression Potential]
Low chance for regression, especially since the packaging does the right thing.
==== End SRU Template ====
Cloud-init's salt minion module writes minion.pem and minion.pub to the wrong directory. Salt-minion expects them in /etc/salt/pki/minion, but cloud-init's salt minion module uses /etc/salt/pki. Somehow in the past this worked out, and the files would be moved to /etc/salt/pki/minion. This part I don't understand, but currently on Ubuntu 16.04 Xenial with cloud-init 0.7.7 it doesn't work out. What happens is cloud-init writes to /etc/salt/pki, and salt-minion ignores the /etc/salt/pki files and writes its own /etc/salt/pki/minion files. This results in the salt minion generated keys being rejected by the salt master.
Current:
pki_dir = salt_cfg.get('pki_dir', '/etc/salt/pki')
Fixed:
pki_dir = salt_cfg.get('pki_dir', '/etc/salt/pki/minion')
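The following is an added example, not cloud-init's own code: a small stand-in for the salt_minion module's key-writing step that makes the one-line default change above concrete, plus a checker for the "Writing to /etc/salt/pki/..." lines the [Test Case] greps out of /var/log/cloud-init.log. The function and constant names (`resolve_pki_dir`, `write_minion_keys`, `audit_log`, `FIXED_DEFAULT_PKI_DIR`) are this example's own, the key material is the same placeholder strings as the bug's user-data, and the sample log lines are the ones quoted in the report. Writing the private key with mode 0o600 is this example's choice; the report's log shows both files written with mode [420], which is 0644 in octal.

```python
"""Added example for LP: #1609899 (not cloud-init code): reproduce the
pki_dir default bug and audit cloud-init.log for keys landing outside
/etc/salt/pki/minion."""
import os
import re
import tempfile

OLD_DEFAULT_PKI_DIR = "/etc/salt/pki"          # default before the fix
FIXED_DEFAULT_PKI_DIR = "/etc/salt/pki/minion"  # default after the fix

# Sample log lines quoted in the bug report (before and after the fix).
BAD_LOG = [
    "Sep 13 21:04:55 ubuntu [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion.pub - wb: [420] 10 bytes",
    "Sep 13 21:04:55 ubuntu [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion.pem - wb: [420] 11 bytes",
]
GOOD_LOG = [
    "Sep 13 21:10:52 x1 [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion/minion.pub - wb: [420] 10 bytes",
    "Sep 13 21:10:52 x1 [CLOUDINIT] util.py[DEBUG]: Writing to /etc/salt/pki/minion/minion.pem - wb: [420] 11 bytes",
]


def resolve_pki_dir(salt_cfg, fixed=True):
    """Mirror the one-line change from the bug: an explicit pki_dir in the
    salt_minion config wins; otherwise fall back to the old or fixed default."""
    default = FIXED_DEFAULT_PKI_DIR if fixed else OLD_DEFAULT_PKI_DIR
    return salt_cfg.get("pki_dir", default)


def write_minion_keys(salt_cfg, root, fixed=True):
    """Write minion.pub / minion.pem under <root>/<pki_dir>, as the module does.
    `root` is a scratch directory so this never touches the real /etc/salt.
    Returns the paths written, expressed without the root prefix."""
    pki_dir = resolve_pki_dir(salt_cfg, fixed)
    target = os.path.join(root, pki_dir.lstrip("/"))
    os.makedirs(target, exist_ok=True)
    written = []
    # Private key gets 0o600 here (example's choice); the public key stays 0o644.
    for name, key, mode in (("minion.pub", salt_cfg.get("public_key"), 0o644),
                            ("minion.pem", salt_cfg.get("private_key"), 0o600)):
        if key is None:
            continue
        path = os.path.join(target, name)
        with open(path, "w") as fh:
            fh.write(key)
        os.chmod(path, mode)
        written.append("/" + os.path.relpath(path, root))
    return written


def keys_in_expected_dir(paths, expected=FIXED_DEFAULT_PKI_DIR):
    """True when every key file sits directly in the directory salt-minion reads."""
    return all(os.path.dirname(p) == expected for p in paths)


# util.py logs "Writing to <path> - wb: [<decimal mode>] <n> bytes".
LOG_RE = re.compile(r"Writing to (?P<path>\S+) - wb: \[(?P<mode>\d+)\] (?P<size>\d+) bytes")


def audit_log(lines, expected=FIXED_DEFAULT_PKI_DIR):
    """Scan cloud-init.log lines for salt pki writes outside `expected`.
    Returns a list of (path, octal mode) for each offending write."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or "/salt/pki/" not in m.group("path"):
            continue
        path = m.group("path")
        if os.path.dirname(path) != expected:
            findings.append((path, oct(int(m.group("mode")))))
    return findings


def demo():
    """Run both defaults against the bug's user-data in a scratch root."""
    cfg = {"public_key": "foo public", "private_key": "foo private"}
    with tempfile.TemporaryDirectory() as root:
        old = write_minion_keys(cfg, root, fixed=False)
        new = write_minion_keys(cfg, root, fixed=True)
    return old, new


if __name__ == "__main__":
    old, new = demo()
    print("old default:", old, "ok" if keys_in_expected_dir(old) else "WRONG DIR")
    print("new default:", new, "ok" if keys_in_expected_dir(new) else "WRONG DIR")
    print("bad log findings:", audit_log(BAD_LOG))
    print("good log findings:", audit_log(GOOD_LOG))
```

Running the script prints the two key paths produced by each default and the audit findings for the two quoted log excerpts: the pre-fix lines are flagged because their directory is /etc/salt/pki rather than /etc/salt/pki/minion, the post-fix lines are clean. The same `audit_log` check can be pointed at a real /var/log/cloud-init.log on a xenial host to confirm the SRU without needing salt-minion's master-side rejection to show up first.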