Bug 32630 - No connection to master after key authentication
Summary: No connection to master after key authentication
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: salt-minion
Version: unstable
Hardware: all Linux
: P3 normal
Assignee: Valentin Rosavitskiy
QA Contact: qa-sisyphus
Reported: 2016-10-17 14:56 MSK by Sergey Novikov
Modified: 2023-09-14 12:48 MSK
Description Sergey Novikov 2016-10-17 14:56:20 MSK
After key authentication on the salt-master, salt-minion produces an error:
 Traceback (most recent call last)
   File "/usr/lib64/python2.7/site-packages/tornado/ioloop.py", line 603, in _run_callback
     ret = callback()
   File "/usr/lib64/python2.7/site-packages/tornado/stack_context.py", line 274, in null_wrapper
     return fn(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/tornado/ioloop.py", line 618, in <lambda>
     self.add_future(ret, lambda f
   File "/usr/lib64/python2.7/site-packages/tornado/concurrent.py", line 236, in result
     raise_exc_info(self._exc_info)
   File "/usr/lib64/python2.7/site-packages/tornado/gen.py", line 1021, in run
     yielded = self.gen.throw(*exc_info)
   File "/usr/lib/python2.7/site-packages/salt/crypt.py", line 476, in _authenticate
     creds = yield self.sign_in(channel=channel)
   File "/usr/lib64/python2.7/site-packages/tornado/gen.py", line 1015, in run
     value = future.result()
   File "/usr/lib64/python2.7/site-packages/tornado/concurrent.py", line 236, in result
     raise_exc_info(self._exc_info)
   File "/usr/lib64/python2.7/site-packages/tornado/gen.py", line 1024, in run
     yielded = self.gen.send(value)
   File "/usr/lib/python2.7/site-packages/salt/crypt.py", line 597, in sign_in
     auth['aes'] = self.verify_master(payload, master_pub='token' in sign_in_payload)
   File "/usr/lib/python2.7/site-packages/salt/crypt.py", line 938, in verify_master
     return self.extract_aes(payload, master_pub=False)
   File "/usr/lib/python2.7/site-packages/salt/crypt.py", line 863, in extract_aes
     aes, token = self.decrypt_aes(payload, master_pub)
   File "/usr/lib/python2.7/site-packages/salt/crypt.py", line 726, in decrypt_aes
     m_digest = public_decrypt(mkey.publickey(), payload['sig'])
   File "/usr/lib/python2.7/site-packages/salt/crypt.py", line 206, in public_decrypt
     verifier = salt.utils.rsax931.RSAX931Verifier(pub.exportKey('PEM'))
   File "/usr/lib/python2.7/site-packages/salt/utils/rsax931.py", line 126, in __init__
     raise ValueError('invalid RSA public key')
 ValueError


Then, after a restart, salt-minion cannot establish a connection to the salt-master and gives the following error:
 [WARNING ] Key 'whitelist_modules' with value None has an invalid type of NoneType, a list is required for this value
 [ERROR   ] The master failed to decrypt the random minion token
 [CRITICAL] The Salt Master server's public key did not authenticate!
 The master may need to be updated if it is a version of Salt lower than 2016.3.0, or
 If you are confident that you are connecting to a valid Salt Master, then remove the master public key and restart the Salt Minion.
 The master public key can be found at
 /etc/salt/pki/minion/minion_master.pub
 [ERROR   ] Error while bringing up minion for multi-master. Is master at salt responding?
 [ERROR   ] The master failed to decrypt the random minion token
 [CRITICAL] The Salt Master server's public key did not authenticate!
 The master may need to be updated if it is a version of Salt lower than 2016.3.0, or
 If you are confident that you are connecting to a valid Salt Master, then remove the master public key and restart the Salt Minion.
 The master public key can be found at
 /etc/salt/pki/minion/minion_master.pub
 [ERROR   ] Error while bringing up minion for multi-master. Is master at salt responding?
Comment 1 Sergey Novikov 2016-10-17 18:33:12 MSK
salt-master version: 2016.3.0
salt-minion version: 2016.3.0

On Ubuntu 16 salt works fine:
salt-master version: 2016.3.0
salt-minion version: 2016.3.3
Comment 2 Sergey Novikov 2016-10-17 18:45:55 MSK
Additional information:

salt-minion (ALTLinux) does NOT connect to salt-master (ubuntu)

salt-minion (ubuntu) connects to salt-master (ALTLinux), but the salt-master (ALTLinux) logs contain the following errors:

 [ERROR   ] Unable to decrypt token	 invalid RSA public key
 [ERROR   ] Salt minion claiming to be test-124 has attempted to communicate with the master and could not be verified	
 [WARNING ] Minion id test-124 is not who it says it is!	
 [ERROR   ] Unable to decrypt token	 invalid RSA public key
 [ERROR   ] Salt minion claiming to be test-124 has attempted to communicate with the master and could not be verified	
 [WARNING ] Minion id test-124 is not who it says it is!	

With the salt-minion(ubuntu)+salt-master(ubuntu) combination there are no such errors.
Comment 3 Valentin Rosavitskiy 2016-10-31 11:07:58 MSK
If you have the desire and the ability, please fix it. I am short on time right now. If not, I think I will fix it by the end of November.
Comment 4 Andrey Bragin 2019-01-28 16:32:06 MSK
The bug is more than two years old, and things are still where they were.
It is a pity to have to work with this kind of "import substitution".

The problem is solved by replacing python-module-pycrypto with python-module-Crypto.
Comment 5 Alexander Makeenkov 2023-09-14 12:48:36 MSK
At the moment the problem does not reproduce.

# rpm -q salt-master salt-minion 
salt-master-3006.3-alt2.noarch
salt-minion-3006.3-alt2.noarch