[3007.x][BUG] Non-root users can not call functions after upgrade to 3007.0 #66228
Comments
Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. |
We started noticing issues with the Publisher_ACL since switching to salt 3006 |
I ran into this exact issue after upgrading from salt-master 3006.7 to 3007.0. I did not have the On Debian/Ubuntu: This change seems to have fixed the issue. I no longer see the TCP Publish Client error anymore. @lee-harmonic - does this work for you? |
I'm encountering the same issues described earlier. Reverting back to version 3005.5 enables me to utilize local or domain-signed-in users. I've experimented with versions 3006.7 and 3007.0, both with and without root user access. However, the 'publisher_acl' feature doesn't operate as anticipated in these versions. Thanks for bringing it up, @alexholodak, but it doesn't address the problem we've discussed previously. |
@alexholodak python not being available, and having to use python3 is very much an OS issue, for example: arch has python has python3, but older OS's got rid of python since it implies python2, so don't see having to install python-is-python3 as a Salt issue but a user and their OS's in use issue, about forgetting python referred to python2. But thanks for the tip, for those needing the work-around for their environments. @lee-harmonic Wondering if this is related to 3006.x plus using user salt, rather than root as in earlier releases, and missed a place where the change to default user salt affects things. Wonder if you change to user: root in the /etc/salt/master and minion configuration files, and restart and see if the problem still occurs, if not, indicates issue is default user: salt in configuration file. |
@lee-harmonic Can you check if the problem occurs with user: root as previously mentioned, it would help a lot in identifying the cause. |
@dmurphy18 Triple-checked all the settings as per https://docs.saltproject.io/en/latest/ref/publisheracl.html#publisher-acl-system Everything works fine as salt user. We were already running the salt-master service as user salt prior to updating. Installing
|
We figured this out, turns out that the update messes up the permissions.
Before (not working, see above)
after (working):
The command, for anyone in doubt:
cd /var/run/salt/master
sudo chmod g+rw *.ipc
|
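A check to pair with the chmod in the comment above, since the permissions are reset whenever the salt-master service restarts (added example, not part of the original comment and not Salt project code): the hypothetical function `audit_ipc_perms` reports which `*.ipc` endpoints lack group read/write or have the wrong owning group. It assumes GNU coreutils `stat` and the `salt` group named in the issue description.

```shell
#!/bin/sh
# Added example, not Salt project code. Assumes GNU coreutils `stat`.
# audit_ipc_perms DIR GROUP
#   Prints one status line per *.ipc endpoint in DIR.
#   Returns 0 if every endpoint is group-owned by GROUP with group rw,
#   1 if any endpoint fails, 2 if DIR has no endpoints (master not running).
audit_ipc_perms() {
    dir=${1:-/var/run/salt/master}   # path from the comment above
    want_group=${2:-salt}            # group named in the issue description
    bad=0
    seen=0
    for f in "$dir"/*.ipc; do
        [ -e "$f" ] || continue      # an unmatched glob stays literal
        seen=$((seen + 1))
        mode=$(stat -c '%a' "$f")    # octal mode, e.g. 660
        group=$(stat -c '%G' "$f")   # owning group name
        gbits=$(( (0$mode >> 3) & 6 ))   # group read (4) + write (2) bits
        status=OK
        if [ "$group" != "$want_group" ]; then
            status=WRONG_GROUP
        elif [ "$gbits" -ne 6 ]; then
            status=NO_GROUP_RW
        fi
        [ "$status" = OK ] || bad=1
        printf '%-12s %4s %-8s %s\n' "$status" "$mode" "$group" "$f"
    done
    if [ "$seen" -eq 0 ]; then
        echo "no *.ipc endpoints found in $dir" >&2
        return 2
    fi
    return "$bad"
}

# Run against a directory given on the command line, e.g. after a restart:
#   sh audit_ipc.sh /var/run/salt/master salt
if [ -n "${1:-}" ]; then
    audit_ipc_perms "$@"
fi
```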
@jamest-pin Not seeing the difference between before and after in #66228 (comment), and thinking the fixes in #66218 will fix this, once 3006.9 is out, the fix is merged forward to the 3007.x branch, hence need to release a 3007.2, but 3006.9 comes first |
@dmurphy18 the difference is the |
This problem also exists with recently released Salt 3006.9
Will fix the problem in branch 3006.x and allow for the merge forward to fix in 3007.x branch |
@lee-harmonic I edited and restarted the salt-master using publisher_acl (https://docs.saltproject.io/salt/user-guide/en/latest/topics/security.html#id6), and have rw on the master_event_pub.ipc (3006.x)
After upgrading to Salt 3007.1 it failed, there was hardening in #64063, for 3006.0 which requires publisher_acl or external_auth, so investigating further in 3007.x branch |
Assigning this to @dwoz |
Is this the same bug?
2024-09-04 13:20:10,118 [salt.utils.parsers:1062][WARNING ][16404] Master received a SIGTERM. Exiting.
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/scripts.py", line 86, in salt_master
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cli/daemons.py", line 223, in start
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/master.py", line 844, in start
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/engines/init.py", line 59, in start_engines
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/process.py", line 531, in add_process
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/process.py", line 1100, in start
  File "/opt/saltstack/salt/lib/python3.10/multiprocessing/process.py", line 121, in start
  File "/opt/saltstack/salt/lib/python3.10/multiprocessing/context.py", line 224, in _Popen
  File "/opt/saltstack/salt/lib/python3.10/multiprocessing/context.py", line 281, in _Popen
  File "/opt/saltstack/salt/lib/python3.10/multiprocessing/popen_fork.py", line 19, in init
  File "/opt/saltstack/salt/lib/python3.10/multiprocessing/popen_fork.py", line 71, in _launch
  File "/opt/saltstack/salt/lib/python3.10/multiprocessing/process.py", line 314, in _bootstrap
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/process.py", line 995, in wrapped_run_func
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/engines/init.py", line 104, in run
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 160, in call
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1269, in run
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1284, in _run_as
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/engines/reactor.py", line 31, in start
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/process.py", line 995, in wrapped_run_func
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/reactor.py", line 214, in run
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/event.py", line 127, in get_event
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/event.py", line 928, in init
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/event.py", line 265, in init
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/event.py", line 323, in connect_pub
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/asynchronous.py", line 76, in init
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 210, in ipc_publish_client
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 152, in publish_client
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/tcp.py", line 220, in init
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 398, in init
2024-09-04 13:24:50,029 [salt.utils.parsers:1062][WARNING ][79193] Master received a SIGINT. Exiting
|
yes |
So I've done all the permission and still not able to ping to the minion02 from the master. Every Machine is running
altinsher@salt-master:~$ sudo salt 'minion02' test.ping
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/scripts.py", line 528, in salt_main
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cli/salt.py", line 192, in run
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/client/init.py", line 815, in cmd_cli
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/client/init.py", line 387, in run_job
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/client/init.py", line 1904, in pub
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/event.py", line 323, in connect_pub
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/asynchronous.py", line 76, in init
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 210, in ipc_publish_client
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 152, in publish_client
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/tcp.py", line 220, in init
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 398, in init
|
Check the permissions again. Be aware it resets the perms again whenever the salt master service is restarted. This fixes it for me (note the different paths
|
Didn't know that every reset resets the perms, so thx for that. Regardless it's still not working, the config should be fine:
altinsher@salt-master:~$ sudo salt 'minion02' test.ping
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/scripts.py", line 528, in salt_main
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cli/salt.py", line 192, in run
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/client/init.py", line 815, in cmd_cli
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/client/init.py", line 387, in run_job
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/client/init.py", line 1904, in pub
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/event.py", line 323, in connect_pub
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/asynchronous.py", line 76, in init
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 210, in ipc_publish_client
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 152, in publish_client
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/tcp.py", line 220, in init
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 398, in init
[ERROR ] Request client send timedout
|
@Yarakson you may need a
|
@jamest-pin I did what you suggested
Still:
altinsher@salt-master:~$ sudo salt 'minion02' test.ping
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/scripts.py", line 528, in salt_main
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cli/salt.py", line 192, in run
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/client/init.py", line 815, in cmd_cli
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/client/init.py", line 387, in run_job
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/client/init.py", line 1904, in pub
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/event.py", line 323, in connect_pub
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/asynchronous.py", line 76, in init
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 210, in ipc_publish_client
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 152, in publish_client
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/tcp.py", line 220, in init
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/transport/base.py", line 398, in init
[ERROR ] An un-handled exception was caught by Salt's global exception handler:
Does the minion also need salt:salt?:
|
probably, just trial and error until it works, that's what I did |
@jamest-pin [Service] |
Description
After upgrading to 3007.0, non-root users in the salt group (and in publisher_acl) can not start jobs. Permissions to ipc prevent access and are automatically reset.
Error messages:
Group membership and permissions:
Setting permissions:
Logs for salt master now have:
Restarting salt master:
The log from the restart has the following line:
Setup
Contents of /etc/salt/master.d/auth.conf:
Steps to Reproduce the behavior
Follow instructions at https://docs.saltproject.io/salt/user-guide/en/latest/topics/security.html#publisher-acls to set up publisher-acl and directory permissions.
Expected behavior
Non-root user can start jobs such as test.ping and permissions to do so are not reset when (re)starting the salt-master service. Was working before upgrade to 3007.0.
Versions Report
salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)