[Pkg-salt-team] Bug#919231: salt-master: Upgrade Stretch -> Buster: permission denied on certain files/directories

Stijn Segers francesco.borromini at gmail.com
Sun Jan 13 22:00:37 GMT 2019


Package: salt-master
Version: 2018.3.3+dfsg1-2
Severity: important

Dear Maintainer,

Upgrading salt-master from its Stretch version to Buster (whole system was
upgraded) breaks the Salt master.

Symptoms:

E: Sub-process /usr/bin/dpkg returned an error code (1)

[...]

Job for salt-master.service failed because the control process exited with error code.
See "systemctl status salt-master.service" and "journalctl -xe" for details.
invoke-rc.d: initscript salt-master, action "restart" failed.
● salt-master.service - The Salt Master Server
   Loaded: loaded (/lib/systemd/system/salt-master.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2019-01-13 22:43:04 CET; 6ms ago
     Docs: man:salt-master(1)
           file:///usr/share/doc/salt/html/contents.html
           https://docs.saltstack.com/en/latest/contents.html
  Process: 14194 ExecStart=/usr/bin/salt-master (code=exited, status=1/FAILURE)
 Main PID: 14194 (code=exited, status=1/FAILURE)

jan 13 22:43:04 icarus salt-master[14194]:   File "/usr/lib/python3/dist-packages/salt/daemons/masterapi.py", line 237, in access_keys
jan 13 22:43:04 icarus salt-master[14194]:     key = mk_key(opts, user)
jan 13 22:43:04 icarus salt-master[14194]:   File "/usr/lib/python3/dist-packages/salt/daemons/masterapi.py", line 206, in mk_key
jan 13 22:43:04 icarus salt-master[14194]:     with salt.utils.files.fopen(keyfile, 'w+') as fp_:
jan 13 22:43:04 icarus salt-master[14194]:   File "/usr/lib/python3/dist-packages/salt/utils/files.py", line 387, in fopen
jan 13 22:43:04 icarus salt-master[14194]:     f_handle = open(*args, **kwargs)  # pylint: disable=resource-leakage
jan 13 22:43:04 icarus salt-master[14194]: PermissionError: [Errno 13] Permission denied: '/var/cache/salt/master/.salt_key'
jan 13 22:43:04 icarus systemd[1]: salt-master.service: Main process exited, code=exited, status=1/FAILURE
jan 13 22:43:04 icarus systemd[1]: salt-master.service: Failed with result 'exit-code'.
jan 13 22:43:04 icarus systemd[1]: Failed to start The Salt Master Server.


It turns out renaming /var/cache/salt works around this - a new /var/cache/salt
directory gets created and the .salt_key gets generated (does not exist on a
Stretch installation). There is a .root_key though.

After overwriting the contents of the new /var/cache/salt/ directory with what
was in the old one (and keeping the .salt_key), the Salt service starts, but
still seems unable to access (existing) directories:

jan 13 22:48:37 icarus salt-master[16017]: Traceback (most recent call last):
jan 13 22:48:37 icarus salt-master[16017]:   File "/usr/lib/python3.7/multiprocessing/process.py", line 297, in _bootstrap
jan 13 22:48:37 icarus salt-master[16017]:     self.run()
jan 13 22:48:37 icarus salt-master[16017]:   File "/usr/lib/python3/dist-packages/salt/utils/process.py", line 750, in _run
jan 13 22:48:37 icarus salt-master[16017]:     return self._original_run()
jan 13 22:48:37 icarus salt-master[16017]:   File "/usr/lib/python3/dist-packages/salt/master.py", line 234, in run
jan 13 22:48:37 icarus salt-master[16017]:     salt.utils.verify.check_max_open_files(self.opts)
jan 13 22:48:37 icarus salt-master[16017]:   File "/usr/lib/python3/dist-packages/salt/utils/verify.py", line 429, in check_max_open_files
jan 13 22:48:37 icarus salt-master[16017]:     accepted_count = len(os.listdir(accepted_keys_dir))
jan 13 22:48:37 icarus salt-master[16017]: PermissionError: [Errno 13] Permission denied: '/var/lib/salt/pki/master/minions'


This directory is 700, but when I chmod it to 755 (which I suppose is bad
practice; I presume it's 700 for a valid reason) and restart the Salt service,
the permissions are reset to 700:

$ ls -lh /var/lib/salt/pki/master/|grep minions
drwx------ 2  755 root 4,0K dec 29 16:21 minions

Let me know if you need more information. This was a clean upgrade from Stretch
(no bits and pieces).

Thank you

Stijn Segers



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (450, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8), LANGUAGE=nl_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages salt-master depends on:
ii  adduser          3.118
ii  lsb-base         10.2018112800
ii  python3          3.7.1-3
ii  python3-crypto   2.6.1-9+b1
ii  python3-systemd  234-2+b1
ii  python3-zmq      17.1.2-1
ii  salt-common      2018.3.3+dfsg1-2

Versions of packages salt-master recommends:
ii  python3-pygit2  0.27.3-1

salt-master suggests no packages.

-- Configuration Files:
/etc/salt/master changed [not included]

-- no debconf information
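
Added example, not part of the original report or of the Salt packaging: the `ls -l` line in the report shows a number (755) in the owner column, which `ls` prints when the owning UID has no passwd entry, so an ownership audit of the paths from the two tracebacks is a useful first check. The function names, `SALT_PATHS`, and the expected-UID argument are assumptions of this example; the account the master runs as must be supplied by the operator.

```shell
#!/bin/sh
# Added example: audit owner and mode of the Salt master paths named in the
# tracebacks. SALT_PATHS is taken from the report; the expected UID is an
# assumption passed in by the operator.

SALT_PATHS="/var/cache/salt/master /var/lib/salt/pki/master /var/lib/salt/pki/master/minions"

# audit_path PATH EXPECTED_UID
# Prints one line: STATUS MODE UID OWNER PATH
# STATUS: ok | unmapped-owner | owner-mismatch | missing
# Returns 0 only when STATUS is ok.
audit_path() {
    path=$1
    want_uid=$2
    if [ ! -e "$path" ]; then
        echo "missing - - - $path"
        return 1
    fi
    # stat -c: %a octal mode, %u numeric owner, %U owner name
    # (%U is the literal string UNKNOWN when the UID has no passwd entry)
    mode=$(stat -c '%a' "$path")
    uid=$(stat -c '%u' "$path")
    owner=$(stat -c '%U' "$path")
    if [ "$owner" = "UNKNOWN" ]; then
        status=unmapped-owner
    elif [ "$uid" != "$want_uid" ]; then
        status=owner-mismatch
    else
        status=ok
    fi
    echo "$status $mode $uid $owner $path"
    [ "$status" = ok ]
}

# audit_all EXPECTED_UID
# Audits every path in SALT_PATHS; the return code is the number of findings.
audit_all() {
    findings=0
    for p in $SALT_PATHS; do
        audit_path "$p" "$1" || findings=$((findings + 1))
    done
    return "$findings"
}

# Usage on the affected host, e.g. if the master runs as root: audit_all 0
```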

