[Pkg-salt-team] Bug#919231: salt-master: Upgrade Stretch -> Buster: permission denied on certain files/directories
Stijn Segers
francesco.borromini at gmail.com
Sun Jan 13 22:00:37 GMT 2019
Package: salt-master
Version: 2018.3.3+dfsg1-2
Severity: important
Dear Maintainer,
Upgrading salt-master from its Stretch version to Buster (whole system was
upgraded) breaks the Salt master.
Symptoms:
E: Sub-process /usr/bin/dpkg returned an error code (1)
[...]
Job for salt-master.service failed because the control process exited with
error code.
See "systemctl status salt-master.service" and "journalctl -xe" for details.
invoke-rc.d: initscript salt-master, action "restart" failed.
● salt-master.service - The Salt Master Server
Loaded: loaded (/lib/systemd/system/salt-master.service; enabled; vendor
preset: enabled)
Active: failed (Result: exit-code) since Sun 2019-01-13 22:43:04 CET; 6ms
ago
Docs: man:salt-master(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltstack.com/en/latest/contents.html
Process: 14194 ExecStart=/usr/bin/salt-master (code=exited, status=1/FAILURE)
Main PID: 14194 (code=exited, status=1/FAILURE)
jan 13 22:43:04 icarus salt-master[14194]: File "/usr/lib/python3/dist-
packages/salt/daemons/masterapi.py", line 237, in access_keys
jan 13 22:43:04 icarus salt-master[14194]: key = mk_key(opts, user)
jan 13 22:43:04 icarus salt-master[14194]: File "/usr/lib/python3/dist-
packages/salt/daemons/masterapi.py", line 206, in mk_key
jan 13 22:43:04 icarus salt-master[14194]: with
salt.utils.files.fopen(keyfile, 'w+') as fp_:
jan 13 22:43:04 icarus salt-master[14194]: File "/usr/lib/python3/dist-
packages/salt/utils/files.py", line 387, in fopen
jan 13 22:43:04 icarus salt-master[14194]: f_handle = open(*args, **kwargs)
# pylint: disable=resource-leakage
jan 13 22:43:04 icarus salt-master[14194]: PermissionError: [Errno 13]
Permission denied: '/var/cache/salt/master/.salt_key'
jan 13 22:43:04 icarus systemd[1]: salt-master.service: Main process exited,
code=exited, status=1/FAILURE
jan 13 22:43:04 icarus systemd[1]: salt-master.service: Failed with result
'exit-code'.
jan 13 22:43:04 icarus systemd[1]: Failed to start The Salt Master Server.
It turns out renaming /var/cache/salt works around this - a new /var/cache/salt
directory gets created and the .salt_key gets generated (does not exist on a
Stretch installation). There is a .root_key though.
After overwriting the contents of the new /var/cache/salt/ directory with what
was in the old one (and keeping the .salt_key), the Salt service starts, but
still seems unable to access (existing) directories:
jan 13 22:48:37 icarus salt-master[16017]: Traceback (most recent call last):
jan 13 22:48:37 icarus salt-master[16017]: File
"/usr/lib/python3.7/multiprocessing/process.py", line 297, in _bootstrap
jan 13 22:48:37 icarus salt-master[16017]: self.run()
jan 13 22:48:37 icarus salt-master[16017]: File "/usr/lib/python3/dist-
packages/salt/utils/process.py", line 750, in _run
jan 13 22:48:37 icarus salt-master[16017]: return self._original_run()
jan 13 22:48:37 icarus salt-master[16017]: File "/usr/lib/python3/dist-
packages/salt/master.py", line 234, in run
jan 13 22:48:37 icarus salt-master[16017]:
salt.utils.verify.check_max_open_files(self.opts)
jan 13 22:48:37 icarus salt-master[16017]: File "/usr/lib/python3/dist-
packages/salt/utils/verify.py", line 429, in check_max_open_files
jan 13 22:48:37 icarus salt-master[16017]: accepted_count =
len(os.listdir(accepted_keys_dir))
jan 13 22:48:37 icarus salt-master[16017]: PermissionError: [Errno 13]
Permission denied: '/var/lib/salt/pki/master/minions'
This directory is 700, but when I chmod it to 755 (which I suppose is bad
practice, I presume it's 700 for a valid reason), restart
the Salt service, the permissions are reset to 700:
$ ls -lh /var/lib/salt/pki/master/|grep minions
drwx------ 2 755 root 4,0K dec 29 16:21 minions
Let me know if you need more information. This was a clean upgrade from Stretch
(no bits and pieces).
Thank you
Stijn Segers
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (450, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8), LANGUAGE=nl_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages salt-master depends on:
ii adduser 3.118
ii lsb-base 10.2018112800
ii python3 3.7.1-3
ii python3-crypto 2.6.1-9+b1
ii python3-systemd 234-2+b1
ii python3-zmq 17.1.2-1
ii salt-common 2018.3.3+dfsg1-2
Versions of packages salt-master recommends:
ii python3-pygit2 0.27.3-1
salt-master suggests no packages.
-- Configuration Files:
/etc/salt/master changed [not included]
-- no debconf information
More information about the pkg-salt-team
mailing list