Port from SW - Salt master rsa key issue
-
@dgingerich said in Port from SW - Salt master rsa key issue:
Of course, trying the same sequence, I cannot reproduce the results. Looks like I'm going to have to rebuild the masters.
Maybe copying the rsa key files to the new systems will be possible.
Possible. Or it might be worth accepting the pain of changing the keys on GIT.
-
Rebuilding the systems did not work. Getting the same issue with a brand new master under the same name.
-
@dgingerich said in Port from SW - Salt master rsa key issue:
Rebuilding the systems did not work. Getting the same issue with a brand new master under the same name.
You didn't do anything with the keys, you left the new system with its automatically created keys? The minions will not be able to rejoin with the same name, you'll need to remove them and add them again.
-
@scottalanmiller The other minions were not included in this. The masters would not even log into themselves after the keys were accepted. Total blank slate machines, install salt-master and salt-minion, configure them to point to themselves, (other minions were turned off) and they still failed the test.ping and salt-minion -l debug gave the exact same result. Could it be something with the DNS info?
-
So the masters can't see THEMSELVES? What master name are you using? You could try using a straight IP address to test. Yes, DNS could do this.
-
root@QAICS-MAN-01:~# apt-get install salt-master salt-minion
...
root@QAICS-MAN-01:/etc/salt# vi minion
root@QAICS-MAN-01:/etc/salt# vi master
root@QAICS-MAN-01:/etc/salt# service salt-master start
root@QAICS-MAN-01:/etc/salt# service salt-minion start
root@QAICS-MAN-01:/etc/salt# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
QAICS-MAN-01
QAICS-MAN-02
Rejected Keys:
root@QAICS-MAN-01:/etc/salt# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
QAICS-MAN-01
QAICS-MAN-02
Rejected Keys:
root@QAICS-MAN-01:/etc/salt# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
QAICS-MAN-01
QAICS-MAN-02
Proceed? [n/Y] y
Key for minion QAICS-MAN-01 accepted.
Key for minion QAICS-MAN-02 accepted.
Key for minion QAICS-Proxy-01 accepted.
root@QAICS-MAN-01:/etc/salt# salt-key -L
Accepted Keys:
QAICS-MAN-01
QAICS-MAN-02
Denied Keys:
Unaccepted Keys:
Rejected Keys:
root@QAICS-MAN-01:/etc/salt# salt '*' test.ping
[WARNING ] Key 'file_ignore_glob' with value None has an invalid type of NoneType, a list is required for this value
[WARNING ] Key 'file_ignore_glob' with value None has an invalid type of NoneType, a list is required for this value
[WARNING ] Key 'file_ignore_glob' with value None has an invalid type of NoneType, a list is required for this value
[WARNING ] Key 'file_ignore_glob' with value None has an invalid type of NoneType, a list is required for this value
[WARNING ] jid does not exist
[WARNING ] Returner unavailable:
QAICS-MAN-02:
Minion did not return. [No response]
QAICS-MAN-01:
Minion did not return. [No response]
root@QAICS-MAN-01:/etc/salt#
-
@dgingerich said in Port from SW - Salt master rsa key issue:
[WARNING ] Key 'file_ignore_glob' with value None has an invalid type of NoneType, a list is required for this value
Maybe you have duplicate DNS entries and round robin is getting you?
-
@scottalanmiller said in Port from SW - Salt master rsa key issue:
Maybe you have duplicate DNS entries and round robin is getting you?
The DNS is just one address for each. I changed them to the new IPs while the systems were building at the authoritative servers. (Systems are housed at Packet.net, DNS handled through AWS) So, there should not be any DNS caching issues.
-
@dgingerich said in Port from SW - Salt master rsa key issue:
The DNS is just one address for each. I changed them to the new IPs while the systems were building at the authoritative servers. (Systems are housed at Packet.net, DNS handled through AWS) So, there should not be any DNS caching issues.
Oh okay, this is all hosted. Still, best to be sure and rule out possibilities while testing. This is weird, we use Vultr for Salt Masters and have never seen anything like this. But we avoid Ubuntu, so if there is any bug there, we'd not have seen it.
-
@scottalanmiller said in Port from SW - Salt master rsa key issue:
Oh okay, this is all hosted. Still, best to be sure and rule out possibilities while testing. This is weird, we use Vultr for Salt Masters and have never seen anything like this. But we avoid Ubuntu, so if there is any bug there, we'd not have seen it.
I was able to build another system, named QAICS-mastertest, that worked perfectly using the exact same methods. It's really weird.
-
@dgingerich said in Port from SW - Salt master rsa key issue:
I was able to build another system, named QAICS-mastertest, that worked perfectly using the exact same methods. It's really weird.
Very weird. So the changing of the name played a role.
-
OK. I've deleted the DNS entries and the systems from Packet.net. I'm going to try again tomorrow morning after all the DNS caching should have expired.
-
@dgingerich said in Port from SW - Salt master rsa key issue:
OK. I've deleted the DNS entries and the systems from Packet.net. I'm going to try again tomorrow morning after all the DNS caching should have expired.
Okay. I'll be around.
-
Thank you very much for your time on this.
-
@dgingerich said in Port from SW - Salt master rsa key issue:
Thank you very much for your time on this.
No problem. Sorry that we've not gotten it all figured out yet.
-
I too am not an expert, more like playing with Salt, and you seem like you know more about it than me, but this one-liner helps me when I feel something is cached in the setting, or a command fails because it's already running:
salt '*' saltutil.kill_all_jobs && salt-run cache.clear_all && salt '*' saltutil.clear_cache && salt '*' saltutil.sync_all
-
@msff-amman-Itofficer said in Port from SW - Salt master rsa key issue:
I too am not an expert, more like playing with Salt, and you seem like you know more about it than me, but this one-liner helps me when I feel something is cached in the setting, or a command fails because it's already running:
salt '*' saltutil.kill_all_jobs && salt-run cache.clear_all && salt '*' saltutil.clear_cache && salt '*' saltutil.sync_all
Yeah, that wouldn't work because the masters simply aren't talking to the minions.
Over the weekend, I tried to delete the DNS and recreate the masters after 12 hours, and that did sort of work, for a bit. The masters would talk to themselves, but as soon as two minions were connected, the communication just stopped again. I don't have any idea what is causing this.
-
What if you create new masters with totally new names? Start fresh, including the names. A huge pain, I know, but I think that that key regeneration did something horrible. Just avoid that next time, use the keys that are generated automatically only. This is a bad break that I'd love to get figured out, but I know that you have a time crunch and we want this working, too.
-
@scottalanmiller said in Port from SW - Salt master rsa key issue:
What if you create new masters with totally new names? Start fresh, including the names. A huge pain, I know, but I think that that key regeneration did something horrible. Just avoid that next time, use the keys that are generated automatically only. This is a bad break that I'd love to get figured out, but I know that you have a time crunch and we want this working, too.
Tried this. It works, but the salt scripts have to be adjusted for the new names in order to work, and I have not had success with that. The guy who made the scripts is in Italy this whole week, and then UK for the week after that.