-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Windows EC2 minion provisioned with salt-cloud keyed to master incorrectly #62968
Comments
one question. does your windows image already have a copy of salt installed? because remember if salt starts and there is no key where it is expecting it will create one. and these two keys look totally different, like different versions of salt generated them. the accepted key would be the one that is generated by the salt master that gets moved over. the other is generated by a salt-minion. and pushed towards the salt-master on start up. |
That's a great question -- I am just using the base Windows Server 2016 AMI ( As an extra test, I went ahead and installed |
interesting. so. one of the setups is that salt should detect if c:\salt exists and use it if it already exists. which i think salt-cloud takes advantage of. i know in my personal windows desktop that i have been upgrading forever my config is still found in c:\salt and I'm on 3005.1. and looking at the deploy for salt-cloud it does create c:\salt but it also tells the config to use that directory for the config. so i am not sure why it ends up moving over to the new default when it should already be using the old config directory. |
Is there any way to pass arguments to the installer which we declare for Windows win_installer: /root/Salt-Minion-3004.2-Py3-AMD64-Setup.exe there are install arguments like /S and /move-config which may help to have only one directory for the configuration etc. |
The issue has been fixed by: #63030 |
Opinion: Given that users of SaltStack Config are stuck with 3005 until SSC can work with Onedir packages (and Salt decided to release SSC with that limitation and only package 3006 with Onedir), it would seem reasonable that this and other serious bugs be back-ported to 3005 with the older packages. Yes, support gave me a patch, but that is messing with RHEL file packages which can cause issues if 3005.X is released with CVE security fixes and blows away the changed file. |
Description
When using
salt-cloud -p
to provision a Windows EC2 instance in AWS, the resulting minion is keyed to the master incorrectly. When runningsalt-key -L
, two thumbprints appear -- one inAccepted Keys
and one inDenied Keys
-- the thumbprint inDenied Keys
is correct (validated usingsalt-call key.finger --local
from the EC2 machine).We are installing version 3004.2 of the salt-minion onto Windows Server 2016 using the base/core Windows Server 2016 AMI provided by Amazon (AMI ID
ami-0d79078d185bf79b7
). This behavior does not occur for Linux EC2 instances.Setup
provider configuration
profile configuration
windows-firewall.ps1
Provision with
salt-cloud -p winserver2016_medium winserver2016_medium -l debug
. Once the VM is provisioned and command output is successfully returned:The minion appears in both
Accepted Keys
andDenied Keys
.A
test.ping
does not return successfully:Showing the fingerprints:
And then hopping onto the Windows EC2 instance:
The incorrect thumbprint is accepted on the Salt master -- how is there even 2 thumbprints to begin with?
I did some poking around and noticed that there are 2
conf
dirs however -- one atC:\salt\conf
(old pre-3000 salt-minion installations) and one atC:\ProgramData\Salt Project\Salt\conf
(newer salt-minion installs). Each has aminion.pub
in thepki
dir and they contain different contents:Is it possible this is the cause of the 2 thumbprints? My theory is that part of the salt-minion bootstrapping is creating the conf in
C:\salt
because when we onboard on-prem Windows VMs into Salt usingSalt-Minion-3004.2-Py3-AMD64-Setup.exe
it creates theconf
dir withinC:\ProgramData\Salt Project\Salt
.The workaround is to simply unkey with
salt-key -d
and restart the salt-minion service and it will attempt to re-key with the correct thumbprint. Note however that I did not delete either one of thepki
dirs.Expected behavior
The provisioned EC2 instance is keyed to the Salt master using the correct thumbprint.
Versions Report
The text was updated successfully, but these errors were encountered: