
Comments (7)

dwoz commented on August 28, 2024

@tjyang Is fips enabled? That would explain why OAEP-SHA1 is not supported. If fips is enabled you should modify your master and minion configs:

# master.conf
fips_mode: True
publish_signing_algorithm: PKCS1v15-SHA224
# minion.conf
fips_mode: True                                           
encryption_algorithm: OAEP-SHA224
signing_algorithm: PKCS1v15-SHA224

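One way to check a host for the mismatch described in the comment above, as an added example that is not part of the thread or of Salt's own code. It assumes the Linux kernel flag `/proc/sys/crypto/fips_enabled` is the FIPS signal, that the configs live at `/etc/salt/master` and `/etc/salt/minion`, and that an unset algorithm option falls back to a SHA-1 default; the sample configs are constructed.

```python
import re

# Settings the comment above recommends when FIPS is enabled, per config file.
FIPS_SETTINGS = {
    "master": {
        "fips_mode": "True",
        "publish_signing_algorithm": "PKCS1v15-SHA224",
    },
    "minion": {
        "fips_mode": "True",
        "encryption_algorithm": "OAEP-SHA224",
        "signing_algorithm": "PKCS1v15-SHA224",
    },
}

# Top-level "key: value" line, with an optional trailing "# comment".
OPTION_RE = re.compile(r"^([A-Za-z_]\w*):\s*(.*?)(?:\s+#.*)?\s*$")


def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True when the Linux kernel reports FIPS mode; False if the flag is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def parse_options(text):
    """Collect flat top-level options; nested YAML and drop-in files are ignored."""
    opts = {}
    for line in text.splitlines():
        if not line or line[0] in " \t#":
            continue
        match = OPTION_RE.match(line)
        if match:
            opts[match.group(1)] = match.group(2).strip("'\"")
    return opts


def audit(role, config_text, fips_on):
    """Return findings for a 'master' or 'minion' config on a FIPS host."""
    if not fips_on:
        return []
    opts = parse_options(config_text)
    findings = []
    for key, want in FIPS_SETTINGS[role].items():
        have = opts.get(key)
        if key == "fips_mode":
            ok = have is not None and have.lower() == "true"
        else:
            # Assumption: an unset algorithm falls back to a SHA-1 default,
            # which is what the OAEP-SHA1 error in this thread suggests.
            ok = have is not None and not have.upper().endswith("SHA1")
        if not ok:
            findings.append(f"{role}: {key} is {have or 'unset'}, expected {want}")
    return findings


# Constructed samples: a minion config with no FIPS options, the minion
# settings recommended above, and a master still pinned to a SHA-1 signature.
SAMPLE_MINION_DEFAULT = "master: localhost\nid: tp4\n"
SAMPLE_MINION_FIPS = (
    "master: localhost\n"
    "fips_mode: True\n"
    "encryption_algorithm: OAEP-SHA224\n"
    "signing_algorithm: PKCS1v15-SHA224\n"
)
SAMPLE_MASTER_SHA1 = "fips_mode: True\npublish_signing_algorithm: PKCS1v15-SHA1  # old\n"

if __name__ == "__main__":
    fips_on = kernel_fips_enabled()
    for role in ("master", "minion"):
        try:
            with open(f"/etc/salt/{role}") as fh:  # assumed default paths
                text = fh.read()
        except OSError:
            continue
        for finding in audit(role, text, fips_on):
            print(finding)
```

Options set in drop-in files such as `minion.d/*.conf` are not merged by this sketch, so audit those files separately if the settings live there.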

dmurphy18 commented on August 28, 2024

Unable to reproduce this on a Photon 4 container that is updated to currently supported software, that is, tdnf -y update
Installed salt-minion and salt-master Salt 3006.9 and found no problems

root [ / ]# salt-call --local test.versions
local:
    Salt Version:
              Salt: 3006.9
     
    Python Version:
            Python: 3.10.14 (main, Jun 26 2024, 11:44:37) [GCC 11.2.0]
     
    Dependency Versions:
              cffi: 1.14.6
          cherrypy: 18.6.1
      cryptography: 42.0.5
          dateutil: 2.8.1
         docker-py: Not Installed
             gitdb: Not Installed
         gitpython: Not Installed
            Jinja2: 3.1.4
           libgit2: Not Installed
##### Primary configuration settings #####
##########################################
# This configuration file is used to manage the behavior of the Salt Minion.
# With the exception of the location of the Salt Master Server, values that are
# commented out but have an empty line after the comment are defaults that need
# not be set in the config. If there is no blank line after the comment, the
# value is presented as an example and is not the default.

# Per default the minion will automatically include all config files
# from minion.d/*.conf (minion.d is a directory in the same directory
# as the main minion config file).
#default_include: minion.d/*.conf

# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
#master: salt
master: localhost
id: tp4

# Set http proxy information for the minion when doing requests
#proxy_host:
#proxy_port:
#proxy_username:
#proxy_password:

# List of hosts to bypass HTTP proxy. This key does nothing unless proxy_host etc is
# configured, it does not support any kind of wildcards.
#no_proxy: []

# If multiple masters are specified in the 'master' setting, the default behavior
# is to always try to connect to them in the order they are listed. If random_master
# is set to True, the order will be randomized upon Minion startup instead. This can
# be helpful in distributing the load of many minions executing salt-call requests,
# for example, from a cron job. If only one master is listed, this setting is ignored
# and a warning will be logged.
#random_master: False

# NOTE: Deprecated in Salt 2019.2.0. Use 'random_master' instead.
#master_shuffle: False

# Minions can connect to multiple masters simultaneously (all masters
# are "hot"), or can be configured to failover if a master becomes
# unavailable.  Multiple hot masters are configured by setting this
# value to "str".  Failover masters can be requested by setting
# to "failover".  MAKE SURE TO SET master_alive_interval if you are
"/etc/salt/minion" 965L, 40007B written
root [ / ]# systemctl restart salt-minion
bash: systemctl: command not found
root [ / ]# l='ls -alrth --color=auto'
root [ / ]# l /etc/    
.pwd.lock          environment        gshadow-           issue.net          locale-gen.conf    modprobe.d/        os-release         pki/               rpm/               shells             sudoers            yum.repos.d/
bash.bashrc        fstab              hostname           ld.so.cache        login.access       motdgen.d/         pam.d/             profile            salt/              skel/              sudoers.d/         
bash_completion.d/ group              hosts              ld.so.conf         login.defs         mtab               passwd             profile.d/         security/          ssl/               sysconfig/         
default/           group-             inputrc            ld.so.conf.d/      logrotate.d/       nsswitch.conf      passwd-            resolv.conf        shadow             sudo.conf          tdnf/              
dircolors          gshadow            issue              limits             lsb-release        opt/               photon-release     rpc                shadow-            sudo_logsrvd.conf  vimrc              
root [ / ]# tdnf install systemctl
systemctl package not found or not installed
Error(1011) : No matching packages
root [ / ]# tdnf list | grep systemd
systemd-rpm-macros.noarch                   247.3-1.ph4         photon-release
rubygem-fluent-plugin-systemd.x86_64        1.0.2-1.ph4         photon-release
rubygem-systemd-journal.x86_64              1.4.2-1.ph4         photon-release
systemd.x86_64                              247.3-1.ph4         photon-release
systemd-container.x86_64                    247.3-1.ph4         photon-release
systemd-devel.x86_64                        247.3-1.ph4         photon-release
systemd-journal-remote.x86_64               247.3-1.ph4         photon-release
systemd-lang.x86_64                         247.3-1.ph4         photon-release
systemd-libs.x86_64                         247.3-1.ph4         photon-release
systemd-pam.x86_64                          247.3-1.ph4         photon-release
systemd-tests.x86_64                        247.3-1.ph4         photon-release
systemd-udev.x86_64                         247.3-1.ph4         photon-release
fail2ban-systemd.noarch                     1.0.2-2.ph4         photon-updates
python3-systemd.x86_64                      235-1.ph4           photon-updates
rpm-plugin-systemd-inhibit.x86_64           4.16.1.3-19.ph4     photon-updates
rubygem-fluent-plugin-systemd.x86_64        1.0.5-1.ph4         photon-updates
rubygem-systemd-journal.x86_64              1.4.2-1.ph4         photon-updates
systemd.x86_64                              247.13-12.ph4       photon-updates
systemd-container.x86_64                    247.13-12.ph4       photon-updates
systemd-devel.x86_64                        247.13-12.ph4       photon-updates
systemd-journal-remote.x86_64               247.13-12.ph4       photon-updates
systemd-lang.x86_64                         247.13-12.ph4       photon-updates
systemd-libs.x86_64                         247.13-12.ph4       photon-updates
systemd-pam.x86_64                          247.13-12.ph4       photon-updates
systemd-rpm-macros.noarch                   247.13-12.ph4       photon-updates
systemd-tests.x86_64                        247.13-12.ph4       photon-updates
systemd-udev.x86_64                         247.13-12.ph4       photon-updates
root [ / ]# tdnf install systemd -y

Installing:
libunistring                                                              x86_64                               0.9.10-2.ph4                                      photon-updates                                  4.39M 4600735
libltdl                                                                   x86_64                               2.4.6-3.ph4                                       photon-release                                   47.74k 48888
libatomic_ops                                                             x86_64                               7.6.10-2.ph4                                      photon-updates                                   49.93k 51124
libffi                                                                    x86_64                               3.3-1.ph4                                         photon-release                                   43.63k 44680
nettle                                                                    x86_64                               3.7.3-1.ph4                                       photon-updates                                 731.17k 748721
libtasn1                                                                  x86_64                               4.14-2.ph4                                        photon-updates                                 127.08k 130135
glibc-iconv                                                               x86_64                               2.32-19.ph4                                       photon-updates                                  7.90M 8285185
guile                                                                     x86_64                               2.0.13-4.ph4                                      photon-updates                                10.73M 11255203
gmp                                                                       x86_64                               6.2.0-1.ph4                                       photon-release                                 532.45k 545232
gc                                                                        x86_64                               8.0.4-2.ph4                                       photon-updates                                 525.82k 538435
autogen-libopts                                                           x86_64                               5.18.16-4.ph4                                     photon-updates                                 148.20k 151754
attr                                                                      x86_64                               2.4.48-2.ph4                                      photon-updates                                   91.93k 94133
util-linux-libs                                                           x86_64                               2.37.4-2.ph4                                      photon-updates                                 764.87k 783226
util-linux                                                                x86_64                               2.37.4-2.ph4                                      photon-updates                                  6.58M 6895221
libseccomp                                                                x86_64                               2.5.0-3.ph4                                       photon-updates                                 167.71k 171735
libmicrohttpd                                                             x86_64                               0.9.76-2.ph4                                      photon-updates                                 173.06k 177216
libgpg-error                                                              x86_64                               1.39-1.ph4                                        photon-release                                 223.29k 228654
libacl                                                                    x86_64                               2.2.53-2.ph4                                      photon-updates                                   39.70k 40650
kmod                                                                      x86_64                               27-1.ph4                                          photon-release                                 266.29k 272681
gnutls                                                                    x86_64                               3.7.10-3.ph4                                      photon-updates                                  4.09M 4288567
sed                                                                       x86_64                               4.8-3.ph4                                         photon-updates                                 194.55k 199218
lz4                                                                       x86_64                               1.9.2-2.ph4                                       photon-updates                                 464.87k 476022
libgcrypt                                                                 x86_64                               1.9.4-2.ph4                                       photon-updates                                  1.31M 1371731
grep                                                                      x86_64                               3.4-2.ph4                                         photon-updates                                 234.56k 240186
zstd                                                                      x86_64                               1.5.2-2.ph4                                       photon-updates                                  1.13M 1183428
xz                                                                        x86_64                               5.2.5-2.ph4                                       photon-updates                                 167.07k 171084
pcre                                                                      x86_64                               8.44-4.ph4                                        photon-updates                                  1.10M 1149057
libarchive                                                                x86_64                               3.4.3-10.ph4                                      photon-updates                                 882.09k 903260
libstdc++                                                                 x86_64                               10.5.0-1.ph4                                      photon-updates                                  1.98M 2071594
elfutils                                                                  x86_64                               0.181-7.ph4                                       photon-updates                                  3.56M 3728269
bzip2                                                                     x86_64                               1.0.8-4.ph4                                       photon-updates                                 124.97k 127968
systemd-rpm-macros                                                        noarch                               247.13-12.ph4                                     photon-updates                                     5.45k 5581
systemd-pam                                                               x86_64                               247.13-12.ph4                                     photon-updates                                 452.88k 463749
systemd-libs                                                              x86_64                               247.13-12.ph4                                     photon-updates                                  1.60M 1673908
glib                                                                      x86_64                               2.68.4-2.ph4                                      photon-updates                                  3.54M 3713691
systemd                                                                   x86_64                               247.13-12.ph4                                     photon-updates                                12.92M 13552710

Total installed size:  67.12M 70383631

Downloading:
libunistring                            628810 100%
libltdl                                  25956 100%
libatomic_ops                            21790 100%
libffi                                   27240 100%
nettle                                  365657 100%
libtasn1                                 58541 100%
glibc-iconv                            1651555 100%
guile                                  2633529 100%
gmp                                     272614 100%
gc                                      207925 100%
autogen-libopts                          71645 100%
attr                                     41217 100%
util-linux-libs                         284507 100%
util-linux                             1713001 100%
libseccomp                               66565 100%
libmicrohttpd                            85232 100%
libgpg-error                             96542 100%
libacl                                   24082 100%
kmod                                     98590 100%
gnutls                                 1476993 100%
sed                                     104786 100%
lz4                                     143349 100%
libgcrypt                               505019 100%
grep                                    129557 100%
zstd                                    465419 100%
xz                                       87637 100%
pcre                                    376004 100%
libarchive                              372867 100%
libstdc++                               590955 100%
elfutils                                785938 100%
bzip2                                    69184 100%
systemd-rpm-macros                       18989 100%
systemd-pam                             210812 100%
systemd-libs                            559578 100%
glib                                   1281881 100%
systemd                                3749366 100%
Testing transaction
Running transaction
Installing/Updating: libstdc++-10.5.0-1.ph4.x86_64
Installing/Updating: util-linux-libs-2.37.4-2.ph4.x86_64
Installing/Updating: gmp-6.2.0-1.ph4.x86_64
Installing/Updating: xz-5.2.5-2.ph4.x86_64
Installing/Updating: lz4-1.9.2-2.ph4.x86_64
Installing/Updating: libgpg-error-1.39-1.ph4.x86_64
Installing/Updating: libgcrypt-1.9.4-2.ph4.x86_64
Installing/Updating: libffi-3.3-1.ph4.x86_64
Installing/Updating: glib-2.68.4-2.ph4.x86_64
Installing/Updating: kmod-27-1.ph4.x86_64
Installing/Updating: nettle-3.7.3-1.ph4.x86_64
Installing/Updating: util-linux-2.37.4-2.ph4.x86_64
Installing/Updating: pcre-8.44-4.ph4.x86_64
Installing/Updating: systemd-rpm-macros-247.13-12.ph4.noarch
Installing/Updating: bzip2-1.0.8-4.ph4.x86_64
Installing/Updating: zstd-1.5.2-2.ph4.x86_64
Installing/Updating: libarchive-3.4.3-10.ph4.x86_64
Installing/Updating: grep-3.4-2.ph4.x86_64
Installing/Updating: libseccomp-2.5.0-3.ph4.x86_64
Installing/Updating: attr-2.4.48-2.ph4.x86_64
Installing/Updating: libacl-2.2.53-2.ph4.x86_64
Installing/Updating: sed-4.8-3.ph4.x86_64
Installing/Updating: systemd-libs-247.13-12.ph4.x86_64
Installing/Updating: autogen-libopts-5.18.16-4.ph4.x86_64
Installing/Updating: glibc-iconv-2.32-19.ph4.x86_64
Installing/Updating: libtasn1-4.14-2.ph4.x86_64
Installing/Updating: libatomic_ops-7.6.10-2.ph4.x86_64
Installing/Updating: gc-8.0.4-2.ph4.x86_64
Installing/Updating: libltdl-2.4.6-3.ph4.x86_64
Installing/Updating: libunistring-0.9.10-2.ph4.x86_64
Installing/Updating: guile-2.0.13-4.ph4.x86_64
Installing/Updating: gnutls-3.7.10-3.ph4.x86_64
Installing/Updating: libmicrohttpd-0.9.76-2.ph4.x86_64
Installing/Updating: elfutils-0.181-7.ph4.x86_64
Installing/Updating: systemd-pam-247.13-12.ph4.x86_64
Installing/Updating: systemd-247.13-12.ph4.x86_64

Complete!
root [ / ]# systemctl restart salt-minion
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
root [ / ]# ps -ef | grep salt
root             263       1 0 17:17:09 pts/0 00:00:00 grep salt
root [ / ]# salt-minion &
[1] 264
root [ / ]# ps -ef | grep salt
root             264       1 6 17:17:31 pts/0 00:00:00 python3.10 /usr/bin/salt-minion
root             272     264 9 17:17:31 pts/0 00:00:00 salt-minion MultiMinionProcessManager MinionProcessManager
root             295       1 0 17:17:34 pts/0 00:00:00 grep salt
root [ / ]# salt-master &
[2] 296
root [ / ]# ps -ef | grep salt
root             264       1 1 17:17:31 pts/0 00:00:00 python3.10 /usr/bin/salt-minion
root             272     264 2 17:17:31 pts/0 00:00:00 salt-minion MultiMinionProcessManager MinionProcessManager
salt             296       1 31 17:17:46 136:0 00:00:00 salt-master MainProcess
salt             331     296 0 17:17:47 136:0 00:00:00 salt-master PubServerChannel._publish_daemon
salt             332     296 0 17:17:47 136:0 00:00:00 salt-master EventPublisher
salt             335     296 19 17:17:47 136:0 00:00:00 salt-master Maintenance
salt             336     296 1 17:17:47 136:0 00:00:00 salt-master ReqServer ReqServer_ProcessManager
salt             337     336 0 17:17:47 136:0 00:00:00 salt-master ReqServer MWorkerQueue
salt             338     336 26 17:17:47 136:0 00:00:00 salt-master ReqServer MWorker-0
salt             339     336 24 17:17:47 136:0 00:00:00 salt-master ReqServer MWorker-1
salt             340     296 0 17:17:47 136:0 00:00:00 salt-master FileServerUpdate
salt             341     336 24 17:17:47 136:0 00:00:00 salt-master ReqServer MWorker-2
salt             348     336 28 17:17:47 136:0 00:00:00 salt-master ReqServer MWorker-3
salt             349     336 31 17:17:47 136:0 00:00:00 salt-master ReqServer MWorker-4
root             554       1 0 17:17:48 pts/0 00:00:00 grep salt
root [ / ]# [ERROR   ] The Salt Master has cached the public key for this node, this salt minion will wait for 10 seconds before attempting to re-authenticate

root [ / ]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
tp4
Rejected Keys:
root [ / ]# salt-key -[ERROR   ] The Salt Master has cached the public key for this node, this salt minion will wait for 10 seconds before attempting to re-authenticate
y -a tp4
The following keys are going to be accepted:
Unaccepted Keys:
tp4
Key for minion tp4 accepted.
root [ / ]# salt tp4 test.versions
tp4:
    Salt Version:
              Salt: 3006.9
     
    Python Version:
            Python: 3.10.14 (main, Jun 26 2024, 11:44:37) [GCC 11.2.0]
     
    Dependency Versions:
              cffi: 1.14.6
          cherrypy: 18.6.1
      cryptography: 42.0.5
          dateutil: 2.8.1
         docker-py: Not Installed
             gitdb: Not Installed
         gitpython: Not Installed
            Jinja2: 3.1.4
           libgit2: Not Installed
      looseversion: 1.0.2
          M2Crypto: Not Installed
              Mako: Not Installed
           msgpack: 1.0.2
      msgpack-pure: Not Installed
      mysql-python: Not Installed
         packaging: 22.0
         pycparser: 2.21
          pycrypto: Not Installed
      pycryptodome: 3.19.1
            pygit2: Not Installed
      python-gnupg: 0.4.8
            PyYAML: 6.0.1
             PyZMQ: 23.2.0
            relenv: 0.17.0
             smmap: Not Installed
           timelib: 0.2.4
           Tornado: 4.5.3
               ZMQ: 4.3.4
     
    System Versions:
              dist: photon 4.0 Photon
            locale: utf-8
           machine: x86_64
           release: 6.8.0-39-generic
            system: Linux
           version: VMware Photon OS 4.0 Photon
     
root [ / ]#

Can you provide more details to reproduce the issue or recheck your environment?
Noting that the tdnf update did install openssl v 3.0.14-3.ph4, which typically does not support SHA-1, and Salt 3006.9 also makes use of openssl v3.x which does not support SHA-1 out of the box.
Reason for moving to SHA-256 keys with 3006.0 and above.

Also

root [ / ]# rpm -qa | grep salt
salt-3006.9-0.x86_64
salt-master-3006.9-0.x86_64
salt-minion-3006.9-0.x86_64
root [ / ]# salt-call --master=localhost test.version
local:
    3006.9
root [ / ]# 

tjyang commented on August 28, 2024

@dmurphy18, thanks for the quick reply. I will recheck my setup again with your testing.

dmurphy18 commented on August 28, 2024

@tjyang Have an internal report with the same issue (suspect they are using old EOL versions of Salt), but also unable to reproduce the problem with a salt-master (Rocky Linux 9) Salt 3007.1 and salt-minion (Photon 4 docker container) 3006.9, and no problems seen.

dmurphy18 commented on August 28, 2024

@tjyang From the internal discussions with user on Photon 4.0 have the following

wondering if they upgraded from openssl v1.x to openssl v3.x which drops SHA-1 and that is the cause of the problem.
Given it appeared as an update on the container I suspect so
From a fresh container of Photon 4

root [ / ]# tdnf list | grep openssl
openssl.x86_64                              3.0.14-2.ph4             @System
openssl.x86_64                              1.1.1i-2.ph4        photon-release
openssl-c_rehash.x86_64                     1.1.1i-2.ph4        photon-release
openssl-devel.x86_64                        1.1.1i-2.ph4        photon-release
openssl-docs.x86_64                         1.1.1i-2.ph4        photon-release
openssl-perl.x86_64                         1.1.1i-2.ph4        photon-release
openssl.x86_64                              3.0.14-3.ph4        photon-updates
openssl-c_rehash.x86_64                     3.0.14-3.ph4        photon-updates
openssl-devel.x86_64                        3.0.14-3.ph4        photon-updates
openssl-docs.x86_64                         3.0.14-3.ph4        photon-updates
openssl-fips-provider.x86_64                3.0.8-2.ph4         photon-updates
openssl-perl.x86_64                         3.0.14-3.ph4        photon-updates
root [ / ]#

photon-release was openssl v1.x, and System is now openssl v3.x; suspect things were using SHA-1 at the time and, after the update, SHA-1 is now MIA.

Wondering if system was recently updated

tjyang commented on August 28, 2024

@dwoz, your input fixed my problem. Yes, FIPS was enabled on this vcenter 8.0.0 (not latest 8.0U3) instance.
@dmurphy18, thanks for your inputs also.
I see now the bug reports are responded to more quickly by core team members.
Thank you all.
Please resolve this issue.

dmurphy18 commented on August 28, 2024

@tjyang Marking this closed since FIPS settings resolved the issue
