Description
The netapi does a naive check for if the salt-master is running before processing any requests. This check is fundamentally broken when ipc_mode = tcp.
Setup
- Configure "ipc_mode: tcp" in the master config.
- Start the API server.
- Attempt to login / run commands.
- Can't.
The cherrypy login endpoint does a check to see if the salt-master is running. Overall it seems pretty reasonable to do so.
|
def POST(self, **kwargs): |
|
""" |
|
:ref:`Authenticate <rest_cherrypy-auth>` against Salt's eauth system |
|
|
|
.. http:post:: /login |
|
|
|
:reqheader X-Auth-Token: |req_token| |
|
:reqheader Accept: |req_accept| |
|
:reqheader Content-Type: |req_ct| |
|
|
|
:form eauth: the eauth backend configured for the user |
|
:form username: username |
|
:form password: password |
|
|
|
:status 200: |200| |
|
:status 401: |401| |
|
:status 406: |406| |
|
|
|
**Example request:** |
|
|
|
.. code-block:: bash |
|
|
|
curl -si localhost:8000/login \\ |
|
-c ~/cookies.txt \\ |
|
-H "Accept: application/json" \\ |
|
-H "Content-type: application/json" \\ |
|
-d '{ |
|
"username": "saltuser", |
|
"password": "saltuser", |
|
"eauth": "auto" |
|
}' |
|
|
|
.. code-block:: text |
|
|
|
POST / HTTP/1.1 |
|
Host: localhost:8000 |
|
Content-Length: 42 |
|
Content-Type: application/json |
|
Accept: application/json |
|
|
|
{"username": "saltuser", "password": "saltuser", "eauth": "auto"} |
|
|
|
|
|
**Example response:** |
|
|
|
.. code-block:: text |
|
|
|
HTTP/1.1 200 OK |
|
Content-Type: application/json |
|
Content-Length: 206 |
|
X-Auth-Token: 6d1b722e |
|
Set-Cookie: session_id=6d1b722e; expires=Sat, 17 Nov 2012 03:23:52 GMT; Path=/ |
|
|
|
{"return": { |
|
"token": "6d1b722e", |
|
"start": 1363805943.776223, |
|
"expire": 1363849143.776224, |
|
"user": "saltuser", |
|
"eauth": "pam", |
|
"perms": [ |
|
"grains.*", |
|
"status.*", |
|
"sys.*", |
|
"test.*" |
|
] |
|
}} |
|
""" |
|
if not self.api._is_master_running(): |
|
raise salt.exceptions.SaltDaemonNotRunning("Salt Master is not available.") |
|
|
|
# the urlencoded_processor will wrap this in a list |
|
if isinstance(cherrypy.serving.request.lowstate, list): |
|
creds = cherrypy.serving.request.lowstate[0] |
|
else: |
|
creds = cherrypy.serving.request.lowstate |
That check is fundamentally flawed. It is only checking if some IPC socket files exist. And it's not even checking if they're socket files (but that's beside the point)! These socket files do not exist when ipc_mode = tcp. If I create the files the salt-api endpoint works with no further issues.
|
def _is_master_running(self): |
|
""" |
|
Perform a lightweight check to see if the master daemon is running |
|
|
|
Note, this will return an invalid success if the master crashed or was |
|
not shut down cleanly. |
|
""" |
|
# Windows doesn't have IPC. Assume the master is running. |
|
# At worse, it will error 500. |
|
if salt.utils.platform.is_windows(): |
|
return True |
|
|
|
if self.opts["transport"] == "tcp": |
|
ipc_file = "publish_pull.ipc" |
|
else: |
|
ipc_file = "workers.ipc" |
|
return os.path.exists(os.path.join(self.opts["sock_dir"], ipc_file)) |
For what it's worth the cherrypy login endpoint is the ONLY endpoint that checks if the salt-master is running. The tornado server does no checks whatsoever.
Options to fix:
- Check that the salt-master is running properly.
- Might be worth extending the checks to all the places that it's not checked or do one global check when the api starts and if it the salt-master is not running exit and if it is assume it's always running.
- Remove the check. No other endpoint uses the check. It's probably not needed?