Error importing Salt states

OmniByte · August 17, 2018, 8:39am

Problem: Clicking import salt states throws 406 error
I can observe that the proxy.log reports an error connecting to the foreman instance (server1116) on port 9191. But that doesn’t make sense as the salt-proxy plugin runs on the salt-master (server1110) on port 9191. The smart-proxy should send the salt states to the foreman instance on port 8443.

proxy.log

E, [2018-08-17T10:19:10.231239 5f5df781] ERROR -- : Failed to list environments: Failed to open TCP connection to server1110.cs.technik.fhnw.ch:9191 (Connection refused - connect(2) for "server1110.cs.technik.fhnw.ch" port 9191)
I, [2018-08-17T10:19:10.294005 5f5df781]  INFO -- : 10.35.147.116 - - [17/Aug/2018:10:19:10 +0200] "GET /salt/environments HTTP/1.1" 406 176 0.1107

Uploading reports to the foreman server works, that is why I don’t assume an error in my configuration, however, from what the log says I can’t stop thinking I switched something around.

I found a bug on Redmine that described a fix to install a specific cherrypy version and add “*.” permission for the saltuser in the salt-master config but unfortunately that didn’t solve my issue: Bug #23985: "406 Not Acceptable" when attempting to import salt states - Salt - Foreman

Expected outcome:
Salt states should be imported from the salt-master and sent to Foreman via salt smart-proxy

Foreman and Proxy versions:
foreman instance

foreman/xenial,now 1.17.1-1 amd64

Foreman and Proxy plugin versions:
salt-master:

foreman-proxy/xenial,xenial,now 1.17.1-1 all 
ruby-foreman-salt/plugins,plugins,now 10.1.0-1 all

Other relevant data:

/etc/salt/foreman.yaml

:proto: https
:host: server1116.cs.technik.fhnw.ch
:port: 443
# if using http with ssl certificates
:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
:ssl_cert: "/var/lib/puppet/ssl/certs/server1110.cs.technik.fhnw.ch.pem"
:ssl_key: "/var/lib/puppet/ssl/private_keys/server1110.cs.technik.fhnw.ch.pem"
# if using http with username and password instead of https with certicates
#:username: admin
#:password: asdf
:timeout:  10
:salt:  /usr/bin/salt
:upload_grains:  true

/etc/foreman-proxy/settings.d/salt.yml

:enabled: true
:autosign_file: /etc/salt/autosign.conf
:salt_command_user: root
# Some features require using the Salt API - such as listing
# environments and retrieving state info
:use_api: true
:api_url: https://server1110.cs.technik.fhnw.ch:9191
:api_auth: pam
:api_username: saltuser
:api_password: asdf

/etc/salt/foreman

external_auth:
    pam:
        saltuser:
          - '@runner'
          - .*

rest_cherrypy:
  port: 9191
  host: 0.0.0.0
  ssl_key: /var/lib/puppet/ssl/private_keys/server1110.cs.technik.fhnw.ch.pem
  ssl_crt: /var/lib/puppet/ssl/certs/server1110.cs.technik.fhnw.ch.pe

CherryPy 3.2.3

pip show cherrypy
---
Metadata-Version: 1.1
Name: CherryPy
Version: 3.2.3

aruzicka · August 17, 2018, 12:13pm

Hi,
the error tells you smart proxy tried to ask the rest_cherrypi for a list of states and the connection was refused. Is the salt-api service running on the server1110 machine?

OmniByte · August 23, 2018, 9:17am

Hi @aruzicka

Good catch! It’s a riddle to me why the api wasn’t running as I didn’t restart the server - but that was the culprit.

I’ll keep in mind to have a look at netstat -tuna next time

Cheers

PS: Sorry for the late answer.