Recently, when using SaltStack to get a token, I kept getting 401 authentication failures. I searched Baidu and Google extensively and failed to solve them. This time the mistakes have basically all come out, and I blame myself for not being careful enough. With other recent events going on, I was rather frustrated when I saw the error, but without getting past this step I could not complete the work that depends on it, so I set it aside. Coming back to it this morning, I read the SaltStack issue on GitHub again. After that, I succeeded in obtaining the token. I was still a little excited when I saw the result, so I quickly recorded it.
I. Test environment
1. api.conf
[root@V1 salt]# cat /etc/salt/master.d/api.conf
rest_cherrypy:
  port: 8000
  disable_ssl: True
2. eauth.conf
[root@V1 salt]# cat /etc/salt/master.d/eauth.conf
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'
3. salt-api --versions
[root@V1 salt]# salt-api --versions
Salt Version:
    Salt: 2018.3.2

Dependency Versions:
    cffi: 1.11.5
    cherrypy: 3.6.0
    dateutil: Not Installed
    docker-py: Not Installed
    gitdb: Not Installed
    gitpython: Not Installed
    ioflo: Not Installed
    Jinja2: 2.9.6
    libgit2: Not Installed
    libnacl: Not Installed
    M2Crypto: 0.21.1
    Mako: Not Installed
    msgpack-pure: Not Installed
    msgpack-python: 0.5.1
    mysql-python: Not Installed
    pycparser: 2.18
    pycrypto: 2.6.1
    pycryptodome: Not Installed
    pygit2: Not Installed
    Python: 2.7.5 (default, Apr 11 2018, 07:36:10)
    python-gnupg: Not Installed
    PyYAML: 3.11
    PyZMQ: 14.3.1
    RAET: Not Installed
    smmap: Not Installed
    timelib: Not Installed
    Tornado: 4.2.1
    ZMQ: 3.2.5

System Versions:
    dist: centos 7.4.1708 Core
    locale: UTF-8
    machine: x86_64
    release: 3.10.0-693.21.1.el7.x86_64
    system: Linux
    version: CentOS Linux 7.4.1708 Core
In the process of troubleshooting, I also upgraded Salt. I have to say that the installation and upgrade instructions on the official website are really friendly. Attached is the link below.
Salt Bootstrap is a shell script that detects the target platform and chooses the best installation method (taken from Google Translate. PS Serious Face)
Install the latest version. Updates will install the latest version even if it is a new major version.
This method offers three installation variants: REDHAT / CENTOS 7 PY2, REDHAT / CENTOS 7 PY3 and REDHAT / CENTOS 6 PY2. I tried both ways, and they really are easy to use.
I won't go into the details and will go straight to the line of thinking. Thanks to the old hand's approach, the 401 was ruled out. Just staring at it, you know that authentication failed, but not knowing where to verify it is still uncomfortable.
[root@salt ~]# cat /etc/salt/master    # View the master configuration file
external_auth:
  pam:
    salt:
      - .*
      - '@wheel'   # to allow access to all wheel modules
      - '@runner'  # to allow access to all runner modules
      - '@jobs'    # to allow access to the jobs runner and/or wheel module
[root@salt ~]# systemctl start salt-master salt-minion    # Start master and minion
[root@salt ~]# useradd -m salt    # Add account
[root@salt ~]# echo testpass | passwd --stdin salt    # Set a password for the account
Changing password for user salt.
passwd: all authentication tokens updated successfully.
[root@salt ~]# salt-key -Ay    # Accept all pending keys
The following keys are going to be accepted:
Unaccepted Keys:
salt
Key for minion salt accepted.
[root@salt ~]# sleep 10    # Wait 10 s
[root@salt ~]# salt -a pam --username=salt --password=testpass \* test.ping    # Test the minion using pam authentication
salt:
    True
Following the steps above, I put the authentication configuration into the main master configuration file and restarted the master service. (During the trial-and-error journey the master, minion and api failed several times; I installed some packages (such as PyZMQ), updated others (such as pip install CherryPy==3.6.0), and in the end still got 401 back, embarrassingly.) Then I called the API from Postman, and the token interface succeeded.
[root@V1 salt]# curl -k http://127.0.0.1:8000/login -H "Accept: application/json" -d username='saltapi' -d password='saltapi' -d eauth='pam'
{"return": [{"perms": [".*", "@wheel", "@runner"], "start": 1530760488.001925, "token": "4235157b6841803df754ec2b554e002c0fcb5592", "expire": 1530803688.001926, "user": "saltapi", "eauth": "pam"}]}
Later I reasoned that if it only works when the configuration is added to the main configuration file, then the default_include of the main configuration file must not be taking effect. The configuration before the failure was like this:
# Per default, the master will automatically include all config files
# from master.d/*.conf (master.d is a directory in the same directory
# as the main master config file).
default_include : master.d/*.conf
I added the current directory prefix and retried:
default_include : ./master.d/*.conf
Then it worked.
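One way to check the suspicion above that default_include is not pulling in master.d/eauth.conf, as an added example that is not part of the original post or Salt's own code: it resolves the glob against the main config file's directory (as the stock comment describes) and lists the files that define a top-level external_auth key. The function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): show which files the master's
# default_include glob really pulls in and which of them define external_auth.

# Active default_include value; falls back to the default named in the stock
# config comment (master.d/*.conf) when the key is absent or commented out.
include_pattern() {
    local value
    value=$(sed -n 's/^default_include[[:space:]]*:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" |
        head -n 1 | tr -d "\"'")
    printf '%s\n' "${value:-master.d/*.conf}"
}

# Files matched by the pattern; a relative pattern is resolved against the
# directory of the main config file, not the shell's working directory.
included_files() {
    local pattern dir f
    pattern=$(include_pattern "$1")
    dir=$(cd "$(dirname "$1")" && pwd)
    case $pattern in /*) ;; *) pattern="$dir/$pattern" ;; esac
    for f in $pattern; do            # unquoted on purpose so the glob expands
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Main file plus includes that carry an uncommented top-level external_auth key.
external_auth_sources() {
    local f
    { printf '%s\n' "$1"; included_files "$1"; } | while IFS= read -r f; do
        if grep -q '^external_auth[[:space:]]*:' "$f"; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample tree: eauth.conf matches *.conf, eauth.conf.bak does not.
build_demo_tree() {
    mkdir -p "$1/master.d"
    printf 'default_include : master.d/*.conf\n' > "$1/master"
    printf 'rest_cherrypy:\n  port: 8000\n' > "$1/master.d/api.conf"
    printf 'external_auth:\n  pam:\n    saltapi:\n      - .*\n' > "$1/master.d/eauth.conf"
    printf 'external_auth:\n  pam: {}\n' > "$1/master.d/eauth.conf.bak"
}

# No argument: run on the constructed tree. Otherwise check the given master file.
if [ $# -eq 0 ]; then
    demo=$(mktemp -d) && build_demo_tree "$demo"
    external_auth_sources "$demo/master"
    rm -rf "$demo"
else
    external_auth_sources "$1"
fi
```

Run it with the path of the master file, for example /etc/salt/master. Empty output means neither the main file nor any file matched by default_include defines external_auth.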
After successfully obtaining the token, I changed the configuration file back to the original one and restarted the various services; embarrassingly, I could not reproduce the problem... Restarting the minion failed to refresh the key...
This is roughly how it went. In the process of debugging, we should look for more information and try more things. It is best to read the official docs and issues. Stick to the official sources (a lesson learned in blood and tears).
At last we can start the next step.
Reference material
1. salt-api is not working. "Authentication failure of type "eauth" occurred"