-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Corrupted /var/cache/salt/master/salt_vault_token #59361
Comments
Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. |
We have faced the same issue. File /var/cache/salt/master/salt_vault_token is constantly growing and sometimes JSON structure inside it became broken: "path": "infra-kv/", "seal_wrap": false, "type": "kv", "uuid": "64850942-d1c6-18a7-4785-929955f74b7e"}}}e"}}} You can see excess symbols ( }}}e ) and this is the reason why salt goes broken:
|
We had exactly the same issue. It's extremely hard to apply states to nodes that extract pillar items from the Vault. Removing of Logs:
|
As a temporary solution we put immutable flag on file |
Discussed this a bit during open hour, dropping some info here: based on your output it looks like Salt is possibly hitting a race condition here. We should be doing an atomic write to this file instead (i.e. open a tmp file, write to that, and then rename that to the salt_vault_token file) A bit weird, though, as I'm not able to actually produce the error just by using threading with the same filehandle. Race condition might be extra "fun" 😬 |
@dwoz a thought I had for when you look into this: we might be able to just allow an |
Wouldn't it be enough in this case to gracefully handle the symptom and move on since it is only a cache file? For example, just catch the exception and wipe the file. modified from https://github.com/saltstack/salt/blob/master/salt/utils/vault.py#L249
|
How we can work around this issue? The salt is unusable at the moment - we either have: |
Description
After a certain amount of time, Salt incorrectly overwrites
/var/cache/salt/master/salt_vault_token
Setup
/etc/salt/master.d/vault.conf
Steps to Reproduce the behavior
less /var/log/salt/master
Expected behavior
Salt should regenerate vault token.
File
As you can see the file was incorrectly overwritten:
/var/cache/salt/master/salt_vault_token
Versions Report
salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)Workaround
Manually remove
/var/cache/salt/master/salt_vault_token
and salt regenerates it.The text was updated successfully, but these errors were encountered: