Page MenuHomeDevCentral

Deploy REST API for Salt using rest_cherrypy
ClosedPublic

Authored by dereckson on Jan 13 2024, 23:47.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Dec 21, 04:31
Unknown Object (File)
Thu, Dec 19, 05:57
Unknown Object (File)
Tue, Dec 17, 07:09
Unknown Object (File)
Tue, Dec 17, 01:28
Unknown Object (File)
Mon, Dec 16, 13:56
Unknown Object (File)
Sun, Dec 15, 04:18
Unknown Object (File)
Sun, Dec 15, 04:17
Unknown Object (File)
Thu, Dec 12, 18:14
Subscribers
None

Details

Summary

Salt provides a REST API applications can use to communicate through HTTP.

This deployment is intended to be able to trigger events to the reactor
from external sources like Notifications Center or Jenkins.

It reuses the TLS certificates for Vault as they share the same server.

Ref T1942.

Test Plan

sockstat | grep 8300

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson created this revision.

Current status

The service starts, then quit a few seconds later. When running in foreground, we see an error
similar to the one we have when Salt is updated without restarting the primary service.

Complector
$ sudo su - salt
$ /usr/local/bin/python3.9 /usr/local/bin/salt-api -c /usr/local/etc/salt
[ERROR   ] Failed to import netapi rest_cherrypy, this is due most likely to a syntax error:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/salt/loader/lazy.py", line 751, in _load_module
    mod = spec.loader.load_module()
  File "<frozen importlib._bootstrap_external>", line 529, in _check_name_wrapper
  File "<frozen importlib._bootstrap_external>", line 1029, in load_module
  File "<frozen importlib._bootstrap_external>", line 854, in load_module
  File "<frozen importlib._bootstrap>", line 274, in _load_module_shim
  File "<frozen importlib._bootstrap>", line 711, in _load
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/salt/netapi/rest_cherrypy/__init__.py", line 18, in <module>
    import cherrypy
  File "/usr/local/lib/python3.9/site-packages/cherrypy/__init__.py", line 60, in <module>
    import pkg_resources
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 3260, in <module>
    def _initialize_master_working_set():
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 3234, in _call_aside
    f(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 3272, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 581, in _build_master
    ws.require(__requires__)
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 909, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 795, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'contextvars' distribution was not found and is required by salt
`

This can be fixed by removing contextvars from python3.9/site-packages/salt-3006.2-py3.9.egg-info/entry_points.txt,
as contextvars is now a part of Python 3.7+ standard library.

Then, another TLS-related issue occurs:

Complector
$ /usr/local/bin/python3.9 /usr/local/bin/salt-api -c /usr/local/etc/salt
[ERROR   ] [14/Jan/2024:00:11:05] ENGINE Error in HTTPServer.serve
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/cheroot/server.py", line 1814, in serve
    self._connections.run(self.expiration_interval)
  File "/usr/local/lib/python3.9/site-packages/cheroot/connections.py", line 198, in run
    self._run(expiration_interval)
  File "/usr/local/lib/python3.9/site-packages/cheroot/connections.py", line 241, in _run
    new_conn = self._from_server_socket(self.server.socket)
  File "/usr/local/lib/python3.9/site-packages/cheroot/connections.py", line 294, in _from_server_socket
    s, ssl_env = self.server.ssl_adapter.wrap(s)
  File "/usr/local/lib/python3.9/site-packages/cheroot/ssl/builtin.py", line 270, in wrap
    s = self.context.wrap_socket(
  File "/usr/local/lib/python3.9/ssl.py", line 501, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/local/lib/python3.9/ssl.py", line 1074, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.9/ssl.py", line 1343, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLZeroReturnError: TLS/SSL connection has been closed (EOF) (_ssl.c:1134)

Despite of this, the server is up:

Complector
$ sockstat | grep 70925
salt     python3.9  70925 10  tcp4   *:8300                *:*

Fix spaces. Add kludge to remove contextvars from egg info about Salt.

hunt-insecable-spaces sponsored by I can't use a MacBook Pro (tm)

Declare Salt API in services table so Jenkins can know what URL to use without hardcoding it

Reorder pillar/services/table.sls

This revision is now accepted and ready to land.Jan 14 2024, 01:52