Handling a command that may not complete?
80 views
Skip to first unread message
brad.v...@gmail.com
Jul 20, 2023, 8:00:45 AM7/20/23
to Salt-users
I have a piece of software to install. The installation part works fine, however after installation it needs to reach out and connect to a master server. As part of that reaching out, it needs to pull back the server certificate from that master server. Maybe 60-70% of the time that works. The rest fail. When that happens, I run:
echo | openssl s_client -connect master.server:8886 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
when that does not work, it just hangs forever. From the command line, if I prepend that with
/bin/timeout 10
it will terminate the process if it has not completed in 10 seconds. Within salt it does not work. I was thinking of this, but not really sure of the difference between the two loop.until commands and I really do not know python.
check_for_certificate:
loop.until_no_eval:
- name: cmd.run
- expected: '-----BEGIN CERTIFICATE-----...'
- compare_operator: data.subdict_match
- period: 8
- timeout: 30
- args:
- /bin/bash echo | /usr/sbin/openssl s_client -connect server.masterr:8886 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
loop.until_no_eval:
- name: cmd.run
- expected: '-----BEGIN CERTIFICATE-----...'
- compare_operator: data.subdict_match
- period: 8
- timeout: 30
- args:
- /bin/bash echo | /usr/sbin/openssl s_client -connect server.masterr:8886 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
For expected, I want to just say starts with and the same for the result. Not sure how to do that. Any suggestions would be appreciated.
ende...@gmail.com
Jul 21, 2023, 10:39:56 AM7/21/23
to Salt-users
Do you need to use the -k option in conjunction with the timeout to actually kill the process?
brad.v...@gmail.com
Jul 21, 2023, 12:16:58 PM7/21/23
to Salt-users
No. On the command line it worked without using -k.
brad.v...@gmail.com
Jul 24, 2023, 9:01:14 AM7/24/23
to Salt-users
Does anyone know how the loop.until_no_eval works? I'm trying:
check_for_certificate:
loop.until_no_eval:
- name: cmd.run
loop.until_no_eval:
- name: cmd.run
- expected: '-----BEGIN CERTIFICATE-----'
- compare_operator: data.subdict_match
- period: 8
- timeout: 30
- args:
- echo | /usr/bin/openssl s_client -connect server.masterr:8886 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/p'
So that I hope I'm just returning the first line of the certificate (The command after the -args works just fine from a bash prompt). I'm just not sure if that is how I should express it in salt since it is python based? The compare_operator I just took from the only example I've been able to find. The problem is when the openssl command does not pull down the server certificate, it just hangs forever. That is why I'm trying to use this command and timeout after a given time. Also, I want it to fail the rest of the state if this fails for either exceeding the number of loops or the timeout.
Phipps, Thomas
Jul 24, 2023, 12:29:43 PM7/24/23
to salt-...@googlegroups.com
putting the cmd into arg is most likely causing an issue with how it is being interpreted.
this could have been tested by you by logging into a minion in question and just running salt-call state.apply -l debug. it will show what it is doing. the command being run. the output of that command. and the comparison.
next. with this much pipes and stdio being manipulated here. you will want to use python_shell being true. just to make sure it python isn’t getting in the way of the command.
next. data.subdict_match is WAY the wrong item you should be using. cmd.run is all strings. it doesn’t return a dict. so that will always resolve to false.
you don’t even need a campare_operator. that is only if you need to manipulate the data in stream.
test_loops:
loop.until_no_eval:
- name: cmd.run
- expected: -----BEGIN CERTIFICATE-----
- period: 8
- timeout: 30
- kwargs:
cmd: 'echo | /usr/bin/openssl s_client -connect server.masterr:8886 2>&1 | sed -ne "/-BEGIN CERTIFICATE-/p"'
python_shell: true
--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/salt-users/402a87da-92aa-4679-8d45-5ddf04864f16n%40googlegroups.com.
brad.v...@gmail.com
Jul 28, 2023, 11:12:43 AM7/28/23
to Salt-users
Thanks. I will work on that.
brad.v...@gmail.com
Jul 31, 2023, 8:01:11 AM7/31/23
to Salt-users
I think I'm getting closer. At least I'm not getting any error messages, it just never gives success even after I run the openssl command from the bash shell and it works. So, something is not quite correct. I have:
test_loops:
loop.until_no_eval:
- name: cmd.run
- expected: '-----BEGIN CERTIFICATE-----'
- period: 6
- timeout: 30
- args:
- 'echo | /usr/bin/openssl s_client -connect server.masterr:8886 2>&1 | sed -ne "/-BEGIN CERTIFICATE-/p"'
Phipps, Thomas
Jul 31, 2023, 12:06:10 PM7/31/23
to salt-...@googlegroups.com
did you miss the part where I explicitly said args would not work and that you should put it in kwargs?
the code i posted was tested.
To view this discussion on the web visit https://groups.google.com/d/msgid/salt-users/38aaaf9d-7af2-4ea7-8de6-b56b523de9f9n%40googlegroups.com.
Brad Van Orden
Jul 31, 2023, 12:11:12 PM7/31/23
to salt-...@googlegroups.com
You received this message because you are subscribed to a topic in the Google Groups "Salt-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/salt-users/Lw25goQtKiQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to salt-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/salt-users/CAPaX09inwNV_X8cB9-ctOfWTxnjjTc5rheY5XkTTjP%2BM9%3DM1dw%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages