Authenticator pod failing to authenticate

Reviewing the setup, I noticed that I had the following setup for the FOLLOWER_SEED variable: "$CONJUR_APPLIANCE_URL/configuration/$CONJUR_ACCOUNT/seed/follower". I then tested that (I assumed the "start" script would pull the seed from the URL):

curl --cacert openshift/conjurmaster-ssl.pem https://conjurmaster.dtt-iam.xyz/configuration/deloittepilot/seed/follower
{"status":401,"error":"Required header is missing"}

After changing to use the local file (I followed the steps to issue the cert and then export the seed file, copying it over to the local file system where the deployment scripts were), the authenticator init container started with the following warning (which seems ok):

WARN: Seed URL not found - assuming seedfile exists on the follower!

The follower pod is now running, but the readiness probe for :443/health is not responding:

Starting follower services...
Joined session keyring: 619756041
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/my_init.d/01-clear-run.sh...
*** Running /etc/my_init.d/10_local_hosts.rb...
*** Running /etc/my_init.d/10_syslog-ng.init...
2019-11-11T00:56:46.679+00:00 conjur-follower-78967f5f7-qj7fv syslog-ng[20]: syslog-ng starting up; version='3.13.2'
*** Running /etc/my_init.d/dhgen.sh...
*** Booting runit daemon...
*** Runit started as PID 28
+ exec conjur-plugin-logger etcd
2019-11-11T00:56:46.000+00:00 conjur-follower-78967f5f7-qj7fv cron[73]: (CRON) INFO (pidfile fd = 3)
2019-11-11T00:56:46.000+00:00 conjur-follower-78967f5f7-qj7fv cron[73]: (CRON) INFO (Running @reboot jobs)
2019-11-11T00:56:46.000+00:00 conjur-follower-78967f5f7-qj7fv evoke-seed: [2019-11-11 00:56:50] INFO  WEBrick 1.4.2
2019-11-11T00:56:50.000+00:00 conjur-follower-78967f5f7-qj7fv evoke-seed: [2019-11-11 00:56:50] INFO  ruby 2.5.5 (2019-03-15) [x86_64-linux-gnu]
2019-11-11T00:56:50.000+00:00 conjur-follower-78967f5f7-qj7fv evoke-seed: [2019-11-11 00:56:50] INFO  WEBrick::HTTPServer#start: pid=53 port=5612
2019-11-11T00:56:46.000+00:00 conjur-follower-78967f5f7-qj7fv evoke-info: [2019-11-11 00:56:51] INFO  WEBrick 1.4.2
2019-11-11T00:56:51.000+00:00 conjur-follower-78967f5f7-qj7fv evoke-info: [2019-11-11 00:56:51] INFO  ruby 2.5.5 (2019-03-15) [x86_64-linux-gnu]
2019-11-11T00:56:51.000+00:00 conjur-follower-78967f5f7-qj7fv evoke-info: [2019-11-11 00:56:51] INFO  WEBrick::HTTPServer#start: pid=51 port=5611
2019-11-11T00:56:46.000+00:00 conjur-follower-78967f5f7-qj7fv evoke-health: [2019-11-11 00:56:51] INFO  WEBrick 1.4.2
2019-11-11T00:56:51.000+00:00 conjur-follower-78967f5f7-qj7fv evoke-health: [2019-11-11 00:56:51] INFO  ruby 2.5.5 (2019-03-15) [x86_64-linux-gnu]
2019-11-11T00:56:51.000+00:00 conjur-follower-78967f5f7-qj7fv evoke-health: [2019-11-11 00:56:51] INFO  WEBrick::HTTPServer#start: pid=55 port=5610
2019-11-11 00:56:53.874 UTC [151] LOG:  database system was shut down at 2019-11-11 00:56:53 UTC
2019-11-11 00:56:53.875 UTC [151] LOG:  MultiXact member wraparound protections are now enabled
2019-11-11 00:56:53.878 UTC [155] LOG:  autovacuum launcher started
2019-11-11 00:56:53.878 UTC [61] LOG:  database system is ready to accept connections

System error
2019-11-11T01:05:01.000+00:00 conjur-follower-78967f5f7-qj7fv CRON[157]: PAM audit_log_acct_message() failed: Operation not permitted
2019-11-11T01:05:01.000+00:00 conjur-follower-78967f5f7-qj7fv CRON[157]: System error

So the original issue was related to the follower seed, but now I am still troubleshooting.
