1
0

multimaster_pki.rst 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401
  1. .. _tutorial-multi-master-pki:
  2. =======================================
  3. Multi-Master-PKI Tutorial With Failover
  4. =======================================
  5. This tutorial will explain, how to run a salt-environment where a single
  6. minion can have multiple masters and fail-over between them if its current
  7. master fails.
  8. The individual steps are
  9. - setup the master(s) to sign its auth-replies
  10. - setup minion(s) to verify master-public-keys
  11. - enable multiple masters on minion(s)
  12. - enable master-check on minion(s)
  13. Please note, that it is advised to have good knowledge of the salt-
  14. authentication and communication-process to understand this tutorial.
  15. All of the settings described here, go on top of the default
  16. authentication/communication process.
  17. Motivation
  18. ==========
  19. The default behaviour of a salt-minion is to connect to a master and accept
  20. the masters public key. With each publication, the master sends his public-key
  21. for the minion to check and if this public-key ever changes, the minion
  22. complains and exits. Practically this means, that there can only be a single
  23. master at any given time.
  24. Would it not be much nicer, if the minion could have any number of masters
  25. (1:n) and jump to the next master if its current master died because of a
  26. network or hardware failure?
  27. .. note::
  28. There is also a MultiMaster-Tutorial with a different approach and topology
  29. than this one, that might also suite your needs or might even be better suited
  30. `Multi-Master Tutorial <http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html>`_
  31. It is also desirable, to add some sort of authenticity-check to the very first
  32. public key a minion receives from a master. Currently a minions takes the
  33. first masters public key for granted.
  34. The Goal
  35. ========
  36. Setup the master to sign the public key it sends to the minions and enable the
  37. minions to verify this signature for authenticity.
  38. Prepping the master to sign its public key
  39. ==========================================
  40. For signing to work, both master and minion must have the signing and/or
  41. verification settings enabled. If the master signs the public key but the
  42. minion does not verify it, the minion will complain and exit. The same
  43. happens, when the master does not sign but the minion tries to verify.
  44. The easiest way to have the master sign its public key is to set
  45. .. code-block:: yaml
  46. master_sign_pubkey: True
  47. After restarting the salt-master service, the master will automatically
  48. generate a new key-pair
  49. .. code-block:: yaml
  50. master_sign.pem
  51. master_sign.pub
  52. A custom name can be set for the signing key-pair by setting
  53. .. code-block:: yaml
  54. master_sign_key_name: <name_without_suffix>
  55. The master will then generate that key-pair upon restart and use it for
  56. creating the public keys signature attached to the auth-reply.
  57. The computation is done for every auth-request of a minion. If many minions
  58. auth very often, it is advised to use conf_master:`master_pubkey_signature`
  59. and conf_master:`master_use_pubkey_signature` settings described below.
  60. If multiple masters are in use and should sign their auth-replies, the signing
  61. key-pair master_sign.* has to be copied to each master. Otherwise a minion
  62. will fail to verify the masters public when connecting to a different master
  63. than it did initially. That is because the public keys signature was created
  64. with a different signing key-pair.
  65. Prepping the minion to verify received public keys
  66. ==================================================
  67. The minion must have the public key (and only that one!) available to be
  68. able to verify a signature it receives. That public key (defaults to
  69. master_sign.pub) must be copied from the master to the minions pki-directory.
  70. .. code-block:: bash
  71. /etc/salt/pki/minion/master_sign.pub
  72. .. important::
  73. DO NOT COPY THE master_sign.pem FILE. IT MUST STAY ON THE MASTER AND
  74. ONLY THERE!
  75. When that is done, enable the signature checking in the minions configuration
  76. .. code-block:: yaml
  77. verify_master_pubkey_sign: True
  78. and restart the minion. For the first try, the minion should be run in manual
  79. debug mode.
  80. .. code-block:: bash
  81. salt-minion -l debug
  82. Upon connecting to the master, the following lines should appear on the output:
  83. .. code-block:: text
  84. [DEBUG ] Attempting to authenticate with the Salt Master at 172.16.0.10
  85. [DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem
  86. [DEBUG ] salt.crypt.verify_signature: Loading public key
  87. [DEBUG ] salt.crypt.verify_signature: Verifying signature
  88. [DEBUG ] Successfully verified signature of master public key with verification public key master_sign.pub
  89. [INFO ] Received signed and verified master pubkey from master 172.16.0.10
  90. [DEBUG ] Decrypting the current master AES key
  91. If the signature verification fails, something went wrong and it will look
  92. like this
  93. .. code-block:: text
  94. [DEBUG ] Attempting to authenticate with the Salt Master at 172.16.0.10
  95. [DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem
  96. [DEBUG ] salt.crypt.verify_signature: Loading public key
  97. [DEBUG ] salt.crypt.verify_signature: Verifying signature
  98. [DEBUG ] Failed to verify signature of public key
  99. [CRITICAL] The Salt Master server's public key did not authenticate!
  100. In a case like this, it should be checked, that the verification pubkey
  101. (master_sign.pub) on the minion is the same as the one on the master.
  102. Once the verification is successful, the minion can be started in daemon mode
  103. again.
  104. For the paranoid among us, its also possible to verify the publication whenever
  105. it is received from the master. That is, for every single auth-attempt which
  106. can be quite frequent. For example just the start of the minion will force the
  107. signature to be checked 6 times for various things like auth, mine,
  108. :ref:`highstate <running-highstate>`, etc.
  109. If that is desired, enable the setting
  110. .. code-block:: yaml
  111. always_verify_signature: True
  112. Multiple Masters For A Minion
  113. =============================
  114. Configuring multiple masters on a minion is done by specifying two settings:
  115. - a list of masters addresses
  116. - what type of master is defined
  117. .. code-block:: yaml
  118. master:
  119. - 172.16.0.10
  120. - 172.16.0.11
  121. - 172.16.0.12
  122. .. code-block:: yaml
  123. master_type: failover
  124. This tells the minion that all the master above are available for it to
  125. connect to. When started with this configuration, it will try the master
  126. in the order they are defined. To randomize that order, set
  127. .. code-block:: yaml
  128. master_shuffle: True
  129. The master-list will then be shuffled before the first connection attempt.
  130. The first master that accepts the minion, is used by the minion. If the
  131. master does not yet know the minion, that counts as accepted and the minion
  132. stays on that master.
  133. For the minion to be able to detect if its still connected to its current
  134. master enable the check for it
  135. .. code-block:: yaml
  136. master_alive_interval: <seconds>
  137. If the loss of the connection is detected, the minion will temporarily
  138. remove the failed master from the list and try one of the other masters
  139. defined (again shuffled if that is enabled).
  140. Testing the setup
  141. =================
  142. At least two running masters are needed to test the failover setup.
  143. Both masters should be running and the minion should be running on the command
  144. line in debug mode
  145. .. code-block:: bash
  146. salt-minion -l debug
  147. The minion will connect to the first master from its master list
  148. .. code-block:: bash
  149. [DEBUG ] Attempting to authenticate with the Salt Master at 172.16.0.10
  150. [DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem
  151. [DEBUG ] salt.crypt.verify_signature: Loading public key
  152. [DEBUG ] salt.crypt.verify_signature: Verifying signature
  153. [DEBUG ] Successfully verified signature of master public key with verification public key master_sign.pub
  154. [INFO ] Received signed and verified master pubkey from master 172.16.0.10
  155. [DEBUG ] Decrypting the current master AES key
  156. A test.version on the master the minion is currently connected to should be run to
  157. test connectivity.
  158. If successful, that master should be turned off. A firewall-rule denying the
  159. minions packets will also do the trick.
  160. Depending on the configured conf_minion:`master_alive_interval`, the minion
  161. will notice the loss of the connection and log it to its logfile.
  162. .. code-block:: bash
  163. [INFO ] Connection to master 172.16.0.10 lost
  164. [INFO ] Trying to tune in to next master from master-list
  165. The minion will then remove the current master from the list and try connecting
  166. to the next master
  167. .. code-block:: bash
  168. [INFO ] Removing possibly failed master 172.16.0.10 from list of masters
  169. [WARNING ] Master ip address changed from 172.16.0.10 to 172.16.0.11
  170. [DEBUG ] Attempting to authenticate with the Salt Master at 172.16.0.11
  171. If everything is configured correctly, the new masters public key will be
  172. verified successfully
  173. .. code-block:: bash
  174. [DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem
  175. [DEBUG ] salt.crypt.verify_signature: Loading public key
  176. [DEBUG ] salt.crypt.verify_signature: Verifying signature
  177. [DEBUG ] Successfully verified signature of master public key with verification public key master_sign.pub
  178. the authentication with the new master is successful
  179. .. code-block:: bash
  180. [INFO ] Received signed and verified master pubkey from master 172.16.0.11
  181. [DEBUG ] Decrypting the current master AES key
  182. [DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem
  183. [INFO ] Authentication with master successful!
  184. and the minion can be pinged again from its new master.
  185. Performance Tuning
  186. ==================
  187. With the setup described above, the master computes a signature for every
  188. auth-request of a minion. With many minions and many auth-requests, that
  189. can chew up quite a bit of CPU-Power.
  190. To avoid that, the master can use a pre-created signature of its public-key.
  191. The signature is saved as a base64 encoded string which the master reads
  192. once when starting and attaches only that string to auth-replies.
  193. Enabling this also gives paranoid users the possibility, to have the signing
  194. key-pair on a different system than the actual salt-master and create the public
  195. keys signature there. Probably on a system with more restrictive firewall rules,
  196. without internet access, less users, etc.
  197. That signature can be created with
  198. .. code-block:: bash
  199. salt-key --gen-signature
  200. This will create a default signature file in the master pki-directory
  201. .. code-block:: bash
  202. /etc/salt/pki/master/master_pubkey_signature
  203. It is a simple text-file with the binary-signature converted to base64.
  204. If no signing-pair is present yet, this will auto-create the signing pair and
  205. the signature file in one call
  206. .. code-block:: bash
  207. salt-key --gen-signature --auto-create
  208. Telling the master to use the pre-created signature is done with
  209. .. code-block:: yaml
  210. master_use_pubkey_signature: True
  211. That requires the file 'master_pubkey_signature' to be present in the masters
  212. pki-directory with the correct signature.
  213. If the signature file is named differently, its name can be set with
  214. .. code-block:: yaml
  215. master_pubkey_signature: <filename>
  216. With many masters and many public-keys (default and signing), it is advised to
  217. use the salt-masters hostname for the signature-files name. Signatures can be
  218. easily confused because they do not provide any information about the key the
  219. signature was created from.
  220. Verifying that everything works is done the same way as above.
  221. How the signing and verification works
  222. ======================================
  223. The default key-pair of the salt-master is
  224. .. code-block:: yaml
  225. /etc/salt/pki/master/master.pem
  226. /etc/salt/pki/master/master.pub
  227. To be able to create a signature of a message (in this case a public-key),
  228. another key-pair has to be added to the setup. Its default name is:
  229. .. code-block:: yaml
  230. master_sign.pem
  231. master_sign.pub
  232. The combination of the master.* and master_sign.* key-pairs give the
  233. possibility of generating signatures. The signature of a given message
  234. is unique and can be verified, if the public-key of the signing-key-pair
  235. is available to the recipient (the minion).
  236. The signature of the masters public-key in master.pub is computed with
  237. .. code-block:: yaml
  238. master_sign.pem
  239. master.pub
  240. M2Crypto.EVP.sign_update()
  241. This results in a binary signature which is converted to base64 and attached
  242. to the auth-reply send to the minion.
  243. With the signing-pairs public-key available to the minion, the attached
  244. signature can be verified with
  245. .. code-block:: yaml
  246. master_sign.pub
  247. master.pub
  248. M2Cryptos EVP.verify_update().
  249. When running multiple masters, either the signing key-pair has to be present
  250. on all of them, or the master_pubkey_signature has to be pre-computed for
  251. each master individually (because they all have different public-keys).
  252. DO NOT PUT THE SAME master.pub ON ALL MASTERS FOR EASE OF USE.