Kezdőlap Felfedezés Súgó
Regisztráció Bejelentkezés
nee2c
/
salt
tükrözi: https://github.com/nee2c/salt.git
1
0
Másolás 0
Fájlok Problémák 0 Wiki
Branch: master
Branch-ok Tag-ek
salt
/
doc
/
topics
/
tutorials
/
preseed_key.rst

preseed_key.rst 2.5 KB
Állandó hivatkozás Előzmények Nyers

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 
  1. .. _tutorial-preseed-key:
    2. 

  2. 

  3. ================================
    4. 

  4. Preseed Minion with Accepted Key
    5. 

  5. ================================
    6. 

  6. 

  7. In some situations, it is not convenient to wait for a minion to start before
    8. 

  8. accepting its key on the master. For instance, you may want the minion to
    9. 

  9. bootstrap itself as soon as it comes online. You may also want to let your
    10. 

  10. developers provision new development machines on the fly.
    11. 

  11. 

  12. .. seealso:: Many ways to preseed minion keys
    13. 

  13. 

  14.     Salt has other ways to generate and pre-accept minion keys in addition to
    15. 

  15.     the manual steps outlined below.
    16. 

  16. 

  17.     salt-cloud performs these same steps automatically when new cloud VMs are
    18. 

  18.     created (unless instructed not to).
    19. 

  19. 

  20.     salt-api exposes an HTTP call to Salt's REST API to :py:class:`generate and
    21. 

  21.     download the new minion keys as a tarball
    22. 

  22.     <salt.netapi.rest_cherrypy.app.Keys>`.
    23. 

  23. 

  24. There is a general four step process to do this:
    25. 

  25. 

  26. 1. Generate the keys on the master:
    27. 

  27. 

  28. .. code-block:: bash
    29. 

  29. 

  30.     root@saltmaster# salt-key --gen-keys=[key_name]
    31. 

  31. 

  32. Pick a name for the key, such as the minion's id.
    33. 

  33. 

  34. 2. Add the public key to the accepted minion folder:
    35. 

  35. 

  36. .. code-block:: bash
    37. 

  37. 

  38.     root@saltmaster# cp key_name.pub /etc/salt/pki/master/minions/[minion_id]
    39. 

  39. 

  40. It is necessary that the public key file has the same name as your minion id.
    41. 

  41. This is how Salt matches minions with their keys. Also note that the pki folder
    42. 

  42. could be in a different location, depending on your OS or if specified in the
    43. 

  43. master config file.
    44. 

  44. 

  45. 3. Distribute the minion keys.
    46. 

  46. 

  47. There is no single method to get the keypair to your minion.  The difficulty is
    48. 

  48. finding a distribution method which is secure. For Amazon EC2 only, an AWS best
    49. 

  49. practice is to use IAM Roles to pass credentials. (See blog post,
    50. 

  50. https://aws.amazon.com/blogs/security/using-iam-roles-to-distribute-non-aws-credentials-to-your-ec2-instances/ )
    51. 

  51. 

  52. .. admonition:: Security Warning
    53. 

  53. 

  54.     Since the minion key is already accepted on the master, distributing
    55. 

  55.     the private key poses a potential security risk. A malicious party
    56. 

  56.     will have access to your entire state tree and other sensitive data if they
    57. 

  57.     gain access to a preseeded minion key.
    58. 

  58. 

  59. 4. Preseed the Minion with the keys
    60. 

  60. 

  61. You will want to place the minion keys before starting the salt-minion daemon:
    62. 

  62. 

  63. .. code-block:: bash
    64. 

  64. 

  65.     /etc/salt/pki/minion/minion.pem
    66. 

  66.     /etc/salt/pki/minion/minion.pub
    67. 

  67. 

  68. Once in place, you should be able to start salt-minion and run ``salt-call
    69. 

  69. state.apply`` or any other salt commands that require master authentication.
    70. 

  70.