2016-12-15 22:36:44 +00:00
|
|
|
.. _tutorial-preseed-key:
|
|
|
|
|
|
2016-02-01 03:10:02 +00:00
|
|
|
================================
|
2012-06-14 16:26:47 +00:00
|
|
|
Preseed Minion with Accepted Key
|
2016-02-01 03:10:02 +00:00
|
|
|
================================
|
2012-06-14 16:26:47 +00:00
|
|
|
|
2014-02-11 23:24:40 +00:00
|
|
|
In some situations, it is not convenient to wait for a minion to start before
|
|
|
|
|
accepting its key on the master. For instance, you may want the minion to
|
2016-11-23 21:53:17 +00:00
|
|
|
bootstrap itself as soon as it comes online. You may also want to let your
|
2012-06-14 16:26:47 +00:00
|
|
|
developers provision new development machines on the fly.
|
|
|
|
|
|
2015-02-06 00:17:14 +00:00
|
|
|
.. seealso:: Many ways to preseed minion keys
|
|
|
|
|
|
|
|
|
|
Salt has other ways to generate and pre-accept minion keys in addition to
|
|
|
|
|
the manual steps outlined below.
|
|
|
|
|
|
|
|
|
|
salt-cloud performs these same steps automatically when new cloud VMs are
|
|
|
|
|
created (unless instructed not to).
|
|
|
|
|
|
|
|
|
|
salt-api exposes an HTTP call to Salt's REST API to :py:class:`generate and
|
|
|
|
|
download the new minion keys as a tarball
|
|
|
|
|
<salt.netapi.rest_cherrypy.app.Keys>`.
|
|
|
|
|
|
2012-06-14 16:26:47 +00:00
|
|
|
There is a general four step process to do this:
|
|
|
|
|
|
2013-08-12 03:17:47 +00:00
|
|
|
1. Generate the keys on the master:
|
|
|
|
|
|
|
|
|
|
.. code-block:: bash
|
2012-06-14 16:26:47 +00:00
|
|
|
|
|
|
|
|
root@saltmaster# salt-key --gen-keys=[key_name]
|
|
|
|
|
|
|
|
|
|
Pick a name for the key, such as the minion's id.
|
|
|
|
|
|
2013-08-12 03:17:47 +00:00
|
|
|
2. Add the public key to the accepted minion folder:
|
|
|
|
|
|
|
|
|
|
.. code-block:: bash
|
2012-06-14 16:26:47 +00:00
|
|
|
|
2013-01-07 04:44:09 +00:00
|
|
|
root@saltmaster# cp key_name.pub /etc/salt/pki/master/minions/[minion_id]
|
2012-06-14 16:26:47 +00:00
|
|
|
|
2014-02-11 23:24:40 +00:00
|
|
|
It is necessary that the public key file has the same name as your minion id.
|
|
|
|
|
This is how Salt matches minions with their keys. Also note that the pki folder
|
|
|
|
|
could be in a different location, depending on your OS or if specified in the
|
2012-06-14 16:26:47 +00:00
|
|
|
master config file.
|
|
|
|
|
|
|
|
|
|
3. Distribute the minion keys.
|
|
|
|
|
|
2014-02-11 23:24:15 +00:00
|
|
|
There is no single method to get the keypair to your minion. The difficulty is
|
2014-02-24 21:28:28 +00:00
|
|
|
finding a distribution method which is secure. For Amazon EC2 only, an AWS best
|
2014-12-11 15:50:14 +00:00
|
|
|
practice is to use IAM Roles to pass credentials. (See blog post,
|
2014-04-30 17:03:18 +00:00
|
|
|
http://blogs.aws.amazon.com/security/post/Tx610S2MLVZWEA/Using-IAM-roles-to-distribute-non-AWS-credentials-to-your-EC2-instances )
|
2012-06-14 16:26:47 +00:00
|
|
|
|
|
|
|
|
.. admonition:: Security Warning
|
|
|
|
|
|
2014-02-11 23:24:40 +00:00
|
|
|
Since the minion key is already accepted on the master, distributing
|
|
|
|
|
the private key poses a potential security risk. A malicious party
|
2014-02-11 23:24:15 +00:00
|
|
|
will have access to your entire state tree and other sensitive data if they
|
|
|
|
|
gain access to a preseeded minion key.
|
2012-06-14 16:26:47 +00:00
|
|
|
|
|
|
|
|
4. Preseed the Minion with the keys
|
|
|
|
|
|
2013-08-12 03:17:47 +00:00
|
|
|
You will want to place the minion keys before starting the salt-minion daemon:
|
|
|
|
|
|
|
|
|
|
.. code-block:: bash
|
2012-06-14 16:26:47 +00:00
|
|
|
|
2013-01-07 04:44:09 +00:00
|
|
|
/etc/salt/pki/minion/minion.pem
|
|
|
|
|
/etc/salt/pki/minion/minion.pub
|
2012-06-14 16:26:47 +00:00
|
|
|
|
2016-03-22 03:56:17 +00:00
|
|
|
Once in place, you should be able to start salt-minion and run ``salt-call
|
|
|
|
|
state.apply`` or any other salt commands that require master authentication.
|
2016-03-25 17:47:16 +00:00
|
|
|
|
