Problem Preseeding Minions


Beth W.

Feb 7, 2013, 1:00:31 PM
to salt-...@googlegroups.com
I've followed the instructions at http://docs.saltstack.org/en/latest/topics/tutorials/preseed_key.html for preseeding minions. I have virtual machines with minion.pub and minion.pem being inserted on boot. The keys are correctly accepted on the master. But when the minion tries to authenticate, it gives this error:
"[CRITICAL] The Salt Master has rejected this minions public key!"

I removed the pre-accepted keys and manually accepted them, and that worked. But when I compared the public keys for the minion on the master, I found that the key the minion was sending to the master was NOT the one in /etc/salt/pki/minion (which is the one the instructions said it should be using). This is why the authentication was failing.

I can't even find any file on the machine with the public key that the minion is sending to the master! It's like it's pulling it out of thin air. And I can't pre-seed a file I can't locate. 

Can anyone help me out here? Am I missing a configuration setting or something?

David Boucha

Feb 7, 2013, 1:28:18 PM
to salt users list
Beth,

So just to be sure. You've copied the following files to the minion, right?
/etc/salt/pki/minion/minion.pem
/etc/salt/pki/minion/minion.pub
And copied and renamed minion.pub to:

/etc/salt/pki/master/minions/[your_minion_id]

These files need to be there before starting the minion service the first time because otherwise the minion will create its own.

We can help you in #salt on irc.freenode.net as well

Dave



Bethany

Feb 7, 2013, 1:44:24 PM
to salt-...@googlegroups.com
Yes, to all of those. I tested the method out manually before scripting it to make sure I was replacing the right files.
The master is created and populated with pre-accepted keys before any of the minions are made (the minion IDs are known in advance).

I'm creating the VMs using OpenStack's file insertion, and their documentation says file insertion is done by mounting the file system prior to boot, so the files should be in place before the minion starts for the first time.

(I'll try the IRC as well, but in my experience IRC support is usually chaotic and not too helpful)

Bethany

Feb 7, 2013, 1:55:49 PM
to salt-...@googlegroups.com
Both minion and master are version 0.12.1.

David Ward

Mar 13, 2013, 12:45:32 AM
to salt-...@googlegroups.com
I'd double check those file locations on the minion. It sounds like it is generating its own, which it would only do if it cannot find the preseeded keys.
Once the minion is up, does it have the keys you preseeded and a new set? What are their locations and md5sums?

Elizabeth W.

Mar 14, 2013, 8:58:21 PM
to salt-...@googlegroups.com
Once the minion is up, it has only the keys I preseeded. The md5 sums on the minion keys and the keys on the master match. The key that the minion is sending, however, is still different. I did a grep of the entire filesystem, and the key it is sending does not appear to exist in any file on the VM, so I don't even know where it's coming from.

One thing worth mentioning is that these VMs are all made from an image with salt-minion already installed.

For now, I've given up on this. I'm just toggling auto-accept, since this is just being used on an internal network.


David Ward

Mar 14, 2013, 11:40:00 PM
to salt-...@googlegroups.com
That is disappointing. I am doing preseeding with no issue.
I had to work out how to ensure the hostname was set before keys were generated and the minion contacted the master. But never an issue with preseeding the key.

You could try using something like fdupes to help find where this key is on the minion. Or launch the minion manually like so:

salt-minion -l debug

That will tell you which key it is loading if I recall correctly.
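
The checksum comparison asked for in this thread (preseeded keys on the minion against the copy accepted on the master), extended with a check that minion.pub really belongs to minion.pem. This is an added example, not part of any post above; the function names are made up here, and it assumes openssl and sha256sum are installed and that the master's accepted key file has been copied to the host where the script runs.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): consistency check for a preseeded minion key.
# Assumes openssl and sha256sum are installed and all three files are readable locally.

# Hash of a key file, ignoring whitespace and CR/LF differences.
pem_fp() {
    tr -d ' \t\r\n' < "$1" | sha256sum | cut -d' ' -f1
}

# RSA modulus of a private key ($1 = priv) or a public key ($1 = pub); $2 = file.
modulus() {
    if [ "$1" = priv ]; then
        openssl rsa -in "$2" -noout -modulus 2>/dev/null
    else
        openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null
    fi
}

# check_preseed <minion.pem> <minion.pub> <master's accepted copy>
# Returns 0 if consistent, 1 if the master's copy differs from minion.pub,
# 2 if minion.pub does not belong to minion.pem.
check_preseed() {
    local pem="$1" pub="$2" accepted="$3" m_priv m_pub
    echo "minion.pub : $(pem_fp "$pub")"
    echo "accepted   : $(pem_fp "$accepted")"
    if [ "$(pem_fp "$pub")" != "$(pem_fp "$accepted")" ]; then
        echo "MISMATCH: master's accepted key is not this minion.pub" >&2
        return 1
    fi
    m_priv=$(modulus priv "$pem")
    m_pub=$(modulus pub "$pub")
    if [ -z "$m_priv" ] || [ "$m_priv" != "$m_pub" ]; then
        echo "MISMATCH: minion.pub was not derived from minion.pem" >&2
        return 2
    fi
    echo "OK: key pair is consistent and matches the accepted key"
}

# Run only when called with the three paths.
if [ "$#" -eq 3 ]; then
    check_preseed "$@"
fi
```

Running it once on the image before cloning and once on a freshly booted VM shows whether the files changed between the two.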