calling "salt-key" remotely -- need an API


ed.lane

Apr 10, 2013, 3:24:38 PM4/10/13
to salt-...@googlegroups.com
This issue has recently surfaced in our implementation using Salt...

When a VM is recycled/decommissioned/destroyed by a process external to the salt-master that VM's key should then be deleted on the salt-master.

From the command line on the salt-master this would simply require "salt-key --delete MY_VM_ID"

or in the case of a local script, "salt-key --yes --delete ${MY_VM_ID}"


The problem is when calling "salt-key" remotely to the salt-master. The Salt CLI has an API but appears to be "Local only".

Using the existing Salt framework, is there a way to call "salt-key" from an external machine not running a Salt master or minion?

Is this problem solved by Salt UI?

Is "ssh -t 'salt-key --yes --delete MY_VM_ID'" my best option today?

Thanks,

-ed lane

David Boucha

Apr 10, 2013, 4:39:04 PM4/10/13
to salt users list
Ed, you're probably going to want to use Salt API


--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
Dave Boucha  |  Sr. Engineer


5272 South College Drive, Suite 301 | Murray, UT 84123

office 801-305-3563
da...@saltstack.com | www.saltstack.com

David Boucha

Apr 10, 2013, 5:40:52 PM4/10/13
to salt users list
I think there's an open issue to allow a minion to request that its own key be deleted. I'm not sure if that has been implemented yet, though.

Also, I wonder if you could somehow use the event system to have the minion send a message to the master to delete its key.

Food for thought.


On Wed, Apr 10, 2013 at 1:24 PM, ed.lane <ed.l...@gmail.com> wrote:


Seth House

Apr 10, 2013, 11:27:08 PM4/10/13
to salt-...@googlegroups.com
Ed, this is possible with salt-api (as Dave mentioned). The command to
do so would look something like this:

    curl -sS localhost:8000 -d client='wheel' -d fun='key.delete' -d match='MY_VM_ID'

On Wed, Apr 10, 2013 at 1:24 PM, ed.lane <ed.l...@gmail.com> wrote:
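The curl call above leaves out the authentication step. The script below is an added example (not code from the thread, and not salt-api's own code) that shows the whole exchange against salt-api's rest_cherrypy module from a host running neither master nor minion: log in to obtain a session token, then submit the wheel key.delete call with that token. It assumes the API listens at http://localhost:8000, that an eauth backend (PAM here) grants the API user the '@wheel' permission, and that the SALT_API_URL, SALT_API_USER and SALT_API_PASS environment variable names are this example's own choice. It also refuses glob characters in the id, because key.delete's match is a glob and a value like '*' would remove every accepted key on the master.

```python
"""Delete a minion's key via salt-api (rest_cherrypy) from a host that runs
neither a Salt master nor a minion.  Added example, not code from the thread.

Assumed (not given in the thread): rest_cherrypy at SALT_API_URL, an eauth
backend (PAM here) that grants the API user '@wheel', and credentials in the
environment.  The variable and function names below are this example's own.
"""
import json
import os
import re
import sys
import urllib.request

SALT_API_URL = os.environ.get("SALT_API_URL", "http://localhost:8000")

# key.delete treats 'match' as a glob: '*' would delete every accepted key.
# Only accept ids made of letters, digits, '.', '_' and '-'.
_LITERAL_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_literal_minion_id(minion_id):
    """True if minion_id cannot expand to more than one key."""
    return bool(_LITERAL_ID.match(minion_id))


def build_login_request(username, password, eauth="pam"):
    """Request triple (url, headers, body) for POST /login."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    body = {"username": username, "password": password, "eauth": eauth}
    return SALT_API_URL + "/login", headers, body


def build_delete_request(minion_id, token):
    """Request triple for the wheel key.delete call from the thread, with the
    session token it left out.  Raises ValueError for non-literal ids."""
    if not is_literal_minion_id(minion_id):
        raise ValueError("refusing non-literal minion id: %r" % (minion_id,))
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "X-Auth-Token": token,
    }
    body = {"client": "wheel", "fun": "key.delete", "match": minion_id}
    return SALT_API_URL + "/", headers, body


def post_json(url, headers, body):
    """POST a JSON body and decode the JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def delete_minion_key(minion_id, username, password):
    """Log in, then delete the key.  Returns the API's decoded response."""
    login = post_json(*build_login_request(username, password))
    token = login["return"][0]["token"]
    return post_json(*build_delete_request(minion_id, token))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: delete_minion_key.py MY_VM_ID")
    result = delete_minion_key(
        sys.argv[1], os.environ["SALT_API_USER"], os.environ["SALT_API_PASS"]
    )
    print(json.dumps(result, indent=2))
```

Run it as `SALT_API_USER=deploy SALT_API_PASS=... python3 delete_minion_key.py MY_VM_ID`. Keeping the credentials in the environment rather than on the command line keeps them out of the process list and shell history on the calling host, and the API user should be granted only '@wheel' (or, tighter, only the key functions) in the master's external_auth block.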

ed.lane

Apr 11, 2013, 11:58:24 AM4/11/13
to salt-...@googlegroups.com
David,
This approach has been suggested by others but it is not clear to me how you would inject an event directly into a minion. The documentation clearly shows how you listen for an event but not how to generate one from a process external to Salt. In my case the minion never gets notified that its VM is being permanently terminated. Can you point me to the docs describing how to inject an event directly into the minion from an external process? -- This could be useful for other situations. I was under the assumption that salt's event loop(s) always originate from the salt-master.

Thanks!

-ed

ed.lane

Apr 11, 2013, 12:53:49 PM4/11/13
to salt-...@googlegroups.com, se...@eseth.com
Seth,
This looks like the ideal solution long term. There are no doubt some authentication tokens omitted from your example... and I assume I will have to install a dedicated webserver on the saltmaster just to handle this single call that occurs very infrequently.

Have you considered embedding a lightweight webserver into the saltmaster itself for handling API calls?

Additionally, have you considered a salt:// protocol gateway to the Salt API web service running on a saltmaster?

-ed

Andrew Niemantsverdriet

Apr 11, 2013, 1:13:54 PM4/11/13
to salt-...@googlegroups.com
Ed,

There is a lightweight server on the saltmaster provided by salt-api
(cherrypy). The documentation about salt-api is a pretty good starting
point to get a feel of how salt-api works.

Thanks,
--
_
/-\ ndrew Niemantsverdriet
Linux System Administrator
Academic Computing
(406) 238-7360
Rocky Mountain College
1511 Poly Dr.
Billings MT, 59102

Seth House

Apr 11, 2013, 2:12:15 PM4/11/13
to salt-...@googlegroups.com
On Thu, Apr 11, 2013 at 10:53 AM, ed.lane <ed.l...@gmail.com> wrote:
> There is no doubt some
> authentication tokens omitted from your example

Yes. There are a few ways to auth through salt-api.

> Have you considered embedding a lightweight webserver into the saltmaster
> itself for handling API calls?

As Andrew mentioned we use a lightweight, single-dependency
Python-based web server. (Though using something like Apache/Nginx is
possible as well.) We have discussed making a zero-dependency web
server; it would certainly be possible.

David Boucha

Apr 11, 2013, 3:01:28 PM4/11/13
to salt users list
You can fire an event from the minion using salt-call and the event module.

You can do something custom like this: salt-call event.fire_master '<minion id>' 'deletekey'

Then you could use the reactor on the master to listen for your custom tag 'deletekey' and delete the key using the wheel module.
This is a proof of concept, you'd have to actually test this.
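The minion-initiated path David sketches (a custom event tag, a reactor, a wheel call) is self-service key deletion, so the reactor must decide which key it may delete from the sender id the master stamps on the event, never from the payload the minion chose, or any minion could ask for another minion's key to be removed. The following is an added example, not code from the thread or from Salt: the assumed master wiring and reactor SLS sit in the docstring, the sample events are constructed, the envelope keys ('id', 'data', 'tag') are assumed from the arguments of the salt-call command above, and the check itself is written as a plain Python function so it can be run and tested offline.

```python
"""Reactor-side check for a minion-initiated key deletion.  Added example,
not code from the thread or from Salt.

Assumed master wiring (not given in the thread):

    # /etc/salt/master
    reactor:
      - 'deletekey':
        - /srv/reactor/deletekey.sls

    # /srv/reactor/deletekey.sls
    delete_minion_key:
      wheel.key.delete:
        - match: {{ data['id'] }}

The function below encodes the rules that SLS relies on: 'match' is bound to
the sender id from the event envelope, the id must be literal (no glob
characters), and a payload that names a different id is refused outright.
"""
import re

_LITERAL_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed sample of the event the master publishes after
# `salt-call event.fire_master '<minion id>' 'deletekey'`.  The envelope keys
# are assumed from that command's arguments.
SAMPLE_EVENT = {
    "tag": "deletekey",
    "data": {"id": "web01.example", "data": "web01.example", "tag": "deletekey"},
}

# Constructed sample of a minion naming a glob instead of its own id.
SPOOFED_EVENT = {
    "tag": "deletekey",
    "data": {"id": "web01.example", "data": "*", "tag": "deletekey"},
}


def key_to_delete(event, expected_tag="deletekey"):
    """Return the one key this event may delete, or None if it must be ignored.

    Rules: the tag must be the custom tag the reactor is wired to; the sender
    id must be a literal id (no glob characters); and if the payload names an
    id at all it must equal the sender's own id.
    """
    if event.get("tag") != expected_tag:
        return None
    sender = event.get("data", {}).get("id")
    if not isinstance(sender, str) or not _LITERAL_ID.match(sender):
        return None
    requested = event["data"].get("data")
    if requested not in (None, sender):
        return None
    return sender


def reactor_state(event):
    """The high-data the reactor SLS above renders to, or {} when refused."""
    match = key_to_delete(event)
    if match is None:
        return {}
    return {"delete_minion_key": {"wheel.key.delete": [{"match": match}]}}


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, SPOOFED_EVENT):
        print(ev["data"], "->", reactor_state(ev))
```

Because the minion's own event is the trigger, an attacker who controls one minion can only have that minion's key deleted, which is the intended effect; on the master side, restricting the reactor to this one tag and logging each refusal gives you an audit trail of who asked for what.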

ed.lane

Apr 11, 2013, 5:50:07 PM4/11/13
to salt-...@googlegroups.com
David,

I finally understand how you inject events directly into a salt-minion without passing through the saltmaster -- "salt-call" of course!  :-)

Your original salt-api suggestion seems the best because I need to delete the salt key from a remote machine that does not have a minion running on it.  I can see other situations where the event system could still come in handy however.

Thanks again!

-ed

David Boucha

Apr 12, 2013, 12:48:04 PM4/12/13
to salt users list
You're welcome!