How do I share root user ssh public key between other minions?


pankaj ghadge

Dec 3, 2014, 2:10:52 AM
to salt-...@googlegroups.com
Hi all,

I have 3 minions under one project and I want to share the public key of each minion with the other minions, so a user will be able to login/copy files between them without credentials.

As far as I know minions can't communicate with each other, but is it possible via the master?

1) Master send command to minion to generate ssh key.
2) Copy ssh public key to master.
3) Copy ssh public key to remaining minions.
4) Same procedure for other minions.

or is there any other solution for this.

Here I don't want to generate the ssh key manually.

Thanks a lot.

Dan Garthwaite

Dec 5, 2014, 7:40:30 AM
to salt-...@googlegroups.com
I wouldn't recommend such behavior, but you could expose each minion's user's public key as a grain. Minions can retrieve each other's grains.

Best practice for moving files between minions is vexing to me as well. Salt provides an encrypted, authenticated network and it is tempting to want to leverage it for everything.

pankaj ghadge

Dec 5, 2014, 8:02:54 AM
to salt-...@googlegroups.com
Thanks for the reply,

Yes, it's not recommended behavior, but the requirement is like that.

Is it possible to share an example of exposing each minion's user's public key as a grain and having minions retrieve each other's grains?
It would be a great help to me.

Also I have never heard of vexing for moving files between minions; if you can share a link, reference or example with me, it would help me gain more knowledge of Salt.

Mathieu Le Marec - Pasquet

Dec 5, 2014, 8:09:37 AM
to salt-...@googlegroups.com
Use an ext pillar for exposing the key (either pub/priv or both) to appropriate minions as a key and generate the file content from the value.

-- 
Regards,
kiorky
GPG Key FingerPrint: 0x1A1194B7681112AF
Think of the environment.
Print this e-mail only if you really need to.

Daniel Jagszent

Dec 5, 2014, 9:06:47 AM
to salt-...@googlegroups.com
Hello,

one way could be the following:

1) create a custom module that outputs the public key or creates it:
/srv/salt/_modules/ssh_key.py:

import os

def root():
    '''Return root's SSH public key, generating the key pair first if needed.'''
    key = '/root/.ssh/id_rsa'
    if not os.path.isdir('/root/.ssh'):
        os.makedirs('/root/.ssh', 0o700)  # ssh-keygen does not create the directory
    if not os.path.isfile(key + '.pub'):
        # -N "" sets an empty passphrase; without it ssh-keygen prompts and cmd.run has no terminal to answer
        __salt__['cmd.run']('ssh-keygen -q -t rsa -b 2048 -N "" -f ' + key)
    with open(key + '.pub') as f:
        return f.read().strip()

2) allow all minions to execute this module for every other minion via Peer Communication http://docs.saltstack.com/en/latest/ref/peer.html
/etc/salt/master.d/peer.conf:
peer:
  .*:
    - ssh_key.root

after a master restart you should be able to execute this on any minion:

master$ service salt-master restart
master$ salt \* saltutil.sync_all
a-random-minion$ salt-call publish.publish \* ssh_key.root

and get all the public keys of all the minions.

3) With that you can write a state that deploys these keys:
/srv/salt/ssh_keys.sls:
all-the-ssh-keys:
  ssh_auth:
    - present
    - user: root
    - enc: ssh-rsa
    - names:
{% for minion, pub_key in salt['publish.publish']('*', 'ssh_key.root', timeout=60).items() %}
      - {{ pub_key }}
{% endfor %}

4) put that state in your top.sls and execute a state.highstate on all minions.
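The peer setup above hands every minion's word straight to root's authorized_keys on every other minion: whatever text `ssh_key.root` returns is written verbatim, so one compromised minion (or any minion at all, given the `.*` peer rule) can plant an extra key, an `command=`/`from=` option, or a weak key on all of its peers. The following guard, an added example written for this thread and not code from the original post or from Salt, filters the `publish.publish` result before it reaches `ssh_auth.present`: it accepts exactly one well-formed ssh-rsa or ssh-ed25519 key per expected minion, checks the base64 blob against its declared type, enforces a minimum RSA modulus size, and re-emits the key in canonical form with the minion id as the comment. The module name `ssh_key_guard`, the project minion list, and the sample keys (synthetic, structurally valid, not real key material) are assumptions for the example.

```python
"""Guard for SSH public keys gathered from peer minions.

Added example, not part of the original thread or of Salt. Sits between
publish.publish('*', 'ssh_key.root') (dict: minion id -> returned text)
and ssh_auth.present. Module name and project list are assumptions.
"""
import base64
import struct

MIN_RSA_BITS = 2048
ALLOWED_TYPES = ("ssh-rsa", "ssh-ed25519")


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (4-byte big-endian length + data)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def parse_pubkey_line(line):
    """Parse '<type> <base64> [comment]' and return (type, blob, comment).

    A line carrying options ('command="..." ssh-rsa ...') is rejected
    because its first field is not an allowed key type.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if ktype not in ALLOWED_TYPES:
        raise ValueError("key type %r not allowed" % ktype)
    blob = base64.b64decode(b64, validate=True)  # ValueError on junk
    wire_type, off = _read_string(blob, 0)
    if wire_type != ktype.encode():
        raise ValueError("type field and wire blob disagree")
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent (mpint)
        n, off = _read_string(blob, off)   # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError("RSA modulus is %d bits, need >= %d" % (bits, MIN_RSA_BITS))
    else:
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    return ktype, blob, comment


def filter_peer_keys(published, project_minions):
    """Return (accepted, rejected): {minion: canonical key line}, {minion: reason}."""
    accepted, rejected = {}, {}
    for minion, text in published.items():
        if minion not in project_minions:
            rejected[minion] = "minion not in project"
            continue
        if not isinstance(text, str):
            rejected[minion] = "non-string result (error or timeout)"
            continue
        lines = [ln for ln in text.splitlines() if ln.strip()]
        if len(lines) != 1:
            rejected[minion] = "expected exactly one key line, got %d" % len(lines)
            continue
        try:
            ktype, blob, _ = parse_pubkey_line(lines[0])
        except ValueError as exc:
            rejected[minion] = str(exc)
            continue
        # Canonical form with the minion id as comment: no peer-controlled
        # text at all reaches authorized_keys.
        accepted[minion] = "%s %s %s" % (ktype, base64.b64encode(blob).decode(), minion)
    return accepted, rejected


# --- constructed sample input (synthetic blobs, not real keys) -------------
def _mpint(value):
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def make_rsa_line(bits, comment):
    """Structurally valid ssh-rsa line with a synthetic modulus of `bits` bits."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def demo():
    """Run the guard over a constructed publish.publish result."""
    published = {
        "web1": make_rsa_line(2048, "root@web1") + "\n",                       # good
        "web2": make_rsa_line(1024, "root@web2") + "\n",                       # too small
        "db1": 'command="/bin/sh" ' + make_rsa_line(2048, "x"),               # smuggled option
        "web3": make_rsa_line(2048, "a") + "\n" + make_rsa_line(2048, "b"),   # two keys
        "rogue": make_rsa_line(4096, "root@rogue"),                            # outside project
    }
    return filter_peer_keys(published, {"web1", "web2", "db1", "web3"})
```

Synced to the minions as a custom module, the state's `names:` loop would iterate over `salt['ssh_key_guard.filter_peer_keys'](salt['publish.publish']('*', 'ssh_key.root', timeout=60), pillar['project_minions'])[0].values()` instead of the raw publish result (module name and pillar key being assumptions), and the rejected dict is worth logging. Independently of this, the `peer:` rule should list the project's minion ids rather than `.*`, so that only those minions can call `ssh_key.root` on each other.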

Dan Garthwaite

Dec 5, 2014, 11:41:52 AM
to salt-...@googlegroups.com
For some reason I was convinced that grains were public information that is retrievable across minions. Thinking about it, I have no idea how to do that without opening up the peer publisher; I guess I thought it was PFM.

I retract my earlier advice.  There is no PFM module in salt, yet.

Les Mikesell

Dec 5, 2014, 11:56:44 AM
to salt-users
On Wed, Dec 3, 2014 at 1:10 AM, pankaj ghadge <ghadge...@gmail.com> wrote:
>
> I have 3 minion under one project and I want to share public key of each
> minion with other minions, so user will able to login/copy files between
> them without credentials.
>
> As I know minions can't communicate with each other, but via master is it
> possible?
>
> 1) Master send command to minion to generate ssh key.
> 2) Copy ssh public key to master.
> 3) Copy ssh public key to remaining minions.
> 4) Same procedure for other minions.
>
> or is there any other solutions for this.

Alternatively you could generate one keypair for the user and put the
same instance everywhere with the one public key in the
authorized_keys file instead of setting up an N-way matrix.

--
Les Mikesell
lesmi...@gmail.com

pankaj ghadge

Dec 5, 2014, 12:32:54 PM
to salt-...@googlegroups.com

Here I learned something new about Salt. Thanks for all your help and advice, I will give it a try and let you know the result!!!

  

Luminous Salt

Dec 5, 2014, 12:49:38 PM
to salt-...@googlegroups.com
Hi Pankaj,


On 2014-12-05 08:09, Mathieu Le Marec - Pasquet wrote:
> On 03/12/2014 08:10, pankaj ghadge wrote:
>
>> Hi all,
>>
>> I have 3 minion under one project and I want to share public key of
>> each minion with other minions, so user will able to login/copy
>> files between them without credentials.
>>
>> As I know minions can't communicate with each other, but via master
>> is it possible?
>>
>> 1) Master send command to minion to generate ssh key.
>> 2) Copy ssh public key to master.
>> 3) Copy ssh public key to remaining minions.
>> 4) Same procedure for other minions.
>>
>> or is there any other solutions for this.
>>
>> Here I don't want to generate ssh key manually.
>>
>> Thanks a lot.
>> --

As Mathieu noted:

> Use an ext pillar for exposing the key (either pub/priv or both) to
> appropriate minions as a key and generate the file content from the
> value.


I would recommend making the key available through pillar, either the
standard .sls or an ext_pillar.

To use ext_pillar, a simple script, in any language, would read the
current value of the pub key from a particular file path and return it
to ext_pillar to be consumed in your formula. While that is a more
automated solution, you could also simplify and just put the key in .sls
pillar. You can then use that pub key from pillar as part of ssh/file
salt states as needed.


Good luck.

Wolodja Wentland

Dec 8, 2014, 4:47:28 AM
to salt-...@googlegroups.com
On Tue, Dec 02, 2014 at 23:10 -0800, pankaj ghadge wrote:

> I have 3 minion under one project and I want to share public key of each minion
> with other minions, so user will able to login/copy files between them without
> credentials.

You are thinking about it the wrong way: Salt describes a state that you want to
achieve on your minions and not reactions to state you find on it.

The idiomatic way to go about this is to generate one keypair and to manage
that on the minions directly. Salt offers various ways to go about this, but
I would recommend exposing the private key via pillars [0] to selected minions,
like:

foo:
  private_key: |
    ----- BEGIN P ....
    ...
    ...
    ...
    ----- END ...

And then reference that in file.managed's contents_pillar [1].

Salt also allows you to put the public key into ~/.ssh/authorized_keys via its
ssh_auth states [2] which has states for keys that should be present or absent
there.

In fact I would recommend to use the users-formula [3] to manage your users and
an additional file.managed state to manage each user's private SSH keys in
addition to that. I'd personally keep the private and public key both in the
user's pillar, but save them in a different pillar SLS file and rely on pillar
merging.

[0] http://docs.saltstack.com/en/latest/topics/tutorials/pillar.html
http://docs.saltstack.com/en/latest/topics/pillar/index.html
[1] http://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.managed
[2] http://docs.saltstack.com/en/latest/ref/states/all/salt.states.ssh_auth.html
[3] https://github.com/saltstack-formulas/users-formula
--
Wolodja Wentland <bab...@gmail.com>

4096R/CAF14EFC
081C B7CD FF04 2BA9 94EA 36B2 8B7F 7D30 CAF1 4EFC