Accept salt keys for provisioned hosts

Currently, accepting the salt key for provisioned hosts doesn’t work for all OSes:

  1. autosign_file is no longer possible because foreman needs to write the autosign_file, but salt-master since v2018 ignores the file content if the access permissions are “too open”
  2. the before_provision hook in foreman only works if the request is exactly timed. For some operating systems (e.g. SLES) this doesn’t work in an acceptable way.

Possible solution:

It would be great to have an opinion of other salt users and discuss possible solutions.

Hi,
while autosign_grains would be an option, the salt-master ignoring the autosign_file also means that the “Autosign” GUI feature is no longer working. Wouldn’t a script to edit the autosign.conf be an option, giving foreman sudo access to it? Something like autosign.py add/delete to edit entries?

Hi,
thanks for the idea, but personally I don’t like having “another” script that is called with sudo.
My suggestion is to

  • use autosign_grains when creating a host so that the host key is accepted automatically
  • it would be nice to remove the autosign_grains entries that are generated at host creation time once the host key is accepted and the minion is really associated. I am thinking about adding a section to foreman-node (smart_proxy_salt -> /usr/bin/node) which would only remove these /etc/salt/autosign_grains/fqdn entries.
  • adapt the autosign_file foreman GUI page so that users can manage autosign_grains instead of autosign_file entries.

Or you could create a reactor in salt listening to the salt/key event and remove the autosign grain once the key has been accepted.


Good idea 👍

The challenge is then similar to uploading the salt report to foreman using the salt reactor: every user needs to set up the reactor for themselves. Hope everyone using salt can achieve this.

I don’t really see why not. When documented well, it’s something that can be copy-pasted into the config file. But as for the upload reactor, I’m excited to see how that’s going to work out. It is going to produce way more jobs in foreman-tasks than the current implementation (at least from what I understood from the code).

Ok, then I will have a look at adding a reactor to delete the auto-accept autosign_grain.

Regarding the upload reactor, try it out. 🙂

I talked to a colleague (thanks @m-bucher) and we have another proposal:

  • remove autosign_file completely
  • use autosign_grains_dir
    • during provisioning, create a serial and store it on the salt-master in autosign_grains_dir/foreman_provisioning_serial
    • put this serial into the /etc/salt/minion.d/minion configuration like

      autosign_grains:
        - foreman_provisioning_serial
      grains:
        foreman_provisioning_serial: 10ddf613e70ab6d1

  • after provisioning is done / key is accepted, remove the serial from autosign_grains/foreman_provisioning_serial

Much easier, and I guess the autosign_file was never used. In case a user wants to use other autosign_grains, it can still be configured on the command line.
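The reactor idea from earlier in the thread and the serial proposal in this post, worked through as an added example; this is not Foreman, smart_proxy_salt or Salt project code. It issues a one-time serial into the autosign_grains_dir file, renders the minion.d fragment that presents it, and consumes the serial again once the master has dealt with the key. Assumptions: the grain file is a plain one-value-per-line file under autosign_grains_dir; the minion-id-to-serial index is an in-memory dict that Foreman would persist; an autosigned key surfaces as a salt/auth event with act "accept" while wheel key actions surface under salt/key (check this against your Salt version); and salt-master skips autosign files that are group- or other-writable unless permissive_pki_access is set, so the file is rewritten atomically with those bits cleared.

```python
"""Added example, not Foreman or Salt project code.

One-time provisioning serials in salt-master's autosign_grains_dir: issue a
serial for a host, render the minion config that presents it, and revoke the
serial once the key has been accepted (or the key deleted). Paths, the
in-memory serial index and the event handling are assumptions.
"""
import os
import secrets
import stat
import tempfile

GRAIN = "foreman_provisioning_serial"  # grain name from the proposal above
# Assumption: salt-master ignores autosign files writable by group/other
# unless permissive_pki_access is set, so never hand it such a file.
UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH


def _read_entries(path):
    """One autosign value per line; blank lines and '#' comments are ignored."""
    try:
        with open(path, encoding="utf-8") as fh:
            return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    except FileNotFoundError:
        return []


def _write_entries(path, entries):
    """Rewrite the grain file atomically, keeping group/other write bits clear."""
    mode = 0o644  # readable by salt-master, writable only by the owner
    if os.path.exists(path):
        mode = stat.S_IMODE(os.stat(path).st_mode) & ~UNSAFE_BITS
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".autosign.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("".join(e + "\n" for e in entries))
    os.chmod(tmp, mode)
    os.replace(tmp, path)  # salt-master never sees a half-written file


def issue_serial(grain_dir, minion_id, index, grain=GRAIN):
    """Provisioning step: create a one-time serial and allow it on the master.

    index maps minion id -> serial; Foreman would persist it (assumption)."""
    serial = secrets.token_hex(8)  # 16 hex chars, like 10ddf613e70ab6d1 above
    path = os.path.join(grain_dir, grain)
    entries = _read_entries(path)
    if serial not in entries:
        entries.append(serial)
    _write_entries(path, entries)
    index[minion_id] = serial
    return serial


def minion_config(serial, grain=GRAIN):
    """Render the /etc/salt/minion.d/ fragment that presents the serial."""
    return (
        "autosign_grains:\n"
        f"  - {grain}\n"
        "grains:\n"
        f"  {grain}: {serial}\n"
    )


def revoke_serial(grain_dir, serial, grain=GRAIN):
    """Drop one serial from the grain file; True if it was present."""
    path = os.path.join(grain_dir, grain)
    entries = _read_entries(path)
    if serial not in entries:
        return False
    _write_entries(path, [e for e in entries if e != serial])
    return True


def on_key_event(grain_dir, tag, data, index):
    """Reactor-style handler: consume the host's serial once the key is settled.

    Assumption: an autosigned key raises a salt/auth event with act "accept",
    a wheel accept/delete raises salt/key. A successful accept or a delete
    ends the serial's life either way; anything else is ignored."""
    if tag not in ("salt/auth", "salt/key"):
        return False
    if data.get("act") not in ("accept", "delete") or data.get("result") is False:
        return False
    serial = index.pop(data.get("id"), None)
    if serial is None:
        return False  # not a host we provisioned, or serial already consumed
    return revoke_serial(grain_dir, serial)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        idx = {}
        s = issue_serial(d, "node1.example.com", idx)
        print(minion_config(s))
        # constructed event, the shape salt-master emits when it accepts a key
        ev = {"id": "node1.example.com", "act": "accept", "result": True}
        print(on_key_event(d, "salt/auth", ev, idx))
        print(_read_entries(os.path.join(d, GRAIN)))
```

The serial is a bearer credential: whoever presents it as a grain gets a key accepted, so it should only live in the provisioned host's minion.d file, be consumed on the first accept as above, and be revoked anyway once the provisioning window has passed. In a real deployment `on_key_event` would be called from a reactor SLS via a runner or execution module; only the handler logic is shown here.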

Yes, this sounds like a very good idea.
