Accept salt keys for provisioned hosts

Currently, accepting the salt key for provisioned hosts doesn’t work for all os:

  1. autosign_file is no longer possible because foreman requires to write the autosign_file but salt-master since v2018 ignores the file content if the access permissions are “to open”
  2. before_provision hook in foreman only works if the request is exactly timed. For some operating systems (e.g. SLES) this doesn’t work in an acceptable way.

Possible solution:

It would be great to have an opinion of other salt users and discuss possible solutions.

while autosign_grains would be an option, the salt-master ignoring the autosign_file also means that the “Autosign” GUI feature is no longer working. Wouldn’t a script to edit the autosign.conf be an option and give foreman sudo access? Something like add/delete to edit entries?

thanks for the idea but personally, I don’t like to have “another” script which is called with sudo.
My suggestion is, to

  • use autosign_grains when creating a host so that the host key is accepted automatically
  • it would be nice to remove the automatically generated autosign_grains entries which are generated at host creation time after the host-key is accepted and the minion is really associated. I think about adding a section to foreman-node (smart_proxy_salt -> /usr/bin/node) which would only remove these /etc/salt/autosign_grains/fqdn entries.
  • adapt the audosign_file foreman GUI page so that users can manage autosign_grains instead of autosign_file entries.

Or you could create a reactor in salt listening to the salt/key event and remove the autosign grain once the key has been accepted.

1 Like

Good idea :+1:

The challenge is then similar to uploading the salt report to foreman using the salt reactor, that every user need to set up the reactor for himself. Hope everyone using salt can achieve this.

I don’t really see why not. When documented well its something that can be copy-pasted into the config file. But as for the upload reactor, I’m excited to see how that’s going to work out. It is going to produce way more jobs in foreman-tasks than the current implementation (at least from what I understood from the code)

Ok, then I will have a look at adding a reactor to delete the auto-accept autosign_grain.

Regarding upload reactor, try it out. :slight_smile:

I talked to a colleague (thanks @m-bucher) and we have another proposal:

  • remove autosign_file completely
  • use autosign_grains_dir
    • during provisioning, create a serial and store it on salt-master/autosign_grains_dir/foreman_provisioning_serial
    • put this serial to /etc/salt/minion.d/minion configuration like

        - foreman_provisioning_serial
        foreman_provisioning_serial: 10ddf613e70ab6d1

  • after provisioning is done / key is accepted, remove the serial from autosign_grains/foreman_provisioning_serial

Much easier and I guess, the autosign_file was never be used. In case a user want to use other autosign_grains, it still can be configured on command-line.

Yes this sounds like a very good idea.

1 Like