Task #21363

Scenario #21279: Epic1: Create the microservice managing SaltMaster

attach the module's minion to the Zéphir master

Added by Gérald Schwartzmann over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Start date:
09/14/2017
Due date:
% Done:

100%

Estimated time:
2.00 h
Spent time:
Remaining (hours):
0.0

History

#1 Updated by Gérald Schwartzmann over 3 years ago

Activation de l'EAD 3

run-parts: executing /usr/share/eole/postservice/00-actions reconfigure

## Synchronisation des modules SaltStack ##
[ERROR   ] The master key has changed, the salt master could have been subverted, verify salt master's public key
[CRITICAL] The Salt Master server's public key did not authenticate!
The master may need to be updated if it is a version of Salt lower than 2016.3.4, or
If you are confident that you are connecting to a valid Salt Master, then remove the master public key and restart the Salt Minion.
The master public key can be found at:
/etc/salt/pki/minion/minion_master.pub
Invalid master key
run-parts: /usr/share/eole/postservice/00-actions exited with return code 1
Erreur : postservice
root@scribe:~# 
mv /etc/salt/pki/minion/minion_master.pub /root/
root@scribe:~# mv /etc/salt/pki/minion/minion_master.pub /root/
root@scribe:~# /usr/share/eole/postservice/00-actions

## Synchronisation des modules SaltStack ##
local:
    - modules.ead.__init__
    - modules.ead.backuponce.__init__
[…]
    - modules.ead.shutdown.custom
    - modules.ead.shutdown.form
root@scribe:~#
root@scribe:~# ll /etc/salt/pki/minion/
total 20
drwx------ 2 root root 4096 sept. 14 10:59 ./
drwxr-xr-x 4 root root 4096 mai   22 13:09 ../
-rw-r--r-- 1 root root  450 sept. 14 10:59 minion_master.pub
-r-------- 1 root root 1678 sept. 12 17:48 minion.pem
-rw-r--r-- 1 root root  450 sept. 12 17:48 minion.pub
root@scribe:~#
root@712af06135d1:~# salt-key -L
Accepted Keys:
scribe.ac-test.fr
Denied Keys:
Unaccepted Keys:
Rejected Keys:
root@712af06135d1:~#
root@scribe:~# service salt-minion status
● salt-minion.service - The Salt Minion
   Loaded: loaded (/lib/systemd/system/salt-minion.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since jeu. 2017-09-14 10:50:00 CEST; 12min ago
  Process: 20235 ExecStart=/usr/bin/salt-minion (code=exited, status=0/SUCCESS)
 Main PID: 20235 (code=exited, status=0/SUCCESS)

sept. 14 10:49:52 scribe systemd[1]: Started The Salt Minion.
sept. 14 10:50:00 scribe salt-minion[20235]: [ERROR   ] The master key has changed, the salt master could have been subverted, verify salt master's public key
sept. 14 10:50:00 scribe salt-minion[20235]: [CRITICAL] The Salt Master server's public key did not authenticate!
sept. 14 10:50:00 scribe salt-minion[20235]: The master may need to be updated if it is a version of Salt lower than 2016.3.4, or
sept. 14 10:50:00 scribe salt-minion[20235]: If you are confident that you are connecting to a valid Salt Master, then remove the master public key and restar
sept. 14 10:50:00 scribe salt-minion[20235]: The master public key can be found at:
sept. 14 10:50:00 scribe salt-minion[20235]: /etc/salt/pki/minion/minion_master.pub
sept. 14 10:50:00 scribe salt-minion[20235]: [WARNING ] Stopping the Salt Minion
sept. 14 10:50:00 scribe salt-minion[20235]: [ERROR   ] Invalid master key
sept. 14 10:50:00 scribe salt-minion[20235]: The salt minion is shutdown.Invalid master key

reconfigure and everything went back to normal

#3 Updated by Gérald Schwartzmann over 3 years ago

On the minion


# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
master: 127.0.0.1
master: eolebase.ac-test.fr


root@712af06135d1:~# salt-key -L
Accepted Keys:
scribe.ac-test.fr
Denied Keys:
Unaccepted Keys:
local
Rejected Keys:
root@712af06135d1:~#
root@scribe:/etc/salt# service salt-minion status
● salt-minion.service - The Salt Minion
   Loaded: loaded (/lib/systemd/system/salt-minion.service; enabled; vendor preset: enabled)
   Active: active (running) since jeu. 2017-09-14 11:44:39 CEST; 4min 6s ago
 Main PID: 30891 (salt-minion)
   CGroup: /system.slice/salt-minion.service
           ├─30891 /usr/bin/python /usr/bin/salt-minion
           ├─30898 /usr/bin/python /usr/bin/salt-minion
           └─30900 /usr/bin/python /usr/bin/salt-minion

sept. 14 11:47:10 scribe salt-minion[30891]: [ERROR   ] The Salt Master has cached the public key for this node, this salt minion will wait for 10 seconds bef

root@scribe:/etc/salt# cp /root/minion_master.pub /etc/salt/pki/minion/minion_master_eolebase.pub

root@scribe:/etc/salt# service salt-minion restart
root@scribe:/etc/salt# service salt-minion status
● salt-minion.service - The Salt Minion
   Loaded: loaded (/lib/systemd/system/salt-minion.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since jeu. 2017-09-14 11:57:04 CEST; 175ms ago
  Process: 31864 ExecStart=/usr/bin/salt-minion (code=exited, status=0/SUCCESS)
 Main PID: 31864 (code=exited, status=0/SUCCESS)

sept. 14 11:57:03 scribe systemd[1]: Started The Salt Minion.
sept. 14 11:57:04 scribe salt-minion[31864]: [ERROR   ] The master key has changed, the salt master could have been subverted, verify salt master's public key
sept. 14 11:57:04 scribe salt-minion[31864]: [CRITICAL] The Salt Master server's public key did not authenticate!
sept. 14 11:57:04 scribe salt-minion[31864]: The master may need to be updated if it is a version of Salt lower than 2016.3.4, or
sept. 14 11:57:04 scribe salt-minion[31864]: If you are confident that you are connecting to a valid Salt Master, then remove the master public key and restar
sept. 14 11:57:04 scribe salt-minion[31864]: The master public key can be found at:
sept. 14 11:57:04 scribe salt-minion[31864]: /etc/salt/pki/minion/minion_master.pub
sept. 14 11:57:04 scribe salt-minion[31864]: [WARNING ] Stopping the Salt Minion
sept. 14 11:57:04 scribe salt-minion[31864]: [ERROR   ] Invalid master key
sept. 14 11:57:04 scribe salt-minion[31864]: The salt minion is shutdown.Invalid master key
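
An added example, not part of the ticket or of Salt's code: before removing `/etc/salt/pki/minion/minion_master.pub` as the error message suggests, this compares the cached key with the fingerprint read on the intended master (for instance with `salt-key -F master`). It assumes the fingerprint is the SHA-256 of the PEM body shown as colon-separated hex pairs, as Salt displays it; `SAMPLE_PEM` and the function names are constructed for illustration.

```python
import hashlib
import hmac
import re
import sys

# Path reported by the minion in the log above.
CACHED_MASTER_KEY = "/etc/salt/pki/minion/minion_master.pub"

# Constructed placeholder (not a real key), used only when run without arguments.
SAMPLE_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
              b"Q09OU1RSVUNURUQtU0FNUExFLUtFWS1OT1QtUkVBTA==\n"
              b"-----END PUBLIC KEY-----\n")


def pem_fingerprint(pem: bytes) -> str:
    """SHA-256 of the PEM body (blank lines, header, footer dropped) as aa:bb:..."""
    lines = [ln for ln in pem.splitlines(keepends=True) if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith(b"-----BEGIN"):
        raise ValueError("not a PEM public key")
    digest = hashlib.sha256(b"".join(lines[1:-1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def normalise(fingerprint: str) -> str:
    """Lower-case and drop colons/whitespace so a pasted value compares cleanly."""
    return re.sub(r"[:\s]", "", fingerprint.lower())


def check_master_key(pem: bytes, expected: str) -> str:
    """Compare a cached master key with the fingerprint read on the master."""
    want = normalise(expected)
    if not re.fullmatch(r"[0-9a-f]{64}", want):
        raise ValueError("expected value is not a SHA-256 fingerprint")
    got = normalise(pem_fingerprint(pem))
    return "match" if hmac.compare_digest(got, want) else "mismatch"


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no argument: show the fingerprint of the sample
        print(pem_fingerprint(SAMPLE_PEM))
        sys.exit(0)
    # Usage: <script> <fingerprint read on the master> [path to cached key]
    path = sys.argv[2] if len(sys.argv) > 2 else CACHED_MASTER_KEY
    with open(path, "rb") as fh:
        verdict = check_master_key(fh.read(), sys.argv[1])
    print(f"{path}: {verdict}")
    sys.exit(0 if verdict == "match" else 1)
```

Run it once before deleting the cached key to see whether it belongs to the intended master, and again after the minion has re-cached a key. Setting `master_finger` in the minion configuration makes the minion perform the same comparison itself when it first caches a master key.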

#4 Updated by Gérald Schwartzmann over 3 years ago

  • Status changed from New to In progress

#5 Updated by Gérald Schwartzmann over 3 years ago

  • Assigned To set to Gérald Schwartzmann

#6 Updated by Fabrice Barconnière over 3 years ago

  • % Done changed from 0 to 20

More complete documentation: https://salt.readthedocs.io/en/stable/ref/configuration/minion.html

Some interesting minion configuration parameters:

  • verify_master_pubkey_sign:
    • used for multi-master, particularly in failover
    • check whether this can also be used in hot multi-master
  • master_sign_key_name (not sure this is useful)
    • lets you specify a prefix for the master key
  • always_verify_signature:
    • always verify the masters' keys if verify_master_pubkey_sign is enabled
  • MASTER:
    • host names of the masters
        - master1
        - master2
        - ...

  • another possibility: if MASTER_TYPE is func, we give the list of module functions.
    This gives dynamic multi-master: the minion receives the IP address or host name of the desired master
    master: module.function

  • MASTER_TYPE:
    • type of masters
      • standard: a single master
      • failover: multi-master in failover
      • func: dynamic multi-master (I have the impression this is what we want to do)
  • master_alive_interval:
    • mandatory for multi-master

#7 Updated by Lionel Morin over 3 years ago

  • Subject changed from attach the module's salt-master to the Zéphir's to attach the module's minion to the Zéphir master

#8 Updated by Lionel Morin over 3 years ago

  • Status changed from In progress to Resolved

#9 Updated by Gérald Schwartzmann over 3 years ago

  • % Done changed from 20 to 100

#10 Updated by Gérald Schwartzmann over 3 years ago

  • Status changed from Resolved to Closed
  • Remaining (hours) changed from 2.0 to 0.0
