Task #21363
Scenario #21279: Epic1: Create the microservice managing SaltMaster
attach the module's minion to the Zéphir master
Status:
Closed
Priority:
Normal
Assigned To:
Target version:
Remaining (hours):
0.0
History
#1 Updated by Gérald Schwartzmann over 5 years ago
Enabling EAD 3
run-parts: executing /usr/share/eole/postservice/00-actions reconfigure
## Synchronisation des modules SaltStack ##
[ERROR ] The master key has changed, the salt master could have been subverted, verify salt master's public key
[CRITICAL] The Salt Master server's public key did not authenticate!
The master may need to be updated if it is a version of Salt lower than 2016.3.4, or
If you are confident that you are connecting to a valid Salt Master, then remove the master public key and restart the Salt Minion.
The master public key can be found at:
/etc/salt/pki/minion/minion_master.pub
Invalid master key
run-parts: /usr/share/eole/postservice/00-actions exited with return code 1
Erreur : postservice
root@scribe:~#
mv /etc/salt/pki/minion/minion_master.pub /root/
root@scribe:~# mv /etc/salt/pki/minion/minion_master.pub /root/
root@scribe:~# /usr/share/eole/postservice/00-actions
## Synchronisation des modules SaltStack ##
local:
    - modules.ead.__init__
    - modules.ead.backuponce.__init__
    […]
    - modules.ead.shutdown.custom
    - modules.ead.shutdown.form
root@scribe:~#
root@scribe:~# ll /etc/salt/pki/minion/
total 20
drwx------ 2 root root 4096 sept. 14 10:59 ./
drwxr-xr-x 4 root root 4096 mai 22 13:09 ../
-rw-r--r-- 1 root root 450 sept. 14 10:59 minion_master.pub
-r-------- 1 root root 1678 sept. 12 17:48 minion.pem
-rw-r--r-- 1 root root 450 sept. 12 17:48 minion.pub
root@scribe:~#
root@712af06135d1:~# salt-key -L
Accepted Keys:
scribe.ac-test.fr
Denied Keys:
Unaccepted Keys:
Rejected Keys:
root@712af06135d1:~#
root@scribe:~# service salt-minion status
● salt-minion.service - The Salt Minion
   Loaded: loaded (/lib/systemd/system/salt-minion.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since jeu. 2017-09-14 10:50:00 CEST; 12min ago
  Process: 20235 ExecStart=/usr/bin/salt-minion (code=exited, status=0/SUCCESS)
 Main PID: 20235 (code=exited, status=0/SUCCESS)

sept. 14 10:49:52 scribe systemd[1]: Started The Salt Minion.
sept. 14 10:50:00 scribe salt-minion[20235]: [ERROR ] The master key has changed, the salt master could have been subverted, verify salt master's public key
sept. 14 10:50:00 scribe salt-minion[20235]: [CRITICAL] The Salt Master server's public key did not authenticate!
sept. 14 10:50:00 scribe salt-minion[20235]: The master may need to be updated if it is a version of Salt lower than 2016.3.4, or
sept. 14 10:50:00 scribe salt-minion[20235]: If you are confident that you are connecting to a valid Salt Master, then remove the master public key and restar
sept. 14 10:50:00 scribe salt-minion[20235]: The master public key can be found at:
sept. 14 10:50:00 scribe salt-minion[20235]: /etc/salt/pki/minion/minion_master.pub
sept. 14 10:50:00 scribe salt-minion[20235]: [WARNING ] Stopping the Salt Minion
sept. 14 10:50:00 scribe salt-minion[20235]: [ERROR ] Invalid master key
sept. 14 10:50:00 scribe salt-minion[20235]: The salt minion is shutdown.Invalid master key
reconfigure, and everything went back to normal
#3 Updated by Gérald Schwartzmann over 5 years ago
On the minion
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
master: 127.0.0.1
master: eolebase.ac-test.fr
root@712af06135d1:~# salt-key -L
Accepted Keys:
scribe.ac-test.fr
Denied Keys:
Unaccepted Keys:
local
Rejected Keys:
root@712af06135d1:~#
root@scribe:/etc/salt# service salt-minion status
● salt-minion.service - The Salt Minion
   Loaded: loaded (/lib/systemd/system/salt-minion.service; enabled; vendor preset: enabled)
   Active: active (running) since jeu. 2017-09-14 11:44:39 CEST; 4min 6s ago
 Main PID: 30891 (salt-minion)
   CGroup: /system.slice/salt-minion.service
           ├─30891 /usr/bin/python /usr/bin/salt-minion
           ├─30898 /usr/bin/python /usr/bin/salt-minion
           └─30900 /usr/bin/python /usr/bin/salt-minion

sept. 14 11:47:10 scribe salt-minion[30891]: [ERROR ] The Salt Master has cached the public key for this node, this salt minion will wait for 10 seconds bef
root@scribe:/etc/salt# cp /root/minion_master.pub /etc/salt/pki/minion/minion_master_eolebase.pub
root@scribe:/etc/salt# service salt-minion restart
root@scribe:/etc/salt# service salt-minion status
● salt-minion.service - The Salt Minion
   Loaded: loaded (/lib/systemd/system/salt-minion.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since jeu. 2017-09-14 11:57:04 CEST; 175ms ago
  Process: 31864 ExecStart=/usr/bin/salt-minion (code=exited, status=0/SUCCESS)
 Main PID: 31864 (code=exited, status=0/SUCCESS)

sept. 14 11:57:03 scribe systemd[1]: Started The Salt Minion.
sept. 14 11:57:04 scribe salt-minion[31864]: [ERROR ] The master key has changed, the salt master could have been subverted, verify salt master's public key
sept. 14 11:57:04 scribe salt-minion[31864]: [CRITICAL] The Salt Master server's public key did not authenticate!
sept. 14 11:57:04 scribe salt-minion[31864]: The master may need to be updated if it is a version of Salt lower than 2016.3.4, or
sept. 14 11:57:04 scribe salt-minion[31864]: If you are confident that you are connecting to a valid Salt Master, then remove the master public key and restar
sept. 14 11:57:04 scribe salt-minion[31864]: The master public key can be found at:
sept. 14 11:57:04 scribe salt-minion[31864]: /etc/salt/pki/minion/minion_master.pub
sept. 14 11:57:04 scribe salt-minion[31864]: [WARNING ] Stopping the Salt Minion
sept. 14 11:57:04 scribe salt-minion[31864]: [ERROR ] Invalid master key
sept. 14 11:57:04 scribe salt-minion[31864]: The salt minion is shutdown.Invalid master key
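A check for the "master key has changed" error shown in the updates above, as an added example that is not part of the ticket or of EOLE's code: before the cached `minion_master.pub` is moved aside, its fingerprint is compared with one read on the master itself (for instance with `salt-key -F master`). The function names and sample keys are constructed, and the fingerprint scheme (SHA-256 over the PEM body, colon-separated) is assumed to mirror Salt's, so cross-check it against `salt-call --local key.finger_master`.

```python
import hashlib
import os
import tempfile

# Constructed sample keys: the bodies are placeholder text, not real RSA keys.
OLD_MASTER_PUB = b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQtT0xELU1BU1RFUg==\n-----END PUBLIC KEY-----\n"
NEW_MASTER_PUB = b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQtTkVXLU1BU1RFUg==\n-----END PUBLIC KEY-----\n"


def pem_fingerprint(path, sum_type="sha256"):
    """Hash the PEM body (header and footer lines dropped), colon-separated."""
    with open(path, "rb") as fh:
        lines = [ln for ln in fh if ln.strip()]
    digest = hashlib.new(sum_type, b"".join(lines[1:-1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def classify_master_key(cached_path, trusted_finger):
    """Compare the minion's cached master key with a fingerprint obtained
    out of band from the master. Returns 'absent', 'match' or 'mismatch'."""
    if not os.path.isfile(cached_path):
        return "absent"  # the minion would accept whatever key it is offered next
    actual = pem_fingerprint(cached_path)
    return "match" if actual == trusted_finger.strip().lower() else "mismatch"


def demo():
    """Replay the ticket's situation: old key cached, master now presents a new one."""
    with tempfile.TemporaryDirectory() as pki:
        cached = os.path.join(pki, "minion_master.pub")
        offered = os.path.join(pki, "offered_by_master.pub")
        with open(cached, "wb") as fh:
            fh.write(OLD_MASTER_PUB)
        with open(offered, "wb") as fh:
            fh.write(NEW_MASTER_PUB)
        trusted = pem_fingerprint(offered)  # stands in for the value read on the master
        before = classify_master_key(cached, trusted)
        os.replace(offered, cached)  # replace only once the fingerprint is trusted
        after = classify_master_key(cached, trusted)
        missing = classify_master_key(os.path.join(pki, "none.pub"), trusted)
    return before, after, missing


if __name__ == "__main__":
    print(demo())
```

An "absent" result is the state the minion is in right after the `mv` in update #1: nothing is pinned, so the next key offered is trusted on first use.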
#4 Updated by Gérald Schwartzmann over 5 years ago
- Status changed from New to In progress
#5 Updated by Gérald Schwartzmann over 5 years ago
- Assigned To set to Gérald Schwartzmann
#6 Updated by Fabrice Barconnière over 5 years ago
- % Done changed from 0 to 20
More complete documentation: https://salt.readthedocs.io/en/stable/ref/configuration/minion.html
Some interesting minion configuration parameters:
- verify_master_pubkey_sign:
  - used for multi-master, notably in failover
  - check whether this is also usable in HOT multi-master
- master_sign_key_name (not sure this is useful):
  - lets you specify a master key prefix
- always_verify_signature:
  - always verify the masters' keys if verify_master_pubkey_sign is enabled
- MASTER:
  - host names of the masters
    - master1
    - master2
    - ...
    - ...
  - another possibility: if MASTER_TYPE is func, you give the list of module functions.
    This gives dynamic multi-master: the minion will receive the IP address or host name of the desired master
    master: module.function
- MASTER_TYPE:
  - type of masters
    - standard: a single master
    - failover: multi-master in failover
    - func: dynamic multi-master (I have the impression that this is what we want to do)
- master_alive_interval:
  - mandatory if multi-master
#7 Updated by Lionel Morin over 5 years ago
- Subject changed from "attach the module's salt-master to the Zéphir one" to "attach the module's minion to the Zéphir master"
#8 Updated by Lionel Morin over 5 years ago
- Status changed from In progress to Resolved
#9 Updated by Gérald Schwartzmann over 5 years ago
- % Done changed from 20 to 100
#10 Updated by Gérald Schwartzmann over 5 years ago
- Status changed from Resolved to Closed
- Remaining (hours) changed from 2.0 to 0.0