FAQ
Hi,

I am trying to salt some systems manually and verify the master and minion
key fingerprints before allowing them to connect to one another. I have the
master's key fingerprint and use it in the minion's master_finger setting.
I would like to note the minion fingerprint before connecting and accepting
it in the master.

salt-call --local key.finger seems like just the thing for this, except
that /etc/salt/pki/minion remains empty no matter how long I let salt-minion
run with a default salt_master of 'salt' and no server named salt in my
DNS. The salt-minion just spins on this without creating the key pair:

[WARNING ] Master hostname: salt not found. Retrying in 30 seconds
[ERROR ] This master address: 'salt' was previously resolvable but now
fails to resolve! The previously resolved ip addr will continue to be used

If instead I use some bogus IP address for the salt_master, like
'127.0.0.1', the keys are created:

[DEBUG ] Reading configuration from /etc/salt/minion
[DEBUG ] Attempting to authenticate with the Salt Master at 127.0.0.1
[INFO ] Generating keys: /etc/salt/pki/minion
[DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem
[WARNING ] SaltReqTimeoutError: Waited 60 seconds
[INFO ] Waiting for minion key to be accepted by the master.

Is there another way to force salt-minion to ignore the DNS lookup and
create the key pair, or could it create the key pair before resolving the
IP address?

I know I could use salt-key on the master, or install salt-master to use
salt-key to create the keys on the minion and insert them in the right
place (pre-seed), but since salt-minion seems to know how to create its
keys already that seems unnecessary.

Thank you,
--
Jacob

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
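The question above is about checking the master's and the minion's key fingerprints out of band before either side accepts the other. The script below is an added example written for this page; it is not code from the thread or from Salt itself. It recomputes a Salt-style fingerprint from a PEM file (the non-blank lines between the BEGIN and END markers are hashed exactly as written, newlines included, and the hex digest is printed as colon-separated byte pairs, which is how I recall Salt's pem_finger helper working) so that /etc/salt/pki/minion/minion.pub can be fingerprinted on the minion host with nothing but Python, and so that /etc/salt/pki/master/master.pub can be turned into the value that belongs in the minion's master_finger setting. Which digest Salt uses is controlled by its hash_type option; older releases defaulted to MD5 and newer ones to SHA-256 (treat that as an assumption and confirm the output against salt-key -F on the master or salt-call --local key.finger on a minion for one known key before relying on it). The embedded SAMPLE_PEM is a constructed placeholder, not a real RSA key.

```python
"""Salt-style PEM key fingerprints, computed without Salt installed.

Added example for this thread; not Salt's own code. Assumptions are
marked in the comments.
"""
import hashlib
import hmac
import string

# Constructed placeholder standing in for /etc/salt/pki/minion/minion.pub.
# The body is NOT a real RSA key; it only exercises the hashing path.
SAMPLE_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
    b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    b"-----END PUBLIC KEY-----\n"
)


def colonize(hexdigest):
    """Render 'abcdef' as 'ab:cd:ef', the display form salt-key uses."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_body(pem):
    """Bytes that get hashed (assumption: same as Salt's pem_finger):
    every non-blank line strictly between the BEGIN and END lines,
    with its line terminator kept."""
    lines = [ln for ln in pem.splitlines(keepends=True) if ln.strip()]
    return b"".join(lines[1:-1])


def pem_finger(pem, sum_type="sha256"):
    """Fingerprint of a PEM blob. sum_type should match Salt's hash_type
    (assumption: md5 on old releases, sha256 on newer ones)."""
    digest = hashlib.new(sum_type, pem_body(pem)).hexdigest()
    return colonize(digest)


def pem_finger_file(path, sum_type="sha256"):
    """Fingerprint the key at path, e.g. /etc/salt/pki/master/master.pub."""
    with open(path, "rb") as fp:
        return pem_finger(fp.read(), sum_type)


def normalize_finger(finger):
    """Accept 'AB:CD', 'abcd' or 'ab:cd ' as the same fingerprint."""
    return finger.replace(":", "").strip().lower()


def finger_matches(pem, expected, sum_type="sha256"):
    """Compare a key against a fingerprint noted out of band (for example
    the value you intend to put in master_finger). Length and character
    set are checked first so garbage input fails cleanly; the digest
    comparison itself is constant-time."""
    got = normalize_finger(pem_finger(pem, sum_type))
    want = normalize_finger(expected)
    if len(want) != len(got) or any(c not in string.hexdigits for c in want):
        return False
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    import sys

    # Usage: python finger.py [/path/to/key.pub]; with no path the
    # constructed SAMPLE_PEM is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    for algo in ("sha256", "md5"):
        fp = pem_finger_file(path, algo) if path else pem_finger(SAMPLE_PEM, algo)
        print(f"{algo:6} {fp}")
```

Run it on the minion against minion.pub before the first connection and keep the printed value; when the key shows up in salt-key -L on the master, compare salt-key -f <id> against that note before accepting it. Run it on master.pub to get the string for master_finger. If the two tools disagree on a key you know is correct, the most likely cause is a different hash_type, so pass the other algorithm before suspecting the key.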


  • Seth House at Aug 21, 2014 at 12:46 am
    This would be a good feature addition. Maybe a new flag on
    ``salt-call``. Will you please file an issue on GitHub?
  • Jacob Anawalt at Aug 21, 2014 at 4:49 am
    Gladly, after I make sure I'm just not overlooking something that already
    exists.

    I think salt-minion may need to change, not salt-call. It seems it should
    create the key pair as soon as it knows its ID (if it even needs that) and
    sees the key pair is missing rather than waiting until after the DNS
    lookup. Maybe it delays it for the masterless minion case. I'll have to
    read more and look at the code.
  • Jacob Anawalt at Aug 22, 2014 at 8:46 pm

    What if salt.crypt.Auth(self.opts).gen_token('salt') were done once before
    salt.minion.Minion.authenticate, perhaps in salt.Minion.prepare?

    It could just be salt.crypt.Auth(self.config).get_keys() or maybe even move
    all the code to *# Make sure all key parent directories are accessible* into
    a new salt.crypt.Auth(self.config).prepare_keys() method and call that from
    salt.Minion.prepare.

    --
    Jacob


Discussion Overview
group: salt-users
posted: Aug 20, '14 at 6:43p
active: Aug 22, '14 at 8:46p
posts: 4
users: 2

2 users in discussion

Jacob Anawalt: 3 posts; Seth House: 1 post
