Deploy Terminals and Auto-Accept Keys
You can configure SUSE Manager to automatically accept the keys of newly deployed terminals. This is achieved using Salt grains.
Automatically accepting keys is less secure than manually checking and accepting keys. Only use this method on trusted networks. |
There are three different ways you can configure auto-signed grains:
-
Configure Saltboot to send automatically signed grains once and then delete them. To do this, append the Saltboot configuration to an existing
initrd
. For more information, see [retail.deployterminals.auto.once]. -
Choose to keep the automatically signed grains on the Salt client. To do this, include the configuration file in the image source before the client image is built. After booting, the auto-signed grain is stored on the client as a regular Salt grain. For more information, see Configure Saltboot to Keep Auto-Signed Grains.
-
Configure Saltboot during PXE boot using kernel parameters. For more information, see Configure Saltboot to Auto-Sign During PXE Boot.
When you have configured Saltboot using one of these methods, you need to configure the SUSE Manager Server to accept them. For more information, see Configure the Server to Auto-Accept.
1. Configure the Server to Auto-Accept
When you have configured Saltboot using one of these methods, you need to configure the server to accept them. The server stores the autosign keys in a file within the /etc/salt/master.d/
directory, which is preserved in etc-salt
volume. You can enable auto-signing by creating an auto-sign file that contains the key you created when you configured Saltboot.
-
On the SUSE Manager Server, create file
autosign_grains.conf
and add this line:autosign_grains_dir: /etc/salt/autosign_grains
-
Create a file at
/etc/salt/autosign_grains/autosign_key
, that contains the auto-sign key you specified with Saltboot:<AUTOSIGN_KEY>
For multiple keys, put each one on a new line.
-
Push new files using
mgrclt cp
command:mgrctl exec mkdir /etc/salt/autosign_grains mgrctl cp autosign_grains.conf server:/etc/salt/master.d/ mgrctl cp autosign_key server:/etc/salt/autosign_grains/
For more information about configuring the server to automatically accept grains, see https://docs.saltstack.com/en/latest/topics/tutorials/autoaccept_grains.html.
2. Configure Saltboot to Keep Auto-Signed Grains
Use different procedure for SLE 15 and SLE 12.
-
In the location where the image source is built, such as a build host or source repository, create a configuration file called
etc/salt/minion.d/autosign-grains.conf
. -
Edit the new configuration file with these details. You can use any value you like as the auto-sign key:
# create the grain grains: autosign_key: <AUTOSIGN_KEY> # send the grain as part of auth request autosign_grains: - autosign_key
-
In the location where the image source is built, such as a build host or source repository, create a configuration file called
etc/salt/minion.d/autosign-grains.conf
. This must be outside of theroot
directory provided by the template. This way you prevent the inclusion of unwanted files in theinitrd
. -
Edit the new configuration file with these details. You can use any value you like as the auto-sign key:
# create the grain grains: autosign_key: <AUTOSIGN_KEY> # send the grain as part of auth request autosign_grains: - autosign_key
-
Create a tarball of this directory:
tar -czf autosign-grains.tgz etc
-
Edit the
config.xml
template file. In the<packages type="image">
element, add:<archive name="autosign.tgz" bootinclude="true"/>
-
Save the file and rebuild the image.
3. Configure Saltboot to Auto-Sign During PXE Boot
-
Configure the PXE formula to specify these kernel parameters during booting:
SALT_AUTOSIGN_GRAINS=autosign_key:<AUTOSIGN_KEY>
-
PXE boot the Salt client. The formula creates the
./etc/salt/minion.d/autosign-grains-onetime.conf
configuration file and passes it toinitrd
.