Deploy Terminals and Auto-Accept Keys

You can configure SUSE Manager to automatically accept the keys of newly deployed terminals. This is achieved using Salt grains.

Automatically accepting keys is less secure than manually checking and accepting keys. Only use this method on trusted networks.

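There are three different ways you can configure auto-signed grains: have Saltboot send the auto-signed grain once, have Saltboot keep the auto-signed grains, or auto-sign during PXE boot. Each method is described in its own section below.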

When you have configured Saltboot using one of these methods, you need to configure the SUSE Manager Server to accept them. For more information, see Configure the Server to Auto-Accept.

1. Configure Saltboot to Send Auto-Signed Grain Once

Procedure: Configuring Saltboot to Send Auto-Signed Grain Once
  1. On the branch server, create a configuration file called /etc/salt/minion.d/autosign-grains-onetime.conf.

  2. Edit the new configuration file with these details. You can use any value you like as the auto-sign key:

    # create the grain
    grains:
        autosign_key: <AUTOSIGN_KEY>
    
    # send the grain as part of auth request
    autosign_grains:
        - autosign_key

  3. At the command prompt, add the new configuration file to the existing initrd:

    # run from / so that the relative path resolves to the file created in step 1
    echo ./etc/salt/minion.d/autosign-grains-onetime.conf | \
    cpio -H newc -o | gzip >> /srv/saltboot/boot/initrd.gz

2. Configure Saltboot to Keep Auto-Signed Grains

The procedure for SLE 15 differs from the procedure for SLE 11 and SLE 12. Use the one that matches your image.

Procedure: Configuring Saltboot to Keep Auto-Signed Grains (SLE 15)
  1. In the location where the image source is built, such as a build host or source repository, create a configuration file called etc/salt/minion.d/autosign-grains.conf.

  2. Edit the new configuration file with these details. You can use any value you like as the auto-sign key:

    # create the grain
    grains:
        autosign_key: <AUTOSIGN_KEY>
    
    # send the grain as part of auth request
    autosign_grains:
        - autosign_key

Procedure: Configuring Saltboot to Keep Auto-Signed Grains (SLE 11 and SLE 12)
  1. In the location where the image source is built, such as a build host or source repository, create a configuration file called etc/salt/minion.d/autosign-grains.conf. This must be outside of the root directory provided by the template. This way you prevent the inclusion of unwanted files in the initrd.

  2. Edit the new configuration file with these details. You can use any value you like as the auto-sign key:

    # create the grain
    grains:
        autosign_key: <AUTOSIGN_KEY>
    
    # send the grain as part of auth request
    autosign_grains:
        - autosign_key

  3. Create a tarball of this directory:

    tar -czf autosign-grains.tgz etc

  4. Edit the config.xml template file. In the <packages type="image"> element, add:

    <archive name="autosign-grains.tgz" bootinclude="true"/>

  5. Save the file and rebuild the image.

3. Configure Saltboot to Auto-Sign During PXE Boot

Procedure: Configuring Saltboot to Auto-Sign During PXE Boot
  1. Configure the PXE formula to specify these kernel parameters during booting:

    SALT_AUTOSIGN_GRAINS=autosign_key:<AUTOSIGN_KEY>

  2. PXE boot the Salt client. The formula creates the ./etc/salt/minion.d/autosign-grains-onetime.conf configuration file and passes it to initrd.

4. Configure the Server to Auto-Accept

When you have configured Saltboot using one of these methods, you need to configure the server to accept them. The server stores the autosign keys in a file within the /etc/salt/master.d/ directory. You can enable auto-signing by creating an auto-sign file that contains the key you created when you configured Saltboot.

Procedure: Configuring the Server to Auto-Accept
  1. On the SUSE Manager Server, open the master configuration file in the /etc/salt/master.d/ directory, and add or edit this line:

    autosign_grains_dir: /etc/salt/autosign_grains

  2. Create a file at /etc/salt/autosign_grains/autosign_key that contains the auto-sign key you specified with Saltboot:

    <AUTOSIGN_KEY>

     For multiple keys, put each one on a new line.

For more information about configuring the server to automatically accept grains, see https://docs.saltstack.com/en/latest/topics/tutorials/autoaccept_grains.html.
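
The server-side half of the procedure together with key generation, as an added example that is not part of the SUSE documentation: because any client that presents a listed grain value is accepted, it draws the key from /dev/urandom and keeps the accepted-values file unreadable to other local users. The function names, the character restriction and the file modes are assumptions of this example.

```sh
#!/bin/sh
# Added example, not SUSE Manager tooling; function names are hypothetical.

# Print a 64-hex-character auto-sign key drawn from /dev/urandom.
gen_autosign_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# add_autosign_key KEY [DIR]: list KEY in DIR/autosign_key (one accepted
# value per line), without duplicates and without access for "other".
add_autosign_key() {
    key=$1
    dir=${2:-/etc/salt/autosign_grains}   # autosign_grains_dir from the page
    file=$dir/autosign_key                # file is named after the grain
    # The value also travels in YAML and on the PXE kernel command line,
    # so this example only accepts characters that need no escaping there.
    case $key in
        ''|*[!0-9A-Za-z_-]*) echo "refusing unsafe key value" >&2; return 1 ;;
    esac
    mkdir -p "$dir" && chmod 750 "$dir" || return 1
    ( umask 027; touch "$file" ) && chmod 640 "$file" || return 1
    # Assumption: the account salt-master runs as owns the file or is in
    # its group; adjust ownership if it does not.
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
}

# Print the minion-side configuration for KEY. The value is quoted so YAML
# keeps an all-digit key as a string.
render_minion_conf() {
    printf '# create the grain\ngrains:\n    autosign_key: "%s"\n\n' "$1"
    printf '# send the grain as part of auth request\n'
    printf 'autosign_grains:\n    - autosign_key\n'
}

# Demo in a scratch directory instead of /etc/salt/autosign_grains.
demo_dir=$(mktemp -d)
demo_key=$(gen_autosign_key)
add_autosign_key "$demo_key" "$demo_dir" && render_minion_conf "$demo_key"
rm -rf "$demo_dir"
```

On a real server, call add_autosign_key with only the key so that it writes to /etc/salt/autosign_grains, and place the rendered configuration in the minion.d file named in the Saltboot procedure you chose.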