Deploy Terminals and Auto-Accept Keys

You can configure SUSE Manager to automatically accept the keys of newly deployed terminals. This is achieved using Salt grains.

Automatically accepting keys is less secure than manually checking and accepting keys. Only use this method on trusted networks.

There are three different ways you can configure auto-signed grains:

  • Configure Saltboot to send automatically signed grains once and then delete them. To do this, append the Saltboot configuration to an existing initrd. For more information, see [retail.deployterminals.auto.once].

  • Choose to keep the automatically signed grains on the Salt client. To do this, include the configuration file in the image source before the client image is built. After booting, the auto-signed grain is stored on the client as a regular Salt grain. For more information, see Configure Saltboot to Keep Auto-Signed Grains.

  • Configure Saltboot during PXE boot using kernel parameters. For more information, see Configure Saltboot to Auto-Sign During PXE Boot.

When you have configured Saltboot using one of these methods, you need to configure the SUSE Manager Server to accept them. For more information, see Configure the Server to Auto-Accept.

1. Configure the Server to Auto-Accept

When you have configured Saltboot using one of these methods, you need to configure the server to accept them. The server stores the autosign keys in a file within the /etc/salt/master.d/ directory, which is preserved in the etc-salt volume. You can enable auto-signing by creating an auto-sign file that contains the key you created when you configured Saltboot.

Procedure: Configuring the Server to Auto-Accept
  1. On the SUSE Manager Server, create a file named autosign_grains.conf and add this line:

    autosign_grains_dir: /etc/salt/autosign_grains
  2. Create a file at /etc/salt/autosign_grains/autosign_key that contains the auto-sign key you specified with Saltboot:

    <AUTOSIGN_KEY>

    For multiple keys, put each one on a new line.

  3. Push the new files to the server using the mgrctl cp command:

    mgrctl exec mkdir /etc/salt/autosign_grains
    mgrctl cp autosign_grains.conf server:/etc/salt/master.d/
    mgrctl cp autosign_key server:/etc/salt/autosign_grains/
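
Because the auto-sign key is the only value the server checks before accepting a terminal, a random key and a sanity check on the key file are worth having before step 3. The following shell functions are an added example, not part of the SUSE documentation; the function names, the staging directory, the 32-byte key length and the restrictive umask are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SUSE's code. Assumptions: function names, staging
# directory, 32-byte key length, umask 077.

# Print a 64-hex-character key read from the kernel CSPRNG.
gen_autosign_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Return non-zero if the key file holds anything a reviewer should question.
# Blank lines are flagged as a precaution (a choice made by this example).
check_key_file() {
    awk '
        BEGIN            { bad = 0; n = 0 }
        /^#/             { next }   # Salt ignores comment lines
        /^[ \t]*$/       { print "line " NR ": blank line"; bad = 1; next }
        /<AUTOSIGN_KEY>/ { print "line " NR ": placeholder not replaced"; bad = 1 }
        length($0) < 32  { print "line " NR ": key shorter than 32 characters"; bad = 1 }
        seen[$0]++       { print "line " NR ": duplicate key"; bad = 1 }
                         { n++ }
        END {
            if (n == 0) { print "no keys found"; bad = 1 }
            exit bad
        }
    ' "$1" >&2
}

# Write autosign_grains.conf and autosign_key into DIR with owner-only access,
# ready for the mgrctl cp commands in step 3.
stage_autosign_files() {
    dir=$1
    (
        umask 077
        mkdir -p "$dir" || exit 1
        printf 'autosign_grains_dir: /etc/salt/autosign_grains\n' \
            > "$dir/autosign_grains.conf" || exit 1
        printf '%s\n' "$(gen_autosign_key)" > "$dir/autosign_key"
    ) && check_key_file "$dir/autosign_key"
}

# Usage: stage_autosign_files ./autosign-staging
```

Use the same generated value wherever the Saltboot configuration on this page shows `<AUTOSIGN_KEY>`.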

For more information about configuring the server to automatically accept grains, see https://docs.saltstack.com/en/latest/topics/tutorials/autoaccept_grains.html.

2. Configure Saltboot to Keep Auto-Signed Grains

Use a different procedure for SLE 15 and SLE 12.

Procedure: Configuring Saltboot to Keep Auto-Signed Grains (SLE 15)
  1. In the location where the image source is built, such as a build host or source repository, create a configuration file called etc/salt/minion.d/autosign-grains.conf.

  2. Edit the new configuration file with these details. You can use any value you like as the auto-sign key:

    # create the grain
    grains:
        autosign_key: <AUTOSIGN_KEY>
    
    # send the grain as part of auth request
    autosign_grains:
        - autosign_key

Procedure: Configuring Saltboot to Keep Auto-Signed Grains (SLE 12)
  1. In the location where the image source is built, such as a build host or source repository, create a configuration file called etc/salt/minion.d/autosign-grains.conf. This must be outside of the root directory provided by the template. This way you prevent the inclusion of unwanted files in the initrd.

  2. Edit the new configuration file with these details. You can use any value you like as the auto-sign key:

    # create the grain
    grains:
        autosign_key: <AUTOSIGN_KEY>
    
    # send the grain as part of auth request
    autosign_grains:
        - autosign_key
  3. Create a tarball of this directory:

    tar -czf autosign-grains.tgz etc
  4. Edit the config.xml template file. In the <packages type="image"> element, add:

    <archive name="autosign-grains.tgz" bootinclude="true"/>
  5. Save the file and rebuild the image.

3. Configure Saltboot to Auto-Sign During PXE Boot

Procedure: Configuring Saltboot to Auto-Sign During PXE Boot
  1. Configure the PXE formula to specify these kernel parameters during booting:

    SALT_AUTOSIGN_GRAINS=autosign_key:<AUTOSIGN_KEY>
  2. PXE boot the Salt client. The formula creates the ./etc/salt/minion.d/autosign-grains-onetime.conf configuration file and passes it to the initrd.