Bug #24250
open
Autosign hosts not working
Description
Hello,
According to this: https://theforeman.org/plugins/foreman_salt/7.0/index.html I configured the Foreman Salt plugin. Everything works fine except that my host isn't autosigned. I have to manually accept its key in the Foreman web GUI (salt_keys page).
Here is some debug information from the log after provisioning (the same appears after preseeding):
D, [2018-07-13T10:35:05.441102 ] DEBUG -- : accept: 172.18.0.1:57674
D, [2018-07-13T10:35:05.449991 ] DEBUG -- : Rack::Handler::WEBrick is invoked.
D, [2018-07-13T10:35:05.451295 0f804661] DEBUG -- : Found salt-key at /usr/bin/salt-key
D, [2018-07-13T10:35:05.451491 0f804661] DEBUG -- : Found salt at /usr/bin/salt
D, [2018-07-13T10:35:05.451762 0f804661] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2018-07-13T10:35:05.451863 0f804661] DEBUG -- : Executing /usr/bin/sudo -u root /usr/bin/salt-key --finger-all --output=json
I, [2018-07-13T10:35:09.262949 0f804661] INFO -- : 172.18.0.1 - - [13/Jul/2018:10:35:09 +0000] "GET /salt/key HTTP/1.1" 200 2 3.8120
172.18.0.1 - - [13/Jul/2018:10:35:05 UTC] "GET /salt/key HTTP/1.1" 200 2
- -> /salt/key
D, [2018-07-13T10:35:09.307187 ] DEBUG -- : close: 172.18.0.1:57674
No entry appears in /etc/salt/autosign.conf
VERSIONS:
foreman: 1.17.1
foreman-proxy: 1.17.1
ruby-foreman-salt 10.0.0
ruby-smart-proxy-salt 2.1.9
salt-master 2018.3.2
salt-api 2018.3.2
Updated by Brent Wells over 5 years ago
This is still an issue with the latest version of foreman/katello.
VERSIONS:
foreman-release-1.20.2
foreman-proxy-1.20.2
tfm-rubygem-foreman_salt-10.1.0-2
salt-master 2019.2.0-1
salt-api 2019.2.0.-1
Updated by Brent Wells over 5 years ago
- Priority changed from Normal to Immediate
Updated by Bernhard Suttner over 5 years ago
AFAIK, the autosign feature is not used for new hosts provisioned with foreman. Currently it (should) work like this:
- host provisioning starts.
- salt-minion is installed on host
- salt-call on host is executed, which will tell salt-master (=foreman) that there is a new salt-minion. This will add an unaccepted salt key
- host provisioning ended -> host is built. At this step, the salt key of the host (found by the fqdn) will be accepted automatically
=> There shouldn't be a need to accept the salt key manually, and no salt autosign should be necessary for newly provisioned hosts.
Which provisioning template / OS did you use?
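Added example, not part of the original thread and not Foreman or Salt code: a small diagnostic that reports where a host's minion key sits in the workflow described above and whether any autosign.conf line would match it. The JSON section names, the autosign.conf syntax (one literal name or glob per line) and all hosts and fingerprints are assumptions constructed for illustration.

```python
import fnmatch
import json

# Constructed sample shaped like `salt-key --finger-all --output=json` output.
# The section names are an assumption; fingerprints and hosts are made up.
SAMPLE_KEYS = json.dumps({
    "local": {"master.pub": "aa:bb:cc:dd"},
    "minions": {"web01.example.com": "11:22:33:44"},
    "minions_pre": {"db01.example.com": "55:66:77:88"},
    "minions_rejected": {},
})
# Constructed autosign.conf content (assumed syntax: one name or glob per line).
SAMPLE_AUTOSIGN = "# test lab only\n*.lab.example.com\n"

SECTIONS = {"minions": "accepted", "minions_pre": "unaccepted",
            "minions_rejected": "rejected", "minions_denied": "denied"}


def key_state(keys_json, fqdn):
    """Return (state, fingerprint) of the minion key filed under fqdn."""
    data = json.loads(keys_json)
    for section, state in SECTIONS.items():
        fingerprint = data.get(section, {}).get(fqdn)
        if fingerprint is not None:
            return state, fingerprint
    return "absent", None


def autosign_entry(autosign_text, fqdn):
    """Return the first non-comment line matching fqdn (literal or glob)."""
    for line in autosign_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and fnmatch.fnmatchcase(fqdn, line):
            return line
    return None


def diagnose(keys_json, autosign_text, fqdn):
    """Summarise where a host stands in the key workflow described above."""
    state, fingerprint = key_state(keys_json, fqdn)
    return {"fqdn": fqdn, "state": state, "fingerprint": fingerprint,
            "autosign_entry": autosign_entry(autosign_text, fqdn)}


if __name__ == "__main__":
    for host in ("web01.example.com", "db01.example.com", "new.lab.example.com"):
        print(diagnose(SAMPLE_KEYS, SAMPLE_AUTOSIGN, host))
```

A host that still reports "unaccepted" with no matching autosign entry after the build has finished corresponds to the situation reported in this issue; comparing the reported fingerprint with the one on the minion before accepting the key by hand confirms the key belongs to the intended host.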