chaos/docker-salt-master
Archived
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add support for using signed keys

Browse Source
This commit is contained in:
Carlos Álvaro
2018-10-01 00:31:12 +02:00
parent c5ea24cd4c
commit 7ec9b84a9b
5 changed files with 139 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@@ -5,7 +5,7 @@ LABEL description="SaltStack master"
LABEL version="2018.3.2" LABEL version="2018.3.2"
ENV SALT_DOCKER_DIR="/etc/salt-docker" \ ENV SALT_DOCKER_DIR="/etc/salt-docker" \
SALT_MASTER_DIR="/etc/salt/pki/master" \ SALT_ROOT_DIR="/etc/salt" \
SALT_USER=root SALT_USER=root
ENV SALT_BUILD_DIR="${SALT_DOCKER_DIR}/build" \ ENV SALT_BUILD_DIR="${SALT_DOCKER_DIR}/build" \

47
README.md
View File

@@ -13,6 +13,7 @@ For other methods to install SaltStack please refer to the [Official SaltStack I
- [Configuration](#configuration) - [Configuration](#configuration)
- [Custom Recipes](#custom-recipes) - [Custom Recipes](#custom-recipes)
- [Minion Keys](#minion-keys) - [Minion Keys](#minion-keys)
- [Master Signed Keys](#master-signed-keys)
- [Available Configuration Parameters](#available-configuration-parameters) - [Available Configuration Parameters](#available-configuration-parameters)
- [Usage](#usage) - [Usage](#usage)
- [Shell Access](#shell-access) - [Shell Access](#shell-access)
@@ -58,7 +59,7 @@ Alternatively, you can manually launch the `saltstack-master` container:
docker run --name salt_master --detach \ docker run --name salt_master --detach \
--publish 4505:4505/tcp --publish 4506:4506/tcp \ --publish 4505:4505/tcp --publish 4506:4506/tcp \
--env 'SALT_LOG_LEVEL=info' \ --env 'SALT_LOG_LEVEL=info' \
--read-only --volume ./srv/:/srv/ \ --read-only --volume $(pwd)/srv/:/srv/ \
cdalvaro/saltstack-master:2018.3.2 cdalvaro/saltstack-master:2018.3.2
``` ```
@@ -76,16 +77,42 @@ Minion keys can be added automatically on startup to SaltStack master by mountin
```sh ```sh
mkdir -p keys/minions mkdir -p keys/minions
cp -v /etc/salt/pki/minion/minion.pub keys/minions/minion1 rsync root@minion1:/etc/salt/pki/minion/minion.pub keys/minions/minion1
docker run --name salt_master -d \ docker run --name salt_master -d \
--publish 4505:4505/tcp --publish 4506:4506/tcp \ --publish 4505:4505/tcp --publish 4506:4506/tcp \
--env 'SALT_LOG_LEVEL=info' \ --env 'SALT_LOG_LEVEL=info' \
--read-only --volume ./srv/:/srv/ \ --volume $(pwd)/srv/:/srv/ \
--volume ./keys/:/etc/salt-docker/keys/ \ --volume $(pwd)/keys/:/etc/salt-docker/keys/ \
cdalvaro/saltstack-master:2018.3.2 cdalvaro/saltstack-master:2018.3.2
``` ```
### Master Signed Keys
It is possible to use signed master keys by establishing the environment variable `SALT_MASTER_SIGN_PUBKEY` to `True`.
```sh
docker run --name salt_stack --detach \
--publish 4505:4505/tcp --publish 4506:4506/tcp \
--env 'SALT_LOG_LEVEL=info' \
--env 'SALT_MASTER_SIGN_PUBKEY=True'
--volume $(pwd)/srv/:/srv/ \
--volume $(pwd)/keys/:/etc/salt-docker/keys/ \
cdalvaro/saltstack-master:2018.3.2
```
The container will create the `master_sign` key and its signature. More information about how to configure the minion service can be found [here](https://docs.saltstack.com/en/latest/topics/tutorials/multimaster_pki.html#prepping-the-minion-to-verify-received-public-keys).
Additionally, you can generate new keys by executing the following command:
```sh
docker run --name salt_stack -it --rm \
--volume $(pwd)/keys/:/etc/salt-docker/keys/ \
cdalvaro/saltstack-master:2018.3.2 app:gen-signed-keys other_master_sign
```
The newly created keys will appear inside `keys/generated/other_master_sign` directory.
### Available Configuration Parameters ### Available Configuration Parameters
Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose.
@@ -94,8 +121,12 @@ Below is the list of available options that can be used to customize your SaltSt
| Parameter | Description | | Parameter | Description |
|-----------|-------------| |-----------|-------------|
| `SALT_LOG_LEVEL` | The level of messages to send to the console. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: 'warning' | | `SALT_LOG_LEVEL` | The level of messages to send to the console. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: `warning` |
| `SALT_LEVEL_LOGFILE` | The level of messages to send to the log file. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: 'warning' | | `SALT_LEVEL_LOGFILE` | The level of messages to send to the log file. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: `warning` |
| `SALT_MASTER_SIGN_PUBKEY` | Sign the master auth-replies with a cryptographic signature of the master's public key. Possible values: 'True' or 'False'. Default: `False` |
| `SALT_MASTER_USE_PUBKEY_SIGNATURE` | Instead of computing the signature for each auth-reply, use a pre-calculated signature. This option requires `SALT_MASTER_SIGN_PUBKEY` set to 'True'. Possible values: 'True' or 'False'. Default: `True` |
| `SALT_MASTER_SIGN_KEY_NAME` | The customizable name of the signing-key-pair without suffix. Default: `master_sign` |
| `SALT_MASTER_PUBKEY_SIGNATURE` | The name of the file in the master's pki-directory that holds the pre-calculated signature of the master's public-key. Default: `master_pubkey_signature` |
Any parameter not listed in the above table and available in the following [link](https://docs.saltstack.com/en/latest/ref/configuration/examples.html#configuration-examples-master), can be set by creating the directory `confs` and adding into it a `.conf` file with the desired parameters: Any parameter not listed in the above table and available in the following [link](https://docs.saltstack.com/en/latest/ref/configuration/examples.html#configuration-examples-master), can be set by creating the directory `confs` and adding into it a `.conf` file with the desired parameters:
@@ -111,8 +142,8 @@ EOF
docker run --name salt_master -d \ docker run --name salt_master -d \
--publish 3505:3505/tcp --publish 3506:3506/tcp \ --publish 3505:3505/tcp --publish 3506:3506/tcp \
--env 'SALT_LOG_LEVEL=info' \ --env 'SALT_LOG_LEVEL=info' \
--read-only --volume ./srv/:/srv/ \ --read-only --volume $(pwd)/srv/:/srv/ \
--volume ./confs/:/etc/salt-docker/confs/ \ --volume $(pwd)/confs/:/etc/salt-docker/confs/ \
cdalvaro/saltstack-master:2018.3.2 cdalvaro/saltstack-master:2018.3.2
``` ```

10
assets/runtime/env-defaults.sh
View File

@@ -1,5 +1,15 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# https://docs.saltstack.com/en/latest/ref/configuration/master.html
##### Logging settings ##### ##### Logging settings #####
# https://docs.saltstack.com/en/latest/ref/configuration/master.html#master-logging-settings
SALT_LOG_LEVEL=${SALT_LOG_LEVEL:-warning} SALT_LOG_LEVEL=${SALT_LOG_LEVEL:-warning}
SALT_LEVEL_LOGFILE=${SALT_LEVEL_LOGFILE:-warning} SALT_LEVEL_LOGFILE=${SALT_LEVEL_LOGFILE:-warning}
##### Security settings #####
# https://docs.saltstack.com/en/latest/ref/configuration/master.html#master-security-settings
SALT_MASTER_SIGN_PUBKEY=${SALT_MASTER_SIGN_PUBKEY:-False}
SALT_MASTER_USE_PUBKEY_SIGNATURE=${SALT_MASTER_USE_PUBKEY_SIGNATURE:-False}
SALT_MASTER_SIGN_KEY_NAME=${SALT_MASTER_SIGN_KEY_NAME:-master_sign}
SALT_MASTER_PUBKEY_SIGNATURE=${SALT_MASTER_PUBKEY_SIGNATURE:-master_pubkey_signature}

107
assets/runtime/functions.sh
View File

@@ -1,55 +1,92 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e
echo "Loading ${SALT_RUNTIME_DIR}/env-defaults.sh"
source ${SALT_RUNTIME_DIR}/env-defaults.sh source ${SALT_RUNTIME_DIR}/env-defaults.sh
# This function copies minion keys # This function generates a master_sign key pair and its signature
function copy_minion_keys() function gen_signed_keys()
{ {
echo "Copying minion keys..." local key_name=${1:-master}
mkdir -p ${SALT_KEYS_DIR}/generated/
GENERATED_KEYS_DIR=$(mktemp -d -p ${SALT_KEYS_DIR}/generated/ -t ${key_name}.XXXXX)
if [ -d "${SALT_KEYS_DIR}/master" ] && [ ! -z "$(ls -A ${SALT_KEYS_DIR}/master)" ]; then salt-key --gen-keys ${key_name} --gen-keys-dir ${GENERATED_KEYS_DIR} > /dev/null 2>&1
mkdir -v -p -m 0700 ${SALT_MASTER_DIR} salt-key --gen-signature --auto-create --pub ${GENERATED_KEYS_DIR}/${key_name}.pub --signature-path ${GENERATED_KEYS_DIR} > /dev/null 2>&1
cp -v ${SALT_KEYS_DIR}/master/master.{pem,pub} ${SALT_MASTER_DIR}
chown -v ${SALT_USER}:${SALT_USER} ${SALT_MASTER_DIR}/master.{pem,pub}
fi
if [ -d "${SALT_KEYS_DIR}/minions" ] && [ ! -z "$(ls -A ${SALT_KEYS_DIR}/minions)" ]; then echo -n ${GENERATED_KEYS_DIR}
mkdir -v -p -m 0700 ${SALT_MASTER_DIR}/minions }
cp -v ${SALT_KEYS_DIR}/minions/* ${SALT_MASTER_DIR}/minions
chown -v ${SALT_USER}:${SALT_USER} ${SALT_MASTER_DIR}/minions/* # This function repairs keys permissions and creates keys if neaded
function setup_keys()
{
echo "Setting up keys..."
sed -i \
-e "s|^[#]*master_sign_pubkey:.*$|# master_sign_pubkey -> overrided|" \
-e "s|^[#]*master_sign_key_name:.*$|# master_sign_key_name -> overrided|" \
-e "s|^[#]*master_pubkey_signature:.*$|# master_pubkey_signature -> overrided|" \
-e "s|^[#]*master_use_pubkey_signature:.*$|# master_use_pubkey_signature -> overrided|" \
${SALT_ROOT_DIR}/master
cat >> ${SALT_ROOT_DIR}/master <<EOF
##### Security settings #####
############################################
master_sign_pubkey: ${SALT_MASTER_SIGN_PUBKEY}
master_sign_key_name: ${SALT_MASTER_SIGN_KEY_NAME}
master_pubkey_signature: ${SALT_MASTER_PUBKEY_SIGNATURE}
master_use_pubkey_signature: ${SALT_MASTER_USE_PUBKEY_SIGNATURE}
EOF
if [ ! -f "${SALT_KEYS_DIR}/${SALT_MASTER_SIGN_KEY_NAME}" ] && [ ${SALT_MASTER_SIGN_PUBKEY} == True ]; then
echo "Generating signed keys..."
if [ ! -f ${SALT_KEYS_DIR}/master.pem ]; then
salt-key --gen-keys master --gen-keys-dir ${SALT_KEYS_DIR}
fi fi
salt-key --gen-signature --auto-create --pub ${SALT_KEYS_DIR}/master.pub --signature-path ${SALT_KEYS_DIR}
fi
for pub_key in $(find ${SALT_KEYS_DIR} -type f -maxdepth 2); do
if [[ ${pub_key} =~ .*\.pem$ ]]; then
chmod -v 400 ${pub_key}
else
chmod -v 644 ${pub_key}
fi
done
} }
# This functions cofigures master service # This functions cofigures master service
function configure_salt_master() function configure_salt_master()
{ {
echo "Configuring salt-master..." echo "Configuring salt-master..."
# https://docs.saltstack.com/en/latest/ref/configuration/master.html # https://docs.saltstack.com/en/latest/ref/configuration/master.html
local SALT_ROOT_DIR=/etc/salt # Backup file
if [ ! -f ${SALT_ROOT_DIR}/master.backup ]; then
cp -pv ${SALT_ROOT_DIR}/master ${SALT_ROOT_DIR}/master.backup
else
cp -pv ${SALT_ROOT_DIR}/master.backup ${SALT_ROOT_DIR}/master
fi
# Backup file # Set env variables
if [ ! -f ${SALT_ROOT_DIR}/master.backup ]; then sed -i \
cp -pv ${SALT_ROOT_DIR}/master ${SALT_ROOT_DIR}/master.backup -e "s|^[#]*log_level:.*$|log_level: ${SALT_LOG_LEVEL}|" \
else -e "s|^[#]*log_level_logfile:.*$|log_level_logfile: ${SALT_LEVEL_LOGFILE}|" \
cp -pv ${SALT_ROOT_DIR}/master.backup ${SALT_ROOT_DIR}/master -e "s|^[#]*default_include:.*$|default_include: ${SALT_ROOT_DIR}/master.d/*.conf|" \
fi -e "s|^[#]*pki_dir:.*$|pki_dir: ${SALT_KEYS_DIR}/|" \
${SALT_ROOT_DIR}/master
# Set env variables cat >> ${SALT_ROOT_DIR}/master <<EOF
sed -i \
-e "s|^[#]*log_level:.*$|log_level: ${SALT_LOG_LEVEL}|" \
-e "s|^[#]*log_level_logfile:.*$|log_level_logfile: ${SALT_LEVEL_LOGFILE}|" \
-e "s|^[#]*default_include:.*$|default_include: ${SALT_ROOT_DIR}/master.d/*.conf|" \
${SALT_ROOT_DIR}/master
# Sync config files ###### Custom Settings ######
if [[ $(find ${SALT_CONFS_DIR} -type f -name '*.conf' | wc -l) -gt 0 ]]; then ############################################
rsync --verbose --delete ${SALT_CONFS_DIR}/*.conf ${SALT_ROOT_DIR}/master.d/ EOF
chown ${SALT_USER}:${SALT_USER} ${SALT_ROOT_DIR}/master.d/*.conf
chmod +rx-w ${SALT_ROOT_DIR}/master.d/*.conf
fi
# Sync config files
if [[ $(find ${SALT_CONFS_DIR} -type f -name '*.conf' | wc -l) -gt 0 ]]; then
rsync --verbose --delete ${SALT_CONFS_DIR}/*.conf ${SALT_ROOT_DIR}/master.d/
chown ${SALT_USER}:${SALT_USER} ${SALT_ROOT_DIR}/master.d/*.conf
chmod +rx-w ${SALT_ROOT_DIR}/master.d/*.conf
fi
} }

25
entrypoint.sh
View File

@@ -6,23 +6,32 @@ source "${SALT_RUNTIME_DIR}/functions.sh"
[[ ${DEBUG} == true ]] && set -x [[ ${DEBUG} == true ]] && set -x
case ${1} in case ${1} in
app:start) app:start|app:init|app:gen-signed-keys)
configure_salt_master configure_salt_master
case ${1} in case ${1} in
app:start) app:start)
copy_minion_keys setup_keys
echo "Starting salt-master..." echo "Starting salt-master..."
exec salt-master exec salt-master
;;
app:init)
setup_keys
;;
app:gen-signed-keys)
shift 1
gen_signed_keys ${1}
;; ;;
esac esac
;; ;;
app:help) app:help)
echo "Available options:" echo "Available options:"
echo " app:start - Start salt-master service. (default)" echo " app:start - Start salt-master service. (default)"
echo " app:help - Displays this help." echo " app:init - Setup salt-master without launching the service."
echo " [command] - Execute the specified command, eg. bash." echo " app:gen-signed-keys <key_name> - Create a master_sign key pair and its signature inside ${SALT_KEYS_DIR}/generated/"
echo " app:help - Displays this help."
echo " [command] - Execute the specified command, eg. bash."
;; ;;
*) *)
exec "$@" exec "$@"