08.12.2020»»вторник

Salt Generate New Minion Key

08.12.2020
Salt Generate New Minion Key Average ratng: 9,3/10 2127 reviews

Updated by LinodeContributed by Andy Stevens

Use Pre-existing RSA Key Pair and Certificate with Saltstack. Ask Question Asked 3 years. There is a generic Salt Cloud provisioner saltify that will use any SSH connection to the new minions to roll out salt and the fresh keys that have been created on the master. How can I generate a Salt minion key pair using OpenSSL?

  1. From the Salt documentation, I could generate the keys on the master with salt-key -gen-keys=keyname. However, for security reasons, I'd rather the key be generated on the minion, so only the public key ever needs leave the machine. The keys looks like fairly standard RSA keys.
  2. Ran into an issue the other day when installing and registering a Salt Minion with its master. The Host name wasn’t exactly what my OCD wanted when it registered its Key with the Master, so I needed to change the name of the key. Stop the Salt-Minion Service (service salt-minion stop).
  3. Oct 05, 2015 The new minion should contact the Salt master service at the provided address. It will then send its key for the master to accept. In order to securely verify the key, need to check the key fingerprint on the new minion server.
Use promo code Salt20 for $20 credit on a new account.
GenerateContribute on GitHub

Report an Issue View File Edit File

SaltStack is a powerful configuration management tool. The following is a quick-reference guide for Salt’s command line interface (CLI).

salt

Used to issue commands to minions in parallel. salt allows you to both control and query minions.

OptionDescriptionExample
--versionGet the current version of Salt.salt --version
-h, --helpDisplay Salt commands and help text.salt -h
-c, --config-dirChange the Salt configuration directory. The default is /etc/salt.salt -c /home/salt/conf test.ping
-s, --staticOnly return data after all minions have returned.salt --static
--asyncInstead of waiting for a job on a minion or minions, print the job ID and the job completion.salt '*' pkg.install apache2 --async
--subsetExecute commands on a random subset of minions.salt '*' telegram.post_message message='Hello random 3!' --subset 3
-v, --verbosePrint extra data, such as the job ID.salt 'minion1' user.add steve --verbose
--hide-timeoutOnly print minions that can be reached.salt '*' test.ping --hide-timeout
-b, --batch-sizeExecute on a batch or percentage of minions.salt '*' test.ping --batch-size 25%
-a, --authUse an external authentication medium. You will be prompted for credentials. Options are auto, keystone, ldap, and pam. Can be used with -T.salt -a pam '*' status.meminfo
-T, --make-tokenUsed with -a. Creates an authentication token in the active user’s home directory that has a default 12 hour expiration time. Token expiration time is set in the Salt master config file.salt -T -a pam '*' status.cpuinfo
--returnUsed to select an alternative returner. Options are carbon, cassandra, couchbase, couchdb, elasticsearch, etcd, hipchat, local, local_cache, memcache, mongo, mysql, odbc, postgres, redis, sentry, slack, sms, smtp, sqlite3, syslog, and xmpp.salt '*' status.all_status --return mongo
-d, --doc, --documentationReturn all available documentation for a module function, or all functions if one is not provided.salt 'minion3' service.available -d
-l, --log-levelChange console log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt 'minion2' state.apply -l info
--log-fileChange the log file path. Defaults to /var/log/salt/mastersalt '*' test.ping --log-file /home/salt/log
--log-file-levelChange the logging level of the log file. Same options as --log-levelsalt '*' test.ping --log-level all
-E, --pcreTarget expression will be interpreted as a Perl Compatible Regular Expression (PCRE) rather than a shell glob.salt -E 'minion[0-9]' service.reload apache2
-L, --listTarget expression will be interpreted as a comma-delimited list.salt -L 'minion1,minion2' service.show sshd
-G, --grainTarget expression in the form of a glob expression matches a Salt grain. <grain value>:<glob expression>.salt -G 'os:Ubuntu' service.available mysql
--grain-pcreTarget expression in the form of a Perl Compatible Regular Expression matches values returned by Salt grains on the minion.<grain value>:<regular expression>salt --grain-pcre 'os:Arch' service.restart apache2
-I, --pillarUse pillar values instead of shell globs to identify targets.salt -I 'role:production' test.echo 'playback'
--outChoose an alternative outputter to display returned data. Available outputters are: grains, highstate, json, key, overstatestage, pprint, raw, txt, yaml. Note: when using --out json you will probably want to also use --static.salt '*' test.version --out json --static

salt-call

Runs module functions on a minion instead of the master. It is used to run a standalone minion.

OptionDescriptionExample
--versionGet the current version of Salt.salt-call --version
-h, --helpDisplay Salt commands and help text.salt-call -h
-c, --config-dirChange the Salt configuration directory. The default is /etc/salt.salt-call -c /home/salt/conf test.ping
-g, --grainsGet the information generated by the Salt grains.salt-call --grains
-m, --module-dirsSelect an additional modules directory. You can provide this option multiple times for multiple directories.salt-call -m /home/salt/modules1 -m /home/salt/modules2
-d, --doc, --documentationReturn all available documentation for module function, or all functions if one is not provided.salt-call system.get_system_time -d
--masterChoose which master to use. The minion must be authenticated with the master. If the master is omitted, the first master in the minion config will be used.salt-call --master master1
--returnUsed to select an alternative returner. Options are carbon, cassandra, couchbase, couchdb, elasticsearch, etcd, hipchat, local, local_cache, memcache, mongo, mysql, odbc, postgres, redis, sentry, slack, sms, smtp, sqlite3, syslog, and xmpp.salt-call --return mongo status.all_status
--localRun Salt as if there was no master running.salt-call --local system.get_system_time
--file-rootSet a directory as the base file directory.salt-call --file-root /home/salt
--pillar-rootSet a directory as the base pillar directory.salt-call --file-root /home/salt/pillar
-l, --log-levelChange console log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt-call -l all test.exception 'oh no!'
--log-fileChange log file path. Defaults to /var/log/salt/minion.salt-call --logfile /home/salt/log/minion test.exception 'oh no!'
--log-file-levelChange logfile log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt-call --log-file-level all test.exception 'oh no!'
--outChoose an alternative outputter to display returned data. Available outputters are: grains, highstate, json, key, overstatestage, pprint, raw, txt, yaml.salt-call test.version --out json

salt-cloud

Used to provision virtual machines on public clouds with Salt.

OptionDescriptionExample
--versionGet the current version of Salt.salt-cloud --version
-h, --helpDisplay Salt commands and help text.salt-cloud -h
-c, --config-dirChange the Salt configuration directory. The default is /etc/salt.salt-cloud -c /home/salt/conf
-a, --actionPerform a cloud provider specific action. Requires an instance.salt-cloud -a reboot testlinode
-f, --functionPerform a cloud provider specific function that does not apply to an instance. Requires a provider.salt-cloud -f clone my-linode-config linode_id=1234567 datacenter_id=2 plan_id=5
-p, --profileChoose a profile from which to build cloud VMs.salt-cloud -p linode-1024 mynewlinode
-m, --mapChoose a map file from which to create your VMs. If a VM exists it will be skipped.salt-cloud -m /path/to/map
-H, --hardUsed when creating VMs with a map file. If set, will destroy all VMs not listed in the map file.salt-cloud -m /path/to/map -H
-d, --destroyDestroy the named VMs. Can be used with -m to provide a map of VMs to destroy.salt-cloud -m /path/to/map -d
-P, --parallelBuild VMs in parallel.salt-cloud -P -p linode-profile newlinode1 newlinode2
-u, --update-boostrapUpdate salt-bootstrap.salt-cloud -u
-y, --assume-yesAnswer yes to all questions.salt-cloud -y -d linode1 linode2
-k, -keep-tmpDo not remove /tmp files.salt-cloud -k -m /path/to/map
--show-deploy-argsInclude deployment arguments in the return data.salt-cloud --show-deploy-args -m /path/to/map
--script-argsArguments to be passed to the bootstrap script when deploying.salt-cloud -m /path/to/map --script-args '-h'
-Q, --queryQuery nodes running on configured cloud providers.salt-cloud -Q
-F, --full-queryQuery VMs and print all available information. Can be used with -m to provide a map.salt-cloud -F
-S, --select-queryQuery VMs and print selected information. Can be used with -m to provide a map.salt-cloud -S
--list-providersDisplay a list of configured providers.salt-cloud --list-providers
--list-profilesDisplay a list of configured profiles. Supply a cloud provider, such as linode, or pass all to view all configured profiles.salt-cloud --list-profiles linode
--list-locationsDisplay a list of available locations. Supply a cloud provider, such as linode, or pass all to view all location for configured profiles.salt-cloud --list-locations linode
--list-imagesDisplay a list of available images. Supply a cloud provider, such as linode, or pass all to view all images for configured profiles.salt-cloud --list-images linode
--list-sizesDisplay a list of available sizes. Supply a cloud provider, such as linode, or pass all to view all sizes for configured profiles.salt-cloud --list-sizes linode
--outChoose an alternative outputter to display returned data. Available outputters are: grains, highstate, json, key, overstatestage, pprint, raw, txt, yaml.salt-call test.version --out json

salt-cp

Used to copy files from the master to all Salt minions that match a specific target expression.

OptionDescriptionExample
--versionGet the current version of Salt.salt-cp --version
-h, --helpDisplay Salt commands and help text.salt-cp -h
-c, --config-dirChange the Salt configuration directory. The default is /etc/salt.salt-cp '*' -c /home/salt/conf /file/to/copy /destination
-t, --timeoutThe amount of seconds to wait for replies from minions. The default is 5 seconds.salt-cp '*' -t 25 /file/to/copy /destination
-l, --log-levelChange console log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt-cp '*' -l all /file/to/copy /destination
--log-fileChange log file path. Defaults to /var/log/salt/master.salt-cp '*' --logfile /home/salt/log/minion /file/to/copy /destination
--log-file-levelChange logfile log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt-cp '*' --log-file-level all /file/to/copy /destination
-E, --pcreTarget expression will be interpreted as a Perl Compatible Regular Expression (PCRE) rather than a shell glob.salt-cp -E 'minion[0-9]' /file/to/copy /destination
-L, --listTarget expression will be interpreted as a comma-delimited list.salt -L 'minion1,minion2' /file/to/copy /destination
-G, --grainTarget expression matches a Salt grain. <grain value>:<glob expression>.salt -G 'os:Ubuntu' /file/to/copy /destination
--grain-pcreTarget expression in the form of a Perl Compatible Regular Expression matches values returned by Salt grains on the minion.<grain value>:<regular expression>salt-cp --grain-pcre 'os:Arch' /file/to/copy /destination
-C, --chunkedUse chunked mode to copy files. Supports large files, recursive directories copying and compression.salt-cp -C /some/large/file /destination
-n, --no-compressionDisable gzip in chunked mode.salt-cp -C -n /some/large/file /destination

salt-key

Used to manage the Salt server public keys.

OptionDescriptionExample
--versionGet the current version of Salt.salt-key --version
-h, --helpDisplay Salt commands and help text.salt-key -h
-c, --config-dirChange the Salt configuration directory. The default is /etc/salt.salt-key -c /home/salt/conf
-u, --userSupply a user to run salt-key.salt-key --user steven
-q, --quietSuppress outputsalt-key -q
-y, --yesAnswer yes to all questions. Default is False.salt-key -y True
--rotate-aes-keySetting to False prevents the key session from being refreshed when keys are deleted or rejected. Default is True.salt-key --rotate-aes-key False
--log-fileChange log file path. Defaults to /var/log/salt/minion.salt-key --logfile /home/salt/log/minion -D
--log-file-levelChange logfile log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt-key --log-file-level all --accept '*'
-l, --listList public keys. pre, un, and unaccepted will list unaccepted/unsigned keys. acc or accepted will list accepted/signed keys. rej or rejected will list rejected keys. all will list all keys.salt-key -l all
-a, --acceptAccept a public key. Globs are supported.salt-key --accept 'minion*'
-A, --accept-allAccept all pending keys.salt-key -A
-r, --rejectReject a specific key. Globs are supported.salt-key -r 'minion*'
-R, --reject-allReject all pending keys.salt-key -R
--include-allInclude non-pending keys when accepting and rejecting.salt-key -r 'minion*' --include-all
-p, --printPrint a public key.salt-key --print 'minion1'
-d, --deleteDelete a public key. Globs are supported.salt-key -d 'minion*'
-D, --delete-allDelete all public keys.salt-key --delete-all -y
-f, --fingerPrint a key’s fingerprint.salt-key --finger 'minion1'
-F, --finger-allPrint all keys’ fingerprints.salt-key --F
--gen-keysSet a name to generate a key-pair.salt-key --gen-keys newminion
--gen-keys-dirChoose where to save newly generated key-pairs. Only works with --gen-keys.salt-key --gen-keys newminion --gen-keys-dir /home/salt/keypairs
--keysizeSet the keysize for a generated key. Must be a value of 2048 or higher. Only works with --gen-keys.salt-key --gen-keys newminion --keysize 4096
--gen-signatureCreate a signature for the master’s public key named master_pubkey_signature. This requires a new-signing-keypair which can be created with the --auto-create option.salt-key --gen-signature --auto-create
--privThe private-key file with which to create a signature.salt-key --priv key.pem
--signature-pathThe file path for the new signature.salt-key --gen-signature --auto-create --signature-path /path/to/signature
--pubThe public-key file with which to create a signature.salt-key --gen-signature key.pub
--auto-createAuto-create a signing key-pair.salt-key --gen-signature --auto-create

salt-master

Salt Generate New Minion Key

A daemon used to control Salt minions.

OptionDescriptionExample
--versionGet the current version of Salt.salt-master --version
-h, --helpDisplay Salt commands and help text.salt-master -h
-c, --config-dirChange the Salt configuration directory. The default is /etc/salt.salt-master -c /home/salt/conf
-u, --userSupply a user to run salt-master.salt-master --user steven
-d, --daemonRun salt-master as daemon.salt-master -d
--pid-fileSpecify the file path of the pidfile. Default is /var/run/salt-master.pidsalt-master --pid-file /path/to/new/pid
-l, --log-levelChange console log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt-master -l info
--log-fileChange the log file path. Defaults to /var/log/salt/mastersalt-master --log-file /home/salt/log
--log-file-levelChange the logging level of the log file. Same options as --log-levelsalt-master --log-level all

salt-minion

A daemon that is controlled by a Salt master.

OptionDescriptionExample
--versionGet the current version of Salt.salt-minion --version
-h, --helpDisplay Salt commands and help text.salt-minion -h
-c, --config-dirChange the Salt configuration directory. The default is /etc/salt.salt-minion -c /home/salt/conf
-u, --userSupply a user to run salt-minion.salt-minion --user steven
-d, --daemonRun salt-minion as daemon.salt-minion -d
--pid-fileSpecify the file path of the pidfile. Default is /var/run/salt-minion.pidsalt-minion --pid-file /path/to/new/pid
-l, --log-levelChange console log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt-master -l info
--log-fileChange the log file path. Defaults to /var/log/salt/minionsalt-minion --log-file /home/salt/log
--log-file-levelChange the logging level of the log file. Same options as --log-levelsalt-minion --log-level all

salt-run

Runs a Salt runner on a Salt master.

OptionDescriptionExample
--versionGet the current version of Salt.salt-run --version
-h, --helpDisplay Salt commands and help text.salt-run -h
-c, --config-dirChange the Salt configuration directory. The default is /etc/salt.salt-run -c /home/salt/conf foo.bar
-t, --timeoutThe amount of seconds to wait for replies from minions. The default is 5 seconds.salt-run -t 25 foo.bar
-d, --doc, --documentationReturn all available documentation for a module or runner.salt-run foo.bar -d
-l, --log-levelChange console log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt-run -l info foo.bar
--log-fileChange the log file path. Defaults to /var/log/salt/mastersalt-minion --log-file /home/salt/log foo.bar
--log-file-levelChange the logging level of the log file. Same options as --log-levelsalt-minion --log-level all foo.bar

salt-ssh

Use SSH transport to execute salt routines.

OptionDescriptionExample
--versionGet the current version of Salt.salt-ssh --version
-h, --helpDisplay Salt commands and help text.salt-ssh -h
-c, --config-dirChange the Salt configuration directory. The default is /etc/salt.salt-ssh '*' -c /home/salt/conf test.ping
-r, --raw, --raw-shellRun a raw shell command.salt-ssh '*' -r echo 'test'
--rosterChoose which roster system to use. The default is the flat file roster.salt-ssh '192.168.0.0/16' --roster scan pkg.install apache2
--roster-fileChange the roster file directory. The default is the same directory as the master config file.salt-ssh 'minion1' --roster-file /path/to/roster test.ping
--refresh, --refresh-cacheUse to force refresh the target’s data in the master side cache before the auto refresh timeframe has been reached.salt-ssh 'minion1' --refresh-cache status.diskstats
--max-procsThe number of minions to communicate with concurrently. In general, more connections mean faster communication. Default is 25.salt-ssh '*' --max-procs 50 test.ping
-v, --verboseDisplay job ID.salt-ssh '*' -v test.ping
-s, --staticReturn minion data as a grouping.salt-ssh '*' -s status.meminfo
-w, --wipeRemove Salt files when the job is done.salt-ssh '*' -w state.apply
-W. --rand-thin-dirDeploys to a random temp directory and cleans the directory when done.salt-ssh '*' -W state.apply
--python2-binFile path to a python2 binary which has Salt installed.salt-ssh '*' --python2-bin /file/to/bin test.ping
--python3-binFile path to a python3 binary which has Salt installed.salt-ssh '*' --python3-bin /file/to/bin test.ping
--jidSupply a job ID instead of generating one.salt-ssh '*' -v --jid 00000000000000000000 test.ping
--privSupply which SSH private key to use for authentication.salt-ssh '*' --priv /path/to/privkey status.netstats
-i, --ignore-host-keysDisable StrictHostKeyChecking, which suppresses asking for connection approval.salt-ssh '*' -i pkg.install mysql-client
--no-host-keysIgnores SSH host keys. Useful if an error persists with --ignore-host-keys.salt-ssh '*' -i --no-host-keys pkg.install cowsay
--userSupply the user to authenticate with.salt-ssh '*' --user steven -r cowsay 'hello!'
--passwdSupply the password to authenticate with.salt-ssh 'minion2' --passwd p455w0rd system.reboot
--askpassRequest a password prompt.salt-ssh 'minion1' --askpass sys.doc
--key-deployDeploy the authorized SSH key to all minions.salt-ssh '*' --key-deploy --passwd test.ping
--sudoRun command with elevated privileges.salt-ssh '*' -r --sudo somecommand
--scan-portsA comma-separated list of ports to scan in the scan roster.salt-ssh '192.168.0.0/16' --roster scan --scan-ports 22,23 test.ping
--scan-timeoutTimeout for scan roster.salt-ssh '192.168.0.0/16' --roster scan --scan-timeout 100 test.ping
-l, --log-levelChange console log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt-ssh -l info test.ping
--log-fileChange the log file path. Defaults to /var/log/salt/sshsalt-ssh --log-file /home/salt/log test.ping
--log-file-levelChange the logging level of the log file. Same options as --log-levelsalt-ssh --log-level all test.ping
-E, --pcreTarget expression will be interpreted as a Perl Compatible Regular Expression (PCRE) rather than a shell glob.salt-ssh -E 'minion[0-9]' service.reload apache2
--outChoose an alternative outputter to display returned data. Available outputters are: grains, highstate, json, key, overstatestage, pprint, raw, txt, yaml.salt-ssh '*' test.version --out json

salt-syndic

A minion set up on a master that allows for passing commands in from a higher master.

OptionDescriptionExample
--versionGet the current version of Salt.salt-syndic --version
-h, --helpDisplay Salt commands and help text.salt-syndic -h
-c, --config-dirChange the Salt configuration directory. The default is /etc/salt.salt-syndic -c /home/salt/conf
-u, --userSupply a user to run salt-syndic.salt-syndic --user steven
-d, --daemonRun salt-syndic as daemon.salt-syndic -d
--pid-fileSpecify the file path of the pidfile. Default is /var/run/salt-syndic.pidsalt-syndic --pid-file /path/to/new/pid
-l, --log-levelChange console log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt-syndic -l info
--log-fileChange the log file path. Defaults to /var/log/salt/mastersalt-syndic --log-file /home/salt/log
--log-file-levelChange the logging level of the log file. Same options as --log-levelsalt-syndic --log-level all

spm

Salt Package Manager

OptionDescriptionExample
-y, --yesAnswer yes to all questions.spm remove -y apache
-f, --forceForce spm to perform an action it would normally refuse to perform.
-l, --log-levelChange console log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.spm -l info install apache
--log-fileChange the log file path. Defaults to /var/log/salt/spmspm --log-file /home/salt/log install mysql
--log-file-levelChange the logging level of the log file. Same options as --log-levelspm --log-level all remove nginx
CommandDescriptionExample
update_repoUpdate locally configured repository metadata.spm update_repo
installInstall a package by name from a configured SPM repository.spm install nginx
removeRemove a package.spm remove apache
infoGet an installed package’s information.spm info mysql
filesList an installed package’s files.spm files mongodb
localPerform a command on a local package, not a package in a repository or an installed package. Does not work with remove.spm local install /path/to/package
buildBuild a package.spm build /path/to/package
create_repoScan a directory for a valid SPM package and build an SPM-METADATA file in that directory.spm create_rep /path/to/package

Salt Generate New Minion Key Fob

salt-api

Used to start the Salt API

OptionDescriptionExample
--versionGet the current version of Salt.salt-api --version
-h, --helpDisplay Salt commands and help text.salt-api -h
-c, --config-dirChange the Salt configuration directory. The default is /etc/salt.salt-api -c /home/salt/conf
-u, --userSupply a user to run salt-api.salt-api --user steven
-d, --daemonRun salt-api as daemon.salt-api -d
--pid-fileSpecify the file path of the pidfile. Default is /var/run/salt-api.pidsalt-api --pid-file /path/to/new/pid
-l, --log-levelChange console log level. Defaults to warning. Available options are all, garbage, trace, debug, info, warning, error, and quiet.salt-api -l info
--log-fileChange the log file path. Defaults to /var/log/salt/apisalt-api --log-file /home/salt/log
--log-file-levelChange the logging level of the log file. Same options as --log-levelsalt-api --log-level all

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

Salt Generate New Minion Keys

Join our Community

Salt Generate New Minion Keyboard

Please enable JavaScript to view the comments powered by Disqus.comments powered by Disqus

Salt Minion Generate Key

Luminar 3 free download mac. This guide is published under a CC BY-ND 4.0 license.