I have two ssh keys that I am trying to deploy to one of my minions, but I can't seem to get them deployed. It errors out. Here is my main init.sls:
/xxx/yyy/zzz/id_rsa:
  file.managed:
    - source: salt://private/id_rsa

/xxx/yyy/zz/id_rsa.pub:
  file.managed:
    - source: salt://private/id_rsa.pub
Here is my init.sls state:
ssh:
  file.managed:
    - name: {{ pillar['private'] }}
I am obviously doing something wrong, but I'm not sure what. Any suggestions?
Answer 1

The Salt Pillar system does not have an init.sls file. Both states and pillars have a top.sls file. States that are subdirectories may have an init.sls file.

Step 1: define your users in /srv/pillar/users.sls
users:
  - name: fred
    fullname: Fred Flintstone
    email: [email protected]
    uid: 4001
    gid: 4001
    shell: /bin/bash
    groups:
      - bowling
    shadow: $6$Sasdf/Ss$asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfsadfasdfsadfsadfsdf
    authkey: ssh-dss AAAAasdfasdfsadfsadfsadfsadfasdfasdfsdafsdafaasdfasdfasdfasdfasdfsadfsadfsadfsadfasdfasdfsdafsdafaasdfasdfasdfasdfasdfsadfsadfsadfsadfasdfasdfsdafsdafaasdfasdfasdfasdfasdfsadfsadfsadfsadfasdfasdfsdafsdafa = [email protected]
    sshpub: ssh-dss AAAAasdfasdfsadfsadfsadfsadfasdfasdfsdafsdafaasdfasdfasdfasdfasdfsadfsadfsadfsadfasdfasdfsdafsdafaasdfasdfasdfasdfasdfsadfsadfsadfsadfasdfasdfsdafsdafaasdfasdfasdfasdfasdfsadfsadfsadfsadfasdfasdfsdafsdafa = [email protected]
  - name: barney
    fullname: Barney Rubble
    email: [email protected]
    uid: 4002
    gid: 4002
    shell: /bin/bash
    groups:
      - bowling
    shadow: $6$Suiop/Ss$uiopuiopuiopuiopuiopuiopuiopuiopuiopuiopuiopsadfuiopsadfsadfsdf
    authkey: ssh-dss AAAAuiopuiopsadfsadfsadfsadfuiopuiopsdafsdafauiopuiopuiopuiopuiopsadfsadfsadfsadfuiopuiopsdafsdafauiopuiopuiopuiopuiopsadfsadfsadfsadfuiopuiopsdafsdafauiopuiopuiopuiopuiopsadfsadfsadfsadfuiopuiopsdafsdafa = [email protected]
    sshpub: ssh-dss AAAAuiopuiopsadfsadfsadfsadfuiopuiopsdafsdafauiopuiopuiopuiopuiopsadfsadfsadfsadfuiopuiopsdafsdafauiopuiopuiopuiopuiopsadfsadfsadfsadfuiopuiopsdafsdafauiopuiopuiopuiopuiopsadfsadfsadfsadfuiopuiopsdafsdafa = [email protected]
Step 2: add the new pillar to /srv/pillar/top.sls
base:
  'testminion':
    - users
Step 3: map the pillar onto states in /srv/salt/user/init.sls using jinja
{% for user in pillar['users'] %}
user_{{user.name}}:
  group.present:
    - name: {{user.name}}
    - gid: {{user.gid}}
  user.present:
    - name: {{user.name}}
    - fullname: {{user.fullname}}
    - password: {{user.shadow}}
    - shell: {{user.shell}}
    - uid: {{user.uid}}
    - gid: {{user.gid}}
    {% if user.groups %}
    - optional_groups:
      {% for group in user.groups %}
      - {{group}}
      {% endfor %}
    {% endif %}
    - require:
      - group: user_{{user.name}}
  file.directory:
    - name: /home/{{user.name}}
    - user: {{user.name}}
    - group: {{user.name}}
    - mode: 0751
    - makedirs: True

user_{{user.name}}_forward:
  file.append:
    - name: /home/{{user.name}}/.forward
    - text: {{user.email}}

user_{{user.name}}_sshdir:
  file.directory:
    - name: /home/{{user.name}}/.ssh
    - user: {{user.name}}
    - group: {{user.name}}
    - mode: 0700

{% if 'authkey' in user %}
user_{{user.name}}_authkeys:
  ssh_auth.present:
    - user: {{user.name}}
    - name: {{user.authkey}}
{% endif %}

{% if 'sshpriv' in user %}
user_{{user.name}}_sshpriv:
  file.managed:
    - name: /home/{{user.name}}/.ssh/id_rsa
    - user: {{user.name}}
    - group: {{user.name}}
    - mode: 0600
    # contents_pillar takes a pillar key path (pillar.get syntax), not the key material itself;
    # loop.index0 is the position of this user in the pillar['users'] list
    - contents_pillar: users:{{ loop.index0 }}:sshpriv
{% endif %}

{% if 'sshpub' in user %}
user_{{user.name}}_sshpub:
  file.managed:
    - name: /home/{{user.name}}/.ssh/id_rsa.pub
    - user: {{user.name}}
    - group: {{user.name}}
    - mode: 0600
    - contents_pillar: users:{{ loop.index0 }}:sshpub
{% endif %}
{% endfor %} # user in users

# vim: ft=yaml tabstop=2 sts=2 sw=2 et ai si
Don't forget to refresh the minions with the new pillar!
salt targetminions saltutil.refresh_pillar
Answer 2

It should probably be noted, regarding the original question, that if the source: salt://... form does not work with file.managed - as still happened with salt-ssh because of bug https://github.com/saltstack/salt/issues/38458, which is now fixed - there is another simple solution, namely switching to contents: with the file_tree external pillar, which is also backed by files on the master.

The file_tree ext_pillar is documented at https://docs.saltstack.com/en/latest/ref/pillar/all/salt.pillar.file_tree.html#module-salt.pillar.file_tree nowadays. It has existed since version 2015.5.0, so it is newer than the original question and answer, but it is a quite usable solution today.

In fact, it is also in the FAQ: https://docs.saltstack.com/en/latest/faq.html#is-it-possible-to-deploy-a-file-to-a-specific-minion-without-other-minions-having-access-to-it
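The reason the FAQ points at pillar rather than the fileserver is worth spelling out: anything served from salt:// on the master is fetchable by every authenticated minion, so a private key placed under salt://private/ as in the question is exposed to all of them, while pillar data is compiled per minion and only that minion receives it. The following is an added example, not code from either answer, showing the file_tree ext_pillar set-up the answer above refers to together with a state that consumes it via contents_pillar; the root_dir path /srv/ext_pillar, the minion id testminion, the user deploy and the state name deploykey are assumptions chosen for the example.

```yaml
# --- /etc/salt/master (excerpt) ---
ext_pillar:
  - file_tree:
      root_dir: /srv/ext_pillar
      # keep the trailing newline OpenSSH expects at the end of a private key file
      keep_newline: True

# Directory layout under root_dir (constructed for this example). file_tree turns
# the path below hosts/<minion_id>/ into a pillar key, so the key material is
# only compiled into testminion's pillar and never appears in the fileserver:
#   /srv/ext_pillar/hosts/testminion/ssh/id_rsa      -> pillar key  ssh:id_rsa
#   /srv/ext_pillar/hosts/testminion/ssh/id_rsa.pub  -> pillar key  ssh:id_rsa.pub
# Keep /srv/ext_pillar owned by root with mode 0700 so that only the master
# process can read the private keys on the master itself (hardening assumption).

# --- /srv/salt/deploykey/init.sls ---
deploy_ssh_dir:
  file.directory:
    - name: /home/deploy/.ssh
    - user: deploy
    - group: deploy
    - mode: 0700

deploy_ssh_private_key:
  file.managed:
    - name: /home/deploy/.ssh/id_rsa
    - user: deploy
    - group: deploy
    - mode: 0600
    # pull the file body from the per-minion pillar key produced by file_tree
    - contents_pillar: ssh:id_rsa
    # suppress the diff so the key body is not echoed into state output or the job cache
    - show_changes: False
    - require:
      - file: deploy_ssh_dir

deploy_ssh_public_key:
  file.managed:
    - name: /home/deploy/.ssh/id_rsa.pub
    - user: deploy
    - group: deploy
    - mode: 0644
    - contents_pillar: ssh:id_rsa.pub
    - require:
      - file: deploy_ssh_dir
```

After editing the master config, restart the master, run `salt testminion saltutil.refresh_pillar` and then `salt testminion state.apply deploykey`. A quick check that the scoping works is `salt 'othermination' pillar.get ssh:id_rsa` returning nothing for any minion other than testminion. Note that the private key is still visible to anyone who can run `pillar.items` as root on testminion, which is the same exposure as the file on disk; the gain over salt:// is that other minions cannot obtain it.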