- Error Generating Key Null Salt Vmware Server
- Error Generating Key Null Salt Vmware Version
- Error Generating Key Null Salt Vmware 10
My immediate reaction to this is to ask if the hardware is the same on each of the servers?
Obtain a vSphere license key and assign the key to the ESXi host. Verify that the edition of the license key matches the configured features and resources on the host. If they do not match, you cannot assign the license key. The license of the host is expired. Jan 09, 2017 r/vmware: The un-official VMware Reddit. I used the article /u/eck79 cited as well. I found out the hard way though that even though this is a supported scenario be prepared to have third party solutions break when you change the default certificates to subordinate signed certs.
The reason for this is that I had an issue trying to do an upgrade from 4.1 to 5 and it came down to the hardware; as a result, I couldn't use the VMware issued upgrade, but had to get a modified version from the hardware vendor. It was something to do with the driver for the RAID card which was not supported by the standard VMware upgrade. (Can't remember the exact error, but it sounds similar to the message that you are having.)
I logged onto vmware.com and upgraded my 4.1 license key to 5. Then i started to upgrade Vcenter Server, and it wouldn't take the new license key, throwing an error: 'No matching licenses found'. I posted a question in the VMware forums and someone suggested installing Vcenter server in evaluation mode, then entering the license key. Description of Issue/Question. Salt-cloud vmware provider cannot ssh to machines after provisioning. I have a ESX6 lab running VMware vCenter Server 6.0.0 build-3634794, my whole provisioning process seems to be running great, aside from salt not able to ssh into the guest during provisioning.
When automating software and infrastructure, it is not uncommon to need to supply a user id and password for installation or other operations. While it is certainly possible to pass these plaintext credentials directly in the state, this is not best practice.
There are several issues with this approach.
States are accessible to all minions, so using the example state file above, not only does your mysql host have access to the password, but all your salt managed hosts. Additionally, in the world of infrastructure-as-code, we have to assume that it is checked into source control, and the plaintext password is now accessible to anyone with repository access. As a last point, even if all this was acceptable, a pillar is a more appropriate place to store this information because it provides flexibility to do things like have a different password for frank in dev/test/prod environments.
Luckily we can address all these issues by using the SaltStack GPG renderer. It provides secure encryption/decryption of pillar data, limited to only those minions that absolutely require it.
Generate key pair on Salt Master
Generating a key pair takes a certain amount of entropy, or randomness. Especially on a virtualized machine, you can find that not enough operations have been executed to generate GPG keys. Installing the ‘rng-tools’ package can address this issue [1,2]. For Ubuntu, run the following:
Then generate the key pair:
The gpg utility will ask several questions, you can customize or accept the default values for RSA key size of 2048 with no expiration. Then when it asks for real name, this is the identifier for your key and it is common to use the hostname. You can leave email address and comment blank by just pressing <ENTER>. Then when it asks for a passphrase, just press <ENTER> again twice. If you specify a passphrase, it won’t work with Salt because Salt works in non-interactive mode.
Error Generating Key Null Salt Vmware Server
At this point you will have the following files in your /etc/salt/gpgkeys directory: pubring.gpg, pubring.gpg~, random_seed, secring.gpg, and trustdb.gpg.
The list of keys stored in the general GPG keyring as well as our new directory can be see with the commands below.
When you list the keys in /etc/salt/gpgkeys, you should see that one of them has the identifier you typed as the ‘Real name’ when generating the key pair. This is the identifier used in future operations.
Key Distribution
At this stage, it is a good idea to export your private key for safe keeping and export your public key for general distribution.
You will want to put this secret key into the best secure, encrypted-at-rest solution you have (whether this is a USB stick in a vault or Thycotic). And then export the public key, which you can check into source control or distribute in any way you choose.
Now import the public key we just generated into the general public key keyring:
The resulting output will tell you that one key was imported, and then it will show you the identifier used, which corresponds to the ‘Real name’ used when generating the key pair.
Encrypt a Secret
To encrypt a secret, run gpg, being sure to pass the identifier (i.e. Real name) as a parameter so it knows which key to use. My identifier is ‘saltserver’, obviously you need to replace this with yours.
The resulting output will be a Base64 encoded message that can be put into a pillar sls file. If instead of a string, you have a file such as a private ssh key that needs encoding the command would look like this:
Encoded Secret in Pillar
When creating the pillar .sls file, you need to do a couple of things. First, specify the rendering order in the first shebang line so that gpg is done last. And then when you specify a multiline string using the pipe, make sure you add the proper number of spaces so that yaml indentation is honored (the line below are truncated because long lines messed up the blog formatting).
Now, if you assign this pillar to a minion (e.g. ‘myminion’), you should be able to see the unencrypted value if you list the pillar values:
Error Generating Key Null Salt Vmware Version
Or directly from the salt minion, you can see the unencrypted value.
Error Generating Key Null Salt Vmware 10
Note that only the minions that are assigned this pillar would have access to the secret.
Using the secret in a state file
To use this encrypted value in a state, you need to pull it from the pillar, as shown below.
As stated earlier, all minions have access to state files, but now the secret is no longer divulged in the .sls, and unless a minion is assigned the pillar, the value will be empty.
REFERENCES
If you get error messages in your Salt execution that GPG cannot be found, make sure you install the python-gnupg package.
NOTES
GPG for encryption/decryption without SaltStack
댓글