Server management with salt – h2: Pkg-File-Server

(Thursday group)
This assignment was completed in full from my personal desktop, with a live-USB running Xubuntu 18.04.1 and a virtual machine running Ubuntu 18.04.1.

Setting up salt (11:40) 02.11

Master$

My virtual machine already has salt-master installed and configured from the previous assignment. (Read it here)

Minion$

sudo apt-get update
sudo apt-get install salt-minion

# Configure minion (/etc/salt/minion)
cat /etc/salt/minion
master: masters IP
id: h2

# restart minion
sudo systemctl restart salt-minion.service
# accept keys @ master

sudo salt-key -A

The following keys are going to be accepted:
Unaccepted Keys:
h2
Proceed? [n/Y] Y
Key for minion h2 accepted.

b) Install SSH via Pkg-File-Server model (12:03)

States are stored in /srv/salt

I used this article as a reference

cat top.sls 
base:
  'h2':
    - ssh_installer
sudo mkdir ssh_installer
cd ssh_installer

# create the .sls file
sudo nano ssh_installer.sls
cat ssh_installer.sls

openssh-server:
  pkg.installed

/etc/ssh/sshd_config:
  file.managed:
    - source: salt://sshd_config

sshd:
  service.running:
    - watch:
      - file: /etc/ssh/sshd_config

I created the idempotent version of sshd_config

sudo nano sshd_config
cat sshd_config

# MANAGED FILE - changes will be overwritten
Port 8888
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
# This is the default sshd_config file for Ubuntu -
# but without comments and a different port.
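Before a file.managed state pushes an sshd_config like the one above to every minion, it is worth auditing the file the same way a reviewer would. The following is an added example, not part of the original write-up: a small Python audit of the global section of an sshd_config. The sample file is constructed from the managed config above (trimmed, plus a Match block to show that conditional settings are not treated as global). The defaults it falls back to for missing keywords are the OpenSSH defaults (PasswordAuthentication yes, X11Forwarding no, PermitRootLogin prohibit-password, PermitEmptyPasswords no); the check list is my own selection, not a standard.

```python
"""Audit the global section of an sshd_config for weak settings.

Added example, not part of the original write-up. It parses a config in the
same form as the managed file above and applies a few checks a reviewer would
run before letting a file.managed state ship it to every minion.
"""
import re

# Constructed sample: the managed file from the write-up, trimmed to the
# directives the checks care about, plus a Match block to show that only the
# global section (everything before the first Match) is audited.
SAMPLE_SSHD_CONFIG = """\
# MANAGED FILE - changes will be overwritten
Port 8888
Protocol 2
PermitRootLogin prohibit-password
StrictModes yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
UsePAM yes
Match User backup
    PasswordAuthentication no
"""

# OpenSSH defaults used when a keyword is absent. PasswordAuthentication
# defaulting to "yes" is the one people most often forget.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# (keyword, accepted values, finding text). Accepted values are compared
# case-insensitively; this list is an illustrative selection, not a standard.
CHECKS = [
    ("permitrootlogin", {"no", "prohibit-password", "without-password"},
     "root login permitted"),
    ("passwordauthentication", {"no"},
     "password authentication enabled (default yes)"),
    ("permitemptypasswords", {"no"}, "empty passwords permitted"),
    ("x11forwarding", {"no"}, "X11 forwarding enabled"),
]


def parse_global(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd honours the FIRST occurrence of a keyword and ignores later
    duplicates, and a Match line ends the global section, so both rules are
    reproduced here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument may be separated by whitespace or one "="
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """Return a list of findings, one string per failed check."""
    settings = parse_global(text)
    findings = []
    for key, allowed, message in CHECKS:
        value = settings.get(key, DEFAULTS[key])
        if value.lower() not in allowed:
            findings.append(f"{key}={value}: {message}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Run against the sample, the audit reports two things the managed file above would also trigger: PasswordAuthentication is never set (so it stays at its default of yes, which matters once port 8888 is reachable from outside) and X11Forwarding is on. The Match-scoped PasswordAuthentication no does not count, because it only applies to that user.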

I then ran this command to test the configuration…

sudo salt "h2" state.highstate

…and got a mixed response:

ID: /etc/ssh/sshd_config
    Function: file.managed
      Result: False
     Comment: Source file salt://sshd_config not found
     Started: 10:42:46.100583
    Duration: 177.801 ms
     Changes:

The actual installation went fine, but salt was unable to find “sshd_config” on the master’s side. This is because I forgot to include the whole path to said file. Here’s the fix:

# /srv/salt/ssh_installer/init.sls

#BEFORE
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://sshd_config

#AFTER
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://ssh_installer/sshd_config

As the picture demonstrates, everything works great!
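The "Source file salt://sshd_config not found" failure above only shows up after the highstate has already run. As an added example (not part of the original write-up and not a Salt API), here is a Python check that resolves every salt:// URL in a state tree against the master's file root before a highstate is run. It builds a constructed, temporary look-alike of /srv/salt containing both the BEFORE and the AFTER form of the state, so the bug is reproduced offline; the function names (find_sources, check_tree, build_demo_tree) are mine. It assumes a single file_roots directory and does not know about gitfs or additional environments.

```python
"""Check that every salt:// source in a state tree exists under the file root.

Added example, not part of the original write-up and not a Salt API. It catches
the "Source file salt://... not found" error before a highstate is run by
resolving each salt:// URL against the master's file_roots directory. It does
no YAML parsing: a regex over the .sls text is enough to find the URLs.
"""
import os
import re
import tempfile

# A salt:// URL ends at whitespace or a quote; "?saltenv=..." is stripped below.
SALT_URL = re.compile(r"salt://([^\s'\"]+)")


def find_sources(sls_text):
    """Return the relative paths referenced by salt:// URLs in one .sls file."""
    return [match.split("?", 1)[0] for match in SALT_URL.findall(sls_text)]


def check_tree(file_root):
    """Walk file_root; return [(sls path, salt:// path)] for missing sources."""
    missing = []
    for dirpath, _dirs, files in os.walk(file_root):
        for name in sorted(files):
            if not name.endswith(".sls"):
                continue
            sls_path = os.path.join(dirpath, name)
            with open(sls_path, encoding="utf-8") as fh:
                for rel in find_sources(fh.read()):
                    if not os.path.exists(os.path.join(file_root, rel)):
                        missing.append((os.path.relpath(sls_path, file_root), rel))
    return missing


def build_demo_tree():
    """Constructed /srv/salt look-alike in a temp dir reproducing the bug:
    the BEFORE state points at salt://sshd_config while the file actually
    lives at ssh_installer/sshd_config, so only the AFTER form resolves."""
    root = tempfile.mkdtemp(prefix="salt-root-")
    os.makedirs(os.path.join(root, "ssh_installer"))
    with open(os.path.join(root, "ssh_installer", "sshd_config"), "w") as fh:
        fh.write("Port 8888\n")  # constructed stand-in for the managed file
    with open(os.path.join(root, "ssh_installer", "init.sls"), "w") as fh:
        fh.write(
            "/etc/ssh/sshd_config:\n"
            "  file.managed:\n"
            "    - source: salt://sshd_config\n"                # BEFORE (wrong)
            "/etc/ssh/sshd_config.ok:\n"
            "  file.managed:\n"
            "    - source: salt://ssh_installer/sshd_config\n"  # AFTER (right)
        )
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for sls, src in check_tree(demo_root):
        print(f"{sls}: salt://{src} not found under {demo_root}")
```

Pointed at a real master (check_tree("/srv/salt")), the same function lists each .sls file whose salt:// source does not exist, which is exactly the mistake made above; the apache_installer state in the next section, with its salt://apache_installer/index.html and salt://apache_installer/public_html sources, is checked the same way.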

Connecting to minion with the new 8888 port given by the master config file also works:

ssh -p 8888 xubuntu@192.168.0.14

The state also successfully restarts the daemon if it finds that the watched sshd_config file has been tampered with.
I re-commented some rows in sshd_config and ran the state:

ID: /etc/ssh/sshd_config
    Function: file.managed
      Result: True
     Comment: File /etc/ssh/sshd_config updated
     Started: 11:28:20.021568
    Duration: 265.946 ms
     Changes:   
              ----------
              diff:
                  --- 
                  +++ 
                  @@ -11,9 +11,9 @@
                   SyslogFacility AUTH
                   LogLevel INFO
                   LoginGraceTime 120
                  -#PermitRootLogin prohibit-password
                  -#StrictModes yes
                  -#RSAAuthentication yes
                  +PermitRootLogin prohibit-password
                  +StrictModes yes
                  +RSAAuthentication yes
                   PubkeyAuthentication yes
                   IgnoreRhosts yes
                   RhostsRSAAuthentication no
----------
          ID: sshd
    Function: service.running
      Result: True
     Comment: Service restarted
     Started: 11:28:20.315405
    Duration: 16.848 ms
     Changes:   
              ----------
              sshd:
                  True

c) Apache with salt. (5.11 – 12:29)

I first went through the process of installing apache2 manually.

sudo apt-get update
sudo apt-get install apache2

sudo a2enmod userdir
sudo systemctl restart apache2
cd ~
mkdir public_html
cd public_html
nano index.html

As the picture illustrates, these are the steps necessary to both install apache2 and enable user homepages.

Installing apache2 with a salt state.

I used this article as a reference to create the state.

apache_installer/init.sls
apache2:
  pkg.installed

/var/www/html/index.html:
  file.managed:
    - source: salt://apache_installer/index.html

/etc/apache2/mods-enabled/userdir.conf:
  file.symlink:
    - target: ../mods-available/userdir.conf

/etc/apache2/mods-enabled/userdir.load:
  file.symlink:
    - target: ../mods-available/userdir.load

apache2service:
  service.running:
    - name: apache2
    - watch:
      - file: /etc/apache2/mods-enabled/userdir.conf
      - file: /etc/apache2/mods-enabled/userdir.load

master$ sudo salt "h2" state.highstate


d) Something new with salt (12:53)

So we now have a state that installs apache, creates symlinks to enable userdir, and keeps an eye on those links.
I think the next logical step would be to modify the state to create the user homepage-directories.

I modified my init.sls by appending the following:

/home/xubuntu/public_html:
  file.recurse:
    - source: salt://apache_installer/public_html
    - include_empty: True

file.recurse is a function used to copy directories. (documentation found here) Just like file.managed, the first line tells salt where to place the directories, and source: tells salt where the directories to be copied can be found.
Setting include_empty to True allows salt to make empty directories.
(Not necessary here, since public_html contains index.html)

I then created the source material in the aforementioned location, and ran the module.

master$ sudo salt "h2" state.highstate

It works! Here are some pictures:


Sources:
