From 9e3c289562de4cf707b7e8d6fd307ed3b9a37c6c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 28 Dec 2021 10:43:45 -0500
Subject: [PATCH] remove restarting salt in ssl generation. sperate ca and ssl generation into seperate functions

---
 setup/so-functions | 127 ++++++++++-----------------------------------
 setup/so-setup | 11 +++-
 2 files changed, 35 insertions(+), 103 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index e16292d74..94fe17426 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1429,6 +1429,32 @@ fleet_pillar() {
 "" > "$pillar_file"
 }
 
+generate_ca() {
+ {
+ echo "Building Certificate Authority";
+ salt-call state.apply ca;
+
+ echo " Confirming existence of the CA certificate"
+ openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates
+
+ echo "Confirming salt mine now contains the certificate";
+ salt-call mine.get "$MINION_ID" x509.get_pem_entries | grep -E 'BEGIN CERTIFICATE|END CERTIFICATE';
+ if [ $? -eq 0 ]; then
+ echo "CA in mine"
+ else
+ echo "CA not in mine"
+ fi
+ } >> "$setup_log" 2>&1
+}
+
+generate_ssl() {
+ {
+ echo "Applying SSL state";
+ salt-call state.apply ssl;
+ salt-call saltutil.sync_modules;
+ } >> "$setup_log" 2>&1
+}
+
 generate_passwords(){
 # Generate Random Passwords for Things
 MYSQLPASS=$(get_random_value)
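Review bot: generate_ca cannot signal failure to its caller: the status of `salt-call state.apply ca` is discarded, and the `CA not in mine` branch only writes to the log, so the function returns the status of the last echo and so-setup moves on to the SSL state with no CA. Make the failing paths return non-zero, `salt-call state.apply ca || return 1` and `echo "CA not in mine"; return 1`, so the caller can stop the install. The `if [ $? -eq 0 ]` after the pipeline can become the condition itself, `if salt-call mine.get "$MINION_ID" x509.get_pem_entries | grep -E 'BEGIN CERTIFICATE|END CERTIFICATE'; then`, which tests the same status without a separate `$?` check. The removed salt_checkin pushed the certificate into the mine with mine.send and mine.update before this check; if the ca state does not refresh the mine itself, mine.get may run before the certificate is published, which is worth confirming on a fresh install. A one-line header in the file's style, `# Build the CA with the ca state and confirm it is published in the salt mine`, would help the next reader.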
@@ -2261,107 +2287,6 @@ saltify() {
 fi
 }
 
-salt_checkin() {
- case "$install_type" in
- 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') # Fix Mine usage
- {
- echo "Building Certificate Authority";
- salt-call state.apply ca;
- echo " *** Restarting Salt to fix any SSL errors. ***";
-
- local SALT_SERVICES=(\
- "salt-master" \
- "salt-minion"
- )
- local count=0
-
- for service in "${SALT_SERVICES[@]}"; do
- {
- echo "Restarting service $service"
- systemctl restart "$service" &
- local pid=$!
- } >> "$setup_log" 2>&1
-
- count=0
- while ! (check_service_status "$service"); do
- # On final loop, kill the pid trying to restart service and try to manually kill then start it
- if [ $count -eq 12 ]; then
- {
- kill -9 "$pid"
- systemctl kill "$service"
- systemctl start "$service" &
- local pid=$!
- } >> "$setup_log" 2>&1
- fi
-
- if [ $count -gt 12 ]; then
- echo "$service could not be restarted in 120 seconds, exiting" >> "$setup_log" 2>&1
- kill -9 "$pid"
- exit 1
- fi
- sleep 10;
- ((count++))
- done
- done
-
- count=1
- timeout=60
- while ! (check_salt_master_status $timeout); do
- echo "salt minion cannot talk to salt master after $timeout seconds" >> "$setup_log" 2>&1
- if [ $count -gt 2 ]; then
- echo "salt minion could not talk to salt master after $count attempts, exiting" >> "$setup_log" 2>&1
- exit 1
- fi
- sleep 1;
- ((count++))
- ((timeout+=30)) # add 30s to the timeout each attempt
- done
-
- count=1
- timeout=60
- while ! 
(check_salt_minion_status $timeout) ; do
- echo "salt master did not get a job response from salt minion after $timeout seconds" >> "$setup_log" 2>&1
- if [ $count -gt 2 ]; then
- echo "salt master did not get a job response from salt minion after $count attempts, exiting" >> "$setup_log" 2>&1
- exit 1
- fi
- systemctl kill salt-minion
- systemctl start salt-minion
- sleep 1;
- ((count++))
- ((timeout+=30)) # add 30s to the timeout each attempt
- done
-
- echo " Confirming existence of the CA certificate"
- openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates
- echo " Applyng a mine hack";
- salt "$MINION_ID" mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
- salt "$MINION_ID" mine.update;
- echo "Confirming salt mine now contains the certificate";
- salt "$MINION_ID" mine.get '*' x509.get_pem_entries | grep -E 'BEGIN CERTIFICATE|END CERTIFICATE';
- if [ $? -eq 0 ]; then
- echo "CA in mine"
- else
- echo "CA not in mine"
- fi
- echo " Applying SSL state";
- salt-call state.apply ssl;
- } >> "$setup_log" 2>&1
- ;;
- *)
- {
- #salt-call state.apply ca;
- salt-call state.apply ssl;
- } >> "$setup_log" 2>&1
- ;;
- esac
- {
- #salt-call state.apply ca;
- salt-call state.apply ssl;
- salt-call saltutil.sync_modules;
- } >> "$setup_log" 2>&1
-}
-
 # Run a salt command to generate the minion key
 salt_firstcheckin() {
 salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput

diff --git a/setup/so-setup b/setup/so-setup
index 4aaab8ade..a40e1a6d5 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -761,8 +761,15 @@ echo "1" > /root/accept_changes
 salt-call state.apply -l info salt.minion >> $setup_log 2>&1
 fi
 
- set_progress_str 23 'Generating CA and checking in'
- salt_checkin >> $setup_log 2>&1
+ if [[ $is_manager || $is_helix || $is_import ]]; then
+ set_progress_str 23 'Generating CA'
+ generate_ca >> $setup_log 2>&1
+ fi
+
+ if [[ $is_minion ]]; then
+ set_progress_str 24 'Generating SSL'
+ generate_ssl >> $setup_log 2>&1
+ fi
 
 if [[ $is_manager || $is_helix || $is_import ]]; then
 set_progress_str 25 'Configuring firewall'
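Review bot: generate_ssl is now gated on `if [[ $is_minion ]]`, whereas the removed salt_checkin applied the ssl state for every install type; is_minion is set outside this hunk, so I cannot tell whether manager, helix and import installs set it, and if they do not those nodes would no longer get the SSL state. Confirm is_minion is true for every install type, or run generate_ssl unconditionally after the CA block. Neither new call checks its status, so a failed CA build is only visible in the log; if generate_ca is made to return non-zero on failure, `generate_ca >> "$setup_log" 2>&1 || exit 1` would stop setup before the firewall and later steps run on a node without a CA. `$setup_log` is unquoted in both new redirections; the context lines do the same, but the new lines could quote it.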