[cobbler] Re: Sending keys/files to deployed hosts
Hey All,

I finally got this working; it was a bit tricky getting sshd to stay open and allow connections in the Ubuntu preseed environment. Here is what worked for me:

    d-i preseed/late_command string in-target wget http://$http_server/xenial-sources.list -O /etc/apt/sources.list ; \
        mkdir -p /target/root/.ssh ; \
        chmod 600 /target/root/.ssh ; \
        echo 'ssh-rsa $COBBLER_PUBLIC_KEY cobbler' > /target/root/.ssh/authorized_keys ; \
        wget -O- http://$http_server/sshd.sh | chroot /target /bin/bash -s ; \
        wget -O- http://$http_server/cblr/svc/op/script/$what/$name/?script=preseed_late_default | chroot /target /bin/bash -s ; \
        in-target killall /usr/sbin/sshd ;

sshd.sh is:

    [root@cobbler ~]# cat /var/www/html/sshd.sh
    mkdir -p /var/run/sshd
    chmod 0755 /var/run/sshd
    ssh-keygen -f /root/.ssh/id_rsa -t rsa -N ''
    (/usr/sbin/sshd -D &)

Hope this helps others.

On Wed, Nov 2, 2016 at 3:52 PM, Tyler Wilson wrote:

___
cobbler mailing list -- cobbler@lists.fedorahosted.org
To unsubscribe send an email to cobbler-le...@lists.fedorahosted.org
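A hardened variant of the post-install trigger this thread is about, added here as an example (it is not any poster's script): it acts only when Cobbler passes a system object, a safe name and an IPv4 address inside the provisioning subnet, keeps the freshly generated installer host key in a throwaway known_hosts file (the "Offending ECDSA key" warning in the thread comes from reusing the permanent one), and removes the installer-time authorized_keys entry once the secret has landed. The subnet 192.168.1.0/24, the key /root/.ssh/id_rsa_cobbler and the script name chef-key.sh are assumptions.

```shell
#!/bin/sh
# Hardened Cobbler post-install trigger (constructed example, not a poster's
# script). Cobbler runs install triggers as: <trigger> <object-type> <name> <ip>
# Assumed values: provisioning subnet 192.168.1.0/24, a key used only by Cobbler
# at /root/.ssh/id_rsa_cobbler, the secret to deliver at /root/chef.key.
PROVISION_NET_PREFIX="192.168.1."        # constructed: adjust to your subnet
SSH_KEY="/root/.ssh/id_rsa_cobbler"
SECRET_SRC="/root/chef.key"

# Return 0 when $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;    # digits and dots only, no empty octet
  esac
  set -- $(printf '%s' "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Return 0 when the trigger should act: a system object, a safe name, and a
# valid address inside the provisioning network. Everything else is refused.
should_deliver() {
  [ $# -eq 3 ] || return 1
  [ "$1" = system ] || return 1           # profile-level runs never get secrets
  case $2 in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;     # the name is echoed into logs
  esac
  valid_ipv4 "$3" || return 1
  case $3 in "$PROVISION_NET_PREFIX"*) return 0 ;; esac
  return 1
}
# Copy the secret, then revoke the installer-time authorized key.
deliver_secret() {
  kh=$(mktemp) || return 1                # throwaway known_hosts for this install
  logger -t cobbler-trigger "delivering $SECRET_SRC to $2 ($3)"
  scp -i "$SSH_KEY" -o "UserKnownHostsFile=$kh" -o StrictHostKeyChecking=no \
      -p "$SECRET_SRC" "root@$3:/root/chef.key" || { rm -f "$kh"; return 1; }
  # Pinned to the host key learned above; afterwards Cobbler has no standing root login.
  ssh -i "$SSH_KEY" -o "UserKnownHostsFile=$kh" -o StrictHostKeyChecking=yes \
      "root@$3" 'rm -f /root/.ssh/authorized_keys'
  rc=$?; rm -f "$kh"; return $rc
}
if [ "${0##*/}" = chef-key.sh ]; then   # act only when run by Cobbler as the trigger
  should_deliver "$@" || { logger -t cobbler-trigger "refused: $*"; exit 0; }
  deliver_secret "$@"
fi
```

Refused invocations exit 0 on purpose so a rejected trigger does not mark the whole install as failed; the refusal is recorded via logger for review.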
[cobbler] Re: Sending keys/files to deployed hosts
Hello,

Thank you for the replies! I tried to replicate your setup with the following:

    [root@cobbler ~]# cat /var/lib/cobbler/triggers/install/post/chef-key.sh
    #!/bin/bash
    /usr/bin/scp -i /root/.ssh/id_rsa -o "StrictHostKeyChecking no" -p /root/chef.key ${3}:/root/chef.key

Using Ubuntu 16.04 preseed with the following post install commands:

    d-i preseed/late_command string in-target /usr/bin/ssh-keygen -f /root/.ssh/id_rsa -t rsa -N '' ; \
        echo 'ssh-rsa $COBBLER_PUBLIC_KEY cobbler' > /target/root/.ssh/authorized_keys ; \
        mkdir -p /target/var/run/sshd ; \
        in-target /usr/sbin/sshd ; \
        wget -O- http://$http_server/cblr/svc/op/script/$what/$name/?script=preseed_late_default | chroot /target /bin/sh -s ; \
        in-target wget http://$http_server/xenial-sources.list -O /etc/apt/sources.list ;

However, I am getting a lost connection whenever it tries to run the post trigger:

    Tue Nov 1 23:41:58 2016 - DEBUG | running shell triggers from /var/lib/cobbler/triggers/install/post/*
    Tue Nov 1 23:41:58 2016 - DEBUG | running shell trigger /var/lib/cobbler/triggers/install/post/chef-key.sh
    Tue Nov 1 23:41:58 2016 - INFO | running: ['/var/lib/cobbler/triggers/install/post/chef-key.sh', 'system', 'cobbler-test', '192.168.1.50']
    Tue Nov 1 23:42:13 2016 - INFO | received on stdout:
    Tue Nov 1 23:42:13 2016 - DEBUG | received on stderr: ssh_exchange_identification: read: Connection reset by peer
    lost connection

I inserted a sleep after the final post command and I could manually run the scp command fine while the system was still in the "running preseed" stage.

    [root@cobbler ~]# /var/lib/cobbler/triggers/install/post/chef-key.sh system cobbler-test 192.168.1.50
    ...
    Add correct host key in /root/.ssh/known_hosts to get rid of this message.
    Offending ECDSA key in /root/.ssh/known_hosts:1
    Password authentication is disabled to avoid man-in-the-middle attacks.
    Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
    chef.key                                      100% 1679     1.6KB/s   00:00

Thanks for your help!

On Wed, Oct 26, 2016 at 6:51 PM, Orion Poplawski wrote:
[cobbler] Re: Sending keys/files to deployed hosts
On 10/25/2016 09:49 PM, Tyler Wilson wrote:
> Hey All,
>
> New Cobbler user here. What is the best method of ensuring deployed
> nodes have sensitive keys (chef keys, ssh, etc) securely uploaded when
> completed? Am I able to send them securely from the cobbler host somehow?
>
> Thanks for any and all tips!

I fire up sshd on my target system in %post:

    # Create temporary host key(s)
    # EL7
    /usr/sbin/sshd-keygen
    # Fedora
    /usr/libexec/openssh/sshd-keygen rsa
    # Start sshd so that we can copy over the ansible key in the cobbler post trigger
    /usr/sbin/sshd

Then I have a cobbler install trigger copy the ssh key over:

    # cat /var/lib/cobbler/triggers/install/post/ansible_key
    #!/bin/bash
    [ "$1" = system ] &&
    /usr/bin/scp -i /root/.ssh/id_rsa_cobbler -o "StrictHostKeyChecking no" -p /root/.ssh/id_rsa_ansible ${2}:/root/.ssh/id_rsa_ansible

I suppose someone could then activate the trigger directly and receive the key, but this is the best that I was able to come up with.

--
Orion Poplawski
Technical Manager                 303-415-9701 x222
NWRA/CoRA Division                FAX: 303-415-9702
3380 Mitchell Lane                or...@cora.nwra.com
Boulder, CO 80301                 http://www.cora.nwra.com
[cobbler] Re: Sending keys/files to deployed hosts
Look into koan, --template-files and --update-files
http://fedorahosted.org/cobbler/wiki//BuiltinConfigManagement

On Oct 25, 2016 10:50 PM, "Tyler Wilson" wrote:
[cobbler] Re: Sending keys/files to deployed hosts
Hi Tyler,

In your kickstart file, create a post install step that sets up a management account called chef and also uploads the chef ssh authorization key. You can then push any sensitive files to the deployed system using an ssh tunnel between chef and system x at account chef.

Regards,
William

From: Tyler Wilson [mailto:k...@linuxdigital.net]
Sent: October-25-16 11:49 PM
To: cobbler@lists.fedorahosted.org
Subject: [cobbler] Sending keys/files to deployed hosts