saltstack-formulas / openssh-formula

http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html

First-run of state fails on arch due to missing keys #139

Closed stooj closed 5 years ago

stooj commented 6 years ago

On Arch, the hostkeys are generated the first time the service is started. However, sshd_config fails because the keys don't exist yet, so the service can't be started.

----------
          ID: sshd_config
    Function: file.managed
        Name: /etc/ssh/sshd_config
      Result: False
     Comment: check_cmd execution failed
              Could not load host key: /etc/ssh/ssh_host_rsa_key
              Could not load host key: /etc/ssh/ssh_host_dsa_key
              Could not load host key: /etc/ssh/ssh_host_ecdsa_key
              Could not load host key: /etc/ssh/ssh_host_ed25519_key
              sshd: no hostkeys available -- exiting.
     Started: 17:56:05.599505
    Duration: 352.189 ms
     Changes:   
----------
          ID: openssh
    Function: service.running
        Name: sshd
      Result: False
     Comment: One or more requisite failed: openssh.config.sshd_config
     Started: 17:56:05.962233
    Duration: 0.015 ms
     Changes:   

A workaround is to start the service manually, then apply the highstate.

aboe76 commented 6 years ago

@stooj, could you check if you move the following part in config.sls to the end of the file?

{% if manage_sshd_config %}
sshd_config:
  file.managed:
    - name: {{ openssh.sshd_config }}
    - source: {{ openssh.sshd_config_src }}
    - template: jinja
    - user: {{ openssh.sshd_config_user }}
    - group: {{ openssh.sshd_config_group }}
    - mode: {{ openssh.sshd_config_mode }}
    - check_cmd: {{ openssh.sshd_binary }} -t -f
    {%- if openssh.sshd_config_backup  %}
    - backup: minion
    {%- endif %}
    - watch_in:
      - service: {{ openssh.service }}
{% endif %}

that way the ssh_host_keys are generated before the config file is placed... maybe it's just an ordering issue...

alxwr commented 6 years ago

@stooj Did you try setting generate_<type>_keys: True in your Pillar data? This should cause the keys to be generated before the sshd_config is checked. If that succeeds, we could set generate_<type>_keys: True for Arch by default.

(Another way would be to start & stop the server if no host key file is present, but I'm very reluctant to start a not configured service.)
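The ordering fix alxwr describes, written out as a stand-alone Salt state (an added example for this thread, not the formula's own config.sls and not code posted by either participant). It generates any missing host key with ssh-keygen, then uses require_in so each key exists before sshd_config's check_cmd runs sshd -t against the temporary file. The state IDs, the /usr/bin/sshd path (Arch), the salt:// source path, the key type list and the 0600 mode are all assumptions chosen for illustration.

```yaml
# Added example, not the openssh-formula's own state. Assumptions: state IDs,
# the Arch sshd path, the salt:// source and the key type list below.
{%- set key_dir = '/etc/ssh' %}
{%- set host_key_types = ['rsa', 'ecdsa', 'ed25519'] %}

openssh:
  pkg.installed:
    - name: openssh
  service.running:
    - name: sshd
    - enable: True
    - watch:
      - file: sshd_config

{%- for key_type in host_key_types %}
sshd_host_key_{{ key_type }}:
  cmd.run:
    # -N '' : sshd cannot open a passphrase-protected host key at start-up.
    # `creates` keeps the state idempotent, so an existing key is never
    # regenerated (clients would otherwise see a host key mismatch).
    - name: ssh-keygen -q -t {{ key_type }} -N '' -f {{ key_dir }}/ssh_host_{{ key_type }}_key
    - creates: {{ key_dir }}/ssh_host_{{ key_type }}_key
    - require:
      - pkg: openssh
    # The key must exist before sshd_config's check_cmd validates the file.
    - require_in:
      - file: sshd_config

sshd_host_key_{{ key_type }}_perms:
  file.managed:
    - name: {{ key_dir }}/ssh_host_{{ key_type }}_key
    - replace: False
    - user: root
    - group: root
    - mode: '0600'
    - require:
      - cmd: sshd_host_key_{{ key_type }}
{%- endfor %}

sshd_config:
  file.managed:
    - name: {{ key_dir }}/sshd_config
    - source: salt://openssh/files/sshd_config
    - template: jinja
    - user: root
    - group: root
    - mode: '0644'
    # Salt appends the path of the temporary file; sshd -t -f <file> validates
    # the config and tries to load every HostKey it names.
    - check_cmd: /usr/bin/sshd -t -f
    - require:
      - pkg: openssh
```

In the output pasted above, each "Could not load host key" line is only a warning; the fatal line is "no hostkeys available", so sshd -t needs at least one loadable key, not every type the config lists. Generating the keys out of band like this, rather than starting sshd once with the package's default sshd_config, also avoids the window alxwr is reluctant about, in which an unreviewed vendor configuration is briefly listening.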

stooj commented 5 years ago

Sorry for the delay, I was away.

I will give this a try over the weekend.

stooj commented 5 years ago

I take long weekends, apparently.

@alxwr I tried adding those keys to my pillar data, and that solved the issue. :+1:

Sorry it took so long to get back to you; I let this slip by.

alxwr commented 5 years ago

@stooj don't be sorry. I take looooong weekends too. :-) (Paid work does not always coincide with FLOSS work.)

alxwr commented 5 years ago

(@stooj Thanks for setting a good example and replying back what solved your issue.)

This is @stooj. @stooj tells people what solved the issue. Be like @stooj.