Node setup: auto-store ticket salt
... not to have to run daemon -C after node wizard before pki ticket.
pki ticket requires TicketSalt. It reads it from a file daemon -C writes. I.e. I have to run daemon -C after node wizard before I can run pki ticket. This change lets pki ticket write TicketSalt by itself.
fixes #8072 closes #8070
Before
➜ icinga2 git:(master) prefix/sbin/icinga2 node setup --master
information/cli: Checking in existing certificates for common name 'alexanders-mbp.int.netways.de'...
information/cli: Certificates not yet generated. Running 'api setup' now.
information/cli: Generating new CA.
information/base: Writing private key to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/ca//ca.key'.
information/base: Writing X509 certificate to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/ca//ca.crt'.
information/cli: Generating new CSR in '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//alexanders-mbp.int.netways.de.csr'.
information/base: Writing private key to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//alexanders-mbp.int.netways.de.key'.
information/base: Writing certificate signing request to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//alexanders-mbp.int.netways.de.csr'.
information/cli: Signing CSR with CA and writing certificate to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//alexanders-mbp.int.netways.de.crt'.
information/pki: Writing certificate to file '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//alexanders-mbp.int.netways.de.crt'.
information/cli: Copying CA certificate to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//ca.crt'.
information/cli: Generating master configuration for Icinga 2.
information/cli: Adding new ApiUser 'root' in '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/conf.d/api-users.conf'.
information/cli: Reading '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/icinga2.conf'.
information/cli: Enabling the 'api' feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Generating zone and object configuration.
information/cli: Dumping config items to file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/zones.conf'.
information/cli: Created backup file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/zones.conf.orig'.
information/cli: Updating the APIListener feature.
information/cli: Created backup file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/features-available/api.conf.orig'.
information/cli: Updating 'NodeName' constant in '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf'.
information/cli: Created backup file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf.orig'.
information/cli: Updating 'ZoneName' constant in '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf'.
information/cli: Backup file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf.orig' already exists. Skipping backup.
information/cli: Updating 'TicketSalt' constant in '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf'.
information/cli: Backup file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf.orig' already exists. Skipping backup.
information/cli: Edit the api feature config file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/features-available/api.conf' and set a secure 'ticket_salt' attribute.
information/cli: Make sure to restart Icinga 2.
➜ icinga2 git:(master) prefix/sbin/icinga2 pki ticket --cn lolcat
critical/cli: Ticket salt (--salt) must be specified.
➜ icinga2 git:(master)
After
➜ icinga2 git:(feature/node-setup-auto-store-ticket-salt-8072) prefix/sbin/icinga2 node setup --master
information/cli: Checking in existing certificates for common name 'alexanders-mbp.int.netways.de'...
information/cli: Certificates not yet generated. Running 'api setup' now.
information/cli: Generating new CA.
information/base: Writing private key to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/ca//ca.key'.
information/base: Writing X509 certificate to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/ca//ca.crt'.
information/cli: Generating new CSR in '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//alexanders-mbp.int.netways.de.csr'.
information/base: Writing private key to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//alexanders-mbp.int.netways.de.key'.
information/base: Writing certificate signing request to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//alexanders-mbp.int.netways.de.csr'.
information/cli: Signing CSR with CA and writing certificate to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//alexanders-mbp.int.netways.de.crt'.
information/pki: Writing certificate to file '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//alexanders-mbp.int.netways.de.crt'.
information/cli: Copying CA certificate to '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/certs//ca.crt'.
information/cli: Generating master configuration for Icinga 2.
information/cli: Adding new ApiUser 'root' in '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/conf.d/api-users.conf'.
information/cli: Reading '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/icinga2.conf'.
information/cli: Enabling the 'api' feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Generating zone and object configuration.
information/cli: Dumping config items to file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/zones.conf'.
information/cli: Created backup file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/zones.conf.orig'.
information/cli: Updating the APIListener feature.
information/cli: Created backup file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/features-available/api.conf.orig'.
information/cli: Updating 'NodeName' constant in '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf'.
information/cli: Created backup file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf.orig'.
information/cli: Updating 'ZoneName' constant in '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf'.
information/cli: Backup file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf.orig' already exists. Skipping backup.
information/cli: Updating 'TicketSalt' constant in '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf'.
information/cli: Backup file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/constants.conf.orig' already exists. Skipping backup.
information/cli: Edit the api feature config file '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/features-available/api.conf' and set a secure 'ticket_salt' attribute.
information/cli: Make sure to restart Icinga 2.
➜ icinga2 git:(feature/node-setup-auto-store-ticket-salt-8072) prefix/sbin/icinga2 pki ticket --cn lolcat
afddb0349477dc23d35ea776e6eb26599407c424
➜ icinga2 git:(feature/node-setup-auto-store-ticket-salt-8072)
@cla-bot check
@julianbrost I prefer this PR in favor of the OP-closes one. And you?
> This change lets pki ticket write TicketSalt by itself.
But also any other constant, not just TicketSalt. This PR simply appends every single constant to the stream. For example, if you update a variable multiple times, it will be written twice with two different values. So I would not change this at all, as every Icinga 2 CLI command outputs explicitly if an icinga2 daemon -C is needed and users are already used to it.