...
Internal Ports (between Backend Servers): Trusted Network segment
8000 : Salt-API Server - exchanges data with the CH Server.
9094 : Kapacitor - exchanges data with InfluxDB.
Intermediate Ports (Agent ↔︎ Backend Server): Semi-Trusted Network segment
Warning:
The ports below are used for communication with the monitored hosts (MO: Managed Objects). Except for port 443, they can become a security exposure, so an ACL policy by source IP or address range should be applied. You can use a firewalld filter as in the example configuration below, or use tcp_wrappers and set the ACL in hosts.allow and hosts.deny. (Configuring tcp_wrappers is not covered here; if needed, the usage is easily found with an internet search.)
Below is an example firewalld configuration file. If a separate physical security appliance is used instead, configure its ACLs to match the purposes and contents described above.
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/firewalld/zones/public.xml -->
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="xxx.xxx.xxx.0/24"/>
    <port protocol="tcp" port="4505-4506"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="xxx.xxx.xxx.xxx"/>
    <port protocol="tcp" port="8000"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="xxx.xxx.xxx.xxx"/>
    <port protocol="tcp" port="8086"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="xxx.xxx.xxx.xxx"/>
    <port protocol="tcp" port="9094"/>
    <accept/>
  </rule>
</zone>
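As an added example (not part of the original page), the following Python script audits a zone file against the rule above: any port other than 443 that is opened at zone level, or accepted by a rule without a source, is reported as exposed. The sample zone inside it is constructed and deliberately leaves 8086 without an ACL.

```python
"""Audit a firewalld zone file against the rule stated above: apart from
443, every port must be opened only inside a rich <rule> that carries a
<source>, never as a zone-level <port> reachable from any source.
Added example; the sample zone is constructed and exposes one port."""
import xml.etree.ElementTree as ET

PUBLIC_OK = {"443"}  # ports that may face any source in this zone


def audit_zone(xml_text):
    """Return (exposed, acl_rules).
    exposed:   port specs reachable from any source, other than PUBLIC_OK
    acl_rules: (source, port_spec) pairs for rules restricted by source
    """
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")  # keeps the encoding declaration valid
    zone = ET.fromstring(xml_text)
    exposed, acl_rules = [], []
    for port in zone.findall("port"):  # direct children: open to everyone
        spec = port.get("port", "")
        if spec not in PUBLIC_OK:
            exposed.append(spec)
    for rule in zone.findall("rule"):
        if rule.find("accept") is None:
            continue  # drop/reject rules expose nothing
        src = rule.find("source")
        for port in rule.findall("port"):
            spec = port.get("port", "")
            if src is None:
                exposed.append(spec)  # accept without a source = any source
            else:
                acl_rules.append((src.get("address"), spec))
    return exposed, acl_rules


# Constructed zone: 8086 is opened at zone level (no ACL), 4505-4506 is done right.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="8086"/>
  <rule family="ipv4">
    <source address="10.0.0.0/24"/>
    <port protocol="tcp" port="4505-4506"/>
    <accept/>
  </rule>
</zone>
"""
```

Running audit_zone over /etc/firewalld/zones/public.xml after editing gives a quick confirmation that only 443 is left open to all sources.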
...
Note:
If the host has multiple interfaces, set this to the IP of the network interface that the Salt-Minions can reach. e.g. interface: 61.254.65.58. Setting it to any (0.0.0.0) as in the example below does not break master ↔︎ minion communication, but the CloudHub UI may then display an unwanted IP. root_dir must be specified so that the automatically generated byproduct files are isolated inside the virtual environment. Make sure the configuration file below, comments included, contains no 2-byte characters other than English (e.g. Korean, Japanese, Chinese).
## log_level ##
# One of 'garbage', 'trace', 'debug', 'info', 'warning'(default), 'error', 'critical'.
log_level: info
root_dir: /opt/miniconda3/envs/saltenv/master

##### Primary configuration settings #####
##########################################
# The address of the interface to bind to:
interface: x.x.x.x
# The tcp port used by the publisher:
publish_port: 4505
# Allow minions to push files to the master. This is disabled by default, for
# security purposes.
# file_recv: True

##### State System settings #####
##########################################
# The state system uses a "top" file to tell the minions what environment to
# use and what modules to use. The state_top file is defined relative to the
# root of the base environment as defined in "File Server settings" below.
state_top: top.sls

##### File Server settings #####
##########################################
# Salt runs a lightweight file server written in zeromq to deliver files to
# minions. This file server is built into the master daemon and does not
# require a dedicated port.
# The file server works on environments passed to the master, each environment
# can have multiple root directories, the subdirectories in the multiple file
# roots cannot match, otherwise the downloaded files will not be able to be
# reliably ensured. A base environment is required to house the top file.
file_roots:
  base:
    - /srv/salt/prod
# File Server Backend
#
# Salt supports a modular fileserver backend system, this system allows
# the salt master to link directly to third party systems to gather and
# manage the files available to minions. Multiple backends can be
# configured and will be searched for the requested file in the order in which
# they are defined here. The default setting only enables the standard backend
# "roots" which uses the "file_roots" option.
fileserver_backend:
  - roots

##### Security settings #####
##########################################
# The external auth system uses the Salt auth modules to authenticate and
# validate users to access areas of the Salt system.
external_auth:
  pam:
    saltdev:
      - .*
      - '@runner'
      - '@wheel'
      - '@jobs'
# Allow eauth users to specify the expiry time of the tokens they generate.
# A boolean applies to all users or a dictionary of whitelisted eauth backends
# and usernames may be given.
token_expire_user_override:
  pam:
    - saltdev

##### API Server settings #####
##########################################
rest_cherrypy:
  port: 8887
  ssl_crt: /usr/lib/cloudhub/key/cloudhub_self_signed.crt
  ssl_key: /usr/lib/cloudhub/key/cloudhub_self_signed.key
rest_cherrypy_ssl: True
...
Warning:
Do not use a path of the form /opt/miniconda3/minion/etc/salt/minion.d/minion.conf.
In that case, when salt-minion is run, _schedule.conf is created under /minion/etc/salt/minion.d instead of /opt/miniconda3/minion/etc/salt/minion.d.
Note:
root_dir must be specified so that the automatically generated byproduct files are isolated inside the virtual environment. Make sure the configuration file below, comments included, contains no 2-byte characters other than English (e.g. Korean, Japanese, Chinese).
Config path:
$ mkdir -p /opt/miniconda3/envs/saltenv/minion/etc/salt && vim /opt/miniconda3/envs/saltenv/minion/etc/salt/minion
## log_level ##
# One of 'garbage', 'trace', 'debug', 'info', 'warning'(default), 'error', 'critical'.
log_level: info
root_dir: /opt/miniconda3/envs/saltenv/minion
master: <master ip address>
id: <unique minion id; if omitted, the hostname is used as the minion id>
Create the account and set its password
Note:
The password for the saltdev account added below is used later to obtain a pam_token for salt-api authentication, so be sure to remember it.
$ useradd saltdev
$ passwd saltdev
Changing password for user saltdev.
New password:
...
$ vim /etc/systemd/system/multi-user.target.wants/cloudhub.service
[Unit]
After=network-online.target
[Service]
User=root
Group=root
Environment="HOST=0.0.0.0"
Environment="PORT=8888"
Environment="TLS_CERTIFICATE=/usr/lib/cloudhub/key/cloudhub_self_signed.pem"
#Environment="TLS_PRIVATE_KEY=my.key"
Environment="BOLT_PATH=/var/lib/cloudhub/cloudhub-v1.db"
#Environment="ETCD_ENDPOINTS={ETCD_CLIENT_IP}:2379"
Environment="CANNED_PATH=/usr/share/cloudhub/cloudhub-canned"
Environment="PROTOBOARDS_PATH=/usr/share/cloudhub/cloudhub-protoboards"
EnvironmentFile=-/etc/default/cloudhub
ExecStart=/usr/bin/cloudhub $CLOUDHUB_OPTS
KillMode=control-group
Restart=on-failure
[Install]
WantedBy=multi-user.target
Issuing the localhost certificate (cloudhub_self_signed.pem)
$ cd /usr/lib/cloudhub/key/
$ openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout cloudhub_self_signed.pem -out cloudhub_self_signed.pem -subj "/CN=localhost" -days 365
$ openssl rsa -in cloudhub_self_signed.pem -text > cloudhub_self_signed.key
$ openssl x509 -inform PEM -in cloudhub_self_signed.pem -out cloudhub_self_signed.crt
<salt_token> issuance
/wiki/spaces/CM/pages/254050538
If you do not have permission to access the page above, contact the Snetsystems CloudHub team to obtain the token, then enter it in item 4 below, -k=salt:<salt_token>.
$ vim /etc/default/cloudhub
CLOUDHUB_OPTS="-l=debug \
--auth-duration=0 \
-t=74c1e9e2450886060b5bf736b935cd0bf960837f \
-i=any \
-s=any \
-u=salt:https://{salt-master-ip}:8000/run \
-k=salt:<salt_token> \
-u=vsphere:on \
-u=aws:on \
-u=k8s:on \
-u=salt-env-path:/opt/miniconda3/envs/saltenv/master \
--login-auth-type=basic \
--password-policy='(?=.*[0-9]{1,50})(?=.*[~`!@#$%\\^&*()-+=]{1,50})(?=.*[a-zA-Z]{2,50}).{8,50}$' \
--password-policy-message='Enter at least 8 digits using at least 1 number and at least 1 special sentence, and at least 2 English characters.' \
--mail-subject='[Notifiy] $user_id Password is reset' \
--mail-body-message='Reset OTP for $user_id is '$user_pw'.<br>Do not forget this!<br>This OTP will use just once when login into cloudhub.<br>Then you must set up the new password' \
--kapacitor-url=http://{Kapacitor_IP}:9094 \
--influxdb-url=http://{InfluxDB_IP}:8086 \
--retry-policy=count:3 \
--retry-policy=delaytime:5 \
--retry-policy=type:delay"
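Added example, not CloudHub project code: the --password-policy regex above checked with Python's re module, assuming CloudHub applies it anchored at the start of the password. It shows one subtlety of this pattern: [a-zA-Z]{2,50} requires two adjacent letters, so a password whose letters are all separated by digits is rejected even though the message only asks for two English characters.

```python
"""Check candidate passwords against the --password-policy regex above.
Added example, not from the CloudHub project; it assumes the policy is
applied anchored at the start of the password (re.match)."""
import re

# Copied from the CLOUDHUB_OPTS line. Inside the shell's single quotes, \\^ is
# a literal backslash followed by ^, so the class allows both characters.
PASSWORD_POLICY = (
    r"(?=.*[0-9]{1,50})"
    r"(?=.*[~`!@#$%\\^&*()-+=]{1,50})"
    r"(?=.*[a-zA-Z]{2,50})"
    r".{8,50}$"
)
_POLICY_RE = re.compile(PASSWORD_POLICY)


def password_ok(candidate: str) -> bool:
    """True when every lookahead holds and the length is 8 to 50 characters."""
    return _POLICY_RE.match(candidate) is not None


def explain(candidate: str) -> dict:
    """Per-requirement breakdown, useful when a user reports a rejection."""
    return {
        "digit": re.search(r"[0-9]", candidate) is not None,
        "special": re.search(r"[~`!@#$%\\^&*()-+=]", candidate) is not None,
        # The policy wants two *adjacent* letters, not two letters anywhere.
        "two_adjacent_letters": re.search(r"[a-zA-Z]{2}", candidate) is not None,
        "length_8_to_50": 8 <= len(candidate) <= 50,
    }
```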
...
The "Retention Policy Duration" guidance at https://seversky.atlassian.net/wiki/spaces/CSHD/pages/248676461/Looking+around#InfluxDB must be followed.