
Packer Salt Master FIPS Notes

Check for FIPS:

    cat /proc/sys/crypto/fips_enabled
    1

  • Latest in test: MSOC_RedHat_Master_201909301534
  • Latest in prod: MSOC_RedHat_Master_201907012051

Move the provisioning script terraform/02-msoc_vpc/conf/provision_salt_master.sh into the Packer template packer/rhel7_hardened_saltmaster_ami.json.

Fetch the salt-master SSH key from Secrets Manager:

    AWS_PROFILE=mdr-test aws secretsmanager get-secret-value --secret-id saltmaster/ssh_key --query SecretString --output text

Build error (the provisioning script fails on an unterminated double quote at line 56):

    ==> master: + sudo firewall-cmd --permanent --zone=public --add-port=4505-4506/tcp
        master: success
    ==> master: + sudo firewall-cmd --reload
    ==> master: + sudo systemctl enable salt-master
        master: success
    ==> master: Created symlink from /etc/systemd/system/multi-user.target.wants/salt-master.service to /usr/lib/systemd/system/salt-master.service.
    ==> master: /home/centos/script_7740.sh: line 56: unexpected EOF while looking for matching `"'
    ==> master: Provisioning step had errors: Running the cleanup provisioner, if present...
    ==> master: Terminating the source AWS instance...

Test instance: packer_5e700a93-aa62-0731-0405-1488fc6aa8

PROD Steps

  1. Document the salt keys currently accepted, so it can be verified that they all come back.
  2. Power off salt-master.
  3. Create a snapshot of the salt-master EBS volume.
  4. Check the TF plan.
  5. Terminate salt-master.
  6. Use TF to re-create salt-master.
  7. Log into salt-master via the bastion with the msoc_build key.
  8. Wait for the cloud-init scripts to finish running.
  9. Wait for state.highstate to finish running (a solid 15 minutes).
  10. Verify the cloud-init scripts completed successfully: check /var/lib/cloud/instance/scripts/part-002.
  11. Ensure vault.conf is not messed up and breaking the pillars.
  12. If needed, run the salt_master state like this:

    salt-call state.sls salt_master
    salt 'salt*' pillar.item my-pillar
    salt-call state.sls os_modifications.ssh_motd
    salt-call state.sls os_modifications.ssh_banner
    salt-call state.sls sensu_agent

  13. Clean up SFT and remove the old salt-master.
  14. Restart local minions via SSM/SSH.
  15. Pop nodes should reconnect to the elastic IP of the salt master (no DNS issue).
  16. Via SSM, run `systemctl restart salt-minion`.

"Missing" minions: github-enterprise-0, qualys_scanner, qualys_scanner_2
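Added example (not from the original notes) tying step 1 to the missing-minions check: save `salt-key -L` output on the old master before powering it off, save it again on the rebuilt master after highstate, and diff the accepted keys to list minions that did not come back. The file names and the sample minion names other than those above are assumed.

```shell
#!/bin/sh
# Added example, not from the original notes: diff the minion keys the old
# salt-master had accepted (step 1) against those on the rebuilt master,
# to spot minions that did not reconnect.
export LC_ALL=C   # stable sort order for sort(1)/comm(1)

# Print the names under "Accepted Keys:" in `salt-key -L` output, ignoring
# the Denied/Unaccepted/Rejected sections, sorted for comm(1).
accepted_keys() {
    awk '/^Accepted Keys:$/ { on = 1; next }
         /Keys:$/           { on = 0 }
         on && NF           { print $1 }' "$1" | sort
}

# Print minion ids accepted before the rebuild but absent afterwards.
# Usage: missing_minions keys-before.txt keys-after.txt
missing_minions() {
    after_tmp=$(mktemp)
    accepted_keys "$2" > "$after_tmp"
    accepted_keys "$1" | comm -23 - "$after_tmp"
    rm -f "$after_tmp"
}

# Constructed sample salt-key -L output; a minion that only shows up under
# "Unaccepted Keys:" on the new master still counts as missing.
demo_missing() {
    before=$(mktemp); after=$(mktemp)
    cat > "$before" <<'EOF'
Accepted Keys:
salt-master
pop-node-1
github-enterprise-0
qualys_scanner
qualys_scanner_2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
EOF
    cat > "$after" <<'EOF'
Accepted Keys:
salt-master
pop-node-1
Denied Keys:
Unaccepted Keys:
github-enterprise-0
Rejected Keys:
EOF
    missing_minions "$before" "$after"
    rm -f "$before" "$after"
}
```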