saltsshpush methods: lack of reverse tunnel (#3367) (#3383)
* lack of reverse tunnel
SUSE/spacewalk#25534
* clarify inside/outside container (per feedback)
keichwa authored Oct 23, 2024
1 parent 2d95859 commit 4eb7e43
Showing 3 changed files with 44 additions and 25 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,5 @@
- Fixed SSH Push and SSH Push (with tunnel) contact method sections in
Client Configuration Guide
- Added missing architecture to Installation and Upgrade Guide
(bsc#1230670)
- Corrected command for containerized proxy in Installation and Upgrade
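Review bot: the new CHANGELOG entry carries no tracker reference, although the commit message cites SUSE/spacewalk#25534 and the neighbouring entry ends in a reference such as (bsc#1230670); append the reference to the entry so the fix can be traced from the changelog the way the other entries can.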
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,12 @@ SSH Push (with tunnel) ([literal]``ssh-push-tunnel``) is used in environments wh
In this environment, clients are located in a firewall-protected zone called a DMZ.
No system within the DMZ is authorized to open a connection to the internal network, including the {productname} Server.

This SSH method creates an encrypted tunnel from the {productname} Server on the internal network to the clients located on the DMZ.
After all actions and events are executed, the tunnel is closed.
// CHECKIT: Maybe, we can delete the following sentence. It is already
// described in the second "important" admonition
In other words: SSH Push (with tunnel) also creates a reverse tunnel from the client to the {productname} Server, not only from the server to the client.

The server uses SSH to contact the clients at regular intervals, checking in and performing scheduled actions and events.


[IMPORTANT]
====
Re-installing systems using the provisioning model is not currently supported on clients managed with SSH Push.
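Review bot: the `// CHECKIT` comment left in front of the new sentence is an open question and should be resolved before merging rather than shipped in the source. The sentence itself is worth keeping, since the commit's whole point is the reverse tunnel, but "In other words:" is the wrong lead-in: the preceding sentence describes only the server-to-client tunnel, so this sentence adds the reverse direction instead of restating it. Suggest "SSH Push (with tunnel) also creates a reverse tunnel from the client to the {productname} Server, so the connection works in both directions." and drop the comment.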
Expand All @@ -26,25 +26,36 @@ In other words, access is only possible if the session is initiated by the serve
All package managing operations on the client can be performed from the server side only.
====


[IMPORTANT]
====
Use [literal]``mgrctl term`` before running steps inside the server container.
====

For tunneling connections via SSH, a port number is required for tunneling via HTTPS.
The port number used by default is `1233`.
To overwrite it, you can add a custom port numbers greater than 1024 to [path]``/etc/rhn/rhn.conf``:
The port number used by default is [literal]``1233``.
To overwrite it, inside the container, you can add a custom port numbers greater than 1024 to [path]``/etc/rhn/rhn.conf``:

----
ssh_push_port_https = high_port
----

After changing this configuration parameter you must restart services
such as [systemitem]``salt-secrets-config.service``,
[systemitem]``tomcat.service``, and
[systemitem]``taskomatic.service``. To cover all needed services, it
is the best to restart [command]``spacewalk-service`` as root:
After changing this configuration parameter you must restart services such as [systemitem]``salt-secrets-config.service``, [systemitem]``tomcat.service``, and
[systemitem]``taskomatic.service``.
To cover all needed services, it is the best to restart the {productname} Server as root.
Outside of the container, from the container host, enter:

----
spacewalk-service restart
mgradm restart
----


////
[IMPORTANT]
====
Use [literal]``mgrctl term`` before running steps inside the server container.
====
////

For security reasons, you might want to use sudo with SSH, to access the system as an unprivileged user instead of as root.

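Review bot: the block wrapped in `////` ... `////` is a commented-out copy of the [IMPORTANT] admonition that now sits before the [path]``/etc/rhn/rhn.conf`` step; delete it instead of leaving dead text in the source, the old position is in git history anyway. The rewritten line also keeps the number disagreement from the original, "add a custom port numbers greater than 1024", which should read "add a custom port number greater than 1024", and "it is the best to restart" should be "it is best to restart". Consider writing the listing's placeholder as `<high_port>` to match the `<user>` placeholder used later in the same file.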
Expand All @@ -70,25 +81,24 @@ When the client is successfully installed it runs with root privileges, so the a
We recommend that you remove the line from the [path]``sudoers`` file after the client has been successfully installed.
====

. On the {productname} Server, in the [path]``/etc/rhn/rhn.conf`` configuration file, add or amend this line to include the unprivileged username:
. Inside the {productname} Server container, edit the [path]``/etc/rhn/rhn.conf`` configuration file, and add or amend this line to include the unprivileged username:
+
----
ssh_push_sudo_user = <user>
----


After changing this configuration parameter you must restart services
such as [systemitem]``salt-secrets-config.service``,
[systemitem]``tomcat.service``, and
[systemitem]``taskomatic.service``. To cover all needed services, it
is the best to restart [command]``spacewalk-service`` as root:
After changing this configuration parameter you must restart services such as [systemitem]``salt-secrets-config.service``, [systemitem]``tomcat.service``, and
[systemitem]``taskomatic.service``.
To cover all needed services, it is the best to restart the {productname} Server as root.
Outside of the container, from the container host, enter:


----
spacewalk-service restart
mgradm restart
----



You need to use the {webui} or API to register these clients with the {productname} Server.


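Review bot: the restart paragraph and the `mgradm restart` listing in this hunk are a verbatim copy of the block earlier in the same file (and of the one in contact-methods-saltssh.adoc); an AsciiDoc include of one shared snippet would keep the copies from drifting, which they already do in whitespace. "it is the best to restart" should read "it is best to restart", and the run of three blank lines after the listing should be one.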
19 changes: 13 additions & 6 deletions modules/client-configuration/pages/contact-methods-saltssh.adoc
Expand Up @@ -6,6 +6,11 @@ SSH Push ([literal]``ssh-push``) is used in environments where Salt clients cann
In this environment, clients are located in a firewall-protected zone called a DMZ.
No system within the DMZ is authorized to open a connection to the internal network where the {productname} Server is located.

SSH Push opens a tunnel only from {productname} to the client, but the reverse channel goes directly.
Such a scenario might not work everywhere.
Therefore also SSH Push (with tunnel) is available as contact method.
That also opens a reverse tunnel and thus you can communicate through all firewalls which otherwise might block the connection from client to server.

SSH Push is also to use if installing a daemon agent on clients is not possible.

[WARNING]
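Review bot: the new paragraph is hard to follow: "the reverse channel goes directly" does not say what the reverse channel is or where it goes, and "Therefore also SSH Push (with tunnel) is available as contact method" is not idiomatic. Suggest: "SSH Push opens a tunnel only from the {productname} Server to the client; the client answers over a direct connection back to the server. Where a firewall blocks that direction, use SSH Push (with tunnel), which also opens a reverse tunnel from the client to the server." Also write "{productname} Server" rather than bare "{productname}", to match the preceding line.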
Expand Down Expand Up @@ -75,6 +80,10 @@ These parameters are configured in menu:Systems[Bootstrapping].
You can also configure persistent parameters that are used system-wide, including the sudo user to access the system as an unprivileged user instead of as root.


[IMPORTANT]
====
Use [literal]``mgrctl term`` before running steps inside the server container.
====

.Procedure: Configuring unprivileged SSH access
. Ensure you have the latest [path]``spacewalk-taskomatic`` and [path]``spacewalk-certs-tools`` packages installed on the {productname} Server.
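Review bot: the new [IMPORTANT] admonition tells the reader to use [literal]``mgrctl term`` before steps inside the server container, but step 1 of the procedure (ensuring the [path]``spacewalk-taskomatic`` and [path]``spacewalk-certs-tools`` packages are installed on the Server) does not say whether it runs inside the container or on the host, while the later rhn.conf step explicitly says "Inside the {productname} Server container"; label step 1 the same way so the admonition has something to point at.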
Expand All @@ -98,18 +107,16 @@ When the client is successfully installed it runs with root privileges, so the a
We recommend that you remove the line from the [path]``sudoers`` file after the client has been successfully installed.
====

. On the {productname} Server, in the [path]``/etc/rhn/rhn.conf`` configuration file, add or amend this line to include the unprivileged username:
. Inside the {productname} Server container, edit the [path]``/etc/rhn/rhn.conf`` configuration file, and add or amend this line to include the unprivileged username:
+
----
ssh_push_sudo_user = <user>
----


After changing this configuration parameter you must restart services
such as [systemitem]``salt-secrets-config.service``,
[systemitem]``tomcat.service``, and
[systemitem]``taskomatic.service``.
To cover all needed services, it is the best to restart the {productname} Server as root:
After changing this configuration parameter you must restart services such as [systemitem]``salt-secrets-config.service``, [systemitem]``tomcat.service``, and [systemitem]``taskomatic.service``.
To cover all needed services, it is the best to restart the {productname} Server as root.
Outside of the container, from the container host, enter:

----
mgradm restart
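Review bot: the restart paragraph in this hunk is the third near-identical copy across the two changed files (the other two differ only in where the line break falls); factor it into a shared include rather than editing three places on every change. "it is the best to restart" should read "it is best to restart", and the two blank lines before the paragraph should be one.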