
Maintenance tunnel

For the occasions when you need a reverse SSH tunnel.

Preparation on the host that serves as the tunnel endpoint, e.g. the Salt master:

mkdir /srv/salt/mtunnel
useradd -m -r -d /var/lib/mtunnel mtunnel
mkdir /var/lib/mtunnel/.ssh
ssh-keygen -q -t ed25519 -N "" -f /var/lib/mtunnel/.ssh/id_ed25519 -C "mtunnel@salt-master.local"
cp /var/lib/mtunnel/.ssh/id_ed25519.pub /var/lib/mtunnel/.ssh/authorized_keys
cp /var/lib/mtunnel/.ssh/id_ed25519 /srv/salt/mtunnel/
chown -R mtunnel:mtunnel /var/lib/mtunnel/
chmod 0700 /var/lib/mtunnel/.ssh
chmod 0600 /var/lib/mtunnel/.ssh/*
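The private key copied into /srv/salt/mtunnel/ above is served by the Salt file server to every authenticated minion, so the endpoint should accept that key for nothing but the one reverse forward the tunnel needs. The following shell snippet is an added example and not part of the original page: it builds a locked-down authorized_keys line from the OpenSSH `restrict`, `port-forwarding` and `permitlisten` key options (OpenSSH 7.8 or newer on the endpoint is assumed) and checks the file mode sshd insists on. The sample public-key line is constructed and not a real key; `write_restricted_authorized_keys` takes the paths as parameters instead of assuming the /var/lib/mtunnel layout, so it can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the original page): lock the mtunnel key down on
# the tunnel endpoint so it can only open the one reverse forward it needs.
# Assumes OpenSSH >= 7.8 on the endpoint ("restrict" and "permitlisten").

# Build an authorized_keys line from a port ($1) and a public-key line ($2).
# restrict        -> no pty, no agent/X11 forwarding, no user rc, no extras
# port-forwarding -> re-enable forwarding, which restrict turned off
# permitlisten    -> an -R forward may only bind this port on the endpoint
restricted_authorized_key() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# Replace an authorized_keys file with one restricted entry.
# $1 = port, $2 = public key file (e.g. id_ed25519.pub), $3 = authorized_keys path
write_restricted_authorized_keys() {
    restricted_authorized_key "$1" "$(cat "$2")" > "$3" &&
    chmod 0600 "$3"
}

# Print "ok" when a key file has mode 0600, otherwise the mode sshd would
# reject. Uses GNU stat -c; BSD stat would need -f '%Lp' instead.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo missing; return 1; }
    [ "$mode" = 600 ] && echo ok || { echo "$mode"; return 1; }
}

# Constructed sample public-key line (not a real key) used for the demo.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYNOTREAL0000000000000000000000000 mtunnel@salt-master.local'

# Demo in a scratch directory standing in for /var/lib/mtunnel/.ssh
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PUBKEY" > "$dir/id_ed25519.pub"
    write_restricted_authorized_keys 2222 "$dir/id_ed25519.pub" "$dir/authorized_keys"
    cat "$dir/authorized_keys"          # the restricted line
    key_mode_ok "$dir/authorized_keys"  # ok
    rm -rf "$dir"
}
```

On the real endpoint, run `write_restricted_authorized_keys 2222 /var/lib/mtunnel/.ssh/id_ed25519.pub /var/lib/mtunnel/.ssh/authorized_keys` in place of the plain `cp` from the preparation steps; the port must match the `port` value later set in the minion's pillar, otherwise sshd refuses the forward and `ExitOnForwardFailure=yes` makes the service exit.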
/srv/salt/mtunnel/init.sls
#
# Create the mtunnel user and group
#
mtunnel:
  group.present: []
  user.present:
    - fullname: Maintenance SSH Reverse Tunnel
    - shell: /usr/sbin/nologin
    - home: /var/lib/mtunnel
    - createhome: true
    - system: true
    - groups:
      - mtunnel
    - require:
      - group: mtunnel

ssh-dir:
  file.directory:
    - name: /var/lib/mtunnel/.ssh
    - user: mtunnel
    - group: mtunnel
    - mode: 0700
    - require:
      - user: mtunnel

#
# Deploy a pre-generated private key from the salt-master
# (show_changes: False keeps the key material out of the state output)
#
priv-key:
  file.managed:
    - name: /var/lib/mtunnel/.ssh/id_ed25519
    - source: salt://mtunnel/id_ed25519
    - user: mtunnel
    - group: mtunnel
    - mode: 0600
    - show_changes: False
    - require:
      - file: ssh-dir

#
# Create a default config read later by systemd
#
mtunnel-default:
  file.managed:
    - name: /etc/default/mtunnel.conf
    - mode: 0644
    - require:
      - file: priv-key
    - contents: |
        PORT={{ pillar['mtunnel']['port'] }}
        HOST={{ pillar['mtunnel']['host'] }}

mtunnel-service-file:
  file.managed:
    - name: /etc/systemd/system/mtunnel.service
    - require:
      - file: mtunnel-default
    - contents: |
        [Unit]
        Description=Create a reverse SSH Tunnel for maintenance
        After=network.target

        [Service]
        EnvironmentFile=/etc/default/mtunnel.conf
        ExecStart=/usr/bin/ssh -NT \
          -o ServerAliveInterval=60 \
          -o StrictHostKeyChecking=no \
          -o ExitOnForwardFailure=yes \
          -R ${PORT}:localhost:22 ${HOST}
        RestartSec=5
        Restart=always
        User=mtunnel
        Group=mtunnel

        [Install]
        WantedBy=multi-user.target

#
# Keep the tunnel stopped and disabled; it is started by hand when needed
#
mtunnel.service:
  service.dead:
    - enable: False
    - require:
      - file: mtunnel-service-file

{% if pillar['mtunnel']['http_proxy'] is defined %}
#
# Reach the endpoint through an HTTP CONNECT proxy using corkscrew
#
corkscrew:
  pkg.installed: []

{% if pillar['mtunnel']['http_proxy_user'] is defined %}
# Proxy credentials; file.managed needs an absolute path (no ~ expansion),
# and the file must only be readable by the tunnel user
cork-auth:
  file.managed:
    - name: /var/lib/mtunnel/.ssh/cork.auth
    - user: mtunnel
    - group: mtunnel
    - mode: 0600
    - show_changes: False
    - contents: {{ (pillar['mtunnel']['http_proxy_user'] ~ ':' ~ pillar['mtunnel']['http_proxy_password']) | yaml_encode }}
    - require:
      - file: ssh-dir

ssh-conf:
  file.managed:
    - name: /var/lib/mtunnel/.ssh/config
    - user: mtunnel
    - group: mtunnel
    - mode: 0600
    - contents: |
        Host *
            ProxyCommand /usr/bin/corkscrew {{ pillar['mtunnel']['http_proxy'] }} {{ pillar['mtunnel']['http_proxy_port'] }} %h %p /var/lib/mtunnel/.ssh/cork.auth
    - require:
      - file: cork-auth
      - pkg: corkscrew
{% else %}
ssh-conf:
  file.managed:
    - name: /var/lib/mtunnel/.ssh/config
    - user: mtunnel
    - group: mtunnel
    - mode: 0600
    - contents: |
        Host *
            ProxyCommand /usr/bin/corkscrew {{ pillar['mtunnel']['http_proxy'] }} {{ pillar['mtunnel']['http_proxy_port'] }} %h %p
    - require:
      - file: ssh-dir
      - pkg: corkscrew
{% endif %}
{% endif %}

Example pillar (host-specific, file_tree type)

/srv/pillar/hosts/minion1/mtunnel
host: 192.168.3.136
port: 2222
http_proxy: 192.168.3.136
http_proxy_port: 8888

Prepare and start the tunnel

salt minion1 state.apply mtunnel
salt minion1 service.start mtunnel
netstat -tulpen | grep 'sshd.*mtunnel'
salt minion1 service.stop mtunnel
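The netstat check above is done by eye on the endpoint. The following shell snippet is an added example, not part of the original page, that turns it into something scriptable (for a cron job or a `cmd.run` against the master): it reads `netstat -tulpen` output and reports whether the tunnel port is bound on loopback only, on a routable address (which would happen if the endpoint's sshd had `GatewayPorts` enabled, exposing the minion's sshd to the endpoint's network), or not at all. The netstat lines used for the demonstration are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): classify how the reverse
# tunnel port is bound on the endpoint, from `netstat -tulpen` output.

# Read netstat -tulpen lines on stdin; print "loopback", "exposed" or
# "absent" for the TCP port given as $1. Only LISTEN sockets are considered.
tunnel_binding() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")   # local address is field 4; port follows the last colon
            if (a[n] != port) next
            if ($4 ~ /^(127\.0\.0\.1|::1):/) loop = 1
            else exposed = 1
        }
        END {
            if (exposed) print "exposed"
            else if (loop) print "loopback"
            else print "absent"
        }'
}

# Same check against the live system; succeeds only for a loopback-only binding.
check_live_tunnel() {
    result=$(netstat -tulpen 2>/dev/null | tunnel_binding "$1")
    echo "$result"
    [ "$result" = loopback ]
}

# Constructed sample output (not captured from a real host).
SAMPLE_OK='tcp        0      0 127.0.0.1:2222          0.0.0.0:*               LISTEN      998        123456     4321/sshd: mtunnel
tcp6       0      0 ::1:2222                :::*                    LISTEN      998        123457     4321/sshd: mtunnel
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          11111      800/sshd: /usr/sbin'

SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      998        123456     4321/sshd: mtunnel'

demo() {
    printf '%s\n' "$SAMPLE_OK" | tunnel_binding 2222        # loopback
    printf '%s\n' "$SAMPLE_EXPOSED" | tunnel_binding 2222   # exposed
    printf '%s\n' "$SAMPLE_OK" | tunnel_binding 2223        # absent
}
```

Run `check_live_tunnel 2222` on the endpoint after `service.start`; "absent" after a few seconds usually means sshd on the endpoint refused the forward (port already taken, or not permitted for the key), which the minion's `journalctl -u mtunnel` will show together with the restart loop caused by `Restart=always`.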

Last updated 1 year ago