I’m using an AWS AutoScaling group to manage my container host servers, and I’m using user_data to install docker and run the rancher/agent with something that looks like the following:
And this works great! I’ve stripped out the end of the URL (SOME_TOKEN) and I’m wondering if that token is considered to be a secret, or just a discovery token? Basically wondering if I should keep it with other secrets or I’m fine just committing it with my infrastructure code?
I’m also installing rancher/server automatically, currently as a single node, and I know I can configure the MySQL and redis connections to external services, I’m also wondering if I can specify some configuration file, that will set up rancher initially, so that I can pre-configure GitHub authentication, environments, api keys… ?
I would call it “moderately secret”; it’s a unique token that is used to generate an agent account for the host to talk to rancher, which is then how hosts register themselves.
So if I had your token, and physical network access to make requests to your rancher/server, I could register my own arbitrary hosts to your server. From there I could potentially do bad things to/with the containers that end up scheduling onto my hosts, and communicate with the other hosts on the IPSec overlay network.
There is not anything built-in to configure it like that… you could potentially back up and restore the MySQL DB before starting since basically everything is in there, or write a script that uses the API or CLI to preconfigure things as you like after it starts up.
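One way to treat the registration URL as a secret rather than committing it, as an added example that is not from the thread: a user_data fragment that reads the URL from AWS SSM Parameter Store at boot and checks its shape before starting the agent. The parameter name, the `/v1/scripts/<token>` URL layout and the `docker run` flags are assumptions, as is an instance profile that allows `ssm:GetParameter` on that parameter.

```sh
#!/bin/sh
# Added example: keep the Rancher registration URL out of version control by
# reading it from SSM Parameter Store when the host boots.
# Assumptions: parameter name, URL layout and agent flags (see lead-in).

PARAM_NAME="${PARAM_NAME:-/rancher/registration-url}"   # hypothetical name
AGENT_IMAGE="${AGENT_IMAGE:-rancher/agent}"             # pin a tag in practice

# Read the SecureString parameter; prints the URL on stdout.
fetch_registration_url() {
    aws ssm get-parameter --name "$PARAM_NAME" --with-decryption \
        --query 'Parameter.Value' --output text
}

# Accept only http(s)://host[:port]/v1/scripts/<token>, so an empty or
# mangled parameter never reaches `docker run`.
valid_registration_url() {
    case "$1" in
        http://*/v1/scripts/?*|https://*/v1/scripts/?*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9:/._-]*) return 1 ;;   # no spaces, quotes or metacharacters
    esac
    return 0
}

register_host() {
    url=$(fetch_registration_url) || {
        echo "cannot read $PARAM_NAME" >&2; return 1; }
    valid_registration_url "$url" || {
        echo "unexpected registration URL format" >&2; return 1; }
    # The URL is passed as an argument only; it is never echoed or logged here.
    docker run -d --privileged \
        -v /var/run/docker.sock:/var/run/docker.sock \
        "$AGENT_IMAGE" "$url"
}

# In real user_data, finish with:  register_host
```

With this layout the committed user_data carries only the parameter name, and rotating the token means updating one parameter instead of the launch configuration.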
@bil If you haven’t set up access control yet then there are no keys/authentication needed, you can just make requests unauthed to the API.
You will need to create a registration token by POSTing to /v1/projects/1a5/registrationTokens (where 1a5 is the project/environment ID, the “Default” one created initially will always be 1a5).
Good points, @vincent. I will test it without API key immediately after installing Rancher server.
I need to initialise Rancher Server automatically with ansible/puppet to get the registration token, generate API key for the first admin user, set other users, groups, and environments, etc.
And will go through the repository galal-hussein/Rancher-Ansible (thanks, @ebuildy), which seems better than the recommended ansible repository listed in github Rancher/Rancher's README.