A couple of questions:
- I’m using an AWS AutoScaling group to manage my container host servers, and I’m using user_data to install docker and run the rancher/agent with something that looks like the following:
sudo docker run -d --privileged \
-e CATTLE_HOST_LABELS='monitored=true' \
-v /var/run/docker.sock:/var/run/docker.sock rancher/agent:v0.7.10 \
And this works great! I’ve stripped out the end of the URL (SOME_TOKEN) and I’m wondering if that token is considered to be a secret, or just a discovery token? Basically wondering if I should keep it with other secrets or I’m fine just committing it with my infrastructure code?
- I’m also installing rancher/server automatically, currently as a single node, and I know I can configure the MySQL and redis connections to external services. I’m also wondering if I can specify some configuration file that will set up rancher initially, so that I can pre-configure GitHub authentication, environments, api keys… ?
I would call it “moderately secret”; it’s a unique token that is used to generate an agent account for the host to talk to rancher, which is then how hosts register themselves.
So if I had your token, and physical network access to make requests to your rancher/server, I could register my own arbitrary hosts to your server. From there I could potentially do bad things to/with the containers that end up scheduling onto my hosts, and communicate with the other hosts on the IPSec overlay network.
There is not anything built-in to configure it like that… you could potentially back up and restore the MySQL DB before starting since basically everything is in there, or write a script that uses the API or CLI to preconfigure things as you like after it starts up.
This is an Ansible project, didn’t test it but it looks promising.
Just for completeness, there are Rancher Server and Host ServerTemplates in the RightScale Marketplace:
If you have trouble accessing these let me know. It’s a little more complicated than a couple of inline scripts to do it properly in a scalable way.
Your answer and the script are not helpful for the original question, as you have to manually feed the Rancher API keys to the python script.
So how to get the Rancher API automatically from the beginning? And the same question for the Rancher Registration Token for adding hosts.
@bil If you haven’t set up access control yet then there are no keys/authentication needed, you can just make requests unauthed to the API.
You will need to create a registration token by POSTing to
1a5 is the project/environment ID, the “Default” one created initially will always be 1a5).
Good points, @vincent. I will test it without an API key immediately after installing Rancher server.
I need to initialise Rancher Server automatically with ansible/puppet to get the registration token, generate an API key for the first admin user, set other users, groups, and environments, etc.
And will go through the repository galal-hussein/Rancher-Ansible (thanks, @ebuildy), seems it is better than the recommended ansible repository listed in github.
I had the same issue and solved it with a very simple lookup plugin for Ansible.