<html><head></head><body><div>On Fri, 2023-10-06 at 11:18 +0200, Thomas Lange wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>On Fri, 06 Oct 2023 21:57:28 +1300, Andrew Ruthven <<a href="mailto:andrew@etc.gen.nz">andrew@etc.gen.nz</a>> said:<br></div></blockquote></blockquote></blockquote></blockquote></blockquote>
<div><br></div>
<div> > This isn't ideal as the secrets are still present in the NFSROOT for a short<br></div>
<div> > period of time, but does solve the chicken and egg issue others mentioned<br></div>
<div>This reminds me of a solution I once saw.<br></div>
<div>Put some info into a fifo (named pipe), so only one receiver can read<br></div>
<div>it. After that the fifo is empty.<br></div>
<div><br></div>
<div>What about having a daemon on the FAI server which serves some secret<br></div>
<div>using:<br></div>
<div>echo secret | nc -p 12345 -l<br></div>
<div><br></div>
<div>So only one FAI client can read the secret from port 12345 once.<br></div>
<div>This may help a little bit.<br></div>
</blockquote>
<div><br></div>
<div>This could help. It could also do some level of validation of the IP/MAC that the request is coming from, especially if you've used fai-chboot. Again not ideal, but better.</div>
<div><br></div>
<div>The thing I like about my solution is that fcopy just works. :)</div>
<div><br></div>
<div>Cheers,</div>
<div>Andrew</div>
<div><br></div>
<div><span><pre>-- <br></pre><pre>Andrew Ruthven, Wellington, New Zealand
andrew@etc.gen.nz |
Catalyst Cloud: | This space intentionally left blank
https://catalystcloud.nz |
</pre></span></div></body></html>
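The one-shot netcat listener Thomas describes, plus the source-address validation Andrew suggests on top of it, written out as a small Python server and client. This is an added example for this thread, not code from FAI or from either poster: the class and function names are made up here, the secret and the allowlist addresses are constructed demo values, and the check is on the peer's IP only (MAC validation is not available at the socket layer and is not attempted). The listening socket is closed as soon as one permitted client has received the secret, so, like the `nc -l` version, a second fetch is refused; unlike the `nc` version, a peer that is not on the allowlist gets an empty reply and does not consume the secret. As the thread itself notes, this is a "better than nothing" measure: a source IP on a LAN is not authentication.

```python
"""One-shot secret server with a source-IP allowlist (added example, not FAI code)."""
import socket
import threading


class OneShotSecretServer:
    """Serve `secret` to the first client whose source IP is in `allowed_ips`,
    then close the listening socket so nobody else can fetch it.

    Peers not on the allowlist get an empty reply and are recorded in
    `rejected`; they do not consume the secret. `max_rejects` caps how many
    unwanted peers are turned away before the server gives up, so an
    unauthorised host cannot keep the listener open forever.
    """

    def __init__(self, secret: bytes, allowed_ips, host="127.0.0.1", port=0, max_rejects=5):
        self.secret = secret
        self.allowed_ips = set(allowed_ips)
        self.max_rejects = max_rejects
        self.delivered_to = None   # IP of the one client that got the secret
        self.rejected = []         # IPs that were turned away
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port=0 lets the OS pick a free port
        self._sock.listen(1)
        self.port = self._sock.getsockname()[1]

    def serve(self):
        """Accept connections until one allowed peer has the secret (or the
        reject cap is hit), then stop listening. Returns the recipient IP."""
        try:
            while self.delivered_to is None and len(self.rejected) < self.max_rejects:
                conn, (ip, _peer_port) = self._sock.accept()
                with conn:   # connection is closed on exit, giving the client EOF
                    if ip in self.allowed_ips:
                        conn.sendall(self.secret)
                        self.delivered_to = ip
                    else:
                        self.rejected.append(ip)
        finally:
            # Whatever happened, the secret is single-use: stop listening.
            self._sock.close()
        self.secret = b""   # drop our reference to the in-memory copy
        return self.delivered_to


def fetch_secret(host, port, timeout=2.0):
    """Client side: the equivalent of `nc host 12345` on the FAI client.
    Returns the bytes received (empty if the server refused to hand it over),
    or None if the port was no longer listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:   # ConnectionRefusedError once the one-shot server has closed
        return None
    return b"".join(chunks)


def run_demo(allowed_ips, secret=b"constructed-demo-secret\n", max_rejects=5):
    """Start a server in a thread, fetch the secret from 127.0.0.1 twice, and
    report what each attempt saw. `secret` is a constructed demo value."""
    srv = OneShotSecretServer(secret, allowed_ips, max_rejects=max_rejects)
    worker = threading.Thread(target=srv.serve, daemon=True)
    worker.start()
    first = fetch_secret("127.0.0.1", srv.port)
    worker.join(timeout=5)          # wait for the listener to shut down
    second = fetch_secret("127.0.0.1", srv.port)
    return {
        "first_reply": first,
        "second_reply": second,     # None: the one-shot listener is gone
        "delivered_to": srv.delivered_to,
        "rejected": list(srv.rejected),
    }


if __name__ == "__main__":
    print("allowed client :", run_demo({"127.0.0.1"}))
    print("unknown client :", run_demo({"192.0.2.10"}, max_rejects=1))
```

Run it directly to see both cases: with 127.0.0.1 on the allowlist the first fetch gets the secret and the second is refused; with only the constructed address 192.0.2.10 allowed, the local client gets an empty reply, the secret is never delivered, and the reject cap shuts the listener down.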