documentation proposals and bugfix proposal

Henning Sprang henning_sprang at gmx.net
Fri Aug 30 14:20:00 CEST 2002 

Hy,
I have found some undocumented problems with fai, which maybe should go in
the
install docs. (i would be able to write that part myself and post it to
merge into the docs, if it's cleared here that the information really
belongs in
there) At some poionts i am not shure if it's really the correct solution
and if i
don't do aomething wrong elsewhere.

1) i have problems booting the client when i don't have a link on the server
in 

/etc/boot/fai/CLIENTHOSTNAME
which leads to 
/etc/boot/fai/installimage

without the link there is a message then which ends with VFS: insert root
floppy

it's a bit hard to imagine that one has to do these links when installing a
real big bunch of machines, when testing with one it's not a big trouble, so
there might be another solution


2)  This is mentioned as a side comment in the troubleshooting section of
the install guide already,  but i think it would be better included in the
install steps, which would have spared me some reboots and tries:

To make the fai nfsroot bootable, one needs to have entries in /etc/exports
for the install clients to be allowed to mount /usr/lib/fai/nfsroot and
/usr/local/share/fai.
Fai-setup writes entries there which assume that a fai-client belongs to the
nis group faiclients, but when you neither have that group, nor  the fai
client belongs to it, nor you have nis anyway, this is really not a bit
useful,
so it would make fai more usable, even for beginners, if this was a
explained
in the install steps in a few words.

3)  the measures for logfile-saving on the server should be better
explained. 
When using rsh here, one needs a correct entry in in /home/fai/.rhosts
Again, fai-setup seems to assume here, that we have a nis group faiclients.
I admit that when working with big infrastructures, it makes sense to use
nis, but when is don't have it or don't want it, it#s wrong for fai to
simply
assume that (especially because nis is not even mentioned as nice-to-have in
the requirements!)

4) When using ssh as login for logfile-saving on the server, i ran into
another problem.

My install server is a woody system, just upgraded from potato. so i use
newer ssh versions.

When running fai-setup, i get an error which tells me, i must  set the ssh
key type parameter.

it seems to me this is an issue with ssh 3 which enables the use of multiple
ssh key versions. As i did not find it acceptable to modify my ssh config
for this, i changed the fai setup script, so the ssh-keygen lines there read
now:


    if [ $FAI_REMOTESH = "ssh" -o $FAI_REMOTECP = "scp" ]; then
        # set up ssh on the server
        mkdir -p -m 700 $loguserhome/.ssh
        [ -f $sshdir/identity ] || ssh-keygen -t $FAI_SSH_KEYTYPE -N '' -f
$sshdir/identity -C "$LOGUSER@$HOST"
        cat $sshdir/identity.pub >> $sshdir//authorized_keys
        chmod 0700 $sshdir/authorized_keys
        echo "$sshdir/authorized_keys created."
    fi

and the /etc/fai/fai.config file has now an extra entry:

# when using ssh (higher than 3?) for logfile-saving, we need to tell the
keytype
# we want to use. as of now, values  "dsa" ,"rsa" nad "rsa1" are supported.
# read "man ssh-keygen" for information about the -t option
FAI_SSH_KEYTYPE=dsa

I don't know what happens when using other or older ssh versions, especially
prior to 3, so this has to be tested before merging.


5) again, when using ssh as protocol for saving the install logfiles,  the
problem arises, that the client need s manual input when it doesn't have the
install server's key in his ssh/known_hosts list.
make-fai-nfsroot copies the file /etc/ssh/known_hosts to the nfsroot
directory, but at least we here don't have a host itself in its own
known_hosts
file. so adding the hosts own host key to the nfsroot's known_hosts list is
necessary. 

I did this by doing:
   # chroot /usr/lib/fai/nfsroot/
   # ssh <FAI-SERVER-IPD ADDRESS>
accept servers ssh key manually, then cancel the ssh connection
   # exit
   # cat /usr/local/fai/nfsroot/root/.ssh/known_hosts
>>/etc/ssh/ssh_known_hosts

it was important to use the fai-servers IP Address, not the hostname,  as in
dthe fai-chroot noa name resolution worked. That's one reason why i didn't
just take the hosts public rsa key in /etc/ssh on the fai server. Another one
why i did it with the chroot was because the host key in /etc/ssh on the fai
server  looks slightly different than that stored in /root/.ssh/known_hosts
in the nfsroot / chroot and i am too lazy and don't have the time to test this
now with another handful of reboots. 

Maybe somebody has a better idea how to do this correctly?


ok, that's my 2 cent for now, i will send further things when i find
solutions for problems i ran in, and as said, i wann avolunteer to update
the documentation whith th einformation provided is this desired :-)

Henning

ps: sorry for the wracked last sentence in the previous post, , too
unconcentrated :-)

More information about the linux-fai mailing list