Transient secrets
Diego Zuccato
diego.zuccato at unibo.it
Thu Jul 7 08:12:54 CEST 2022
Hi all.
Is there a preferred way to pass a (different) secret to every host
being installed?
Something to implement a workflow like:
- admin asks Salt to (re)install a host
- salt handles shutdown and switch reconfiguration (OT)
- salt tells FAIserver to enable install of given host
- FAI generates the secret and passes it back to Salt (or Salt generates
the secret and passes it to FAI, as long as there's a shared secret)
- the host boots via network and installs as usual, saving/using the
given secret
- FAI (or the reinstalled host) tells Salt reinstall is complete and
Salt "cleans up" (reconfig switches & so on) (OT)
The only "solution" I could find is to save the secret in
/srv/tftp/fai/pxelinux.cfg/C0A8xxyy in the append line, like FAI_FLAGS,
FAI_CONFIG_SRC and FAI_ACTION, but since the append line can be at most 255
chars there's not much space... It's good just for very small "secrets"
(that get transferred in the clear, hence the need to reconfigure the
switches).
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
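
The pxelinux.cfg approach described in the message above, as an added example that is not part of the original post or of FAI: it derives the per-host file name from the client address, generates a short random token, and refuses to build an append line that exceeds the limit. `INSTALL_TOKEN` is a hypothetical parameter name, the base arguments are constructed, and the 255-character limit is the figure given in the post (applied here to the text after `append`, which is an assumption).

```shell
#!/bin/sh
# Added example; names and sample values are constructed, not from the post.

MAX_APPEND=255            # limit quoted in the post
SECRET_VAR=INSTALL_TOKEN  # hypothetical kernel command-line parameter name

# 192.168.1.20 -> C0A80114: the pxelinux.cfg file name for that client address
pxe_cfg_name() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # reject empty fields, leading zeros (printf would read them as octal)
        # and anything longer than three digits
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%02X%02X%02X%02X\n' "$1" "$2" "$3" "$4"
}

# N random bytes from the kernel CSPRNG, hex-encoded (2N characters)
make_token() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# Characters left for the token once the existing arguments, the separating
# space, the parameter name and "=" are accounted for
token_room() {
    echo $(( MAX_APPEND - ${#1} - ${#SECRET_VAR} - 2 ))
}

# Add NAME=token to the existing arguments; fail instead of emitting a line
# that would be cut off and hand the host a truncated secret
build_append() {   # $1 = existing arguments, $2 = token
    line="$1 $SECRET_VAR=$2"
    [ ${#line} -le "$MAX_APPEND" ] || return 1
    printf '%s\n' "$line"
}

# Demo with a constructed address and constructed base arguments
BASE='FAI_FLAGS=verbose FAI_ACTION=install'
name=$(pxe_cfg_name 192.168.1.20) && token=$(make_token 16) &&
    printf '%s: append %s\n' "$name" "$(build_append "$BASE" "$token")"
```
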
More information about the linux-fai mailing list