Transient secrets
Andrew Ruthven
andrew at etc.gen.nz
Thu Jul 7 08:22:05 CEST 2022
Hey,
I'm not sure if this is preferred or not, but the approach I take is to
have a command we run first, that copies any required secrets (and will
generate SSH host keys and puppet certs if required first) into the NFS
root. A cron job runs every 15 minutes and cleans up any of those
secrets which are older than 2 hours (this could be much shorter).
Cheers,
Andrew
On Thu, 2022-07-07 at 08:12 +0200, Diego Zuccato wrote:
> Hi all.
>
> Is there a preferred way to pass a (different) secret to every host
> being installed?
>
> Something to implement a workflow like:
> - admin asks Salt to (re)install a host
> - salt handles shutdown and switch reconfiguration (OT)
> - salt tells FAIserver to enable install of given host
> - FAI generates the secret and passes it back to Salt (or Salt generates
> the secret and passes it to FAI, as long as there's a shared secret)
> - the host boots via network and installs as usual, saving/using the
> given secret
> - FAI (or the reinstalled host) tells Salt reinstall is complete and
> Salt "cleans up" (reconfig switches & so on) (OT)
>
> The only "solution" I could find is to save the secret in
> /srv/tftp/fai/pxelinux.cfg/C0A8xxyy in the append line, like FAI_FLAGS,
> FAI_CONFIG_SRC and FAI_ACTION, but since the append line can be at most
> 255 chars there's not much space... It's good just for very small
> "secrets" (that get transferred in the clear, hence the need to
> reconfigure the switches).
>
--
Andrew Ruthven, Wellington, New Zealand
andrew at etc.gen.nz | This space intentionally left blank
Catalyst Cloud: https://catalystcloud.nz
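The staging command and the age-based cleanup Andrew describes, written out as an added shell example (not code from the thread or from FAI). The `etc/fai-secrets/<hostname>/secret` layout under the NFS root, the 64-hex-char secret format and the 2-hour cutoff are assumptions made for the example.

```shell
#!/bin/sh
# Added example: stage a per-host transient secret into an NFS root before
# install, and reap stale copies from a cron job. Layout (assumed):
#   $NFSROOT/etc/fai-secrets/<hostname>/secret   (0700 dir, 0600 file)
set -eu

# stage_secret NFSROOT HOSTNAME
# Writes a fresh 32-byte random secret (64 hex chars) for HOSTNAME and
# prints the path. Runs in a subshell so umask does not leak to the caller.
stage_secret() (
    nfsroot=$1; host=$2
    dir="$nfsroot/etc/fai-secrets/$host"
    umask 077                      # new dirs 0700, new files 0600
    mkdir -p "$dir"
    chmod 700 "$dir"               # in case the directory pre-existed
    tmp="$dir/secret.tmp.$$"
    # The secret only ever exists on disk as a 0600 file; rename is atomic,
    # so an installer reading the path never sees a half-written secret.
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$tmp"
    printf '\n' >> "$tmp"
    mv -f "$tmp" "$dir/secret"
    printf '%s\n' "$dir/secret"
)

# reap_stale_secrets NFSROOT MAX_MINUTES   (the cron job)
# Deletes every staged secret last modified more than MAX_MINUTES ago and
# prints how many were removed. -type f means symlinks are never followed.
reap_stale_secrets() (
    nfsroot=$1; max_min=$2
    base="$nfsroot/etc/fai-secrets"
    [ -d "$base" ] || { printf '0\n'; return 0; }
    n=$(find "$base" -type f -name secret -mmin +"$max_min" -print -delete | wc -l)
    printf '%s\n' "$((n + 0))"     # normalise wc's padding
)

# Example cron line for the cleanup (assumed path to this script):
#   */15 * * * * root /usr/local/sbin/fai-secrets.sh reap /srv/fai/nfsroot 120
case "${1:-}" in
    stage) stage_secret "$2" "$3" ;;
    reap)  reap_stale_secrets "$2" "$3" ;;
esac
```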