FAI + SaltStack anybody?

Laura Smith n5d9xq3ti233xiyif2vp at protonmail.ch
Thu Oct 5 15:54:27 CEST 2023


Hi Diego

It's been a while since I worked with Salt, but IIRC it sounds like what is not "clicking" is that you need to fix the TOFU problem.

Looking back through my notes, it seems https://docs.saltproject.io/en/latest/topics/tutorials/multimaster_pki.html might be worth a read.

In particular, maybe "master_sign_pubkey: True" on the Salt master, "verify_master_pubkey_sign: True" on the minion, and the master pubkeys put in "/etc/salt/pki/minion/" on the minions.

Then on Salt master all you have to do is approve the new connections as they come online.

------- Original Message -------
On Thursday, October 5th, 2023 at 13:59, Diego Zuccato <diego.zuccato at unibo.it> wrote:


> Hello all.
> 
> Does someone use FAI to install the base system that will be managed by
> Salt?
> I'm trying to integrate 'em but there's still something that doesn't
> "click"...
> 
> My current idea is to use Salt to orchestrate the install, but maybe
> it's better left to FAI? How can I "pass around" minion key so I don't
> have to manually re-approve the new key every time?
> The ideal scenario would be: target generates its keypair, sends the
> pubkey to FAI that "certifies" it's from the system being installed and
> passes it to Salt. Should I write a custom fai-monitor (that would be
> needed anyway to disable netboot once system is reinstalled)?
> 
> TIA.
> 
> --
> Diego Zuccato
> DIFA - Dip. di Fisica e Astronomia
> Servizi Informatici
> Alma Mater Studiorum - Università di Bologna
> V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
> tel.: +39 051 20 95786
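
The two sides of the trust relationship discussed in this thread (the master signing its replies so the minion can pin `master_sign.pub` instead of trusting the first master that answers, and the master pre-accepting a minion key handed to it out of band so no manual `salt-key -a` is needed) are laid out below as an added shell example. It is not code from the thread, from Laura, or from the Salt project. Assumptions for illustration: the `ROOT` prefix argument (empty on a real host, a scratch directory here), the drop-in file names `master.d/sign.conf` and `minion.d/verify.conf`, the minion id `node01`, and the placeholder key contents, which are constructed and not real keys. The pre-acceptance path it relies on is Salt's documented behaviour: a public key placed in `/etc/salt/pki/master/minions/<minion_id>` counts as already accepted.

```shell
#!/bin/sh
# Added example, not from the original thread. Sets up Salt master/minion
# mutual trust without TOFU on either side:
#   master: master_sign_pubkey: True   -> replies are signed with master_sign.pem
#   minion: verify_master_pubkey_sign: True + pinned master_sign.pub
#   master: pre-accepted minion key in pki/master/minions/<id>
# ROOT is an assumed prefix so the functions can be exercised in a scratch
# directory; on a real host pass "" so paths land under /etc/salt.
set -eu

# Set "key: value" in a YAML drop-in, replacing any existing line for key.
set_yaml_key() {   # file key value
    file=$1 key=$2 value=$3
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    grep -v "^$key:" "$file" > "$tmp" || true
    printf '%s: %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Master side: sign every reply. Salt generates master_sign.pem/.pub under
# pki/master/ on the next start if they are not already there.
configure_master() {   # root
    set_yaml_key "$1/etc/salt/master.d/sign.conf" master_sign_pubkey True
}

# Minion side: pin the master signing key and refuse unsigned/mis-signed
# replies. master_sign.pub is shipped to the target by the installer (FAI
# would carry it in the image or config space; assumed here as a file path).
configure_minion() {   # root master_sign_pub_src
    root=$1 src=$2
    mkdir -p "$root/etc/salt/pki/minion"
    cp "$src" "$root/etc/salt/pki/minion/master_sign.pub"
    chmod 0644 "$root/etc/salt/pki/minion/master_sign.pub"
    set_yaml_key "$root/etc/salt/minion.d/verify.conf" verify_master_pubkey_sign True
}

# Target side: generate the minion keypair during the install. salt-key is
# the Salt-native tool; openssl is an assumed fallback for images that do
# not carry Salt yet. Not invoked by the demo below so it runs without either.
gen_minion_key() {   # outdir
    mkdir -p "$1"
    if command -v salt-key >/dev/null 2>&1; then
        salt-key --gen-keys=minion --gen-keys-dir="$1"
    else
        openssl genrsa -out "$1/minion.pem" 2048 2>/dev/null
        openssl rsa -in "$1/minion.pem" -pubout -out "$1/minion.pub" 2>/dev/null
    fi
    chmod 0400 "$1/minion.pem"
}

# Master side: pre-accept a minion public key received out of band, so the
# minion's first connection is already trusted and no salt-key -a is needed.
preseed_minion_key() {   # root minion_id minion_pub_src
    root=$1 id=$2 src=$3
    dir=$root/etc/salt/pki/master/minions
    mkdir -p "$dir"
    cp "$src" "$dir/$id"
    chmod 0644 "$dir/$id"
}

# Returns 0 only when both halves are in place: master signs, minion pins,
# and the minion key is pre-accepted. Any missing piece leaves a TOFU step.
trust_ready() {   # root minion_id
    root=$1 id=$2
    grep -qx 'master_sign_pubkey: True' "$root/etc/salt/master.d/sign.conf" 2>/dev/null &&
    grep -qx 'verify_master_pubkey_sign: True' "$root/etc/salt/minion.d/verify.conf" 2>/dev/null &&
    [ -s "$root/etc/salt/pki/minion/master_sign.pub" ] &&
    [ -s "$root/etc/salt/pki/master/minions/$id" ]
}

# Demo against a scratch directory with constructed placeholder key files
# (not real keys). Exercised when the script is run directly.
DEMO=$(mktemp -d)
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'constructed-master-sign' '-----END PUBLIC KEY-----' > "$DEMO/master_sign.pub"
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'constructed-node01' '-----END PUBLIC KEY-----' > "$DEMO/node01.pub"
configure_master "$DEMO"
configure_minion "$DEMO" "$DEMO/master_sign.pub"
preseed_minion_key "$DEMO" node01 "$DEMO/node01.pub"
if trust_ready "$DEMO" node01; then echo "node01: trust established, no TOFU left"; fi
rm -rf "$DEMO"
```

Run with an empty prefix on the real hosts (`configure_master ""` on the master, `configure_minion "" /path/to/master_sign.pub` on the target during the FAI run, `preseed_minion_key "" "$(hostname)" minion.pub` on the master once the installer has handed over the key). The hand-off of `minion.pub` from the target to the master is the piece FAI would have to carry; how it does so is outside what this example shows.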

