FAI + SaltStack anybody?

Sinh Lam sinh.lam at inviarobotics.com
Thu Oct 5 16:58:59 CEST 2023


You can essentially establish a ’trust’ to auto-accept keys.  Then you
wouldn’t really have to worry about moving the minion keys around.  Once
your bootstrap/installation is done, have it run a state to remove the key
or auto-purge it somehow.

Honestly I would just leave the base install and anything else that needs
to be set up to FAI and run salt against the booted up server after FAI is
done and the server has been rebooted.

On October 5, 2023 at 6:54:51 AM, Laura Smith via linux-fai (linux-fai at uni-koeln.de) wrote:

Hi Diego

It's been a while since I worked with Salt, but IIRC it sounds like what is
not "clicking" is that you need to fix the TOFU problem.

Looking back through my notes, it seems
https://docs.saltproject.io/en/latest/topics/tutorials/multimaster_pki.html
might be worth a read.

In particular, maybe "master_sign_pubkey: True" on the Salt master,
"verify_master_pubkey_sign: True" on the minion, and the master pubkeys put
in "/etc/salt/pki/minion/" on the minions.

Then on Salt master all you have to do is approve the new connections as
they come online.

------- Original Message -------
On Thursday, October 5th, 2023 at 13:59, Diego Zuccato <diego.zuccato at unibo.it> wrote:


> Hello all.
>
> Does someone use FAI to install the base system that will be managed by
> Salt?
> I'm trying to integrate 'em but there's still something that doesn't
> "click"...
>
> My current idea is to use Salt to orchestrate the install, but maybe
> it's better left to FAI? How can I "pass around" the minion key so I don't
> have to manually re-approve the new key every time?
> The ideal scenario would be: target generates its keypair, sends the
> pubkey to FAI that "certifies" it's from the system being installed and
> passes it to Salt. Should I write a custom fai-monitor (that would be
> needed anyway to disable netboot once the system is reinstalled)?
>
> TIA.
>
> --
> Diego Zuccato
> DIFA - Dip. di Fisica e Astronomia
> Servizi Informatici
> Alma Mater Studiorum - Università di Bologna
> V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
> tel.: +39 051 20 95786
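The key hand-off Diego describes (target generates its keypair, the installer vouches for the pubkey, Salt pre-trusts it) maps onto Salt's key preseeding: a file at /etc/salt/pki/master/minions/<minion_id> on the master holding the minion's public key counts as an already-accepted key. Below is an added example, not code from any poster or from the FAI or Salt projects, of a helper a FAI hook could call; the function names, the STAGE_DIR layout and the use of openssl instead of salt-key are assumptions, and getting the staged file onto the master is left to whatever channel you already trust between the install server and the Salt master.

```shell
#!/bin/sh
# Hypothetical FAI-hook helper (added example): generate the Salt minion keypair
# inside the target root and stage its public key for preseeding on the master,
# so the master trusts the installer's copy of the key rather than the first key
# that happens to show up over the wire (the TOFU problem from the thread).
set -eu

# stage_minion_key MINION_ID TARGET_ROOT STAGE_DIR
#   TARGET_ROOT: mounted root of the system being installed (e.g. $FAI_ROOT)
#   STAGE_DIR:   directory whose files get pushed to the master's minions/ dir
stage_minion_key() {
    minion_id=$1; target=$2; stage=$3
    pki="$target/etc/salt/pki/minion"
    umask 077
    mkdir -p "$pki" "$stage"

    # The private key never leaves the target; 0400 as salt-minion expects.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$pki/minion.pem" 2>/dev/null
    chmod 0400 "$pki/minion.pem"

    # minion.pub is the PEM SubjectPublicKeyInfo form (-----BEGIN PUBLIC KEY-----),
    # which is what openssl -pubout emits.
    openssl rsa -in "$pki/minion.pem" -pubout -out "$pki/minion.pub" 2>/dev/null
    chmod 0644 "$pki/minion.pub"

    # Pin the minion id so the key and the id the master sees stay paired.
    printf '%s\n' "$minion_id" > "$target/etc/salt/minion_id"

    # Staged copy, named exactly as the master's minions/<id> entry must be.
    cp "$pki/minion.pub" "$stage/$minion_id"
    chmod 0644 "$stage/$minion_id"
}

# verify_staged_key MINION_ID TARGET_ROOT STAGE_DIR
# Succeeds only if the staged file parses as an RSA public key and is
# byte-identical to the target's minion.pub: the "certifies it's from this
# system" step, run before anything is copied towards the master.
verify_staged_key() {
    minion_id=$1; target=$2; stage=$3
    staged="$stage/$minion_id"
    [ -s "$staged" ] || return 1
    openssl rsa -pubin -in "$staged" -noout 2>/dev/null || return 1
    cmp -s "$staged" "$target/etc/salt/pki/minion/minion.pub"
}
```

On the master side this replaces manual `salt-key -a`; the staged file lands in /etc/salt/pki/master/minions/ and the minion is accepted on first connect.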