FAI + SaltStack anybody?
Diego Zuccato
diego.zuccato at unibo.it
Fri Oct 6 06:47:34 CEST 2023
On 05/10/2023 15:54, Laura Smith via linux-fai wrote:
> It's been a while since I worked with Salt, but IIRC it sounds like what is not "clicking" is that you need to fix the TOFU problem.
Actually there are 2 distinct problems:
- pass the pubkey from the minion to FAI during the install (possibly in
an authenticated way)
- authorize that key in Salt from FAI
> Looking back through my notes, it seems https://docs.saltproject.io/en/latest/topics/tutorials/multimaster_pki.html might be worth a read.
I don't understand. In my scenario, FAI is not a Salt master. And I
don't see how making it one could help. It would only double the burden.
> In particular, maybe "master_sign_pubkey: True" on the Salt master, "verify_master_pubkey_sign: True" on the minion, and the master pubkeys put in "/etc/salt/pki/minion/" on the minions.
> Then on Salt master all you have to do is approve the new connections as they come online.
I'd have to approve on *both* masters. :(
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
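The two problems listed in the reply above (get a key pair onto the minion during the FAI install, and get that key accepted on the Salt master without a manual approval step) can both be closed by pre-seeding: the FAI side generates the minion key pair, installs it into the new system, and drops the public half into the master's accepted-keys directory, so there is no TOFU window and nothing to approve. The script below is an added example written for this thread; it is not code from the FAI or Salt projects or from any of the posters. It assumes `openssl` is present on the install server, that Salt accepts the PEM keys openssl produces, that the master's accepted keys live under `<pki>/minions/<minion_id>` (a local path here; in practice that directory is on the master and reached over rsync/scp), and that `$target`, `$LOGDIR` and `$HOSTNAME` are the usual FAI hook variables. The function names and the hook name are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the linux-fai thread or of FAI/Salt.
# Pre-seeds a Salt minion key pair from the FAI install server so the new
# minion is trusted by the master on first contact.
# Assumptions: openssl available; Salt accepts openssl's PEM key output;
# the master's accepted keys are files under MASTER_PKI/minions/<id>.
set -eu

# gen_minion_keys WORKDIR MINION_ID
# Creates WORKDIR/MINION_ID.pem (private, mode 400) and WORKDIR/MINION_ID.pub.
gen_minion_keys() {
    workdir=$1; id=$2
    mkdir -p "$workdir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$workdir/$id.pem" 2>/dev/null
    chmod 400 "$workdir/$id.pem"
    openssl pkey -in "$workdir/$id.pem" -pubout -out "$workdir/$id.pub" 2>/dev/null
}

# install_minion_keys TARGET WORKDIR MINION_ID MASTER
# Installs the key pair, the minion id and a minimal minion config into the
# install root TARGET (the FAI $target mount point).
install_minion_keys() {
    target=$1; workdir=$2; id=$3; master=$4
    install -d -m 700 "$target/etc/salt/pki/minion"
    install -m 400 "$workdir/$id.pem" "$target/etc/salt/pki/minion/minion.pem"
    install -m 644 "$workdir/$id.pub" "$target/etc/salt/pki/minion/minion.pub"
    install -d -m 755 "$target/etc/salt/minion.d"
    printf 'id: %s\nmaster: %s\n' "$id" "$master" > "$target/etc/salt/minion.d/fai.conf"
    printf '%s\n' "$id" > "$target/etc/salt/minion_id"
}

# preseed_master MASTER_PKI WORKDIR MINION_ID
# Puts the public key into the master's accepted-keys directory. Refuses to
# overwrite a *different* key already accepted under the same id, so a
# reinstall (or an attacker who can trigger one) cannot silently swap the
# identity of an existing host; an operator has to delete the old key first.
preseed_master() {
    pki=$1; workdir=$2; id=$3
    mkdir -p "$pki/minions"
    if [ -e "$pki/minions/$id" ] &&
       [ "$(cat "$pki/minions/$id")" != "$(cat "$workdir/$id.pub")" ]; then
        echo "refusing to replace existing accepted key for $id" >&2
        return 1
    fi
    install -m 644 "$workdir/$id.pub" "$pki/minions/$id"
}

# Typical use from a FAI hook (e.g. hooks/savelog.LAST, hypothetical name):
#   gen_minion_keys "$LOGDIR/salt" "$HOSTNAME"
#   install_minion_keys "$target" "$LOGDIR/salt" "$HOSTNAME" salt.example.org
#   preseed_master /srv/salt-master-pki "$LOGDIR/salt" "$HOSTNAME"
```

The private key never leaves the install server except into the target root, and the only thing that has to cross to the master is a public key, so the copy to the master can be a plain rsync over an already-authenticated channel. With a second master, the same public key is pushed to both `minions/` directories and there is nothing to approve on either.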