FAI + SaltStack anybody?
Diego Zuccato
diego.zuccato at unibo.it
Fri Oct 6 06:58:46 CEST 2023
On 05/10/2023 16:58, Sinh Lam wrote:
> You can essentially establish a ’trust’ to auto-accept keys. Then you
> wouldn’t really have to worry about moving the minion keys around. Once
> your bootstrap/installation is done, have it run a state to remove the
> key or auto-purge it somehow.
Uh? If the minion is not known to the master, it doesn't receive
pillars. And can't interact with the master. Chicken and egg.
> Honestly I would just leave the base install and anything else that
> needs to be set up to FAI and run salt against the booted up server
> after FAI is done and the server has been rebooted.
That's what I was planning to do. But without extra "glue" I'm losing
context. In particular if FAI tells Salt "I'm having *this* machine
reinstalled and its key is this" then Salt can auto-accept that key. But
if the machine is not being reinstalled by FAI, there's no reason to
auto accept a new key: it could be anybody!
Does FAI use protected connections (given that usually there's no
available "root of trust" stronger than the MAC address...) to the
machine being installed?
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
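
The "glue" discussed in this message, sketched as an added example (not part of the original post, and not FAI or Salt code): the installer announces a minion id together with its public key, and a pending key is accepted only if it matches an unexpired announcement. The class name, the time window and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac
import time


class ReinstallRegistry:
    """Hypothetical record of machines the installer says it is reinstalling."""

    def __init__(self, window_seconds=3600):
        self.window = window_seconds
        self._expected = {}  # minion_id -> (sha256 hex of public key, expiry time)

    def announce(self, minion_id, pubkey, now=None):
        """Called by the installer: 'this machine is being reinstalled, its key is this'."""
        now = time.time() if now is None else now
        self._expected[minion_id] = (hashlib.sha256(pubkey).hexdigest(), now + self.window)

    def decide(self, minion_id, presented_key, now=None):
        """Called for each pending key: accept only an announced, unexpired, matching key."""
        now = time.time() if now is None else now
        entry = self._expected.get(minion_id)
        if entry is None:
            return "reject: no reinstall announced"  # "it could be anybody"
        digest, expiry = entry
        if now > expiry:
            del self._expected[minion_id]
            return "reject: announcement expired"
        presented = hashlib.sha256(presented_key).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return "reject: key mismatch"  # announcement stays valid for the real machine
        del self._expected[minion_id]  # one-shot: a second key for the same id is refused
        return "accept"


def demo():
    # Constructed sample data: placeholder byte strings stand in for real public keys.
    reg = ReinstallRegistry(window_seconds=600)
    reg.announce("node01", b"CONSTRUCTED-KEY-A", now=1000)
    return [
        reg.decide("node01", b"CONSTRUCTED-KEY-B", now=1010),  # wrong key for announced id
        reg.decide("node02", b"CONSTRUCTED-KEY-A", now=1010),  # id never announced
        reg.decide("node01", b"CONSTRUCTED-KEY-A", now=1020),  # announced key, in time
        reg.decide("node01", b"CONSTRUCTED-KEY-A", now=1030),  # replay after acceptance
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```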