FAI + SaltStack anybody?

[Diego Zuccato]

Il 06/10/2023 10:36, Sinh Lam ha scritto:
> Reading through your original post - I think there might be some 
> confusion as to what SaltStack does and what FAI does (if not, I 
> apologize).  SaltStack is a configuration management tool that is 
> normally used to ensure the target minion's configuration is exactly as 
> it should, while FAI is a provisioning tool that essentially builds the 
> server that SaltStack is used to manage.

No need to apologize even if I already knew the difference between FAI 
and Salt  :)

> With the above said, I do not see what you mean there is a chicken and 
> the egg problem.

To approve a minion key, Salt does have to trust the request is coming 
from the right minion, but it can't know till the key is approved.

> I do not believe that salt can do the actual installation of the 
> server’s OS because there’s no minion running to begin with.  You should 
> really leave that to FAI.

Yes, sure. Other tools (like xCat) try to do both and are IMVHO way less 
versatile.

>  Your concern was how to move the minion 
> around servers that are getting provisioned/re-provisioned so you don’t 
> have to approve the minion each time and I’m sure there’s a couple of 
> ways to do this but right now I see two :
> 
> 1) turn on auto-accept - you don’t have to worry about approving any 
> minions because they’ll be auto-approved

Can't do that on public networks. [*]

> 2) issue a call to the salt master to accept the new minion when it is 
> registered during fai.  This involves you knowing the minion id/name of 
> the key.

That's what I'd like to make FAI do. If only there was a 'hook' system 
on FAI server, triggering scripts at the different stages... The nearest 
thing I could think of is a custom fai-monitor but it seems quite unsafe :(

> This is how I’m planning on using SaltStack with FAI -
> I have a dedicated network that is tightly controlled so to that point I 
> know what connects to it and I know why those servers are connected to 
> that particular network.  In essence, I trust this particular network.  
> Because of this, I have auto-accept turned on my salt master.

Can't do that: my networks are often exposed. The alternative would mean 
having to dynamically reconfigure switches to move ports to different 
VLANs... Quite a big can of worms on its own :(

> I have FAI install the base os on the server, toward the end of the 
> process, a couple things will happen:
> * a script will be used to auto-register this server with our CMDB
> * a script will be used to enroll this minion with the salt-master and 
> set the minion_id (if needed).

How does your script authenticate the requests? Or are you just relying 
on the "secured network" to bypass authentication?

[...]
> That’s it.  FAI does the OS (and handles the registering of the server 
> with our CMDB and the minion with the master), and salt stack takes care 
> of the configuration of the server.

That's the desiderable outcome :)

> The glue I believe you’re talking about is a source of truth to populate 
> pillar data and grains so your salt states can actually do something 
> useful.

No, that's already taken care of :)

> And MAC addresses can be spoofed quite easily, so you really shouldn’t 
> rely on that as your ‘root of trust’.  I deal with a lot of VMs and each 
> one of those VMs I can easily specify whatever MAC address I want (you 
> really shouldn’t).  But spoofing a MAC while it’s in the early parts of 
> pxe/net boot process is harder (if not impossible), you still shouldn’t 
> use it as the ‘root of trust’.

Yup, I know. Already did it in DOS :)
But stronger authentication either requires TPM or interaction.

-- 
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786