FAI + SaltStack anybody?

Matthew Pounsett matt at conundrum.com
Fri Oct 6 18:33:48 CEST 2023


On Thu, Oct 5, 2023 at 9:00 AM Diego Zuccato <diego.zuccato at unibo.it> wrote:
>
> My current idea is to use Salt to orchestrate the install, but maybe
> it's better left to FAI? How can I "pass around" minion key so I don't
> have to manually re-approve the new key every time?

This is how we manage it.  FAI knows what our "base server" should
look like in terms of how we partition disks, and what network
interfaces get used for what.  The only package beyond the base OS
that it installs is salt-minion, and it puts in place our
/etc/salt/minion.d/* files.   On first boot, the minion tries to join
the master, and we approve the new key there manually.  The first
highstate takes care of adding our site standard base packages,
configuration, etc.

In our case manually approving the minion key on the master is a small
extra step, but I can see how, if you're doing dozens of servers a day,
or if you have a strong motive for completely unattended reinstalls
(fire and forget), having to approve the minion's key would be a
problem.

Someone has suggested something like this up-thread, but I think the
only way you're going to eliminate that step is if you push a keypair
to the minion from FAI, and then have FAI share the public key with
the master.  You're probably not going to be able to get the minion to
start up and do its thing properly until the system boots, and by that
time I think you've lost any opportunity to transfer its public key
securely without a manual approval step.   You could store the public
keys that FAI generates in a repository on the FAI server, and have it
trigger a Salt webhook to tell the master when it needs to retrieve
and install new ones.
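The pre-seeding approach sketched above, written out as an added shell example (not the poster's own scripts, and not FAI or Salt project code): the keypair is generated at install time, placed in the minion's pki directory on the target root, and the public key is filed in a repository under the minion id in the same layout the master keeps in /etc/salt/pki/master/minions, so the master treats it as already accepted once that directory is synced. The pki paths and the "accepted key named after the minion id" convention are standard Salt layout; using openssl instead of `salt-key --gen-keys`, the TARGET_ROOT/MASTER_ROOT prefixes, and the minion.d/fai.conf file name are assumptions made so this runs without Salt installed.

```shell
#!/bin/sh
# Pre-seed a Salt minion key at install time so first boot needs no `salt-key -a`.
# Assumptions (not from the post): openssl generates the keys, TARGET_ROOT is the
# chroot FAI is installing into, MASTER_ROOT is a staging repo on the FAI server
# mirroring the master's /etc/salt/pki/master layout, conf file is minion.d/fai.conf.
set -eu

# Accepted-key path on the master for a minion id: pki/master/minions/<id>
master_accepted_path() {   # master_accepted_path MASTER_ROOT MINION_ID
    printf '%s/etc/salt/pki/master/minions/%s\n' "$1" "$2"
}

# Minion-side key directory under the target root
minion_pki_dir() {         # minion_pki_dir TARGET_ROOT
    printf '%s/etc/salt/pki/minion\n' "$1"
}

# Generate a 2048-bit RSA pair as PEM; salt-minion reads minion.pem/minion.pub here.
# Private key is created under umask 077 so it never exists world-readable.
gen_minion_keys() {        # gen_minion_keys PKI_DIR
    mkdir -p "$1"
    ( umask 077
      openssl genrsa -out "$1/minion.pem" 2048 2>/dev/null
      openssl rsa -in "$1/minion.pem" -pubout -out "$1/minion.pub" 2>/dev/null )
    chmod 0600 "$1/minion.pem"
    chmod 0644 "$1/minion.pub"
}

# File the public key as already-accepted, named after the minion id.
# Prints the destination path so callers (and tests) can check it.
stage_on_master() {        # stage_on_master MASTER_ROOT MINION_ID PUBFILE
    dest=$(master_accepted_path "$1" "$2")
    mkdir -p "$(dirname "$dest")"
    cp "$3" "$dest"
    chmod 0644 "$dest"
    printf '%s\n' "$dest"
}

# Drop the minion.d fragment that pins the minion id and master address
write_minion_conf() {      # write_minion_conf TARGET_ROOT MINION_ID MASTER_FQDN
    mkdir -p "$1/etc/salt/minion.d"
    printf 'id: %s\nmaster: %s\n' "$2" "$3" > "$1/etc/salt/minion.d/fai.conf"
}

# Whole flow for one host, run from an FAI hook: keys into the target,
# config into the target, public key into the staging repo for the master.
preseed_host() {           # preseed_host TARGET_ROOT MASTER_ROOT MINION_ID MASTER_FQDN
    pki=$(minion_pki_dir "$1")
    gen_minion_keys "$pki"
    write_minion_conf "$1" "$3" "$4"
    stage_on_master "$2" "$3" "$pki/minion.pub"
}

case "${1:-}" in
    preseed) preseed_host "$2" "$3" "$4" "$5" ;;
esac
```

Usage: `sh preseed.sh preseed /target /srv/fai/salt-keys web01.example salt.example` from an FAI hook, then whatever syncs /srv/fai/salt-keys/etc/salt/pki/master/minions onto the master (the webhook the post mentions, or a plain rsync over SSH) effectively performs the key acceptance. The master trusts any file that appears in that directory, so that sync path is now the trust boundary and needs the same access control and auditing as the master's own pki tree.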


More information about the linux-fai mailing list