FAI + SaltStack anybody?

Rémy Dernat remy.d1 at gmail.com
Tue Oct 24 20:13:07 CEST 2023


Hi,

I did not read this whole thread, but yes, here we are currently managing
a FAI server through SaltStack. It configures pxelinux files and my DHCP
server. FAI rootfs installs the SaltStack repository with a script class,
and my SaltStack server auto-accepts keys from known hostnames through a
SaltStack reactor or orchestrator, depending on the machine. When the key
is accepted, a highstate is deployed to finish the install when the
orchestrator is launched. All my machine configurations are stored in the
SaltStack pillars. Those pillars contain the SaltStack minion's name, the
hostname, the MAC address, the IP address, the boot state and some other
useful information. When a machine is finally installed, the orchestrator
changes the value "boot" in my pillar corresponding to the machine to "OS"
instead of "install" and the value is deployed to the tftp FAI server to
change the pxelinux file like fai-chboot would have done with states tftp
and dhcp.
When a machine needs to be reinstalled, the orchestrator starts by changing its
boot state, deploys the tftp state, reboots the machine and removes the key.
Then the machine is installed; there is a big timeout in order to wait for
the reinstall. Then the machine tries to reconnect to the machine "salt",
the key is auto-accepted, highstate is deployed, etc.


The problem with the orchestrator is that it is only one machine at a
time, contrary to a fully reactor system.


Hope it helps,

Best regards,
Rémy

On Wed, 11 Oct 2023, 13:33, Markus Köberl via linux-fai <
linux-fai at uni-koeln.de> wrote:

> This message was wrapped to be DMARC compliant. The actual message
> text is therefore in an attachment.
>
>
> ---------- Forwarded message ----------
> From: "Markus Köberl" <markus.koeberl at tugraz.at>
> To: linux-fai at uni-koeln.de
> Cc:
> Bcc:
> Date: Wed, 11 Oct 2023 13:32:46 +0200
> Subject: Re: FAI + SaltStack anybody?
> On Thursday, 5 October 2023 14:59:40 CEST Diego Zuccato wrote:
> > Hello all.
> >
> > Does someone use FAI to install the base system that will be managed by
> > Salt?
> > I'm trying to integrate 'em but there's still something that doesn't
> > "click"...
> >
> > My current idea is to use Salt to orchestrate the install, but maybe
> > it's better left to FAI? How can I "pass around" minion key so I don't
> > have to manually re-approve the new key every time?
> > The ideal scenario would be: target generates its keypair, sends the
> > pubkey to FAI that "certifies" it's from the system being installed and
> > passes it to Salt. Should I write a custom fai-monitor (that would be
> > needed anyway to disable netboot once system is reinstalled)?
> >
> > TIA.
>
> My solution at the moment is non-interactive.
> In classes I have a script which asks for username and password for the
> salt api to save a cookie which is valid for 30 min.
> Later during the fai installation a script uses the cookie to get the salt
> key via the salt api. After the first boot salt is doing the rest...
>
> Instead of using the non-interactive approach I guess you could also
> provide the cookie base64 encoded via boot parameter or dhcp.
>
>
> regards
> Markus
> --
> Markus Koeberl
> Graz University of Technology
> Signal Processing and Speech Communication Laboratory
> E-mail: markus.koeberl at tugraz.at
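
An added example, not part of either message and not the posters' code: a gate for the reactor-based auto-accept described in the reply above, which accepts a pending minion key only while the pillar-style inventory marks that host as being in boot state "install". The inventory layout, the function names and the rule itself are assumptions; the event fields `act` and `id` and the `wheel.key.accept` low data follow Salt's reactor conventions.

```python
# Added example: gate for auto-accepting Salt minion keys during a FAI install.
# Inventory layout and field names are assumptions modelled on the pillar data
# described in the message (minion name, MAC address, boot state).

# Constructed sample inventory, keyed by minion ID.
INVENTORY = {
    "node01.example.org": {"mac": "52:54:00:aa:bb:01", "boot": "install"},
    "node02.example.org": {"mac": "52:54:00:aa:bb:02", "boot": "OS"},
}


def decide(event, inventory, accepted_ids):
    """Return reactor low data that accepts the key, or {} to leave it pending.

    `event` is the data of a salt/auth event; `accepted_ids` is the set of
    minion IDs that already have an accepted key on the master.
    """
    minion_id = event.get("id", "")
    if event.get("act") != "pend":
        return {}  # only pending keys are candidates
    host = inventory.get(minion_id)
    if host is None:
        return {}  # unknown name: never auto-accept
    if host["boot"] != "install":
        return {}  # no (re)install in progress for this host
    if minion_id in accepted_ids:
        return {}  # old key was not removed first: leave it to an operator
    # Same structure a reactor SLS would render for wheel.key.accept.
    return {"accept_key": {"wheel.key.accept": [{"args": [{"match": minion_id}]}]}}


def accepted(result):
    """Minion ID the low data would accept, or None if nothing is accepted."""
    if not result:
        return None
    return result["accept_key"]["wheel.key.accept"][0]["args"][0]["match"]


if __name__ == "__main__":
    for ev in ({"act": "pend", "id": "node01.example.org"},
               {"act": "pend", "id": "node02.example.org"},
               {"act": "pend", "id": "rogue.example.org"}):
        print(ev["id"], "->", accepted(decide(ev, INVENTORY, set())))
```

Setting "boot" back to "OS" once the install finishes, as the orchestrator in the reply does, also closes the window in which a key for that name would be accepted.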