Re: FAI + SaltStack anybody?

2023-10-24 Rémy Dernat
be DMARC compliant. The actual message > text is therefore in an attachment. > > > -- Forwarded message -- > From: "Markus Köberl" > To: linux-fai@uni-koeln.de > Cc: > Bcc: > Date: Wed, 11 Oct 2023 13:32:46 +0200 > Subject: Re: FAI + SaltStack anybody?

Re: FAI + SaltStack anybody?

2023-10-11 Markus Köberl via linux-fai
This message was wrapped to be DMARC compliant. The actual message text is therefore in an attachment. --- Begin Message --- On Thursday, 5 October 2023 14:59:40 CEST Diego

Re: FAI + SaltStack anybody?

2023-10-07 Diego Zuccato
On 06/10/2023 18:33, Matthew Pounsett wrote: You could store the public keys that FAI generates in a repository on the FAI server, and have it trigger a Salt webhook to tell the master when it needs to retrieve and install new ones. I'll have to have a look at webhooks. Didn't considere

Re: FAI + SaltStack anybody?

2023-10-06 Andrew Ruthven
On Fri, 2023-10-06 at 20:02 +0200, Henning Glawe wrote: > p.s.: call me biased, as I implemented ``softupdate`` almost 20 years ago > and use it since then as a configuration manager for a few 1k hosts in > various contexts softupdate is very handy. We used to use it at work (and I still do at

Re: FAI + SaltStack anybody?

2023-10-06 Henning Glawe
Moin, as I mentioned: check ``fai softupdate``, this feature of FAI makes it a configuration manager. Your running system gets updated to the state you define in your FAI config without a downtime. No reinstall required. p.s.: call me biased, as I implemented ``softupdate`` almost 20 years

Re: FAI + SaltStack anybody?

2023-10-06 Matthew Pounsett
On Thu, Oct 5, 2023 at 9:00 AM Diego Zuccato wrote: > > My current idea is to use Salt to orchestrate the install, but maybe > it's better left to FAI? How can I "pass around" minion key so I don't > have to manually re-approve the new key every time? This is how we manage it. FAI knows what

Re: FAI + SaltStack anybody?

2023-10-06 Diego Zuccato
Subject: Re: FAI + SaltStack anybody? Moin, On Thu, Oct 05, 2023 at 02:59:40PM +0200, Diego Zuccato wrote: > Does someone use FAI to install the base system that will be managed by > Salt? Do you have a concrete reason for introducing Salt on top of FAI? FAI can be used to do most of your configu

Re: FAI + SaltStack anybody?

2023-10-06 Holger Levsen
On Fri, Oct 06, 2023 at 05:21:30PM +0200, Henning Glawe wrote: > Do you have a concrete reason for introducing Salt on top of FAI? I don't wanna speak for the original poster, but your question sounds a bit like "Do you have a concrete reason for introducing LibreOffice on top of this Unix system

Re: FAI + SaltStack anybody?

2023-10-06 Henning Glawe
Moin, On Thu, Oct 05, 2023 at 02:59:40PM +0200, Diego Zuccato wrote: > Does someone use FAI to install the base system that will be managed by > Salt? Do you have a concrete reason for introducing Salt on top of FAI? FAI can be used to do most of your configuration management via ``fai

Re: FAI + SaltStack anybody?

2023-10-06 Diego Zuccato
On 06/10/2023 15:15, Johan Beisser wrote: With that, on the salt-master, either autoaccept, or find a way to place the minion's public key in `/etc/salt/pki/master/minions/` and that will bypass the key acceptance entirely. Keys, inside of salt, are just managing where the file sits

Re: FAI + SaltStack anybody?

2023-10-06 Johan Beisser
> On Oct 6, 2023, at 10:59, Diego Zuccato wrote: > > On 06/10/2023 10:36, Sinh Lam wrote: >> With the above said, I do not see what you mean there is a chicken and the >> egg problem. > > To approve a minion key, Salt does have to trust the request is coming from > the right minion,

Re: FAI + SaltStack anybody?

2023-10-06 Andrew Ruthven
On Fri, 2023-10-06 at 11:18 +0200, Thomas Lange wrote: > On Fri, 06 Oct 2023 21:57:28 +1300, Andrew Ruthven said: > > This isn't ideal as the secrets are still present in the NFSROOT for a short period of time, but does solve the chicken and egg issue others

Re: FAI + SaltStack anybody?

2023-10-06 Andrew Ruthven
On Fri, 2023-10-06 at 11:36 +0200, Diego Zuccato wrote: > I really like it a lot! > Not bulletproof but more secure than a file. > > Still no way to have "hooks" run on FAI server? We kind of do this, we call it Semi Automatic Installer (SAI). But the problem is that you still need to have some

Re: FAI + SaltStack anybody?

2023-10-06 Diego Zuccato
I really like it a lot! Not bulletproof but more secure than a file. Still no way to have "hooks" run on FAI server? Diego On 06/10/2023 11:18, Thomas Lange wrote: On Fri, 06 Oct 2023 21:57:28 +1300, Andrew Ruthven said: > This isn't ideal as the secrets are still present in the

Re: FAI + SaltStack anybody?

2023-10-06 Thomas Lange
On Fri, 06 Oct 2023 21:57:28 +1300, Andrew Ruthven said: > This isn't ideal as the secrets are still present in the NFSROOT for a short period of time, but does solve the chicken and egg issue others mentioned This reminds me of a solution I once saw. Put some info into a

Re: FAI + SaltStack anybody?

2023-10-06 Diego Zuccato
On 06/10/2023 10:36, Sinh Lam wrote: Reading through your original post - I think there might be some confusion as to what SaltStack does and what FAI does (if not, I apologize). SaltStack is a configuration management tool that is normally used to ensure the target minion's

Re: FAI + SaltStack anybody?

2023-10-06 Andrew Ruthven
On Fri, 2023-10-06 at 06:47 +0200, Diego Zuccato wrote: > On 05/10/2023 15:54, Laura Smith via linux-fai wrote: > > It's been a while since I worked with Salt, but IIRC it sounds like what > > is not "clicking" is that you need to fix the TOFU problem. > > Actually there are 2 distinct

Re: FAI + SaltStack anybody?

2023-10-06 Sinh Lam
Reading through your original post - I think there might be some confusion as to what SaltStack does and what FAI does (if not, I apologize). SaltStack is a configuration management tool that is normally used to ensure the target minion's configuration is exactly as it should, while FAI is a

Re: FAI + SaltStack anybody?

2023-10-05 Diego Zuccato
On 05/10/2023 16:58, Sinh Lam wrote: You can essentially establish a ’trust’ to auto-accept keys. Then you wouldn’t really have to worry about moving the minion keys around. Once your bootstrap/installation is done, have it run a state to remove the key or auto-purge it somehow. Uh?

Re: FAI + SaltStack anybody?

2023-10-05 Diego Zuccato
On 05/10/2023 15:54, Laura Smith via linux-fai wrote: It's been a while since I worked with Salt, but IIRC it sounds like what is not "clicking" is that you need to fix the TOFU problem. Actually there are 2 distinct problems: - pass the pubkey from the minion to FAI during the install

Re: FAI + SaltStack anybody?

2023-10-05 Sinh Lam
You can essentially establish a ’trust’ to auto-accept keys. Then you wouldn’t really have to worry about moving the minion keys around. Once your bootstrap/installation is done, have it run a state to remove the key or auto-purge it somehow. Honestly I would just leave the base install and

Re: FAI + SaltStack anybody?

2023-10-05 Laura Smith via linux-fai
This message was wrapped to be DMARC compliant. The actual message text is therefore in an attachment. --- Begin Message --- Hi Diego It's been a while since I worked with Salt,

Re: FAI + SaltStack anybody?

2023-10-05 Diego Zuccato
On 05/10/2023 15:17, Carsten Aulbert wrote: we usually try with the hardware level configuration being the "border", i.e. everything related to partitioning, initial OS install, at least initial networking set-up is done with FAI (well, and salt is installed configured as well). Ok,

Re: FAI + SaltStack anybody?

2023-10-05 Carsten Aulbert
Hi Diego, On 10/5/23 14:59, Diego Zuccato wrote: Does someone use FAI to install the base system that will be managed by Salt? I'm trying to integrate 'em but there's still something that doesn't "click"... My current idea is to use Salt to orchestrate the install, but maybe it's better