lyst Cloud: | This space intentionally left blank
https://catalystcloud.nz |
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
Oggetto: Re: FAI + SaltStack anybody?
Moin,
On Thu, Oct 05, 2023 at 02:59:40PM +0200, Diego Zuccato wrote:
> Does someone use FAI to install the base system that will be managed by
> Salt?
Do you have a concrete reason for introducing Salt on top of FAI?
FAI can be used to do most of your configu
(that would be
needed anyway to disable netboot once system is reinstalled)?
TIA.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
re.
I like even less that the private key is passed from FAI to the target,
I'd prefer to only pass back the pubkey.
Does that help a bit?
Yes, tks.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 401
'em. Could
trigger a script that uses salt-cloud to provision the node...
Too many ideas :)
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
I, there's no reason to
auto accept a new key: it could be anybody!
Does FAI use protected connections (given that usually there's no
available "root of trust" stronger than the MAC address...) to the
machine being installed?
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi In
.
Then on Salt master all you have to do is approve the new connections as they
come online.
I'd have to approve on *both* masters. :(
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
ion either requires TPM or interaction.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
FAI server which serves some secrect
using:
echo secrect | nc -p 12345 -l
So only one FAI client can read the secrect from port 12345 once.
This may help a little bit.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pi
ey before the reboot) and knows it can trust that key.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
> How about having task_repository check for another file, say
> package_config/CLASS.gpg_dest that'd allow us to specify where to copy
> package_config/CLASS.gpg to?
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università
installed SO w/o any interaction, while
specifying 'reboot' seems to suggest that it reboots also in case of
errors).
Tks.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.:
ter-wipefs/394999#394999
HIH.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
some cases generate passwords (root and encrypted filesystems)
during build and have those emailled with GPG encryption to the relevant
parties.
Cheers,
Andrew
On Thu, 2022-07-07 at 08:35 +0200, Diego Zuccato wrote:
Hi Andrew.
That's an option, but is seems less secure: while PXE net have
good just for very small "secrets"
(that gets transferred in the clear, hence the need to reconfigure the
switches).
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
there's not much space... I's good just for very small "secrets"
(that gets transferred in the clear, hence the need to reconfigure the
switches).
--
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz |
Catalyst Cloud: | This space intentionally left blank
https:
ng install and 'reboot'
instructs FAI to reboot at the end of the installation process instead
of waiting for someone to press 'enter'.
Robert
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna -
his ensures that the disk gets
completely wiped and no partition is preserved, even if you have a
'preserve' statement in your disk_config.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
stallation processes and flagging abnormal activities. This
would not prevent successful attacks, but possible breaches could be patched
up, eg keys replaced afterwards.
This seems harder.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
Hello all.
What's the recommended way to deploy (or re-deploy) security-sensitive
objects (just to say one: private ssh key to avoid client warnings when
redeploying a server)?
TIA
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di
is
actually useful...
GPG encrypted tarballs can be a good solution if there's a trusted
person that can insert the password (or a tpm that can decrypt it) to
complete the install...
Diego
Il 13/12/2022 20:44, Andrew Ruthven ha scritto:
Hey,
On Tue, 2022-12-13 at 14:47 +0100, Diego Zuccato wrote
/msg07955.html
[2] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08003.html
[3] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08005.html
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2
rypt the needed secret files using machine's TPM and tranfer
encrypted files to FAI
- in case of reinstall, FAI transfers encrypted files to the machine and
runs clevis decrypt to restore 'em
That's just a rough idea. Any evident issues?
Diego
Il 16/01/2023 14:12, Diego Zuccato ha scritto:
"Congratulations! No errors found in log files" but
task_faiend still prompts for Enter key to reboot.
What did I miss? Specifying "reboot" flag seems wrong, since it forces
reboot even in case of errors, IIUC.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi In
calling fai-chboot and just not
bothering about DHCP ?
Diego
Il 07/06/2023 09:57, Andrew Ruthven ha scritto:
Hey,
On Wed, 2023-06-07 at 09:45 +0200, Diego Zuccato wrote:
IIUC hooks are run on the system being installed, so I could use LAST
hook to somehow signal FAI host to run "fai-chbo
FAI host to run "fai-chboot -d host". But that
would leave DHCP server sending a DHCP OFFER for a PXE boot that's been
disabled. Maybe I'm reinventing the wheel, but couldn't find anything.
Any hints?
TIA.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma M
Tks.
Quite clear & useful.
Diego
Il 07/06/2023 12:57, Andrew Ruthven ha scritto:
On Wed, 2023-06-07 at 10:05 +0200, Diego Zuccato wrote:
Hi Andrew.
That would be OK, but I don't need (and it's actually undesirable) to
reinstall at every reboot: one of the systems actually requires an e
Seems I still missed the little patch that have to be applied to
savelog.LAST.sh hook (adding "export flag_reboot=1" after printing the
congrats message).
Diego
Il 08/06/2023 15:22, Diego Zuccato ha scritto:
Hi.
I just noticed that FAI installs were waiting at the end because of
i, 19 Jan 2024 09:03:57 +0100, Diego Zuccato said:
> Hello all.
> It's not too unusual that sometimes disks get recognized in a different
> order across reboots.
> How can I make sure I'm repartitioning the right disk and not another
> one containing data
sk2".
If it's not currently supported, it shouldn't be too hard to add to
20-hwdetect.sh (I can do it and share the result, if someone is
interested). But if it's already supported, better to use the official
method. :)
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
"$newlist" ]; then
echo New disklist: $newlist
echo disklist=\"$newlist\" >> $LOGDIR/additional.var
fi
This script writes the new valuespf disklist to
$LOGDIR/additional.var. Then FAI will parse it and sets the new value
for disklist before calling setup-storage.
to the current one, to avoid breaking the working setup).
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
Tks for the fast answer.
I'll have to dig a bit deeper (never used debootstrap explicitly), so it
will take a bit more to fully understand.
Diego
Il 16/01/2024 10:43, Henning Glawe ha scritto:
Moin,
On Tue, Jan 16, 2024 at 10:22:42AM +0100, Diego Zuccato wrote:
Is it possible to use
specified class BOOKWORM64. Surely I've messed up something.
Work for tomorrow :)
Tks for all the help!
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
rch for basefiles.
We set a class of $RELEASE_$ARCH and use that to select the basefile.
Cheers,
Andrew
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
Il 17/01/2024 10:55, Andrew Ruthven ha scritto:
On Wed, 2024-01-17 at 09:06 +0100, Diego Zuccato wrote:
I copied DEBIAN.var to BOOKWORM64.var, then changed the var to
release=bookworm .
It'll depend on what you're using as in our profile as well. You need to
have a class set that matches
Il 16/01/2024 16:20, Robert Markula ha scritto:
Am 16.01.24 um 16:13 schrieb Diego Zuccato:
But now the install is saying that it's downloading bullseye packages
even if I specified class BOOKWORM64. Surely I've messed up something.
Work for tomorrow :)
Have a look at your class/DEBIAN file
ificates have not yet been
installed.
How can I have ca-certificates installed when the repository gets added?
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
attempting to install
it too soon.
Uff. Work for tomorrow...
Tks for all the hints!
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
/etc/apt/sources
does *not* touch /etc/apt/sources.list.d/, right?
Diego
Il 17/01/2024 17:10, Markus Köberl ha scritto:
On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
Il 17/01/2024 14:15, Carsten Aulbert ha scritto:
How can I have ca-certificates installed when the repository
install ca-
certificates. Probably updatebase.SALT - or better,
updatebase.CACERTIFICATES and have SALT set CACERTIFICATES
Cheers,
Andrew
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
get update
$ROOTCMD apt-get install -y salt-minion
-8<--
Finally it seems to work as expected.
Thanks again!
Diego
Il 18/01/2024 08:23, Diego Zuccato ha scritto:
IIUC that's the same as adding 'em to the basefile. Every time an
install errors out, basefile/nfsroot must be regenerated to i
"preserved partition /dev/sda7 does not end
at a cylinder boundary, parted may fail to restore the partition"
messages in error.log... "disk_config" line have "align-at:1M", isn't it
enough?
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mate
vers have NVMe drives that should be used for operating
system disks, which is why they can be skipped.
Although I see a stale comment in there now about the NVMe disks. Ah well.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.l
, Thomas Lange ha scritto:
On Fri, 19 Jan 2024 15:33:02 +0100, Diego Zuccato said:
> But it seems it doesn't get mounted (at least a custom script did not
> find it mounted). I don't know FAI internals enough :(
This mounting of a partition labeled MY-DATA will only work from FAI
6.2,
8<--
And 99-disklist.d/fast00 (the host I'm installing) contains:
-8<--
#!/bin/bash
#filter='scsi-*'
#newlist='sdt '
. /usr/lib/fai/subroutines
newlist=$(smallestdisk)
-8<--
Hope it can be useful for others.
Diego
Il 22/02/2024 09:02, Diego Zuccato ha scritto:
I think there's a bug (w
46 matches
Mail list logo
