On 9 Feb 2010, at 4:59 pm, John G. Heim wrote:

> Hi,
>
> I am trying to configure our automatic linux install system (Fully Automated Install or FAI) to do a minimal debian linux install and then to run cfengine to install all of the config files and additional packages. I already have cfengine to do stuff like copying an ntp.conf file to the linux client and install the ntp package. This all works as intended stand-alone. I mean that I can make a change to the ntp.conf file on the server and all the cfengine clients automatically download it.
>
> I have a couple of problems; the biggest is that I don't know how to get the cfengine server to know that when I'm doing a reinstall, it has to accept a new key. When I run cfagent on the new install, it generates an error message that says the keys don't match. If I delete the key from the server, it works. I guess I'm asking how to break the security on cfagent just for reinstalls.
>
> The second problem is that only some of the packages get installed when I run cfagent on the client. If I run it 3 or 4 times, eventually, they all get installed. Perhaps this is an apt system question but I was hoping someone on this list had dealt with this problem before.
The way I get around this is that the run during FAI installation doesn't use the policy server (at least directly). cfagent runs on the FAI server, and makes a copy of the current policy within FAI's config tree. This is then available to the target machine as it's being installed, and cfagent is quite happy.

It still doesn't quite get around the key problem (which you presumably also get with your SSH keys, since FAI creates a new ssh key on reinstallation). I've never got around to fixing this properly myself. There are two methods that I can think of:

1) This version will make the security people scream: have all FAI-installed machines use the same key. A reinstallation doesn't cause a problem then. Since only FAI can put the key there, you'll still notice if someone reinstalls the machine some other way, so it's not a *total* security disaster. In our case, our FAI config server and our cfengine policy server are [usually] the same machine, so any key it puts in place ought to be trusted.

2) Put some hooks into FAI so that very early in the process, before the filesystem is recreated, you mount the old root fs, temporarily make a copy of the key files in the tmpfs /tmp, and then put them back after the machine has been rebuilt.

The FAI people, if you ask them, will almost certainly tell you not to reinstall machines, but to use softupdate instead. If it's the same machine, then softupdate should be all you need to keep it up to date. If it's a reinstall, then it's arguable that it's no longer the same machine, and it's correct behaviour to change the host keys.

Regards,

Tim

--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
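The second method above (stash the old host keys in tmpfs before FAI repartitions, put them back after the rebuild) as an added shell example; this is not code from the thread, from FAI or from cfengine. It assumes a cfengine 2 style key location under `var/cfengine/ppkeys/` plus the sshd host keys, that the hook has already mounted the old root somewhere (the mount itself is left to the hook), and FAI's `$target` variable for the new root; check all three against your FAI and cfengine versions. It records a checksum manifest so a truncated or altered copy is refused on restore, keeps the stash unreadable to other users, forces strict modes on the private halves, and wipes the stash afterwards so no private key is left lying in `/tmp`.

```shell
#!/bin/sh
# Constructed example: preserve host identity keys across an FAI reinstall.
# Key paths, the tmpfs stash location and the use of $target are assumptions
# about a typical FAI + cfengine 2 layout, not taken from the original thread.
set -eu

# Files whose identity should survive a reinstall
# (cfengine 2 ppkeys and the sshd host key pair).
KEY_FILES="var/cfengine/ppkeys/localhost.priv
var/cfengine/ppkeys/localhost.pub
etc/ssh/ssh_host_rsa_key
etc/ssh/ssh_host_rsa_key.pub"

# save_host_keys OLDROOT STASH
# Copy each key file present under OLDROOT into STASH (a tmpfs such as /tmp),
# preserving mode, and write a sha256 manifest so the restore step can detect
# a damaged or altered copy. Prints the number of files stashed.
save_host_keys() {
    oldroot=$1; stash=$2
    umask 077                          # stash holds private keys: owner-only
    mkdir -p "$stash"
    : > "$stash/MANIFEST"
    for f in $KEY_FILES; do
        [ -f "$oldroot/$f" ] || continue
        mkdir -p "$stash/$(dirname "$f")"
        cp -p "$oldroot/$f" "$stash/$f"
        (cd "$stash" && sha256sum "$f") >> "$stash/MANIFEST"
    done
    wc -l < "$stash/MANIFEST" | tr -d ' '
}

# restore_host_keys STASH NEWROOT
# Verify the manifest, copy the keys into NEWROOT, force strict permissions on
# the private halves, then remove the stash. Returns 1 (restoring nothing) if
# the stash is empty or any checksum fails.
restore_host_keys() {
    stash=$1; newroot=$2
    [ -s "$stash/MANIFEST" ] || { echo "nothing to restore" >&2; return 1; }
    (cd "$stash" && sha256sum -c --quiet MANIFEST) \
        || { echo "stash integrity check failed" >&2; return 1; }
    while read -r _hash f; do
        mkdir -p "$newroot/$(dirname "$f")"
        cp -p "$stash/$f" "$newroot/$f"
        case "$f" in
            *.pub) chmod 0644 "$newroot/$f" ;;
            *)     chmod 0600 "$newroot/$f" ;;   # private key material
        esac
    done < "$stash/MANIFEST"
    rm -rf "$stash"                    # do not leave private keys in tmpfs
}

# Usage from two FAI hooks (assumed paths):
#   save_host_keys /mnt/oldroot /tmp/keystash     # before partitioning
#   restore_host_keys /tmp/keystash "$target"     # after the base install
case "${1:-}" in
    save)    save_host_keys "${2:?oldroot}" "${3:?stash}" ;;
    restore) restore_host_keys "${2:?stash}" "${3:?newroot}" ;;
esac
```

The manifest check is what separates this from a plain `cp` back and forth: the stash sits in a world-writable directory between the two hooks, so the restore step only trusts files whose digests still match what the save step wrote.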
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine