--- Begin Message ---
Hi Diego

It's been a while since I worked with Salt, but IIRC it sounds like what is not "clicking" is that you need to fix the TOFU problem.

Looking back through my notes, it seems https://docs.saltproject.io/en/latest/topics/tutorials/multimaster_pki.html might be worth a read.

In particular, maybe "master_sign_pubkey: True" on the Salt master, "verify_master_pubkey_sign: True" on the minion, and the master pubkeys put in "/etc/salt/pki/minion/" on the minions. Then on the Salt master all you have to do is approve the new connections as they come online.

------- Original Message -------
On Thursday, October 5th, 2023 at 13:59, Diego Zuccato <diego.zucc...@unibo.it> wrote:

> Hello all.
>
> Does someone use FAI to install the base system that will be managed by
> Salt?
> I'm trying to integrate 'em but there's still something that doesn't
> "click"...
>
> My current idea is to use Salt to orchestrate the install, but maybe
> it's better left to FAI? How can I "pass around" minion key so I don't
> have to manually re-approve the new key every time?
> The ideal scenario would be: target generates its keypair, sends the
> pubkey to FAI that "certifies" it's from the system being installed and
> passes it to Salt. Should I write a custom fai-monitor (that would be
> needed anyway to disable netboot once system is reinstalled)?
>
> TIA.
>
> --
> Diego Zuccato
> DIFA - Dip. di Fisica e Astronomia
> Servizi Informatici
> Alma Mater Studiorum - Università di Bologna
> V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
> tel.: +39 051 20 95786
--- End Message ---
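
An added example, not part of the original thread and not Salt's or FAI's own code: a preflight check that an install hook could run against the freshly installed target tree, reporting whether the minion would still accept the first master key it sees. It assumes the default minion paths and the default signing key file name `master_sign.pub` from the linked tutorial, reads only top-level `key: value` lines rather than full YAML, and the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

TRUTHY = {"true", "yes", "on"}  # YAML 1.1 boolean spellings, lower-cased
SIGN_KEY = "etc/salt/pki/minion/master_sign.pub"  # assumed default pki_dir and key name


def top_level_option(root: Path, name: str):
    """Last top-level 'name: value' in etc/salt/minion, then minion.d/*.conf."""
    files = [root / "etc/salt/minion"]
    files += sorted((root / "etc/salt/minion.d").glob("*.conf"))
    value = None
    for path in files:
        if not path.is_file():
            continue
        for line in path.read_text().splitlines():
            # match() anchors at column 0, so commented or nested keys are skipped
            m = re.match(rf"{re.escape(name)}\s*:\s*([^#]*)", line)
            if m:
                value = m.group(1).strip().strip("'\"")
    return value


def tofu_findings(root) -> list:
    """Return reasons this minion would still trust the first master key it sees."""
    root = Path(root)
    findings = []
    flag = top_level_option(root, "verify_master_pubkey_sign")
    if flag is None or flag.lower() not in TRUTHY:
        findings.append("verify_master_pubkey_sign is not enabled")
    key = root / SIGN_KEY
    if not key.is_file():
        findings.append(f"missing {SIGN_KEY}")
    elif "PUBLIC KEY-----" not in key.read_text(errors="replace"):
        # also catches a private key copied to the minion by mistake
        findings.append(f"{SIGN_KEY} is not a PEM public key")
    return findings


if __name__ == "__main__":
    # Constructed target tree: option set, but the signing key was never copied.
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp, "etc/salt/minion.d")
        conf.mkdir(parents=True)
        (conf / "master.conf").write_text("verify_master_pubkey_sign: True\n")
        for finding in tofu_findings(tmp):
            print("FAIL:", finding)
```
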