On 05/10/2023 16:58, Sinh Lam wrote:
> You can essentially establish a 'trust' to auto-accept keys. Then you wouldn't really have to worry about moving the minion keys around. Once your bootstrap/installation is done, have it run a state to remove the key or auto-purge it somehow.

Uh? If the minion is not known to the master, it doesn't receive pillars. And can't interact with the master. Chicken and egg.

> Honestly I would just leave the base install and anything else that needs to be set up to FAI and run salt against the booted up server after FAI is done and the server has been rebooted.
That's what I was planning to do. But without extra "glue" I'm losing context. In particular, if FAI tells Salt "I'm having *this* machine reinstalled and its key is this", then Salt can auto-accept that key. But if the machine is not being reinstalled by FAI, there's no reason to auto-accept a new key: it could be anybody!

Does FAI use protected connections (given that usually there's no available "root of trust" stronger than the MAC address...) to the machine being installed?

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786

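One concrete shape for the "glue" described above, as an added example that is not code from the thread, from Salt or from FAI: FAI records the fingerprint of the key it generated for each machine it reinstalls, and a gate on the master accepts a pending key only when both the minion id and the fingerprint match that record; ids FAI never announced stay pending for a human, and an announced id arriving with a different key is rejected. The pki directory layout, the ticket dict and the fingerprint convention are assumptions made for the example.

```python
# Added example, not from the thread. Assumes the master pki layout
# minions_pre/ (pending), minions/ (accepted), minions_rejected/, and that FAI
# registers {minion_id: fingerprint} for every machine it reinstalls.
# Fingerprint format (sha256 of PEM bytes, colon-separated) is an assumption.
import hashlib
import os
import shutil
import tempfile

def fingerprint(pem: bytes) -> str:
    digest = hashlib.sha256(pem).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def gate_pending_keys(pki_dir: str, install_tickets: dict) -> dict:
    """Accept a pending key only if FAI issued a matching ticket.
    No ticket: stay pending for a human. Ticket but wrong fingerprint:
    reject, since something else is claiming an id FAI is reinstalling."""
    pending = os.path.join(pki_dir, "minions_pre")
    accepted = os.path.join(pki_dir, "minions")
    rejected = os.path.join(pki_dir, "minions_rejected")
    os.makedirs(accepted, exist_ok=True)
    os.makedirs(rejected, exist_ok=True)
    outcome = {}
    for minion_id in sorted(os.listdir(pending)):
        path = os.path.join(pending, minion_id)
        with open(path, "rb") as fh:
            fp = fingerprint(fh.read())
        expected = install_tickets.get(minion_id)
        if expected is None:
            outcome[minion_id] = "pending"
        elif fp == expected:
            shutil.move(path, os.path.join(accepted, minion_id))
            outcome[minion_id] = "accepted"
        else:
            shutil.move(path, os.path.join(rejected, minion_id))
            outcome[minion_id] = "rejected"
    return outcome

def demo() -> dict:
    # Throwaway pki dir holding three constructed pending "keys".
    pki = tempfile.mkdtemp()
    os.makedirs(os.path.join(pki, "minions_pre"))
    keys = {"web01": b"constructed pem web01",  # reinstalled by FAI
            "web02": b"constructed pem web02",  # ticket exists, key differs
            "rogue": b"constructed pem rogue"}  # never announced by FAI
    for mid, pem in keys.items():
        with open(os.path.join(pki, "minions_pre", mid), "wb") as fh:
            fh.write(pem)
    tickets = {"web01": fingerprint(keys["web01"]),
               "web02": fingerprint(b"the key FAI actually generated")}
    result = gate_pending_keys(pki, tickets)
    shutil.rmtree(pki)
    return result
```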