On Fri, 2023-10-06 at 11:18 +0200, Thomas Lange wrote:
> >>>>> On Fri, 06 Oct 2023 21:57:28 +1300, Andrew Ruthven <and...@etc.gen.nz> said:
>
> > This isn't ideal as the secrets are still present in the NFSROOT for a short
> > period of time, but does solve the chicken and egg issue others mentioned
>
> This reminds me of a solution I once saw.
> Put some info into a fifo (named pipe), so only one receiver can read
> it. After that the fifo is empty.
>
> What about having a daemon on the FAI server which serves some secret
> using:
> echo secrect | nc -p 12345 -l
>
> So only one FAI client can read the secret from port 12345 once.
> This may help a little bit.

This could help. It could also do some level of validation of the IP/MAC
that the request is coming from, especially if you've used fai-chboot.
Again not ideal, but better.

The thing I like about my solution is that fcopy just works. :)

Cheers,
Andrew

--
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz         |
Catalyst Cloud:           | This space intentionally left blank
https://catalystcloud.nz  |
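
The serve-once daemon discussed in this thread, combined with the source-IP check, as an added example that is not part of the original messages or of FAI. The function names, the allowlist and the secret value are assumptions made up for illustration, and only the IP half of the IP/MAC validation is shown.

```python
import socket
import threading

def serve_secret_once(secret, allowed_ips, host="127.0.0.1", port=0):
    """Give `secret` to the first client whose source IP is allowed, then stop.

    Returns (bound_port, thread, result); result records who was served
    and which source IPs were turned away.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    bound_port = srv.getsockname()[1]
    result = {"served_to": None, "rejected": []}

    def loop():
        with srv:
            while result["served_to"] is None:
                conn, (ip, _) = srv.accept()
                with conn:
                    if ip not in allowed_ips:
                        # Unknown host: record it and drop the connection.
                        # The secret is still available to the real client.
                        result["rejected"].append(ip)
                        continue
                    conn.sendall(secret)
                    result["served_to"] = ip
        # Listener is closed here, so any later connect is refused.

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return bound_port, thread, result

def fetch(host, port, timeout=2.0):
    """Client side: read until the server closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        chunks = []
        while (data := c.recv(4096)):
            chunks.append(data)
        return b"".join(chunks)

if __name__ == "__main__":
    # Constructed demo values: loopback stands in for the install client.
    port, thread, result = serve_secret_once(b"constructed-secret\n", {"127.0.0.1"})
    print(fetch("127.0.0.1", port))
    thread.join(2)
    print(result)
```

Like the nc one-liner, this sends the secret unencrypted and trusts the source address, so it sits at the "not ideal, but better" level described above.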