Re: FAI + SaltStack anybody?
On 05/10/2023 16:58, Sinh Lam wrote:
> You can essentially establish a ’trust’ to auto-accept keys. Then you wouldn’t really have to worry about moving the minion keys around. Once your bootstrap/installation is done, have it run a state to remove the key or auto-purge it somehow.

Uh? If the minion is not known to the master, it doesn't receive pillars. And can't interact with the master. Chicken and egg.

> Honestly I would just leave the base install and anything else that needs to be set up to FAI and run salt against the booted up server after FAI is done and the server has been rebooted.

That's what I was planning to do. But without extra "glue" I'm losing context. In particular if FAI tells Salt "I'm having *this* machine reinstalled and its key is this" then Salt can auto-accept that key. But if the machine is not being reinstalled by FAI, there's no reason to auto accept a new key: it could be anybody!

Does FAI use protected connections (given that usually there's no available "root of trust" stronger than the MAC address...) to the machine being installed?

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
Re: FAI + SaltStack anybody?
On 05/10/2023 15:54, Laura Smith via linux-fai wrote:
> It's been a while since I worked with Salt, but IIRC it sounds like what is not "clicking" is that you need to fix the TOFU problem.

Actually there are 2 distinct problems:
- pass the pubkey from the minion to FAI during the install (possibly in an authenticated way)
- authorize that key in Salt from FAI

> Looking back through my notes, it seems https://docs.saltproject.io/en/latest/topics/tutorials/multimaster_pki.html might be worth a read.

I don't understand. In my scenario, FAI is not a Salt master. And I don't see how making it one could help. It would only double the burden.

> In particular, maybe "master_sign_pubkey: True" on the Salt master, "verify_master_pubkey_sign: True" on the minion, and the master pubkeys put in "/etc/salt/pki/minion/" on the minions. Then on Salt master all you have to do is approve the new connections as they come online.

I'd have to approve on *both* masters. :(

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
Re: ypbind not enabled after installation
Hi,

On Thu, Oct 05, 2023 at 05:22:57PM +0200, Julien Vion via linux-fai wrote:
> I tried that in script/NIS/90-misc:
>
> /lib/systemd/systemd-sysv-install enable ypbind
> ln -s /lib/systemd/system/ypbind.service /etc/systemd/system/multi-user.target.wants/ypbind.service
>
> I have this error during install:
> error: initscript does not exist: /etc/init.d/ypbind

Looks like a missing prefix ``$ROOTCMD`` in your ``90-misc`` lines. During FAI install, $ROOTCMD expands to ``chroot $FAI_ROOT``, while on softupdates it is empty.

Background info:
- When doing the initial install, your target 'root' and its children are mounted in a subdir of your current root (which is usually the nfsroot), so a ``chroot ...`` is required to work
- when running ``fai softupdate``, you are working on ``/``, so the chroot is not required
- using the $ROOTCMD prefix for everything to be run inside the target system catches both cases in a convenient and readable way

--
Kind regards
Henning Glawe

Dr. Henning Glawe
Max-Planck-Institut für Struktur und Dynamik der Materie
Geb. 99 (CFEL), Luruper Chaussee 149, 22761 Hamburg, Germany
http://www.mpsd.mpg.de/, Email: henning.gl...@mpsd.mpg.de
Building/Room: 99/O2.100, Phone: +49-40-8998-88392
Re: ypbind not enabled after installation
Hi,

On Thursday, 05 October 2023 at 16:50 +0200, Thomas Lange wrote:
> But systemctl enable only creates a symlink, so ln -s should help.

I tried that in script/NIS/90-misc:

/lib/systemd/systemd-sysv-install enable ypbind
ln -s /lib/systemd/system/ypbind.service /etc/systemd/system/multi-user.target.wants/ypbind.service

I have this error during install:
error: initscript does not exist: /etc/init.d/ypbind

Somehow the link is not here upon reboot, but /etc/init.d/ypbind is.

Yours,
--
Julien Vion
Associate Professor (Maître de conférences)
Head of the Computer Science Department
IUT de Valenciennes/Cambrai/Maubeuge
LAMIH CNRS
Université Polytechnique Hauts de France
Re: FAI + SaltStack anybody?
You can essentially establish a ’trust’ to auto-accept keys. Then you wouldn’t really have to worry about moving the minion keys around. Once your bootstrap/installation is done, have it run a state to remove the key or auto-purge it somehow.

Honestly I would just leave the base install and anything else that needs to be set up to FAI and run salt against the booted up server after FAI is done and the server has been rebooted.

On October 5, 2023 at 6:54:51 AM, Laura Smith via linux-fai (linux-fai@uni-koeln.de) wrote:
> Hi Diego
>
> It's been a while since I worked with Salt, but IIRC it sounds like what is not "clicking" is that you need to fix the TOFU problem.
>
> Looking back through my notes, it seems https://docs.saltproject.io/en/latest/topics/tutorials/multimaster_pki.html might be worth a read.
>
> In particular, maybe "master_sign_pubkey: True" on the Salt master, "verify_master_pubkey_sign: True" on the minion, and the master pubkeys put in "/etc/salt/pki/minion/" on the minions. Then on Salt master all you have to do is approve the new connections as they come online.
>
> --- Original Message ---
> On Thursday, October 5th, 2023 at 13:59, Diego Zuccato <diego.zucc...@unibo.it> wrote:
>
>> Hello all.
>>
>> Does someone use FAI to install the base system that will be managed by Salt?
>> I'm trying to integrate 'em but there's still something that doesn't "click"...
>>
>> My current idea is to use Salt to orchestrate the install, but maybe it's better left to FAI? How can I "pass around" minion key so I don't have to manually re-approve the new key every time?
>> The ideal scenario would be: target generates its keypair, sends the pubkey to FAI that "certifies" it's from the system being installed and passes it to Salt. Should I write a custom fai-monitor (that would be needed anyway to disable netboot once system is reinstalled)?
>>
>> TIA.
>>
>> --
>> Diego Zuccato
>> DIFA - Dip. di Fisica e Astronomia
>> Servizi Informatici
>> Alma Mater Studiorum - Università di Bologna
>> V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
>> tel.: +39 051 20 95786
Re: ypbind not enabled after installation
> On Thu, 05 Oct 2023 16:04:58 +0200, Julien Vion via linux-fai said:
> Somehow, "systemctl enable" in the script does not work.

Currently FAI does not start systemd during the installation. That's why a systemctl call in a script cannot work. But systemctl enable only creates a symlink, so ln -s should help.

The next FAI version will use systemd during the installation.

--
regards Thomas
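Henning Glawe's point upthread (prefix anything that runs inside the target with $ROOTCMD) and Thomas's "ln -s should help" suggestion, written out as a FAI hook script for scripts/NIS/90-misc. This is an added example, not code from the thread, from FAI or from the Debian ypbind package; it assumes FAI's exported $target, $ROOTCMD and $FAI_ACTION variables and gives $target/$ROOTCMD stand-in defaults so the functions can also be exercised outside an install.

```shell
#!/bin/bash
# Added example for scripts/NIS/90-misc; not from the thread or from FAI.
# FAI exports $target (mount point of the system being installed), $ROOTCMD
# ("chroot $FAI_ROOT" on install, empty on "fai softupdate") and $FAI_ACTION.
# The defaults below are stand-ins so the file also runs outside FAI.
: "${target:=/}"
: "${ROOTCMD:=}"

# Create the symlink "systemctl enable" would create, but relative to $target,
# since systemd is not running during the install. Returns 1 when the unit
# is not installed in the target: linking it anyway would leave a dangling
# link that systemd silently ignores after the reboot.
enable_unit() {
    unit="$1"
    wanted_by="${2:-multi-user.target}"
    root="${3:-$target}"
    if [ ! -e "$root/lib/systemd/system/$unit" ] && [ ! -e "$root/usr/lib/systemd/system/$unit" ]; then
        echo "90-misc: $unit is not installed under $root" >&2
        return 1
    fi
    wants="$root/etc/systemd/system/$wanted_by.wants"
    mkdir -p "$wants"
    # The link target is a path inside the installed system, so it stays valid after reboot.
    ln -sf "/lib/systemd/system/$unit" "$wants/$unit"
}

# Check helper: is the unit's wants link present in the target?
unit_enabled() {
    [ -L "${3:-$target}/etc/systemd/system/${2:-multi-user.target}.wants/$1" ]
}

# Only act when FAI runs this as a hook script (not when sourced for testing).
case "${FAI_ACTION:-}" in
    install|softupdate)
        # The SysV wrapper must run inside the target, hence the $ROOTCMD prefix;
        # without it, it looks for /etc/init.d/ypbind in the nfsroot and fails.
        if [ -e "$target/etc/init.d/ypbind" ]; then
            $ROOTCMD /lib/systemd/systemd-sysv-install enable ypbind
        fi
        enable_unit ypbind.service
        ;;
esac
```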
Re: ypbind not enabled after installation
On the ypclient:
- In /etc/default/nis set NISCLIENT=true
- In /etc/yp.conf set the yp (master and slave) server IP addresses

On the yp master+slave servers:
- In /etc/yp.conf set the yp (master and slave) server IP addresses
- In /etc/ypserv.securenets list all IP addresses of all yp clients so the ypserver accepts yp requests

Andreas
Re: ypbind not enabled after installation
Hi again,

Apparently, it is intended behavior that ypbind is not enabled by default, as it would hang if /etc/defaultdomain is not defined. But I need to find a way to enable it automatically once the defaultdomain is fcopied. Somehow, "systemctl enable" in the script does not work.

> I am currently installing FAI to manage several CS hands-on labs using Debian 12 bookworm.
> Student authentication is managed using NIS. I created a NIS class in FAI config, and added the packages nis, unscd and libnss-nis to package_config/NIS.
>
> For some reason, the ypbind service is not started nor enabled upon reboot after installation. It is correctly installed and configured (as long as I can figure out), but I have to run "systemctl enable ypbind" and "systemctl start ypbind" manually on each machine before it starts working.
>
> I tried to add the two lines before to scripts/NIS/90-misc but then I get this error during install:
>
> scripts.log:Failed to enable unit, unit ypbind.service does not exist.
>
> I also tried to add
>
> ln -s /lib/systemd/system/ypbind.service /etc/systemd/system/multi-user.target.wants
>
> or
>
> /lib/systemd/systemd-sysv-install enable ypbind
>
> in the script instead, but it won't work either. "systemctl enable" will only work correctly after first reboot.
>
> I cannot find any other error related to ypbind in the logs.
>
> Any clues? Maybe it is a bug in the Debian ypbind package?

--
Julien Vion
Associate Professor (Maître de conférences)
Head of the Computer Science Department
IUT de Valenciennes/Cambrai/Maubeuge
LAMIH CNRS
Université Polytechnique Hauts de France
Re: FAI + SaltStack anybody?
Hi Diego

It's been a while since I worked with Salt, but IIRC it sounds like what is not "clicking" is that you need to fix the TOFU problem.

Looking back through my notes, it seems https://docs.saltproject.io/en/latest/topics/tutorials/multimaster_pki.html might be worth a read.

In particular, maybe "master_sign_pubkey: True" on the Salt master, "verify_master_pubkey_sign: True" on the minion, and the master pubkeys put in "/etc/salt/pki/minion/" on the minions. Then on Salt master all you have to do is approve the new connections as they come online.

--- Original Message ---
On Thursday, October 5th, 2023 at 13:59, Diego Zuccato wrote:
> Hello all.
>
> Does someone use FAI to install the base system that will be managed by Salt?
> I'm trying to integrate 'em but there's still something that doesn't "click"...
>
> My current idea is to use Salt to orchestrate the install, but maybe it's better left to FAI? How can I "pass around" minion key so I don't have to manually re-approve the new key every time?
> The ideal scenario would be: target generates its keypair, sends the pubkey to FAI that "certifies" it's from the system being installed and passes it to Salt. Should I write a custom fai-monitor (that would be needed anyway to disable netboot once system is reinstalled)?
>
> TIA.
>
> --
> Diego Zuccato
> DIFA - Dip. di Fisica e Astronomia
> Servizi Informatici
> Alma Mater Studiorum - Università di Bologna
> V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
> tel.: +39 051 20 95786
Re: FAI + SaltStack anybody?
On 05/10/2023 15:17, Carsten Aulbert wrote:
> we usually try with the hardware level configuration being the "border", i.e. everything related to partitioning, initial OS install, at least initial networking set-up is done with FAI (well, and salt is installed configured as well).

Ok, that's good.

> Then FAI reboots the server and upon service start, the server starts a highstate and performs the remaining configuration.

Ok, no problem here.

> To set-up salt, we wrote our own script around fai-chboot which ssh into the salt-master, creates a keypair and copies the files to the appropriate places.

Uhm... I don't really like that ssh step. But probably can be straightened out making salt get the pubkey from FAI's state.

> FAI will install the private key during the installation and the public key is already known on the master, no need to accept the keys anymore.

I like even less that the private key is passed from FAI to the target, I'd prefer to only pass back the pubkey.

> Does that help a bit?

Yes, tks.

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
Re: FAI + SaltStack anybody?
Hi Diego,

On 10/5/23 14:59, Diego Zuccato wrote:
> Does someone use FAI to install the base system that will be managed by Salt?
> I'm trying to integrate 'em but there's still something that doesn't "click"...
>
> My current idea is to use Salt to orchestrate the install, but maybe it's better left to FAI? How can I "pass around" minion key so I don't have to manually re-approve the new key every time?
> The ideal scenario would be: target generates its keypair, sends the pubkey to FAI that "certifies" it's from the system being installed and passes it to Salt. Should I write a custom fai-monitor (that would be needed anyway to disable netboot once system is reinstalled)?

we usually try with the hardware level configuration being the "border", i.e. everything related to partitioning, initial OS install, at least initial networking set-up is done with FAI (well, and salt is installed configured as well).

Then FAI reboots the server and upon service start, the server starts a highstate and performs the remaining configuration.

To set-up salt, we wrote our own script around fai-chboot which ssh into the salt-master, creates a keypair and copies the files to the appropriate places. FAI will install the private key during the installation and the public key is already known on the master, no need to accept the keys anymore.

Does that help a bit?

Cheers

Carsten

--
Dr. Carsten Aulbert, Max Planck Institute for Gravitational Physics, Callinstraße 38, 30167 Hannover, Germany, Phone +49 511 762 17185
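Carsten's approach pre-seeds the minion key on the master so no interactive accept is needed, and Diego's constraint upthread is that only a host FAI is actually reinstalling should ever be accepted. The following is an added example of the master-side step that enforces both; it is not code from the thread, from Salt or from FAI. It assumes Salt's default accepted-key directory /etc/salt/pki/master/minions and a hypothetical allow-list file, one minion id per line, that the fai-chboot wrapper maintains for hosts currently under installation.

```shell
#!/bin/sh
# Added example (not from the thread): pre-accept a minion's public key on the
# Salt master only for a host FAI is currently installing, so no TOFU
# "salt-key -a" is needed and a stray host cannot get itself accepted.
# Assumed paths: Salt's default accepted-key dir, and a hypothetical allow-list
# written by the fai-chboot wrapper (one minion id per line).
: "${SALT_MINIONS_DIR:=/etc/salt/pki/master/minions}"
: "${FAI_INSTALLING_LIST:=/srv/fai/installing.list}"

# Minion ids arrive from the host being installed, so treat them as untrusted:
# allow only hostname-like ids (no '/', no leading '.' or '-', no whitespace).
valid_minion_id() {
    case $1 in
        ''|.*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Is this id on the list of hosts FAI is installing right now?
is_installing() {
    [ -r "$2" ] && grep -Fxq -e "$1" -- "$2"
}

# Install $2 (the minion's minion.pub) as the accepted key for id $1 under
# dir $3, atomically and without clobbering an existing key: a reinstall must
# revoke the old key first, so an accepted host cannot be silently replaced.
preaccept_minion_key() {
    id="$1"; pubkey="$2"; dir="${3:-$SALT_MINIONS_DIR}"; list="${4:-$FAI_INSTALLING_LIST}"
    valid_minion_id "$id" || { echo "refusing invalid minion id" >&2; return 2; }
    is_installing "$id" "$list" || { echo "$id is not being installed by FAI" >&2; return 3; }
    head -n1 "$pubkey" | grep -q '^-----BEGIN PUBLIC KEY-----$' || { echo "$pubkey is not a PEM public key" >&2; return 4; }
    [ ! -e "$dir/$id" ] || { echo "key for $id already accepted" >&2; return 5; }
    mkdir -p "$dir"
    cp "$pubkey" "$dir/.$id.tmp" && chmod 0644 "$dir/.$id.tmp" && mv "$dir/.$id.tmp" "$dir/$id"
}

# Drop the old key before a reinstall (the fresh install presents a new keypair).
revoke_minion_key() {
    valid_minion_id "$1" || return 2
    rm -f "${2:-$SALT_MINIONS_DIR}/$1"
}
```

The revoke step is where the fai-chboot wrapper would hook in: revoke when a host is flagged for reinstall, pre-accept once the new key arrives, and remove the id from the allow-list when FAI reports the install finished.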
FAI + SaltStack anybody?
Hello all.

Does someone use FAI to install the base system that will be managed by Salt?
I'm trying to integrate 'em but there's still something that doesn't "click"...

My current idea is to use Salt to orchestrate the install, but maybe it's better left to FAI? How can I "pass around" minion key so I don't have to manually re-approve the new key every time?
The ideal scenario would be: target generates its keypair, sends the pubkey to FAI that "certifies" it's from the system being installed and passes it to Salt. Should I write a custom fai-monitor (that would be needed anyway to disable netboot once system is reinstalled)?

TIA.

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
ypbind not enabled after installation
Hi all,

I am currently installing FAI to manage several CS hands-on labs using Debian 12 bookworm.
Student authentication is managed using NIS. I created a NIS class in FAI config, and added the packages nis, unscd and libnss-nis to package_config/NIS.

For some reason, the ypbind service is not started nor enabled upon reboot after installation. It is correctly installed and configured (as long as I can figure out), but I have to run "systemctl enable ypbind" and "systemctl start ypbind" manually on each machine before it starts working.

I tried to add the two lines before to scripts/NIS/90-misc but then I get this error during install:

scripts.log:Failed to enable unit, unit ypbind.service does not exist.

I also tried to add

ln -s /lib/systemd/system/ypbind.service /etc/systemd/system/multi-user.target.wants

or

/lib/systemd/systemd-sysv-install enable ypbind

in the script instead, but it won't work either. "systemctl enable" will only work correctly after first reboot.

I cannot find any other error related to ypbind in the logs.

Any clues? Maybe it is a bug in the Debian ypbind package?

Yours,
--
Julien Vion
Associate Professor (Maître de conférences)
Head of the Computer Science Department
IUT de Valenciennes/Cambrai/Maubeuge
LAMIH CNRS
Université Polytechnique Hauts de France