, Thomas Lange wrote:
On Fri, 19 Jan 2024 15:33:02 +0100, Diego Zuccato said:
> But it seems it doesn't get mounted (at least a custom script did not
> find it mounted). I don't know FAI internals enough :(
This mounting of a partition labeled MY-DATA will only work from FAI
6.2,
8<--
And 99-disklist.d/fast00 (the host I'm installing) contains:
-8<--
#!/bin/bash
#filter='scsi-*'
#newlist='sdt '
. /usr/lib/fai/subroutines
newlist=$(smallestdisk)
-8<--
Hope it can be useful for others.
Diego
On 22/02/2024 09:02, Diego Zuccato wrote:
I think there's a bug (w
"$newlist" ]; then
echo New disklist: $newlist
echo disklist=\"$newlist\" >> $LOGDIR/additional.var
fi
This script writes the new values of disklist to
$LOGDIR/additional.var. Then FAI will parse it and set the new value
for disklist before calling setup-storage.
vers have NVMe drives that should be used for operating
system disks, which is why they can be skipped.
Although I see a stale comment in there now about the NVMe disks. Ah well.
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.l
"preserved partition /dev/sda7 does not end
at a cylinder boundary, parted may fail to restore the partition"
messages in error.log... "disk_config" line has "align-at:1M", isn't it
enough?
--
i, 19 Jan 2024 09:03:57 +0100, Diego Zuccato said:
> Hello all.
> It's not too unusual that sometimes disks get recognized in a different
> order across reboots.
> How can I make sure I'm repartitioning the right disk and not another
> one containing data
sk2".
If it's not currently supported, it shouldn't be too hard to add to
20-hwdetect.sh (I can do it and share the result, if someone is
interested). But if it's already supported, better to use the official
method. :)
--
install ca-
certificates. Probably updatebase.SALT - or better,
updatebase.CACERTIFICATES and have SALT set CACERTIFICATES
Cheers,
Andrew
--
get update
$ROOTCMD apt-get install -y salt-minion
-8<--
Finally it seems to work as expected.
Thanks again!
Diego
On 18/01/2024 08:23, Diego Zuccato wrote:
IIUC that's the same as adding 'em to the basefile. Every time an
install errors out, basefile/nfsroot must be regenerated to i
/etc/apt/sources
does *not* touch /etc/apt/sources.list.d/, right?
Diego
On 17/01/2024 17:10, Markus Köberl wrote:
On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
On 17/01/2024 14:15, Carsten Aulbert wrote:
How can I have ca-certificates installed when the repository
attempting to install
it too soon.
Uff. Work for tomorrow...
Tks for all the hints!
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
ificates have not yet been
installed.
How can I have ca-certificates installed when the repository gets added?
--
On 17/01/2024 10:55, Andrew Ruthven wrote:
On Wed, 2024-01-17 at 09:06 +0100, Diego Zuccato wrote:
I copied DEBIAN.var to BOOKWORM64.var, then changed the var to
release=bookworm .
It'll depend on what you're using as in our profile as well. You need to
have a class set that matches
On 16/01/2024 16:20, Robert Markula wrote:
On 16.01.24 at 16:13, Diego Zuccato wrote:
But now the install is saying that it's downloading bullseye packages
even if I specified class BOOKWORM64. Surely I've messed up something.
Work for tomorrow :)
Have a look at your class/DEBIAN file
specified class BOOKWORM64. Surely I've messed up something.
Work for tomorrow :)
Tks for all the help!
--
rch for basefiles.
We set a class of $RELEASE_$ARCH and use that to select the basefile.
Cheers,
Andrew
--
Tks for the fast answer.
I'll have to dig a bit deeper (never used debootstrap explicitly), so it
will take a bit more to fully understand.
Diego
On 16/01/2024 10:43, Henning Glawe wrote:
Moin,
On Tue, Jan 16, 2024 at 10:22:42AM +0100, Diego Zuccato wrote:
Is it possible to use
to the current one, to avoid breaking the working setup).
--
'em. Could
trigger a script that uses salt-cloud to provision the node...
Too many ideas :)
--
Subject: Re: FAI + SaltStack anybody?
Moin,
On Thu, Oct 05, 2023 at 02:59:40PM +0200, Diego Zuccato wrote:
> Does someone use FAI to install the base system that will be managed by
> Salt?
Do you have a concrete reason for introducing Salt on top of FAI?
FAI can be used to do most of your configu
ey before the reboot) and knows it can trust that key.
--
FAI server which serves some secret
using:
echo secrect | nc -p 12345 -l
So only one FAI client can read the secret from port 12345 once.
This may help a little bit.
--
ion either requires TPM or interaction.
--
I, there's no reason to
auto accept a new key: it could be anybody!
Does FAI use protected connections (given that usually there's no
available "root of trust" stronger than the MAC address...) to the
machine being installed?
--
.
Then on Salt master all you have to do is approve the new connections as they
come online.
I'd have to approve on *both* masters. :(
--
re.
I like even less that the private key is passed from FAI to the target,
I'd prefer to only pass back the pubkey.
Does that help a bit?
Yes, tks.
--
(that would be
needed anyway to disable netboot once system is reinstalled)?
TIA.
--
lyst Cloud: | This space intentionally left blank
https://catalystcloud.nz |
--
> How about having task_repository check for another file, say
> package_config/CLASS.gpg_dest that'd allow us to specify where to copy
> package_config/CLASS.gpg to?
--
Seems I still missed the little patch that has to be applied to
savelog.LAST.sh hook (adding "export flag_reboot=1" after printing the
congrats message).
Diego
On 08/06/2023 15:22, Diego Zuccato wrote:
Hi.
I just noticed that FAI installs were waiting at the end because of
"Congratulations! No errors found in log files" but
task_faiend still prompts for Enter key to reboot.
What did I miss? Specifying "reboot" flag seems wrong, since it forces
reboot even in case of errors, IIUC.
--
Tks.
Quite clear & useful.
Diego
On 07/06/2023 12:57, Andrew Ruthven wrote:
On Wed, 2023-06-07 at 10:05 +0200, Diego Zuccato wrote:
Hi Andrew.
That would be OK, but I don't need (and it's actually undesirable) to
reinstall at every reboot: one of the systems actually requires an e
calling fai-chboot and just not
bothering about DHCP ?
Diego
On 07/06/2023 09:57, Andrew Ruthven wrote:
Hey,
On Wed, 2023-06-07 at 09:45 +0200, Diego Zuccato wrote:
IIUC hooks are run on the system being installed, so I could use LAST
hook to somehow signal FAI host to run "fai-chbo
FAI host to run "fai-chboot -d host". But that
would leave DHCP server sending a DHCP OFFER for a PXE boot that's been
disabled. Maybe I'm reinventing the wheel, but couldn't find anything.
Any hints?
TIA.
--
rypt the needed secret files using machine's TPM and transfer
encrypted files to FAI
- in case of reinstall, FAI transfers encrypted files to the machine and
runs clevis decrypt to restore 'em
That's just a rough idea. Any evident issues?
Diego
On 16/01/2023 14:12, Diego Zuccato wrote:
/msg07955.html
[2] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08003.html
[3] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08005.html
--
stallation processes and flagging abnormal activities. This
would not prevent successful attacks, but possible breaches could be patched
up, eg keys replaced afterwards.
This seems harder.
--
is
actually useful...
GPG encrypted tarballs can be a good solution if there's a trusted
person that can insert the password (or a tpm that can decrypt it) to
complete the install...
Diego
On 13/12/2022 20:44, Andrew Ruthven wrote:
Hey,
On Tue, 2022-12-13 at 14:47 +0100, Diego Zuccato wrote
Hello all.
What's the recommended way to deploy (or re-deploy) security-sensitive
objects (just to say one: private ssh key to avoid client warnings when
redeploying a server)?
TIA
--
some cases generate passwords (root and encrypted filesystems)
during build and have those emailed with GPG encryption to the relevant
parties.
Cheers,
Andrew
On Thu, 2022-07-07 at 08:35 +0200, Diego Zuccato wrote:
Hi Andrew.
That's an option, but it seems less secure: while PXE net have
there's not much space... It's good just for very small "secrets"
(that gets transferred in the clear, hence the need to reconfigure the
switches).
--
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz |
Catalyst Cloud: | This space intentionally left blank
https:
his ensures that the disk gets
completely wiped and no partition is preserved, even if you have a
'preserve' statement in your disk_config.
--
ng install and 'reboot'
instructs FAI to reboot at the end of the installation process instead
of waiting for someone to press 'enter'.
Robert
--
ter-wipefs/394999#394999
HIH.
--
installed SO w/o any interaction, while
specifying 'reboot' seems to suggest that it reboots also in case of
errors).
Tks.
--