Hi all.
Is there a preferred way to pass a (different) secret to every host
being installed?
Something to implement a workflow like:
- admin asks Salt to (re)install a host
- salt handles shutdown and switch reconfiguration (OT)
- salt tells FAIserver to enable install of given host
- FAI gene
Hey,
I'm not sure if this is preferred or not, but the approach I take is to
have a command we run first, that copies any required secrets (and will
generate SSH host keys and puppet certs if required first) into the NFS
root. A cron job runs every 15 minutes and cleans up any of those
secrets whi
Hi Andrew.
That's an option, but is seems less secure: while PXE net have to be
quite "locked down", NFS could potentially be exposed on a "public"
network (say to handle reinstalls on many networks with a single server).
If only machines had an "attestation key" by default... Maybe an USB key
Hey,
Yes, agreed, depends on the use case. For the gear I'm dealing with
they're on physically very secure networks and NFS is firewalled off.
You could potentially have a kernel token as you suggest and then go to
fetch the secrets from a HashiCorp Vault with an approval needing to be
issued.
The more I think about it, the more I convince myself that an USB key
(preferably connected to the internal USB connector) could be quite a
good compromise: cannot be stolen too easily (requires opening the
chassis), can be installed w/o requiring special skills, is cheap, and
stores "more than
On Thu, 2022-07-07 at 11:16:33 +0200, Diego Zuccato wrote:
> Now I only have to figure out how to reliably detect its presence during
> install, then it's just matter of copying files.
Give each USB key a (filesystem) label, and check for its presence in
/dev/disk/by-partlabel - you could even ma
We distribute secrets via configuration management (in our case, via
Cfengine).
During the first reboot after FAI the Cfengine client registers itself
to the Cfengine server and pulls its credentials from a dedicated part
of the repository. In Cfengine, it is possible to restrict the allowed
Diese Nachricht wurde eingewickelt um DMARC-kompatibel zu sein. Die
eigentliche Nachricht steht dadurch in einem Anhang.
This message was wrapped to be DMARC compliant. The actual message
text is therefore in an attachment.--- Begin Message ---
On Thursday, 7 July 2022 08:12:54 CEST Diego Zuccato