fai-make-nfsroot docs and missing reboot

2022-05-31 Discussion threads Diego Zuccato
boot into newly installed SO w/o any interaction, while specifying 'reboot' seems to suggest that it reboots also in case of errors). Tks. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 401

mke2fs hung

2022-05-31 Discussion threads Diego Zuccato
ll-encrypted-with-luks-after-wipefs/394999#394999 HIH. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Re: fai-make-nfsroot docs and missing reboot

2022-06-07 Discussion threads Diego Zuccato
tevt' I can switch to a dedicated virtual terminal during install and 'reboot' instructs FAI to reboot at the end of the installation process instead of waiting for someone to press 'enter'. Robert -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici

Re: mke2fs hung

2022-06-07 Discussion threads Diego Zuccato
had a problem ever since. But be careful - this ensures that the disk gets completely wiped and no partition is preserved, even if you have a 'preserve' statement in your disk_config. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Transient secrets

2022-07-06 Discussion threads Diego Zuccato
ce... It's good just for very small "secrets" (that get transferred in the clear, hence the need to reconfigure the switches). -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Re: Transient secrets

2022-07-06 Discussion threads Diego Zuccato
most 255 chars there's not much space... It's good just for very small "secrets" (that get transferred in the clear, hence the need to reconfigure the switches). -- Andrew Ruthven, Wellington, New Zealand and...@etc.gen.nz | Catalyst Cloud: | This space intentio

Re: Transient secrets

2022-07-07 Discussion threads Diego Zuccato
ypt them. We do in some cases generate passwords (root and encrypted filesystems) during build and have those emailed with GPG encryption to the relevant parties. Cheers, Andrew On Thu, 2022-07-07 at 08:35 +0200, Diego Zuccato wrote: Hi Andrew. That's an option, but it seems less se

Secure deploy of keys

2022-12-13 Discussion threads Diego Zuccato
Hello all. What's the recommended way to deploy (or re-deploy) security-sensitive objects (just to say one: private ssh key to avoid client warnings when redeploying a server)? TIA -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Universi

Re: Secure deploy of keys

2022-12-13 Discussion threads Diego Zuccato
e a TPM is actually useful... GPG encrypted tarballs can be a good solution if there's a trusted person that can insert the password (or a tpm that can decrypt it) to complete the install... Diego On 13/12/2022 20:44, Andrew Ruthven wrote: Hey, On Tue, 2022-12-13 at 14:47 +0100, Dieg

Re: Secure deploy of keys

2022-12-15 Discussion threads Diego Zuccato
oring of installation processes and flagging abnormal activities. This would not prevent successful attacks, but possible breaches could be patched up, eg keys replaced afterwards. This seems harder. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Univer

Re: Secure deploy of keys

2023-01-16 Discussion threads Diego Zuccato
%40uni-koeln.de/msg07955.html [2] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08003.html [3] https://www.mail-archive.com/linux-fai%40uni-koeln.de/msg08005.html -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le B

Re: Secure deploy of keys

2023-01-16 Discussion threads Diego Zuccato
the needed secret files using machine's TPM and transfer encrypted files to FAI - in case of reinstall, FAI transfers encrypted files to the machine and runs clevis decrypt to restore 'em That's just a rough idea. Any evident issues? Diego Il 16/01/2023 14:12, Diego Zuccato ha s

Automatically disabling PXE boot

2023-06-07 Discussion threads Diego Zuccato
e LAST hook to somehow signal FAI host to run "fai-chboot -d host". But that would leave DHCP server sending a DHCP OFFER for a PXE boot that's been disabled. Maybe I'm reinventing the wheel, but couldn't find anything. Any hints? TIA. -- Diego Zuccato DIFA - Dip. di F

Re: Automatically disabling PXE boot

2023-06-07 Discussion threads Diego Zuccato
nderstand and you're calling fai-chboot and just not bothering about DHCP ? Diego On 07/06/2023 09:57, Andrew Ruthven wrote: Hey, On Wed, 2023-06-07 at 09:45 +0200, Diego Zuccato wrote: IIUC hooks are run on the system being installed, so I could use LAST hook to somehow signal FAI h

Re: Automatically disabling PXE boot

2023-06-07 Discussion threads Diego Zuccato
Tks. Quite clear & useful. Diego On 07/06/2023 12:57, Andrew Ruthven wrote: On Wed, 2023-06-07 at 10:05 +0200, Diego Zuccato wrote: Hi Andrew. That would be OK, but I don't need (and it's actually undesirable) to reinstall at every reboot: one of the systems actually req

os-prober warning considered error?

2023-06-08 Discussion threads Diego Zuccato
d). Now I get "Congratulations! No errors found in log files" but task_faiend still prompts for Enter key to reboot. What did I miss? Specifying "reboot" flag seems wrong, since it forces reboot even in case of errors, IIUC. -- Diego Zuccato DIFA - Dip. di Fisica e Astron

Re: os-prober warning considered error?

2023-06-26 Discussion threads Diego Zuccato
Seems I still missed the little patch that has to be applied to savelog.LAST.sh hook (adding "export flag_reboot=1" after printing the congrats message). Diego On 08/06/2023 15:22, Diego Zuccato wrote: Hi. I just noticed that FAI installs were waiting at the end because of

Re: Installation of package_config/CLASS.gpg

2023-08-22 Discussion threads Diego Zuccato
to specify which GPG keyring to trust for our various additional > repositories. > How about having task_repository check for another file, say > package_config/CLASS.gpg_dest that'd allow us to specify where to copy > package_config/CLASS.gpg to? -- Diego Z

Re: RAID + UEFI

2023-09-20 Discussion threads Diego Zuccato
.@etc.gen.nz | Catalyst Cloud: | This space intentionally left blank https://catalystcloud.nz | -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

FAI + SaltStack anybody?

2023-10-05 Discussion threads Diego Zuccato
Should I write a custom fai-monitor (that would be needed anyway to disable netboot once system is reinstalled)? TIA. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Re: FAI + SaltStack anybody?

2023-10-05 Discussion threads Diego Zuccato
the keys anymore. I like even less that the private key is passed from FAI to the target, I'd prefer to only pass back the pubkey. Does that help a bit? Yes, tks. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Be

Re: FAI + SaltStack anybody?

2023-10-05 Discussion threads Diego Zuccato
minions. Then on Salt master all you have to do is approve the new connections as they come online. I'd have to approve on *both* masters. :( -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Re: FAI + SaltStack anybody?

2023-10-05 Discussion threads Diego Zuccato
eing reinstalled by FAI, there's no reason to auto accept a new key: it could be anybody! Does FAI use protected connections (given that usually there's no available "root of trust" stronger than the MAC address...) to the machine being installed? -- Diego Zuccato DIFA - Dip

Re: FAI + SaltStack anybody?

2023-10-06 Discussion threads Diego Zuccato
Already did it in DOS :) But stronger authentication either requires TPM or interaction. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Re: FAI + SaltStack anybody?

2023-10-06 Discussion threads Diego Zuccato
the FAI server which serves some secret using: echo secrect | nc -p 12345 -l So only one FAI client can read the secret from port 12345 once. This may help a little bit. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Ber

Re: FAI + SaltStack anybody?

2023-10-06 Discussion threads Diego Zuccato
s rebooting (or, even better, it receives the minion key before the reboot) and knows it can trust that key. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Re: FAI + SaltStack anybody?

2023-10-06 Discussion threads Diego Zuccato
Linux Subject: Re: FAI + SaltStack anybody? Moin, On Thu, Oct 05, 2023 at 02:59:40PM +0200, Diego Zuccato wrote: > Does someone use FAI to install the base system that will be managed by > Salt? Do you have a concrete reason for introducing Salt on top of FAI? FAI can be used to do most of your co

Re: FAI + SaltStack anybody?

2023-10-06 Discussion threads Diego Zuccato
considere 'em. Could trigger a script that uses salt-cloud to provision the node... Too many ideas :) -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Single FAI server, multiple Debian versions?

2024-01-16 Discussion threads Diego Zuccato
no changes to the current one, to avoid breaking the working setup). -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Re: Single FAI server, multiple Debian versions?

2024-01-16 Discussion threads Diego Zuccato
Tks for the fast answer. I'll have to dig a bit deeper (never used debootstrap explicitly), so it will take a bit more to fully understand. Diego On 16/01/2024 10:43, Henning Glawe wrote: Moin, On Tue, Jan 16, 2024 at 10:22:42AM +0100, Diego Zuccato wrote: Is it possible to

Re: Single FAI server, multiple Debian versions?

2024-01-16 Discussion threads Diego Zuccato
nd search for basefiles. We set a class of $RELEASE_$ARCH and use that to select the basefile. Cheers, Andrew -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Re: Single FAI server, multiple Debian versions?

2024-01-16 Discussion threads Diego Zuccato
even if I specified class BOOKWORM64. Surely I've messed up something. Work for tomorrow :) Tks for all the help! -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Re: Single FAI server, multiple Debian versions?

2024-01-17 Discussion threads Diego Zuccato
On 16/01/2024 16:20, Robert Markula wrote: On 16.01.24 at 16:13, Diego Zuccato wrote: But now the install is saying that it's downloading bullseye packages even if I specified class BOOKWORM64. Surely I've messed up something. Work for tomorrow :) Have a look at your class/DEBI

Re: Single FAI server, multiple Debian versions?

2024-01-17 Discussion threads Diego Zuccato
On 17/01/2024 10:55, Andrew Ruthven wrote: On Wed, 2024-01-17 at 09:06 +0100, Diego Zuccato wrote: I copied DEBIAN.var to BOOKWORM64.var, then changed the var to release=bookworm . It'll depend on what you're using as in our profile as well. You need to have a class set that m

Accessing external https repo during install

2024-01-17 Discussion threads Diego Zuccato
vious, since ca-certificates have not yet been installed. How can I have ca-certificates installed when the repository gets added? -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Re: Accessing external https repo during install

2024-01-17 Discussion threads Diego Zuccato
'm attempting to install it too soon. Uff. Work for tomorrow... Tks for all the hints! -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786

Re: Accessing external https repo during install

2024-01-17 Discussion threads Diego Zuccato
t to be sure: fcopy /etc/apt/sources does *not* touch /etc/apt/sources.list.d/, right? Diego On 17/01/2024 17:10, Markus Köberl wrote: On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote: On 17/01/2024 14:15, Carsten Aulbert wrote: How can I have ca-certificates installed

Re: Accessing external https repo during install

2024-01-18 Discussion threads Diego Zuccato
$ROOTCMD apt-get update $ROOTCMD apt-get install -y salt-minion -8<-- Finally it seems to work as expected. Thanks again! Diego On 18/01/2024 08:23, Diego Zuccato wrote: IIUC that's the same as adding 'em to the basefile. Every time an install errors out, basefile/nfsroot

Re: Accessing external https repo during install

2024-01-18 Discussion threads Diego Zuccato
hook that install ca-certificates. Probably updatebase.SALT - or better, updatebase.CACERTIFICATES and have SALT set CACERTIFICATES Cheers, Andrew -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bolog

Making sure to partition the right disk(s)

2024-01-19 Discussion threads Diego Zuccato
of "disk2". If it's not currently supported, it shouldn't be too hard to add to 20-hwdetect.sh (I can do it and share the result, if someone is interested). But if it's already supported, better to use the official method. :) -- Diego Zuccato DIFA - Dip. di Fisica e A

Re: Making sure to partition the right disk(s)

2024-01-19 Discussion threads Diego Zuccato
to: On Fri, 19 Jan 2024 09:03:57 +0100, Diego Zuccato said: > Hello all. > It's not too unusual that sometimes disks get recognized in a different > order across reboots. > How can I make sure I'm repartitioning the right disk and not another >

Re: Making sure to partition the right disk(s)

2024-01-19 Discussion threads Diego Zuccato
ling with "preserved partition /dev/sda7 does not end at a cylinder boundary, parted may fail to restore the partition" messages in error.log... "disk_config" line have "align-at:1M", isn't it enough? -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Inform

Re: Making sure to partition the right disk(s)

2024-01-19 Discussion threads Diego Zuccato
of our servers have NVMe drives that should be used for operating system disks, which is why they can be skipped. Although I see a stale comment in there now about the NVMe disks. Ah well. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di B

Re: Define sda as the smallest disk

2024-02-22 Discussion threads Diego Zuccato
t.sh in your config space (/srv/fai/config) These are the important lines: if [ -n "$newlist" ]; then echo New disklist: $newlist echo disklist=\"$newlist\" >> $LOGDIR/additional.var fi This script writes the new values of disklist to $LOGDIR/additional.var. Then

Re: Define sda as the smallest disk

2024-02-23 Discussion threads Diego Zuccato
wlist\" # $0" >> $LOGDIR/additional.var fi -8<-- And 99-disklist.d/fast00 (the host I'm installing) contains: -8<-- #!/bin/bash #filter='scsi-*' #newlist='sdt ' . /usr/lib/fai/subroutines newlist=$(smallestdisk) -8<-- Hope it can be useful for ot

Re: Making sure to partition the right disk(s)

2024-02-23 Discussion threads Diego Zuccato
, Thomas Lange wrote: On Fri, 19 Jan 2024 15:33:02 +0100, Diego Zuccato said: > But it seems it doesn't get mounted (at least a custom script did not > find it mounted). I don't know FAI internals enough :( This mounting of a partition labeled MY-DATA will only work fro

Re: simple question

2024-07-02 Discussion threads Diego Zuccato
22.04 LTS or higher is it possible to choose automatically the smaller disk? In my case there is a Dell Server with RAID-Controller, configured: sda = ca. 5 TB SSD for data - during install shall be not touched/formatted... sdb = ca. 900 GB SAS = shall be root and OS installed In other

Re: Installing CUDA with FAI

2024-10-24 Discussion threads Diego Zuccato
I into a Debian Bookworm (or any other) installation? I have been trying to set this up for over a week now - yet no success. Regards, Stephan -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bolo

migration to is-kea (was Re: FAI for Linux on Apple Silicon?)

2025-01-17 Discussion threads Diego Zuccato
17/01/2025 12:00, Thomas Lange wrote: Add this to dhcpd.conf: if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00011" { filename "boot/grub/grubnetaa64.efi"; } -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi In

Re: migration to is-kea (was Re: FAI for Linux on Apple Silicon?)

2025-01-17 Discussion threads Diego Zuccato
hen I see a deprecation notice I always worry, but it seems isc-kea is not yet ready for prime time. I'll have a look at dnsmasq too. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Ita

Error partitioning with RAID

2025-03-03 Discussion threads Diego Zuccato
H(0x555682c295d0)) called at /usr/share/fai/setup-storage/commands.pm line 531 FAI::build_raid_commands called at /usr/sbin/setup-storage line 209 -8<-- Any hints? Tks. -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Ber

Re: Error partitioning with RAID

2025-03-05 Discussion threads Diego Zuccato
disk1.3,disk2.3,disk3.3:preserve_lazy ext4 noauto createopts="-L PERMDATA" but it fails. Any help appreciated. Nobody have had to preserve a RAID volume between installs and can share an example? TIA Diego On 04/03/2025 07:12, Diego Zuccato wrote: Hello all. I'm having is

Re: Error partitioning with RAID

2025-03-05 Discussion threads Diego Zuccato
wiped (IIUC if flag_initial=1 it shouldn't even try to read partitions info). -- Diego Zuccato DIFA - Dip. di Fisica e Astronomia Servizi Informatici Alma Mater Studiorum - Università di Bologna V.le Berti-Pichat 6/2 - 40127 Bologna - Italy tel.: +39 051 20 95786