
> The biggest challenge is that pieces of the oVirt project require there to be persistent storage locally. For example, when you register a node with the engine, a manual step is required to approve the node. After this manual step, some certificates are copied locally into the node and stored. That way, the node can immediately identify itself with the engine and start working with no need to identify itself.
>
> To solve this problem, we need to either
> 1. remove the need to store stuff locally
> 2. provide some way to package up this config and store it somewhere, then retrieve on boot
> 3. embed some sort of key or certificate in the pxe image that allows the engine to know that this is a valid machine and automatically approve it.

Is there a method to pre-generate a set of certificates/configuration files for a node?

It is not that hard to let the boot server serve the node-specific configuration files as a cpio (initramfs) archive, based on the MAC-address of the node. The kernel supports having more than one initramfs file, and simply combines the files from both archives.

--
Yours sincerely,
Floris Bos
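
The per-node cpio overlay suggested in the message above, as an added example that is not code from this thread or from the oVirt project. It writes the `newc` cpio format the kernel unpacks as an initramfs; the archive paths, file contents and the `node-<mac>.cpio` naming are hypothetical placeholders.

```python
import re
from itertools import count

def _entry(name, data, mode, ino):
    """One cpio 'newc' record: 110-byte ASCII header, NUL-terminated name, data."""
    name_b = name.encode() + b"\0"
    nlink = 2 if mode & 0o040000 else 1
    fields = [ino, mode, 0, 0, nlink, 0,   # inode, mode, uid/gid root, nlink, mtime
              len(data), 0, 0, 0, 0,       # filesize, dev and rdev major/minor
              len(name_b), 0]              # namesize incl. NUL, checksum (unused)
    rec = b"070701" + b"".join(b"%08X" % f for f in fields) + name_b
    rec += b"\0" * (-len(rec) % 4)         # header+name padded to 4 bytes
    rec += data
    return rec + b"\0" * (-len(rec) % 4)   # data padded to 4 bytes

def build_overlay(files):
    """files maps archive path -> (content bytes, permission bits)."""
    out, seen, ino = b"", set(), count(1)
    for path in sorted(files):
        parts = path.split("/")
        for i in range(1, len(parts)):     # emit parent directories before their files
            parent = "/".join(parts[:i])
            if parent not in seen:
                seen.add(parent)
                out += _entry(parent, b"", 0o040755, next(ino))
        data, perm = files[path]
        out += _entry(path, data, 0o100000 | perm, next(ino))
    return out + _entry("TRAILER!!!", b"", 0, 0)

def overlay_name(mac):
    """File name the boot server looks up for a MAC (hypothetical naming scheme)."""
    mac = mac.strip().lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}", mac):
        raise ValueError("not a MAC address: %r" % mac)  # never build paths from raw input
    return "node-%s.cpio" % mac.replace(":", "-")

# Constructed sample: placeholder paths and contents, not oVirt's real files.
SAMPLE = {
    "config/node/cert.pem": (b"CONSTRUCTED CERT\n", 0o644),
    "config/node/key.pem": (b"CONSTRUCTED KEY\n", 0o600),
}

if __name__ == "__main__":
    with open(overlay_name("52:54:00:12:34:56"), "wb") as fh:
        fh.write(build_overlay(SAMPLE))
```

The resulting file is handed to the kernel as a second initramfs after the base image; the key entry is archived root-owned with mode 0600.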

On Thu, 2012-02-09 at 00:11 +0100, Floris Bos / Maxnet wrote:
>> The biggest challenge is that pieces of the oVirt project require there to be persistent storage locally. For example, when you register a node with the engine, a manual step is required to approve the node. After this manual step, some certificates are copied locally into the node and stored. That way, the node can immediately identify itself with the engine and start working with no need to identify itself.
>>
>> To solve this problem, we need to either
>> 1. remove the need to store stuff locally
>> 2. provide some way to package up this config and store it somewhere, then retrieve on boot
>> 3. embed some sort of key or certificate in the pxe image that allows the engine to know that this is a valid machine and automatically approve it.
>
> Is there a method to pre-generate a set of certificates/configuration files for a node?
>
> It is not that hard to let the boot server serve the node-specific configuration files as a cpio (initramfs) archive, based on the MAC-address of the node. The kernel supports having more than one initramfs file, and simply combines the files from both archives.

It could certainly be a possible solution. There isn't a way to do this today, but the ability to pre-generate a config bundle is certainly an interesting thought. My inclination is that this would be a V2 feature of stateless.

First, we need to know everything that we need in the config bundle. Then we need a way to deploy that on boot. Having it provided through the pxe interface is something that was brought up as a way to embed some form of key, but not the config bundle.

Mike

participants (2): Floris Bos / Maxnet, Mike Burns