WIP: ipxe installer

Charlie Turner requested to merge cturner/ipxe-iso-generator into master

The goal is to simplify the installer image we provide. Currently, it's a customized Arch distro, weighing in at 700MB, and generally not designed to be upgraded in a resilient way (just ssh in and hack!).

This new design pushes all the configuration of the container to a central place (a container registry), rather than living permanently on the gateway machines. Instead, the gateway machines are now going to be treated more like a DUT: some machine with a cache drive installed, onto which we provision a functional infra, on every boot.

There are two parts to this series:

  1. The iPXE boot ISO generator. This is a thin wrapper around the iPXE-provided Makefile; it eases the creation of iPXE ISOs with client certificates baked in. For a new farm, use the provided script to generate a client key-pair, then pass that key material into the build wrapper, and voila, a 1MB boot ISO for the gateway machine.

  2. A very small web app that sits behind an nginx SSL proxy (that part deals with client certificates / auth). The nginx conf is not in this series for now. Once the app gets an authenticated request from nginx, it returns an iPXE configuration pointing at boot assets specific to this client (keyed off the client certificate fingerprint, in fact).

Part 1 seems to be working fine; for part 2, there are some TODOs I've identified already:

  • Push the static iPXE configuration into fingerprint-keyed locations in the files store, just like for kernels and ramdisks. This gives us the flexibility to change the config, restart-free, for any of the gateways.
  • Automate the Backblaze configuration. Right now, Backblaze is manually provisioned with buckets of the form <fingerprint>-perm which contain the gateway's secret configuration. This S3 bucket is mirrored via b2c into the valve-infra container. The web app should grow the ability to provision a bbz bucket via the b2-python-sdk.
  • More tests.
  • Time permitting, remove some of the jank in this very-WIP series!

@craftyguy Since I will be going away for some weeks, I figure this would be a good follow-on task to work with @mupuf on, in addition to getting the ansible branch landed in the new valve-infra system container.

Edited by Charlie Turner
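A sketch of the fingerprint-keyed lookup described in part 2, added here as an illustration and not code from this merge request: the app trusts nginx for the client-certificate check, re-reads the verdict, and validates the fingerprint before it becomes a path component in the file store, so a malformed value can never turn into a traversal. It assumes nginx forwards $ssl_client_verify and $ssl_client_fingerprint as the X-SSL-Client-Verify and X-SSL-Client-Fingerprint headers (assumed names), and the file-store URL and gateway registry are constructed.

```python
import re

# Assumptions (not from the MR): the file-store base URL, and the header names the
# nginx proxy sets from $ssl_client_verify and $ssl_client_fingerprint.
FILE_STORE_URL = "https://files.example.invalid/gateways"
VERIFY_HEADER = "X-SSL-Client-Verify"
FINGERPRINT_HEADER = "X-SSL-Client-Fingerprint"

# $ssl_client_fingerprint is the certificate's SHA-1 as 40 lowercase hex chars.
FINGERPRINT_RE = re.compile(r"[0-9a-f]{40}")

# Constructed registry: fingerprint -> that gateway's boot parameters.
GATEWAYS = {
    "0123456789abcdef0123456789abcdef01234567": {
        "kernel": "vmlinuz", "initrd": "initramfs.img", "cmdline": "ip=dhcp",
    },
}

def normalize_fingerprint(raw):
    """Accept 'AB:CD:..' or 'abcd..'; return lowercase hex, or None if it is not
    exactly 40 hex chars, so the value is safe to use as a path component."""
    cleaned = raw.strip().replace(":", "").lower()
    return cleaned if FINGERPRINT_RE.fullmatch(cleaned) else None

def render_ipxe(base_url, gw):
    """iPXE script chaining this gateway to its own kernel and ramdisk."""
    return ("#!ipxe\n"
            f"kernel {base_url}/{gw['kernel']} {gw['cmdline']}\n"
            f"initrd {base_url}/{gw['initrd']}\n"
            "boot\n")

def ipxe_for_request(headers, gateways=GATEWAYS):
    """Return (http_status, body) for a request forwarded by the TLS proxy.
    nginx does the client-cert auth; the app re-checks the verdict and validates
    the fingerprint before using it as a key into the file store."""
    if headers.get(VERIFY_HEADER) != "SUCCESS":
        return 403, "client certificate not verified by proxy\n"
    fp = normalize_fingerprint(headers.get(FINGERPRINT_HEADER, ""))
    if fp is None:
        return 400, "malformed client certificate fingerprint\n"
    gw = gateways.get(fp)
    if gw is None:
        return 404, "no boot assets provisioned for this gateway\n"
    return 200, render_ipxe(f"{FILE_STORE_URL}/{fp}", gw)
```

The headers are only trustworthy if the app is reachable exclusively through the proxy that sets them.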