First time setup automation
Posted: 18 Dec 2015 23:09
by Kostya
We are trying to automate EFA deployment with Ansible.
Is there documentation on what each step of the setup script does (config files, commands, etc.) so that it can be scripted?
Re: First time setup automation
Posted: 19 Dec 2015 11:36
by shawniverson
EFA creates a config file, called /etc/EFA-Config.
However, EFA-Init is interactive.
So, we need a non-interactive version that accepts an EFA-Config file.
This is a very good idea. I'm going to work on this.
https://github.com/E-F-A/v3/issues/226
Re: First time setup automation
Posted: 21 Dec 2015 21:18
by Kostya
If this can be done that would be awesome. Thank you for looking at that.
Just to make sure we are on the same page: ideally we would like to deploy a VM, connect it to the network (i.e. assign IP, gateway, etc.) and then run a deployment script which will feed it EFA-Config and do other config tasks. So we are talking about network deployment rather than a local script.
Also, is there a way to import greylist opt-out domains from a file? I found scripts for black and white lists but not for greylist.
Re: First time setup automation
Posted: 22 Dec 2015 00:07
by shawniverson
Are you able to execute a script remotely on EFA, or do you need the script to target EFA remotely from another machine? Or do you need it to query a specific server for information (like over SSH/SCP)?
Re: First time setup automation
Posted: 22 Dec 2015 01:43
by Kostya
Target it remotely from another machine, or trigger execution of a local script from a remote machine.
Ansible works via ssh.
Re: First time setup automation
Posted: 23 Dec 2015 13:50
by shawniverson
Great, what I will do is create a non-interactive EFA-Init and post it here for you to try out.
Re: First time setup automation
Posted: 23 Dec 2015 14:28
by Kostya
Awesome, thank you!
Re: First time setup automation
Posted: 24 Dec 2015 11:25
by shawniverson
*bump*
A few problems
1) ssh is disabled until EFA-Init runs (console only because of the insecure default password)
2) EFA-Init interactively runs upon first login
So, we need to think about this some more. Enabling ssh at this point is not safe, because of the default password. So that kills the ability to execute a script remotely at this point.
So that leaves only one option, have EFA pull from a server as a client during startup.
Next problems
1) /etc/EFA-Config contains passwords. So it is not safe to store or transport over unencrypted channels.
Securely pulling a config will require encryption, either SCP, SFTP, or HTTPS. Without a key exchange being possible in advance, non-interactive SCP and SFTP may not be possible. HTTPS may be possible if the server running HTTPS has a valid PKI cert, but what is to stop any other system from pulling the sensitive config as well? Perhaps an ACL to limit access to just the systems that should have access.
Another approach may be to support the concept of preparing EFA for cloning, such as an option in EFA-Init at the beginning that gathers info and shuts down the unit in preparation for VM-based cloning. When the clones are started, they would process a script and self-configure.
Thoughts?
Re: First time setup automation
Posted: 25 Dec 2015 02:03
by Kostya
Well, the way I see it:
Step 1: ability to disable the interactive init. Perhaps a separate image or a setting during VM deployment. Then I'll be able to script the password change and enabling ssh. This can be a part of my VM deployment script.
If you don't want to do that for whatever reason, that's fine. I'll create my own image and use it for deployments.
Step 2: ability to import EFA-Config. This will be a part of my configuration script. Because I'll be using SSH, it will be safe to transfer the file.
Makes sense?
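What Kostya's Step 2 could look like as an Ansible playbook, added here as an illustration; this is not code from the thread or from the EFA project. It assumes Step 1 has already happened (the VM image boots with a non-default root password and sshd enabled, so Ansible can reach it), that the targets sit in an inventory group named `efa`, that the secrets live in a vault-encrypted `vars/efa-secrets.yml`, and that EFA-Init grows a non-interactive mode invoked as `EFA-Init --config /etc/EFA-Config`. That flag is hypothetical; the real interface is whatever issue #226 ends up defining. The point is that /etc/EFA-Config, passwords included, only ever travels inside the SSH session and lands root-only on disk, which addresses the transport concern raised earlier in the thread.

```yaml
# Added example (not EFA project code): configure freshly deployed EFA VMs
# without the interactive EFA-Init. Assumptions, none confirmed by the thread:
#   - inventory group "efa" contains the new appliances, reachable over SSH
#   - vars/efa-secrets.yml was created with `ansible-vault encrypt` and holds
#       efa_root_password: "..."
#       efa_config: |
#         ...the full contents of /etc/EFA-Config, passwords included...
#   - "EFA-Init --config <file>" is a hypothetical non-interactive mode
---
- name: Configure new EFA appliances non-interactively
  hosts: efa
  become: true
  vars_files:
    - vars/efa-secrets.yml        # vault-encrypted; decrypted only in memory

  tasks:
    - name: Rotate the root password away from the image's initial credential
      user:
        name: root
        password: "{{ efa_root_password | password_hash('sha512') }}"
      no_log: true                # keep the hash out of Ansible output and logs

    - name: Write /etc/EFA-Config from the vaulted variable
      copy:
        content: "{{ efa_config }}"
        dest: /etc/EFA-Config
        owner: root
        group: root
        mode: "0600"              # the file holds passwords: root-only on disk
      no_log: true                # never print the config contents
      register: efa_config_write

    - name: Run the non-interactive EFA-Init (hypothetical --config flag)
      command: EFA-Init --config /etc/EFA-Config
      when: efa_config_write.changed   # only on first deploy or when the config changed
```

Run it with `ansible-playbook --ask-vault-pass site.yml` (or `--vault-password-file`). Two caveats a practitioner would want: a freshly cloned VM generates new SSH host keys on first boot, so record each new host's key in `known_hosts` after deployment rather than disabling `host_key_checking` globally, and keep `no_log: true` on every task that touches the secrets, since a failed task otherwise dumps its arguments, config contents included, into the run output.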
Re: First time setup automation
Posted: 25 Dec 2015 13:02
by shawniverson
Yes, this is similar to the cloning idea. Once you have your own password on the VMs, you can enable ssh and be good for remote access. I will keep working on this.
Re: First time setup automation
Posted: 13 Jan 2016 16:38
by Kostya
Do you happen to know if there is a way to import greylist opt-out domains from a file? I found scripts for black and white lists but not for greylist.