6.3. Client-driven approach

First, create a boot package (kernel + initrd.img) that includes the SSH private key directly in the initrd.img. Booting over PXE is strongly discouraged in this case, because the kernel and initrd.img are not encrypted when they are transmitted to the clients with TFTP, so the private key embedded in the initrd would cross the network in cleartext. To create the boot package with BOEL, run the following commands:

  # mkdir /tmp/boot-package
  # si_mkbootpackage --destination /tmp/boot-package --kernel \
    /usr/share/systemimager/boot/i386/standard/kernel --filesystem cramfs \
    --ssh-key ~foo/.ssh/id_dsa --yes

Remember to replace i386 with the architecture of your clients to get the correct kernel (e.g. x86_64). Or if you want to use UYOK:

  # mkdir /tmp/boot-package
  # si_mkbootpackage --destination /tmp/boot-package --image YOUR_IMAGE \
    --ssh-key ~foo/.ssh/id_dsa --yes

This command creates the boot package in /tmp/boot-package and includes the SSH private key of the user "foo" in the initrd. To enable passwordless login for the user "foo", run the command:

  $ cat ~foo/.ssh/id_dsa.pub >> ~foo/.ssh/authorized_keys

In a similar way, you can also use the --ssh-key option with si_prepareclient on your golden client. In this case you don't need to create the boot package on your image server; simply use the kernel + initrd.img generated by si_prepareclient.
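
The authorized_keys step above, as an added example that is not part of the SystemImager manual: an idempotent replacement for the plain `cat >>` that refuses a private key passed by mistake, sets the permissions sshd's StrictModes check expects, and does not add the same key twice. The function name `authorize_key` and the optional third argument (OpenSSH authorized_keys options such as `no-pty`) are assumptions of this example; which options the imaging clients tolerate is not covered on this page.

```shell
#!/bin/sh
# Added example (not SystemImager code).
# Usage: authorize_key PUBKEY_FILE SSH_DIR [OPTIONS]
#   e.g. authorize_key ~foo/.ssh/id_dsa.pub ~foo/.ssh
authorize_key() {
    pub=$1 dir=$2 opts=${3:-}
    auth="$dir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse a private key passed by mistake (id_dsa instead of id_dsa.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key, refusing" >&2
        return 1
    fi

    # A public key line is "type base64-blob [comment]"; field 2 identifies it.
    blob=$(awk 'NR==1 {print $2}' "$pub")
    [ -n "$blob" ] || { echo "$pub: no key blob found" >&2; return 1; }

    # With StrictModes, sshd ignores authorized_keys if the directory or
    # the file is writable by anyone other than the owner.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ( umask 077; touch "$auth" ) || return 1
    chmod 600 "$auth" || return 1

    # Idempotent: do nothing if this key is already authorized.
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi

    line=$(head -n 1 "$pub")
    if [ -n "$opts" ]; then
        line="$opts $line"   # options come first on the entry
    fi
    printf '%s\n' "$line" >> "$auth"
}
```

Run it as the user "foo" (or fix ownership afterwards), since sshd also checks that the files belong to the account being logged into.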