I'll dig through it today! We use a homegrown deployment system but I am
personally very familiar with xCAT so I ought to be able to work something
out. Thanks a bunch.
On Tue, Sep 1, 2020, 8:46 PM Vinícius Ferrão <ferrao(a)versatushpc.com.br>
wrote:
Hi Mark, I’ve had the same question in the past.
At the end of the day we “reverse engineered” what ipa-client-install does
to avoid the force-join and passing the password in plaintext. So it’s
basically a bunch of files that must be configured on the target system, so
we configured it directly on the stateless images.
Some “manual” provisioning must be done, but you can do it through your
stateless manager. For instance we are using xCAT, so when we create a new
node on xCAT we automatically do the ipa-add-host on IPA.
We’ve done this for our HPC cluster software, the code is available here:
https://bitbucket.versatushpc.com.br/projects/OPENCATTUS/repos/deployment
Feel free to look at the inner workings of the code, it’s basically an Ansible
Playbook.
On 1 Sep 2020, at 11:31, Mark Potter via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
We boot everything stateless in our environment and are using FreeIPA for
authentication. I started discussing this a while ago but ended up with
other things taking priority. The number of machines we have makes managing
keys an untenable solution so we are using
ipa-client-install -U -q -p <join user> -w <password> --domain=domain.com
--server=ipaserver.domain.com --fixed-primary --force-join
called from rc.local during boot to rejoin machines to the FreeIPA
environment (we will be moving away from --fixed-primary but aren't there
yet). While this works, it potentially exposes a password. I am looking
for a better way to handle machines that need to re-join at every boot.
We have access to Ansible as well as a decent, in-house templating system
for configuration. Please forgive my starting this discussion anew and not
resurrecting a zombie and thanks in advance for your help!
--
*Mark Potter*
Senior Linux Administrator
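
An added example, not part of the original messages and not FreeIPA code: a small Python audit that scans a boot script from a stateless image for the pattern described in the thread, an ipa-client-install call that carries the join password on the command line, and reports it with the secret redacted. The sample rc.local, the joinuser name, the password and the keytab path are constructed; -w/--password, --keytab and --force-join are real ipa-client-install options.

```python
import shlex

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def audit_boot_script(text):
    """Find ipa-client-install calls that carry the join password in argv."""
    findings = []
    for no, line in logical_lines(text):
        try:
            argv = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            argv = line.split("#", 1)[0].split()
        if not any(a.endswith("ipa-client-install") for a in argv):
            continue
        redacted, exposed, skip = [], False, False
        for arg in argv:
            if skip:  # value that follows a bare -w / --password
                arg, skip = "<REDACTED>", False
            elif arg in ("-w", "--password"):
                exposed = skip = True
            elif arg.startswith("--password="):
                arg, exposed = "--password=<REDACTED>", True
            redacted.append(arg)
        if exposed:
            findings.append({"line": no, "force_join": "--force-join" in argv,
                             "command": " ".join(redacted)})
    return findings

# Constructed sample rc.local; password and keytab path are dummy values.
SAMPLE_RC_LOCAL = """\
# ipa-client-install -U -w old-dummy --force-join
/usr/sbin/ipa-client-install -U -q -p joinuser -w dummy-secret \\
    --domain=domain.com --server=ipaserver.domain.com --fixed-primary --force-join
ipa-client-install -U --keytab=/etc/ipa/host.keytab --domain=domain.com
"""

if __name__ == "__main__":
    print(audit_boot_script(SAMPLE_RC_LOCAL))
```

Commented-out invocations and calls without a password argument are not reported; only the live call on line 2 of the sample is flagged.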