Hi Mark, I’ve had the same question in the past.

At the end of the day we “reverse engineered” what ipa-client-install does to avoid the force-join and passing the password in plaintext. So it’s basically a bunch of files that must be configured on the target system, so we configured them directly on the stateless images.

Some “manual” provisioning must be done, but you can do it through your stateless manager. For instance we are using xCAT, so when we create a new node on xCAT we automatically do the ipa-add-host on IPA.

We’ve done this for our HPC cluster software, the code is available here:

Feel free to look at inner workings of the code, it’s basically an Ansible Playbook.
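To make the "bunch of files" concrete, here is an added example (not the playbook linked above, nor anything from the FreeIPA project) of rendering the client-side files ipa-client-install would otherwise write, so they can be baked into a stateless image with no join password at boot. It assumes the usual EL-style layout (/etc/ipa/default.conf, /etc/krb5.conf, /etc/sssd/sssd.conf), that the realm is the upper-cased domain, and it deliberately does not produce /etc/krb5.keytab: the per-host keytab still has to be issued by the stateless manager after the host is added on IPA (for example with ipa-getkeytab on a management node) and pushed to the node. The optional fifth argument reproduces the difference between a --fixed-primary client and one that lets sssd discover servers via DNS SRV records; boot_script_is_clean is a hypothetical helper that flags an ipa-client-install line carrying a password on the command line, the exposure Mark describes.

```shell
#!/bin/sh
# Render the client-side files ipa-client-install would normally write, so they
# can be baked into a stateless image instead of running ipa-client-install
# with a join password on every boot.
#
# Assumptions (not from the thread): file contents mirror what ipa-client-install
# produces on RHEL/CentOS-style systems (abbreviated); realm = upper-cased domain;
# the per-host keytab (/etc/krb5.keytab) is NOT produced here and must be
# provisioned separately by the stateless manager after "ipa host-add".
#
# Usage: render_ipa_client_config DOMAIN SERVER FQDN OUTDIR [fixed]
render_ipa_client_config() {
    domain=$1
    server=$2
    fqdn=$3
    out=$4
    fixed=${5:-}
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    # domain.com -> dc=domain,dc=com
    basedn=$(printf '%s' "$domain" | sed 's/\./,dc=/g; s/^/dc=/')
    # With --fixed-primary ipa-client-install pins sssd to the named server;
    # otherwise sssd tries DNS SRV discovery first and falls back to it.
    if [ -n "$fixed" ]; then
        ipa_server="$server"
    else
        ipa_server="_srv_, $server"
    fi

    mkdir -p "$out/etc/ipa" "$out/etc/sssd"

    cat > "$out/etc/ipa/default.conf" <<EOF
[global]
basedn = $basedn
realm = $realm
domain = $domain
server = $server
host = $fqdn
xmlrpc_uri = https://$server/ipa/xml
enable_ra = True
EOF

    cat > "$out/etc/krb5.conf" <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0

[realms]
  $realm = {
    kdc = $server:88
    master_kdc = $server:88
    admin_server = $server:749
    kpasswd_server = $server:464
    default_domain = $domain
  }

[domain_realm]
  .$domain = $realm
  $domain = $realm
EOF

    cat > "$out/etc/sssd/sssd.conf" <<EOF
[domain/$domain]
id_provider = ipa
ipa_server = $ipa_server
ipa_domain = $domain
ipa_hostname = $fqdn
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh, sudo
domains = $domain

[nss]
[pam]
[sudo]
[ssh]
EOF
    # sssd refuses to start if its config is world-readable
    chmod 600 "$out/etc/sssd/sssd.conf"
}

# Hypothetical audit helper: returns 0 when the boot script contains no
# ipa-client-install line with a password on the command line, 1 otherwise.
boot_script_is_clean() {
    ! grep -Eq 'ipa-client-install.*(-w|--password)[ =]' "$1"
}

# Stand-alone use: render into a staging directory given on the command line.
if [ $# -ge 4 ]; then
    render_ipa_client_config "$@"
fi
```

The rendered tree can be overlaid on the image root; only /etc/ipa/ca.crt and the host keytab remain per-cluster and per-host secrets to distribute, which is a much smaller surface than a join user's password in rc.local.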

On 1 Sep 2020, at 11:31, Mark Potter via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

We boot everything stateless in our environment and are using FreeIPA for authentication. I started discussing this a while ago but ended up with other things taking priority. The number of machines we have makes managing keys an untenable solution, so we are using

ipa-client-install -U -q -p <join user> -w <password> --domain=domain.com --server=ipaserver.domain.com --fixed-primary --force-join

called from rc.local during boot to rejoin machines to the FreeIPA environment (we will be moving away from --fixed-primary but aren't there yet). While this works it, potentially, exposes a password. I am looking for a better way to handle machines that need to re-join at every boot. 

We have access to Ansible as well as a decent in-house templating system for configuration. Please forgive my starting this discussion anew and not resurrecting a zombie, and thanks in advance for your help!

Mark Potter
Senior Linux Administrator
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org