We boot everything stateless in our environment and are using FreeIPA for authentication. I started discussing this a while ago but ended up with other things taking priority. The number of machines we have make managing keys an untenable solution so we are using 

ipa-client-install -U -q -p <join user> -w <password --domain=domain.com --server=ipaserver.domain.com --fixed-primary --force-join 

called from rc.local during boot to rejoin machines to the FreeIPA environment (we will be moving away from --fixed-primary but aren't there yet). While this works it, potentially, exposes a password. I am looking for a better way to handle machines that need to re-join at every boot. 

We have access to ansible as well a decent, in house, templating system for configuration. Please forgive my starting this discussion anew and not resurrecting a zombie and thanks in advance for your help!


Mark Potter

Senior Linux Administrator