8:32 a.m.
Hello, I'd like to run IPA server in a vm and at the same time use the host OS as an
IPA client for a uniform set-up of DNS, NTP, SSO etc across the board.
I have a replica but let's imagine that I don't. So I have only one IPA server
running on as a guest on an IPA client host.
I imagine that I would encounter issues at start-up since IPA client services should start
AFTER the VM is up and running.
What would be your recommendation of going about it? Should I start libvirt before IPA
client services in boot chain (and what exact services?) and then sleep long enough so
that VM has the time to start?
Or maybe be I should just restart some IPA client services after booting?
Thank you.
8:51 a.m.
Hi,
Am 02.08.2022 um 15:32 schrieb lol lol via FreeIPA-users:
Hello, I'd like to run IPA server in a vm and at the same time
use the host OS as an IPA client for a uniform set-up of DNS, NTP, SSO etc across the
board.
I'm running something similar here: FreeIPA in a docker container, the
host running the container is an IPA client.
I have a replica but let's imagine that I don't. So I have
only one IPA server running on as a guest on an IPA client host.
I imagine that I would encounter issues at start-up since IPA client services should
start AFTER the VM is up and running.
I don't see any problems here as long as I don't do anything that needs
KRB5 tokens and/or user data until after the container is up and running
properly.
What would be your recommendation of going about it? Should I start
libvirt before IPA client services in boot chain (and what exact services?) and then sleep
long enough so that VM has the time to start?
Or maybe be I should just restart some IPA client services after booting?
I don't really need any of that here, and it *does* take up to 5 minutes
after boot until the ipa server is actually responsive (old, cripply
hardware).
The only problem I have here is that I had to move my SMB server to a
different host - SMB as ipa client with the SMB/IPA/AD Controller inside
a container on the same host gave me any number of certificate- and
KRB5-related headaches.
cheers
MH
--
Mathias Homann
Mathias.Homann(a)openSUSE.org
Jabber (XMPP): lemmy(a)tuxonline.tech
IRC: [Lemmy] on freenode and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
4:44 p.m.
New subject: Freeipa in a virtual machine, host being a client
Thank you for the answer!
Glad to hear that it works without tweaking. But yeah I'm kinda in the same situation
as I'd like to run an NFS service on the host.
Not keen on moving it to another machine. Do you think starting NFS server after enough
time for IPA to start would do the trick?
In any case, I feel like I can always recreate the service or reinstall the client. Mb I
should just try and see if it's stable enough. What are your thoughts?
12:29 a.m.
Am Dienstag, 2. August 2022, 23:44:12 CEST schrieb lol lol via FreeIPA-users:
Thank you for the answer!
Glad to hear that it works without tweaking. But yeah I'm kinda in the same
situation as I'd like to run an NFS service on the host.
not a problem here, but I didn't "kerberize" my nfs yet...
Not keen on moving it to another machine. Do you think starting NFS
server
after enough time for IPA to start would do the trick?
That would be the first thing to try, yes.
In any case, I feel like I can always recreate the service or
reinstall the
client. Mb I should just try and see if it's stable enough. What are your
thoughts?
Which service?
Cheers
Mathias
--
Mathias Homann
Mathias.Homann(a)openSUSE.org
Jabber (XMPP): lemmy(a)tuxonline.tech
Matrix: @mathias:eregion.de
IRC: [Lemmy] on freenode and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
4:34 a.m.
New subject: Freeipa in a virtual machine, host being a client
Yeah, I need it kerberized.
"Which service?"
NFS.
5:35 a.m.
New subject: Freeipa in a virtual machine, host being a client
Hi,
Am 03.08.2022 um 11:34 schrieb lol lol via FreeIPA-users:
Yeah, I need it kerberized.
"Which service?"
NFS.
Like I said, I didn't modify any services at all. The only thing I've
noticed regarding NFS is that if I have to reboot my server while I'm
logged in on my linux desktop which is also an IPA client and gets my
$HOME via autofs from my NFS server it takes a bit longer now until my
session becomes respnsive again - so I avoid rebooting my server while
I'm logged in, or do a scheduled reboot and log out of my desktop befor
it happens.
On the **client** end I did have to play around with services a bit -
mainly with timings by inserting a delay service - just to make sure
that the graphical log in doesn't start until after everything else is
running (everything else being sssd and autofs).
Cheers
MH
--
Mathias Homann
Mathias.Homann(a)openSUSE.org
Jabber (XMPP): lemmy(a)tuxonline.tech
IRC: [Lemmy] on freenode and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
6:55 a.m.
New subject: Freeipa in a virtual machine, host being a client
Thank you for the detailed answer.
Yes I am aware of the $HOME issue, I do the same as you.
My concern is the following scenario:
Host is an ipa client, VM is an ipa server.
When I reboot the machine, some services like certmonger do not start correctly on the
client because the server is still down.
So it's logical that some services running on the host enrolled with ipa (or even the
host itselft, i'm not sure) will fail to get a new certificate and I'd have to
bother with resetting/updating some components manually which is dirty.
That's why I'd like to identify all ipa services and make them sleep for a few
minutes before starting so that the vm has the time to boot.
What are your thoughts?
I'd also like to hear a developer's opinion, I bet they deal with such scenarios
as they mention vms in documentation, when describing replication for example.
Cheers.
7 a.m.
New subject: Freeipa in a virtual machine, host being a client
lol lol via FreeIPA-users wrote:
Thank you for the detailed answer.
Yes I am aware of the $HOME issue, I do the same as you.
My concern is the following scenario:
Host is an ipa client, VM is an ipa server.
When I reboot the machine, some services like certmonger do not start correctly on the
client because the server is still down.
So it's logical that some services running on the host enrolled with ipa (or even the
host itselft, i'm not sure) will fail to get a new certificate and I'd have to
bother with resetting/updating some components manually which is dirty.
That's why I'd like to identify all ipa services and make them sleep for a few
minutes before starting so that the vm has the time to boot.
What are your thoughts?
I'd also like to hear a developer's opinion, I bet they deal with such scenarios
as they mention vms in documentation, when describing replication for example.
Things are simpler if you have a client. SSSD will work offine if the
server isn't available yet.
certmonger also doesn't require IPA to be immediately available at
startup. The worst that would happen is if a cert was detected as
expiring soon and IPA wasn't update you'd get a CA_UNREACHABLE state and
it would try again later.
rob
7:10 a.m.
New subject: Freeipa in a virtual machine, host being a client
Thank you for the answer!
So that means that I can go ahead and enroll host as a client without the tweaks I
suggested and it should be safe to use?
If I understand you correctly SSSD and other ipa services will try to reconnect so the
server's not being immediately available is not an issue at start-up.
Cheers.
2:29 p.m.
On 02/08/2022 14:32, lol lol via FreeIPA-users wrote:
Hello, I'd like to run IPA server in a vm and at the same time
use the host OS as an IPA client for a uniform set-up of DNS, NTP, SSO etc across the
board.
I do this, with libvirt. Host is RHEL 8, there are actually two guests
at the moment, RHEL 8 and RHEL 9. Haven't gotten around to killing the
RHEL 8 server off yet... :)
I've not had any problems with this setup, only downside is as Mathias
reported, it takes a little while after the guest boots up before the
servers finish booting. During this time you should still be able to log
in with password authentication, assuming sssd has already cached the
password of your IPA user.
(If you have a replica then it shouldn't matter, unless all your IPA
servers are down) :)
The networking setup I use is to connect the host's ethernet interface
to a bridge, to which the two servers are also attached. i.e., as far as
the client is concerned, the servers are perfectly normal hosts on my LAN.
Regarding NTP, I point both host and guests to external NTP servers,
since as of RHEL 8 FreeIPA no longer configures the IPA servers to run NTP.
If you're using libvirt on EL, it's worth tweaking your setup so that
the VMs start at boot (I use 'virsh autostart' on the guests and set
ON_BOOT=ignore) and so that they are powered off when you shut the host
down (ON_SHUTDOWN=shutdown). I prefer this to having the libvirt-guests
service try to suspend on shutdown and restore at boot, or anything like
that. There are some other settings in there regarding how long to wait
for guests to shut down before killing them, I haven't needed to set
them as the default timeout seems fine.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
4:49 p.m.
New subject: Freeipa in a virtual machine, host being a client
Thank you for the answer!
Yes, I use the same kind of bridged connection.
Glad to hear that it works for you.
What do you think of Mathias's problem with SMB? I'm in the same situation as I
want to run NFS on the host. I have detailed it in my reply to Mathias's answer.
Cheers!
631
days inactive
632
days old
freeipa-users@lists.fedorahosted.org
10 comments
4 participants
participants (4)
-
lol lol -
Mathias Homann -
Rob Crittenden -
Sam Morris