Mark, the code was updated to EL8 in the last week, if you’re already interested.
On 2 Sep 2020, at 09:18, Mark Potter <markp@dug.com> wrote:
I'll dig through it today! We use a homegrown deployment system but I am personally
very familiar with xcat so I ought to be able to work something out. Thanks a bunch.
On Tue, Sep 1, 2020, 8:46 PM Vinícius Ferrão <ferrao@versatushpc.com.br> wrote:
Hi Mark, I’ve had the same question in the past.
At the end of the day we “reverse engineered” what ipa-client-install does to avoid the
force-join and passing the password in plaintext. So it’s basically a bunch of files that
must be configured on the target system, so we configured it directly on the stateless
images.
Some “manual” provisioning must be done, but you can do it through your stateless manager.
For instance we are using xCAT, so when we create a new node on xCAT we automatically do
the ipa-add-host on IPA.
We’ve done this for our HPC cluster software, the code is available here:
https://bitbucket.versatushpc.com.br/projects/OPENCATTUS/repos/deployment
Feel free to look at the inner workings of the code, it’s basically an Ansible Playbook.
On 1 Sep 2020, at 11:31, Mark Potter via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
We boot everything stateless in our environment and are using FreeIPA for authentication.
I started discussing this a while ago but ended up with other things taking priority. The
number of machines we have makes managing keys an untenable solution so we are using
ipa-client-install -U -q -p <join user> -w <password>
--domain=domain.com
--server=ipaserver.domain.com --fixed-primary
--force-join
called from rc.local during boot to rejoin machines to the FreeIPA environment (we will be
moving away from --fixed-primary but aren't there yet). While this works, it
potentially exposes a password. I am looking for a better way to handle machines that
need to re-join at every boot.
We have access to Ansible as well as a decent, in-house templating system for configuration.
Please forgive my starting this discussion anew and not resurrecting a zombie and thanks
in advance for your help!
--
Mark Potter
Senior Linux Administrator
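
The exposure discussed in this thread, as an added example that is not part of the thread or of the linked deployment code: a small Python audit that finds ipa-client-install calls in a boot script such as rc.local which pass the enrollment password with -w/--password, and notes --force-join. The function names, finding labels and the sample script are constructed for illustration.

```python
import shlex

def logical_lines(text):
    """Yield (first_line_no, command) with backslash continuations joined."""
    buf, start = "", 0
    for no, line in enumerate(text.splitlines(), 1):
        start = start or no
        buf += line.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        yield start, buf
        buf, start = "", 0

def secret_value(args):
    """Return the value passed to -w/--password, or None if neither is used."""
    for i, tok in enumerate(args):
        if tok in ("-w", "--password"):
            return args[i + 1] if i + 1 < len(args) else ""
        if tok.startswith("--password="):
            return tok.split("=", 1)[1]
    return None

def audit_boot_script(text):
    """Return (line_no, finding) pairs for ipa-client-install calls in text."""
    findings = []
    for no, cmd in logical_lines(text):
        try:
            tokens = shlex.split(cmd, comments=True)  # drops '#' comments
        except ValueError:  # unbalanced quotes: not a simple command line
            continue
        names = [t.rsplit("/", 1)[-1] for t in tokens]
        if "ipa-client-install" not in names:
            continue
        args = tokens[names.index("ipa-client-install") + 1:]
        value = secret_value(args)
        if value is not None:
            # "$..." is expanded by the shell: not stored in the file, but
            # still part of the process arguments while the command runs.
            kind = "secret-in-argv-only" if value.startswith("$") else "secret-in-script"
            findings.append((no, kind))
        if "--force-join" in args:
            findings.append((no, "force-join"))
    return findings

# Constructed sample boot script (hostnames, principal and password are made up).
SAMPLE_RC_LOCAL = r"""#!/bin/sh
/usr/sbin/ipa-client-install -U -q -p enroll -w 'Sample-Pass-1' \
    --domain=example.test --server=ipa.example.test --force-join
ipa-client-install -U --password="$(cat /run/enroll.otp)" --domain=example.test
"""
```

Calling audit_boot_script(SAMPLE_RC_LOCAL) reports the literal password and --force-join on line 2 and the shell-expanded password on line 4.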