[Freeipa-devel] Hosts, A recs, and AAAA recs

Dmitri Pal dpal at redhat.com
Wed Feb 9 15:56:06 UTC 2011 

On 02/08/2011 11:30 PM, Simo Sorce wrote:
> On Tue, 08 Feb 2011 22:10:16 -0500
> Adam Young <ayoung at redhat.com> wrote:
>
>> The current process to add a host today is:
>>
>> Create an A record
>> run add host
>>
>> We have --force which will allow us to add the host even if the A
>> record doesn't exist, but do we have a way to say,  add this host, A
>> record, and AAAA record all at the same time?
>>
>>
>>  From a cloud perspective, it seems like we are going to get a lot of 
>> short lived VMs that will need all three at once.  I can see a work
>> flow like this:
>>
>>
>> User requests a number of VMs.
>> VMs get clones from templates and spun up
>> VMs get IP address from DHCP server.
>> DHCP server notifies IPA server of new hosts
> What do you mean by this ^^^^ ?
> Do you want to give the DHCP server the power to perform DNS updates ?
> Can be done although I am not sure DHCP Servers know how to do GSS-TSIG
> protected updates, we may have to open up DNS access control to accept
> everything from the DHCP Server.
>
>> IPA server adds host entries, A and AAAA records
> Host entries must be added by the cloud engine as it needs to set the
> enrollment password it passes down to the VM.
>
>> VM runs ipa-client install as part of firstboot
> ipa-client-install could also add DNS records, but there is a
> credential problem if it is an automated process.
>
>> The IPA server might even get notified earlier.  I could see the
>> cloud provider pushing the info to ipa prior to cloning the VM.
> This might be a better choice as long as the cloud provider can also
> change the DHCP configuration to assign the right IP address to the
> VMs using the MAC address.
>
>> How would we go about doing that today?
> I think we are missing the part that creates the VMs yet, so ...
>
> Simo.
>

In the cloud the cloud provider gives a VM a name and IP that it knows
about.
It is completely different from what you want the machine to think about
itself.
I did some emulation of the bootstrapping sequence as a proof of concept
to make sure we can enroll the host with a different hostname.

To emulate the provisioning of a new VM in the cloud I created a new
host in IPA with corresponding DNS entries. I gave it a generated static
IP of 1.1.1.1.
It created an OTP for me.
Then I turned around and to the client added ipa to the resolve.conf of
the client and ran the ipa-client-install passing in the OTP, ipa host
name and machine name.
That completed the provisioning.

The cloud engine will be driving the creation of the DNS and host
entries. IPA already has all capabilities that are needed.
What you suggest seems to be an optimization that would save cloud
engine a line in a script.

Simo is right about firstboot - it is not implemented yet. 

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeipa-devel mailing list