<div dir="ltr">Dmitri,<div><br></div><div style>Sure, I can do this. I can make a script, and have this executed from Satellite (remote command) and then perform the server redeploy from Satellite. However, that makes it a two-step process, and that is what I now also have. However, I would like to make it fully automated in a single step.</div>
<div style><br></div><div style>Come to think of it...there is also an API for Satellite. Maybe I can make a script that will first do the IPA stuff and then call Satellite to redeploy the server.....</div><div style>....hmmm....will look into this...and report my findings</div>
<div class="gmail_extra"><br clear="all"><div><br>Kind regards,<br><b><br><font style="color:rgb(51,102,255)" color="#000099">Fre</font><font style="color:rgb(51,102,255)" color="#000099">d van Zwieten</font><br style="color:rgb(51,102,255)">
</b>
<div><font color="#3333ff"><span style="COLOR:rgb(0,0,153)"><b style="color:rgb(51,102,255)">Enterprise Open Source Services</b><br></span></font></div>

<div><b><br><span style="color:rgb(51,102,255)">Consultant</span></b><br><font size="1"><i>(absent on Fridays)</i></font></div>
<div><br><b><span style="COLOR:rgb(255,0,0)">VX Company IT Services B.V.</span></b><br><span style="COLOR:rgb(0,0,153)"><b><span style="COLOR:rgb(255,0,0)">T</span></b><span style="background-color:rgb(255,255,255);color:rgb(255,255,255)"> <span style="color:rgb(51,102,255)">(035) 539 09 50 mobile (06) 41 68 28 48</span></span></span><span style="background-color:rgb(255,255,255);color:rgb(51,102,255)"></span><br style="COLOR:rgb(0,0,153)">
<span style="COLOR:rgb(0,0,153)"><b><span style="COLOR:rgb(255,0,0)">F</span></b> <span style="color:rgb(51,102,255)">(035) 539 09 08</span></span><br style="COLOR:rgb(0,0,153)"><span style="COLOR:rgb(0,0,153)"><b style="COLOR:rgb(255,0,0)">E</b><span style="color:rgb(51,102,255)"> </span></span><a style="color:rgb(51,102,255)" href="mailto:fvzwieten@vxcompany.com" target="_blank">fvzwieten@vxcompany.com</a><br style="COLOR:rgb(0,0,153)">
<span style="COLOR:rgb(0,0,153)"><b style="COLOR:rgb(255,0,0)">I</b>  </span><a style="color:rgb(51,102,255)" href="http://www.vxcompany.com/" target="_blank">www.vxcompany.com</a></div></div>
<br><br><div class="gmail_quote">On Fri, Jan 18, 2013 at 6:09 PM, Dmitri Pal <span dir="ltr">&lt;<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div class="im">
    On 01/18/2013 06:52 AM, Fred van Zwieten wrote:
    <blockquote type="cite">
      <div dir="ltr">Hi Dmitri,
        <div><br>
        </div>
        <div>Sorry for the late reply. I basically want to do
          the same as Charlie Derwent in another thread on this mailing
          list: To fully automate the re-installation of a server using
          Satellite/Spacewalk using kickstart. As the server is an IPA
          client, it must first get to be un-enrolled, before an
          ipa-client-install --unattended -w secret etc. can be done in a
          %post snippet of the kickstart file. It is the automation of
          the unenrollment process that we are not able to set up.</div>
        <div><br>
        </div>
        <div>What I can do on any ipa-client to unenroll on the
          command line is:</div>
        <div><br>
        </div>
        <div>ipa --disable-host &lt;server&gt; and ipa host-mod
          --password=secret --ssh=</div>
        <div>
          <br>
        </div>
        <div>This unprovisions the client, sets an OTP and
          removes the host ssh keys.</div>
        <div><br>
        </div>
        <div>However, this can only be done on an IPA client,
          and during a kickstart install the server is no longer an IPA
          client, because it is freshly being set up.</div>
        <div><br>
        </div>
        <div>It's a typical chicken-and-egg issue. You must
          first be ipa client to be able to execute ipa commands, but
          you cannot become an ipa client before unprovisioning yourself
          using those same ipa commands.</div>
        <div><br>
        </div>
        <div>Another approach would be to unprovision the
          client just before the reboot to be kickstarted, however, I
          have no idea how to set that up. It would mean the server has
          to know somehow it is being rebooted because of a re-install,
          but afaik, there is no way for satellite/spacewalk to tell the
          server this.</div>
        <div><br>
        </div>
        <div class="gmail_extra">Regards,</div>
        <div class="gmail_extra"><br>
        </div>
        <div class="gmail_extra">Fred<br clear="all">
        </div>
      </div>
    </blockquote>
    <br></div>
    IMO the right approach would be for the Satellite server to perform
    "ipa --disable-host &lt;server&gt; and ipa host-mod
    --password=secret --ssh=" as a part of the re-installation.<br>
    Satellite should be given an IPA identity and call into IPA when it
    performs reinstall before rebooting the system.<br>
    <br>
    Tough... I will see what I can do.<div><div class="h5"><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div><br>
            <br>
          </div>
          <br>
          <br>
          <div class="gmail_quote">On Sat, Jan 12, 2013 at 10:06 PM,
            Dmitri Pal <span dir="ltr">&lt;<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">
                <div>
                  <div> On 01/12/2013 03:28 AM, Fred van
                    Zwieten wrote:
                    <blockquote type="cite">
                      <div dir="ltr">Hi there,
                        <div><br>
                        </div>
                        <div>We are in the process of implementing
                          Satellite and want to automate server
                          installations 100% using kickstart, cobbler,
                          satellite.</div>
                        <div><br>
                        </div>
                        <div>IPA clients can be enrolled by script using
                          kickstart. Plenty of documentation about that.</div>
                        <div><br>
                        </div>
                        <div>However, how to "re"-enroll IPA clients?</div>
                        <div><br>
                        </div>
                        <div>Satellite gives me the option to re-install
                          a server. In this case, there are still host
                          and possibly service records for this host
                          present in IPA and DNS.</div>
                        <div><br>
                        </div>
                        <div>One way to think about this is, that it's
                          actually OK to keep those records there,
                          because it is a "re"-installation, so why
                          remove and re-enroll? However, there is the
                          krb5.keytab in /etc. I could save that file
                          during redeployment, but I'm not sure if that
                          will work. And are there any other gotchas?</div>
                        <div><br>
                        </div>
                        <div>So, the question is, how to re-install an
                          IPA client using kickstart (silent
                          re-install)?</div>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </div>
                The question is how/do you remove the client?<br>
                Based on what you say above you use the same system so
                there are some leftovers. If you can run
                ipa-client-install --uninstall it should clean things
                like keytab and certs (there have been bugs fixed in
                freeIPA 3.0). If the client has access to the server it
                will clean (not remove) the host entry too. Then you can
                re-run the install. If you use OTP you would need to
                reset OTP first.<br>
                <br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>
                      <div><br>
                        Regards,<br>
                        <div><br>
                        </div>
                      </div>
                      <div>Fred</div>
                    </div>
                  </div>
                  <br>
                  <fieldset></fieldset>
                  <br>
                  <pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                  <span><font color="#888888"> </font></span></blockquote>
                <span><font color="#888888"> <br>
                    <br>
                    <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>


</pre>
                  </font></span></div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


</pre>
  </div></div></div>

</blockquote></div><br></div></div>