[Freeipa-devel] [RFC] Improve FreeIPA usability in cloud environments
Petr Spacek
pspacek at redhat.com
Fri Sep 13 08:26:38 UTC 2013
Hello list,
FreeIPA deployments in cloud environments do not work very well because
'clouds' break some assumptions we made during FreeIPA's design.
We should fix it somehow :-)
=== Problems ===
- A machine has two host names in DNS:
-- The first name is internal to the cloud and resolvable only from inside of
the cloud.
--- This name should be used for communication inside cloud.
--- E.g. 'ipa.cust1.cloud.'
--- Internal name is mapped to internal IP address, see below.
-- The second name is external to the cloud and should be used for
communication between the Internet and cloud.
--- E.g. 'ipa.example.com.'
--- External name maps to external IP address, see below.
- A machine has two IP addresses:
-- Internal, private IP address configured at the machine's interface
--- Typically the only IP address known to the machine.
--- E.g. 192.0.2.22
--- IP address can change dynamically, at least after a machine reboot.
-- External, public IP address:
--- Typically mapped to internal address at cloud boundary (NAT).
--- E.g. 203.0.113.113
--- IP address can change dynamically, at least after a machine reboot.
Related tickets:
https://fedorahosted.org/freeipa/ticket/2648
https://fedorahosted.org/freeipa/ticket/2715
The natural request is to add support for DNS views/split horizon DNS into
FreeIPA, so different names and IP addresses can be served to clients inside
and outside of the cloud.
Is it enough? What else should we change to make FreeIPA reliable in clouds?
What are use cases?
Do we want to support clients *outside* of the cloud connecting to FreeIPA
servers *inside* of the cloud?
What about PKI certificates? Should we put two names in each certificate? What
should we do after a host name change? (I do not have enough information about when
the host name changes.)
What about Kerberos? How will it play with a host name change? How should we
handle the fact that internal and external names are different? Should we use
some sort of referral mechanism?
Cloud users, please speak now :-) Opinions are more than welcome!
--
Petr^2 Spacek
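To make the split-horizon idea in the post concrete, here is a small added example (not code from the post or from FreeIPA) of how a DNS view is chosen per query: the client's source address decides whether the internal or the external record set answers. The network ranges, names and addresses are constructed from the examples in the message and are assumptions, as is the rule that the internal name is simply absent from the external view.

```python
import ipaddress

# Constructed data modelled on the post: one private network inside the cloud,
# and two record sets (views) that disagree about the same machine.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # assumption
VIEWS = {
    # internal name -> internal (private, NAT-side) address
    "internal": {"ipa.cust1.cloud.": "192.0.2.22"},
    # external name -> public address; the internal name is deliberately absent
    "external": {"ipa.example.com.": "203.0.113.113"},
}


def normalize(qname):
    """Lower-case the owner name and make it fully qualified (trailing dot)."""
    qname = qname.lower()
    return qname if qname.endswith(".") else qname + "."


def select_view(client_ip):
    """Pick the view from the query's source address, as split-horizon DNS does."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "internal"
    return "external"


def resolve(qname, client_ip):
    """Return (view, address); address is None when the view has no such name,
    which is exactly what an outside client sees for the cloud-internal name."""
    view = select_view(client_ip)
    return view, VIEWS[view].get(normalize(qname))


def update_address(view, qname, new_ip):
    """Rewrite a record after a dynamic address change (e.g. after reboot);
    only the view that owns the name is touched."""
    name = normalize(qname)
    if name not in VIEWS[view]:
        raise KeyError(f"{name} is not served by the {view} view")
    VIEWS[view][name] = str(ipaddress.ip_address(new_ip))
    return VIEWS[view][name]


if __name__ == "__main__":
    print(resolve("ipa.cust1.cloud", "192.0.2.5"))     # inside: internal address
    print(resolve("ipa.cust1.cloud", "198.51.100.7"))  # outside: no answer
    print(resolve("ipa.example.com", "198.51.100.7"))  # outside: public address
```

The point for a deployment is that a single name cannot safely carry both answers: clients must be classified by where they query from, and any record that changes at reboot has to be updated in the view that serves it, otherwise Kerberos and certificate name checks for that host fail on one side of the NAT boundary.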