[Freeipa-devel] [RFC] Improve FreeIPA usability in cloud environments

James purpleidea at gmail.com
Mon Sep 16 04:32:41 UTC 2013


On Fri, Sep 13, 2013 at 4:26 AM, Petr Spacek <pspacek at redhat.com> wrote:
> Hello list,
Hey
>
> FreeIPA deployments in cloud environments do not work very well because
> 'clouds' break some assumptions we made during FreeIPA's design.
>
> We should fix it somehow :-)
Agreed!

>
> === Problems ===
> - A machine has two host names in DNS:
> -- The first name is internal to the cloud and resolvable only from inside
> of the cloud.
> --- This name should be used for communication inside cloud.
> --- E.g. 'ipa.cust1.cloud.'
> --- Internal name is mapped to internal IP address, see below.
>
> -- The second name is external to the cloud and should be used for
> communication between the Internet and cloud.
> --- E.g. 'ipa.example.com.'
> --- External name maps to external IP address, see below.
>
> - A machine has two IP addresses:
> -- Internal, private IP address configured at the machine's interface
> --- Typically the only IP address known to the machine.
> --- E.g. 192.0.2.22
> --- IP address can change dynamically, at least after a machine reboot.
In my situation, the IPs are always constant.

>
> -- External, public IP address:
> --- Typically mapped to internal address at cloud boundary (NAT).
> --- E.g. 203.0.113.113
> --- IP address can change dynamically, at least after a machine reboot.
>
> Related tickets:
> https://fedorahosted.org/freeipa/ticket/2648
> https://fedorahosted.org/freeipa/ticket/2715
>
> The natural request is to add support for DNS views/split horizon DNS into
> FreeIPA, so different names and IP addresses can be served to clients inside
> and outside of the cloud.
I've asked about split view DNS support before. It would be extremely valuable!

>
> Is it enough? What else should we change to make FreeIPA reliable in clouds?
>
> What are use cases?
As described above, my particular use case is one machine with one
consistent hostname, but with multiple IP addresses. Internally the VM
sees itself as say 10.10.10.1, but externally it might have one or
more different addresses that are used to NAT directly to it for
example.

>
> Do we want to support clients *outside* of the cloud connecting to FreeIPA
> servers *inside* of the cloud?
>
> What about PKI certificates? Should we put two names to each certificate?
> What should we do after a host name change? (I do not have enough information
> about when the host name changes.)
I never have any issues with different host names. All are consistent.

>
> What about Kerberos? How will it play with a host name change? How should we
> handle the fact that internal and external names are different? Should we
> use some sort of referral mechanism?
>
>
> Cloud users, please speak now :-) Opinions are more than welcome!
Some comments are given above. Please keep me in the loop. Once this
is cooking, I'd love to add puppet-ipa support to match.
https://github.com/purpleidea/puppet-ipa
I'm happy to answer any questions you have.

>
> --
> Petr^2 Spacek
Thanks,
James


>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
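To make the "two names, two addresses" problem from the quoted RFC concrete, here is an added example (not code from this thread, from FreeIPA or from bind-dyndb-ldap): a small model of split-horizon DNS views that answers with the internal or the NAT'd external address depending on where the client asks from, using the host names and addresses Petr gives. The view names, the 192.0.2.0/24 "inside the cloud" client network and the record layout are assumptions made for the example.

```python
import ipaddress

# Constructed sample data taken from the RFC's example: one machine,
# internal name ipa.cust1.cloud. -> 192.0.2.22, external name
# ipa.example.com. -> 203.0.113.113 (NAT at the cloud boundary).
# Assumption: clients inside the cloud come from 192.0.2.0/24.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Split-horizon "views", in the spirit of BIND's view / match-clients:
# each view matches a set of client networks and has its own zone data.
VIEWS = [
    {
        "name": "internal",
        "match_clients": [INTERNAL_NET],
        "records": {
            "ipa.cust1.cloud.": "192.0.2.22",
            "ipa.example.com.": "192.0.2.22",  # external name still works inside
        },
    },
    {
        "name": "external",
        "match_clients": [ipaddress.ip_network("0.0.0.0/0")],  # everyone else
        "records": {
            "ipa.example.com.": "203.0.113.113",  # public address behind NAT
        },
    },
]


def select_view(client_ip):
    """Return the first view whose match_clients contains the client address."""
    ip = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if any(ip in net for net in view["match_clients"]):
            return view
    return None


def resolve(name, client_ip):
    """Answer an A query for `name` out of the view chosen by the client's address."""
    view = select_view(client_ip)
    if view is None:
        return None
    return view["records"].get(name)


def leaks_internal_address(name, client_ip):
    """Defender's check: an outside client must never be handed an address
    that is only reachable inside the cloud. Expected to be False."""
    answer = resolve(name, client_ip)
    if answer is None:
        return False
    outside = ipaddress.ip_address(client_ip) not in INTERNAL_NET
    return outside and ipaddress.ip_address(answer) in INTERNAL_NET
```

Note that the internal-only name (ipa.cust1.cloud.) simply does not exist in the external view, which is the behaviour the RFC asks for: outside clients get only the public name and address.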