[Freeipa-users] Howto re-deploy an IPA-client using kickstart
Dmitri Pal
dpal at redhat.com
Fri Jan 18 17:09:29 UTC 2013
On 01/18/2013 06:52 AM, Fred van Zwieten wrote:
> Hi Dmitri,
>
> Sorry for the late reply. I basically want to do the same as Charlie
> Derwent in another thread on this mailing list: To fully automate the
> re-installation of a server using Satellite/Spacewalk using kickstart.
> As the server is an IPA client, it must first get to be un-enrolled,
> before an ipa-client-install --unattended -w secret etc. can be done in
> a %post snippet of the kickstart file. It is the automation of the
> unenrollment process that we are not able to set up.
>
> What I can do on any ipa-client to unenroll on the command line is:
>
> ipa --disable-host <server> and ipa host-mod --password=secret --ssh=
>
> This unprovisions the client, sets an OTP and removes the host ssh keys.
>
> However, this can only be done on an IPA client, and during a
> kickstart install the server is no longer an IPA client, because it is
> freshly being set up.
>
> It's a typical chicken-and-egg issue. You must first be ipa client to
> be able to execute ipa commands, but you cannot become an ipa client
> before unprovisioning yourself using those same ipa commands.
>
> Another approach would be to unprovision the client just before the
> reboot to be kickstarted, however, I have no idea how to set that up.
> It would mean the server has to know somehow it is being rebooted
> because of a re-install, but afaik, there is no way for
> satellite/spacewalk to tell the server this..
>
> Regards,
>
> Fred
IMO the right approach would be for the Satellite server to perform "ipa
--disable-host <server> and ipa host-mod --password=secret --ssh=" as a
part of the re-installation.
Satellite should be given an IPA identity and call into IPA when it
performs reinstall before rebooting the system.
Tough... I will see what I can do.
> On Sat, Jan 12, 2013 at 10:06 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 01/12/2013 03:28 AM, Fred van Zwieten wrote:
>> Hi there,
>>
>> We are in the process of implementing Satellite and want to
>> automate server installations 100% using kickstart, cobbler,
>> satellite.
>>
>> IPA clients can be scripted enrolled using kickstart. Plenty of
>> documentation about that.
>>
>> However, how to "re"-enroll IPA clients?
>>
>> Satellite gives me the option to re-install a server. In this
>> case, there are still host and possibly service records for this
>> host present in IPA and DNS.
>>
>> One way to think about this is, that it's actually OK to keep
>> those records there, because it is a "re"-installation, so why
>> remove and re-enroll? However, there is the krb5.keytab in /etc.
>> I could save that file during redeployment, but I'm not sure if
>> that will work. And are there any other gotchas.
>>
>> So, the question is, how to re-install an IPA client using
>> kickstart (silent re-install)?
>
> The question is how/do you remove the client?
> Based on what you say above you use the same system so there are
> some leftovers. If you can run ipa-client-install --uninstall it
> should clean things like keytab and certs (there have been bugs
> fixed in freeIPA 3.0). If the client has access to the server it
> will clean (not remove) the host entry too. Then you can re-run
> the install. If you use OTP you would need to reset OTP first.
>
>>
>> Regards,
>>
>> Fred
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
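
The approach suggested in the reply above (the provisioning server holds its own IPA identity and resets the host entry before the reboot), sketched as an added example that is not part of the original message or of any Satellite or FreeIPA code. The keytab path, principal and host names are hypothetical, and it uses `ipa host-disable` with `ipa host-mod --random --sshpubkey=` in place of the fixed `--password=secret` shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Keytab path and principal are hypothetical.
KEYTAB="${KEYTAB:-/etc/satellite/ipa-provisioner.keytab}"
PRINCIPAL="${PRINCIPAL:-svc-provisioner@EXAMPLE.TEST}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# Accept only lower-case FQDNs: rejects empty values, option-like strings
# ("-x") and anything containing whitespace or shell metacharacters.
valid_fqdn() {
    case "$1" in
        ''|-*|.*|*-|*.|*..*|*.-*|*-.*|*[!a-z0-9.-]*) return 1 ;;
    esac
    case "$1" in *.*) return 0 ;; *) return 1 ;; esac
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: reprovision_host web01.example.test
reprovision_host() {
    host=$1
    if ! valid_fqdn "$host"; then
        echo "refusing host name: $host" >&2
        return 2
    fi
    # Private credential cache so the service ticket is not left in a shared one.
    ccache=$(mktemp) || return 1
    KRB5CCNAME="FILE:$ccache"; export KRB5CCNAME
    status=0
    # Same order as in the thread: disable the host first, then set a
    # one-time enrollment password and clear its stored SSH keys.
    run kinit -kt "$KEYTAB" "$PRINCIPAL" &&
        run ipa host-disable "$host" &&
        run ipa host-mod "$host" --random --sshpubkey= || status=1
    run kdestroy || true
    rm -f "$ccache"; unset KRB5CCNAME
    return "$status"
}
```

`ipa host-mod --random` prints the generated one-time password; the provisioning side still has to pass that value to `ipa-client-install -w` in the kickstart `%post`, and should treat it as a secret until the host has enrolled.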