[Freeipa-users] Howto re-deploy an IPA-client using kickstart

Charlie Derwent shelltoesuperstar at gmail.com
Thu Jan 24 00:47:10 UTC 2013 

Dmitri,

Thank you so much for opening that ticket. You've captured the problem much
more eloquently than I have described it in my e-mails and I think the
solution is better than any suggestion I put forward to you. It's very much
appreciated, we will wait eagerly for that RFE to make it into a release.

Secondly, thanks for the suggestion for the short term fix. I agree
entirely about the OTP issue (which was why I raised it as an inquiry
rather than a defect) it's a much simpler solution than the ideas we had
internally and we already have accounts in our IPA server with no shell
used for similar automation purposes. While we do have to expose the
password, we can mitigate that in the short term while we wait for the
solution outlined in the RFE.

Regards,
Charlie


On Thu, Jan 24, 2013 at 12:29 AM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 01/23/2013 04:09 PM, Fred van Zwieten wrote:
>
> On Wed, Jan 23, 2013 at 10:01 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>  On 01/23/2013 03:24 PM, Fred van Zwieten wrote:
>>
>>  Dmitri,
>>
>>  If I understand correcty this would mean I backup the keytab before
>> reinstall en restore it after (easily done with Satellite), then do a
>> ipa-client-install using the keytab. Does this mean the host record in IPA
>> will never change during this process? Sounds good to me. This makes
>> reinstalling a one-step process.
>>
>>  When the ssh keys are not preserved during reinstall they must be
>> refreshed in IPA, will ipa-client-install do that too in this case?
>>
>>
>>  Yes I suspect, but that would be the same as the initial enroll. I
>> suspect the keytab, cert and ssh keys would be regenerated. We will just
>> use keytab to acquire ticket and then start the whole enrollment from clean
>> sheet.
>>
>
> That would be a perfectly workable solution for me.
>
>
> https://fedorahosted.org/freeipa/ticket/3374
>
>
>
>> Fred
>>
>>
>>  On Wed, Jan 23, 2013 at 8:56 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>>  On 01/23/2013 01:56 PM, Charlie Derwent wrote:
>>>
>>>  Hi
>>>
>>> My team and I have been around this a few times and as far as we can see
>>> the best and simplest way to make this work is if we enrol once and back up
>>> all the relevant bits of information so in the event of a rebuild we can
>>> restore the necessary components and make it appear to the IPA server that
>>> it had never left.
>>>
>>> Disabling and re-enrolling was the preferred option initially but it
>>> seems there are too many issues to make this viable going forward.
>>>
>>>    - How to allow developers/administrators/robots access securely
>>>    between the disabling the host and re-enrolment (to say reboot the server
>>>    for PXEboot)
>>>    - Having to grant users permission to enrol servers even when they
>>>    only need to re-provision existing servers.
>>>    - OTP reuse being disabled preventing something simple like the
>>>    hostname of the server being used during re-enrolment
>>>    - The lack of a reusable OTP also makes the process two-step (see
>>>    Fred's mail) rather than the single step we previously had.
>>>
>>> To that end could someone please tell us or document all the steps
>>> required to back up the key ipa-client files so we can get past these
>>> problems and move onto the more interesting things that the IPA server
>>> can provide.
>>>
>>> Any effort to simplify the backup and restore process within an IPA
>>> client (and the server for that matter) would also be greatly appreciated.
>>>
>>>
>>>  I suspect you opened the ticket:
>>> https://fedorahosted.org/freeipa/ticket/3373
>>> Anyways I replied in the ticket and I am pasting it here:
>>> Making OTP reusable defeats the purpose of the OTP. It becomes just
>>> another password. If you want this you can create an account in IPA, limit
>>> its privileges to just host enrollment and use the password associated with
>>> this account to re-provision systems. Would that solve the problem for you?
>>>
>>> If the backup seems like a good option I suggest we open an RFE to allow
>>> re-enrolling a host using keytab.
>>> I can file an RFE for it. What it would do is: add an argument to
>>> ipa-client-install to use keytab instead of OTP or password if you saved
>>> one. If the authentication successful the client will reconfigure the
>>> system once again.
>>>
>>> Would that solve the problem?
>>>
>>> I do not like the full backup idea as it is not consistent between the
>>> versions. Say you redeploy but with the updated version of software that
>>> changed something and config files from the previous version are not 100%
>>> the same. Things would break.
>>> And depending upon the commands you used we touch different files as
>>> SSSD can now be integrated with autofs, ssh, sudo.
>>> I am just not sure that backup and restore is really a sustainable
>>> approach project/product wise.
>>> We can probably craft a list but I am scared promoting it as a solution.
>>>
>>>
>>>  Regards,
>>> Charlie.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Jan 18, 2013 at 8:14 PM, Fred van Zwieten <
>>> fvzwieten at vxcompany.com> wrote:
>>>
>>>> Dmitri,
>>>>
>>>>  Sure I can do this. I can make a script, and have this executed from
>>>> Satellite (remote command) and than perform the server redeploy from
>>>> Satellite. However, that makes it a two step process, and that is what I
>>>> now also have. However, I would like to make it fully automated in a single
>>>> step.
>>>>
>>>>  Come to think of it...there is also an api for Satellite. Maybe I can
>>>> make a script that will first do the IPA stuff and then call Satellite to
>>>> redeploy the server.....
>>>> ....hmmm....will look into this...and report my findings
>>>>
>>>>
>>>> Met vriendelijke groeten,
>>>> *
>>>> Fred van Zwieten
>>>> *
>>>> *Enterprise Open Source Services*
>>>>  *
>>>> Consultant*
>>>> *(vrijdags afwezig)*
>>>>
>>>> *VX Company IT Services B.V.*
>>>> *T* (035) 539 09 50 mobiel (06) 41 68 28 48
>>>> *F* (035) 539 09 08
>>>> *E* fvzwieten at vxcompany.com
>>>> *I*  www.vxcompany.com
>>>>
>>>>
>>>> On Fri, Jan 18, 2013 at 6:09 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>
>>>>>  On 01/18/2013 06:52 AM, Fred van Zwieten wrote:
>>>>>
>>>>> Hi Dmitri,
>>>>>
>>>>>  Sorry for the late reply. I basically want to do the same as Charlie
>>>>> Derwent in another tread on this mailing list: To fully automate the
>>>>> re-installation of a server using Satellite/Spacewalk using kickstart. As
>>>>> the server is an IPA client, it must first get to be un-enrolled, before an
>>>>> ipa-client-install --unattened -w secret etc. can be done in a %post
>>>>> snippet of the kickstart file. It is the automation of the unenrollment
>>>>> proces that we are not able to set up.
>>>>>
>>>>>  What I can do on any ipa-client to unenroll on the command line is:
>>>>>
>>>>>  ipa --disable-host <server> and ipa host-mod --password=secret --ssh=
>>>>>
>>>>>  This unprovisions the client, set's an OTP and removes the host ssh
>>>>> keys.
>>>>>
>>>>>  However, this can only be done on an IPA client, and during a
>>>>> kickstart install the server is no longer an IPA client, because it is
>>>>> freshly being set up.
>>>>>
>>>>>  It's a typical chicken-and-egg issue. You must first be ipa client
>>>>> to be able to execute ipa commands, but you cannot become an ipa client
>>>>> before unprovisioning yourself using those same ipa commands.
>>>>>
>>>>>  Another approuch would be to unprovision the client just before the
>>>>> reboot to be kickstarted, however, I have no idea how to set that up. It
>>>>> would mean the server has to know somehow it is being rebooted because of a
>>>>> re-install, but afaik, there is no way for satellite/spacewalk to tell the
>>>>> server this..
>>>>>
>>>>>  Regards,
>>>>>
>>>>>  Fred
>>>>>
>>>>>
>>>>>  IMO the right approach would be for the Satellite server to perform
>>>>> "ipa --disable-host <server> and ipa host-mod --password=secret --ssh=" as
>>>>> a part of the re-installation.
>>>>> Satellite should be given an IPA identity and call into IPA when it
>>>>> performs reinstall before rebooting the system.
>>>>>
>>>>> Tough... I will see what I can do.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Jan 12, 2013 at 10:06 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>
>>>>>>   On 01/12/2013 03:28 AM, Fred van Zwieten wrote:
>>>>>>
>>>>>> Hi there,
>>>>>>
>>>>>>  We are in the process of implementing Satellite and want to
>>>>>> automate server installations 100% using kickstart, cobbler, satellite.
>>>>>>
>>>>>>  IPA clients can be scripted enrolled using kickstart. Plenty of
>>>>>> documentation about that.
>>>>>>
>>>>>>  However, how to "re"-enroll IPA clients?
>>>>>>
>>>>>>  Satellite gives me the option to re-install a server. In this case,
>>>>>> there are still host and possibly service records for this host present in
>>>>>> IPA and DNS.
>>>>>>
>>>>>>  One way to think about this is, that it's actually OK to keep those
>>>>>> records there, because it is a "re"-installation, so why remove and
>>>>>> re-enroll? However, there is the krb5.keytab in /etc. I could save that
>>>>>> file during redeployment, but I'm not sure if that will work. And iare
>>>>>> there any other gotcha's.
>>>>>>
>>>>>>  So, the question is, how to re-install an IPA client using
>>>>>> kickstart (silent re-install)?
>>>>>>
>>>>>>
>>>>>>  The question is how/do you remove the client?
>>>>>> Based on what you say above you use the same system so there are some
>>>>>> leftovers. If you can run ipa-client-install --uninstall it should clean
>>>>>> things like keytab and certs (there have been bugs fixed in freeIPA 3.0).
>>>>>> If the client has access to the server it will clean (not remove) the host
>>>>>> entry too. Then you can re-run the install. If you use OTP you would need
>>>>>> to reset OTP first.
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>>  Fred
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thank you,
>>>>>> Dmitri Pal
>>>>>>
>>>>>> Sr. Engineering Manager for IdM portfolio
>>>>>> Red Hat Inc.
>>>>>>
>>>>>>
>>>>>> -------------------------------
>>>>>> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager for IdM portfolio
>>>>> Red Hat Inc.
>>>>>
>>>>>
>>>>> -------------------------------
>>>>> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>>>
>>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130124/88554173/attachment.htm>

More information about the Freeipa-users mailing list