Florence and Angus, thanks for the replies.

xCAT definitely can run scripts at boot time. And the kickstart method seems to 
be the way to go. But I still have some questions:

The nodes are stateless, so on a reboot all the configuration is lost and 
restored from the image. FreeIPA configuration will be lost and then restarted. 
Which appears to be ok. But there are two issues:

* The password for “joining” the FreeIPA domain that expires after the first use
* The necessity of the hostname on the ipa-client-install command: 
hostname=client.example.com

With these two things I think we are unable to move forward, so the first 
question is:

1. Do I really need this password? Or better, can the password be permanent? 
It’s a “closed” system, so in terms of security I think there’s no problem.

2. Can’t ipa-client-install use the hostname of the node automatically? Do I 
really need to fill in the hostname? Because this kills the idea of a generic 
image.

Thank you all guys.


> On 23 Sep 2019, at 04:04, Florence Blanc-Renaud <f...@redhat.com> wrote:
> 
> On 9/23/19 1:10 AM, Vinícius Ferrão via FreeIPA-users wrote:
>> Hello, the subject of the message may sound a little bit strange, but let me 
>> explain what I’m trying to do.
>> I have a machine with a provisioner (xCAT) that is able to boot and control 
>> different types of computer nodes. A stateless node is just a machine that 
>> boots over the network from a shared image on the server.
>> What I’m trying to do?
>> Join those stateless nodes to FreeIPA Server.
>> To do this, I’m aware that I can’t just run freeipa-client-install on the 
>> image chroot, since it will not behave as expected.
>> At this point xCAT (the provisioner) can create the DNS registers of the 
>> stateless nodes on FreeIPA integrated DNS (using TSIG keys). But I need to 
>> properly join the nodes to the server.
>> Is there a way to manually register the nodes on the server?
>> And about the users? How to enable them? Just configure SSSD on the image 
>> and it should be fine?
>> The certificates, client certificates and things like this? Is there 
>> something that I need to do?
>> Automount?
>> Any help is really appreciated.
>> Thanks,
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: 
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: 
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> 
> Hi,
> xCAT probably offers you the possibility to run a custom script at the end of 
> the installation. If it's the case, you can use a workflow similar to what is 
> described in "Setting up an IdM Client Through Kickstart" [1]. You need to 
> create a client host entry first, and the custom script on the client will 
> call ipa-client-install.
> 
> HTH,
> flo
> 
> [1] 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-kickstart
