I'll dig through it today! We use a homegrown deployment system but I am
personally very familiar with xcat so I ought to be able to work something
out. Thanks a bunch.

On Tue, Sep 1, 2020, 8:46 PM Vinícius Ferrão <fer...@versatushpc.com.br>
wrote:

> Hi Mark, I’ve had the same question in the past.
>
> At the end of the day we “reverse engineered” what ipa-client-install does
> to avoid the force-join and passing the password in plaintext. So it’s
> basically a bunch of files that must be configured on the target system, so
> we configured it directly on the stateless images.
>
> Some “manual” provisioning must be done, but you can do it through your
> stateless manager. For instance we are using xCAT, so when we create a new
> node on xCAT we automatically do the ipa-add-host on IPA.
>
> We’ve done this for our HPC cluster software, the code is available here:
> https://bitbucket.versatushpc.com.br/projects/OPENCATTUS/repos/deployment
>
> Feel free to look at the inner workings of the code, it’s basically an Ansible
> Playbook.
>
> On 1 Sep 2020, at 11:31, Mark Potter via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> We boot everything stateless in our environment and are using FreeIPA for
> authentication. I started discussing this a while ago but ended up with
> other things taking priority. The number of machines we have makes managing
> keys an untenable solution so we are using
>
> ipa-client-install -U -q -p <join user> -w <password> --domain=domain.com
> --server=ipaserver.domain.com --fixed-primary --force-join
>
> called from rc.local during boot to rejoin machines to the FreeIPA
> environment (we will be moving away from --fixed-primary but aren't there
> yet). While this works, it potentially exposes a password. I am looking
> for a better way to handle machines that need to re-join at every boot.
>
> We have access to ansible as well as a decent, in-house templating system
> for configuration. Please forgive my starting this discussion anew and not
> resurrecting a zombie and thanks in advance for your help!
>
> --
> *Mark Potter*
> Senior Linux Administrator
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>
>
>
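A check for the pattern discussed in this thread, as an added example that is not from any poster or from the FreeIPA project: it scans a boot script for `ipa-client-install` calls that pass a password with `-w`/`--password` and notes whether `--force-join` is also used. The sample script, its host names and the helper names `join_commands` and `audit` are constructed for illustration.

```python
import shlex

# Constructed sample boot script, modelled on the command quoted in the thread.
SAMPLE_RC_LOCAL = """\
#!/bin/sh
/usr/sbin/ipa-client-install -U -q -p joinuser -w 'S3cret!' \\
    --domain=example.test --server=ipa.example.test --force-join
ipa-client-install -U --password="$OTP" --domain=example.test
# ipa-client-install -U -w commented-out
touch /var/lock/subsys/local
"""

def join_commands(script_text):
    """Yield (first_line_no, argv) per ipa-client-install call, joining '\\' continuations."""
    buf, start = "", 0
    for line_no, line in enumerate(script_text.splitlines(), 1):
        if not buf:
            start = line_no
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        try:
            argv = shlex.split(buf, comments=True)  # drops '#' comments
        except ValueError:                          # unbalanced quotes: skip the line
            argv = []
        buf = ""
        if any(a.rsplit("/", 1)[-1] == "ipa-client-install" for a in argv):
            yield start, argv

def audit(script_text):
    """Return (line, kind, force_join) for each password passed on the command line."""
    findings = []
    for line_no, argv in join_commands(script_text):
        force = "--force-join" in argv
        for i, arg in enumerate(argv):
            if arg in ("-w", "--password") and i + 1 < len(argv):
                value = argv[i + 1]
            elif arg.startswith("--password="):
                value = arg.split("=", 1)[1]
            elif arg.startswith("-w") and len(arg) > 2:
                value = arg[2:]
            else:
                continue
            # "$VAR" keeps the secret out of this file, but it is still in argv at run time
            kind = "variable" if value.startswith("$") else "literal"
            findings.append((line_no, kind, force))
    return findings

if __name__ == "__main__":
    for line_no, kind, force in audit(SAMPLE_RC_LOCAL):
        print(f"line {line_no}: {kind} password on command line, force-join={force}")
```
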