Mark, the code was updated to EL8 last week, if you’re still 
interested.

On 2 Sep 2020, at 09:18, Mark Potter <ma...@dug.com> wrote:

I'll dig through it today! We use a homegrown deployment system but I am 
personally very familiar with xcat so I ought to be able to work something out. 
Thanks a bunch.

On Tue, Sep 1, 2020, 8:46 PM Vinícius Ferrão <fer...@versatushpc.com.br> wrote:

Hi Mark, I had the same question in the past.

At the end of the day we “reverse engineered” what ipa-client-install does to 
avoid the force-join and passing the password in plaintext. So it’s basically a 
bunch of files that must be configured on the target system, so we configured 
it directly on the stateless images.

Some “manual” provisioning must be done, but you can do it through your 
stateless manager. For instance we are using xCAT, so when we create a new node 
on xCAT we automatically do the ipa-add-host on IPA.

We’ve done this for our HPC cluster software, the code is available here:
https://bitbucket.versatushpc.com.br/projects/OPENCATTUS/repos/deployment

Feel free to look at the inner workings of the code; it’s basically an Ansible 
Playbook.

On 1 Sep 2020, at 11:31, Mark Potter via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

We boot everything stateless in our environment and are using FreeIPA for 
authentication. I started discussing this a while ago but ended up with other 
things taking priority. The number of machines we have makes managing keys an 
untenable solution so we are using

ipa-client-install -U -q -p <join user> -w <password> --domain=domain.com --server=ipaserver.domain.com --fixed-primary --force-join

called from rc.local during boot to rejoin machines to the FreeIPA environment 
(we will be moving away from --fixed-primary but aren't there yet). While this 
works, it potentially exposes a password. I am looking for a better way to 
handle machines that need to re-join at every boot.

We have access to Ansible as well as a decent in-house templating system for 
configuration. Please forgive my starting this discussion anew and not 
resurrecting a zombie and thanks in advance for your help!

--
Mark Potter
Senior Linux Administrator
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
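
An added example, not part of the thread or of the OpenCATTUS repository: a Python check that flags ipa-client-install calls in a boot script which pass the password as a command-line argument, the exposure described in the original question. The sample script, host names and password are constructed; --password is the long form of -w.

```python
import os
import shlex

SECRET_OPTS = ("-w", "--password")  # ipa-client-install's password option, short and long form

def classify(value):
    """'literal': the secret is stored in the script; 'expanded': it is filled in at run time."""
    return "expanded" if any(c in value for c in "$`") else "literal"

def find_password_exposures(script_text):
    """Return [(option, kind)] for each ipa-client-install call that puts a password on argv."""
    findings = []
    # Merge backslash-continued lines so each command is one logical line.
    for line in script_text.replace("\\\n", " ").splitlines():
        try:
            tokens = shlex.split(line, comments=True)  # comments=True drops '#' lines
        except ValueError:      # unbalanced quotes: not a command we can parse
            continue
        names = [os.path.basename(t) for t in tokens]
        if "ipa-client-install" not in names:
            continue
        args = tokens[names.index("ipa-client-install") + 1:]
        for i, arg in enumerate(args):
            opt, sep, value = arg.partition("=")
            if opt not in SECRET_OPTS:
                continue
            if not sep:         # "-w VALUE" form: the secret is the next token
                value = args[i + 1] if i + 1 < len(args) else ""
            # Either kind ends up in the process argument list while the command runs;
            # a literal is additionally readable from the image itself.
            findings.append((opt, classify(value)))
    return findings

# Constructed sample, modelled on the rc.local call quoted in the thread.
SAMPLE_RC_LOCAL = r"""#!/bin/sh
ipa-client-install -U -q -p joinuser -w 'S3cret-constructed' \
    --domain=example.test --server=ipa.example.test --force-join
/usr/sbin/ipa-client-install -U --password="$(cat /run/enroll-otp)" --domain=example.test
# ipa-client-install -w commented-out
echo done
"""

if __name__ == "__main__":
    for opt, kind in find_password_exposures(SAMPLE_RC_LOCAL):
        print(f"ipa-client-install {opt}: {kind} password on the command line")
```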

