FreeIPA offers many benefits to an OpenStack deployment: Single Sign on and DNS-as-a-Service among others. In order to take advantage of freeIPA, the new host needs to be registered with the FreeIPA server. Here’s how to automate the process.

I started out with a FreeIPA server deployed in an a virtual machine inside out teams OpenStack based cloud. The server manages a domain that I have taken the liberty of calling openstack.freeipa.org. This is a non-public deployment, so don’t expect to resolve the DNS records yourself. However, IPA likes to work with Fully Qualified Domain Names, so I created one that is self documenting.

For my virtual machines images, I am using the Fedora 19 Cloud image. This is a very bare bones virtual machine.

The general steps to take in order to deploy are:

1. Allocate a Floating IP address
2. Generate an One Time Password (OTP)
3. Create a Host entry in FreeIPA, using the IP Address and OTP
4. Generate a user-data script
5. Boot the virtual machine
6. wait until the machine is running
7. Allocate the Floating IP address to the Virtual Machine

Once the virtual machine is running,  the user-data script performs the following tasks:

1. Sets the hostname of the virtual machine to match the VM name and the domain name of the IPA server
2. Sets the FreeIPA install as the DNS server
3. install freeipa-client via Yum
4. register the host using the OTP

Here is the code:

#!/bin/bash
. ./keystone.rc

#These values should also come out of a configuration file:
#they are specific to your deployemnt

PUBKEY=ayoung-pubkey
IMAGE_ID=94d1dbba-9e65-471e-97d0-eb7966982c12
FLAVOR_ID=3
SECGROUP=all
DOMAIN=openstack.freeipa.org
NAMESERVER=10.16.16.143

OTP=`uuidgen -r | sed 's/-//g'`

#this should be initialized if does not yet exisit: 
#the index is an integer.
#it provides a way to keep each VM unique

INDEX=`cat index.dat`
VM_NAME=$USER-$INDEX

#get first floating IP
FLOAT_IP=`nova floating-ip-list | awk ' $4~/None/  {print $2 ; exit }' `

ipa host-add $VM_NAME.$DOMAIN --ip-address=$FLOAT_IP --password=$OTP

#increment  the index for next time
echo $(( $INDEX + 1 )) > index.dat


#Generate the user-data for postboot configuration
cat << END_HEREDOC > $VM_NAME.dat
#!/bin/bash
echo $VM_NAME.$DOMAIN > /etc/hostname
hostname $VM_NAME.$DOMAIN
echo nameserver $NAMESERVER > /etc/resolv.conf
yum -y install freeipa-client
ipa-client-install -U -w $OTP
END_HEREDOC

nova boot   --image $IMAGE_ID --flavor $FLAVOR_ID --key_name $PUBKEY --security_groups $SECGROUP  --user-data $VM_NAME.dat  $VM_NAME

#wait until the VM is out of the BUILD state before continuing
#otherwise, adding the floating IP might fail
while [ `nova show $VM_NAME | awk ' $2~ /status/ { print $4 }'` = BUILD ]
do
sleep 1
echo -n .
done
echo
echo  adding floating IP address $FLOAT_IP to $VM_NAME

nova add-floating-ip $VM_NAME $FLOAT_IP

There is more work do be done, here. DHCP integration would be preferable to this manner of munging resolv.conf. Without that, the image need to be modified to prevent DHCP from updating the resolv.conf if the VM is ever rebooted.

Care must be taken when deleting the host entries allocated to virtual machines. Since they have DNS A records, IPA will complain if you attempt to reuse an IP address without first cleaning up the DNS A record. To delete a VM, remove it from both IPA and nova like this:

nova delete ayoung-31
ipa host-del ayoung-31 --updatedns

Special thanks to Jamie Lennox for editing support.