There are few things more useful than a set of examples when starting to work with a new API. Here are some I’ve started collecting up for my work:
The first of three articles: More. Policy
FreeIPA offers many benefits to an OpenStack deployment: single sign-on and DNS-as-a-Service among others. In order to take advantage of FreeIPA, each new host needs to be registered with the FreeIPA server. Here's how to automate the process.
I started out with a FreeIPA server deployed in a virtual machine inside our team's OpenStack-based cloud. The server manages a domain that I have taken the liberty of calling openstack.freeipa.org. This is a non-public deployment, so don't expect to resolve the DNS records yourself. However, IPA likes to work with Fully Qualified Domain Names, so I created one that is self-documenting.
For my virtual machine images, I am using the Fedora 19 Cloud image. This is a very bare-bones virtual machine.
The general steps to take in order to deploy are:
Once the virtual machine is running, the user-data script performs the following tasks:
Here is the code:
```bash
#!/bin/bash
. ./keystone.rc

#These values should also come out of a configuration file:
#they are specific to your deployment
PUBKEY=ayoung-pubkey
IMAGE_ID=94d1dbba-9e65-471e-97d0-eb7966982c12
FLAVOR_ID=3
SECGROUP=all
DOMAIN=openstack.freeipa.org
NAMESERVER=10.16.16.143

#one-time password used by the client to enroll; consumed on first use
OTP=`uuidgen -r | sed 's/-//g'`

#this should be initialized if it does not yet exist:
#the index is an integer.
#it provides a way to keep each VM unique
INDEX=`cat index.dat`
VM_NAME=$USER-$INDEX

#get first floating IP not bound to an instance
FLOAT_IP=`nova floating-ip-list | awk ' $4~/None/ {print $2 ; exit }' `

#pre-register the host (and its DNS A record) in IPA with the OTP
ipa host-add $VM_NAME.$DOMAIN --ip-address=$FLOAT_IP --password=$OTP

#increment the index for next time
echo $(( $INDEX + 1 )) > index.dat

#Generate the user-data for postboot configuration
cat << END_HEREDOC > $VM_NAME.dat
#!/bin/bash
echo $VM_NAME.$DOMAIN > /etc/hostname
hostname $VM_NAME.$DOMAIN
echo nameserver $NAMESERVER > /etc/resolv.conf
yum -y install freeipa-client
ipa-client-install -U -w $OTP
END_HEREDOC

nova boot --image $IMAGE_ID --flavor $FLAVOR_ID --key_name $PUBKEY --security_groups $SECGROUP --user-data $VM_NAME.dat $VM_NAME

#wait until the VM is out of the BUILD state before continuing
#otherwise, adding the floating IP might fail
while [ `nova show $VM_NAME | awk ' $2~ /status/ { print $4 }'` = BUILD ]
do
  sleep 1
  echo -n .
done
echo

echo adding floating IP address $FLOAT_IP to $VM_NAME
nova add-floating-ip $VM_NAME $FLOAT_IP
```
There is more work to be done here. DHCP integration would be preferable to this manner of munging resolv.conf. Without it, the image needs to be modified to prevent DHCP from overwriting resolv.conf if the VM is ever rebooted.
Care must be taken when deleting the host entries allocated to virtual machines. Since they have DNS A records, IPA will complain if you attempt to reuse an IP address without first cleaning up the DNS A record. To delete a VM, remove it from both IPA and nova like this:
```bash
nova delete ayoung-31
ipa host-del ayoung-31 --updatedns
```
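As an added example (not code from the original post), the inline awk and heredoc steps of the script above factored into shell functions so each can be checked against constructed input before the script is pointed at a live nova/IPA deployment. The function names are mine, and the floating-IP table is a constructed stand-in for `nova floating-ip-list` output, not captured from a real cloud.

```bash
#!/bin/bash
# Added example, not from the original post: the post's inline steps as
# testable functions. Names are assumptions; the sample table is constructed.

# Constructed stand-in for `nova floating-ip-list` (old pipe-delimited layout).
SAMPLE_FLOATING_LIST='+--------------+--------------------------------------+-------------+------+
| Ip           | Instance Id                          | Fixed Ip    | Pool |
+--------------+--------------------------------------+-------------+------+
| 10.16.16.200 | 6f4c3a2e-1111-2222-3333-444455556666 | 192.168.0.5 | nova |
| 10.16.16.201 | None                                 | -           | nova |
| 10.16.16.202 | None                                 | -           | nova |
+--------------+--------------------------------------+-------------+------+'

# First floating IP whose "Instance Id" column is None. Same field logic as the
# post: with default whitespace splitting, $2 is the address and $4 the instance.
first_free_floating_ip() {
    awk '$4 == "None" { print $2; exit }'
}

# 32 hex chars, the same shape as `uuidgen -r | sed s/-//g`, without needing uuidgen.
new_otp() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print the current index stored in file $1 and store index+1 for next time.
# Starts at 0 when the file is missing, which the post says must be done by hand.
next_index() {
    local idx=0
    [ -f "$1" ] && idx=$(cat "$1")
    echo $((idx + 1)) > "$1"
    echo "$idx"
}

# Post-boot user-data: $1=FQDN $2=nameserver $3=one-time enrollment password.
# Unquoted heredoc on purpose so the values are expanded into the generated script.
make_user_data() {
    cat <<END_HEREDOC
#!/bin/bash
echo $1 > /etc/hostname
hostname $1
echo nameserver $2 > /etc/resolv.conf
yum -y install freeipa-client
ipa-client-install -U -w $3
END_HEREDOC
}
```

The generated user-data carries the OTP in clear text (in the `.dat` file and in the instance metadata), so treat that file as sensitive until `ipa-client-install` has consumed the password.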
Special thanks to Jamie Lennox for editing support.
When reinstalling FreeIPA, you often get browser errors complaining of reissued certificates. Here is how you can deal with them:
Until a few decades ago, attendance at chapel was mandatory for all cadets at West Point. The Jewish cadets and officers used to meet in chapels for other denominations, or other buildings around the post. The Jewish Chapel was completed in the early 1980s, after chapel was no longer mandatory, but still highly encouraged. It provided a sanctuary unrivalled at West Point. The food alone was sufficient to encourage participation from beyond “The Tribe.”