I’ve been talking about using FreeIPA to secure OpenStack since the Havana summit in Portland. I’m now working with Tripleo to install OpenStack. To get the IPA server installed along with Tripleo Quickstart requires a VM accessible from the Ansible playbook.
UPDATE: This is changing rapidly. I’ll post complete updates in a bit, but the commit below is now one in a chain, and the instructions are in the git messages for the commits. One missing step in order to run ansible is:
export ANSIBLE_CONFIG=$HOME/.quickstart/tripleo-quickstart/ansible.cf
Build the Identity VM
- Apply the patch to quickstart that builds the VM
- Run quickstart at least up to the undercloud stage. The steps below do the complete install.
Since Quickstart makes a git repo under ~/.quickstart, I’ve been using that as my repo. It avoids duplication, and makes my changes visible.
mkdir ~/.quickstart
cd ~/.quickstart
git clone https://github.com/openstack/tripleo-quickstart
cd tripleo-quickstart
git review -d 315749
~/.quickstart/tripleo-quickstart/quickstart.sh -t all warp.lab4.eng.bos.redhat.com
If you are not set up for git review, you can pull the patch manually from Gerrit.
Set the hostname FQDN for the identity machine
ssh -F /home/ayoung/.quickstart/ssh.config.ansible identity-root hostnamectl set-hostname --static identity.warp.lab4.eng.bos.redhat.com
Add variables to the inventory file ~/.quickstart/hosts
[vms:vars]
ipa_server_password=FreeIPA4All
ipa_domain=warp.lab4.eng.bos.redhat.com
deployment_dir=/home/ayoung/.ossipee/deployments/warp.lab4.eng.bos.redhat.com
ipa_realm=WARP.LAB4.ENG.BOS.REDHAT.COM
cloud_user=stack
ipa_admin_user_password=FreeIPA4All
ipa_forwarder=
nameserver=
Activate the Venv:
. ~/.quickstart/bin/activate
Use Rippowam branch
cd ~/devel
git clone https://github.com/admiyo/rippowam
cd rippowam
git checkout origin/tripleo
Run ansible
ansible-playbook -i ~/.quickstart/hosts ~/devel/rippowam/ipa.yml
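Most of the failures in this procedure come from the inventory and the hostname disagreeing with each other: the realm must be the upper-cased domain, the identity VM's FQDN must sit inside that domain, and ipa-server-install rejects Directory Manager and admin passwords shorter than 8 characters. The script below is an added example, not code from the post or from rippowam; it reads the [vms:vars] block of ~/.quickstart/hosts, checks those three rules, and warns if the throwaway FreeIPA4All password is still in place. The variable names are the ones from the inventory above; the checks themselves are my assumptions about what the playbook needs, and the sample inventory at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post or rippowam): sanity-check the
# [vms:vars] block of ~/.quickstart/hosts before running ipa.yml.
# Rules assumed here: ipa_realm is the upper-cased ipa_domain, the identity
# host is a FQDN inside ipa_domain, and both IPA passwords are >= 8 chars.

# Print the value of KEY from the [vms:vars] section of an ini-style inventory.
inv_get() {  # usage: inv_get FILE KEY
    awk -v key="$2" '
        /^\[/ { insec = ($0 == "[vms:vars]"); next }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# Return 0 if HOST is a fully qualified name inside DOMAIN, as set with
# "hostnamectl set-hostname --static" in the post (no trailing dot).
check_fqdn() {  # usage: check_fqdn HOST DOMAIN
    case "$1" in
        *.)      return 1 ;;
        *."$2")  return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if the inventory is internally consistent; diagnostics go to stderr.
check_inventory() {  # usage: check_inventory FILE
    domain=$(inv_get "$1" ipa_domain)
    realm=$(inv_get "$1" ipa_realm)
    status=0
    if [ -z "$domain" ]; then
        echo "ipa_domain is empty" >&2; status=1
    fi
    expected=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$expected" ]; then
        echo "ipa_realm '$realm' should be '$expected'" >&2; status=1
    fi
    for key in ipa_server_password ipa_admin_user_password; do
        pw=$(inv_get "$1" "$key")
        if [ "${#pw}" -lt 8 ]; then
            echo "$key is shorter than the 8 characters ipa-server-install requires" >&2
            status=1
        fi
        case "$pw" in
            FreeIPA4All) echo "warning: $key still uses the throwaway value from the post" >&2 ;;
        esac
    done
    return "$status"
}

# Constructed sample inventory with the values from the post, so this runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[vms:vars]
ipa_server_password=FreeIPA4All
ipa_domain=warp.lab4.eng.bos.redhat.com
ipa_realm=WARP.LAB4.ENG.BOS.REDHAT.COM
cloud_user=stack
ipa_admin_user_password=FreeIPA4All
EOF
check_inventory "$sample" \
    && check_fqdn identity.warp.lab4.eng.bos.redhat.com "$(inv_get "$sample" ipa_domain)" \
    && echo "inventory and hostname are consistent"
rm -f "$sample"
```

Run it against ~/.quickstart/hosts and the hostname you set on the identity VM before launching ansible-playbook; a mismatch here costs far less than a half-finished ipa-server-install on the VM. The inventory also holds both IPA passwords in clear text, so keep ~/.quickstart/hosts out of any shared repo and change the FreeIPA4All values on anything that outlives the lab.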
Making this VM available to the overcloud requires some network wizardry. That deserves a post itself.