FreeIPA enroll can't work
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| tripleo |
Invalid
|
Medium
|
Unassigned | ||
Bug Description
OpenStack version: Ocata
Heat templates: 564e3feeb9c5188
Hello,
Using tripleO on a CentOS 7, the FreeIPA enroll for the overcloud can't work.
The puppet/
- needs a fixed OTP
- uses the CloudDomain as realm without any way to override that
The OTP stands for "one time password" and is attached to a host - using it like that means we must configure nodes beforehand in the IPA, and generate an OTP. But we can't pass per-host OTP. So that won't work.
More over, the undercloud being in the freeIPA, using novajoin command, allow that host to create other hosts - the right way would be to make the undercloud generate the hosts in freeIPA, and inject the OTP on the fly for each host.
The undercloud has an /etc/krb5.keytab that can be used for authentication.
The CloudDomain used as realm issue is less important, but in our case, the realm is not the same value, hence the ipa-client-install won't work either.
Unless I missed some documentation in some obscure place, this receipt can't work for the said reasons.
For the records, I used the following documentation:
http://
I also stumbled on that one:
https:/
The latter is a bit more complete (among things, the generation of the environment file…), but still, the OTP part is a blocker if we deploy on more than one host. And still, the enrollment shouldn't need any manual step in freeIPA, providing the host names are generated by the installer…
Any advice (or correction) would be good :).
Thank you in advance!
Cheers,
C.
| Changed in tripleo: | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| milestone: | none → queens-1 |
| Cédric Jeanneret deactivated (cjeanneret-c2c-deactivated) wrote | #1 |
| Juan Antonio Osorio Robles (juan-osorio-robles) wrote | #2 |
| Cédric Jeanneret deactivated (cjeanneret-c2c-deactivated) wrote | #3 |
| Changed in tripleo: | |
| milestone: | queens-1 → queens-2 |
| Changed in tripleo: | |
| milestone: | queens-2 → queens-3 |
| Changed in tripleo: | |
| milestone: | queens-3 → queens-rc1 |
| Changed in tripleo: | |
| milestone: | queens-rc1 → rocky-1 |
| Changed in tripleo: | |
| milestone: | rocky-1 → rocky-2 |
| Changed in tripleo: | |
| milestone: | rocky-2 → rocky-3 |
| Changed in tripleo: | |
| milestone: | rocky-3 → rocky-rc1 |
| Changed in tripleo: | |
| milestone: | rocky-rc1 → stein-1 |
| Juan Antonio Osorio Robles (juan-osorio-robles) wrote | #4 |
| Changed in tripleo: | |
| status: | Triaged → Invalid |
Hello,
Some more information, in case that might help as well.
After digging a lot in novajoin part, I stumbled on the novajoin-server service. That service serves as a proxy to freeIPA, using the undercloud keytab credentials in order to create the host and get an OTP.
That part is exactly what I was talking about, but apparently it's not really documented, at least not in the doc I pointed earlier.
That said, there are some issues there:
- apparently, it's not working with the cloud-init version (0.7.5) shipped in the centos overcloud images we can find here:
https:/
- apparently, it won't work either with 0.7.9
- apparently, it needs 0.7.6, which isn't shipped in Centos7 at all
- more over, there's apparently a login for the service itself, and I can't find anything about it
If I understand well, the novajoin-server is called/accessed by nova when we hit http://
And the README for novajoin is, well, deprecated: almost all the settings we can set are flagged as deprecated.
So for now: nothing is working as expected…
Cheers,
C.