2013-09-15

FreeIPA offers many benefits to an OpenStack deployment: single sign-on and DNS-as-a-Service, among others. In order to take advantage of FreeIPA, each new host needs to be registered with the FreeIPA server. Here's how to automate the process.

I started out with a FreeIPA server deployed in a virtual machine inside our team's OpenStack-based cloud. The server manages a domain that I have taken the liberty of calling openstack.freeipa.org. This is a non-public deployment, so don't expect to resolve the DNS records yourself. However, IPA likes to work with Fully Qualified Domain Names, so I created one that is self-documenting.

For my virtual machine images, I am using the Fedora 19 Cloud image. This is a very bare-bones virtual machine.

The general steps to take in order to deploy are:

1. Allocate a Floating IP address
2. Generate a One-Time Password (OTP)
3. Create a Host entry in FreeIPA, using the IP address and OTP
4. Generate a user-data script
5. Boot the virtual machine
6. Wait until the machine is running
7. Allocate the Floating IP address to the virtual machine

Once the virtual machine is running, the user-data script performs the following tasks:

1. Sets the hostname of the virtual machine to match the VM name and the domain name of the IPA server
2. Sets the FreeIPA install as the DNS server
3. Installs freeipa-client via Yum
4. Registers the host using the OTP

Here is the code:

There is more work to be done here. DHCP integration would be preferable to this manner of munging resolv.conf. Without that, the image needs to be modified to prevent DHCP from overwriting resolv.conf if the VM is ever rebooted.

Care must be taken when deleting the host entries allocated to virtual machines. Since they have DNS A records, IPA will complain if you attempt to reuse an IP address without first cleaning up the DNS A record. To delete a VM, remove it from both IPA and nova like this:
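The following is an added example, not the script from the original post: it implements the deploy steps listed above (floating IP, OTP, IPA host entry, user-data generation, boot, floating IP assignment) and the two-part deletion just described. It assumes an IPA server named ipa.openstack.freeipa.org at a constructed address, a valid admin Kerberos ticket (kinit) and a configured nova CLI; the awk parsing of the nova table output and the image and flavor names are assumptions.

```shell
#!/bin/bash
# Added example; names and addresses below are constructed, not from the post.
DOMAIN="openstack.freeipa.org"
IPA_SERVER_IP="10.0.0.5"          # constructed: address of the IPA VM
IPA_SERVER_FQDN="ipa.${DOMAIN}"   # assumed server name
IMAGE="Fedora19-Cloud"            # assumed image name in glance

# Emit the cloud-init user-data script that runs on the VM's first boot:
# set the FQDN, point DNS at IPA, install the client, enroll with the OTP.
gen_user_data() {
    local name="$1" otp="$2"
    cat <<EOF
#!/bin/bash
hostnamectl set-hostname ${name}.${DOMAIN}
# Use IPA as the resolver; cloud DHCP may overwrite this on reboot.
printf 'search %s\nnameserver %s\n' "${DOMAIN}" "${IPA_SERVER_IP}" > /etc/resolv.conf
yum -y install freeipa-client
ipa-client-install --unattended --mkhomedir \\
    --server=${IPA_SERVER_FQDN} --domain=${DOMAIN} \\
    --hostname=${name}.${DOMAIN} --password='${otp}'
EOF
}

# Register the host in IPA and boot it. Runs on the workstation, not the VM.
deploy_host() {
    local name="$1" ip otp userdata="/tmp/${name}-userdata.sh"
    ip=$(nova floating-ip-create | awk '/\./ {print $2}')  # assumed table layout
    otp=$(openssl rand -hex 16)                 # one-time enrollment secret
    # The A record is created with the host entry, so the IP must be unused.
    ipa host-add "${name}.${DOMAIN}" --ip-address="$ip" --password="$otp"
    (umask 077; gen_user_data "$name" "$otp" > "$userdata")  # OTP is in here
    nova boot --image "$IMAGE" --flavor m1.small --user-data "$userdata" "$name"
    while ! nova show "$name" | grep -q ACTIVE; do sleep 5; done
    nova add-floating-ip "$name" "$ip"
    rm -f "$userdata"
}

# Tear down: delete the host and its DNS A record, then the nova instance,
# so the floating IP can be reused without IPA complaining.
delete_host() {
    local name="$1"
    ipa host-del "${name}.${DOMAIN}" --updatedns
    nova delete "$name"
}
```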

Special thanks to Jamie Lennox for editing support.
