Nova metadata dynamic vendordata server for enrolling IPA instances
Go to file
Rob Crittenden 861f151c4b Become 1.0.2 2016-09-07 14:39:40 -04:00
files Fix typo (?) in service_name, service vs services 2016-09-07 14:39:40 -04:00
man Installation fixups and add man pages for the scripts 2016-08-18 13:45:52 -04:00
novajoin Become 1.0.2 2016-09-07 14:39:40 -04:00
scripts Write more nova configuration in the installer 2016-09-07 09:55:12 -04:00
.gitignore Add basic .gitignore 2016-02-26 20:05:07 +00:00
LICENSE Initial commit 2016-02-26 19:47:47 +00:00
MANIFEST.in Installation fixups and add man pages for the scripts 2016-08-18 13:45:52 -04:00
Makefile Initial commit 2016-02-26 19:47:47 +00:00
README.md Document the basic flow of adding and deleting IPA hosts 2016-08-25 17:09:55 -04:00
setup.py Become 1.0.2 2016-09-07 14:39:40 -04:00

README.md

novajoin Package

This Python package provides a vendordata plugin for the OpenStack nova metadata service to manage host instantiation in an IPA server.

It consists of two services:

- REST service
- notification listener

The REST service will respond to dynamic requests from the nova metadata server. This is used to add hosts into IPA.

The notification listener will handle instance delete requests and remove the appropriate host from IPA.

Build

In this directory, run:

python setup.py build

Installation

In this directory, run:

python setup.py install

Package Requirements

Beyond those packages normally installed by Openstack, these are also required:

python-kerberos

Configuration

Run novajoin-install to install and configure the plugin on a pre-installed nova server.

nova currently needs to be manually configured to enable the novajoin REST service and enable notifications:

vendordata_providers = StaticJSON, DynamicJSON vendordata_dynamic_targets = 'join@http://127.0.0.1:9999/v1/' vendordata_dynamic_connect_timeout = 5 vendordata_dynamic_read_timeout = 30 vendordata_jsonfile_path = /etc/nova/cloud-config.json

notification_driver = messaging notification_topic = notifications notify_on_state_change = vm_state

Note that the IPA integration assumes that the IPA CA is in the system bundle. If it is not, or python-requests is not configured to use the system bundle, then you will get CERTIFICATE_VERIFY_FAILED errors.

Pre-requisites

You will need the IPA admin password, or an account that can add privileges, permissions, roles and can retrieve keytabs.

You will need to provide Openstack credentails in the environment so that the glance metadata upload can occur.

This will:

  • copy the cloud-init and enrollment script to /etc/nova
  • obtain a keytab to be used to authenticate against IPA when doing host management
  • call out to a script to create the requisite permissions and role in IPA
  • add the IPA metadata to the glance metadata service

The nova-api service will need to be manually restarted.

The installer takes the following options:

--hostname: use this value as the FQDN of the server. --user: user that the nova service runs as. This is needed to set filesystem permissions --principal: the user used to configure IPA integration: create permissions, get the keytab, etc. Default is the IPA admin account. --password: the password for the principal. If this is not set the the password is obtained interactively --password-file: the file containing the password for the principal.

Metadata REST Service Configuration

The REST service is configured in /etc/join/join.conf in the DEFAULT section. It provides the following options:

join_listen_port: The TCP port to listen on. Defaults to 9999. api_paste_config: The paste configuration file to use. debug: Enable additional debugging output. Default is False. auth_strategy: The authentication strategy to use url: The JSON RPC URL to an IPA server, e.g. https://ipa.host.domain/ipa/json keytab: The Kerberos keytab containing the credentails for the user nova will use to manage hosts. The default is /etc/krb5.keytab. service_name: The service name of the JSON RPC handler. This is normally HTTP@ domain: The domain to associate with IPA hosts. connect_retries: The number of times to attempt to contact the IPA server before failing. project_subdomain: Use the project the instance is created in as the subddomain for the fully-qualified domain name. For example if the project is admin and the domain is example.com and the instance name is test the FQDN will be test.admin.example.com normalize_project: A project name can contain values not allowed as a DNS label. This will convert invalid values to a dash (-) dropping leading and trailing dashes.

Usage

Sample usage from the command-line:

$ openstack server create --flavor m1.tiny --image cirros-0.3.4-x86_64-uec test --property ipa_enroll=True $ ssh $ curl http://169.254.169.254/openstack/2016-10-06/vendor_data2.json

The curl output will include a "join" element in the returned dict. Thsi will contain a hostname and ipaotp value. These are used for enrollment.

Design

There are quite a few moving parts in novajoin so here is a high-level overview of how it fits together.

The OpenStack Newton release added a new type of metadata to the nova metadata service: dynamic metadata. This is metadata generated on-the-fly and not stored within nova (perhaps for security reasons).

For the case of enrolling a client into IPA using a One-Time Password (OTP) the password needs to be generated when the IPA host created and then somehow passed to the instance. This is done using dynamic metadata.

The basic sequence of events is:

  1. Instance creation is requested to nova, either via Horizon or the command-line.
  2. nova starts the instance and pushes down a cloud-init script provided by novajoin.
  3. cloud-init executes the provided script which installs the ipa-client package, then executes a script which retrieves the metadata from the nova metadata service. This looks like: % curl http://169.254.169.254/openstack/2016-10-06/vendor_data2.json
  4. This request invokes the novajoin dynamic metadata service provided by the novajoin package. This is registered in /etc/nova/nova.conf.
  5. If the instance was created with the property ipa_enroll=True then a host in IPA is created and an OTP generated. The OTP and generated FQDN are returned to nova as a python dictionary. The data is returned from the metadata service as JSON. If the glance image has os_distro and os_version set in its metadata then this will be reflected in the IPA host.
  6. The script provided to cloud-init pulls out the OTP and FQDN and calls ipa-client-install

This results in an IPA-enrolled client with no user interaction.

The novajoin-notify service waits for notifications from nova that an instance deletion has been completed. If that instance has the property ipa_enroll=True then the host is removed from IPA.

Origin

This builds on the work of Rich Megginson and Nathan Kinder. Rich did the initial hooks implementation visible at https://github.com/richm/rdo-vm-factory/blob/master/rdo-ipa-nova

Copyright and License

Copyright 2016 Red Hat, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.