On 31.1.2016 10:39, Dan Lavu wrote:
> I started playing around with Openstack and was installing FreeIPA on a 
> tenant 
> network and I wanted to replicate to a server on provider network or another 
> network entirely. If you are not familiar with Openstack, a lot of cloud 
> implementations will have a virtual private network that is entirely isolated 
> from the outside world until an IP is attached to the guest. So this had me 
> thinking about best practices and cloud implementations using FreeIPA. I 
> can't 
> seem to find a lot documentation on this. So the complication I've come 
> across 
> is that the tenant network is not route-able by default, but you can attach a 
> floating-IP which is route-able to the external FreeIPA server but the host 
> entries are going to differ. For clarification in the below diagram, (if this 
> diagram doesn't show up, it is attached).
> 
> openstack_networks
> 
> idm2, has the local IP of 192.168.50.13 and has a floating ip 0f 
> 192.168.73.7, 
> but on the guest 192.168.73.7 is not known at all, for it to be route-able it 
> does some source natting using neutron and openvswitch. So during the 
> installation, it's not possible to use the external IP because the installer 
> will indicate the IP doesn't exist or is not route-able.
> 
> So I ultimately installed FreeIPA using the internal address and modified the 
> A 
> record to point to the floating external IP address. Lastly modified the host 
> file to have the name resolve to the internal address. I feel like there is a 
> cleaner way of doing this. Now it gets even more complicated if different 
> hostnames are used, since IPA does a URL rewrite and I'm sure there are other 
> name dependencies I'm unaware of.
> 
> So my questions are, do we have a documentation about installation FreeIPA on 
> a 
> cloud platform to serve external hosts?
> 
> Do we have any instructions on adding another name to the FreeIPA server 
> certificate? (I know we have steps for client hosts) I can see this being 
> resolved by having idm2 access requests for two domains, i.e. 192.168.73.0/24 
> company.com and 192.168.50.0/24 cloud.company.com.
> 
> Is there any other solutions?

I can tell you how I'm installing IPA in OpenStack, but it is a hack:
1) Assign a floating IP to the VM
2) Configure hostname inside the VM to match the externally visible one
3) Temporarily assign floating IP address to loopback inside the VM
4) Run IPA installer
5) Remove the floating address from the loopback

> Is this something that we need to address?
Yeah, we should, but I have no idea how IPA can detect its floating IP address 
...

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to