Greetings FreeIPA mailing list:
Thinking outside of the box for a moment, is it possible to divorce the
FreeIPA "master" feature of deploying FreeIPA servers from the FreeIPA
cluster which handles everything else? That would keep it safe and out of
harm's way, especially considering it has the CA key on it.
This could be done a couple of different ways. One would be to just have
the master FreeIPA "server" deployed as a VM instance -- we only dust it off
and start it up when a new server needs deployment, and shut it back down
after it's generated the replica file. While crude for my environment, this
would work really well for a VM-based shop.
The elegant approach for us is to run the FreeIPA replica generation feature
on our kickstart+puppet server, where it only generates FreeIPA replica
files and simply doesn't handle any FreeIPA requests.
Since Kickstart would most likely need to generate the replica file, as I
believe the way Puppet works prevents it from doing much server-side
execution, is there a problem with generating replica files willy-nilly and
then deleting them? I.e., running ipa-replica-prepare for each server
deployed, but simply deleting the .gpg file for all servers except those
being deployed as FreeIPA slave/peer(s).
Regardless, taking a step back from specific implementation details, is the
general idea sound? Beyond generating replica files, must there be any
other communication between the master server and the other slave/peer(s)?
E.g., the master must make updates to LDAP/Kerberos/etc. as part of
generating the replica file.
Many thanks for the product, and the support!
Freeipa-users mailing list
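One way to wire the replica-file generation into a kickstart post-install stage, as an added example that is neither the poster's nor the FreeIPA project's own code: it runs ipa-replica-prepare only for hosts on a designated replica list, so no replica files are created for ordinary hosts, and it overwrites and removes the file once the new replica has fetched it, since that file holds the credentials a new replica needs (encrypted with the Directory Manager password). The host list REPLICA_HOSTS, the REPLICA_DIR default and the IPA_REPLICA_PREPARE override are assumptions for illustration; /var/lib/ipa/replica-info-<fqdn>.gpg is the path ipa-replica-prepare writes.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeIPA project.
# Gate ipa-replica-prepare on a list of designated replica hosts and
# shred the replica-info file after it has been handed to the new replica.

# Assumed: hosts allowed to become FreeIPA replicas (constructed sample list).
REPLICA_HOSTS="${REPLICA_HOSTS:-ipa2.example.com ipa3.example.com}"
# Directory where ipa-replica-prepare writes replica-info-<fqdn>.gpg.
REPLICA_DIR="${REPLICA_DIR:-/var/lib/ipa}"
# Command that generates the file. Overridable so the gating logic can be
# exercised without a FreeIPA master present. For a non-interactive run
# ipa-replica-prepare needs the Directory Manager password (-p/--password);
# feed it from a root-only file rather than putting it on the command line.
IPA_REPLICA_PREPARE="${IPA_REPLICA_PREPARE:-ipa-replica-prepare}"

# is_replica_host FQDN -> returns 0 if FQDN is in REPLICA_HOSTS.
is_replica_host() {
    for h in $REPLICA_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# replica_info_path FQDN -> prints the path ipa-replica-prepare produces.
replica_info_path() {
    printf '%s/replica-info-%s.gpg\n' "$REPLICA_DIR" "$1"
}

# prepare_replica FQDN: generate the replica file only for designated hosts.
# Returns 2 (and creates nothing) for any other host, 1 if generation fails,
# and prints the file path on success.
prepare_replica() {
    fqdn="$1"
    if ! is_replica_host "$fqdn"; then
        return 2   # not a replica: nothing generated, nothing to delete
    fi
    "$IPA_REPLICA_PREPARE" "$fqdn" || return 1
    out="$(replica_info_path "$fqdn")"
    chmod 0600 "$out"   # keep the file root-only while it waits to be fetched
    printf '%s\n' "$out"
}

# discard_replica_file FQDN: overwrite and remove the file once the replica
# has fetched it, so a copy does not linger on the kickstart host.
discard_replica_file() {
    f="$(replica_info_path "$1")"
    [ -f "$f" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$f"
    else
        rm -f "$f"
    fi
}
```

A kickstart %post stage would call prepare_replica "$(hostname -f)" on the master side and discard_replica_file once the replica's ipa-replica-install has consumed the file; hosts not on the list exit with status 2 before anything touches the master.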