On 08/20/2014 05:24 PM, Rich Megginson wrote:
> On 08/20/2014 09:18 AM, Baird, Josh wrote:
>> Hi,
>> We are attempting to run ipa-client-install in the %post section of a
>> Kickstart in order to join the host to an IPA domain (3.3/RHEL7 IdM).  We are
>> using something like:
>> /usr/sbin/ipa-client-install -w 'one-time-password' --realm=REALM.COM -U
>> --no-ssh --no-sshd --no-ntp --domain=realm.com
>> The machine does indeed join the domain correctly, but the certmonger request
>> fails.  Looking at the logs, we can see this:
>> 2014-08-19T15:02:45Z DEBUG Starting external process
>> 2014-08-19T15:02:45Z DEBUG args=/bin/systemctl is-active certmonger.service
>> 2014-08-19T15:02:45Z DEBUG Process finished, return code=0
>> 2014-08-19T15:02:45Z DEBUG stdout=
>> 2014-08-19T15:02:45Z DEBUG stderr=Running in chroot, ignoring request.
>> The error is occurring because the certmonger service fails to start.  This
>> is because systemd is not able to manipulate services in a chrooted
>> environment (à la the anaconda installation environment).  Prior to systemd,
>> this would work fine as services could start normally via init in a
>> chroot/%post.
>> Additionally, we see the error:
>> Unable to find 'admin' user with 'getent passwd ad...@domain.com'
>> Again, this is because systemd is unable to start sssd in the chrooted
>> installation environment.  I'm wondering if anyone else has experienced these
>> issues with systemd unable to start these required services during
>> installation and what you did to work around them.  One option would be to
>> move the ipa-client-install out of Kickstart and have Puppet join the host to
>> the domain post-installation (after firstboot), but this isn't really ideal.
>> Any advice or suggestions would be appreciated.
> Create a file that is run at boot, presumably after networking and certmonger
> are started.

What I saw as the common approach in OpenStack or other projects are scripts
and configurations for Cloud-init [1].

Are there people using it for this purpose or are there other (better) 
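
Rich Megginson's suggestion quoted above (a file that runs at boot, after networking and certmonger are started), written out as an added example that is not part of the original thread. It reuses the `ipa-client-install` options from the original post; the unit name `ipa-enroll.service`, the file `/etc/ipa-enroll.env` and the `root` prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: call from Kickstart %post. It only writes files, so nothing
# has to be started by systemd inside the installer chroot.
# Usage in %post:  write_firstboot_enroll "" 'one-time-password'
write_firstboot_enroll() {
    root=$1 otp=$2                        # root: hypothetical prefix, "" on a real install
    unit_dir="$root/etc/systemd/system"
    wants_dir="$unit_dir/multi-user.target.wants"
    env_file="$root/etc/ipa-enroll.env"   # hypothetical path for the one-time password
    mkdir -p "$wants_dir"

    # Keep the one-time password readable by root only.
    ( umask 077; printf 'IPA_OTP=%s\n' "$otp" > "$env_file" )
    chmod 600 "$env_file"

    cat > "$unit_dir/ipa-enroll.service" <<'EOF'
[Unit]
Description=Join the IPA domain on first boot (added example)
Wants=network-online.target certmonger.service
After=network-online.target certmonger.service
ConditionPathExists=/etc/ipa-enroll.env

[Service]
Type=oneshot
EnvironmentFile=/etc/ipa-enroll.env
ExecStart=/usr/sbin/ipa-client-install -w ${IPA_OTP} --realm=REALM.COM -U --no-ssh --no-sshd --no-ntp --domain=realm.com
ExecStartPost=/bin/rm -f /etc/ipa-enroll.env

[Install]
WantedBy=multi-user.target
EOF
    # Enable the unit with a symlink; no running systemd is needed for this.
    ln -sf ../ipa-enroll.service "$wants_dir/ipa-enroll.service"
}
```

The password file is removed only after a successful join, so a failed enrollment is retried on the next boot and leaves the one-time password on disk until it succeeds or is cleaned up.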


