On 08/20/2014 05:24 PM, Rich Megginson wrote: > On 08/20/2014 09:18 AM, Baird, Josh wrote: >> Hi, >> >> We are attempting to run ipa-client-install in the %post section of a >> Kickstart in order to join the host to an IPA domain (3.3/RHEL7 IdM). We are >> using something like: >> >> /usr/sbin/ipa-client-install -w 'one-time-password' --realm=REALM.COM -U >> --no-ssh --no-sshd --no-ntp --domain=realm.com >> >> The machine does indeed join the domain correctly, but the certmonger request >> fails. Looking at the logs, we can see this: >> >> 2014-08-19T15:02:45Z DEBUG Starting external process >> 2014-08-19T15:02:45Z DEBUG args=/bin/systemctl is-active certmonger.service >> 2014-08-19T15:02:45Z DEBUG Process finished, return code=0 >> 2014-08-19T15:02:45Z DEBUG stdout= >> 2014-08-19T15:02:45Z DEBUG stderr=Running in chroot, ignoring request. >> >> The error is occurring because the certmonger service fails to start. This >> is because systemd is not able to manipulate services in a chrooted >> environment (ala the anaconda installation environment). Prior to systemd, >> this would work fine as services could start normally via init in a >> chroot/%post. >> >> Additionally, we see the error: >> >> Unable to find 'admin' user with 'getent passwd ad...@domain.com' >> >> Again, this is because systemd is unable to start sssd in the chrooted >> installation environment. I'm wondering if anyone else has experienced these >> issues with systemd unable to start these required services during >> installation and what you did to work around them. One option would be to >> move the ipa-client-install out of Kickstart and have Puppet join the host to >> the domain post-installation (after firstboot), but this isn't really ideal. >> >> Any advice or suggestions would be appreciated. > > Create a file that is run at boot, presumably after networking and certmonger > are started.
What I saw as the common approach in OpenStack or other projects are scripts and configurations for Cloud-init [1]. Are there people using it for this purpose or are there other (better) approaches? [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html/End_User_Guide/user-data.html Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project