Two projects that I'm really loving at the moment are The Foreman and FreeIPA.
The Foreman is a lifecycle management tool for physical and virtual servers (think Cobbler on PCP), and FreeIPA provides central authentication: directory services, Kerberos, policy enforcement and a PKI infrastructure.
Why not glue them together? This is my first attempt, and it's all a bit manual and unpolished. There's an effort to get this integration into the Foreman Smart Proxy itself.
End Goal: Users can login to the Foreman using FreeIPA credentials. Individual access rights still need to be granted in the Foreman GUI itself, though.
Based on the FreeIPA Ejabberd Integration Guide
Create a foreman.ldif file, replacing dc=bitbin,dc=de with your DN, and providing an appropriately secure password:
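The author's foreman.ldif is not reproduced here. The following is an added example, not the author's file, of how the FreeIPA system-account pattern from the ejabberd guide (an entry under cn=sysaccounts,cn=etc) can be generated and loaded from a shell script. BASE_DN, IPA_SERVER and the account name foreman_ldap are placeholders; the password is read from a file rather than typed on a command line, and written base64-encoded in the LDIF so spaces or colons in it cannot break the file.

```shell
#!/bin/sh
# Added example, not the author's foreman.ldif: build the LDIF for a FreeIPA system
# account (the cn=sysaccounts,cn=etc pattern from the FreeIPA ejabberd guide) that the
# Foreman binds as when searching LDAP. BASE_DN, IPA_SERVER and the account name are
# placeholders; the password is read from a file so it never appears on a command line.
set -u

BASE_DN="${BASE_DN:-dc=example,dc=test}"      # your suffix, e.g. dc=bitbin,dc=de
IPA_SERVER="${IPA_SERVER:-ipa.example.test}"

# Minimum length only; generate the password rather than choosing it by hand.
check_password() {
    [ "${#1}" -ge 16 ]
}

# The DN the Foreman LDAP source binds with.
bind_dn() {
    echo "uid=$1,cn=sysaccounts,cn=etc,$BASE_DN"
}

# Emit the LDIF. The password is written base64-encoded ("userPassword::"), which is
# how LDIF carries values that may contain spaces, colons or non-ASCII bytes.
# passwordExpirationTime far in the future and nsIdleTimeout 0 stop the directory
# from expiring the bind account or dropping its idle connections.
system_account_ldif() {
    uid="$1"; password="$2"
    encoded=$(printf '%s' "$password" | base64 | tr -d '\n')
    printf '%s\n' \
        "dn: $(bind_dn "$uid")" \
        "changetype: add" \
        "objectclass: account" \
        "objectclass: simplesecurityobject" \
        "uid: $uid" \
        "userPassword:: $encoded" \
        "passwordExpirationTime: 20380119031407Z" \
        "nsIdleTimeout: 0"
}

# Write the LDIF with owner-only permissions and load it as Directory Manager over
# LDAPS; ldapmodify -W prompts for the Directory Manager password.
create_account() {
    uid="$1"; password_file="$2"
    password=$(cat "$password_file")
    check_password "$password" || { echo "password too short" >&2; return 1; }
    umask 077
    system_account_ldif "$uid" "$password" > foreman.ldif
    ldapmodify -x -H "ldaps://$IPA_SERVER" -D "cn=Directory Manager" -W -f foreman.ldif
}

# Usage: create_account foreman_ldap /root/foreman-ldap.pw
```

The DN printed by bind_dn is what goes into the account field of the Foreman LDAP source, together with the same password; delete foreman.ldif once it has been loaded, since it carries the bind password.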
Now log in to the Foreman as an Admin and click on "LDAP Authentication" under More/Users. Then click New LDAP Source and fill in the details, changing the DNs where appropriate to your own domain:
# This disables the CRL. I need to fix this at a
# later time
certificate_revocation = false
In [master], change:
ca = false
Restart httpd (Foreman-configured Puppet runs in Passenger):
# service httpd restart
Browse to the Foreman and you should see it using the new SSL certificates signed by your IPA CA. Ideally, import the IPA ca.crt into the trust store on your local box so your browser trusts it.
The idea here is that when the Foreman creates a machine it is automatically registered to FreeIPA with a one-time password, and when it is later deleted in the Foreman it is removed from FreeIPA too. Hosts also get an SSL certificate signed by the FreeIPA server to talk to Puppet. The flow looks like this:
Creating IPA User with Right Permissions
A previous version of this guide called this user "foreman" - don't do that, it'll interfere with upgrading later, as the RPM packaging expects to use a local user named "foreman."
Create the user:
# kinit admin
Password for admin@BITBIN.DE:
# ipa user-add --first="The" --last="Foreman" foreman_reg \
    --password
Password:
Enter Password again to verify:
--------------------
Added user "foreman_reg"
--------------------
We need to modify the Host Enrollment role to allow the Foreman user to add brand new hosts and delete them too, so the Foreman can completely manage the machine lifecycle.
[root@gatebuilder ~]# kinit foreman_reg
Password for foreman_reg@BITBIN.DE:
Password expired. You must change it now.
Enter new password:
Enter it again:
# Are we using IPA as the CA?
CREATE_SERVICE_PRINCIPAL=true
# Allow Foreman to delete hosts from IPA
PREVENT_DELETING_HOSTS=false
# Hostname of an IPA server
IPA_SERVER="astriaporta.bitbin.de"
# User with appropriate permissions
IPA_USER="registration"
IPA_PASS="password"
# Foreman API User/Password
FOREMAN_USER="apiuser"
FOREMAN_PASS="apipass"
Put 10_integrate_freeipa.sh into /usr/share/foreman/config/hooks/host/managed/create and symlink it into the destroy and after_commit directories next to it:
Restart foreman to get it to notice the new hooks:
# service foreman restart
# service httpd restart
Check /var/log/foreman/production.log to confirm the hooks were registered:
Finished registering 1 hooks for Host::Managed#destroy
Finished registering 1 hooks for Host::Managed#after_commit
Finished registering 1 hooks for Host::Managed#create
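The body of 10_integrate_freeipa.sh is not on this page, so here is an added example hook, not the author's script, that does the work the settings header above describes: on create it adds the host to IPA with a random one-time password and creates the puppet/<fqdn> service principal, on destroy it removes the host unless PREVENT_DELETING_HOSTS is set. It assumes foreman_hooks runs the script as "<script> <event> <hostname>" with the host JSON on stdin, and that the Foreman API accepts POST /api/hosts/<name>/parameters for setting the ipa_onetime host parameter; both are assumptions to check against your Foreman version. All hostnames, URLs and credentials are placeholders.

```shell
#!/bin/sh
# Added example hook script, not the guide's own 10_integrate_freeipa.sh. It assumes
# foreman_hooks runs it as "<script> <event> <hostname>" (host JSON on stdin, unused)
# and that the Foreman API accepts POST /api/hosts/<name>/parameters; both are
# assumptions to check against your Foreman version.
set -u

# Same settings as the guide's header; all values here are placeholders.
IPA_USER="${IPA_USER:-registration}"
IPA_PASS="${IPA_PASS:-changeme}"
CREATE_SERVICE_PRINCIPAL="${CREATE_SERVICE_PRINCIPAL:-true}"
PREVENT_DELETING_HOSTS="${PREVENT_DELETING_HOSTS:-false}"
FOREMAN_URL="${FOREMAN_URL:-https://foreman.example.test}"
FOREMAN_USER="${FOREMAN_USER:-apiuser}"
FOREMAN_PASS="${FOREMAN_PASS:-apipass}"
IPA_CMD="${IPA_CMD:-ipa}"   # set IPA_CMD=echo for a dry run

# Accept only a plausible lowercase FQDN, so a host name typed into the Foreman
# cannot smuggle extra options or shell metacharacters into the ipa command line.
valid_fqdn() {
    case "$1" in
        ''|*[!a-z0-9.-]*|-*|.*|*.|*..*|*.-*|*-.*) return 1 ;;
    esac
    return 0
}

# Map a hook event to an action; destroy is honoured only when deletion is allowed.
plan_action() {
    case "$1" in
        create) echo enroll ;;
        destroy)
            if [ "$PREVENT_DELETING_HOSTS" = true ]; then echo skip; else echo unenroll; fi ;;
        *) echo skip ;;
    esac
}

# Obtain a ticket for the registration account. A keytab (kinit -kt) would avoid
# keeping the password in this file at all.
ipa_login() {
    printf '%s\n' "$IPA_PASS" | kinit "$IPA_USER" >/dev/null
}

# Create the host entry with a random one-time password and, when IPA is the CA,
# the puppet/<fqdn> service principal that ipa-getcert -K later requests a cert for.
# Prints the OTP; 'ipa host-add --random' reports it as "Random password: ...".
enroll_host() {
    fqdn="$1"
    otp=$("$IPA_CMD" host-add --random "$fqdn" | sed -n 's/^ *Random password: *//p')
    [ -n "$otp" ] || return 1
    if [ "$CREATE_SERVICE_PRINCIPAL" = true ]; then
        "$IPA_CMD" service-add "puppet/$fqdn" >/dev/null || return 1
    fi
    echo "$otp"
}

# Store the OTP as the host parameter the template reads via @host.params['ipa_onetime'].
# TLS is verified against the IPA CA that now signs the Foreman's certificate; moving
# the API credentials to a --netrc file would keep them out of the process list.
set_otp_param() {
    fqdn="$1"; otp="$2"
    curl -sS --cacert /etc/ipa/ca.crt -u "$FOREMAN_USER:$FOREMAN_PASS" \
        -H 'Content-Type: application/json' -X POST \
        "$FOREMAN_URL/api/hosts/$fqdn/parameters" \
        -d "{\"parameter\":{\"name\":\"ipa_onetime\",\"value\":\"$otp\"}}" >/dev/null
}

# Remove the host entry; its keytab and service principals go with it.
unenroll_host() {
    "$IPA_CMD" host-del "$1" >/dev/null
}

main() {
    event="$1"; fqdn="$2"
    valid_fqdn "$fqdn" || { echo "refusing suspicious host name: $fqdn" >&2; return 1; }
    case "$(plan_action "$event")" in
        enroll)
            ipa_login || return 1
            otp=$(enroll_host "$fqdn") || return 1
            set_otp_param "$fqdn" "$otp" ;;
        unenroll)
            ipa_login || return 1
            unenroll_host "$fqdn" ;;
        *) : ;;
    esac
}

# foreman_hooks always passes event and host name; run only when invoked that way.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Because the same file is symlinked into create, destroy and after_commit, the event name in $1 is what selects the action; after_commit falls through to skip. Running it by hand with IPA_CMD=echo shows the ipa commands it would issue without touching the directory.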
The last step is integrating into your provisioning template. You'll need to get ipa-client into your packages list and remove the Foreman's own Puppet registration snippet from the template. I have a snippet that looks like this:
# Register to IPA, two times
# in case of https://fedorahosted.org/freeipa/ticket/3377
ipa-client-install --mkhomedir -w <%= @host.params['ipa_onetime'] %> -f -U
ipa-client-install --mkhomedir -w <%= @host.params['ipa_onetime'] %> -f -U
# Make Puppet Certificate Directories
mkdir -p /var/lib/puppet/ssl/{private_keys,certs}
# Generate IPA Certificate
ipa-getcert request -K puppet/<%= @host.name %> -D <%= @host.name %> \
    -k /var/lib/puppet/ssl/private_keys/<%= @host.name %>.pem \
    -f /var/lib/puppet/ssl/certs/<%= @host.name %>.pem
# Workaround for "stack too deep" problem
# http://projects.puppetlabs.com/issues/21869
cp /etc/ipa/ca.crt /var/lib/puppet/ssl/certs/ca.pem
# Quote the delimiter so the shell leaves $vardir and $confdir for Puppet to expand
cat <<'EOF' > /etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
ssldir = /var/lib/puppet/ssl
server = <%= @host.puppetmaster %>
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
certificate_revocation = false
certname = <%= @host.name %>
EOF
puppet agent --test
chkconfig puppet on
When the machine boots it will use one-time password authentication with FreeIPA and grab an SSL certificate for use with Puppet. As a bonus, when you delete the machine in the Foreman it gets deleted in IPA too.