novajoin is a project for OpenStack and IPA integration. It is a service that lets instances created in nova be added to IPA, with a host OTP generated automatically. That OTP is then passed into the instance and used for enrollment during the cloud-init stage.
The end result is that a new instance will seamlessly be enrolled as an IPA client upon first boot.
Additionally, a class can be associated with an instance using Glance metadata so that IPA automember rules automatically assign the new host to the appropriate hostgroups. Once that is done you can set up HBAC and sudo rules to grant the appropriate permissions/capabilities to all hosts in that group.
In short it can simplify administration significantly.
In the current iteration, novajoin consists of two pieces: a REST microservice and an AMQP notification listener.
The REST microservice returns dynamically generated metadata that is added to the information describing a given nova instance. This metadata is available at first boot, and this is how novajoin injects the OTP into the instance for use with ipa-client-install. The framework for this change is being implemented in nova in this review: https://review.openstack.org/317739
The REST server just handles the metadata, cloud-init does the rest. A cloud-init script is provided which glues the two together. It installs the needed packages, retrieves the metadata, then calls ipa-client-install with the requisite options.
The other server is an AMQP listener that identifies when an IPA-enrolled instance is deleted and removes the host from IPA. It may eventually handle floating IP changes as well, automatically updating IPA DNS entries. The open question there is knowing which hostname to assign to the floating IP.
Glance images can have metadata as well which describes the image, such as OS distribution and version. If these have been set then novajoin will include this in the IPA entry it creates.
The basic flow looks something like this:
- Boot an instance in nova. Add IPA metadata, specifying ipa_enroll=True and optionally ipa_hostclass
- The instance boots. During cloud-init it retrieves its metadata
- During metadata retrieval ipa host-add is executed, adding the host to IPA (with any available image metadata) and generating an OTP
- The OTP and FQDN are returned in the metadata
- Our cloud-init script is called to install the IPA client packages and retrieve the OTP and FQDN
- Call ipa-client-install --hostname FQDN --password OTP
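To make the flow (and the cloud-init glue described earlier) concrete, here is an added Python example that is not novajoin's own code. It models both halves: the server side that decides whether to enroll, builds the `ipa host-add` invocation with the host class and image properties, and hands back the OTP plus FQDN; and the client side that turns that metadata into the `ipa-client-install` call the cloud-init script runs. The metadata keys `ipa_enroll` and `ipa_hostclass` come from this post; the Glance property names `os_distro`/`os_version`, their mapping onto `host-add` flags, and all function names are assumptions for the example. Commands are built as argument lists and not executed, so it runs anywhere. One point worth keeping in mind when reading it: the password is a host OTP, so it is consumed by the first successful enrollment and is useless to anyone who reads the metadata afterwards, but until then anything on the instance that can reach the metadata service can read it.

```python
"""Model of the novajoin enrollment flow (added example, not novajoin's code)."""
import secrets
import shlex

# Instance metadata keys from the post.
ENROLL_KEY = "ipa_enroll"
HOSTCLASS_KEY = "ipa_hostclass"

# Assumption: Glance image properties os_distro/os_version are combined into
# the host-add --os value (IPA host entries carry an operating system string).
IMAGE_OS_KEYS = ("os_distro", "os_version")


def wants_enrollment(instance_meta):
    """True when the instance metadata asks for IPA enrollment.

    Nova metadata values are strings, so "True", "true" and "1" all count.
    """
    value = str(instance_meta.get(ENROLL_KEY, "")).strip().lower()
    return value in ("true", "1", "yes")


def generate_otp(nbytes=16):
    """Host OTP for ipa-client-install; must come from a CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def host_add_args(fqdn, otp, instance_meta, image_meta):
    """Argument list for the `ipa host-add` the metadata service would run."""
    # --password sets the host OTP; --force skips the DNS check, because the
    # instance has no A record yet at this point in its life.
    args = ["ipa", "host-add", fqdn, "--password", otp, "--force"]
    hostclass = instance_meta.get(HOSTCLASS_KEY)
    if hostclass:
        # The class attribute is what automember rules key on.
        args += ["--class", hostclass]
    os_string = " ".join(str(image_meta[k]) for k in IMAGE_OS_KEYS if image_meta.get(k))
    if os_string:
        args += ["--os", os_string]
    return args


def enrollment_metadata(instance_name, domain, instance_meta, image_meta, otp=None):
    """Server side: what the REST service returns for one instance.

    Returns None when the instance did not ask to be enrolled, otherwise the
    OTP, the FQDN and the host-add command that registered the host.
    """
    if not wants_enrollment(instance_meta):
        return None
    fqdn = f"{instance_name}.{domain}".lower()
    otp = otp or generate_otp()
    return {
        "hostname": fqdn,
        "otp": otp,
        "host_add": host_add_args(fqdn, otp, instance_meta, image_meta),
    }


def client_install_command(metadata):
    """Client side: the ipa-client-install line the cloud-init script runs."""
    return shlex.join([
        "ipa-client-install",
        "--unattended",  # no prompts during first boot
        "--hostname", metadata["hostname"],
        "--password", metadata["otp"],
    ])


if __name__ == "__main__":
    # Constructed sample input: instance metadata and Glance image properties.
    meta = {"ipa_enroll": "True", "ipa_hostclass": "webserver"}
    image = {"os_distro": "fedora", "os_version": "24"}
    result = enrollment_metadata("web-01", "example.test", meta, image)
    print(shlex.join(result["host_add"]))
    print(client_install_command(result))
```

Everything that reaches the instance is in the returned dictionary; the `host_add` list is only there so you can see which IPA attributes the class and image properties end up in.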
This leaves us with an IPA-enrolled client which can have permissions granted via HBAC and sudo rules (like who is allowed to log into this instance, what sudo commands are allowed, etc).