Category Archives: FreeIPA

Standing up OpenStack with FreeIPA and TLS Everywhere using TripleO-Quickstart

UPDATE: 24-May-2017

The three reviews[3] mentioned in the original post have merged and this feature is now part of OOOQ/OOOQ-E. I have updated the deployment script[10] on GitHub for your convenience.

Original Post:

Over the past month, I have been working with TripleO-Quickstart (OOOQ)[1] and TripleO-Quickstart-Extras (OOOQ-E)[2] to automate the deployment of a FreeIPA server and enable TLS Everywhere. There three reviews[3] on review.openstack.org that comprise the majority of my work. All of this is coming to a head after many, many months of work from my teammates Ozz[4], Rob[5], and Ade[6] who put together all the leg work in relevant libraries and communities. Without their effort and headaches, this wouldn’t be possible.

Automating this process is a big deal. Once this it is streamlined this will allow for greatly expanding the security and compliance coverage throughout OpenStack CI. Needless to say, I am pretty excited to be working on this topic. Without any further ado, here is the present workflow to conduct a deployment:

Assumptions:

  1. One machine is set up[7] as the controller from which you will call OOOQ to conduct the deployment. I am deploying from a ThinkPad T450S running Fedora 24.
  2. Once machine, referred to as the virthost, 1 quad core CPU, 24GB of memory, and 160 GB of free space. Running with fewer resources is possible but not tested, and will likely result in difficult errors difficult to diagnose.

Preparing Our Environment To deploy:

The first thing we need to do is pull down the OOOQ and OOOQ-E repositories.

cd ~/git

git clone https://github.com/openstack/tripleo-quickstart

git clone https://github.com/openstack/tripleo-quickstart-extras

Next we have to pull down the two reviews required to run the code that hasn’t been merged yet.

cd ~/git/tripleo-quickstart

git fetch https://git.openstack.org/openstack/tripleo-quickstart refs/changes/23/453223/17 && git checkout FETCH_HEAD

cd ~/git/tripleo-quickstart-extras

git fetch https://git.openstack.org/openstack/tripleo-quickstart-extras refs/changes/98/436198/18 && git checkout FETCH_HEAD

In order to ensure that we use our local version of OOOQ-E, we must modify tripleo-quickstart/quickstart-extras-requirements.txt to the repo on our file system.

cd ~/git/tripleo-quickstart

sed -e ‘s/.*#/file:\/\/\/~\/git\/tripleo-quickstart-extras\/#/’ quickstart-extras-requirements.txt

Now, let’s go ahead and create a special working directory to house our deployment data, artifacts, and keep our modified repos clean in the process.

export WORKING_DIR=~/.quickstart-freeipa

mkdir $WORKING_DIR

cp -rf ~/git/tripleo-quickstart $WORKING_DIR

At this point we are ready to deploy. The only thing we have to do is ensure that we can ssh into our virthost from the controller as root. This is a requirement for Ansible.

Deployment:

cd ~/git/tripleo-quickstart

export VIRTHOST=<your virthost’s IP or FQDN>

bash quickstart.sh \

–bootstrap \

–ansible-debug \

–no-clone \

–playbook quickstart-extras.yml \

–working-dir $WORKING_DIR \

–release master \

–config $WORKING_DIR/config/general_config/ipa.yml \

–nodes $WORKING_DIR/config/nodes/1ctlr_1comp_1supp.yml \

–tags “all” \

$VIRTHOST

After calling quickstart.sh, you will see OOOQ take over and begin installing all the necessary libraries for deployment. After completing it’s environment preparations, it will call the Ansible playbook, quickstart-extras.yml[7]. Pay close attention to the two config files we are explicitly using, ipa.yml[8] and 1ctlr_1comp_1supp.yml[9]. These two configuration files specify how OOOQ deploys a single compute, control, and supplemental node (housing the FreeIPA server), as well as sets all of the various flags needed for the FreeIPA server and enabling TLS Everywhere.

The deployment itself should take around two hours to complete. While we are adding some additional time fetching the Centos image, provisioning the supplemental node, and deploying the FreeIPA server itself — the majority of the deployment time still lands on installing the undercloud and deploying the overcloud.

After deployment has completed — you have full access to the undercloud:

ssh -F $WORKING_DIR/ssh.config.ansible undercloud

as well as the supplemental node which is running the FreeIPA server:

ssh -F $WORKING_DIR/ssh.config.ansible supplemental

Please note that a log of the FreeIPA server deployment can be located on the supplemental node at ~/deploy_freeipa.log. The IPA server admin password can be located in either the Ansible logs (look for freeipa_admin_password) or in the deployment script ~/deploy_freeipa.sh (look for CA_ADMIN_PASSWORD).

Afterthoughts:

Once the reviews[3] have merged, this process will be come much simpler. In the meantime, I have a created a simple bash script[10] which automates all of the above steps requiring only a single parameter, the virthost.

git clone https://gist.github.com/6cf1e6bc32085dd358365f44267f7188.git

chmod +x ./6cf1e6bc32085dd358365f44267f7188/run_oooq_with_ipa.sh

./6cf1e6bc32085dd358365f44267f7188/run_oooq_with_ipa.sh <your virthost’s IP or FQDN>

Relevant Links:

[1] – https://github.com/openstack/tripleo-quickstart

[2] – https://github.com/openstack/tripleo-quickstart-extras

[3] – https://review.openstack.org/#/q/topic:bug/1662923

[4] – http://jaormx.github.io/

[5] – https://blog-rcritten.rhcloud.com/

[6] – https://vakwetu.wordpress.com/

[7] – https://github.com/openstack/tripleo-quickstart/blob/master/playbooks/quickstart-extras.yml

[8] – https://review.openstack.org/#/c/451523/27/config/general_config/ipa.yml

[9] – https://review.openstack.org/#/c/451523/27/config/nodes/1ctlr_1comp_1supp.yml

[10] – https://gist.github.com/HarryRybacki/6cf1e6bc32085dd358365f44267f7188