Use case:
Suggested solution:
a. Create a command to create a client stash file that would save keys needed for the recovery.
b. Add a mode to the install to configure client using the stash file.
Reason:
The reason is that the client is rebuilt without needing the key regeneration. When you have diskless clients that boot in seconds and you can have thousands of those launched in bursts, you do not want them to re-register and re-generate the keys. You want to recover them to the same state the image was in before the reboot.
This sounds to me like ipa-backup and ipa-restore, just for clients.
By keys you mean a Kerberos keytab? There may also be other "keys", like a client certificate private key or other certificate private keys tracked by certmonger. Should those be backed up to the stash as well?
What about service configuration? Should the new mode also configure the client services as during standard ipa-client-install or should the stash include the generated service configuration?
Replying to [comment:2 mkosek]:
Sort of
Yes, this is why I said "keys". Keytab + certs tracked by certmonger. As for the services, probably yes if possible, but I am not sure how to detect what they are and whether there are any. If we can list provisioned services for this host then yes.
Yes if we can.
And SSH keys.
MAC addresses, TPM ids:
3.5 for now but might be deferred till next release
Slightly related to #4895. However, FreeIPA 4.2 was already shaped (see the [[milestone:FreeIPA 4.2]] milestone), so this does not fit. Pushing out.
If anyone is willing to help and contribute to this one, please let us know!
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: Ticket Backlog
Closing as duplicate of https://fedorahosted.org/freeipa/ticket/3374
Design page: http://freeipa.org/page/V3/Client_install_using_keytab
Metadata Update from @rcritten: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)