On 02/08/2022 14:32, lol lol via FreeIPA-users wrote:
> Hello, I'd like to run IPA server in a vm and at the same time use the host OS
> as an IPA client for a uniform set-up of DNS, NTP, SSO etc across the board.

I do this, with libvirt. Host is RHEL 8, there are actually two guests at the moment, RHEL 8 and RHEL 9. Haven't gotten around to killing the RHEL 8 server off yet... :)

I've not had any problems with this setup, only downside is as Mathias reported, it takes a little while after the guest boots up before the servers finish booting. During this time you should still be able to log in with password authentication, assuming sssd has already cached the password of your IPA user.

(If you have a replica then it shouldn't matter, unless all your IPA servers are down) :)

The networking setup I use is to connect the host's ethernet interface to a bridge, to which the two servers are also attached. i.e., as far as the client is concerned, the servers are perfectly normal hosts on my LAN.

Regarding NTP, I point both host and guests to external NTP servers, since as of RHEL 8 FreeIPA no longer configures the IPA servers to run NTP.

If you're using libvirt on EL, it's worth tweaking your setup so that the VMs start at boot (I use 'virsh autostart' on the guests and set ON_BOOT=ignore) and so that they are powered off when you shut the host down (ON_SHUTDOWN=shutdown). I prefer this to having the libvirt-guests service try to suspend on shutdown and restore at boot, or anything like that. There are some other settings in there regarding how long to wait for guests to shut down before killing them, I haven't needed to set them as the default timeout seems fine.

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9