)]}'
{"deploy-guide/source/features/tls-everywhere-standalone.rst":[{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The environment has two nodes - a node providing the IPA server, and a node "},{"line_number":14,"context_line":"providing the standalone deployment.  The IPA server node can be reused for many"},{"line_number":15,"context_line":"deployments, as long as the CloudDomain is distinct for each deployment."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Note, the instructions in this section relate to TLS everywhere as provided by"},{"line_number":18,"context_line":"the ansible module tripleo-ipa, which means that this is supported by train"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_eb0984dd","line":15,"range":{"start_line":15,"start_character":13,"end_line":15,"end_character":51},"updated":"2020-05-12 16:48:29.000000000","message":"and also each standalone node\u0027s fqdn","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":21,"context_line":"Install the FreeIPA node"},{"line_number":22,"context_line":"------------------------"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Follow the instructions on how to set up an IPA server here. link)"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Configure the Standalone Node"},{"line_number":27,"context_line":"-----------------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_abff8ca8","line":24,"range":{"start_line":24,"start_character":61,"end_line":24,"end_character":65},"updated":"2020-05-12 16:48:29.000000000","message":"link?","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":22,"context_line":"------------------------"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Follow the instructions on how to set up an IPA server here. link)"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Configure the Standalone Node"},{"line_number":27,"context_line":"-----------------------------"},{"line_number":28,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_4b84f00c","line":25,"updated":"2020-05-12 16:48:29.000000000","message":"Here\u0027s some guidance I recommend. The IPA server needs a single interface that can be reached by the standalone node\u0027s external interface. Perhaps describe this using an IPA_SERVER_IP instead of the 192.168.100.5 address.","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":27,"context_line":"-----------------------------"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"For standalone deployments, you should start with a VM with a minimum of 2 vCPU"},{"line_number":30,"context_line":"and 8G memory, preconfigured with Centos 8.1 and a non-root stack user with sudo"},{"line_number":31,"context_line":"privileges.  Make sure the hostname is set correctly and is in /etc/hosts"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"    $ sudo hostnamectl set-hostname standalone.example.com"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_0b62f83e","line":30,"range":{"start_line":30,"start_character":4,"end_line":30,"end_character":7},"updated":"2020-05-12 16:48:29.000000000","message":"4GB is plenty","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"    $ sudo hostnamectl set-hostname standalone.example.com"},{"line_number":34,"context_line":"    $ sudo sed -i \"1i127.0.0.1 standalone.example.com\" /etc/hosts"},{"line_number":35,"context_line":"    $ sudo sed -i \"1i192.168.100.5 ipa.example.com\" /etc/hosts"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The above commands set the IP address of the standalone and ipa nodes at the"},{"line_number":38,"context_line":"top of the hosts file."}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_cb77603a","line":35,"range":{"start_line":35,"start_character":22,"end_line":35,"end_character":35},"updated":"2020-05-12 16:48:29.000000000","message":"$IPA_SERVER_IP","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":44,"context_line":"proper search domain and nameserver in resolv.conf."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"    search example.com"},{"line_number":47,"context_line":"    nameserver $FREEIPA_IP_ADDRESS"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"Install additional packages"},{"line_number":50,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_aba94c7c","line":47,"range":{"start_line":47,"start_character":17,"end_line":47,"end_character":34},"updated":"2020-05-12 16:48:29.000000000","message":"or IPA_SERVER_IP. I don\u0027t care which name, just like seeing the document use a variable.","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":60,"context_line":""},{"line_number":61,"context_line":"The openssl-perl package is installed to provide the directories /etc/pki/CA*."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Also install python3-tripleoclient and do the \"usual\" standalone setup steps as"},{"line_number":64,"context_line":"detailed in \u003cstandalone link\u003e."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Enroll the Standalone node as an IPA client"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_cb2120fe","line":63,"range":{"start_line":63,"start_character":35,"end_line":63,"end_character":76},"updated":"2020-05-12 16:48:29.000000000","message":"To clarify, you must install the tripleoclient prior to enrolling it as an IPA client. This is mainly to ensure you have all the required packages, especially the tripleo-ipa ansible module.\n\nBut you don\u0027t need to do any other standalone \"prep,\" such as creating your deployment env files. Basically, you don\u0027t run any \"openstack tripleo\" commands prior to enrolling with IPA.","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"    export IPA_DOMAIN\u003dexample.com"},{"line_number":77,"context_line":"    export IPA_REALM\u003dEXAMPLE.COM"},{"line_number":78,"context_line":"    export IPA_ADMIN_USER\u003d$IPA_USER"},{"line_number":79,"context_line":"    export IPA_ADMIN_PASSWORD\u003d$IPA_PASSWORD"},{"line_number":80,"context_line":"    export IPA_SERVER_HOSTNAME\u003dipa.example.com"},{"line_number":81,"context_line":"    export UNDERCLOUD_FQDN\u003dstandalone.example.com"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_cbe480af","line":78,"range":{"start_line":78,"start_character":26,"end_line":78,"end_character":35},"updated":"2020-05-12 16:48:29.000000000","message":"This is \"admin\" in the examples I\u0027ve followed. We just need to be sure readers don\u0027t confuse this with the non-root user at L82.","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":79,"context_line":"    export IPA_ADMIN_PASSWORD\u003d$IPA_PASSWORD"},{"line_number":80,"context_line":"    export IPA_SERVER_HOSTNAME\u003dipa.example.com"},{"line_number":81,"context_line":"    export UNDERCLOUD_FQDN\u003dstandalone.example.com"},{"line_number":82,"context_line":"    export USER\u003dstack"},{"line_number":83,"context_line":"    export CLOUD_DOMAIN\u003dexample.com"},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"he FreeIPA user credentials must be an administrative user that can add new"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_eb66a451","line":82,"range":{"start_line":82,"start_character":11,"end_line":82,"end_character":21},"updated":"2020-05-12 16:48:29.000000000","message":"Needs to match the non-root user mentioned on L30","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":95,"context_line":"You should verify that the standalone node was enrolled properly by listing the"},{"line_number":96,"context_line":"hosts in FreeIPA::"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"    $ kinit"},{"line_number":99,"context_line":"    $ ipa host-find"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"You should also confirm that the keytab ``/etc/novajoin/krb5.keytab`` exists."}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_4bea3075","line":98,"range":{"start_line":98,"start_character":6,"end_line":98,"end_character":11},"updated":"2020-05-12 16:48:29.000000000","message":"kinit $IPA_USER","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":97,"context_line":""},{"line_number":98,"context_line":"    $ kinit"},{"line_number":99,"context_line":"    $ ipa host-find"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"You should also confirm that the keytab ``/etc/novajoin/krb5.keytab`` exists."},{"line_number":102,"context_line":"The ``novajoin`` directory name is purely for legacy naming reasons."},{"line_number":103,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_abfaec3e","line":100,"updated":"2020-05-12 16:48:29.000000000","message":"And maybe \"ipa dnsrecord-find example.com\" to check for standalone node\u0027s IP","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":112,"context_line":"    parameter_defaults:"},{"line_number":113,"context_line":"      CloudDomain: example.com"},{"line_number":114,"context_line":"      NeutronDnsDomain: example.com"},{"line_number":115,"context_line":"      CloudName: sacloud.example.com"},{"line_number":116,"context_line":"      CloudNameInternal: sacloud.internalapi.example.com"},{"line_number":117,"context_line":"      CloudNameStorage: sacloud.storage.example.com"},{"line_number":118,"context_line":"      CloudNameStorageManagement: sacloud.storagemgmt.example.com"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_eeed1226","line":115,"range":{"start_line":115,"start_character":17,"end_line":115,"end_character":24},"updated":"2020-05-12 16:48:29.000000000","message":"Maybe just clarify the point that CloudName cannot match the \"standalone\" node name. Here, \"sacloud\" is simply an abbreviation for \"standalone cloud\"","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":120,"context_line":"      AddVipsToEtcHosts: true"},{"line_number":121,"context_line":"      InternalTLSVncProxyCAFile: /etc/pki/CA/certs/vnc-proxy.crt"},{"line_number":122,"context_line":"      IdMDomain: example.com"},{"line_number":123,"context_line":"      IdMServer: freeipa.example.com"},{"line_number":124,"context_line":"      DnsServers:"},{"line_number":125,"context_line":"        - 192.168.100.5"},{"line_number":126,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_ce02ceb4","line":123,"range":{"start_line":123,"start_character":17,"end_line":123,"end_character":24},"updated":"2020-05-12 16:48:29.000000000","message":"Or would it be ipa.example.com (needs to match the instructions they followed when creating the IPA server)","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"0b3fa5da9b2bc8d9e026f03b4a3099d66eaa79b1","unresolved":false,"context_lines":[{"line_number":122,"context_line":"      IdMDomain: example.com"},{"line_number":123,"context_line":"      IdMServer: freeipa.example.com"},{"line_number":124,"context_line":"      DnsServers:"},{"line_number":125,"context_line":"        - 192.168.100.5"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"* The ``DnsServers`` value above assumes we have FreeIPA available at 192.168.100.5."},{"line_number":128,"context_line":"* The ``AddVipsToEtcHosts`` parameter is needed to add the relevant DNS entries to the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff570b3c_8e21f650","line":125,"range":{"start_line":125,"start_character":10,"end_line":125,"end_character":23},"updated":"2020-05-12 16:48:29.000000000","message":"$IPA_SERVER_IP or $FREEIPA_IP_ADDRESS (whichever variable name you choose)\n\nWait, now I see comment at L127","commit_id":"72d200bb00802fed677f1c54005e4588a23f0a7b"},{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"7a9e8116538a5e9e58a895e278b2899285890bca","unresolved":false,"context_lines":[{"line_number":91,"context_line":"services, users and permissions.  Usually, in a standard IPA install, this user"},{"line_number":92,"context_line":"would be \"admin\"."},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"The ``USER`` is the non-root user with sudo privileges on the standalone"},{"line_number":95,"context_line":"node (typically, stack)."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"Next, run the playbook::"},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"ff570b3c_829542e7","line":95,"range":{"start_line":94,"start_character":55,"end_line":95,"end_character":23},"updated":"2020-05-12 22:02:49.000000000","message":"I think it needs to be the non-root user on the IPA server (which happens to also be \u0027stack\u0027 in my sandbox)?","commit_id":"b89a1cfb59a4846468766533e22e284c1fd05945"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"34379869bd1da9952f5f6ef1577137e22c3c2bcb","unresolved":false,"context_lines":[{"line_number":91,"context_line":"services, users and permissions.  Usually, in a standard IPA install, this user"},{"line_number":92,"context_line":"would be \"admin\"."},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"The ``USER`` is the non-root user with sudo privileges on the standalone"},{"line_number":95,"context_line":"node (typically, stack)."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"Next, run the playbook::"},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"ff570b3c_a5121008","line":95,"range":{"start_line":94,"start_character":55,"end_line":95,"end_character":23},"in_reply_to":"ff570b3c_829542e7","updated":"2020-05-12 22:28:43.000000000","message":"Thanks for the comment.  Actually, I think we need to chase this down and probably eliminate it entirely.","commit_id":"b89a1cfb59a4846468766533e22e284c1fd05945"}]}