Description of problem:
We have a team which runs many build jobs in AWS that provision hosts, register to RedHat IdM/freeIPA, run a task, then terminate the EC2. They do their best to always de-register hosts before terminating, but when build jobs are aborted or fail mid-run, we often end up having to manually terminate the EC2s. The same is true in rare cases when hosts become corrupted or unreachable. If there was a way that the ephemeral hosts could enroll with a way to indicate that the hosts should expire after a set amount of time, then it would help the admins with the regular maintenance and cleanup of expired hosts.
Version-Release number of selected component (if applicable):
There is already a krbPrincipalExpiration attribute that defines the time after which the principal is not active anymore.
It can be modified on the host entries manually, by setting the time in Zulu format (YYYYMMDDHHmmZ):
ipa host-mod foo.bar.z --setattr krbprincipalexpiration=202009290000Z
this would set host/foo.bar.z principal to expire on 00:00 of 2020/09/29 in UTC timezone
Unfortunately, the IPA CLI does not allow searching by the principal expiration in the host-find or service-find commands.
Since this attribute is not set by default for hosts, it can then be used in cleanup scripts with LDAP searches to match hosts with an explicitly set expiration.
For example, I have a host 'client.ipa.test' on which I set krbPrincipalExpiration to 00:00 of 2020/09/29 in UTC timezone:
# ipa host-mod client.ipa.test --setattr krbprincipalexpiration=202009290000Z
Modified host "client.ipa.test"
Host name: client.ipa.test
Operating system: 5.7.17-200.fc32.x86_64
Principal name: host/client.ipa.test@IPA.TEST
Principal alias: host/client.ipa.test@IPA.TEST
SSH public key fingerprint: SHA256:MmZwEvtbk+JmTij6kU1twCTEZKGgaijyKGNZx9+CNuk email@example.com (ssh-dss), SHA256:wHymevFCzMOM2izMawZ+U+5enECUaxjGTuw31uWfPTs firstname.lastname@example.org (ssh-rsa),
SHA256:qAGO0Yweyh0hxlpNyO/cUYJjiVACndL3+0gZNt9xLeo email@example.com (ecdsa-sha2-nistp256), SHA256:I1V7/xsYjxUqeupQuD6NrWoH9hLCAAFw8AqU31yPA34 firstname.lastname@example.org (ssh-ed25519)
Managed by: client.ipa.test
The search below would match only those hosts that have expiration time between 00:00 of 2020/09/23 and 00:00 of 2020/10/01 in UTC timezone:
# ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=ipa,dc=test '(&(objectclass=ipaHost)(&(krbprincipalexpiration<=202010010000Z)(krbprincipalexpiration>=202009230000Z)))' fqdn
SASL/GSSAPI authentication started
SASL username: admin@IPA.TEST
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
# base <cn=computers,cn=accounts,dc=ipa,dc=test> with scope subtree
# filter: (&(objectclass=ipaHost)(&(krbprincipalexpiration<=202010010000Z)(krbprincipalexpiration>=202009230000Z)))
# requesting: fqdn
# client.ipa.test, computers, accounts, ipa.test
# search result
result: 0 Success
# numResponses: 2
# numEntries: 1
Let me know if this helps to define a workaround for the time being.
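The following Python script is an added illustration of the cleanup approach described above (set krbPrincipalExpiration at enrollment time, then periodically search for hosts whose expiration has passed); it is not code from the bug report or from FreeIPA itself. It builds the same LDAP filter shown in the ldapsearch example, parses the LDIF that ldapsearch prints, and lists the hosts whose principal has expired. The LDIF entries below are constructed sample data, the `grace` window and the `expiration_for_build` helper are this example's own additions, and the script only returns the `ipa host-del` commands as strings rather than running them, so an operator can review the list before acting on it.

```python
from datetime import datetime, timedelta, timezone

# Generalized-time format used by krbPrincipalExpiration (Zulu, minute precision),
# as in the page's example value 202009290000Z.
GT_FORMAT = "%Y%m%d%H%MZ"


def to_zulu(dt):
    """Render an aware datetime as YYYYMMDDHHmmZ in UTC."""
    return dt.astimezone(timezone.utc).strftime(GT_FORMAT)


def from_zulu(value):
    """Parse a YYYYMMDDHHmmZ attribute value into an aware UTC datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def expiration_for_build(now, ttl):
    """Value to pass to `ipa host-mod ... --setattr krbprincipalexpiration=` when
    enrolling an ephemeral build host that should be considered dead after `ttl`."""
    return to_zulu(now + ttl)


def expiration_filter(start, end):
    """LDAP filter matching enrolled hosts whose principal expires within [start, end].
    Hosts without an explicit krbPrincipalExpiration never match."""
    return ("(&(objectclass=ipaHost)(&(krbprincipalexpiration<=%s)"
            "(krbprincipalexpiration>=%s)))" % (to_zulu(end), to_zulu(start)))


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of entries, each a dict mapping the
    lower-cased attribute name to a list of values. Comment lines are skipped and
    folded continuation lines (leading space) are re-joined."""
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(": ")
        last_attr = attr.lower()
        current.setdefault(last_attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def expired_hosts(entries, now, grace=timedelta(0)):
    """Return sorted (fqdn, expiration) pairs for hosts whose expiration plus an
    optional grace period lies at or before `now`. Entries with no explicit
    expiration are left alone, so permanent hosts are never selected."""
    result = []
    for entry in entries:
        values = entry.get("krbprincipalexpiration")
        if not values:
            continue
        when = from_zulu(values[0])
        if when + grace <= now:
            result.append((entry["fqdn"][0], when))
    return sorted(result)


def cleanup_commands(expired):
    """Commands an operator would run to remove the expired host entries."""
    return ["ipa host-del %s" % fqdn for fqdn, _ in expired]


# Constructed sample output, in the shape ldapsearch prints when asked for
# fqdn and krbPrincipalExpiration under cn=computers,cn=accounts,dc=ipa,dc=test.
SAMPLE_LDIF = """\
# extended LDIF
dn: fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test
fqdn: client.ipa.test
krbPrincipalExpiration: 202009290000Z

dn: fqdn=build-01.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test
fqdn: build-01.ipa.test
krbPrincipalExpiration: 202010020000Z

dn: fqdn=permanent.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test
fqdn: permanent.ipa.test
"""


if __name__ == "__main__":
    now = from_zulu("202010010000Z")
    print("enroll-time value for a 4h build:", expiration_for_build(now, timedelta(hours=4)))
    print("search filter:", expiration_filter(now - timedelta(days=30), now))
    for cmd in cleanup_commands(expired_hosts(parse_ldif(SAMPLE_LDIF), now)):
        print(cmd)
```

In a real cron job the LDIF would come from `ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=ipa,dc=test '<filter>' fqdn krbPrincipalExpiration` with the filter produced by `expiration_filter`, and the lower bound of the window keeps the search from returning every host that ever expired; the grace period avoids deleting a host whose build is merely running late.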
I would assume that the hosts that belong to a specific environment can be easily put into a host group.
So then we can have a script or a system role/playbook to reset all the hosts in a specific group making all of them ready for re-enrollment. But this solves the problem of re-enrollment of the same hosts. If we are talking about dead bodies that need cleanup then yes, an attribute with time stamp and some periodic cleanup should solve the problem.
This is a regular request.
Thanks for the help, cu closed the case.