We boot everything stateless in our environment and are using FreeIPA for authentication. I started discussing this a while ago but ended up with other things taking priority. The number of machines we have make managing keys an untenable solution so we are using
called from rc.local during boot to rejoin machines to the FreeIPA environment (we will be moving away from --fixed-primary but aren't there yet). While this works it, potentially, exposes a password. I am looking for a better way to handle machines that need to re-join at every boot.
We have access to ansible as well a decent, in house, templating system for configuration. Please forgive my starting this discussion anew and not resurrecting a zombie and thanks in advance for your help!
--
Mark Potter
Senior Linux Administrator