Installing IPA on a Raspberry Pi 4

Introduction

For years, I have been using IPA in my personal lab to serve as both DNS servers and LDAP servers. But I was always annoyed that I had to take them down whenever I had to perform maintenance on the underlying hypervisors. My old Raspberry Pi 3B+ didn’t have enough RAM (1GB) to act as a dedicated IPA server, but the newer Pi 4 has an option for 4GB of RAM, which is plenty for a lab of my size.

Install Fedora 32 on the Raspberry Pi 4

The first thing we need to do is install an OS on the Raspberry Pi. What follows may be possible on Raspbian or some other OS, but I prefer to use some sort of RPM-based distribution, so we will use Fedora 32.

Obviously, the first step is to ensure that you have a Raspberry Pi 4. If you don’t have one yet, go do that first. You’re also going to need a micro-SD card that is at least 8GB large.

Next, we will need to download the Fedora 32 raw image from here. You want to grab the “Fedora Minimal” image. At the time of writing, this will download a file called “Fedora-Minimal-32-1.6.aarch64.raw.xz”.

You will also need to install a package on your existing Fedora workstation called “fedora-arm-installer”:

# dnf install -y fedora-arm-installer

Now you should have everything you need, so put the micro-SD card into your Fedora workstation. If there are existing partitions/filesystems on your SD card, then unmount them. Note that my laptop has an NVMe drive, so the first USB drive is /dev/sda. Be careful because often /dev/sda is the boot drive, so don’t just copy/paste any of these things!

# umount /dev/sda1
# umount /dev/sda2
# umount /dev/sda3

Once everything is unmounted from the SD card, we are ready to write the downloaded image file to the SD card. This process will take a little while, so go grab a coffee while it runs!

# fedora-arm-image-installer --image /path/to/image/Fedora-Minimal-32-1.6.aarch64.raw.xz \
    --media=/dev/sda --addkey /home/<mydir>/.ssh/id_rsa.pub \
    --relabel --resizefs --target=rpi4

=====================================================
= Selected Image:
= /path/to/image/Fedora-Minimal-32-1.6.aarch64.raw.xz
= Selected Media : /dev/sda
= U-Boot Target : rpi4
= SELinux relabel will be completed on first boot.
= Root partition will be resized
= SSH Public Key /home/<mydir>/.ssh/id_rsa.pub will be added.
=====================================================

***********************************************************
***********************************************************
*********** WARNING! ALL DATA WILL BE DESTROYED ***********
***********************************************************
***********************************************************

Type 'YES' to proceed, anything else to exit now

= Proceed? YES
= Writing:
= /path/to/image/Fedora-Minimal-32-1.6.aarch64.raw.xz
= To: /dev/sda ….
5364056064 bytes (5.4 GB, 5.0 GiB) copied, 301 s, 17.8 MB/s
0+523705 records in
0+523705 records out
5368709120 bytes (5.4 GB, 5.0 GiB) copied, 660.313 s, 8.1 MB/s
= Writing image complete!
= Resizing /dev/sda ….
Checking that no-one is using this disk right now … OK

Disk /dev/sda: 29.74 GiB, 31914983424 bytes, 62333952 sectors
Disk model: Storage Device
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x8b1dd6db

Old situation:
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 1230847 1228800 600M 6 FAT16
/dev/sda2 1230848 3327999 2097152 1G 83 Linux
/dev/sda3 3328000 10485759 7157760 3.4G 83 Linux

/dev/sda3:
New situation:
Disklabel type: dos
Disk identifier: 0x8b1dd6db

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 1230847 1228800 600M 6 FAT16
/dev/sda2 1230848 3327999 2097152 1G 83 Linux
/dev/sda3 3328000 62333951 59005952 28.1G 83 Linux

The partition table has been altered.
Calling ioctl() to re-read partition table.
Re-reading the partition table failed.: Device or resource busy
The kernel still uses the old table. The new table will be used at the next reboot or after you run partprobe(8) or partx(8).
Syncing disks.
e2fsck 1.45.5 (07-Jan-2020)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/sda3: 36495/224000 files (0.1% non-contiguous), 341493/894720 blocks
resize2fs 1.45.5 (07-Jan-2020)
Resizing the filesystem on /dev/sda3 to 7375744 (4k) blocks.
The filesystem on /dev/sda3 is now 7375744 (4k) blocks long.

= No U-Boot files found for rpi4.
= Adding SSH key to authorized keys.
= Touch /.autorelabel on rootfs.

= Installation Complete! Insert into the rpi4 and boot.

If you’ve gotten this far, then you’re doing very well! Now remove the SD card from your laptop and install it in the Raspberry Pi 4.

Set Up the Raspberry Pi 4

The next step will be to configure the OS. When I bought my Raspberry Pi 4, I neglected to buy the mini-HDMI dongle, so I was forced to continue headless. But if you have that cable, you can do the network configuration with a keyboard and monitor.

When you plug in a network cable and power on the Pi4, it will start to boot. It could take 5 minutes or more for the system to boot because we asked for a full SELinux relabel when we ran fedora-arm-image-installer. So be patient.

Eventually, your Pi will come up with a DHCP address (check your switch or router for which IP was used). Because you passed the option to copy your SSH public key, you can just ssh in as root without a password.

$ ssh -l root 192.168.0.34
The authenticity of host '192.168.0.34 (192.168.0.34)' can't be established.
ECDSA key fingerprint is SHA256:9UWwZBlZRuNq3B6y0bDrr2KSI8aWytinXZF0TqVC0/I.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.34' (ECDSA) to the list of known hosts.

[root@localhost ~]#

Set the hostname with hostnamectl set-hostname:

[root@localhost ~]# hostnamectl set-hostname lt01ldap01.matt.lab

Next, we want to rename the NetworkManager connection and give it a static IP address:

[root@lt01ldap01 ~]# nmcli c modify "Wired connection 1" connection.id eth0
[root@lt01ldap01 ~]# nmcli con mod eth0 ipv4.addresses 192.168.0.34/24
[root@lt01ldap01 ~]# nmcli con mod eth0 ipv4.gateway 192.168.0.1
[root@lt01ldap01 ~]# nmcli con mod eth0 ipv4.method manual
[root@lt01ldap01 ~]# nmcli con mod eth0 ipv4.dns "192.168.0.1"
[root@lt01ldap01 ~]# nmcli con up eth0

If you changed the IP address above, you will need to log in again.

Change the root password:

[root@lt01ldap01 ~]# passwd
Changing password for user root
New password: ********
Retype new password: ********
passwd: all authentication tokens updated successfully.

These steps are optional, but I recommend them to make management easier. Update your sshd configuration to allow you to log in as root with a password by adding these options to /etc/ssh/sshd_config:

PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no

Then restart sshd:

[root@lt01ldap01 ~]# systemctl restart sshd

Finally, update the system and reboot:

[root@lt01ldap01 ~]# dnf -y update && reboot

Install IPA on the Raspberry Pi 4

Once your Raspberry Pi 4 has rebooted, you’re ready to install IPA. IPA has many features and options, and you will need to decide which ones suit your environment, but the examples given here work in my lab.

Start by installing the IPA software:

[root@lt01ldap01 ~]# dnf -y install ipa-server ipa-server-dns

Before we run the installer, there are a few preparatory steps. Installing IPA on the Pi 4 is mostly the same as on any other server, but because the cryptographic operations (in particular the certificate authority start-up) run so much more slowly on the Pi 4, we need to raise some timeouts.

Create a text file in root’s home directory. The name of this file is irrelevant:

[root@lt01ldap01 ~]# vi /root/pki-conf

[DEFAULT]
startup_timeout=900

Next, we need to make some changes to the systemd unit file for pki-tomcatd. We don’t normally want to change these packaged files, but in this case we don’t really have a choice. Add these options to /usr/lib/systemd/system/pki-tomcatd@.service in the [Service] section:

TimeoutStartSec=900
TimeoutStopSec=900

Make sure you run systemctl daemon-reload after changing the unit file so that systemd picks up the new options:

[root@lt01ldap01 ~]# systemctl daemon-reload

One step of the IPA installation that is exactly the same as on a normal server is the firewall configuration. Since there is nothing Pi-specific here, I will leave you to find the right ports to open in the documentation. But make sure they are open before you start, or you will get failures partway through.

Finally, we are ready to run the IPA installation. This process will take longer on the Raspberry Pi 4 than on a normal server or VM, but with the changes we made above, you should be ready to go! As mentioned earlier, the exact options on your install command line will have to be changed to match your environment, but the most important difference for the Pi 4 is the option --pki-config-override /root/pki-conf (this is the file you created in root’s home directory earlier).

[root@lt01ldap01 ~]# ipa-server-install --realm MATT.LAB \
    --ds-password <password> --admin-password <password> \
    --setup-dns --setup-kra --no-forwarders --mkhomedir \
    --reverse-zone=0.168.192.in-addr.arpa. --no-dnssec-validation \
    --pki-config-override /root/pki-conf
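The preparation steps above (the PKI override file, the two tomcat timeouts, daemon-reload, then the install) are short enough to script. The script below is an added example and is not part of the original post; it writes the same startup_timeout=900 file the post describes, but puts TimeoutStartSec/TimeoutStopSec in a drop-in under /etc/systemd/system/pki-tomcatd@.service.d/ instead of editing the packaged unit in /usr/lib, so the change survives a dnf update of the pki packages (the drop-in path and file name are my choice, not the post's). Each function takes a root directory argument so it can be exercised against a scratch directory first and only touches the live system when run with the word apply. The realm, passwords and the reverse zone in the apply branch are placeholders you must replace with your own values.

```shell
#!/bin/sh
# Added example, not the original post's code: prepare the Raspberry Pi 4
# timeout overrides for ipa-server-install and verify them before applying.

# Write the PKI config override that ipa-server-install receives via
# --pki-config-override. Takes the full path of the file to create.
write_pki_override() {
    printf '[DEFAULT]\nstartup_timeout=900\n' > "$1"
}

# Write the two tomcat timeouts as a systemd drop-in rather than editing
# /usr/lib/systemd/system/pki-tomcatd@.service (an RPM update would
# overwrite that file; a drop-in under /etc is merged on top of it).
# $1 is a root prefix: "" for the live system, a scratch dir for testing.
# Prints the path of the drop-in it wrote.
write_tomcat_dropin() {
    dir="$1/etc/systemd/system/pki-tomcatd@.service.d"   # assumed path
    mkdir -p "$dir"
    printf '[Service]\nTimeoutStartSec=900\nTimeoutStopSec=900\n' \
        > "$dir/50-rpi4-timeouts.conf"
    printf '%s\n' "$dir/50-rpi4-timeouts.conf"
}

# Read "key=value" back from an INI-style file; prints the value or nothing.
ini_value() {
    sed -n "s/^$2=//p" "$1"
}

# Live-system check: confirm systemd merged the drop-in. Expect 15min.
check_tomcat_timeout() {
    systemctl show -p TimeoutStartUSec pki-tomcatd@pki-tomcat.service
}

if [ "${1:-}" = "apply" ]; then
    set -e
    write_pki_override /root/pki-conf
    write_tomcat_dropin ""
    systemctl daemon-reload
    check_tomcat_timeout
    # Placeholder values below: replace REALM, passwords and zone with yours.
    ipa-server-install --realm EXAMPLE.LAB \
        --ds-password 'CHANGE-ME' --admin-password 'CHANGE-ME' \
        --setup-dns --setup-kra --no-forwarders --mkhomedir \
        --reverse-zone=0.168.192.in-addr.arpa. --no-dnssec-validation \
        --pki-config-override /root/pki-conf
fi
```

Run it once with no arguments (nothing is changed, the functions are only defined), then with apply on the Pi as root. After apply, the check_tomcat_timeout output should read TimeoutStartUSec=15min; if it still shows the default, the drop-in did not merge and the installer will hit the original tomcat start timeout.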

Conclusion

In a world of massive virtualization, sometimes it is still convenient to have a small, purpose-built physical machine that does its task reliably and doesn’t require much intervention. Such is the case for this inexpensive Raspberry Pi 4 that is more than enough to run an IPA server for a small lab. This certainly isn’t the kind of solution you would see in a production environment, but for something where speed or size isn’t critical, the Raspberry Pi 4 is an excellent addition to your home lab.

2 thoughts on “Installing IPA on a Raspberry Pi 4”

  1. Hi, Hein,

    Thanks for the correction. It was an errant copy/paste.

    As far as the actual ipa-server-install options, the goal was merely to give one example of a working configuration. If --allow-zone-overlap is what you need, I’m sure it will work fine.

    Thanks!

  2. Please correct your last command from:

    dnf -y install ipa-server-install --realm MATT.LAB \
    --ds-password --admin-password \
    --setup-dns --setup-kra --no-forwarders --mkhomedir \
    --reverse-zone=0.168.192.in-addr.arpa. --no-dnssec-validation \
    --pki-config-override /root/pki-conf

    to:
    ipa-server-install --realm MATT.LAB \
    --ds-password --admin-password \
    --setup-dns --setup-kra --no-forwarders --mkhomedir \
    --reverse-zone=0.168.192.in-addr.arpa. --no-dnssec-validation \
    --pki-config-override /root/pki-conf

    and I would also suggest adding “--allow-zone-overlap” to the command to make it possible for the ipa-server to be part of an internet-connected environment with mixed DNS servers.
