3. How do you manage your users without AD?

How do you manage your users without AD?

A few issues.

The first frustration is around installation. There isn't a simple .deb or tarball to install as part of the AMI build process if you bake AMIs. Instead, you must run a script at boot. So you build yourself a systemd job, or launch it through cloud-init or whatever.

So now the agent is installed. But no one can login to it, because it's not associated with any groups to provision users. And you can't just specify groups to join in a configuration file, because that would be too easy. No, you have to call an API, which can only be done after the agent is running and has registered the instance. Sounds easy, right? But there's no reliable way to know the agent is correctly running. We ended up starting a systemd one-shot that waits for the presence of a file, which is a hack. Why not just wait for the systemd service to be running? Oh, that service doesn't exist until the install script has run, which then creates the service. So it doesn't exist to wait on at boot time. Why can't they just give a damn package to install at bake time?!

Most of the time, an instance will shutdown cleanly, and you can all the JumpCloud API again to deregister the instance as part of the shutdown process. And most of the time, that's all you do with instances. But occasionally you'll have data stores that use ephemeral storage that you'd rather reboot than replace. Now your shutdown story just got a lot more complicated.

The naive approach is just let the agent uninstall and re-install at the next boot. And that can work at lot of the time. But then there was that employee who left, and you disabled the employee's administrator account, which disabled the key used in the initial install script. So you need to keep that updated as well. Because apparently supplying a mechanism to install without being tied to one employee's credentials never occurred to JumpCloud.

Oh, and what if the JumpCloud API for installation script happens to fail at boot, as it does about 1 in 25 times because of timeouts or whatever other connectivity issues their endpoints are having? I hope you have that SSH key you specify in your launch template/configuration, so you can login and fix it. And you're back to handing that key around to everyone, which kind of defeats the point of using JumpCloud.

It's just a lot of hackery to make JumpCloud functional on AWS. The whole design of JumpCloud is really geared around legacy on-premise systems and laptops or whatever, and the product and engineering people there don't seem to understand the frustrations of trying to use their product in a cloud-native way. And they don't even document the workarounds we had to invent to make their service functional.

It's just a really bad fit on AWS, and I would strongly recommend against using it there. It's just not reliable, it's a pain to implement, and we're tired of the headaches.

It's fine for on-premise stuff though, where machines aren't ephemeral.

/r/linuxadmin Thread Parent
Previous
Next

Recently removed from /r/linuxadmin

What's the current job market like for a newer Linux admin? How important is it to understand the Kernel/Internals? Low CPU utilization, low RAM usage, yet very slow processing REST API using SHELL scripts without CURL Problem using stratis with fstab Projects for junior sysadmin Unable to boot the system after changing the root password, pxe over ipv4 Website as cover letter idea What is the optimal education and career path for a Linux Admin? Cannot modify home dir. [lsof and fuser?] Looking for info on Elasticsearch Shield How did you get your start?

More Random Comments

The hottest teens in our webcams! sign up now and get free tokens! Engaging Men as Allies in Preventing Violence Against Women Oh yeah! The MegaShifter has arrived! I love it! I saw a post from someone who seemed to have their social life killed by drugs. What happened to me was the exact opposite. Redditors who quit your boring 9 to 5 to follow your dreams, how did you do it and how did it work out? My roommate [21M] constantly brings his [20F] girlfriend to my [21M] apartment. She has a bed bug infestation at her place and they make no effort to mitigate the odds of them transferring the bugs to ours. I do not want her anywhere near our apartment. What happened to Danbearpig? Coconut Oil Made My Yeast Infection Worse! Budget/taxes: I started at a new company with a W9, as an independent contractor I'll later file with a 1099- I vaguely get that. My question: how should I budget for taxes owed come April? Is there a way to figure out what my taxes will be as a 1099? Justice Department Will Not Charge Police Officers In Freddie Gray’s Death If you have the right-of-way and you take it, believe it or not you're actually not being an asshole by doing so. Not taking the right-of-way is actually the thing that makes you an asshole here. In response to the immediate threat posed by the White Walkers, the XCOM Project has been activated... Redditors who quit your boring 9 to 5 to follow your dreams, how did you do it and how did it work out? 'Nazis Are Not Welcome Here': Protesters Greet Steve Bannon in Hong Kong - U.S. News - Haaretz.com My dog got injured during the hurricane and we can't go to the vet right now because it's closed