internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-05-07 13:53:23 +00:00
Code Issues Projects Releases Wiki Activity

ipareplica: Add support for hidden replica

Browse Source 
The hidden replica support introduced some incompatible changes to replica
deployment. The methods find_providing_server and find_providing_serves
have been moved from ipaserver.install.service to ipaserver.masters.
Additionally the host_name argument for find_providing_server is a list
now. This breaks existing ipareplica Ansible modules ipareplica_prepare
and ipareplica_enable_ipa.
This commit is contained in:
Thomas Woerner
2019-05-31 18:05:02 +02:00
parent 5951b954be
commit 5057b3cfe0
6 changed files with 58 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
roles/ipareplica/defaults/main.yml
View File

@@ -4,6 +4,7 @@
### basic ###
ipareplica_no_host_dns: no
ipareplica_skip_conncheck: no
ipareplica_hidden_replica: no
### server ###
ipareplica_setup_adtrust: no
ipareplica_setup_ca: no

16
roles/ipareplica/library/ipareplica_enable_ipa.py
View File

@@ -69,6 +69,7 @@ def main():
ansible_module = AnsibleModule(
argument_spec = dict(
hostname=dict(required=False),
hidden_replica=dict(required=False, type='bool', default=False),
### server ###
### certificate system ###
subject_base=dict(required=True),
@@ -88,6 +89,7 @@ def main():
options = installer
options.host_name = ansible_module.params.get('hostname')
options.hidden_replica = ansible_module.params.get('hidden_replica')
### server ###
### certificate system ###
options.subject_base = ansible_module.params.get('subject_base')
@@ -112,6 +114,7 @@ def main():
env = gen_env_boostrap_finalize_core(paths.ETC_IPA,
constants.DEFAULT_CONFIG)
api_bootstrap_finalize(env)
config = gen_ReplicaConfig()
remote_api = gen_remote_api(config_master_host_name, paths.ETC_IPA)
installer._remote_api = remote_api
@@ -122,11 +125,16 @@ def main():
api.Backend.ldap2.connect()
with redirect_stdout(ansible_log):
# Enable configured services and update DNS SRV records
service.enable_services(options.host_name)
if options.hidden_replica:
# Set services to hidden
service.hide_services(config.host_name)
else:
# Enable configured services
service.enable_services(config.host_name)
# update DNS SRV records. Although it's only really necessary in
# enabled-service case, also perform update in hidden replica case.
api.Command.dns_update_system_records()
ca_servers = service.find_providing_servers('CA', api.Backend.ldap2,
api)
ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api)
api.Backend.ldap2.disconnect()
# Everything installed properly, activate ipa service.

34
roles/ipareplica/library/ipareplica_prepare.py
View File

@@ -293,10 +293,14 @@ def main():
# pylint: disable=no-member
xmlrpc_uri = 'https://{}/ipa/xml'.format(ipautil.format_netloc(env.host))
if hasattr(ipaldap, "realm_to_ldapi_uri"):
realm_to_ldapi_uri = ipaldap.realm_to_ldapi_uri
else:
realm_to_ldapi_uri = installutils.realm_to_ldapi_uri
api.bootstrap(in_server=True,
context='installer',
confdir=paths.ETC_IPA,
ldap_uri=installutils.realm_to_ldapi_uri(env.realm),
ldap_uri=realm_to_ldapi_uri(env.realm),
xmlrpc_uri=xmlrpc_uri)
# pylint: enable=no-member
api.finalize()
@@ -308,13 +312,19 @@ def main():
config.host_name = api.env.host
config.domain_name = api.env.domain
config.master_host_name = api.env.server
config.ca_host_name = api.env.ca_host
if not api.env.ca_host or api.env.ca_host == api.env.host:
# ca_host has not been configured explicitly, prefer source master
config.ca_host_name = api.env.server
else:
# default to ca_host from IPA config
config.ca_host_name = api.env.ca_host
config.kra_host_name = config.ca_host_name
config.ca_ds_port = 389
config.setup_ca = options.setup_ca
config.setup_kra = options.setup_kra
config.dir = installer._top_dir
config.basedn = api.env.basedn
#config.hidden_replica = options.hidden_replica
# load and check certificates #
@@ -550,8 +560,11 @@ def main():
ansible_log.debug("-- SEARCH FOR CA --")
# Find if any server has a CA
ca_host = service.find_providing_server(
'CA', conn, config.ca_host_name)
if not hasattr(service, "find_providing_server"):
_host = [config.ca_host_name]
else:
_host = config.ca_host_name
ca_host = find_providing_server('CA', conn, _host)
if ca_host is not None:
config.ca_host_name = ca_host
ca_enabled = True
@@ -574,14 +587,17 @@ def main():
ansible_log.debug("-- SEARCH FOR KRA --")
kra_host = service.find_providing_server(
'KRA', conn, config.kra_host_name)
if not hasattr(service, "find_providing_server"):
_host = [config.kra_host_name]
else:
_host = config.kra_host_name
kra_host = find_providing_server('KRA', conn, _host)
if kra_host is not None:
config.kra_host_name = kra_host
kra_enabled = True
else:
if options.setup_kra:
logger.error("There is no KRA server in the domain, "
logger.error("There is no active KRA server in the domain, "
"can't setup a KRA clone")
raise ScriptError(rval=3)
kra_enabled = False
@@ -673,6 +689,10 @@ def main():
if add_to_ipaservers:
os.environ['KRB5CCNAME'] = ccache
if hasattr(tasks, "configure_pkcs11_modules"):
if tasks.configure_pkcs11_modules(fstore):
ansible_log.info("Disabled p11-kit-proxy")
installer._ca_enabled = ca_enabled
installer._kra_enabled = kra_enabled
installer._ca_file = cafile

6
roles/ipareplica/library/ipareplica_test.py
View File

@@ -64,6 +64,7 @@ def main():
realm=dict(required=False),
hostname=dict(required=False),
ca_cert_files=dict(required=False, type='list', default=[]),
hidden_replica=dict(required=False, type='bool', default=False),
### server ###
setup_adtrust=dict(required=False, type='bool', default=False),
setup_kra=dict(required=False, type='bool', default=False),
@@ -106,6 +107,7 @@ def main():
options.realm_name = ansible_module.params.get('realm')
options.host_name = ansible_module.params.get('hostname')
options.ca_cert_files = ansible_module.params.get('ca_cert_files')
options.hidden_replica = ansible_module.params.get('hidden_replica')
### server ###
options.setup_adtrust = ansible_module.params.get('setup_adtrust')
options.setup_kra = ansible_module.params.get('setup_kra')
@@ -173,6 +175,10 @@ def main():
# # options.setup_kra = False
# # ansible_module.warn(msg="kra is not supported, disabling")
if options.hidden_replica and not hasattr(service, "hide_services"):
ansible_module.fail_json(
msg="Hidden replica is not supported in this version.")
# From ipa installer classes
# pkinit is not supported on DL0, don't allow related options

9
roles/ipareplica/module_utils/ansible_ipa_replica.py
View File

@@ -79,6 +79,12 @@ if NUM_VERSION >= 40600:
adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance,
installutils, kra, krbinstance,
otpdinstance, custodiainstance, service, upgradeinstance)
try:
from ipaserver.masters import (
find_providing_servers, find_providing_server)
except ImportError:
from ipaserver.install.service import (
find_providing_servers, find_providing_server)
from ipaserver.install.installutils import (
ReplicaConfig, load_pkcs12, is_ipa_configured)
from ipaserver.install.replication import (
@@ -162,6 +168,9 @@ class AnsibleModuleLog():
def debug(self, msg):
self.module.debug(msg)
def info(self, msg):
self.module.debug(msg)
def write(self, msg):
self.module.debug(msg)
#self.module.warn(msg)

3
roles/ipareplica/tasks/install.yml
View File

@@ -46,6 +46,7 @@
realm: "{{ ipareplica_realm | default(omit) }}"
hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}"
ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
hidden_replica: "{{ ipareplica_hidden_replica }}"
### server ###
setup_adtrust: "{{ ipareplica_setup_adtrust }}"
setup_kra: "{{ ipareplica_setup_kra }}"
@@ -637,6 +638,8 @@
- name: Install - Enable IPA
ipareplica_enable_ipa:
hostname: "{{ result_ipareplica_test.hostname }}"
hidden_replica: "{{ ipareplica_hidden_replica }}"
### server ###
### certificate system ###
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###