ansible-doc is reporting several issues in modules. Most of them have benn
due to misspelled description key word or due to use of multi line text
without the | in the description line.
The import of ansible_ipa_server, ansible_ipa_replica and ansible_ipa_client
might result in a permission denied error for the log file. It seems that
for collections the module utils seem to be loaded before the needed
permissions are aquired now.
The fix simply adds a wrapper for standard_logging_setup that is called in
all the modules of the server, replica and client roles to do the loggin
setup as one of the first steps of the module execution and not before.
The documentation of the module paramaters have been updated. The parameter
list has been updated and all parameters are providing a description and
the required argument has been updated to reflect current setting in the
modules.
When OTP is used for installation of a client or the client part of
a replica and also there is no DNS record for the client, then
ipaclient_get_otp fails in the host_add call.
With the force mode the host_add call will ignore the missing DNS
record and will properly add the host. The host information and also
the DNS record will be updated while deploying the client according
to the given settings.
Fixes: #74 (ipaclient fails when ipaclient_use_otp is true and client ..)
sync_time is not using options anymore, but has two new arguments. These
are ntp_servers and ntp_pool. The options argument is not used anymore.
This requires to use inspect on sync_time to be able to detect if the old
or the new function is available.
The call for get_time_source has been added, but is documented out as the
call is only useful in interactive mode.
ipaclient_test now returns ntp_servers and ntp_pool, which are then used
for ipaclient_setup_ntp.
This has not been done so far in the ansible_ipa_client, but only in the
modules where it was really needed. But as these places are getting more
with 4.7.90, this setting makes it into the module_utils.
ipaadmin_keytab has been supported only with with ipaclient_use_otp. But
it can also be used without for ipa-join.
Important is that ipaadmin_keytab needs to be placed on the cliend node
and ipaadmin_keytab needs to be a full path. Otherwise the file will not
be found.
Password and keytab do not need to be set explicitely to an empty string
when they are not set. Also there is no need to have string length checks
in the role tasks.
With the deactivation of the Python2/3 test the handling of
ansible_python_interpreter needs to be removed as the setting might
not exist and is not changed in with the Python2/3 test any more.
There have been several settings in ipaclient_setup_nss that have been
hard coded instead of using the settings from the role. This has been
fixed and the code in ipaclient_setup_nss has been updated to the latest
version of FreeIPA with compatibility changes for older FreeIPA versions.
Additionally the api is now properly configured so that the DNS SSHFP
records are now properly created if no_dns_sshfp is not enabled.
The old name ntpconf has been still used in one place of the NTP
configuration for FreeIPA versions that do not provide the sync_time
function.
Fixes: #76 (Ansible Configure NTP Task)
The use of version numbers for backward compatibility checks is not
optimal because the version number is not changed if changes are back
ported. The version dependant check has been replaced with an inspect
argspec check.
The FreeIPA versions since 4.7.0 are using chrony and also the new
sync_time function for time synchronization which has been added to
ipaclient/install/client.py.
The old version in ipaclient_setup_ntp has been updated to the code that
has been used in 4.6.4.
The installer logs have not been created using the ansible ipaclient,
ipareplica and ipaserver roles. This has been fixed and the installer
logs are created now. This is a new and fixed version of 2113c79 where
verbose mode is turned off.
cli_servers from ipaclient_test was missing in ipaclient_setup_ntp. This
resulted in a backtrace and is fixed now. Fix options.ntp_servers check
to not use length on NoneType.
The call of standard_logging_setup results in verbose and debug output in
the ansible modules. This needs to be done in an altenative way.
This reverts commit 2113c79111.
check_ldap_conf is only available in FreeIPA 4.7 and later and
tasks.is_nosssd_supported is only available since 4.6.90.pre2.
check_ldap_conf is None (ansible_ipa_client) if it can not be imported.
hasattr has been added to check if is_nosssd_supported is a valid
attribute in tasks.
Fixes: #61 (ipaserver role - Fails on ipaclient install)
The entity argument for validate_domain_name is only available in
FreeIPA 4.7 and later. This has been fixed using inspect to be able to
detect if entity is a valid argument. If not the whole realm name check
is skipped.
Related: #61 (ipaserver role - Fails on ipaclient install)
Fixes: #66 (Python 2 error with validate_domain)
The installer logs have not been created using the ansible ipaclient,
ipareplica and ipaserver roles. This has been fixed and the installer
logs are created now.
The use of ScriptError without an error message but with rval resulted in
very limited information in ansible. The error messages from logger.error
calls have have added to these ScriptError raises.
If the client is already installed and the allow_repair and force_join
options are not set end the playbook processing. This is useful if an
inventory file contains existing and new machines.
The advantage of this is that the krb5 configuration is created in the same
way as in the normal installers. The same functionality as in the normal
installers is used in ipaclient_setup_krb5. There is no need to adapt the
ipa-krb5 role or the the ask file for changes in how the krb5 configuration
is done. Additionally ipaclient_force is now a supported parameter as
it is in the normal installer.
New config option:
ipaclient_force
The variable has been added to ipaclient/defaults/main.yml.
The advantage of this is that the ipa default configuration is created in
the same way as in the normal installers. The same functionality as in the
normal installers is used in ipaclient_ipa_conf.
The no_ prefix for the ssh and sshd settings has been added back. The
naming of the settings should be the same all over the ipcalient role.
The exception is sssd here as it has been deprected and is used from
ipaclient_test.
The name for the setting ssh_trust_dns has been fixed to the command line
option name and not the internl optinos name.
ipaclient_setup_sssd is now using configure_sssd_conf from
ipaclient/install/client.py instead. This simplified the module a lot
and also adds more configuratino options for sssd.
These are new config options supported by ipaclient_setup_sssd:
ipaclient_no_sudo
ipassd_fixed_primary
ipassd_permit
ipassd_enable_dns_updates
ipassd_no_krb5_offline_passwords
ipassd_preserve_sssd
These variables have been added to ipaclient/defaults/main.yml.
The ipaclient_test module was not doing all tests that should be done
with the provided settings. All tests from ipaclient installer parts
are now part of ipaclient_test. There are some minor changes though to
make sure that the repair mode could still be used.
ansible_ipa_client bindings have been updated to fullfill new needs.
The import line of ansible_ipa_client was not correct and used a test
version of the binding that is not possible anymore due to the move of
the module_utils directories into the specific role locations.
The new module ipaclient_setup_ntp to configure and sync time with the NTP
server has been added. The irregular setting ipaclient_ntp has been removed.
The ipaclient_setup_ntp module is using either the new sync_time call or
for compatibility with older FreeIPA versions synconce_ntp.
The reference for ipaclient_ntp in REPLICA.md has been removed also.
This also fixes#55.
ipaclient_extras could configure several things internally according to
provided settings. These have been ssh, sshd, automount, firefox an also
nis. The ssh and sshd configuration is now plocated in ipaclient_setup_ssh,
the automount configuration in ipaclient_setup_automount, the firefox
configuration in ipaclient_setup_firefox and the nis configuration in
ipaclient_setup_nis.
The following additional settings have been added to
roles/ipaclient/defaults/main.yml to provide the same configruation options
as ipa-client-install does:
ipaclient_no_ssh: no
ipaclient_no_sshd: no
ipaclient_no_nisdomain: no
ipaclient_configure_firefox: no
The naming in the ipaclient role has not been following the naming scheme
and conventions used in the ipaserver and ipareplica roles. Also registered
results of modules and commands have not been unsing the result_ prefix as
in the other roles. All this has been fixed and the naming is consistent
now.
These are the renames:
ipahost -> ipaclient_get_otp
ipaapi -> ipaclient_api
ipaextras -> ipaclient_extras
ipafixca -> ipaclient_fix_ca
ipafstore -> ipaclient_fstore
ipa_facts -> ipaclient_get_facts
ipahost -> ipaclient_get_otp
ipajoin -> ipaclient_join
ipanss -> ipaclient_setup_nss
ipasssd -> ipaclient_setup_sssd
ipadiscovery -> ipaclient_test
ipatest -> ipaclient_test_keytab
The api command to get the server config is failing with more recent
freeipa versions. Therefore another way to gather the server config using
api.Backend.rpcclient.forward has been added in case the first version
fails.
The new code is from freeipa commit 8af6accfa5734a7e9a7c92fcf38d5440482413d4
(https://github.com/freeipa/freeipa/commit/8af6accf)
