The firewalld zone verification tasks in ipaserver, ipareplica, and
ipabackup roles were triggering Ansible warnings due to variable
ipareplica_firewalld_zone not being defined when evaluating the task
name.
This fix remove the Jinja template from the task names and wrap the
tasks in a single block so the variable verification is done only once.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This change adds support for DNS over TLS to the ipareplica role.
New variables
ipareplica_dot_forwarders
List of DNS over TLS forwarders. Required if ipareplica_dns_over_tls
is enabled. (list of strings)
required: false
ipareplica_dns_over_tls | ipaclient_dns_over_tls
Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later.
(bool, default: false)
required: false
ipareplica_dns_over_tls_cert
Certificate to use for DNS over TLS. If empty, a new certificate will
be requested from IPA CA. (string)
required: false
ipareplica_dns_over_tls_key
Key for certificate specified in ipareplica_dns_over_tls_cert. (string)
required: false
ipareplica_dns_policy
Encrypted DNS policy. Only usable if `ipareplica_dns_over_tls` is
enabled. (choice: relaxed, enforced, default: relaxed)
required: false
New distribution specific variable
ipareplica_packages_dot
List of IPA packages needed for DNS over TLS.
When running under Mitogen, ipa_server and ipa_replica breaks execution
by overwriting sys.stdout with sys.stdout.
With Mitogen, sys.stdout != sys.stdout at this point in the code, and
changing it in this manner results in access to closed file descriptors
for future invocations. Generally, it is recommended not to use
sys.stdout and instead explicitly cache the current value of sys.stdout.
Python's module "pkg_resources" API has been deprecated in Python 3.12
and will be removed in a future release, and recent FreeIPA versions
provide a replacement for pkg_resources.parse_version.
To remove ansible-freeipa dependency on pkg_resources and not add a
dependency on the 'packaging' module, which is not available in the
standard Python distribution, we'll try to import the funcion used in
FreeIPA to parse versions, and fallback to pkg_resources when it fails.
As an equivalent class is needed, a fallback function is not provided
and execution will fail if neither the FreeIPA nor the pkg_resources
parse_version function are available.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This is a hotfix to allow deployments of clients, replicas and servers
with the dns_over_tls PR for freeipa: https://github.com/freeipa/freeipa/pull/7343/
ipaclient: client.update_ssh_keys has changed parameters,
options.dns_over_tls needs to be set for ipaclient_setup_nss.
ipareplica, ipaserver: Set new parameters globally in module_utils so
far: options.dns_over_tls, options.dns_over_tls_key, options.dns_over_tls_cert,
options.dot_forwarders and options.dns_policy.
The enablement for DNS over TLS for the deployment roles will be done later on.
This patch removes 'vars' files from roles for unsupported distributions
and change minimum supported Fedora to version 40+.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Current version of ansible-list pre-commit hook required changes in the
ansible-freeipa yamllint configuration and these changes triggered
issues in the current playbooks on roles and tests.
This patch adds the required changes to yaml lint configuration and
fixes the affected playbooks.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The IP addresses set with ipareplica_ip_addresses have not been passed
to ipaclient role for client deployment part. This resulted in not
setting the IP addresses.
The description for ipareplica_ip_addresses in the ipareplica README and
also the role modules was wrong and have been fixed to "List of IPA
replica IP addresses".
Related: https://pagure.io/freeipa/issue/7405
Resolves: https://github.com/freeipa/ansible-freeipa/issues/1244
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
FreeIPA commit ea0bf4020ce0b1e32572e128e9323c5af60ec93d
After an HSM replica install ensure all certs are visible
If a certificate on a token does not have NSS trust set then
it won't be visible in the softoken. This can be disconcerting
for those used to seeing all the certificates.
Loop through the possibilities and set no trust (or Peer) for
all the certificates on the token.
Also ensure that the CA certificate has the correct nickname.
Related: https://pagure.io/freeipa/issue/9273
replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is
called instead if the client was configured before deploying with
iparepica role.
FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d
Refactor CA file handling in replica installer
Clean up and remove obsolete code from ipa-replica-install. For several
versions replica installer first ensures that a host is an IPA client,
then promotes the client to a replica. The client installer code sets up
CA stores like IPA_CA_CRT already.
The config attributes config_master_host_name and also config_ca_host_name
are not changed within ipareplica_install_ca_certs, therefore it is not
needed to return them and also to use the returned values for following
tasks.
New versions of pylint ignore Python 2 functions and types, evaluating
'unicode' as "undefined". ansible-freeipa will always define 'unicode'
when running under Python 3, and it is always defined under Python 2.
This patch fixes these false positives.
Altough most of ansible-freeipa documentation and playbooks use
'ipaserver' as the group for the first server deployed for a realm, the
ipareplica role only supported the use of groups["ipaservers"] as an
alternative to set ipareplica_servers.
Also supporting groups.ipaserver, as already supported by the ipaclient
role, make ansible-freeipa playbooks more consistent and current
documentation and examples easier to follow when deploying a cluster
with a server and a replica.
The use of del os.environ assumes that the environment variable exists.
If the variable does not exist, this call will result in a traceback.
The solution is to use os.environ.pop(VARIABLE, None) instead.
This is the ansible-freeipa fix for https://pagure.io/freeipa/issue/9446
(Nightly test failure for replica installation with --setup-ca)
Changing the use of 'Exception' to 'RuntimeError' has the benefits of
making the error more specific and meaningful for what is being reported
and to remove warnings from linters (pylint).
The same change is applied to all deployment roles.
Currently, the minimum supported Ansible version is 2.13, and
ansible-freeipa roles does not work with any version less than 2.9,
altough ansible-freeipa documentation states that the minimum version to
use is 2.8.
This patch fixes documentation and roles metadata to require that the
minimum Ansible version used is 2.13.
Ubuntu does not have a FreeIPA server package since version 20.04. As
versions 16.04 (Xenial Xerus) and 18.04 (Bionic Beaver) will be
supported by Canonical until 2026 and 2028, repectively, we should keep
existing support for both versions in the ipaserver, ipareplica and
ipabackup roles until them.
This patch changes documentation to reflect that only those versions are
supported.
If server FQDN matches the domain name, the installation will succeed,
but DNS records will not work. If 'setup_dns: true' is used, there will
be no A record for the host, only a NS record, and the PTR record will
point to the domain name.
Based on: https://github.com/freeipa/freeipa/pull/6853
Related to: https://pagure.io/freeipa/issue/9003
New variables have been added to ipareplica and ipaserver role to enable
the removal from the domein with the undeployment.
`ipaserver_remove_from_domain`
This enables the removal of the server from the domain additionally to the
undeployment.
`ipaserver_remove_on_server`
The value defines the server/replica in the domain that will to be used to
remove the server/replica from the domain if
`ipaserver_ignore_topology_disconnect` and `ipaserver_remove_from_domain`
are enabled. Without the need to enable
`ipaserver_ignore_topology_disconnect`, the value will be automatically
detected using the replication agreements of the server/replica.
For the replica role it is possible to use the server variables, but
also the replica versions: `ipareplica_remove_from_domain` and
`ipareplica_remove_on_server`.
The already existing parameters `ipaserver_ignore_topology_disconnect` and
`ipaserver_ignore_last_of_role` have been added to the README files for
server and replica with descriptions. The same for the replica versions
of the parameters.
The ipareplica role is not calling the `ipa-server-install` anymore, it
is instead using (including) the server role for the task.
The new module `ipaserver_get_connected_server` has been added to the
server role to be able to get a connected server using the replication
agreements. This module is only used if
`ipaserver_ignore_topology_disconnect` is not needed.
The cleanup of the root IPA cache was depending on the result of the
ipaserver_enable_ipa and ipareplica_enable_ipa tasks. Instead of
"when: something.changed" a handler should be used instead. As
"/root/.ipa_cache" should be removed always (same in command line) the
removal of the file has been moded into the always section and does not
need a when anymore.
Some ipareplica role had a few module calls with parameters set like
'some_argument | default(omit)' that were not actually available in such
modules. If a user provided 'some_argument', the paramater would then
be passed to the module and ipareplica deployment would fail.
By removing the parameters from the 'install' task, ipareplica
deployment works even if the variables are set by the user.
This is an ansible-freeipa update for the freeipa RFE:
https://pagure.io/freeipa/issue/9159
"`ipa-client-install` should provide option to enable `subid: sss`
in `/etc/nsswitch.conf`".
This option allows to configure authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.
The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files
Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
Use Fully Qualified Collection Name (FQCN) for ansible builtins. This is
ansible.builtin.set_fact instead of set_fact for example and aplies for
all actions that are part of ansible.builtin.
All the replaced ansible.builtins:
assert, command, copy, debug, fail, fetch, file, import_playbook,
import_tasks, include_role, include_tasks, include_vars, package,
set_fact, shell, slurp, stat, systemd
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `required` tags need to be fixed according to the `argument_spec`
- `type` tag needs to match `argument_spec`
- `default` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
argument_spec
- `type='str'` needs to be set for string parameters
- `elements='str'` needs to be added to all list of string parameters
A call to ansible_ipa_replica.check_imports has been added to check for import
errors.
The `copyright` date is extended with `-2022`.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `required` tags need to be fixed according to the `argument_spec`
- `type` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
argument_spec
- `type='str'` needs to be set for string parameters
supports_check_mode is turned off as it is not supported.
A call to ansible_ipa_replica.check_imports has been added to check for import
errors.
The `copyright` date is extended with `-2022`.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `required` tags need to be fixed according to the `argument_spec`
- `type` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
argument_spec
- `type='str'` needs to be set for string parameters
- `elements='str'` needs to be added to all list of string parameters
supports_check_mode is turned off as it is not supported.
A call to ansible_ipa_replica.check_imports has been added to check for import
errors.
The `copyright` date is extended with `-2022`.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `required` tags need to be fixed according to the `argument_spec`
- `type` tag needs to match `argument_spec`
- `default` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
- all parameters need to be defined
argument_spec
- `type='str'` needs to be set for string parameters
- `elements='str'` needs to be added to all list of string parameters
supports_check_mode is turned off as it is not supported.
A call to ansible_ipa_replica.check_imports has been added to check for import
errors.
The `copyright` date is extended with `-2022`.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `required` tags need to be fixed according to the `argument_spec`
- `type` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
argument_spec
- `type='str'` needs to be set for string parameters
- `elements='str'` needs to be added to all list of string parameters
supports_check_mode is turned off as it is not supported.
A call to ansible_ipa_replica.check_imports has been added to check for import
errors.
The `copyright` date is extended with `-2022`.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `required` tags need to be fixed according to the `argument_spec`
- `type` tag needs to match `argument_spec`
- `default` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
argument_spec
- `type='str'` needs to be set for string parameters
- `elements='str'` needs to be added to all list of string parameters
supports_check_mode is turned off as it is not supported.
A call to ansible_ipa_replica.check_imports has been added to check for import
errors.
The `copyright` date is extended with `-2022`.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `required` tags need to be fixed according to the `argument_spec`
- `type` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
argument_spec
- `type='str'` needs to be set for string parameters
- `elements='str'` needs to be added to all list of string parameters
supports_check_mode is turned off as it is not supported.
A call to ansible_ipa_replica.check_imports has been added to check for import
errors.
The `copyright` date is extended with `-2022`.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `required` tags need to be fixed according to the `argument_spec`
- `type` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
argument_spec
- `type='str'` needs to be set for string parameters
- `elements='str'` needs to be added to all list of string parameters
supports_check_mode is turned off as it is not supported.
A call to ansible_ipa_replica.check_imports has been added to check for import
errors.
The `copyright` date is extended with `-2022`.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `suboptions` needs to be removed without arguments
- `author` needs to be given with the github user also: `Name (@user)`
supports_check_mode is turned off as it is not supported.
A call to ansible_ipa_replica.check_imports has been added to check for import
errors.
The `copyright` date is extended with `-2022`.
