The firewalld zone verification tasks in ipaserver, ipareplica, and
ipabackup roles were triggering Ansible warnings due to variable
ipareplica_firewalld_zone not being defined when evaluating the task
name.
This fix remove the Jinja template from the task names and wrap the
tasks in a single block so the variable verification is done only once.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This change adds support for DNS over TLS to the ipareplica role.
New variables
ipareplica_dot_forwarders
List of DNS over TLS forwarders. Required if ipareplica_dns_over_tls
is enabled. (list of strings)
required: false
ipareplica_dns_over_tls | ipaclient_dns_over_tls
Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later.
(bool, default: false)
required: false
ipareplica_dns_over_tls_cert
Certificate to use for DNS over TLS. If empty, a new certificate will
be requested from IPA CA. (string)
required: false
ipareplica_dns_over_tls_key
Key for certificate specified in ipareplica_dns_over_tls_cert. (string)
required: false
ipareplica_dns_policy
Encrypted DNS policy. Only usable if `ipareplica_dns_over_tls` is
enabled. (choice: relaxed, enforced, default: relaxed)
required: false
New distribution specific variable
ipareplica_packages_dot
List of IPA packages needed for DNS over TLS.
The IP addresses set with ipareplica_ip_addresses have not been passed
to ipaclient role for client deployment part. This resulted in not
setting the IP addresses.
The description for ipareplica_ip_addresses in the ipareplica README and
also the role modules was wrong and have been fixed to "List of IPA
replica IP addresses".
Related: https://pagure.io/freeipa/issue/7405
Resolves: https://github.com/freeipa/ansible-freeipa/issues/1244
replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is
called instead if the client was configured before deploying with
iparepica role.
FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d
Refactor CA file handling in replica installer
Clean up and remove obsolete code from ipa-replica-install. For several
versions replica installer first ensures that a host is an IPA client,
then promotes the client to a replica. The client installer code sets up
CA stores like IPA_CA_CRT already.
The config attributes config_master_host_name and also config_ca_host_name
are not changed within ipareplica_install_ca_certs, therefore it is not
needed to return them and also to use the returned values for following
tasks.
Altough most of ansible-freeipa documentation and playbooks use
'ipaserver' as the group for the first server deployed for a realm, the
ipareplica role only supported the use of groups["ipaservers"] as an
alternative to set ipareplica_servers.
Also supporting groups.ipaserver, as already supported by the ipaclient
role, make ansible-freeipa playbooks more consistent and current
documentation and examples easier to follow when deploying a cluster
with a server and a replica.
The cleanup of the root IPA cache was depending on the result of the
ipaserver_enable_ipa and ipareplica_enable_ipa tasks. Instead of
"when: something.changed" a handler should be used instead. As
"/root/.ipa_cache" should be removed always (same in command line) the
removal of the file has been moded into the always section and does not
need a when anymore.
Some ipareplica role had a few module calls with parameters set like
'some_argument | default(omit)' that were not actually available in such
modules. If a user provided 'some_argument', the paramater would then
be passed to the module and ipareplica deployment would fail.
By removing the parameters from the 'install' task, ipareplica
deployment works even if the variables are set by the user.
Use Fully Qualified Collection Name (FQCN) for ansible builtins. This is
ansible.builtin.set_fact instead of set_fact for example and aplies for
all actions that are part of ansible.builtin.
All the replaced ansible.builtins:
assert, command, copy, debug, fail, fetch, file, import_playbook,
import_tasks, include_role, include_tasks, include_vars, package,
set_fact, shell, slurp, stat, systemd
The NTP server chrony was always enabled and set up due to overwriting
the parameter ipaclient_no_ntp for the client part deployment.
For IPA deployments up to 4.6 no_ntp was always used for the client
part deployment in ipa-replica-install. But afterwards ntp was
configured in the replica deployment part if no_ntp was not set.
The ipareplica roles always relied on the client for setting up the NTP
server but overwrote the setting for the client deployment part. This
did not result in a failure to enable the chrony server in RHEL and Fedora
based distributions as NTP server was always required by the ipa-server
package.
Fixes: #871 (ipa-replica-install with no-ntp is ignored)
The internal parameter sid_generation_always is generated in
ipareplica_test to enable SID generation if ipareplica_setup_adtrust is
not enabled.
This parameter was not used for ipareplica_prepare though, therefore
adtrust.install_check was not executed and did not set the attribute
adtrust.netbios_name. As a result adtrust.netbios_name was None and the
try to use this as the new NetBIOS domain name failed with an
INVALID_SYNTAX error in adtrustinstance while executing
ipareplica_setup_adtrust.
This issue only occurs if SIDs are not enabled in the domain yet for
example with an old deployment.
The SID is always generated in the command line installers in newer IPA
versions. This also needs to be done in the ipaserver and ipareplica roles.
For the IPA versions that are supporting this, the adtrust setup is always
executed to generated the SIDs, but only configures AD trust if
ipaserver_setup_adtrust or ipareplica_setup_adtrust is also enabled. A
check has been added to ipaserver_test and ipareplica_test to only enable
the SID generation for the IPA versions supporting this.
This is related to https://pagure.io/freeipa/8995
Fixes:
- https://bugzilla.redhat.com/show_bug.cgi?id=2110478
- https://bugzilla.redhat.com/show_bug.cgi?id=2110491
With the support for Random Serial Numbers v3 in FreeIPA 4.10, the
attribute random_serial_numbers has been added to the installer options.
options._random_serial_numbers is generated by ca.install_check and
later used by ca.install in the _setup_ca module.
ca.install_check is using options.random_serial_numbers and generating
options._random_serial_numbers which is later used by ca.install in
ca.install the _setup_ca module.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2103928https://bugzilla.redhat.com/show_bug.cgi?id=2103924
Without this change the "Import variables specific to distribution"
tasks fail with "Could not find file on the Ansible Controller..."
on environments with inject facts disabled.
This changes the tests to run with ansible with
inject_facts_as_vars = false and fixes other roles and playbooks.
The common_check function in the replica installer code has been changed
for the new memory checker code. With this the server and replica command
line installers got the option --skip-mem-check.
The server and replica role now also support the memory cheker and there
are new variables for server and replica:
ipaserver_mem_check - for ipaserver
ipareplica_mem_check - for ipaserver
These bool values default to yes and can be turned off in the inventory
or playbook if needed.
Related to freeipa PR https://pagure.io/freeipa/issue/8404 (Detect and
fail if not enough memory is available for installation)
Fixes: #450 (IPA Replica Installation Fails)
The new variables ipa[server,replica]_firewalld_zone have been added to
be able to set the zone in which the needed services for IPA are enabled.
New tasks have been added to check if the zone is available in the runtime
and also permamanet environment.
The code to enable firewalld has been moved out of thee
ipa[server,replica]_install_packages blocks to make sure that the firewalld
service is also enabled if the package is already installed.
Fixes: issue #177 (How to set up firewalld zones?)
The parameters master_host_name, config_setup_ca, dirman_password have not
been set for some modules. Also there was no ldap2 connection within
ipareplica_setup_kra. All this resulted in improper configuration where
for example KRA deployment failed in the end.
A conversion warning in ipareplica_setup_adtrust has also been fixed for
the setup_ca parameter.
Fixes#314 (IPA replica installation failure - DS enabled SSL - second part)
With the CA-less patches the types for the pkcs12 infos have been changed
to lists in the modules. This is resulting in a bad conversion from None
to [''] for the parameters. Because of this a normal replica deployment is
failing as [''] is not a valid value.
The install.yml files for ipareplica and also ipaserver have been changed
in the way that the pkcs12 values are checked if they are None. The
parameter will simply be omitted in this case and the parameter in the
module will become None by default.
Use ipaserver_realm as a fallback if ipareplica_realm is not defined. This
had been done for ipareplica_domain and ipaserver_domain, but was missing
for ipareplica_realm and ipaserver_realm.
Related: #114 (ipareplica 'Env' object has no attribute 'realm')
ipareplica role by default tries to configure firewalld but it didn't
check if firewalld related packages were installed.
Similar to DNS and trust to AD features, install firewalld-related
packages before trying to configure firewalld.
Additionally, enable and start firewalld.service because otherwise
firewall-cmd cannot communicate with firewalld itself (it is not
starting on demand).
If and administrator considers not to use firewalld, a default for
ipareplica_setup_firewalld variable has to be set to 'no'.
Fixes: https://github.com/freeipa/ansible-freeipa/issues/116
These two varibles in the dns binding are initialized in the installation
check in the install_check parts of ipareplica_prepare and used later on
in the dns configuration in ipareplica_setup_dns.
Some settings for kra have not been correct for kra with the change to
use single Custodia instance in the installer (freeipa 994f71ac8).
These modules have been adapted:
ipareplica_custodia_import_dm_password
ipareplica_enable_ipa
ipareplica_setup_ca
ipareplica_setup_custodia
ipareplica_setup_kra
This is related to freeipa#0f31564b35aac250456233f98730811560eda664
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always be replicated yet.
As the certificate request adds the principal if it does not exist, we can
end by re-creating the principal and have a replication conflict.
The replication conflict later causes kerberos issues, preventing
from installing a new replica.
The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.
https://pagure.io/freeipa/issue/7041
The module ipareplica_master_password has been a copy from ipaserver role
and still contained code to read the cache file. This is not needed for
the replica. Therefore there is no need also to provide the dm password
to ipareplica_master_password any more.
The use of squash_actions to invoke a package module, such as “yum”, to
only invoke the module once is deprecated, and will be removed in
Ansible 2.11.
Instead of relying on implicit squashing, tasks should instead supply
the list directly to the name, pkg or package parameter of the module.
See [1] for a reference to the upstream documentation.
The ipa-krb5 and ipa-sssd modules include *_packages variables in both
defaults/ and vars/, additionally, the list of packages in ipa-sssd differs
from one to the other.
Unify list of packages into vars/
[1]: https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.7.html#using-a-loop-on-a-package-module-via-squash-actions
This test is not properly working with EL-8 nodes as the default system
python is not located in /usr/bin. Additionally Ansible 2.8 is able to
detect the default python version on the system. As the installation
base for IPA 4.5.90 where the Python 3 bindings have not been working
properly should be really small or not existing any more the deactivation
of this test should be fine.
The hidden replica support introduced some incompatible changes to replica
deployment. The methods find_providing_server and find_providing_serves
have been moved from ipaserver.install.service to ipaserver.masters.
Additionally the host_name argument for find_providing_server is a list
now. This breaks existing ipareplica Ansible modules ipareplica_prepare
and ipareplica_enable_ipa.
The freeipa-trust service has not been added if adtrust was enabled. For
ipareplica the addition of freeipa-replication has been removed as the
used port is not used anymore since some time.
Fixes: #83 (when installing with ipaserver_setup_adtrust: true the firewalld
service freeipa-trust is not added)
There have been missing settings that have not been provided to
ipareplica_setup_adtrust. These are: enable_compat, rid_base and
secondary_rid_base.
The settings rid_base and secondary_rid_base are now initialized in
ipareplica_prepare and propagated in the results.
The two settings netbios_name and reset_netbios_name are placed in the
adtrust binding in the adtrust.install_check call. These are now saved
when ipareplica_prepare finishes and are written back in the fist steps of
ipareplica_setup_adtrust to make adtrust.install working.
The settings add_sids and add_agents are now initialized in
ansible_ipa_replica in the same way as in ServerMasterInstall. These
settings are fixed in the replica deployment.
Related: #73 (ipaserver_setup_adtrust fails on default smb.conf)
Meta end_play has been used as a simple solution to end the playbook
processing in special conditions, like for example when the deployment
was already done before.
meta end_play has been replaced with blocks and conditions for these
blocks.
Fixes: #70 (Avoid using meta end_play)
