Changing the use of 'Exception' to 'RuntimeError' has the benefits of
making the error more specific and meaningful for what is being reported
and to remove warnings from linters (pylint).
The same change is applied to all deployment roles.
Since FreeIPA version 4.10 it is possible to deploy servers that use
Random Serial Number v3 support for certificates.
This patch exposes the 'random_serial_numbers' parameter, as
'ipaserver_random_serial_numbers', allowing a user to have random serial
numbers enabled for the domain.
The use of random serial numbers is allowed on new installations only.
All imports that are only available after installing IPA need to be in a
try exception clause to be able to pass the fake execution test. The old
workaround "if 'ansible.executor' in sys.modules:" is not working with
this test anymore.
If the imports can not be done, all used and needed attributes are
defines with the value None.
The new function check_imports has been added to fail with module.fail_json
if an import exception occured and ANSIBLE_IPA_SERVER_MODULE_IMPORT_ERROR is
not None. This function needs to be called in all modules.
The `copyright` date is extended with `-2022`.
This patch modifies the way that the certificate load function is
defined, depending on the dependency version, so that the resulting
identifier for the function is always set and static analysis tools,
like linters don't complain about variables being used before being
set.
The same idiom is applied to both the ipaclient role and the plugins
ansible_module_utils.
In some cases ipa code is using sys.stdout.isatty. As stdout is mapped
to AnsibleModuleLog this call will lead in a traceback as it was not
defined.
The staticmethod isatty has been added to AnsibleModuleLog in ipaserver
role module_utils/ansible_ipa_server.py and in ipareplica role
module_utils/ansible_ipa_repica.py.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2120415
ansible-freeipa Replica Install Setup DNS fails
Fixes: #251 - 'AnsibleModuleLog' object has no attribute 'isatty'
Fixes: #117 - 'AnsibleModuleLog' object has no attribute 'isatty'
The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs.
This is "Require idstart to be larger than UID_MAX" for freeipa.
Fixes: #896 (Invalid RID/SID SSSD backtrace after deployment)
Python 3.11 dropped compat inspect.getargspec. As the roles and modules
need to support Python2 and Python3, the code for getargspec has been
copied from Python 3.10 and is added as a fallback as soon as getargspec
can not be imported from inspect. The copied getargspec is using
getfullargspec internally.
Fixes: #855 (Python's inspect.getargspec was removed in version 3.11)
ERROR: Found 6 pylint issue(s) which need to be resolved:
ERROR: plugins/modules/ipaserver_prepare.py:395:4: invalid-name: Variable name "e" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/library/ipaserver_prepare.py:395:4: invalid-name: Variable name "e" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:333:12: invalid-name: Variable name "ds" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:348:12: invalid-name: Variable name "ds" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:361:12: invalid-name: Variable name "ip" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:364:12: invalid-name: Variable name "e" doesn't conform to snake_case naming style
e has been replaced with err, ds with _ds, ip with _ip.
The common_check function in the replica installer code has been changed
for the new memory checker code. With this the server and replica command
line installers got the option --skip-mem-check.
The server and replica role now also support the memory cheker and there
are new variables for server and replica:
ipaserver_mem_check - for ipaserver
ipareplica_mem_check - for ipaserver
These bool values default to yes and can be turned off in the inventory
or playbook if needed.
Related to freeipa PR https://pagure.io/freeipa/issue/8404 (Detect and
fail if not enough memory is available for installation)
Fixes: #450 (IPA Replica Installation Fails)
https://pagure.io/freeipa/issue/8458 moved more things to the ipalib and
ipalib.facts:
- sysrestore has been moved from ipalib.install to ipalib
- is_ipa_configured has been moved from ipaserver.install.installutils to
ipalib.facts
Fixes: #394 (TASK [ipaclient : Install - IPA client test] Error: module
'ipalib.install.sysrestore' has no attribute
'SYSRESTORE_STATEFILE')
The encode_certificate and decode_certificate are needed to encode and
decode a certificate in the way that it can be passed back from a module
and imported back into a usable certificate in another module.
For newer IPA versions the certificate is normally an IPACertificate for
older IPA versions it is simply a bytes array. But in both cases it needs
to be converted not to break Ansible.
The import of ansible_ipa_server, ansible_ipa_replica and ansible_ipa_client
might result in a permission denied error for the log file. It seems that
for collections the module utils seem to be loaded before the needed
permissions are aquired now.
The fix simply adds a wrapper for standard_logging_setup that is called in
all the modules of the server, replica and client roles to do the loggin
setup as one of the first steps of the module execution and not before.
All module_utils are now providing the __all__ structure. Alse the imports
in the modules have been updated to only import freeipa sturctures from
module_utils.
This adds support for the --external-ca option to ipaserver. Lots of
additional tests and checks from ServerInstallInterface.__init__ have
been added to ipaserver_test. Also duplicate tests cna checks have been
removed.
Installer settings in ansible_ipa_server module_util are now also set
to the defaults that are used in Installable, ServerInstallInterface,
ServerMasterInstall, ADTrustInstallInterface and Uninstall.
The /root/ipa.csr file generated on the node in ca.install_step_0 will
be copied to the controller as "{{ inventory_hostname }}-ipa.csr".
The new task file copy_external_cert.yml has been added to copy the
generated certificate defined in ipaserver_external_cert_files to the node
to continue with ca.install_step_1.
The tasks/install.yml file has been adapted to make sure that the steps
that will be done in step two will be skipped after step one has been
done.
The addtion is not oly adding the config setting, but also fixing the
deployment without the setting as functions and methods have been changed
for pki_config_override.
There is a new setting for the ipaserver role:
ipaserver_pki_config_override
There have been missing settings that have not been provided to
ipaserver_setup_adtrust. These are: enable_compat, rid_base and
secondary_rid_base.
The settings rid_base and secondary_rid_base are now initialized in
ipaserver_test and propagated in the results.
The two settings netbios_name and reset_netbios_name are placed in the
adtrust binding in the adtrust.install_check call. These are now saved
when ipaserver_test finishes and are written back in the fist steps of
ipaserver_setup_adtrust to make adtrust.install working.
The settings add_sids and add_agents are now initialized in
ansible_ipa_server in the same way as in ServerMasterInstall. These
settings are fixed in the server deployment.
The installer logs have not been created using the ansible ipaclient,
ipareplica and ipaserver roles. This has been fixed and the installer
logs are created now. This is a new and fixed version of 2113c79 where
verbose mode is turned off.
The call of standard_logging_setup results in verbose and debug output in
the ansible modules. This needs to be done in an altenative way.
This reverts commit 2113c79111.
The inspect binding is needed because of the inspection of
validate_domain_name that has been introduced with commit
818db5cb4d for FreeIPA versions prior
to 4.7.
Removed unused user_input import from ipapython.ipautil. Added import
of DN from ipapython.dn. Set ntpinstance to None if timeconf or
sync_time could not be imported on older FreeIPA releases.
The installer logs have not been created using the ansible ipaclient,
ipareplica and ipaserver roles. This has been fixed and the installer
logs are created now.
