Commit Graph

2654 Commits

Author SHA1 Message Date
Thomas Woerner
4e16126b29 iparole: Add sysaccount member support
sysaccounts can now be used as a member for roles.

Example:

  - name: Ensure role my-app role has sysaccount member my-app
    iparole:
      name: my-app role
      sysaccount: my-app
      action: member

New tests for the module:

    tests/role/test_role_sysaccount_member.yml
2026-01-05 18:22:37 +01:00
Thomas Woerner
dc9b0ce4e8 New sysaccount management module
There is a new sysaccount management module placed in the plugins folder:

    plugins/modules/ipasysaccount.py

The sysaccount module allows ensuring the presence or absence of system
accounts.

Here is the documentation for the module:

    README-sysaccount.md

New sysaccount example playbooks:

    playbooks/sysaccount/sysaccount-absent.yml
    playbooks/sysaccount/sysaccount-disabled.yml
    playbooks/sysaccount/sysaccount-enabled.yml
    playbooks/sysaccount/sysaccount-present.yml
    playbooks/sysaccount/sysaccount-privileged.yml
    playbooks/sysaccount/sysaccount-unprivileged.yml

New tests for the module:

    tests/sysaccount/test_sysaccount.yml
    tests/sysaccount/test_sysaccount_client_context.yml
2026-01-05 16:36:26 +01:00
Thomas Woerner
aa3bf1f015 Merge pull request #1406 from rjeffman/fix_checkpr_version_name
upstream ci: Use version_name for CheckPR labels
2026-01-05 16:35:23 +01:00
Rafael Guterres Jeffman
f0aa531b28 upstream ci: Use version_name for CheckPR labels
As the ansible_version variable may contain a version specification, we
need a version_name to correctly report the job label in Azure.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2026-01-05 12:01:15 -03:00
Thomas Woerner
6407fd8b2e Merge pull request #1404 from rjeffman/fix_pipeline_names
upstream ci: Fix Azure pipelines invalid names
2025-11-27 10:43:01 +01:00
Rafael Guterres Jeffman
2a1be13d3e upstream ci: Fix Azure pipelines invalid names
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-11-24 13:25:26 -03:00
Thomas Woerner
2afca1fa5e Merge pull request #1403 from rjeffman/checkpr_ansible_version
upstream CI: Fix CheckPR ansible-core version definition
2025-11-24 11:23:44 +01:00
Thomas Woerner
2a40e42b0c Merge pull request #1402 from rjeffman/fix_nightlies
upstream CI: Fix nightly and azure-pipelines to use version map
2025-11-24 11:23:11 +01:00
Rafael Guterres Jeffman
8a33941188 upstream CI: Fix CheckPR ansible-core version definition
Using the 'ansible-version' variable as '<2.17' allows 'pip' to
install the latest version of the 2.16 series, instead of version 2.16.0
as in the case '==2.16'. This ensures we run the tests with the latest
supported version for the specific distro.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-11-21 09:33:47 -03:00
Rafael Guterres Jeffman
0aef995bbe upstream CI: Fix Azure nightly pipelines to use version map
Modify nightly pipelines to use the same distro-to-Ansible version map
so that the Ansible version matches the required version for the
specific distro. Nightly pipelines are the same used for Weekly tests.

This was required due to recent updates for Python 3.14 and Ansible
upstream versions.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-11-21 09:25:08 -03:00
Thomas Woerner
ed44344519 Merge pull request #1380 from rjeffman/python_requirements
Fixes several linter issues for recent tool versions.
2025-11-11 13:04:51 +01:00
Rafael Guterres Jeffman
b186a1f28f upstream CI: Update Ansible version for c9s
Although the available ansible-core package version for c9s is 2.14, the
upstream "pip" version of this package has a broken certificate and is
unusable against Galaxy.

This patch fixes the version to 2.16, as it is the same version for c8s
and c10s, and the oldest one available as packages for the CentOS
Streams.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-11-10 15:48:26 -03:00
Rafael Guterres Jeffman
d307635c38 pytest: update to work with recent Python
With Python 3.14, the required pytest version stopped working due to
breaking changes in AST.

This patch changes the test tool versions to the most recent one, by
requiring only the minimal version, but not setting a specific one.
Recent pytest versions also require that the search path for Python
modules is defined.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-11-10 15:39:00 -03:00
Thomas Woerner
74f3817531 Merge pull request #1377 from rjeffman/ansible_2_18
Update Ansible version in Upstream CI
2025-11-10 15:39:41 +01:00
Rafael Guterres Jeffman
97378c38cf pylint: Add list of upper case constants to setup.cfg
Pylint 4.0.1 seems to not understand that some of the constants used by
ansible-freeipa roles and modules are constants and not variables, and
complain about the naming style.

Adding these constant names to the "good-names" list avoids pylint
errors and doesn't require future unnecessary changes.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-11-10 11:38:52 -03:00
Rafael Guterres Jeffman
6f15cd093a ansible-lint: Fix Jinja error
A task in 'roles/ipaclient/tasks/install.yml' uses logic that
ansible-lint and jinja are unable to evaluate due to a missing type. By
refactoring the task the tools are able to evaluate the task.
2025-11-10 11:38:52 -03:00
Rafael Guterres Jeffman
52f7f7848e ansible-lint: Fix deprecation warning with bool and omit
The application of the 'bool' filter to an OmitType value is deprecated
and will be removed on ansible-core 2.23.
2025-11-10 11:38:52 -03:00
Rafael Guterres Jeffman
fdd45cc475 pylint: Fix pylint 3.3.8 issues
With the latest pylint version, an issue is raised by inheriting from
BaseInventoryPlugin, as the class has too many ancestors
(too-many-ancestors). This is caused by a class hierarchy that is too
deep, and is not under ansible-freeipa's control.
2025-11-10 11:38:52 -03:00
Rafael Guterres Jeffman
a1cad32a46 requirements.txt: Add setuptools
In recent Python setups, 'setuptools' may not be readily available, and,
as we depend on it, it should be a requirement.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-11-10 11:38:52 -03:00
Thomas Woerner
7036fa3e1b Merge pull request #1392 from rjeffman/fix_cert_msg_change
ipacert: Fix tests for inexistent certificate
2025-11-10 15:20:07 +01:00
Rafael Guterres Jeffman
95d935f185 ansible-docs: Update versions for ansible-doc-test checks
Older versions of ansible-doc-test are failing due to code errors in the
parsing module. This is fixed by using newer versions.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-11-07 14:32:35 -03:00
Rafael Guterres Jeffman
dd3bc4fcdd linter: Pin Python version for ansible-lint
ansible-lint is complaining that Python 3.14 requires ansible-core 2.20,
even if other versions work on that Python version.

Workaround implemented is to pin the ansible-lint Python version to 3.13.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-11-07 14:28:33 -03:00
Rafael Guterres Jeffman
c405229553 ipacert: Fix tests for inexistent certificate
After a PKI update the message returned for 'cert_show' in the case of
an inexistent certificate has changed, causing tests to fail.

The fix is only required for the tests, as the behavior has not changed.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-10-21 15:27:31 -03:00
Rafael Guterres Jeffman
3fa3bf0822 ci: Update ansible-core to 2.18 in CI
The ansible-core version used in the CI pipelines has been updated
from 2.16 to 2.18 to keep the testing environment current.

Additionally, the pull request pipeline has been enhanced to test
against the specific ansible-core versions that are packaged with the
latest stable distributions. This will help ensure that the roles remain
compatible with the versions users are likely to have installed.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-10-17 16:11:49 -03:00
Rafael Guterres Jeffman
7cef44c01d Merge pull request #1387 from t-woerner/Add_capability_sys_admin_to_fix_dbus_broker_in_systemd_258
Add capability sys admin to fix dbus broker in systemd 258
2025-09-18 09:56:15 -03:00
Thomas Woerner
cd7d19bfeb Dockerfiles c8s,c9s,fedora-latest and fedora-rawhide: Install hostname
The hostname command is needed to be able to execute fixnet.service. It
has been missing from some docker files and therefore the script failed
in the -base images. The server images have not been affected as
ipa-client has a requirement for hostname.
2025-09-18 14:54:40 +02:00
Thomas Woerner
0e748d372a infra/image/shdefaults: Add capability SYS_ADMIN for systemd 258
Fedora 43 and 44 switched to systemd 258 rc4. The dbus-broker service
of systemd 258 does not start any more without enabling the capability
SYS_ADMIN.

The capabilities AUDIT_WRITE, SETUID and SETGID should be enough, but
they are not sufficient to be able to start the service.

With final systemd 258 it should be tested if the capability can be
removed again.
2025-09-18 14:54:18 +02:00
Rafael Guterres Jeffman
e24340447d Merge pull request #1379 from t-woerner/backup_test_ansible_2_19_v2
test_backup.yml: Fix evaluation of 'list = False' and 'list = True' v2
2025-08-15 16:29:20 -03:00
Thomas Woerner
092ad81d03 test_backup.yml: Fix evaluation of 'list = False' and 'list = True' v2
ansible-core 2.19 is not automatically converting empty and non-empty lists
to bool values. Conditionals must have a boolean result.

The solution is to evaluate the length of the lists instead.
2025-08-15 12:19:21 +02:00
Rafael Guterres Jeffman
4d22e917df Merge pull request #1376 from t-woerner/backup_test_ansible_2_19
test_backup.yml: Fix evaluation of 'list = False' and 'list = True'
2025-08-13 09:54:35 -03:00
Thomas Woerner
a04a357b6a test_backup.yml: Fix evaluation of 'list = False' and 'list = True'
ansible-core 2.19 is not automatically converting empty and non-empty lists
to bool values. Conditionals must have a boolean result.

The solution is to evaluate the length of the lists instead.
2025-08-13 14:17:32 +02:00
Thomas Woerner
2081a1a8dd Merge pull request #1369 from rjeffman/prepare_ansible_2_19
Prepare playbooks for ansible core 2.19
2025-08-12 14:30:47 +02:00
Rafael Guterres Jeffman
d1dfdc38c9 tests service: Fixes evaluation of 'Keytab = True'
In ansible-core 2.19 there's no automatic coercion from None or empty
strings to the boolean value "false", so we need to compare the result
of the filter 'regex_search' to 'None' and the empty string to evaluate
if any match occurred.

In fixing this issue, it was found that the tests were incorrectly
evaluating the results, and the comparisons were fixed.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-08-12 08:25:17 -03:00
Varun Mylaraiah
9fc1b043c1 Merge pull request #1375 from t-woerner/ipaclient_client_dns_new_arg_statestore
ipaclient: client_dns has new statestore arg with IPA change e6445b8
v1.15.1
2025-07-31 18:24:22 +05:30
Thomas Woerner
bdf1efde80 ipaclient: client_dns has new statestore arg with IPA change e6445b8
The new argument was introduced with the IPA change e6445b8 to disable
the previous Unbound configuration before setting up new configuration
for DNS over TLS.

Related: https://pagure.io/freeipa/issue/9814
2025-07-31 11:12:52 +02:00
Varun Mylaraiah
513d5ee46b Merge pull request #1371 from t-woerner/dns_over_tls
ipaserver, ipareplica and ipaclient roles: Add DNS over TLS support
v1.15.0
2025-07-21 21:27:58 +05:30
Thomas Woerner
cd440a2049 ipareplica: Add support for DNS over TLS
This change adds support for DNS over TLS to the ipareplica role.

New variables

ipareplica_dot_forwarders
    List of DNS over TLS forwarders. Required if ipareplica_dns_over_tls
    is enabled. (list of strings)
    required: false
ipareplica_dns_over_tls | ipaclient_dns_over_tls
    Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later.
    (bool, default: false)
    required: false
ipareplica_dns_over_tls_cert
    Certificate to use for DNS over TLS. If empty, a new certificate will
    be requested from IPA CA. (string)
    required: false
ipareplica_dns_over_tls_key
    Key for certificate specified in ipareplica_dns_over_tls_cert. (string)
    required: false
ipareplica_dns_policy
    Encrypted DNS policy. Only usable if `ipareplica_dns_over_tls` is
    enabled. (choice: relaxed, enforced, default: relaxed)
    required: false

New distribution specific variable

ipareplica_packages_dot
    List of IPA packages needed for DNS over TLS.
2025-07-21 13:38:36 +02:00
Thomas Woerner
e2317f304c ipaserver: Add support for DNS over TLS
This change adds support for DNS over TLS to the ipaserver role.

New variables

ipaserver_dot_forwarders
    List of DNS over TLS forwarders. Required if ipaserver_dns_over_tls
    is enabled. (list of strings)
    required: false
ipaserver_dns_over_tls | ipaclient_dns_over_tls
    Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later.
    (bool, default: false)
    required: false
ipaserver_dns_over_tls_cert
    Certificate to use for DNS over TLS. If empty, a new certificate will
    be requested from IPA CA. (string)
    required: false
ipaserver_dns_over_tls_key
    Key for certificate specified in ipaserver_dns_over_tls_cert. (string)
    required: false
ipaserver_dns_policy
    Encrypted DNS policy. Only usable if `ipaserver_dns_over_tls` is
    enabled. (choice: relaxed, enforced, default: relaxed)
    required: false

New distribution specific variable

ipaserver_packages_dot
    List of IPA packages needed for DNS over TLS.
2025-07-21 13:37:50 +02:00
Thomas Woerner
7a23c668fc ipaclient: Add support for DNS over TLS
This change adds support for DNS over TLS to the ipaclient role.

New variables

ipaclient_dns_over_tls
    Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later.
    (bool, default: false)
    required: false
ipaclient_no_dnssec_validation
    Disable DNSSEC validation for DNS over TLS. This turns off DNSSEC
    validation for unbound. Only usable if `ipaserver_dns_over_tls` is
    enabled. (bool, default: false)
    required: false

New distribution specific variable

ipaclient_packages_dot
    List of IPA packages needed for DNS over TLS.

The resolver configuration for DNS over TLS is not part of this change
and will be added later on. Therefore the resolver needs to be configured
for DNS over TLS before starting the deployment with the ipaclient
role. This is essential for using an IPA DNS server with DoT and enforced
DNS policy so that only DoT is usable.
2025-07-21 11:00:50 +02:00
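As an added example that is not part of the commits above or of the ansible-freeipa repository, the playbook below combines the new ipaserver and ipaclient DNS over TLS variables. The host group names, the forwarder address and its hostname are constructed; the "IP#hostname" forwarder format is an assumption to be checked against the ipa-server-install --dot-forwarder documentation of the FreeIPA version in use; the usual ipaadmin_password, ipadm_password and domain/realm settings are expected from a vaulted inventory as in the existing role documentation.

```yaml
---
# Added example, not code from ansible-freeipa. Host groups, addresses and
# the forwarder entry are constructed; the IP#hostname format is assumed.
- name: Deploy IPA server with DNS over TLS (FreeIPA 4.12.5 or later)
  hosts: ipaserver
  become: true
  vars:
    ipaserver_setup_dns: true
    ipaserver_dns_over_tls: true
    # Forwarders that bind/unbound will reach only over TLS.
    ipaserver_dot_forwarders:
      - "203.0.113.53#dot.example.test"
    # enforced: only DoT is usable afterwards, so every client resolver
    # must already be configured for DoT before the ipaclient role runs.
    ipaserver_dns_policy: enforced
    # ipaserver_dns_over_tls_cert / ipaserver_dns_over_tls_key are left
    # empty on purpose: the IPA CA then issues the certificate. Set both
    # to use a certificate issued elsewhere.
  roles:
    - role: ipaserver
      state: present

- name: Join clients using DNS over TLS
  hosts: ipaclients
  become: true
  vars:
    ipaclient_dns_over_tls: true
    # Keep DNSSEC validation in unbound unless the DoT forwarder cannot
    # provide a validating chain; turning it off drops a check on answers.
    ipaclient_no_dnssec_validation: false
  roles:
    - role: ipaclient
      state: present
```

Run the server play first and confirm resolution through the IPA DNS server works over TLS before running the client play; with `ipaserver_dns_policy: enforced`, a client whose resolver still uses plain port 53 will not be able to resolve the server during enrollment.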
Thomas Woerner
91d818b334 Merge pull request #1329 from Nihlus/fix-stdout-caching
Cache sys.stdout instead of assuming it is equal to sys.__stdout__
2025-07-14 15:52:36 +02:00
Jarl Gullberg
902d8b7238 Cache sys.stdout instead of assuming it is equal to sys.__stdout__
When running under Mitogen, ipa_server and ipa_replica break execution
by overwriting sys.stdout with sys.__stdout__.

With Mitogen, sys.stdout != sys.__stdout__ at this point in the code, and
changing it in this manner results in access to closed file descriptors
for future invocations. Generally, it is recommended not to use
sys.__stdout__ and instead explicitly cache the current value of sys.stdout.
2025-07-04 18:39:46 +02:00
Rafael Guterres Jeffman
d553f9a0b1 Merge pull request #1360 from t-woerner/drop_misspelled_ipassd_compat_vars
ipaclient: Drop misspelled ipassd_ compat vars
2025-07-03 09:41:20 -03:00
Thomas Woerner
9cfe835b03 Merge pull request #1367 from rjeffman/rhel_79820
ipaidrange: Require usage of range id parameters
2025-07-03 14:39:49 +02:00
Rafael Guterres Jeffman
668830fc94 ansible-core 2.19: 'upper' and 'lower' make lists into strings
As ansible-core 2.19 'upper' and 'lower' filters make lists into strings
and these strings are not interpreted as lists when running the plugins,
it is needed to use 'map(<filter>)' to apply the filter to all entries
of a list.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-06-14 11:45:30 -03:00
Rafael Guterres Jeffman
5ae39ec9de ansible-core 2.19: Templates and expressions must use trusted sources
In ansible-core, templates and expressions must use trusted sources,
such as playbooks or roles, and module results are considered untrusted
sources.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-06-14 11:45:26 -03:00
Rafael Guterres Jeffman
3f59332d99 ansible-core 2.19: when clauses don't automatically convert to bool
In ansible-core 2.19, when clauses (when, failed_when, etc.) do not
convert values to bool automatically; templating with "|bool" does
not work either, so an actual value comparison is required.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-06-14 11:45:21 -03:00
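Several commits above describe the same ansible-core 2.19 change from different angles: test_backup.yml (empty and non-empty lists no longer coerce to bool), the service tests ('regex_search' results must be compared against None and the empty string), the 'upper'/'lower' filters (a list becomes a string unless 'map' is used) and the when-clause rule (an actual value comparison is required). The playbook below is an added example, not code from the ansible-freeipa repository; its variable names and sample values are constructed, and the commented-out forms show the pre-2.19 patterns that 2.19 rejects.

```yaml
---
# Added example, not code from ansible-freeipa. All variables below are
# constructed stand-ins for module results seen in the repository's tests.
- name: ansible-core 2.19 conditionals must evaluate to a boolean
  hosts: localhost
  gather_facts: false
  vars:
    backups: []                        # constructed: an empty list result
    keytab_output: "Keytab: True"      # constructed: stdout of a service lookup
    enable_feature: "yes"              # constructed: a string, not a bool
    hostnames:                         # constructed: a list to be lower-cased
      - Host1.Example.Test
      - Host2.Example.Test
  tasks:
    # Pre-2.19 pattern, no longer accepted:  when: backups
    # Evaluate the length of the list instead.
    - name: Report when no backups exist
      ansible.builtin.debug:
        msg: "No backups found"
      when: backups | length == 0

    # regex_search returns None on no match, otherwise the matched string.
    # Pre-2.19 pattern, no longer accepted:  when: out | regex_search("...")
    - name: Report that the keytab flag was found
      ansible.builtin.debug:
        msg: "Keytab present"
      when:
        - keytab_output | regex_search("Keytab: True") is not none
        - keytab_output | regex_search("Keytab: True") != ""

    # Pre-2.19 pattern, no longer sufficient:  when: "{{ enable_feature | bool }}"
    # Compare against an actual value instead.
    - name: Report that the feature is enabled
      ansible.builtin.debug:
        msg: "Feature enabled"
      when: (enable_feature | bool) == true

    # Pre-2.19 pattern, now yields a string:  "{{ hostnames | lower }}"
    # Apply the filter per entry so the result stays a list.
    - name: Lower-case every entry of a list
      ansible.builtin.set_fact:
        hostnames_lower: "{{ hostnames | map('lower') | list }}"

    - name: Fail if the lower-cased value is not a list any more
      ansible.builtin.fail:
        msg: "hostnames_lower is {{ hostnames_lower | type_debug }}, expected list"
      when: hostnames_lower | type_debug != "list"
```

The last task is the check a practitioner wants when migrating: a filter that silently turns a list into a string does not fail at templating time, it only shows up later when a module receives a single string where it expected a list, so asserting on `type_debug` right after the `set_fact` catches the regression where it happens.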
Rafael Guterres Jeffman
30c405cb36 Merge pull request #1364 from t-woerner/infra_image_service_refinement
infra/image: Make fixnet and fixipaip services active by default
2025-06-04 16:04:19 -03:00
Rafael Guterres Jeffman
7275bbf6a3 Merge pull request #1365 from t-woerner/infra_image_start_hosts_safer_removal
infra/image/shcontainer: Safer host removal from /etc/hosts
2025-06-04 15:52:02 -03:00
Rafael Guterres Jeffman
6df89ad7db ipaidrange: Require usage of range id parameters
When adding a new idrange of type 'ipa-local', the 'base_id',
'range_size', 'rid_base' and 'secondary_rid_base' are required so that
range entries are correctly set when SIDs are enabled.

Fixes: https://issues.redhat.com/browse/RHEL-79820

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-06-03 21:46:15 -03:00
Thomas Woerner
c5fa54f2cf infra/image: Make fixnet and fixipaip services active by default
The services are now active by default and do not need to be activated
after IPA has been deployed.

The fixnet service is always activated and removes all lines containing
the hostname from /etc/hosts and adds a new line with the IP and the
hostname with and without domain. If IPA is deployed with DNS (the
config file /etc/named.conf exists and there is a '^dyndb "ipa"' line
in /etc/named.conf) then /etc/resolv.conf is also changed to use the
local DNS server.

The fixipaip service is now also always activated, but only started IF
IPA has been deployed and the ipa service was started before.

infra/image/build.sh is not activating the services anymore, the services
are now activated in all dockerfiles.
2025-05-30 15:59:11 +02:00