sync_time is not using options anymore, but has two new arguments. These
are ntp_servers and ntp_pool. The options argument is not used anymore.
This requires to use inspect on sync_time to be able to detect if the old
or the new function is available.
The call for get_time_source has been added, but is documented out as the
call is only useful in interactive mode.
ipaserver_test now returns ntp_servers and ntp_pool, which are then used
for ipaserver_setup_ntp.
This adds support for the --external-ca option to ipaserver. Lots of
additional tests and checks from ServerInstallInterface.__init__ have
been added to ipaserver_test. Also duplicate tests cna checks have been
removed.
Installer settings in ansible_ipa_server module_util are now also set
to the defaults that are used in Installable, ServerInstallInterface,
ServerMasterInstall, ADTrustInstallInterface and Uninstall.
The /root/ipa.csr file generated on the node in ca.install_step_0 will
be copied to the controller as "{{ inventory_hostname }}-ipa.csr".
The new task file copy_external_cert.yml has been added to copy the
generated certificate defined in ipaserver_external_cert_files to the node
to continue with ca.install_step_1.
The tasks/install.yml file has been adapted to make sure that the steps
that will be done in step two will be skipped after step one has been
done.
The install checks have been done temporarily in _test and finally also
in _prepare. This is not needed and also not done this way in the command
line installers.
The addtion is not oly adding the config setting, but also fixing the
deployment without the setting as functions and methods have been changed
for pki_config_override.
There is a new setting for the ipaserver role:
ipaserver_pki_config_override
The use of squash_actions to invoke a package module, such as “yum”, to
only invoke the module once is deprecated, and will be removed in
Ansible 2.11.
Instead of relying on implicit squashing, tasks should instead supply
the list directly to the name, pkg or package parameter of the module.
See [1] for a reference to the upstream documentation.
The ipa-krb5 and ipa-sssd modules include *_packages variables in both
defaults/ and vars/, additionally, the list of packages in ipa-sssd differs
from one to the other.
Unify list of packages into vars/
[1]: https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.7.html#using-a-loop-on-a-package-module-via-squash-actions
This test is not properly working with EL-8 nodes as the default system
python is not located in /usr/bin. Additionally Ansible 2.8 is able to
detect the default python version on the system. As the installation
base for IPA 4.5.90 where the Python 3 bindings have not been working
properly should be really small or not existing any more the deactivation
of this test should be fine.
The freeipa-trust service has not been added if adtrust was enabled. For
ipareplica the addition of freeipa-replication has been removed as the
used port is not used anymore since some time.
Fixes: #83 (when installing with ipaserver_setup_adtrust: true the firewalld
service freeipa-trust is not added)
There have been missing settings that have not been provided to
ipaserver_setup_adtrust. These are: enable_compat, rid_base and
secondary_rid_base.
The settings rid_base and secondary_rid_base are now initialized in
ipaserver_test and propagated in the results.
The two settings netbios_name and reset_netbios_name are placed in the
adtrust binding in the adtrust.install_check call. These are now saved
when ipaserver_test finishes and are written back in the fist steps of
ipaserver_setup_adtrust to make adtrust.install working.
The settings add_sids and add_agents are now initialized in
ansible_ipa_server in the same way as in ServerMasterInstall. These
settings are fixed in the server deployment.
Meta end_play has been used as a simple solution to end the playbook
processing in special conditions, like for example when the deployment
was already done before.
meta end_play has been replaced with blocks and conditions for these
blocks.
Fixes: #70 (Avoid using meta end_play)
The ansible_fqdn hostname has been enforced to be set and used in
ipaserver, ipareplica and also ipaclient role. This has been removed as
the hostname should only be set if specified explicitly with
ipa[server,replica,client]_hostname.
The role test is executed in the ipa[server,replica,client] roles first.
These tests are usable in the Ansible test mode, but the folllowing steps
in the task list are not. Therefore the blocks following the tests are
limited to not being executed in test mode.
python_2_3_test needs to be executed also in test mode to make sure that the
follwing ipa[server,replica,client]_test modules could be executed also in
test mode.
With these settings for server, replica and client it is possible to skip
package installation. This is for example useful if the packages are already
installed. The settings default to yes
The setting ipareplica_no_package_install has been removed.
As the old way to include tasks is deprecated, replace static include
statements with import_tasks and dynamic ones with include_tasks.
Increaded the required ansible version to 2.5.0 to make sure that
include_tasks and import_tasks is working as expected.
Fixes issue #38
Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.
This is related to freeipa upstream commit:
Delay enabling services until end of installer:
https://github.com/freeipa/freeipa/commit/7284097
With IPA 4.7 bigger changes have been introduced
Changes:
- Use of timeconf and chrony instead of ntpconf and ntpd.
- New IPAChangeConf (not used in ipaserver modules)
- New check_ldap_conf form ipaclient.install.client
- custodia instance needed for ca and kra
- no_ntp defaults to yes for client installation part
- A new option ntp_pool has been introduced (set to None).
When forwarders list or the no_forwarders flag has been set, the
configuraiton does not reflect the setting. With no_forwarders
the preparation step of the DNS server could fail in ipaserver_prepare.
This is addressing the issue of pull request #25.
- Do not register a change in the playbook run when registering the
variable checking for whether or not Python 3 imports work
Signed-off-by: Kellin <kellin@retromud.org>
A new section has been added to configure firewalld automatically as the
last step of the server installation.
A new switch has been added to be able to turn firewalld configuration off:
ipaserver_no_firewalld. It defaults to no.
The client role is used also while installing the server. There has been an
issue where the server installation has not been complete because of a
playbook termination in the client.
This has been fixed and the client and also the server are fully configured
in the server installation.
forward_policy needs to be None for the DNS check for proper initialization
if the user is not providing another forward_policy value. forward_policy will
be set in the DNS check.
no_dnssec_validation is enabled in the DNS check if the forwarders do not
provide DNSSEC validation. Therefore this needs to be handed over to the dns
installation later on.
New return values for forward_policy and no_dnssec_validation have been added
to the ipaserver_test module.
These global variables are initialized in the dns module in the
dns.install_check function. The settings are needed to be able to do a
proper dns setup in the ipaserver_setup_dns ansible module.
