This change addresses https://github.com/freeipa/ansible-freeipa/issues/1356#issuecomment-2891804763 by explicitly setting `options.dns_over_tls = False` to ensure the attribute is always defined when running ipaclient ansible role.
On RHEL 9 systems (or any environment where `ipasssd_enable_dns_updates: true`), the `ipaclient` python module references `dns_over_tls` without first checking its existence, which results in the following `AttributeError: 'installer_obj' object has no attribute 'dns_over_tls'`:
TASK \[freeipa.ansible\_freeipa.ipaclient : Install - Configure SSSD] \*\*\*\*\*\*\*\*\*\*\*\*
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError:
'installer\_obj' object has no attribute 'dns\_over\_tls'
fatal: \[vm-test-rhel9]: FAILED! => {"changed": false, "module\_stderr": "Traceback (most recent call last):\n File "
<stdin>", line 107, in <module>\n File "<stdin>", line 99, in \_ansiballz\_main\n File "<stdin>", line 47, in invoke\_module\n
File "/usr/lib64/python3.9/runpy.py", line 225, in run\_module\n return \_run\_module\_code(code, init\_globals,
run\_name, mod\_spec)\n File "/usr/lib64/python3.9/runpy.py", line 97, in \_run\_module\_code\n \_run\_code(code,
mod\_globals, init\_globals,\n File "/usr/lib64/python3.9/runpy.py", line 87, in \_run\_code\n exec(code, run\_globals)\n
File "/tmp/ansible\_freeipa.ansible\_freeipa.ipaclient\_setup\_sssd\_payload\_zkyct7sn/ansible\_freeipa.ansible\_freeipa.ipacli. ent\_setup\_sssd\_payload.zip/ansible\_collections/freeipa/ansible\_freeipa/plugins/modules/ipaclient\_setup\_sssd.py",
line 190, in <module>\n File "/tmp/ansible\_freeipa.ansible\_freeipa.ipaclient\_setup\_sssd\_payload\_zkyct7sn/ansible\_freeipa.ansible\_freeipa.ipacli. ent\_setup\_sssd\_payload.zip/ansible\_collections/freeipa/ansible\_freeipa/plugins/modules/ipaclient\_setup\_sssd.py",
line 181, in main\n File "/usr/lib/python3.9/site-packages/ipaclient/install/client.py", line 1005, in configure\_sssd\_conf\n
if options.dns\_over\_tls:\nAttributeError: 'installer\_obj' object has no attribute 'dns\_over\_tls'\n", "module\_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
To prevent this, the attribute `options.dns_over_tls` is now initialised to false in `roles/ipaclient/library/ipaclient_setup_sssd.py`.This fix is inspired by a similar pattern in [[PR #1340](https://github.com/freeipa/ansible-freeipa/pull/1340/files)](https://github.com/freeipa/ansible-freeipa/pull/1340/files).
This failure has been observed in versions `1.14.6` and `1.14.5` of the [ansible_freeipa collection](https://galaxy.ansible.com/ui/repo/published/freeipa/ansible_freeipa/) from Ansible Galaxy.
Signed-off-by: Jose Angel Morena <jmorenas@redhat.com>
readarray expects to get an item per line to be added to the array.
Printing one item per line with printf fixes this to get the proper
formatting for "${CAP_DEFAULTS[@]}" as a valid input for readarray.
Debugging is now enabled by default in the containers that are
generated with container_create. "+SYS_PTRACE" has been added to
CAP_DEFAULTS in shdefaults for this.
SSSD 2.10+ runs under non-privileged user 'sssd' and relies on system
capabilities to get access to certain resources like /etc/krb5.keytab.
Not having these capabilities result in SSSD not starting.
Podman has reduced the capabilities granted to containers, and to be
able to start SSSD it is needed to add DAC_READ_SEARCH back.
This patch adds file infra/images/shdefaults to store the defaults used
by ansible-freeipa shell utilities in a contral location.
See: https://github.com/containers/podman/discussions/24904#discussioncomment-11718823
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This change adds support for volumes to container_create. Now it can be
used like in this example:
container_create "${name}" "${local_image}" "hostname=${hostname}" \
"${capabilities:+capabilities=$capabilities}" \
volume=$PWD:/root/src
The new function container_tee has been added to enable creation of
fiiles with content from stdin like in this example:
cat <<EOF | container_tee "${name}" "/root/.gdbinit"
set debuginfod enabled on
set follow-fork-mode child
EOF
Python's module "pkg_resources" API has been deprecated in Python 3.12
and will be removed in a future release, and recent FreeIPA versions
provide a replacement for pkg_resources.parse_version.
To remove ansible-freeipa dependency on pkg_resources and not add a
dependency on the 'packaging' module, which is not available in the
standard Python distribution, we'll try to import the funcion used in
FreeIPA to parse versions, and fallback to pkg_resources when it fails.
As an equivalent class is needed, a fallback function is not provided
and execution will fail if neither the FreeIPA nor the pkg_resources
parse_version function are available.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The shadow file in a Fedora or CentOS Stream container is not readable
any more using Ubuntu 24.04.
An extra call to ensure that the shadow file is readable again has been
added to container_start.
This patch fixes an issue reported by flake8 7.2.0 and enables a pylint
test that was disable, both related to the use of 'global'.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Upstream flake8 lint test is executed with the latest available version
in pip, but the requirements-dev.txt had a pinned version, making flake8
error to be found too late.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
FreeIPA fix for https://pagure.io/freeipa/issue/9652 now produces five
elements tuple when iterating over CA certificate list, the last element
being the serial number. We do not need it, so extract only the first
four elements (certificate, nickname, trusted, EKU).
The regression was introduced by FreeIPA commit
f91b677ada376034b25d50e78475237c5976770e.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
This is a hotfix to allow deployments of clients, replicas and servers
with the dns_over_tls PR for freeipa: https://github.com/freeipa/freeipa/pull/7343/
ipaclient: client.update_ssh_keys has changed parameters,
options.dns_over_tls needs to be set for ipaclient_setup_nss.
ipareplica, ipaserver: Set new parameters globally in module_utils so
far: options.dns_over_tls, options.dns_over_tls_key, options.dns_over_tls_cert,
options.dot_forwarders and options.dns_policy.
The enablement for DNS over TLS for the deployment roles will be done later on.
2025-02-07 18:16:10 +01:00
13 changed files with 85 additions and 14 deletions
while ! podman exec"${scenario}" ps -x | grep -q "systemd-journald"
do
if[$count -ge $max];then
die "Timeout: systemd-journald is not starting up"
fi
count=$((count+1))
log none "Waiting ${wait} seconds .."
sleep ${wait}
done
# wait for FreeIPA services to be available (usually ~45 seconds)
log info "Wait for container to be initialized."
wait=15
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
