#1609 Fix IPA replica installation
Merged a year ago by zlopez. Opened a year ago by abompard.
fedora-infra/ abompard/ansible ipa-replica  into  main

@@ -0,0 +1,4 @@ 

+ dn: cn=config

+ changetype: modify

+ replace: nsslapd-maxsasliosize

+ nsslapd-maxsasliosize: 3145728
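Review bot: The new LDIF sets `nsslapd-maxsasliosize: 3145728` with no comment recording why this value was chosen, so a reader of the file has to find the PR to learn that it exists to let replica installation accept larger SASL packets. LDIF accepts `#` comment lines, and the 389-ds default for this attribute is 2097152 (2 MiB), so a one-line note would make the 1.5x increase self-explaining; I would add `# Allow larger SASL packets during IPA replica installation; see fedora-infrastructure issue 10358` above `dn: cn=config`. If the value was tuned to a specific observed packet size rather than picked as a round number, that size is worth recording in the same comment.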

file modified
+89 -91
@@ -86,96 +86,110 @@ 

    - config

    when: ipa_initial

  

- - name: determine whether we need to set up replication

-   stat: path=/etc/ipa/default.conf

-   register: replication_status

-   tags:

-   - ipa/server

-   - config

-   when: not ipa_initial

- 

- - name: create replica file

-   delegate_to: ipa01{{ env_suffix }}.iad2.fedoraproject.org

-   command: ipa-replica-prepare

-            --password={{ipa_dm_password}}

-            {{inventory_hostname}}

-            creates=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg

-   tags:

-   - ipa/server

-   - config

-   when: not ipa_initial and ansible_distribution_major_version|int < 8 and not replication_status.stat.exists

- 

- - name: retrieve replica file

-   delegate_to: ipa01{{ env_suffix }}.iad2.fedoraproject.org

-   fetch: src=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg

-          dest=/tmp/ipa_replica_{{inventory_hostname}}.gpg

-          flat=yes

-   tags:

-   - ipa/server

-   - config

-   when: not ipa_initial and ansible_distribution_major_version|int < 8 and not replication_status.stat.exists

- 

- - name: deploy replica file

-   copy: src=/tmp/ipa_replica_{{inventory_hostname}}.gpg

-         dest=/root/ipa_replica_{{inventory_hostname}}.gpg

-         mode=0600 owner=root group=root

+ - name: Create LDIF directory

+   file:

+     path: /root/ldif

+     state: directory

+     owner: root

+     group: root

+     mode: 0750

    tags:

    - ipa/server

    - config

-   when: not ipa_initial and ansible_distribution_major_version|int < 8 and not replication_status.stat.exists

  

- - name: destroy replica file on ansible host

-   delegate_to: localhost

-   file: path=/tmp/ipa_replica_{{inventory_hostname}}.gpg state=absent

+ - name: Copy LDIF files

+   copy:

+     src: "{{item}}"

+     dest: /root/ldif/{{item}}

+   with_items:

+   - grant_anonymous_replication_view.ldif

+   - grant_fas_sync.ldif

+   - use_id_fp_o.ldif

+   - replica-install.ldif

    tags:

    - ipa/server

    - config

-   when: not ipa_initial and ansible_distribution_major_version|int < 8 and not replication_status.stat.exists

  

- - name: deploy replica

-   command: ipa-replica-install

-            --setup-ca

-            --setup-kra

-            --password={{ipa_dm_password}}

-            --admin-password={{ipa_admin_password}}

-            --mkhomedir

-            --no-ntp

-            --unattended

-            --no-ssh

-            --no-sshd

-            --setup-dns

-            --forwarder=10.3.163.33

-            --forwarder=10.3.163.34

-            --skip-conncheck

-            --log-file=/var/log/ipainstall.log

-            /root/ipa_replica_{{inventory_hostname}}.gpg

-            creates=/etc/ipa/default.conf

+ - name: determine whether we need to set up replication

+   stat: path=/etc/ipa/default.conf
zlopez commented a year ago

I'm actually not sure if this will work as this file is already created in ipa-client-install, which is called before this. I mentioned this in https://pagure.io/fedora-infrastructure/issue/10358#comment-875614, but I'm not sure how to exactly fix it.

+   register: replication_status

    tags:

    - ipa/server

    - config

-   when: not ipa_initial and ansible_distribution_major_version|int < 8 and not replication_status.stat.exists

+   when: not ipa_initial

  

- - name: deploy replica

-   command: ipa-replica-install

-            --setup-ca

-            --setup-kra

-            --admin-password={{ipa_admin_password}}

-            --no-host-dns

-            --mkhomedir

-            --no-ntp

-            --unattended

-            --no-ssh

-            --no-sshd

-            --skip-conncheck

-            --force-join

-            --log-file=/var/log/ipainstall.log

-            --domain={{ipa_realm}}

-            --server=ipa01{{ env_suffix }}.iad2.fedoraproject.org

-            creates=/etc/ipa/default.conf

+ - name: configure replication

+   block:

+   - name: create replica file

+     delegate_to: ipa01{{ env_suffix }}.iad2.fedoraproject.org

+     command: ipa-replica-prepare

+              --password={{ipa_dm_password}}

+              {{inventory_hostname}}

+              creates=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg

+     when: ansible_distribution_major_version|int < 8

+ 

+   - name: retrieve replica file

+     delegate_to: ipa01{{ env_suffix }}.iad2.fedoraproject.org

+     fetch: src=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg

+            dest=/tmp/ipa_replica_{{inventory_hostname}}.gpg

+            flat=yes

+     when: ansible_distribution_major_version|int < 8

+ 

+   - name: deploy replica file

+     copy: src=/tmp/ipa_replica_{{inventory_hostname}}.gpg

+           dest=/root/ipa_replica_{{inventory_hostname}}.gpg

+           mode=0600 owner=root group=root

+     when: ansible_distribution_major_version|int < 8

+ 

+   - name: destroy replica file on ansible host

+     delegate_to: localhost

+     file: path=/tmp/ipa_replica_{{inventory_hostname}}.gpg state=absent

+     when: ansible_distribution_major_version|int < 8

+ 

+   - name: deploy replica

+     command: ipa-replica-install

+              --setup-ca

+              --setup-kra

+              --password={{ipa_dm_password}}

+              --admin-password={{ipa_admin_password}}

+              --mkhomedir

+              --no-ntp

+              --unattended

+              --no-ssh

+              --no-sshd

+              --setup-dns

+              --forwarder=10.3.163.33

+              --forwarder=10.3.163.34

+              --skip-conncheck

+              --log-file=/var/log/ipainstall.log

+              --dirsrv-config-file=/root/ldif/replica-install.ldif

+              /root/ipa_replica_{{inventory_hostname}}.gpg

+              creates=/etc/ipa/default.conf

+     when: ansible_distribution_major_version|int < 8

+ 

+   - name: deploy replica

+     command: ipa-replica-install

+              --setup-ca

+              --setup-kra

+              --admin-password={{ipa_admin_password}}

+              --no-host-dns

+              --mkhomedir

+              --no-ntp

+              --unattended

+              --no-ssh

+              --no-sshd

+              --skip-conncheck

+              --force-join

+              --log-file=/var/log/ipainstall.log

+              --domain={{ipa_realm}}

+              --server=ipa01{{ env_suffix }}.iad2.fedoraproject.org

+              --dirsrv-config-file=/root/ldif/replica-install.ldif

+              creates=/etc/ipa/default.conf

+     when: ansible_distribution_major_version|int >= 8

+   when: not ipa_initial and not replication_status.stat.exists

    tags:

    - ipa/server

    - config

-   when: not ipa_initial and ansible_distribution_major_version|int >= 8 and not replication_status.stat.exists

  

  - name: Disable rewrites

    copy: src=ipa-rewrite.conf dest=/etc/httpd/conf.d/ipa-rewrite.conf
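Review bot: The three tasks in the new `configure replication` block that interpolate `{{ipa_dm_password}}` and `{{ipa_admin_password}}` into a `command:` line (create replica file, and both deploy replica tasks) carry no `no_log: true`, so the Directory Manager and admin passwords are echoed into the Ansible task output and any callback logs whenever the block runs; the commit moves these tasks into the block but does not address this. Adding `no_log: true` next to the `when:` of each of those three tasks keeps the rest of the block's output visible for debugging, although it does not hide the arguments from the process list on the target host while the command runs. A smaller point: `mode: 0750` on the Create LDIF directory task is now a bare YAML leading-zero integer where the old `file: path=... mode=0750` form passed a string; Ansible accepts the leading-zero form, but `mode: "0750"` is what ansible-lint expects and removes the implicit-typing ambiguity.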
@@ -620,22 +634,6 @@ 

    - config

  

  

- - name: Create LDIF directory

-   file: path=/root/ldif state=directory owner=root group=root mode=0750

-   tags:

-   - ipa/server

-   - config

- 

- - name: Copy LDIF files

-   copy: src={{item}} dest=/root/ldif/{{item}}

-   with_items:

-   - grant_anonymous_replication_view.ldif

-   - grant_fas_sync.ldif

-   - use_id_fp_o.ldif

-   tags:

-   - ipa/server

-   - config

- 

  # This is a special one, in that it needs to apply on each master since it's non-replicated.

  - name: Grant access to replication status

    command: ldapmodify -Y EXTERNAL -H {{ ipa_ldap_socket }}

Install IPA replicas with a configuration value set to allow for larger sasl packets.

Related to https://pagure.io/fedora-infrastructure/issue/10358

I think we should wait for the freeze to be over before merging, as there is no distinction between staging and prod.

See the two commits separately for clarity, the first one only refactors some of the tasks into a block without functional change.

+1
Hopefully this will allow us to update the IPA to RHEL9

I'm actually not sure if this will work as this file is already created in ipa-client-install, which is called before this. I mentioned this in https://pagure.io/fedora-infrastructure/issue/10358#comment-875614, but I'm not sure how to exactly fix it.

I'm actually not sure if this will work as this file is already created in ipa-client-install, which is called before this. I mentioned this in https://pagure.io/fedora-infrastructure/issue/10358#comment-875614, but I'm not sure how to exactly fix it.

Actually, ipa-client-install is only run when ipa_initial is True, and the replication step is only run when ipa_initial is False, so it should not conflict.

I don't think you are right, this is called before the ipa/server role and I don't see any condition for ipa_initial https://pagure.io/fedora-infra/ansible/blob/main/f/roles/ipa/client/tasks/main.yml#_17

Indeed! That's a bit weird, why would we want to run the ipa/client role on the ipa servers? Should we delete that role from playbooks/groups/ipa.yml?

Well, the servers are also clients right? We want to manage access to them via ipa and sudo and all the things we normally do on a client?

Unless somehow the server enrollment also enrolls them as a client? I thought they had to be a client before it could set up a server on them? (but it's been a while since I looked at this)

I think that running ipa-replica-install will enroll the host, at least it looks like it from the log output in /var/log/ipainstall.log:

2023-10-24T16:15:42Z DEBUG ipa-replica-install was invoked with arguments [] and options: {...}
[...]
2023-10-24T16:15:42Z DEBUG Configuring client side components
2023-10-24T16:15:42Z DEBUG Starting external process
2023-10-24T16:15:42Z DEBUG args=['/usr/sbin/ipa-client-install', '--unattended', '--domain', 'STG.FEDORAPROJECT.ORG', '--server', 'ipa01.stg.iad2.fedoraproject.org', '--principal', 'admin', '--no-ssh', '--no-sshd', '--mkhomedir', '--force-join', '--no-ntp']
2023-10-24T16:15:51Z DEBUG Process finished, return code=0

Running the ipa-client-install first will actually raise an error on ipa-replica-install, as it says that you need to run uninstall first to be able to install a replica. At least this is how it behaves on RHEL 9.

rebased onto dacdacf8bb8b8455b17428149ad7fd5152fa3e24

a year ago

ok then. Is this ready to merge and try again to make a ipa03 in stg?

rebased onto dacdacf8bb8b8455b17428149ad7fd5152fa3e24

a year ago

I think we can merge this and continue from this one.

rebased onto f6e6921

a year ago

rebased onto f6e6921

a year ago

Pull-Request has been merged by zlopez

a year ago