From f6e6921655bb0e601e6a2ceb0f0adc1f1245aaeb Mon Sep 17 00:00:00 2001
From: Aurélien Bompard
Date: Nov 09 2023 09:33:15 +0000
Subject: [PATCH 1/2] Factor the replication tasks in a block

Signed-off-by: Aurélien Bompard
---
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index e934d14..3129bec 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -94,88 +94,76 @@
   - config
   when: not ipa_initial
 
-- name: create replica file
-  delegate_to: ipa01{{ env_suffix }}.iad2.fedoraproject.org
-  command: ipa-replica-prepare
-           --password={{ipa_dm_password}}
-           {{inventory_hostname}}
-           creates=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg
-  tags:
-  - ipa/server
-  - config
-  when: not ipa_initial and ansible_distribution_major_version|int < 8 and not replication_status.stat.exists
-
-- name: retrieve replica file
-  delegate_to: ipa01{{ env_suffix }}.iad2.fedoraproject.org
-  fetch: src=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg
-         dest=/tmp/ipa_replica_{{inventory_hostname}}.gpg
-         flat=yes
-  tags:
-  - ipa/server
-  - config
-  when: not ipa_initial and ansible_distribution_major_version|int < 8 and not replication_status.stat.exists
-
-- name: deploy replica file
-  copy: src=/tmp/ipa_replica_{{inventory_hostname}}.gpg
-        dest=/root/ipa_replica_{{inventory_hostname}}.gpg
-        mode=0600 owner=root group=root
-  tags:
-  - ipa/server
-  - config
-  when: not ipa_initial and ansible_distribution_major_version|int < 8 and not replication_status.stat.exists
-
-- name: destroy replica file on ansible host
-  delegate_to: localhost
-  file: path=/tmp/ipa_replica_{{inventory_hostname}}.gpg state=absent
-  tags:
-  - ipa/server
-  - config
-  when: not ipa_initial and ansible_distribution_major_version|int < 8 and not replication_status.stat.exists
-
-- name: deploy replica
-  command: ipa-replica-install
-           --setup-ca
-           --setup-kra
-           --password={{ipa_dm_password}}
-           --admin-password={{ipa_admin_password}}
-           --mkhomedir
-           --no-ntp
-           --unattended
-           --no-ssh
-           --no-sshd
-           --setup-dns
-           --forwarder=10.3.163.33
-           --forwarder=10.3.163.34
-           --skip-conncheck
-           --log-file=/var/log/ipainstall.log
-           /root/ipa_replica_{{inventory_hostname}}.gpg
-           creates=/etc/ipa/default.conf
-  tags:
-  - ipa/server
-  - config
-  when: not ipa_initial and ansible_distribution_major_version|int < 8 and not replication_status.stat.exists
-
-- name: deploy replica
-  command: ipa-replica-install
-           --setup-ca
-           --setup-kra
-           --admin-password={{ipa_admin_password}}
-           --no-host-dns
-           --mkhomedir
-           --no-ntp
-           --unattended
-           --no-ssh
-           --no-sshd
-           --skip-conncheck
-           --force-join
-           --log-file=/var/log/ipainstall.log
-           --domain={{ipa_realm}}
-           --server=ipa01{{ env_suffix }}.iad2.fedoraproject.org
-           creates=/etc/ipa/default.conf
+- name: configure replication
+  block:
+  - name: create replica file
+    delegate_to: ipa01{{ env_suffix }}.iad2.fedoraproject.org
+    command: ipa-replica-prepare
+             --password={{ipa_dm_password}}
+             {{inventory_hostname}}
+             creates=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg
+    when: ansible_distribution_major_version|int < 8
+
+  - name: retrieve replica file
+    delegate_to: ipa01{{ env_suffix }}.iad2.fedoraproject.org
+    fetch: src=/var/lib/ipa/replica-info-{{inventory_hostname}}.gpg
+           dest=/tmp/ipa_replica_{{inventory_hostname}}.gpg
+           flat=yes
+    when: ansible_distribution_major_version|int < 8
+
+  - name: deploy replica file
+    copy: src=/tmp/ipa_replica_{{inventory_hostname}}.gpg
+          dest=/root/ipa_replica_{{inventory_hostname}}.gpg
+          mode=0600 owner=root group=root
+    when: ansible_distribution_major_version|int < 8
+
+  - name: destroy replica file on ansible host
+    delegate_to: localhost
+    file: path=/tmp/ipa_replica_{{inventory_hostname}}.gpg state=absent
+    when: ansible_distribution_major_version|int < 8
+
+  - name: deploy replica
+    command: ipa-replica-install
+             --setup-ca
+             --setup-kra
+             --password={{ipa_dm_password}}
+             --admin-password={{ipa_admin_password}}
+             --mkhomedir
+             --no-ntp
+             --unattended
+             --no-ssh
+             --no-sshd
+             --setup-dns
+             --forwarder=10.3.163.33
+             --forwarder=10.3.163.34
+             --skip-conncheck
+             --log-file=/var/log/ipainstall.log
+             /root/ipa_replica_{{inventory_hostname}}.gpg
+             creates=/etc/ipa/default.conf
+    when: ansible_distribution_major_version|int < 8
+
+  - name: deploy replica
+    command: ipa-replica-install
+             --setup-ca
+             --setup-kra
+             --admin-password={{ipa_admin_password}}
+             --no-host-dns
+             --mkhomedir
+             --no-ntp
+             --unattended
+             --no-ssh
+             --no-sshd
+             --skip-conncheck
+             --force-join
+             --log-file=/var/log/ipainstall.log
+             --domain={{ipa_realm}}
+             --server=ipa01{{ env_suffix }}.iad2.fedoraproject.org
+             creates=/etc/ipa/default.conf
+    when: ansible_distribution_major_version|int >= 8
+  when: not ipa_initial and not replication_status.stat.exists
   tags:
   - ipa/server
   - config
-  when: not ipa_initial and ansible_distribution_major_version|int >= 8 and not replication_status.stat.exists
 
 - name: Disable rewrites
   copy: src=ipa-rewrite.conf dest=/etc/httpd/conf.d/ipa-rewrite.conf

From 94478cc88bdd5062e5651069ae8b3ab604f1af84 Mon Sep 17 00:00:00 2001
From: Aurélien Bompard
Date: Nov 09 2023 09:33:15 +0000
Subject: [PATCH 2/2] Install IPA replicas with a larger `nsslapd-maxsasliosize`

Related to https://pagure.io/fedora-infrastructure/issue/10358

Signed-off-by: Aurélien Bompard
---
diff --git a/roles/ipa/server/files/replica-install.ldif b/roles/ipa/server/files/replica-install.ldif
new file mode 100644
index 0000000..27dc8ad
--- /dev/null
+++ b/roles/ipa/server/files/replica-install.ldif
@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-maxsasliosize
+nsslapd-maxsasliosize: 3145728
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index 3129bec..bd8385a 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -86,6 +86,30 @@
   - config
   when: ipa_initial
 
+- name: Create LDIF directory
+  file:
+    path: /root/ldif
+    state: directory
+    owner: root
+    group: root
+    mode: 0750
+  tags:
+  - ipa/server
+  - config
+
+- name: Copy LDIF files
+  copy:
+    src: "{{item}}"
+    dest: /root/ldif/{{item}}
+  with_items:
+  - grant_anonymous_replication_view.ldif
+  - grant_fas_sync.ldif
+  - use_id_fp_o.ldif
+  - replica-install.ldif
+  tags:
+  - ipa/server
+  - config
+
 - name: determine whether we need to set up replication
   stat: path=/etc/ipa/default.conf
   register: replication_status
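Review bot: `--password={{ipa_dm_password}}` and `--admin-password={{ipa_admin_password}}` are still handed to `ipa-replica-prepare` and `ipa-replica-install` as command-line arguments inside the new block, so both secrets land in the task's recorded `cmd` and in any verbose or logged play output; now that the tasks share one block, `no_log: true` beside the block's `when:` suppresses that in one place (it also hides the install's failure output, which is why keeping `--log-file=/var/log/ipainstall.log` matters). The `destroy replica file on ansible host` step is an ordinary member of the block, so a failure in `deploy replica file` or in the install leaves `/tmp/ipa_replica_{{inventory_hostname}}.gpg` behind on the controller; moving that task to an `always:` section of the same block makes the cleanup unconditional. The two tasks both named `deploy replica` print identical lines in the play output; a suffix such as `deploy replica (EL < 8)` / `deploy replica (EL >= 8)` tells the runs apart.
```yaml
- name: configure replication
  block:
  # … unchanged: create / retrieve / deploy replica file and both deploy replica tasks …
  always:
  - name: destroy replica file on ansible host
    delegate_to: localhost
    file: path=/tmp/ipa_replica_{{inventory_hostname}}.gpg state=absent
    when: ansible_distribution_major_version|int < 8
  no_log: true
  when: not ipa_initial and not replication_status.stat.exists
  # … unchanged: tags …
```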
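Review bot: The new `replica-install.ldif` replaces `nsslapd-maxsasliosize` on `cn=config` with `3145728` without recording why; as far as I understand it that attribute caps the size of a single SASL-wrapped LDAP packet the server will accept, i.e. it bounds what a client can make the server buffer, so a later reader cannot tell whether the raise is still needed or safe to revert. LDIF accepts `#` comment lines, so a header such as `# Raise the SASL I/O packet cap above the 389-ds default so large replies still pass; see https://pagure.io/fedora-infrastructure/issue/10358` at the top of the file keeps the rationale next to the value.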
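Review bot: `mode: 0750` in the new `Create LDIF directory` task is an unquoted octal literal: PyYAML reads it as the integer 488 and Ansible accepts that only because of the leading zero, so a dropped zero or a reformatter silently turns it into a different mode (the old `mode=0750` k=v form was a string). Quote it as `mode: "0750"`, which is what ansible-lint's octal-value rule asks for and what the role's existing `mode=0600 owner=root group=root` string already means. The `Copy LDIF files` task sets no `mode` or `owner`, so the copied LDIFs take the remote umask; that is acceptable only because the parent directory is root-owned 0750, which is worth stating in a comment on the task.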
@@ -138,6 +162,7 @@
              --forwarder=10.3.163.34
              --skip-conncheck
              --log-file=/var/log/ipainstall.log
+             --dirsrv-config-file=/root/ldif/replica-install.ldif
              /root/ipa_replica_{{inventory_hostname}}.gpg
              creates=/etc/ipa/default.conf
     when: ansible_distribution_major_version|int < 8
@@ -158,6 +183,7 @@
              --log-file=/var/log/ipainstall.log
              --domain={{ipa_realm}}
              --server=ipa01{{ env_suffix }}.iad2.fedoraproject.org
+             --dirsrv-config-file=/root/ldif/replica-install.ldif
              creates=/etc/ipa/default.conf
     when: ansible_distribution_major_version|int >= 8
   when: not ipa_initial and not replication_status.stat.exists
@@ -608,22 +634,6 @@
   - config
 
-- name: Create LDIF directory
-  file: path=/root/ldif state=directory owner=root group=root mode=0750
-  tags:
-  - ipa/server
-  - config
-
-- name: Copy LDIF files
-  copy: src={{item}} dest=/root/ldif/{{item}}
-  with_items:
-  - grant_anonymous_replication_view.ldif
-  - grant_fas_sync.ldif
-  - use_id_fp_o.ldif
-  tags:
-  - ipa/server
-  - config
-
 # This is a special one, in that it needs to apply on each master since it's non-replicated.
 - name: Grant access to replication status
   command: ldapmodify -Y EXTERNAL -H {{ ipa_ldap_socket }}
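Review bot: `--dirsrv-config-file=/root/ldif/replica-install.ldif` only takes effect when `ipa-replica-install` actually runs, and that task is skipped by `creates=/etc/ipa/default.conf` and by the block's `not replication_status.stat.exists`, so replicas that already exist never receive the larger `nsslapd-maxsasliosize`; the EL >= 8 task in the `@@ -158,6 +183,7 @@` hunk has the same gap. The role's own comment on the ldapmodify task further down says `cn=config`-style settings are non-replicated and must be applied on each master, so the existing servers need either a task that runs on every master, e.g. `command: ldapmodify -Y EXTERNAL -H {{ ipa_ldap_socket }} -f /root/ldif/replica-install.ldif`, or a sentence in the commit message saying they were changed by hand. The enclosing `configure replication` block starts before this hunk.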