#6408 [RFE] Facts for Ansible integration
Closed: duplicate 10 months ago by cheimes. Opened 2 years ago by cheimes.

User story:

As an application which deploys, configures and introspects FreeIPA, I would like to get facts about a local machine from FreeIPA without requiring credentials or connecting to a remote FreeIPA server. Fact gathering must be efficient and must not depend on remote resources (with the exception of DNS), as they might not be available.

The fact should include information such as

  • client enrollment
  • if server/CA/KRA/DNS components are installed
  • realm, domain, hostname(s) of API servers (from config or DNS query)
  • version information

If you need just api.env, you can create an Env object manually, like in install/share/wsgi.py:

from ipalib.config import Env
from ipalib.constants import DEFAULT_CONFIG

env = Env()
# set context, confdir and the config file locations
env._bootstrap()
# load the config files and fill in the remaining defaults from DEFAULT_CONFIG
env._finalize_core(**dict(DEFAULT_CONFIG))

You are calling internal and private APIs. That's not the right way to go. There should be a public, official and documented way for it.

ping

Please suggest a viable option to handle the issue.

ping, the issue is blocking me.

Replying to [comment:2 cheimes]:

You are calling internal and private APIs. That's not the right way to go. There should be a public, official and documented way for it.

We don't really have any public, well-documented and stable API. Not even api.bootstrap() fits this criterion. If you want something close to a public API, I'm afraid you will have to provide one yourself. You can start by adding .bootstrap() and .finalize() methods to Env.

We need to have an API or make the fetch operation lazy on-demand.

I got some requests for my ipa_facts Ansible module. Can we have a backport of the fix to 4.4, too?

I hate to bother you again. What is the status of a fix?

https://github.com/tiran/pki-vagans/blob/master/ansible/library/ipa_facts.py works with FreeIPA 4.4.2 when I just call api.bootstrap and omit api.finalize(). After all I just extract information from ipalib.api.env, ipaplatform.path.path and ipapython.version. The Ansible module doesn't call any plugins.

However, this mode of operation (bootstrap without finalize) is not documented in ipalib/__init__.py and is therefore not (yet) officially supported. For Ansible integration we need to define and commit to an official and stable API that works since FreeIPA 4.2 (at least) and that has to be available long term. I guess https://github.com/freeipa/freeipa/blob/c2934aaa7eacb8390209a38029145b1c240d864c/ipalib/plugable.py#L716 has to be moved to bootstrap().

The API must also support delayed finalization, e.g.

if not api.isdone('finalize'):
    api.finalize()

Please define and document the necessary API as soon as possible.

There is no officially supported API for reading IPA config variables in FreeIPA.

We can make one, though, but FreeIPA 4.2 obviously won't have it, so the facts module needs to accommodate both.

What information do you need from ipalib.api.env, ipaplatform.path.path and ipapython.version, and for what purpose? They are all internal APIs, so they can change and break the Ansible facts module. It might actually be better to e.g. define something like a facts module directly in IPA with a supported interface.

The code of https://github.com/tiran/pki-vagans/blob/master/ansible/library/ipa_facts.py is straightforward and should be self-explanatory. The module extracts useful information from an installation. Other tasks and roles can then use the information, e.g. run ipa-client-install when not ipa.configured.client.

  • All attributes of ipalib.api.env. New or removed attributes are fine as long as the API generally stays the same.
  • All paths of ipaplatform.path.path. New or removed attributes are fine as long as the API generally stays the same.
  • Some version information from ipapython.version plus a comparable version list.
  • Are client side (ipalib) and server side (ipaserver) Python packages available?
  • Is the host enrolled as client, server, CA, DNS or KRA?
  • In case ipalib is not available: default realm and basedn for a given domain name

    ~/dev/redhat/ansible/hacking/test-module -m ../ansible/library/ipa_facts.py -a '{"domain": "ipa.example.org"}'

    {
        "ansible_facts": {
        "ipa": {
            "api_env": {
                "api_version": "2.164", 
                "basedn": "dc=ipa,dc=example,dc=org", 
                "bin": "/home/heimes/debug_dir", 
                "ca_agent_install_port": null, 
                "ca_agent_port": 443, 
                "ca_ee_install_port": null, 
                "ca_ee_port": 443, 
                "ca_host": "client.ipa.example.org", 
                "ca_install_port": null, 
                "ca_port": 80, 
                "conf": "/etc/ipa/cli.conf", 
                "conf_default": "/etc/ipa/default.conf", 
                "confdir": "/etc/ipa", 
                "config_loaded": true, 
                "container_accounts": "cn=accounts", 
                "container_adtrusts": "cn=ad,cn=trusts", 
                "container_applications": "cn=applications,cn=configs,cn=policies", 
                "container_automember": "cn=automember,cn=etc", 
                "container_automount": "cn=automount", 
                "container_caacl": "cn=caacls,cn=ca", 
                "container_certprofile": "cn=certprofiles,cn=ca", 
                "container_cifsdomains": "cn=ad,cn=etc", 
                "container_configs": "cn=configs,cn=policies", 
                "container_deleteuser": "cn=deleted users,cn=accounts,cn=provisioning", 
                "container_dna": "cn=dna,cn=ipa,cn=etc", 
                "container_dna_posix_ids": "cn=posix-ids,cn=dna,cn=ipa,cn=etc", 
                "container_dns": "cn=dns", 
                "container_group": "cn=groups,cn=accounts", 
                "container_hbac": "cn=hbac", 
                "container_hbacservice": "cn=hbacservices,cn=hbac", 
                "container_hbacservicegroup": "cn=hbacservicegroups,cn=hbac", 
                "container_host": "cn=computers,cn=accounts", 
                "container_hostgroup": "cn=hostgroups,cn=accounts", 
                "container_masters": "cn=masters,cn=ipa,cn=etc", 
                "container_netgroup": "cn=ng,cn=alt", 
                "container_otp": "cn=otp", 
                "container_permission": "cn=permissions,cn=pbac", 
                "container_policies": "cn=policies", 
                "container_policygroups": "cn=policygroups,cn=configs,cn=policies", 
                "container_policylinks": "cn=policylinks,cn=configs,cn=policies", 
                "container_privilege": "cn=privileges,cn=pbac", 
                "container_radiusproxy": "cn=radiusproxy", 
                "container_ranges": "cn=ranges,cn=etc", 
                "container_realm_domains": "cn=Realm Domains,cn=ipa,cn=etc", 
                "container_rolegroup": "cn=roles,cn=accounts", 
                "container_roles": "cn=roles,cn=policies", 
                "container_s4u2proxy": "cn=s4u2proxy,cn=etc", 
                "container_selinux": "cn=usermap,cn=selinux", 
                "container_service": "cn=services,cn=accounts", 
                "container_stageuser": "cn=staged users,cn=accounts,cn=provisioning", 
                "container_sudocmd": "cn=sudocmds,cn=sudo", 
                "container_sudocmdgroup": "cn=sudocmdgroups,cn=sudo", 
                "container_sudorule": "cn=sudorules,cn=sudo", 
                "container_topology": "cn=topology,cn=ipa,cn=etc", 
                "container_trusts": "cn=trusts", 
                "container_user": "cn=users,cn=accounts", 
                "container_vault": "cn=vaults,cn=kra", 
                "container_views": "cn=views,cn=accounts", 
                "container_virtual": "cn=virtual operations,cn=etc", 
                "context": "cli", 
                "debug": false, 
                "delegate": false, 
                "dogtag_version": 9, 
                "domain": "ipa.example.org", 
                "dot_ipa": "/home/heimes/.ipa", 
                "enable_ra": true, 
                "fallback": true, 
                "home": "/home/heimes", 
                "host": "client.ipa.example.org", 
                "in_server": false, 
                "in_tree": false, 
                "interactive": true, 
                "ipalib": "/usr/lib/python2.7/site-packages/ipalib", 
                "jsonrpc_uri": "https://server.ipa.example.org/ipa/json", 
                "ldap_uri": "ldap://localhost:389", 
                "log": "/home/heimes/.ipa/log/cli.log", 
                "logdir": "/home/heimes/.ipa/log", 
                "mode": "production", 
                "mount_ipa": "/ipa/", 
                "plugins_on_demand": true, 
                "prompt_all": false, 
                "ra_plugin": "selfsign", 
                "realm": "IPA.EXAMPLE.ORG", 
                "recommended_max_agmts": 4, 
                "rpc_protocol": "jsonrpc", 
                "script": "/home/heimes/debug_dir/ansible_module_ipa_facts.py", 
                "server": "server.ipa.example.org", 
                "session_auth_duration": "20 minutes", 
                "session_duration_type": "inactivity_timeout", 
                "site_packages": "/usr/lib/python2.7/site-packages", 
                "skip_version_check": false, 
                "startup_timeout": 300, 
                "startup_traceback": false, 
                "tls_version_max": "tls1.2", 
                "tls_version_min": "tls1.0", 
                "validate_api": false, 
                "verbose": 0, 
                "version": "4.3.2", 
                "wait_for_dns": 0, 
                "webui_prod": true, 
                "xmlrpc_uri": "https://server.ipa.example.org/ipa/xml"
            }, 
            "basedn": "dc=ipa,dc=example,dc=org", 
            "configured": {
                "ca": false, 
                "client": true, 
                "dns": false, 
                "kra": false, 
                "server": false
            }, 
            "domain": "ipa.example.org", 
            "packages": {
                "ipalib": true, 
                "ipaserver": false
            }, 
            "paths": {
                "ADMIN_CERT_PATH": "/root/.dogtag/pki-tomcat/ca_admin.cert", 
                "ALIAS_CACERT_ASC": "/etc/httpd/alias/cacert.asc", 
                "ALIAS_PWDFILE_TXT": "/etc/httpd/alias/pwdfile.txt", 
                "ALL_SLAPD_INSTANCE_SOCKETS": "/var/run/slapd-*.socket", 
                "AUTHCONFIG_LAST": "/var/lib/authconfig/last", 
                "AUTOFS_LDAP_AUTH_CONF": "/etc/autofs_ldap_auth.conf", 
                "BAK2DB": "/usr/sbin/bak2db", 
                "BASH": "/bin/bash", 
                "BIND_LDAP_DNS_IPA_WORKDIR": "/var/named/dyndb-ldap/ipa/", 
                "BIND_LDAP_DNS_ZONE_WORKDIR": "/var/named/dyndb-ldap/ipa/master/", 
                "BIND_LDAP_SO": "/usr/lib/bind/ldap.so", 
                "BIND_LDAP_SO_64": "/usr/lib64/bind/ldap.so", 
                "BIN_CURL": "/usr/bin/curl", 
                "BIN_FALSE": "/bin/false", 
                "BIN_HOSTNAME": "/bin/hostname", 
                "BIN_KVNO": "/usr/bin/kvno", 
                "BIN_NISDOMAINNAME": "/usr/bin/nisdomainname", 
                "BIN_TIMEOUT": "/usr/bin/timeout", 
                "BIN_TRUE": "/bin/true", 
                "CACERT_P12": "/root/cacert.p12", 
                "CACERT_PEM": "/var/kerberos/krb5kdc/cacert.pem", 
                "CACHE_IPA_SESSIONS": "/var/cache/ipa/sessions", 
                "CAJARSIGNINGCERT_CFG": "/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg", 
                "CASIGNEDLOGCERT_CFG": "/var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg", 
                "CA_BACKUP_KEYS_P12": "/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", 
                "CA_CRT": "/usr/share/ipa/html/ca.crt", 
                "CA_CS_CFG_PATH": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg", 
                "CA_TOPOLOGY_ULDIF": "/usr/share/ipa/ca-topology.uldif", 
                "CERTMONGER": "/usr/sbin/certmonger", 
                "CERTMONGER_CAS_CA_RENEWAL": "/var/lib/certmonger/cas/ca_renewal", 
                "CERTMONGER_CAS_DIR": "/var/lib/certmonger/cas/", 
                "CERTMONGER_COMMAND_TEMPLATE": "/usr/libexec/ipa/certmonger/%s", 
                "CERTMONGER_REQUESTS_DIR": "/var/lib/certmonger/requests/", 
                "CERTUTIL": "/usr/bin/certutil", 
                "CHROMIUM_BROWSER": "/usr/bin/chromium-browser", 
                "CONNCHECK_CCACHE": "/etc/ipa/.conncheck_ccache", 
                "DB2BAK": "/usr/sbin/db2bak", 
                "DB2LDIF": "/usr/sbin/db2ldif", 
                "DEV_NULL": "/dev/null", 
                "DEV_STDIN": "/dev/stdin", 
                "DICT_WORDS": "/usr/share/dict/words", 
                "DIRSRV_BOOT_LDIF": "/var/lib/dirsrv/boot.ldif", 
                "DIRSRV_LOCK_DIR": "/var/lock/dirsrv", 
                "DNSSEC_KEYFROMLABEL": "/usr/sbin/dnssec-keyfromlabel-pkcs11", 
                "DNSSEC_SOFTHSM2_CONF": "/etc/ipa/dnssec/softhsm2.conf", 
                "DNSSEC_SOFTHSM_PIN": "/var/lib/ipa/dnssec/softhsm_pin", 
                "DNSSEC_SOFTHSM_PIN_SO": "/etc/ipa/dnssec/softhsm_pin_so", 
                "DNSSEC_TOKENS_DIR": "/var/lib/ipa/dnssec/tokens", 
                "DNSSEC_TRUSTED_KEY": "/etc/trusted-key.key", 
                "DOGTAG_ADMIN_P12": "/root/ca-agent.p12", 
                "DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT": "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", 
                "DOGTAG_IPA_RENEW_AGENT_SUBMIT": "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit", 
                "DS_KEYTAB": "/etc/dirsrv/ds.keytab", 
                "DS_NEWINST_PL": "/usr/bin/ds_newinst.pl", 
                "ENTROPY_AVAIL": "/proc/sys/kernel/random/entropy_avail", 
                "ETC_DIRSRV": "/etc/dirsrv", 
                "ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE": "/etc/dirsrv/slapd-%s", 
                "ETC_FEDORA_RELEASE": "/etc/fedora-release", 
                "ETC_HOSTNAME": "/etc/hostname", 
                "ETC_HTTPD_DIR": "/etc/httpd", 
                "ETC_IPA": "/etc/ipa", 
                "ETC_OPENDNSSEC_DIR": "/etc/opendnssec", 
                "ETC_REDHAT_RELEASE": "/etc/redhat-release", 
                "ETC_SYSCONFIG_AUTHCONFIG": "/etc/sysconfig/authconfig", 
                "ETC_SYSCONFIG_DIR": "/etc/sysconfig", 
                "ETC_SYSTEMD_SYSTEM_DIR": "/etc/systemd/system/", 
                "FFEXTENSION": "/usr/share/ipa/ffextension", 
                "FIREFOX": "/usr/bin/firefox", 
                "GENERATE_RNDC_KEY": "/usr/libexec/generate-rndc-key.sh", 
                "GETCERT": "/usr/bin/getcert", 
                "GETSEBOOL": "/usr/sbin/getsebool", 
                "GPG": "/usr/bin/gpg", 
                "GPG_AGENT": "/usr/bin/gpg-agent", 
                "GROUP": "/etc/group", 
                "GROUPADD": "/usr/sbin/groupadd", 
                "HOME_DIR": "/home", 
                "HOSTS": "/etc/hosts", 
                "HTML_KRB5_INI": "/usr/share/ipa/html/krb5.ini", 
                "HTML_KRBREALM_CON": "/usr/share/ipa/html/krbrealm.con", 
                "HTTPD": "/usr/sbin/httpd", 
                "HTTPD_ALIAS_DIR": "/etc/httpd/alias", 
                "HTTPD_CONF_D_DIR": "/etc/httpd/conf.d/", 
                "HTTPD_IPA_CONF": "/etc/httpd/conf.d/ipa.conf", 
                "HTTPD_IPA_KDCPROXY_CONF": "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf", 
                "HTTPD_IPA_KDCPROXY_CONF_SYMLINK": "/etc/httpd/conf.d/ipa-kdc-proxy.conf", 
                "HTTPD_IPA_PKI_PROXY_CONF": "/etc/httpd/conf.d/ipa-pki-proxy.conf", 
                "HTTPD_IPA_REWRITE_CONF": "/etc/httpd/conf.d/ipa-rewrite.conf", 
                "HTTPD_NSS_CONF": "/etc/httpd/conf.d/nss.conf", 
                "HTTPD_PASSWORD_CONF": "/etc/httpd/conf/password.conf", 
                "HTTPD_SSL_CONF": "/etc/httpd/conf.d/ssl.conf", 
                "IDMAPD_CONF": "/etc/idmapd.conf", 
                "IP": "/sbin/ip", 
                "IPABACKUP_LOG": "/var/log/ipabackup.log", 
                "IPACLIENT_INSTALL_LOG": "/var/log/ipaclient-install.log", 
                "IPACLIENT_UNINSTALL_LOG": "/var/log/ipaclient-uninstall.log", 
                "IPACTL": "/usr/sbin/ipactl", 
                "IPAREPLICA_CA_INSTALL_LOG": "/var/log/ipareplica-ca-install.log", 
                "IPAREPLICA_CONNCHECK_LOG": "/var/log/ipareplica-conncheck.log", 
                "IPAREPLICA_INSTALL_LOG": "/var/log/ipareplica-install.log", 
                "IPARESTORE_LOG": "/var/log/iparestore.log", 
                "IPASERVER_CA_INSTALL_LOG": "/var/log/ipaserver-ca-install.log", 
                "IPASERVER_INSTALL_LOG": "/var/log/ipaserver-install.log", 
                "IPASERVER_KRA_INSTALL_LOG": "/var/log/ipaserver-kra-install.log", 
                "IPASERVER_KRA_UNINSTALL_LOG": "/var/log/ipaserver-kra-uninstall.log", 
                "IPASERVER_UNINSTALL_LOG": "/var/log/ipaserver-uninstall.log", 
                "IPAUPGRADE_LOG": "/var/log/ipaupgrade.log", 
                "IPA_BACKUP_DIR": "/var/lib/ipa/backup", 
                "IPA_CA_CRT": "/etc/ipa/ca.crt", 
                "IPA_CA_CSR": "/var/lib/ipa/ca.csr", 
                "IPA_CLIENT_INSTALL": "/usr/sbin/ipa-client-install", 
                "IPA_CLIENT_SYSRESTORE": "/var/lib/ipa-client/sysrestore", 
                "IPA_CUSTODIA_AUDIT_LOG": "/var/log/ipa-custodia.audit.log", 
                "IPA_CUSTODIA_CONF": "/etc/ipa/custodia/custodia.conf", 
                "IPA_CUSTODIA_CONF_DIR": "/etc/ipa/custodia", 
                "IPA_CUSTODIA_SOCKET": "/run/httpd/ipa-custodia.sock", 
                "IPA_DEFAULT_CONF": "/etc/ipa/default.conf", 
                "IPA_DNSKEYSYNCD": "/usr/libexec/ipa/ipa-dnskeysyncd", 
                "IPA_DNSKEYSYNCD_KEYTAB": "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab", 
                "IPA_DNSKEYSYNCD_REPLICA": "/usr/libexec/ipa/ipa-dnskeysync-replica", 
                "IPA_DNSSEC_DIR": "/var/lib/ipa/dnssec", 
                "IPA_DNS_CCACHE": "/etc/ipa/.dns_ccache", 
                "IPA_DNS_INSTALL": "/usr/sbin/ipa-dns-install", 
                "IPA_DNS_UPDATE_TXT": "/etc/ipa/.dns_update.txt", 
                "IPA_GETCERT": "/usr/bin/ipa-getcert", 
                "IPA_GETKEYTAB": "/usr/sbin/ipa-getkeytab", 
                "IPA_HTML_DIR": "/usr/share/ipa/html", 
                "IPA_JS_PLUGINS_DIR": "/usr/share/ipa/ui/js/plugins", 
                "IPA_KASP_DB_BACKUP": "/var/lib/ipa/ipa-kasp.db.backup", 
                "IPA_KEYTAB": "/etc/httpd/conf/ipa.keytab", 
                "IPA_MEMCACHED_DIR": "/var/run/ipa_memcached", 
                "IPA_NSSDB_DIR": "/etc/ipa/nssdb", 
                "IPA_NSSDB_PWDFILE_TXT": "/etc/ipa/nssdb/pwdfile.txt", 
                "IPA_ODS_EXPORTER": "/usr/libexec/ipa/ipa-ods-exporter", 
                "IPA_ODS_EXPORTER_CCACHE": "/var/opendnssec/tmp/ipa-ods-exporter.ccache", 
                "IPA_ODS_EXPORTER_KEYTAB": "/etc/ipa/dnssec/ipa-ods-exporter.keytab", 
                "IPA_P11_KIT": "/etc/pki/ca-trust/source/ipa.p11-kit", 
                "IPA_PLUGINS": "/usr/share/ipa/plugins", 
                "IPA_RENEWAL_LOCK": "/var/run/ipa/renewal.lock", 
                "IPA_REPLICA_CONNCHECK": "/usr/sbin/ipa-replica-conncheck", 
                "IPA_RMKEYTAB": "/usr/sbin/ipa-rmkeytab", 
                "IPA_SERVER_GUARD": "/usr/libexec/certmonger/ipa-server-guard", 
                "KADMIND_LOG": "/var/log/kadmind.log", 
                "KDCPROXY_CONFIG": "/etc/ipa/kdcproxy/kdcproxy.conf", 
                "KDC_PEM": "/var/kerberos/krb5kdc/kdc.pem", 
                "KDESTROY": "/usr/bin/kdestroy", 
                "KERBEROSAUTH_XPI": "/usr/share/ipa/html/kerberosauth.xpi", 
                "KINIT": "/usr/bin/kinit", 
                "KRACERT_P12": "/root/kracert.p12", 
                "KRA_AGENT_PEM": "/etc/httpd/alias/kra-agent.pem", 
                "KRA_BACKUP_KEYS_P12": "/var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12", 
                "KRA_CS_CFG_PATH": "/var/lib/pki/pki-tomcat/conf/kra/CS.cfg", 
                "KRB5CC_HTTPD": "/var/run/httpd/ipa/krbcache/krb5ccache", 
                "KRB5CC_SAMBA": "/var/run/samba/krb5cc_samba", 
                "KRB5KDC_KADM5_ACL": "/var/kerberos/krb5kdc/kadm5.acl", 
                "KRB5KDC_KADM5_KEYTAB": "/var/kerberos/krb5kdc/kadm5.keytab", 
                "KRB5KDC_KDC_CONF": "/var/kerberos/krb5kdc/kdc.conf", 
                "KRB5_CONF": "/etc/krb5.conf", 
                "KRB5_KEYTAB": "/etc/krb5.keytab", 
                "KRB_CON": "/usr/share/ipa/html/krb.con", 
                "KRB_JS": "/usr/share/ipa/html/krb.js", 
                "LDAPMODIFY": "/usr/bin/ldapmodify", 
                "LDAPPASSWD": "/usr/bin/ldappasswd", 
                "LDAP_CONF": "/etc/ldap.conf", 
                "LDIF2DB": "/usr/sbin/ldif2db", 
                "LIB64_FIREFOX": "/usr/lib64/firefox", 
                "LIBNSS_LDAP_CONF": "/etc/libnss-ldap.conf", 
                "LIBSOFTHSM2_SO": "/usr/lib64/pkcs11/libsofthsm2.so", 
                "LIBSOFTHSM2_SO_64": "/usr/lib64/pkcs11/libsofthsm2.so", 
                "LIB_FIREFOX": "/usr/lib/firefox", 
                "LIB_SYSTEMD_SYSTEMD_DIR": "/usr/lib/systemd/system/", 
                "LIMITS_CONF": "/etc/security/limits.conf", 
                "LOG_SECURE": "/var/log/secure", 
                "LS": "/bin/ls", 
                "MESSAGES": "/var/log/messages", 
                "NAMED": "/usr/sbin/named", 
                "NAMED_BINDKEYS_FILE": "/etc/named.iscdlv.key", 
                "NAMED_CONF": "/etc/named.conf", 
                "NAMED_KEYTAB": "/etc/named.keytab", 
                "NAMED_MANAGED_KEYS_DIR": "/var/named/dynamic", 
                "NAMED_PID": "/run/named/named.pid", 
                "NAMED_PKCS11": "/usr/sbin/named-pkcs11", 
                "NAMED_RFC1912_ZONES": "/etc/named.rfc1912.zones", 
                "NAMED_ROOT_KEY": "/etc/named.root.key", 
                "NAMED_RUN": "/var/named/data/named.run", 
                "NAMED_VAR_DIR": "/var/named", 
                "NET": "/usr/bin/net", 
                "NETWORK_MANAGER_CONFIG_DIR": "/etc/NetworkManager/conf.d", 
                "NIS_ULDIF": "/usr/share/ipa/nis.uldif", 
                "NIS_UPDATE_ULDIF": "/usr/share/ipa/nis-update.uldif", 
                "NOLOGIN": "/sbin/nologin", 
                "NSLCD_CONF": "/etc/nslcd.conf", 
                "NSSWITCH_CONF": "/etc/nsswitch.conf", 
                "NSS_DB_DIR": "/etc/pki/nssdb", 
                "NSS_LDAP_CONF": "/etc/nss_ldap.conf", 
                "NSUPDATE": "/usr/bin/nsupdate", 
                "NTPD": "/usr/sbin/ntpd", 
                "NTP_CONF": "/etc/ntp.conf", 
                "NTP_STEP_TICKERS": "/etc/ntp/step-tickers", 
                "ODS_KSMUTIL": "/usr/bin/ods-ksmutil", 
                "ODS_SIGNER": "/usr/sbin/ods-signer", 
                "OPENDNSSEC_CONF_FILE": "/etc/opendnssec/conf.xml", 
                "OPENDNSSEC_KASP_DB": "/var/opendnssec/kasp.db", 
                "OPENDNSSEC_KASP_FILE": "/etc/opendnssec/kasp.xml", 
                "OPENDNSSEC_ZONELIST_FILE": "/etc/opendnssec/zonelist.xml", 
                "OPENLDAP_LDAP_CONF": "/etc/openldap/ldap.conf", 
                "OPENSSL": "/usr/bin/openssl", 
                "PAM_LDAP_CONF": "/etc/pam_ldap.conf", 
                "PASSWD": "/etc/passwd", 
                "PK12UTIL": "/usr/bin/pk12util", 
                "PKCS12EXPORT": "/usr/bin/PKCS12Export", 
                "PKIDESTROY": "/usr/sbin/pkidestroy", 
                "PKISPAWN": "/usr/sbin/pkispawn", 
                "PKI_CA_PUBLISH_DIR": "/var/lib/ipa/pki-ca/publish", 
                "PKI_TOMCAT": "/etc/pki/pki-tomcat", 
                "PKI_TOMCAT_ALIAS_DIR": "/etc/pki/pki-tomcat/alias", 
                "PKI_TOMCAT_PASSWORD_CONF": "/etc/pki/pki-tomcat/password.conf", 
                "PROC_FIPS_ENABLED": "/proc/sys/crypto/fips_enabled", 
                "REMOVE_DS_PL": "/usr/sbin/remove-ds.pl", 
                "REPLICA_INFO_GPG_TEMPLATE": "/var/lib/ipa/replica-info-%s.gpg", 
                "REPLICA_INFO_TEMPLATE": "/var/lib/ipa/replica-info-%s", 
                "RESOLV_CONF": "/etc/resolv.conf", 
                "RESTORECON": "/usr/sbin/restorecon", 
                "ROOT_IPA_CACHE": "/root/.ipa_cache", 
                "ROOT_IPA_CSR": "/root/ipa.csr", 
                "ROOT_PKI": "/root/.pki", 
                "SAMBA_DIR": "/var/lib/samba/", 
                "SAMBA_KEYTAB": "/etc/samba/samba.keytab", 
                "SBIN_IPA_JOIN": "/usr/sbin/ipa-join", 
                "SBIN_REBOOT": "/sbin/reboot", 
                "SBIN_RESTORECON": "/sbin/restorecon", 
                "SBIN_SERVICE": "/sbin/service", 
                "SCHEMA_COMPAT_ULDIF": "/usr/share/ipa/schema_compat.uldif", 
                "SELINUXENABLED": "/usr/sbin/selinuxenabled", 
                "SETPASSWD": "/usr/bin/setpasswd", 
                "SETSEBOOL": "/usr/sbin/setsebool", 
                "SETUP_DS_PL": "/usr/sbin/setup-ds.pl", 
                "SH": "/bin/sh", 
                "SIGNTOOL": "/usr/bin/signtool", 
                "SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE": "/var/log/dirsrv/slapd-%s/access", 
                "SLAPD_INSTANCE_BACKUP_DIR_TEMPLATE": "/var/lib/dirsrv/slapd-%s/bak/%s", 
                "SLAPD_INSTANCE_DB_DIR_TEMPLATE": "/var/lib/dirsrv/slapd-%s/db/%s", 
                "SLAPD_INSTANCE_ERROR_LOG_TEMPLATE": "/var/log/dirsrv/slapd-%s/errors", 
                "SLAPD_INSTANCE_LDIF_DIR_TEMPLATE": "/var/lib/dirsrv/slapd-%s/ldif", 
                "SLAPD_INSTANCE_SOCKET_TEMPLATE": "/var/run/slapd-%s.socket", 
                "SMBD": "/usr/sbin/smbd", 
                "SMB_CONF": "/etc/samba/smb.conf", 
                "SOFTHSM2_UTIL": "/usr/bin/softhsm2-util", 
                "SSHD_CONFIG": "/etc/ssh/sshd_config", 
                "SSH_CONFIG": "/etc/ssh/ssh_config", 
                "SSLGET": "/usr/bin/sslget", 
                "SSSD_CONF": "/etc/sssd/sssd.conf", 
                "SSSD_CONF_BKP": "/etc/sssd/sssd.conf.bkp", 
                "SSSD_CONF_DELETED": "/etc/sssd/sssd.conf.deleted", 
                "SSSD_DB": "/var/lib/sss/db", 
                "SSSD_MC_GROUP": "/var/lib/sss/mc/group", 
                "SSSD_MC_PASSWD": "/var/lib/sss/mc/passwd", 
                "SSSD_PUBCONF_KNOWN_HOSTS": "/var/lib/sss/pubconf/known_hosts", 
                "SSSD_PUBCONF_KRB5_INCLUDE_D_DIR": "/var/lib/sss/pubconf/krb5.include.d/", 
                "SSS_SSH_AUTHORIZEDKEYS": "/usr/bin/sss_ssh_authorizedkeys", 
                "SSS_SSH_KNOWNHOSTSPROXY": "/usr/bin/sss_ssh_knownhostsproxy", 
                "STATEFILE_DIR": "/var/lib/ipa/sysupgrade", 
                "SVC_LIST_FILE": "/var/run/ipa/services.list", 
                "SYSCONFIG_AUTOFS": "/etc/sysconfig/autofs", 
                "SYSCONFIG_DIRSRV": "/etc/sysconfig/dirsrv", 
                "SYSCONFIG_DIRSRV_INSTANCE": "/etc/sysconfig/dirsrv-%s", 
                "SYSCONFIG_DIRSRV_SYSTEMD": "/etc/sysconfig/dirsrv.systemd", 
                "SYSCONFIG_HTTPD": "/etc/sysconfig/httpd", 
                "SYSCONFIG_IPA_DNSKEYSYNCD": "/etc/sysconfig/ipa-dnskeysyncd", 
                "SYSCONFIG_IPA_ODS_EXPORTER": "/etc/sysconfig/ipa-ods-exporter", 
                "SYSCONFIG_KRB5KDC_DIR": "/etc/sysconfig/krb5kdc", 
                "SYSCONFIG_NAMED": "/etc/sysconfig/named", 
                "SYSCONFIG_NETWORK": "/etc/sysconfig/network", 
                "SYSCONFIG_NETWORK_IPABKP": "/etc/sysconfig/network.ipabkp", 
                "SYSCONFIG_NFS": "/etc/sysconfig/nfs", 
                "SYSCONFIG_NTPD": "/etc/sysconfig/ntpd", 
                "SYSCONFIG_ODS": "/etc/sysconfig/ods", 
                "SYSCONFIG_PKI": "/etc/sysconfig/pki", 
                "SYSCONFIG_PKI_TOMCAT": "/etc/sysconfig/pki-tomcat", 
                "SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR": "/etc/sysconfig/pki/tomcat/pki-tomcat", 
                "SYSRESTORE": "/var/lib/ipa/sysrestore", 
                "SYSRESTORE_INDEX": "/var/lib/ipa-client/sysrestore/sysrestore.index", 
                "SYSTEMCTL": "/bin/systemctl", 
                "SYSTEMD_CERTMONGER_SERVICE": "/etc/systemd/system/multi-user.target.wants/certmonger.service", 
                "SYSTEMD_IPA_SERVICE": "/etc/systemd/system/multi-user.target.wants/ipa.service", 
                "SYSTEMD_PKI_TOMCAT_SERVICE": "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service", 
                "SYSTEMD_SSSD_SERVICE": "/etc/systemd/system/multi-user.target.wants/sssd.service", 
                "SYSTEMWIDE_IPA_CA_CRT": "/etc/pki/ca-trust/source/anchors/ipa-ca.crt", 
                "TAR": "/bin/tar", 
                "TMP": "/tmp", 
                "TMP_CA_P12": "/tmp/ca.p12", 
                "TMP_KRB5CC": "/tmp/krb5cc_%d", 
                "TOMCAT_CA_ARCHIVE_DIR": "/var/log/pki/pki-tomcat/ca/archive", 
                "TOMCAT_CA_DIR": "/var/log/pki/pki-tomcat/ca", 
                "TOMCAT_KRA_ARCHIVE_DIR": "/var/log/pki/pki-tomcat/kra/archive", 
                "TOMCAT_KRA_DIR": "/var/log/pki/pki-tomcat/kra", 
                "TOMCAT_KRA_SIGNEDAUDIT_DIR": "/var/log/pki/pki-tomcat/kra/signedAudit", 
                "TOMCAT_SIGNEDAUDIT_DIR": "/var/log/pki/pki-tomcat/ca/signedAudit", 
                "TOMCAT_TOPLEVEL_DIR": "/var/log/pki/pki-tomcat", 
                "UPDATES_DIR": "/usr/share/ipa/updates/", 
                "UPDATE_CA_TRUST": "/usr/bin/update-ca-trust", 
                "USERADD": "/usr/sbin/useradd", 
                "USR_DIR": "/usr", 
                "USR_LIB_DIRSRV": "/usr/lib/dirsrv", 
                "USR_LIB_DIRSRV_64": "/usr/lib64/dirsrv", 
                "USR_SHARE_IPA_DIR": "/usr/share/ipa/", 
                "VAR_KERBEROS_KRB5KDC_DIR": "/var/kerberos/krb5kdc/", 
                "VAR_KRB5KDC_K5_REALM": "/var/kerberos/krb5kdc/.k5.", 
                "VAR_LIB": "/var/lib", 
                "VAR_LIB_CERTMONGER_DIR": "/var/lib/certmonger", 
                "VAR_LIB_DIRSRV": "/var/lib/dirsrv", 
                "VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE": "/var/lib/dirsrv/scripts-%s", 
                "VAR_LIB_IPA": "/var/lib/ipa", 
                "VAR_LIB_KDCPROXY": "/var/lib/kdcproxy", 
                "VAR_LIB_PKI_CA_ALIAS_DIR": "/var/lib/pki-ca/alias", 
                "VAR_LIB_PKI_DIR": "/var/lib/pki", 
                "VAR_LIB_PKI_TOMCAT_DIR": "/var/lib/pki/pki-tomcat", 
                "VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE": "/var/lib/dirsrv/slapd-%s", 
                "VAR_LOG_DIRSRV_INSTANCE_TEMPLATE": "/var/log/dirsrv/slapd-%s", 
                "VAR_LOG_HTTPD_DIR": "/var/log/httpd", 
                "VAR_LOG_PKI_DIR": "/var/log/pki/", 
                "VAR_OPENDNSSEC_DIR": "/var/opendnssec", 
                "VAR_RUN_DIRSRV_DIR": "/var/run/dirsrv", 
                "VAR_RUN_IPA_MEMCACHED": "/var/run/ipa_memcached/ipa_memcached", 
                "ZIP": "/usr/bin/zip"
            }, 
            "realm": "IPA.EXAMPLE.ORG", 
            "version": {
                "api_version": "2.164", 
                "num_version": 40302, 
                "vendor_version": "4.3.2-4.fc24", 
                "version": "4.3.2", 
                "version_info": [
                    4, 
                    3, 
                    2
                ]
            }
        }
        },
        "changed": false,
        "invocation": {
            "module_args": {
                "context": "cli",
                "domain": "ipa.example.org",
                "realm": null
            }
        }
    }

PS: I like your idea to have a dedicated interface to extract information from FreeIPA's runtime!
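The fallback path from the last bullet above (ipalib not available), as an added example that is not code from ipa_facts.py or FreeIPA: default realm and basedn are derived from the domain, the environment is read from a constructed /etc/ipa/default.conf, the comparable version list and number from the output above are computed, and the "configured" flags come from marker files. Which file marks which component is an assumption here; the names match the "paths" section of the output.

```python
"""Offline IPA facts in the style of the ipa_facts module described above.

Added example (stdlib only, not code from ipa_facts.py or FreeIPA) for the
"ipalib is not available" path. The marker file per component is an
assumption; exists() is injected so nothing on this machine is inspected."""
import configparser
import re

COMPONENT_MARKERS = {
    "client": "/etc/ipa/default.conf",                 # IPA_DEFAULT_CONF
    "server": "/etc/dirsrv/ds.keytab",                 # DS_KEYTAB
    "ca": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",    # CA_CS_CFG_PATH
    "kra": "/var/lib/pki/pki-tomcat/conf/kra/CS.cfg",  # KRA_CS_CFG_PATH
    "dns": "/etc/named.keytab",                        # NAMED_KEYTAB
}

# Constructed sample of /etc/ipa/default.conf on an enrolled client.
SAMPLE_DEFAULT_CONF = """\
[global]
basedn = dc=ipa,dc=example,dc=org
realm = IPA.EXAMPLE.ORG
domain = ipa.example.org
server = server.ipa.example.org
host = client.ipa.example.org
xmlrpc_uri = https://server.ipa.example.org/ipa/xml
enable_ra = True
"""


def default_realm(domain):
    """FreeIPA's default realm is the upper-cased DNS domain."""
    return domain.upper()


def default_basedn(domain):
    """ipa.example.org -> dc=ipa,dc=example,dc=org"""
    return ",".join("dc=%s" % label for label in domain.split("."))


def parse_default_conf(text):
    """Return the [global] section of default.conf as a dict; the literal
    strings True/False become booleans, everything else stays a string."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    env = {}
    for key, value in parser.items("global"):
        env[key] = value == "True" if value in ("True", "False") else value
    return env


def version_facts(vendor_version):
    """'4.3.2-4.fc24' -> version string, version_info list and the
    comparable integer 4*10000 + 3*100 + 2 == 40302 seen in the output."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", vendor_version)
    if match is None:
        raise ValueError("unparseable version: %r" % vendor_version)
    info = tuple(int(part) for part in match.groups())
    return {
        "vendor_version": vendor_version,
        "version": "%d.%d.%d" % info,
        "version_info": list(info),
        "num_version": info[0] * 10000 + info[1] * 100 + info[2],
    }


def configured_components(exists):
    """component -> bool, using the injected path predicate."""
    return {name: bool(exists(path)) for name, path in COMPONENT_MARKERS.items()}


def gather_facts(domain, default_conf_text=None, exists=lambda path: False,
                 vendor_version=None):
    """Assemble the 'ipa' facts dict. Defaults derived from the domain are
    overridden by whatever the config file states."""
    facts = {
        "domain": domain,
        "realm": default_realm(domain),
        "basedn": default_basedn(domain),
        "configured": configured_components(exists),
    }
    if default_conf_text is not None:
        env = parse_default_conf(default_conf_text)
        facts["api_env"] = env
        for key in ("domain", "realm", "basedn"):
            if key in env:
                facts[key] = env[key]
    if vendor_version is not None:
        facts["version"] = version_facts(vendor_version)
    return facts


if __name__ == "__main__":
    import json
    present = {"/etc/ipa/default.conf"}  # constructed: client-only host
    print(json.dumps(gather_facts("ipa.example.org", SAMPLE_DEFAULT_CONF,
                                  present.__contains__, "4.3.2-4.fc24"),
                     indent=4, sort_keys=True))
```

On a real host the predicate would be os.path.isfile and the config text the contents of IPA_DEFAULT_CONF; the output shape mirrors the "ipa" subtree of the module output above.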

This behavior is now blocking OpenStack and IPA integration.

All I want to do is initialize the API so I can make calls to IPA methods:

api.bootstrap(context='novajoin')
api.finalize()

This blows up with a similar "did not receive Kerberos credentials" error.

This code has worked since v2.0.0.

Rob, what is the OpenStack use case?

You get "did not receive Kerberos credentials" in finalize. But if you call a command and don't have a ticket then you will get the error as well. So how would not loading schema change it?

Same as Christian's, I just want to initialize the API and make ipalib calls.

It seems very very strange to require a ticket in order to just initialize the API.

I'm looking at working around this as you described, by calling kinit_keytab prior to initialization, but IMHO this is a regression.

I don't necessarily not want to load the schema but given that I already know what I'm calling, don't think I really need it.

Metadata Update from @cheimes:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.5

2 years ago

Metadata Update from @cheimes:
- Custom field affects_doc reset
- Custom field blocking reset
- Custom field component reset
- Custom field on_review reset
- Custom field rhbz reset
- Custom field type reset
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5)
- Issue tagged with: integration

2 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue set to the milestone: FreeIPA 4.5

2 years ago

We are not able to implement it in 4.5 given the remaining time. I hope it is not an issue. But AFAIK both of you, Rob and Christian, should already have workarounds.

Metadata Update from @pvoborni:
- Issue priority set to: 2 (was: 1)
- Issue set to the milestone: FreeIPA 4.6 (was: FreeIPA 4.5)

2 years ago

@cheimes, @jcholast Can we switch the ticket description to the following, which actually describes the goal:

User story is:

As an application which integrates with FreeIPA, I want to initialize the API and then call API commands. I already know the command names and versions, and the types and names of their parameters and options.

Acceptance criteria:

  • the command should not require any interaction with users
  • if client-side preprocessing of arguments which would otherwise/usually be entered and then processed by CLI is needed (e.g. as in vault-archive), then it needs to be done as well
  • It should not download metadata automatically unless asked. Because I know what to call.
  • authentication should be done automatically on first command call (assuming Kerberos)

My use case for this ticket is different, see https://pagure.io/freeipa/issue/6408#comment-319879

As an application which deploys, configures and introspects FreeIPA, I like to get facts of a local machine from FreeIPA without requiring credentials or connecting to remote FreeIPA server. Fact gathering must be efficient and not depend on remote resources (with exception to DNS) as they might not be available. The fact should include information such as client enrolment, if server/CA/KRA/DNS component are installed, realm, domain, hostname(s) of API servers (from config or DNS query), version information and other useful information from ipalib.api.env.

Most of the user story can be implemented by providing an official API that initializes enough of ipalib.api to fetch the information from ipalib.api.env.

Metadata Update from @cheimes:
- Custom field tester reset
- Issue set to the milestone: None (was: FreeIPA 4.6)

2 years ago

I think we should use both. I see https://pagure.io/freeipa/issue/6408#comment-433310 as a use case for e.g. Ansible integration. But https://pagure.io/freeipa/issue/6408#comment-433307 rather for Custodia or OpenStack.

But you are right that this ticket was first about Ansible and it is wrong to change it to something different - but my story is what Rob wrote in https://pagure.io/freeipa/issue/6408#comment-319870

So let's change this ticket description to the Ansible one and create new for the API one.

I modified the description of this one. But I did not add "and other useful information from ipalib.api.env" - it's vague and therefore unrestricted scope.

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to todo
- Issue priority set to: blocker (was: critical)
- Issue set to the milestone: FreeIPA 4.7
- Issue tagged with: userstory

2 years ago

I think we could use custom facts to provide the needed information without depending on remote resources.

During ipa-server installation or upgrade (and maybe even client), we could create facts file /etc/ansible/facts.d/ipa.fact. It'd be the responsibility of IPA to keep this file up to date. In ansible, these facts would be accessed using ansible_local.ipa

This approach would allow us to provide reliable information for each system instead of guessing and making assumptions (such as: if a certain file exists, CA is probably installed).

The downside is, if this file is missing (for example in old installations), we wouldn't have any information about the system. Perhaps the ipa.fact file could be created during an upgrade to alleviate the issue.

That's an interesting proposal. We'd need the file on both servers and clients. It should work for static facts. However the file may come out of sync if somebody modifies /etc/ipa/default.conf.

By the way ipa facts should not perform guesswork at all. My PoC uses existing methods from ipalib and ipaserver to detect installation state of client, server, and components. Internally some of the methods use presence of files to detect state. Maybe we should rather change these functions to use a state file in /var/lib/ipa?

The fact file can be an executable script that returns the data in JSON format. We could read some data from /etc/ipa/default.conf or other locations.
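The executable-script variant of the fact file, as an added example that is not FreeIPA's own code: a Python 3 script intended for /etc/ansible/facts.d/ipa.fact that reads only the local /etc/ipa/default.conf and prints JSON, so it needs neither credentials nor network and re-reads the config on every run instead of going stale. The [global] key names are the ones FreeIPA writes into default.conf; the `enrolled` fact, the `servers` list handling and the sample config are assumptions/constructed.

```python
#!/usr/bin/env python3
# Added example (not FreeIPA's own code): an executable Ansible local fact for
# /etc/ansible/facts.d/ipa.fact.  Ansible runs it and exposes the JSON it prints
# as ansible_local.ipa.  It reads only /etc/ipa/default.conf, so it needs neither
# credentials nor network, and because it re-reads the file on every run it does
# not go stale the way a static fact file would.
import configparser
import json
import os
import sys

DEFAULT_CONF = "/etc/ipa/default.conf"

# Constructed sample of a client's default.conf, used for the offline demo/test.
SAMPLE_CONF = """\
[global]
basedn = dc=ipa,dc=example,dc=org
realm = IPA.EXAMPLE.ORG
domain = ipa.example.org
server = ipa1.ipa.example.org
host = client1.ipa.example.org
xmlrpc_uri = https://ipa1.ipa.example.org/ipa/xml
"""

def facts_from_config(text):
    """Turn default.conf contents into a fact dict; no [global] section means not enrolled."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("global"):
        return {"enrolled": False}
    g = parser["global"]
    facts = {"enrolled": True}  # 'enrolled' is an assumed fact name
    for key in ("realm", "domain", "host", "basedn", "xmlrpc_uri"):
        facts[key] = g.get(key)  # None when FreeIPA did not write the key
    # Assumption: tolerate a comma-separated server list; a stock config has one.
    facts["servers"] = [s.strip() for s in g.get("server", "").split(",") if s.strip()]
    return facts

def gather(path=DEFAULT_CONF):
    """Read the real config; an absent file means this host is not enrolled."""
    if not os.path.exists(path):
        return {"enrolled": False}
    with open(path, encoding="utf-8") as fh:
        return facts_from_config(fh.read())

if __name__ == "__main__":
    # Ansible parses stdout as JSON; nothing else may be printed there.
    json.dump(gather(), sys.stdout, indent=2, sort_keys=True)
```

Install it with mode 0755; Ansible's setup module runs it and the result lands under ansible_local.ipa.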

Metadata Update from @pvoborni:
- Issue priority set to: important (was: critical)
- Issue set to the milestone: FreeIPA 4.8 (was: FreeIPA 4.7)

a year ago

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1509603 (was: todo)

11 months ago

Metadata Update from @cheimes:
- Issue assigned to twoerner (was: jcholast)

10 months ago

I'm closing this issue in favor of its duplicate #6645

Metadata Update from @cheimes:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

10 months ago
