diff --git a/.ansible-freeipa.metadata b/.ansible-freeipa.metadata
new file mode 100644
index 0000000..6c6a308
--- /dev/null
+++ b/.ansible-freeipa.metadata
@@ -0,0 +1 @@
+4dcce87f3b09e7c53760980e6687de575a44ee4e SOURCES/ansible-freeipa-0.1.6.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c15f2fe
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/ansible-freeipa-0.1.6.tar.gz
diff --git a/SOURCES/ansible-freeipa-0.1.6-ansible_ipa_client_Drop_import_of_configure_nsswitch_database_rhbz#1748905.patch b/SOURCES/ansible-freeipa-0.1.6-ansible_ipa_client_Drop_import_of_configure_nsswitch_database_rhbz#1748905.patch
new file mode 100644
index 0000000..a6ef8e6
--- /dev/null
+++ b/SOURCES/ansible-freeipa-0.1.6-ansible_ipa_client_Drop_import_of_configure_nsswitch_database_rhbz#1748905.patch
@@ -0,0 +1,51 @@
+From 5bb44245c6c43d752c1e066ebdc6cb3eb0253d98 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Wed, 4 Sep 2019 14:40:46 +0200
+Subject: [PATCH] ansible_ipa_client: Drop import of
+ configure_nsswitch_database
+
+configure_nsswitch_database has been removed with the freeipa commit
+
+https://github.com/freeipa/freeipa/commit/41ef8fba31ddbb32e2e5b7cccdc9b582a0809111
+
+The 4.4 compatibility hack leads to a ALREADY installed error in
+ipaclient_test because of the removal. This affects ipaclient and
+ipareplica roles and also the ipaclient deployment part in ipaserver.
+
+configure_nsswitch_database is not used any more in ipaclient role modules
+and therefore simply can be removed from ansible_ipa_client.
+---
+ roles/ipaclient/module_utils/ansible_ipa_client.py | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/roles/ipaclient/module_utils/ansible_ipa_client.py b/roles/ipaclient/module_utils/ansible_ipa_client.py
+index 30b8d42..d45171b 100644
+--- a/roles/ipaclient/module_utils/ansible_ipa_client.py
++++ b/roles/ipaclient/module_utils/ansible_ipa_client.py
+@@ -35,7 +35,7 @@
+ "configure_sssd_conf", "realm_to_suffix", "run", "timeconf",
+ "serialization", "configure_krb5_conf", "get_ca_certs",
+ "SECURE_PATH", "get_server_connection_interface",
+- "configure_nsswitch_database", "disable_ra", "client_dns",
++ "disable_ra", "client_dns",
+ "configure_certmonger", "update_ssh_keys",
+ "configure_openldap_conf", "hardcode_ldap_server",
+ "get_certs_from_ldap", "save_state", "create_ipa_nssdb",
+@@ -143,7 +143,7 @@ def knobs(self):
+ try:
+ from ipaclient.install.client import configure_krb5_conf, \
+ get_ca_certs, SECURE_PATH, get_server_connection_interface, \
+- configure_nsswitch_database, disable_ra, client_dns, \
++ disable_ra, client_dns, \
+ configure_certmonger, update_ssh_keys, configure_openldap_conf, \
+ hardcode_ldap_server, get_certs_from_ldap, save_state, \
+ create_ipa_nssdb, configure_ssh_config, configure_sshd_config, \
+@@ -204,8 +204,6 @@ def configure_krb5_conf(
+
+ get_server_connection_interface = \
+ ipa_client_install.get_server_connection_interface
+- configure_nsswitch_database = \
+- ipa_client_install.configure_nsswitch_database
+ disable_ra = ipa_client_install.disable_ra
+ client_dns = ipa_client_install.client_dns
+ configure_certmonger = ipa_client_install.configure_certmonger
diff --git a/SOURCES/ansible-freeipa-0.1.6-gen_module_docs-drop-key-dirserv_cert_files.patch b/SOURCES/ansible-freeipa-0.1.6-gen_module_docs-drop-key-dirserv_cert_files.patch
new file mode 100644
index 0000000..1533cb9
--- /dev/null
+++ b/SOURCES/ansible-freeipa-0.1.6-gen_module_docs-drop-key-dirserv_cert_files.patch
@@ -0,0 +1,13 @@
+diff -up ansible-freeipa-0.1.6/utils/gen_module_docs.py.remove-key-dirserv_cert_files ansible-freeipa-0.1.6/utils/gen_module_docs.py
+--- ansible-freeipa-0.1.6/utils/gen_module_docs.py.gen_module_docs-drop-key-dirserv_cert_files 2019-07-23 10:01:59.000000000 +0200
++++ ansible-freeipa-0.1.6/utils/gen_module_docs.py 2019-07-23 11:27:12.921162481 +0200
+@@ -47,9 +47,6 @@ param_docs = {
+ "setup_ca": "Configure a dogtag CA",
+ "setup_kra": "Configure a dogtag KRA",
+ "setup_dns": "Configure bind with our zone",
+- "dirserv_cert_files": [
+- "File containing the Directory Server SSL certificate and private key"
+- ],
+ "force_join": "Force client enrollment even if already enrolled",
+ "subject_base": [
+ "The certificate subject base (default O=).",
diff --git a/SOURCES/ansible-freeipa-0.1.6-ipatopologysegment-command-suffix-e4497c18_rhbz#1733547.patch b/SOURCES/ansible-freeipa-0.1.6-ipatopologysegment-command-suffix-e4497c18_rhbz#1733547.patch
new file mode 100644
index 0000000..053f6c3
--- /dev/null
+++ b/SOURCES/ansible-freeipa-0.1.6-ipatopologysegment-command-suffix-e4497c18_rhbz#1733547.patch
@@ -0,0 +1,62 @@
+From e4497c18e9fb39b4e8c022eb0898060005cf6af6 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Fri, 26 Jul 2019 18:33:41 +0200
+Subject: [PATCH] ipatopologysegment: Store suffix for commands in command list
+
+With adding the domain and ca suffixes with `suffix: domain+ca` only ca
+has been added as the suffix was only used from the last command. The
+suffix is now stored together with the command and the argument. This
+will fix this error.
+
+Fixes: #106 (Last suffix adding twice in the list of topology segments)
+---
+ plugins/modules/ipatopologysegment.py | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/modules/ipatopologysegment.py b/plugins/modules/ipatopologysegment.py
+index d64c7be..e768f72 100644
+--- a/plugins/modules/ipatopologysegment.py
++++ b/plugins/modules/ipatopologysegment.py
+@@ -256,12 +256,12 @@ def main():
+ del args[key]
+ if len(args) > 1:
+ # cn needs to be in args always
+- commands.append(["topologysegment_mod", args])
++ commands.append(["topologysegment_mod", args, suffix])
+ # else: Nothing to change
+ else:
+ if name is None:
+ args["cn"] = to_text("%s-to-%s" % (left, right))
+- commands.append(["topologysegment_add", args])
++ commands.append(["topologysegment_add", args, suffix])
+
+ elif state in ["absent", "disabled"]:
+ # Make sure topology segment does not exist
+@@ -274,7 +274,7 @@ def main():
+ args = {
+ "cn": res_find["cn"][0]
+ }
+- commands.append(["topologysegment_del", args])
++ commands.append(["topologysegment_del", args, suffix])
+
+ elif state == "checked":
+ # Check if topology segment does exists
+@@ -309,14 +309,15 @@ def main():
+ elif direction == "right-to-left":
+ args["right"] = True
+
+- commands.append(["topologysegment_reinitialize", args])
++ commands.append(["topologysegment_reinitialize", args,
++ suffix])
+ else:
+ ansible_module.fail_json(msg="Unkown state '%s'" % state)
+
+ # Execute command
+
+- for command, args in commands:
+- api_command(ansible_module, command, to_text(suffix), args)
++ for command, args, _suffix in commands:
++ api_command(ansible_module, command, to_text(_suffix), args)
+ changed = True
+
+ except Exception as e:
diff --git a/SOURCES/ansible-freeipa-0.1.6-ipatopologysegment-reinitialized-c212b435_rhbz#1733559.patch b/SOURCES/ansible-freeipa-0.1.6-ipatopologysegment-reinitialized-c212b435_rhbz#1733559.patch
new file mode 100644
index 0000000..afcdbfb
--- /dev/null
+++ b/SOURCES/ansible-freeipa-0.1.6-ipatopologysegment-reinitialized-c212b435_rhbz#1733559.patch
@@ -0,0 +1,38 @@
+From c212b43516cb870bbaa86c607dde33f373768043 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Fri, 26 Jul 2019 19:30:11 +0200
+Subject: [PATCH] ipatopologysegment: Fail for missing entry with reinitialized
+
+Currently it is ignored if the entry for reinitialized can not be found if
+the name or left and right are not correct. Now there is a failure in this
+case.
+
+Fixes: #107 (Reinitialize are failed to find the node in ipatopology ..)
+Signed-off-by: Thomas Woerner
+---
+ plugins/modules/ipatopologysegment.py | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/plugins/modules/ipatopologysegment.py b/plugins/modules/ipatopologysegment.py
+index e768f72..e506b53 100644
+--- a/plugins/modules/ipatopologysegment.py
++++ b/plugins/modules/ipatopologysegment.py
+@@ -311,6 +311,18 @@ def main():
+
+ commands.append(["topologysegment_reinitialize", args,
+ suffix])
++ else:
++ params = []
++ if name is not None:
++ params.append("name=%s" % name)
++ if left is not None:
++ params.append("left=%s" % left)
++ if right is not None:
++ params.append("right=%s" % right)
++ ansible_module.fail_json(
++ msg="No entry '%s' for suffix '%s'" %
++ (",".join(params), suffix))
++
+ else:
+ ansible_module.fail_json(msg="Unkown state '%s'" % state)
+
diff --git a/SPECS/ansible-freeipa.spec b/SPECS/ansible-freeipa.spec
new file mode 100644
index 0000000..5f91374
--- /dev/null
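Review bot: The loop variable `_suffix` in the `@@ -309` hunk carries the leading underscore that conventionally marks an unused or throwaway name, yet it is passed straight into `api_command`, which misleads a reader into thinking the per-command suffix is discarded. A plain name reads correctly: `for command, args, cmd_suffix in commands:` / `api_command(ansible_module, command, to_text(cmd_suffix), args)`. The fixed-shape `[command, args, suffix]` records appended in the other three hunks would also more naturally be tuples, e.g. `commands.append(("topologysegment_mod", args, suffix))`, since nothing in the hunks mutates them after creation. The enclosing `main()` starts and ends outside the hunk.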
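Review bot: The new `else:` branch at `@@ -311` builds `params` with three near-identical `if ... is not None` blocks; one comprehension over the name/value pairs states the intent in a single place: `params = ["%s=%s" % (k, v) for k, v in (("name", name), ("left", left), ("right", right)) if v is not None]`. If the module's argument spec allows all three to be absent (not visible in this hunk), the message degrades to `No entry '' for suffix '...'`, so a one-line comment above the block saying which combinations the caller is expected to supply would help the next reader. The enclosing `main()` starts and ends outside the hunk.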
+++ b/SPECS/ansible-freeipa.spec
@@ -0,0 +1,209 @@
+# Turn off automatic python byte compilation because these are Ansible
+# roles and the files are transferred to the node and compiled there with
+# the python verison used in the node
+%define __brp_python_bytecompile %{nil}
+
+Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients
+Name: ansible-freeipa
+Version: 0.1.6
+Release: 4%{?dist}
+URL: https://github.com/freeipa/ansible-freeipa
+License: GPLv3+
+Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch1: ansible-freeipa-0.1.6-gen_module_docs-drop-key-dirserv_cert_files.patch
+Patch2: ansible-freeipa-0.1.6-ipatopologysegment-command-suffix-e4497c18_rhbz#1733547.patch
+Patch3: ansible-freeipa-0.1.6-ipatopologysegment-reinitialized-c212b435_rhbz#1733559.patch
+Patch4: ansible-freeipa-0.1.6-ansible_ipa_client_Drop_import_of_configure_nsswitch_database_rhbz#1748905.patch
+BuildArch: noarch
+
+#Requires: ansible
+
+%description
+ansible-freeipa provides Ansible roles and playbooks to install and uninstall
+FreeIPA servers, replicas and clients.
+
+Note: The ansible playbooks and roles require a configured ansible environment
+where the ansible nodes are reachable and are properly set up to have an IP
+address and a working package manager.
+
+Features
+
+- Server, replica and client deployment
+- Cluster deployments: Server, replicas and clients in one playbook
+- One-time-password (OTP) support for client installation
+- Repair mode for clients
+
+Supported FreeIPA Versions
+
+FreeIPA versions 4.6 and up are supported by all roles.
+
+The client role supports versions 4.4 and up, the server role is working with
+versions 4.5 and up, the replica role is currently only working with versions
+4.6 and up.
+
+Supported Distributions
+
+- RHEL/CentOS 7.4+
+- Fedora 26+
+- Ubuntu
+
+Requirements
+
+ Controller
+ - Ansible version: 2.5+
+ - python3-gssapi is required on the controller if a one time password (OTP)
+ is used to install the client.
+
+ Node
+ - Supported FreeIPA version (see above)
+ - Supported distribution (needed for package installation only, see above)
+
+Limitations
+
+External CA support is not supported or working. The currently needed two step
+process is an issue for the processing in the role. The configuration of the
+server is partly done already and needs to be continued after the CSR has been
+handled. This is for example breaking the deployment of a server with replicas
+or clients in one playbook.
+
+%prep
+%setup -q
+# Do not create backup files with patches
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+# Fix python modules and module utils:
+# - Remove shebang
+# - Remove execute flag
+for i in roles/ipa*/library/*.py roles/ipa*/module_utils/*.py plugins/*/*.py; do
+ sed -i '/\/usr\/bin\/python*/d' $i
+ chmod a-x $i
+done
+# Add execute flag to py3test.py scripts
+chmod a+x roles/ipa*/files/py3test.py
+
+%build
+
+%install
+install -m 755 -d %{buildroot}%{_datadir}/ansible/roles/
+cp -rp roles/ipaserver %{buildroot}%{_datadir}/ansible/roles/
+cp -rp roles/ipaserver/README.md README-server.md
+cp -rp roles/ipareplica %{buildroot}%{_datadir}/ansible/roles/
+cp -rp roles/ipareplica/README.md README-replica.md
+cp -rp roles/ipaclient %{buildroot}%{_datadir}/ansible/roles/
+cp -rp roles/ipaclient/README.md README-client.md
+install -m 755 -d %{buildroot}%{_datadir}/ansible/plugins/
+cp -rp plugins/* %{buildroot}%{_datadir}/ansible/plugins/
+
+%files
+%license COPYING
+%{_datadir}/ansible/roles/ipaserver
+%{_datadir}/ansible/roles/ipareplica
+%{_datadir}/ansible/roles/ipaclient
+%{_datadir}/ansible/plugins/module_utils
+%{_datadir}/ansible/plugins/modules
+%doc README.md
+%doc README-topology.md
+%doc README-server.md
+%doc README-replica.md
+%doc README-client.md
+%doc playbooks
+
+%changelog
+* Fri Sep 6 2019 Thomas Woerner - 0.1.6-4
+- ansible_ipa_client: Drop import of configure_nsswitch_database
+ (RHBZ#1748905)
+
+* Wed Jul 31 2019 Thomas Woerner - 0.1.6-3
+- ipatopologysegment: Store suffix for commands in command list (RHBZ#1733547)
+- ipatopologysegment: Fail for missing entry with reinitialized (RHBZ#1733559)
+
+* Tue Jul 23 2019 Thomas Woerner - 0.1.6-2
+- Drop dirserv_cert_files key from utils/gen_module_docs.py for covscan
+
+* Tue Jul 23 2019 Thomas Woerner - 0.1.6-1
+- update to version 0.1.6
+ - Lots of documentation updates in READMEs and modules
+ - library/ipaclient_get_otp: Enable force mode for host_add call (fixes #74)
+ - Flake8 and pylint reated fixes
+ - Fixed wrong path to CheckedIPAddress class in ipareplica_test
+ - Remove unused ipaserver/library/ipaserver.py
+ - No not use wildcard imports for modules
+ - ipareplica: Add support for pki_config_override
+ - ipareplica: Initialize dns.ip_addresses and dns.reverse_zones for dns setup
+ - ipareplica_prepare: Properly initialize pin and cert_name variables
+ - ipareplica: Fail with proper error messages
+ - ipaserver: Properly set settings related to pkcs12 files
+ - ipaclient: RawConfigParser is not always provided by six.moves.configparser
+ - ipaclient_setup_nss: paths.GETENT is not available before
+ freeipa-4.6.90.pre1
+ - ipaserver_test: Initialize value from options.zonemgr
+ - ipareplica_setup_custodia: create_replica only available in newer releases
+ - ipaclient: Fix typo in dnsok assignment for ipaclient_setup_nss
+ - ipa[server,replica]: Set _packages_adtrust for Ubuntu
+ - New build script for galaxy release
+ - New utils script to update module docs
+- Changes from ansible-freeipa-0.1.5
+ - Support for IPA 4.8.0
+ - New user management module
+ - New group management module
+ - ipaserver: Support external signed CA
+ - RHEL-8 specific vars files to be able to install needed modules
+ automatically
+ - ipareplica: Fixes for certmonger and kra setup
+ - New tests folder
+ - OTP related updates to README files
+
+* Thu Jul 4 2019 Thomas Woerner - 0.1.4-2
+- ansible_ipa_client: Always set options.unattended (RHBZ#1726645)
+- ipaserver_prepare: Properly report error, do show trace back (RHBZ#1726668)
+- ipa[server,replica,client]: RHEL-8 specific vars files (RHBZ#1727095)
+- ipatopology modules: Use ipaadmin_ prefix for principal and password
+ (RHBZ#1727101)
+
+* Mon Jun 17 2019 Thomas Woerner - 0.1.4-1
+- update to version 0.1.4
+ - ipatopologysegment: Use commands, not command
+
+* Mon Jun 17 2019 Thomas Woerner - 0.1.3-1
+- update to version 0.1.3
+ - ipaclient_test: Fix Python2 decode use with Python3
+ - Fixed: #86 (AttributeError: 'str' object has no attribute 'decode')
+ - ipaclient_get_otp: Remove ansible_python_interpreter handling
+ - ipaclient: Use omit (None) for password, keytab, no string length checks
+ - ipaclient_join: Support to use ipaadmin_keytab without ipaclient_use_otp
+ - ipaclient: Report error message if ipaclient_get_otp failed
+ - Fixes #17 Improve how tasks manage package installation
+ - ipareplica: The dm password is not needed for ipareplica_master_password
+ - ipareplica: Use ipareplica_server if set
+ - ipatopologysegment: Allow domain+ca suffix, new state: checked
+ - Documentation updates
+ - Cleanups
+
+* Tue Jun 11 2019 Thomas Woerner - 0.1.2-3
+- bump release for functional test
+
+* Tue Jun 11 2019 Thomas Woerner - 0.1.2-2
+- bump release for functional test
+
+* Fri Jun 7 2019 Thomas Woerner - 0.1.2-1
+- update to version 0.1.2
+ - Now a new Ansible Collection
+ - Fix gssapi requirement for OTP: It is only needed if keytab is used with
+ OTP now.
+ - Fix wrong ansible argument types
+ - Do not fail on textwrap for replica deployments with CA
+ - Ansible lint and galaxy fixes
+ - Disable automatic removal of replication agreements in uninstall
+ - Enable freeipa-trust service if adtrust is enabled
+ - Add support for hidden replica
+ - New topology managament modules
+ - Add support for pki_config_override
+ - Fix host name setup in server deployment
+ - Fix errors when ipaservers variable is not set
+ - Fix ipaclient install role length typo
+ - Cleanups
+
+* Mon May 6 2019 Thomas Woerner - 0.1.1-1
+- Initial package
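Review bot: The shebang-stripping loop in `%prep` runs `sed -i '/\/usr\/bin\/python*/d' $i`, which deletes every line containing `/usr/bin/pytho` (the `*` quantifies only the trailing `n`) anywhere in each module rather than a shebang on the first line, so a comment or string literal that mentions the interpreter path would be silently dropped from the installed role. Anchoring the pattern to a shebang and quoting the loop variable limits the edit to what the comment above it promises: `sed -i '/^#!.*\/usr\/bin\/python/d' "$i"` and `chmod a-x "$i"`. One wording nit in the same hunk: `verison` in the byte-compile comment at the top of the spec.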