ipaserver: Add support for 4.7 (4.6.90-pre2)

With IPA 4.7 bigger changes have been introduced Changes: - Use of timeconf and chrony instead of ntpconf and ntpd. - New IPAChangeConf (not used in ipaserver modules) - New check_ldap_conf form ipaclient.install.client - custodia instance needed for ca and kra - no_ntp defaults to yes for client installation part - A new option ntp_pool has been introduced (set to None).

ipaserver: Add support for 4.7 (4.6.90-pre2)
14f975b4 · Thomas Woerner · 86e9496a · 14f975b4 · 14f975b4 · 14f975b4
Commit 14f975b4 authored 6 years ago by Thomas Woerner
--- a/module_utils/ansible_ipa_server.py
+++ b/module_utils/ansible_ipa_server.py
@@ -51,12 +51,14 @@ if NUM_VERSION >= 40500:
    import six
+    if NUM_VERSION >= 40690:
+        from ipaclient.install.ipachangeconf import IPAChangeConf
    from ipalib.install import certmonger, sysrestore
    from ipapython import ipautil
    if NUM_VERSION < 40600:
        from ipapython.ipa_log_manager import root_logger
    from ipapython.ipautil import (
-        format_netloc, ipa_generate_password, run, user_input)
+        ipa_generate_password, run, user_input)
    from ipapython.admintool import ScriptError
    from ipaplatform import services
    from ipaplatform.paths import paths
@@ -70,11 +72,21 @@ if NUM_VERSION >= 40500:
        no_matching_interface_for_ip_address_warning,
    )
    from ipapython.dnsutil import check_zone_overlap
-    from ipaclient.install import ntpconf
+    try:
+        from ipaclient.install import timeconf
+        from ipaclient.install.client import sync_time
+        time_service = "chronyd"
+    except ImportError:
+        try:
+            from ipaclient.install import ntpconf as timeconf
+        except ImportError:
+            from ipaclient import ntpconf as timeconf
+        from ipaserver.install import ntpinstance
+        time_service = "ntpd"
    from ipaserver.install import (
        adtrust, bindinstance, ca, dns, dsinstance,
        httpinstance, installutils, kra, krbinstance,
-        ntpinstance, otpdinstance, custodiainstance, replication, service,
+        otpdinstance, custodiainstance, replication, service,
        sysupgrade)
    adtrust_imported = True
    kra_imported = True
@@ -105,6 +117,11 @@ if NUM_VERSION >= 40500:
    except ImportError:
        _server_trust_ad_installed = False
+    try:
+        from ipaclient.install.client import check_ldap_conf
+    except ImportError:
+        check_ldap_conf = None
 else:
    # IPA version < 4.5

--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -200,7 +200,7 @@ def main():
    fd.write("realm=%s\n" % options.realm_name)
    fd.write("domain=%s\n" % options.domain_name)
    fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % \
-             format_netloc(options.host_name))
+             ipautil.format_netloc(options.host_name))
    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % \
             installutils.realm_to_serverid(options.realm_name))
    if options.setup_ca:

--- a/roles/ipaserver/library/ipaserver_setup_ca.py
+++ b/roles/ipaserver/library/ipaserver_setup_ca.py
@@ -170,6 +170,8 @@ def main():
    # init #################################################################
+    options.promote = False  # first master, no promotion
    fstore = sysrestore.FileStore(paths.SYSRESTORE)
    api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
@@ -186,6 +188,11 @@ def main():
    # setup CA ##############################################################
    with redirect_stdout(ansible_log):
+        if NUM_VERSION >= 40604:
+            custodia = custodiainstance.get_custodia_instance(
+                options, custodiainstance.CustodiaModes.MASTER_PEER)
+            custodia.create_instance()
        if options.setup_ca:
            if not options.external_cert_files and options.external_ca:
                # stage 1 of external CA installation
@@ -193,6 +200,9 @@ def main():
                              if n in options.__dict__}
                write_cache(cache_vars)
+            if NUM_VERSION >= 40604:
+                ca.install_step_0(False, None, options, custodia=custodia)
+            else:
                ca.install_step_0(False, None, options)
        else:
            # Put the CA cert where other instances expect it
@@ -210,12 +220,14 @@ def main():
            x509.write_certificate(options._http_ca_cert, paths.CA_BUNDLE_PEM)
            os.chmod(paths.CA_BUNDLE_PEM, 0o444)
-    with redirect_stdout(ansible_log):
        # we now need to enable ssl on the ds
        ds.enable_ssl()
        if options.setup_ca:
            with redirect_stdout(ansible_log):
+                if NUM_VERSION >= 40604:
+                    ca.install_step_1(False, None, options, custodia=custodia)
+                else:
                    ca.install_step_1(False, None, options)
    ansible_module.exit_json(changed=True)

--- a/roles/ipaserver/library/ipaserver_setup_ds.py
+++ b/roles/ipaserver/library/ipaserver_setup_ds.py
@@ -151,7 +151,7 @@ def main():
                               ca_subject=options.ca_subject,
                               hbac_allow=not options.no_hbac_allow,
                               setup_pkinit=not options.no_pkinit)
-            if not options.dirsrv_cert_files:
+            if not options.dirsrv_cert_files and NUM_VERSION < 40690:
                ntpinstance.ntp_ldap_enable(options.host_name, ds.suffix,
                                            options.realm_name)

--- a/roles/ipaserver/library/ipaserver_setup_kra.py
+++ b/roles/ipaserver/library/ipaserver_setup_kra.py
@@ -80,6 +80,13 @@ def main():
    # setup kra #####################################################
    with redirect_stdout(ansible_log):
+        if NUM_VERSION >= 40604:
+            custodia = custodiainstance.get_custodia_instance(
+                options, custodiainstance.CustodiaModes.MASTER_PEER)
+            custodia.create_instance()
+            kra.install(api, None, options, custodia=custodia)
+        else:
            kra.install(api, None, options)
    # done ##########################################################

--- a/roles/ipaserver/library/ipaserver_setup_ntp.py
+++ b/roles/ipaserver/library/ipaserver_setup_ntp.py
@@ -64,7 +64,23 @@ def main():
    # setup NTP #####################################################
-    ntpconf.force_ntpd(sstore)
+    if time_service == "chronyd":
+        # We have to sync time before certificate handling on master.
+        # As chrony configuration is moved from client here, unconfiguration of
+        # chrony will be handled here in uninstall() method as well by invoking
+        # the ipa-server-install --uninstall
+        ansible_module.log("Synchronizing time")
+        options.ntp_servers = None
+        options.ntp_pool = None
+        if sync_time(options, fstore, sstore):
+            ansible_module.log("Time synchronization was successful.")
+        else:
+            ansible_module.warn("IPA was unable to sync time with chrony!")
+            ansible_module.warn("Time synchronization is required for IPA "
+                                "to work correctly")
+    else:
+        # Configure ntpd
+        timeconf.force_ntpd(sstore)
        ntp = ntpinstance.NTPInstance(fstore)
        ntp.set_output(ansible_log)
        with redirect_stdout(ansible_log):

--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -506,6 +506,8 @@ def main():
    tasks.check_ipv6_stack_enabled()
    tasks.check_selinux_status()
+    if check_ldap_conf is not None:
+        check_ldap_conf()
    _installation_cleanup = True
    if not options.external_ca and not options.external_cert_files and \
@@ -515,14 +517,15 @@ def main():
    if not options.no_ntp:
        try:
-            ntpconf.check_timedate_services()
+            timeconf.check_timedate_services()
-        except ntpconf.NTPConflictingService as e:
+        except timeconf.NTPConflictingService as e:
            ansible_module.log("Conflicting time&date synchronization service '%s'"
-                       " will be disabled in favor of ntpd" % \
+                       " will be disabled in favor of %s" % \
-                       e.conflicting_service)
+                       (e.conflicting_service, time_service))
-        except ntpconf.NTPConfigurationError:
+        except timeconf.NTPConfigurationError:
            pass
+    if hasattr(httpinstance, "httpd_443_configured"):
        # Check to see if httpd is already configured to listen on 443
        if httpinstance.httpd_443_configured():
            ansible_module.fail_json(msg="httpd is already configured to listen on 443.")
@@ -534,20 +537,6 @@ def main():
        except ScriptError as e:
            ansible_module.fail_json(msg=e)
-    if not options.no_ntp:
-        try:
-            ntpconf.check_timedate_services()
-        except ntpconf.NTPConflictingService as e:
-            ansible_module.warn(
-                "Conflicting time&date synchronization service "
-                "'%s' will be disabled" % e.conflicting_service)
-        except ntpconf.NTPConfigurationError:
-            pass
-    # Check to see if httpd is already configured to listen on 443
-    if httpinstance.httpd_443_configured():
-        ansible_module.fail_json(msg="httpd is already configured to listen on 443.")
    # check bind packages are installed
    if options.setup_dns:
        # Don't require an external DNS to say who we are if we are
@@ -560,12 +549,9 @@ def main():
    else:
        options.host_default = get_fqdn()
-    _host_name_overridden = False
    try:
        verify_fqdn(options.host_default, options.no_host_dns)
        options.host_name = options.host_default
-        if options.host_default != get_fqdn():
-            _host_name_overridden = True
    except BadHostError as e:
        ansible_module.fail_json(msg=e)
    options.host_name = options.host_name.lower()
@@ -581,6 +567,11 @@ def main():
    if not options.realm_name:
        options.realm_name = options.domain_name
    options.realm_name = options.realm_name.upper()
+    if NUM_VERSION >= 40690:
+        try:
+            validate_domain_name(options.realm_name, entity="realm")
+        except ValueError as e:
+            raise ScriptError("Invalid realm name: {}".format(unicode(e)))
    if not options.setup_adtrust:
        # If domain name and realm does not match, IPA server will not be able
@@ -686,7 +677,7 @@ def main():
        fd.write("basedn=%s\n" % ipautil.realm_to_suffix(options.realm_name))
        fd.write("realm=%s\n" % options.realm_name)
        fd.write("domain=%s\n" % options.domain_name)
-        fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(options.host_name))
+        fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % ipautil.format_netloc(options.host_name))
        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
                 installutils.realm_to_serverid(options.realm_name))
        if options.setup_ca:
@@ -744,6 +735,9 @@ def main():
        except OSError:
            ansible_module.fail_json(msg="Could not remove %s" % ipa_tempdir)
+    # Always set _host_name_overridden
+    options._host_name_overridden = bool(options.host_name)
    # done ##################################################################
    ansible_module.exit_json(changed=True,
@@ -753,7 +747,7 @@ def main():
                             realm=options.realm_name,
                             ip_addresses=[ str(ip) for ip in ip_addresses ],
                             hostname=options.host_name,
-                             _hostname_overridden=_host_name_overridden,
+                             _hostname_overridden=options._host_name_overridden,
                             no_host_dns=options.no_host_dns,
                             ### server ###
                             setup_adtrust=options.setup_adtrust,

--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -125,8 +125,9 @@
      setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
      setup_kra: "{{ result_ipaserver_test.setup_kra }}"
      setup_dns: "{{ ipaserver_setup_dns }}"
-      #no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
      ### certificate system ###
+      # external_ca
+      # external_cert_files
      subject_base: "{{ result_ipaserver_test.subject_base }}"
      ca_subject: "{{ result_ipaserver_test.ca_subject }}"
      ### dns ###
@@ -138,6 +139,11 @@
      no_forwarders: "{{ ipaserver_no_forwarders }}"
      auto_forwarders: "{{ ipaserver_auto_forwarders }}"
      no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}"
+      ### ad trust ###
+      # enable_compat
+      # netbios_name
+      # rid_base
+      # secondary_rid_base
      ### additional ###
      setup_ca: "{{ result_ipaserver_test.setup_ca }}"
      _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
@@ -329,13 +335,9 @@
      ipaclient_on_master: yes
      ipaclient_domain: "{{ result_ipaserver_test.domain }}"
      ipaclient_realm: "{{ result_ipaserver_test.realm }}"
-      ipaclient_server: "{{ result_ipaserver_test.hostname }}"
+      ipaclient_servers: [ "{{ result_ipaserver_test.hostname }}" ]
      ipaclient_hostname: "{{ result_ipaserver_test.hostname }}"
-      #ipaclient_no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
+      ipaclient_no_ntp: "{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690 else 'false' }}"
-      #ipaclient_ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}"
-      #ipaclient_no_ssh: "{{ ipaclient_no_ssh }}"
-      #ipaclient_no_sshd: "{{ ipaclient_no_sshd }}"
-      #ipaclient_mkhomedir: "{{ ipaclient_mkhomedir }}"
  #- name: Install - Setup client
  #  command: >