diff --git a/module_utils/ansible_ipa_replica.py b/module_utils/ansible_ipa_replica.py
index d26f9d2799c8e65c2d3a9534eafe6afd729ffc55..3b1fbf73524da4e73530fe684a2d0407357aec48 100644
--- a/module_utils/ansible_ipa_replica.py
+++ b/module_utils/ansible_ipa_replica.py
@@ -59,7 +59,6 @@ if NUM_VERSION >= 40600:
import six
from ipaclient.install.ipachangeconf import IPAChangeConf
- import ipaclient.install.ntpconf
from ipalib.install import certstore, sysrestore
from ipalib.install.kinit import kinit_keytab
from ipapython import ipaldap, ipautil, kernel_keyring
@@ -78,8 +77,7 @@ if NUM_VERSION >= 40600:
from ipaserver.install import (
adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance,
installutils, kra, krbinstance,
- ntpinstance, otpdinstance, custodiainstance, service,
- upgradeinstance)
+ otpdinstance, custodiainstance, service, upgradeinstance)
from ipaserver.install.installutils import (
create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
from ipaserver.install.replication import (
@@ -103,6 +101,18 @@ if NUM_VERSION >= 40600:
if six.PY3:
unicode = str
+ try:
+ from ipaclient.install import timeconf
+ time_service = "chronyd"
+ ntpinstance = None
+ except ImportError:
+ try:
+ from ipaclient.install import ntpconf as timeconf
+ except ImportError:
+ from ipaclient import ntpconf as timeconf
+ from ipaserver.install import ntpinstance
+ time_service = "ntpd"
+
else:
# IPA version < 4.6
diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
index ab9313a3b00249bba1ec39fa061c322e27ba85ea..d3c719995221ab39c6f5b392239eb6c819e6cb45 100644
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -265,7 +265,9 @@ def main():
# do not use ensure_enrolled, it uses redirect_output
# ensure_enrolled(installer)
- args = [paths.IPA_CLIENT_INSTALL, "--unattended", "--no-ntp"]
+ args = [paths.IPA_CLIENT_INSTALL, "--unattended"]
+ if NUM_VERSION < 40690:
+ args.append("--no-ntp")
stdin = None
nolog = []
diff --git a/roles/ipareplica/library/ipareplica_setup_ca.py b/roles/ipareplica/library/ipareplica_setup_ca.py
index b322da588439ea68aa336bad3a3a51fd443e6d15..f4de7592e0c5a15513aa00c12cf7623f7d7ffc5c 100644
--- a/roles/ipareplica/library/ipareplica_setup_ca.py
+++ b/roles/ipareplica/library/ipareplica_setup_ca.py
@@ -189,6 +189,7 @@ def main():
config.master_host_name = config_master_host_name
config.ca_host_name = config_ca_host_name
config.ips = config_ips
+ config.promote = options.promote
remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA)
options._remote_api = remote_api
@@ -208,7 +209,16 @@ def main():
options.domain_name = config.domain_name
options.host_name = config.host_name
options.dm_password = config.dirman_password
- ca.install(False, config, options)
+ if NUM_VERSION < 40690:
+ ca.install(False, config, options)
+ else:
+ if ca_enabled:
+ mode = custodiainstance.CustodiaModes.CA_PEER
+ else:
+ mode = custodiainstance.CustodiaModes.MASTER_PEER
+ custodia = custodiainstance.get_custodia_instance(config, mode)
+
+ ca.install(False, config, options, custodia=custodia)
# done #
diff --git a/roles/ipareplica/library/ipareplica_setup_custodia.py b/roles/ipareplica/library/ipareplica_setup_custodia.py
index 628eb495802daa8fd1a526c008a6774a7b1bf6c8..37b11f1f06383a665c35cc15b18506f9c2dfe8f8 100644
--- a/roles/ipareplica/library/ipareplica_setup_custodia.py
+++ b/roles/ipareplica/library/ipareplica_setup_custodia.py
@@ -148,6 +148,7 @@ def main():
api_bootstrap_finalize(env)
config = gen_ReplicaConfig()
config.dirman_password = dirman_password
+ config.promote = installer.promote
remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
#installer._remote_api = remote_api
@@ -163,13 +164,21 @@ def main():
with redirect_stdout(ansible_log):
ansible_log.debug("-- INSTALL_CUSTODIA --")
- custodia = custodiainstance.CustodiaInstance(config.host_name,
- config.realm_name)
- if promote:
- ansible_log.debug("-- CUSTODIA CREATE_REPLICA --")
- custodia.create_replica(config.master_host_name)
+ if NUM_VERSION < 40690:
+ custodia = custodiainstance.CustodiaInstance(config.host_name,
+ config.realm_name)
+ if promote:
+ ansible_log.debug("-- CUSTODIA CREATE_REPLICA --")
+ custodia.create_replica(config.master_host_name)
+ else:
+ ansible_log.debug("-- CUSTODIA CREATE_INSTANCE --")
+ custodia.create_instance()
else:
- ansible_log.debug("-- CUSTODIA CREATE_INSTANCE --")
+ if ca_enabled:
+ mode = custodiainstance.CustodiaModes.CA_PEER
+ else:
+ mode = custodiainstance.CustodiaModes.MASTER_PEER
+ custodia = custodiainstance.get_custodia_instance(config, mode)
custodia.create_instance()
# done #
diff --git a/roles/ipareplica/library/ipareplica_setup_dns.py b/roles/ipareplica/library/ipareplica_setup_dns.py
index 6d6701a7715611b83784815db295e90fd5315bc7..10675698be9d751dedc6cd72b3d873f5ab75554b 100644
--- a/roles/ipareplica/library/ipareplica_setup_dns.py
+++ b/roles/ipareplica/library/ipareplica_setup_dns.py
@@ -52,7 +52,7 @@ options:
_top_dir:
description:
required: yes
- config_setup_ca:
+ setup_ca:
description:
required: yes
config_master_host_name:
@@ -82,7 +82,7 @@ def main():
### additional ###
ccache=dict(required=True),
_top_dir = dict(required=True),
- config_setup_ca=dict(required=True),
+ setup_ca=dict(required=True),
config_master_host_name=dict(required=True),
),
supports_check_mode = True,
@@ -105,7 +105,7 @@ def main():
ccache = ansible_module.params.get('ccache')
os.environ['KRB5CCNAME'] = ccache
options._top_dir = ansible_module.params.get('_top_dir')
- config_setup_ca = ansible_module.params.get('config_setup_ca')
+ options.setup_ca = ansible_module.params.get('setup_ca')
config_master_host_name = ansible_module.params.get('config_master_host_name')
# init #
diff --git a/roles/ipareplica/library/ipareplica_setup_ds.py b/roles/ipareplica/library/ipareplica_setup_ds.py
index 24b976aa83f0b819af8c54871895de98846c275a..02a11c76e069a4eb7b73002bebfca13c0ea34026 100644
--- a/roles/ipareplica/library/ipareplica_setup_ds.py
+++ b/roles/ipareplica/library/ipareplica_setup_ds.py
@@ -289,6 +289,7 @@ def main():
config.master_host_name = config_master_host_name
config.ca_host_name = config_ca_host_name
config.ips = config_ips
+ config.promote = installer.promote
remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
installer._remote_api = remote_api
@@ -324,8 +325,9 @@ def main():
install_dns_records(config, options, remote_api)
ansible_log.debug("-- NTP LDAP ENABLE --")
- ntpinstance.ntp_ldap_enable(config.host_name, ds.suffix,
- remote_api.env.realm)
+ if ntpinstance is not None:
+ ntpinstance.ntp_ldap_enable(config.host_name, ds.suffix,
+ remote_api.env.realm)
finally:
if conn.isconnected():
ansible_log.debug("-- DISCONNECT --")
diff --git a/roles/ipareplica/library/ipareplica_setup_http.py b/roles/ipareplica/library/ipareplica_setup_http.py
index ff6450a391dbf050700f4ef452da4e605b1ef542..98afd1b0d8090bb154e80c77d35ed0823693704c 100644
--- a/roles/ipareplica/library/ipareplica_setup_http.py
+++ b/roles/ipareplica/library/ipareplica_setup_http.py
@@ -97,6 +97,7 @@ def main():
#### certificate system ###
subject_base=dict(required=True),
config_master_host_name=dict(required=True),
+ config_ca_host_name=dict(required=True),
ccache=dict(required=True),
_ca_enabled=dict(required=False, type='bool'),
_ca_file=dict(required=False),
@@ -123,6 +124,7 @@ def main():
options.subject_base = DN(options.subject_base)
### additional ###
master_host_name = ansible_module.params.get('config_master_host_name')
+ ca_host_name = ansible_module.params.get('config_master_host_name')
ccache = ansible_module.params.get('ccache')
os.environ['KRB5CCNAME'] = ccache
#os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
@@ -146,8 +148,12 @@ def main():
constants.DEFAULT_CONFIG)
api_bootstrap_finalize(env)
config = gen_ReplicaConfig()
- config.dirman_password = dirman_password
config.subject_base = options.subject_base
+ config.dirman_password = dirman_password
+ config.setup_ca = options.setup_ca
+ #config.master_host_name = master_host_name
+ config.ca_host_name = ca_host_name
+ config.promote = installer.promote
remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
#installer._remote_api = remote_api
@@ -164,6 +170,24 @@ def main():
with redirect_stdout(ansible_log):
ansible_log.debug("-- INSTALL_HTTP --")
+ # We need to point to the master when certmonger asks for
+ # HTTP certificate.
+ # During http installation, the HTTP/hostname principal is created
+ # locally then the installer waits for the entry to appear on the
+ # master selected for the installation.
+ # In a later step, the installer requests a SSL certificate through
+ # Certmonger (and the op adds the principal if it does not exist yet).
+ # If xmlrpc_uri points to the soon-to-be replica,
+ # the httpd service is not ready yet to handle certmonger requests
+ # and certmonger tries to find another master. The master can be
+ # different from the one selected for the installation, and it is
+ # possible that the principal has not been replicated yet. This
+ # may lead to a replication conflict.
+ # This is why we need to force the use of the same master by
+ # setting xmlrpc_uri
+ create_ipa_conf(fstore, config, ca_enabled,
+ master=config.master_host_name)
+
install_http(
config,
auto_redirect=not options.no_ui_redirect,
@@ -172,6 +196,9 @@ def main():
ca_is_configured=ca_enabled,
ca_file=cafile)
+ # Need to point back to ourself after the cert for HTTP is obtained
+ create_ipa_conf(fstore, config, ca_enabled)
+
# done #
ansible_module.exit_json(changed=True)
diff --git a/roles/ipareplica/library/ipareplica_setup_kra.py b/roles/ipareplica/library/ipareplica_setup_kra.py
index 5a96fd9fb0e42876cda6bee01b288f0ece14583f..b585cb17d08d446bb8afc01edb310bdd4a7a1254 100644
--- a/roles/ipareplica/library/ipareplica_setup_kra.py
+++ b/roles/ipareplica/library/ipareplica_setup_kra.py
@@ -205,6 +205,7 @@ def main():
api_bootstrap_finalize(env)
config = gen_ReplicaConfig()
config.subject_base = options.subject_base
+ config.promote = installer.promote
remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
installer._remote_api = remote_api
@@ -215,7 +216,16 @@ def main():
with redirect_stdout(ansible_log):
ansible_log.debug("-- INSTALL KRA --")
- kra.install(api, config, options)
+ if NUM_VERSION < 40690:
+ kra.install(api, config, options)
+ else:
+ if ca_enabled:
+ mode = custodiainstance.CustodiaModes.CA_PEER
+ else:
+ mode = custodiainstance.CustodiaModes.MASTER_PEER
+ custodia = custodiainstance.get_custodia_instance(config, mode)
+
+ kra.install(api, config, options, custodia=custodia)
# done #
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index de5576fb11333eddceac01deab82e70fa6df5a60..47c44800031b2b1c60685882de4f515c23127891 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -373,6 +373,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -586,7 +587,7 @@
### additional ###
ccache: "{{ result_ipareplica_prepare.ccache }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
- config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
+ setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
- name: Install - Setup adtrust