From 7a3bab841af60dc5834283e9318bcd1800e3cf07 Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Sat, 16 Jul 2016 19:00:53 -0400 Subject: [PATCH 1/7] Successfully deployed functional freeipa-server --- Berksfile | 4 +++- recipes/server.rb | 55 +++++++++++++++++++++++++++-------------------- 2 files changed, 35 insertions(+), 24 deletions(-) diff --git a/Berksfile b/Berksfile index 065c05f..3187b76 100644 --- a/Berksfile +++ b/Berksfile @@ -4,4 +4,6 @@ metadata cookbook 'chef-vault' cookbook 'ohai' -cookbook 'sshroot2rootssh', path: '/home/psi-jack/Chef/cookbooks/sshroot2rootssh' +cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey' +cookbook 'sshroot2rootssh', path: '../sshroot2rootssh' + diff --git a/recipes/server.rb b/recipes/server.rb index a7ed6b8..327b7cf 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -37,16 +37,24 @@ passwords = chef_vault_item(:freeipa, 'passwords') #package "dbus" #package "oddjob" #package "ipa-client" -package "ipa-server" +#package "ipa-server" package "rsync" +package 'ipa-server' do + case node[:platform] + when 'redhat', 'centos' + package_name 'ipa-server' + end + action :install +end + ##### Security considerations # All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs # That kind of sucks, but what are the real consequences? # Since they are replicants of each other, this can be justified, since the data is already compromised. # Can selinux help mitigate this? #include_recipe "ohai" -#include_recipe "sshroot2rootssh" +include_recipe "sshroot2rootssh" ##### Replication # We're going to have to 
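Review bot: The `case node[:platform]` inside the new `package 'ipa-server'` resource is a no-op, because `package_name` defaults to the resource name and the only branch sets it to that same value; either drop the `case` or give the other platforms a real mapping (or a `raise`), and the commented `#package "ipa-server"` two lines above is now a dead duplicate. Un-commenting `include_recipe "sshroot2rootssh"` makes the root-to-root ssh trust described in the security-considerations comment live while the comment still reads as an open question; it should record that the trust is now active and what it is used for, e.g. `# Root ssh trust between IPA servers is active via sshroot2rootssh (used to copy replica-info files); keep the key limited to the IPA hosts`. The exact key handling is presumably inside that cookbook, so the wording should be checked against it.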
@@ -65,11 +73,11 @@ package "rsync" # negotiate for master freeipa_masters = search(:node, "freeipa_master:true") if freeipa_masters.empty? then - node.set[:freeipa][:master] = "true" -end + node.set[:freeipa][:master] = true +#end ##### Do master stuff -if node[:freeipa][:master] then +#if node[:freeipa][:master] then # write better tests to see if freeipa is already set up. ## Bootstrap FreeIPA 
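Review bot: Master election at `if freeipa_masters.empty? then` is derived solely from a Chef search, so two fresh nodes converging before the index reflects either one's `node.set[:freeipa][:master] = true` will both elect themselves master and both run `ipa-server-install`; an operator-set attribute or role is a safer basis for this decision than search, or at minimum the assumption should be written down, e.g. `# Bootstrap exactly one node first: search-based election races if several nodes converge together`. Commenting out `#end` also makes this `if` the enclosing block of the whole master section, whose `end` lies outside this hunk, while the old `#if node[:freeipa][:master] then` marker is left below it as a misleading comment; removing that stale line would make the structure readable.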
@@ -87,33 +95,34 @@ if node[:freeipa][:master] then cmd += " -U " cmd += " --no-host-dns " command "#{cmd}" - notifies :start, "service[dirsrv]" + #notifies :start, "service[dirsrv]" end # Compare list of freeipa_servers with contents of /var/lib/ipa/ #configured_replicants =`ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{node[:fqdn]} list`.split - configured_replicants =`ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{node[:fqdn]} list`.split - configured_replicants.each { |r| puts "DEBUG: configured_replicant: #{r}" } + #configured_replicants = `ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{node[:fqdn]} list`.split + #configured_replicants.each { |r| puts "DEBUG: configured_replicant: #{r}" } - freeipa_server_fqdns = Array.new - freeipa_servers.each { |n| freeipa_server_fqdns << n[:fqdn] } - freeipa_server_fqdns.compact! + #freeipa_server_fqdns = Array.new + #freeipa_servers.each { |n| freeipa_server_fqdns << n[:fqdn] } + #freeipa_server_fqdns.compact! - freeipa_server_fqdns.each do |f| - unless node[:fqdn] == f then - unless configured_replicants.include?( f ) then - execute "generating replica config for #{f}" do - not_if "ls /var/lib/ipa/replica-info-#{f}.gpg" - command "ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']} #{f}" - end - end - end - end + #freeipa_server_fqdns.each do |f| + # unless node[:fqdn] == f then + # unless configured_replicants.include?( f ) then + # execute "generating replica config for #{f}" do + # not_if "ls /var/lib/ipa/replica-info-#{f}.gpg" + # command "ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']} #{f}" + # end + # end + # end + #end -end +#end ### Subsequent nodes -unless node[:freeipa][:master] then +#unless node[:freeipa][:master] then +else # check to see if slave is setup to replicat from master #"ipa-replica-manage -p 0123456789 -H authentication-1.dev.us-east-1.aws.afistfulofservers.net list" 
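Review bot: The `else` that replaces `#unless node[:freeipa][:master] then` now pairs with `if freeipa_masters.empty?` higher up, so on its next converge the master itself appears in the `freeipa_master:true` search result and takes this replica branch, where `freeipa_masters[0][:fqdn]` may well be its own name; guarding on the node's own state, e.g. `elsif !node[:freeipa][:master] then`, keeps the master out of the replica steps. The master-side replica preparation is now entirely commented out (`#freeipa_server_fqdns.each do |f| … ipa-replica-prepare …`), so nothing in this commit produces the `replica-info-*.gpg` files the later steps copy; if that is intentional for now, a `# TODO: replica preparation moved/disabled` comment at the commented block would say so. Commenting out `#notifies :start, "service[dirsrv]"` likewise leaves no replacement for starting the directory server after install. The `execute "initializing freeipa-server"` resource begins above this hunk.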
From 73f104031f9242b9ce9bcfcb191fb6861c5b5e4c Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Sat, 16 Jul 2016 19:08:11 -0400 Subject: [PATCH 2/7] Added admin.password file for escelating kerberos auth --- metadata.rb | 2 +- recipes/server.rb | 9 +++++++++ templates/default/admin.password.erb | 1 + 3 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 templates/default/admin.password.erb diff --git a/metadata.rb b/metadata.rb index a8d9805..79e4f9d 100644 --- a/metadata.rb +++ b/metadata.rb @@ -4,7 +4,7 @@ maintainer_email 'psi-jack@linux-help.org' license 'GPLv3' description 'Installs/Configures freeipa' long_description 'Installs/Configures freeipa' -version '0.1.0' +version '0.1.1' depends 'ohai' depends 'chef-vault' diff --git a/recipes/server.rb b/recipes/server.rb index 327b7cf..3d937a8 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -169,7 +169,16 @@ else command cmd ignore_failure true end +end +template '/etc/ipa/admin.password' do + source 'admin.password.erb' + user 'root' + group 'root' + mode '0600' + variables ( + password => passwords['ipa_user_pwd'] + ) end ##### services diff --git a/templates/default/admin.password.erb b/templates/default/admin.password.erb new file mode 100644 index 0000000..6518912 --- /dev/null +++ b/templates/default/admin.password.erb @@ -0,0 +1 @@ +<%= password -%> From 6331699cde67a031354f386ba752c33dcc5e25ba Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Sat, 16 Jul 2016 19:12:05 -0400 Subject: [PATCH 3/7] Fixed admin.password template --- recipes/server.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/recipes/server.rb b/recipes/server.rb index 3d937a8..e39dba9 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -176,9 +176,7 @@ template '/etc/ipa/admin.password' do user 'root' group 'root' mode '0600' - variables ( - password => passwords['ipa_user_pwd'] - ) + variables :password => passwords['ipa_user_pwd'] end ##### services 
From 1cf22fbfa3991114ef69e4505b68c4eb33a8d029 Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Sat, 16 Jul 2016 19:38:47 -0400 Subject: [PATCH 4/7] Added admin.password file --- recipes/server.rb | 8 ++++---- templates/default/admin.password.erb | 1 - 2 files changed, 4 insertions(+), 5 deletions(-) delete mode 100644 templates/default/admin.password.erb diff --git a/recipes/server.rb b/recipes/server.rb index e39dba9..55b2d21 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -171,12 +171,12 @@ else end end -template '/etc/ipa/admin.password' do - source 'admin.password.erb' - user 'root' +file '/etc/ipa/admin.password' do + content "#{passwords['ipa_user_pwd']}" + owner 'root' group 'root' mode '0600' - variables :password => passwords['ipa_user_pwd'] + sensitive true end ##### services diff --git a/templates/default/admin.password.erb b/templates/default/admin.password.erb deleted file mode 100644 index 6518912..0000000 --- a/templates/default/admin.password.erb +++ /dev/null @@ -1 +0,0 @@ -<%= password -%> From d48b3f2615788a3d71fba0a3388dbea6f58f6c3a Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Sun, 17 Jul 2016 01:04:58 -0400 Subject: [PATCH 5/7] Code cleanup, refinement, and some minor corrections. --- metadata.rb | 2 +- recipes/server.rb | 142 +++++++++++++++++++++++++--------------------- 2 files changed, 79 insertions(+), 65 deletions(-) diff --git a/metadata.rb b/metadata.rb index 79e4f9d..fe92800 100644 --- a/metadata.rb +++ b/metadata.rb @@ -4,7 +4,7 @@ maintainer_email 'psi-jack@linux-help.org' license 'GPLv3' description 'Installs/Configures freeipa' long_description 'Installs/Configures freeipa' -version '0.1.1' +version '0.1.2' depends 'ohai' depends 'chef-vault' diff --git a/recipes/server.rb b/recipes/server.rb index 55b2d21..5b96a14 100644 --- a/recipes/server.rb +++ b/recipes/server.rb 
@@ -38,14 +38,14 @@ passwords = chef_vault_item(:freeipa, 'passwords') #package "oddjob" #package "ipa-client" #package "ipa-server" -package "rsync" +#package "rsync" package 'ipa-server' do case node[:platform] when 'redhat', 'centos' package_name 'ipa-server' end - action :install + action :install end ##### Security considerations @@ -73,28 +73,24 @@ include_recipe "sshroot2rootssh" # negotiate for master freeipa_masters = search(:node, "freeipa_master:true") if freeipa_masters.empty? then - node.set[:freeipa][:master] = true -#end - -##### Do master stuff -#if node[:freeipa][:master] then + ##### Do master stuff # write better tests to see if freeipa is already set up. ## Bootstrap FreeIPA execute "initializing freeipa-server" do - not_if "ls /var/lib/ipa/sysrestore/sysrestore.state" - cmd = "ipa-server-install" - cmd += " --hostname " + node[:fqdn] - #cmd += " -u " + "ipaadmin" - cmd += " -r " + node[:domain].upcase - cmd += " -n " + node[:domain] - cmd += " -p " + passwords['ldap_server_admin_pwd'] - cmd += " -P " + passwords['kdc_database_master_key'] - cmd += " -a " + passwords['ipa_user_pwd'] - cmd += " -N " - cmd += " -U " - cmd += " --no-host-dns " - command "#{cmd}" + not_if { File.exist?('/var/liv/ipa/sysrestore/sysrestore.state') } + cmd = "ipa-server-install" + cmd += " --hostname " + node[:fqdn] + #cmd += " -u " + "ipaadmin" + cmd += " -r " + node[:domain].upcase + cmd += " -n " + node[:domain] + cmd += " -p " + passwords['ldap_server_admin_pwd'] + cmd += " -P " + passwords['kdc_database_master_key'] + cmd += " -a " + passwords['ipa_user_pwd'] + cmd += " -N " + cmd += " -U " + cmd += " --no-host-dns --mkhomedir" + command cmd #notifies :start, "service[dirsrv]" end 
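Review bot: The new guard `not_if { File.exist?('/var/liv/ipa/sysrestore/sysrestore.state') }` misspells the path (`/var/liv/` for `/var/lib/`, compare the removed `ls /var/lib/ipa/sysrestore/sysrestore.state`), so it never matches and `ipa-server-install` is attempted on every converge of the master; correct it to `not_if { File.exist?('/var/lib/ipa/sysrestore/sysrestore.state') }`. The same resource builds `cmd` with `passwords['ldap_server_admin_pwd']`, `passwords['kdc_database_master_key']` and `passwords['ipa_user_pwd']` as the `-p`/`-P`/`-a` arguments and runs it via `command cmd` without `sensitive true`, so a failing run prints all three secrets into the Chef log (this series adds `sensitive true` to the replica install later but not here); add `sensitive true` beside `command cmd`. Passing them as command-line arguments also exposes them to local process listings for the duration of the install, which deserves a `# NOTE:` comment on the resource so the trade-off is visible to the next maintainer.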
@@ -118,61 +114,78 @@ if freeipa_masters.empty? then # end #end -#end + node.set[:freeipa][:master] = true -### Subsequent nodes -#unless node[:freeipa][:master] then -else +elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then + ### Subsequent Replica Nodes # check to see if slave is setup to replicat from master #"ipa-replica-manage -p 0123456789 -H authentication-1.dev.us-east-1.aws.afistfulofservers.net list" + ssh_noauth = "-o StrictHostKeyChecking=yes -o PasswordAuthentication=no" + + execute "prepare replica from master" do + cmd = "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}" + command cmd + not_if "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} test -f /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" + #notifies :run, 'execute[rsyncing freeipa replication data]', :immediately + end # Check for replication config # Attempt to copy config from master. # Fail gracefully if not found. 
- execute "rsyncing freeipa replication data" do - #only_if "ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" - cmd = "rsync -a -e \"ssh " - cmd += " -o StrictHostKeyChecking=yes" - cmd += " -o PasswordAuthentication=no\"" - cmd += " root@" - cmd += "#{freeipa_masters[0][:fqdn]}:" - cmd += "/var/lib/ipa/replica-info*" - cmd += " /var/lib/ipa" - command cmd - ignore_failure true + execute "scping freeipa replication data" do + #only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" + only_if "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} test -f /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" + not_if { File.exist?("/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg") } + #cmd = "rsync -a -e \"ssh " + ssh_noauth + cmd = "scp " + ssh_noauth + cmd += " root@" + freeipa_masters[0][:fqdn] + cmd += ":/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" + cmd += " /var/lib/ipa/" + command cmd + notifies :run, 'execute[joining freeipa cluster]', :immediately end execute "joining freeipa cluster" do - not_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" - only_if "ls /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" - cmd = "ipa-replica-install" - cmd += " -p " + passwords['ldap_server_admin_pwd'] - cmd +=" /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" - command cmd + not_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" + #only_if "ls /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" + only_if { File.exist?("/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg") } + cmd = "ipa-replica-install" + cmd += " -p " + passwords['ldap_server_admin_pwd'] + cmd += " --unattended --mkhomedir --skip-conncheck" + cmd += " /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" + command cmd + sensitive true + action :nothing + notifies :run, 
'execute[copying CA private key]', :immediately end # copy CA private key # /etc/dirsrv/slapd-DEV-US-EAST-1-AWS-AFISTFULOFSERVERS-NET/pwdfile.txt execute "copying CA private key" do - only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" - only_if "ls /etc/dirsrv/slapd-#{node[:domain].upcase}/" - not_if "ls /etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12" - cmd = "rsync -a -e \"ssh " - cmd += " -o StrictHostKeyChecking=yes" - cmd += " -o PasswordAuthentication=no\"" - cmd += " root@" - cmd += "#{freeipa_masters[0][:fqdn]}:" - cmd += "/etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12" - cmd += " /etc/dirsrv/slapd-#{node[:domain].upcase}/" - #puts "DEBUG: #{cmd}" - command cmd + only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" + only_if { File.exist?("/etc/dirsrv/slapd-#{node[:domain].upcase}/") } + not_if { File.exist?("/etc/dirsrv/slaved-#{node[:domain].upcase}/cacert.p12") } + cmd = "scp " + ssh_noauth + cmd += " root@" + freeipa_masters[0][:fqdn] + cmd += ":/etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12" + cmd += " /etc/dirsrv/slapd-#{node[:domain].upcase}/" + command cmd ignore_failure true + action :nothing + notifies :run, 'ruby_block[set node as replica]', :immediately + end + + ruby_block "set node as replica" do + block do + node.set[:freeipa][:replica] = true + end + action :nothing end end file '/etc/ipa/admin.password' do - content "#{passwords['ipa_user_pwd']}" + content passwords['ipa_user_pwd'] owner 'root' group 'root' mode '0600' 
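Review bot: `execute "prepare replica from master"` runs `ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}` with no replica hostname, whereas the code it replaces (now commented out above) passed the target as `ipa-replica-prepare -p … #{f}`; without that argument the command cannot produce `/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg`, so the `only_if` on the scp step never becomes true — append ` #{node[:fqdn]}` to that `cmd`. In `copying CA private key`, the guard `not_if { File.exist?("/etc/dirsrv/slaved-#{node[:domain].upcase}/cacert.p12") }` misspells `slapd` (the `only_if` above it and the scp destination use `slapd-`), so the copy is re-attempted on every notification. `prepare replica from master` also puts the admin password into `command` without `sensitive true`, which `joining freeipa cluster` already has; add it there too. This hunk spans several collapsed source lines, and the `elsif` that opens the replica branch is at its start.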
@@ -183,12 +196,13 @@ end # enable all the default services recommended by the freeipa docs #service "dirsrv" do -# action [:enable,:start] +# service_name "dirsrv@#{node[:domain].upcase.gsub(".", "-")}" +# action [:enable,:start] #end #service "krb5kdc" do -# only_if service[:dirsrv] => running -# action [:enable,:start] +# only_if service[:dirsrv] => running +# action [:enable,:start] #end #template "/etc/httpd/conf.d/ipa.conf" do @@ -197,18 +211,18 @@ end # notifies :restart, "service[httpd]" #end -#service "httpd" do -# action [:enable,:start] -#end +service "httpd" do + action [:enable,:start] +end #service "ipa_kpasswd" do # action [:enable,:start] #end -#service "ipa" do -# action [:enable,:start] -#end -# +service "ipa" do + action [:enable,:start] +end + #service "messagebus" do # action [:enable,:start] #end From c1159db3be7da57d07d67543a61f1249d7548d65 Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Sun, 17 Jul 2016 01:09:38 -0400 Subject: [PATCH 6/7] Little further refinement to condition checking for deployment steps --- recipes/server.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/recipes/server.rb b/recipes/server.rb index 5b96a14..54aaf08 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -116,7 +116,9 @@ if freeipa_masters.empty? then node.set[:freeipa][:master] = true -elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then +#elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then +elsif (node[:freeipa][:master] && node[:freeipa][:master].respond_to?(:value) && node[:freeipa][:master] == false) && + (node[:freeipa][:replica] && node[:freeipa][:replica].respond_to?(:value) && node[:freeipa][:replica] == false) then ### Subsequent Replica Nodes # check to see if slave is setup to replicat from master 
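Review bot: The rewritten `elsif` in patch 6 can never be true: `node[:freeipa][:master] && … && node[:freeipa][:master] == false` requires the attribute to be truthy and equal to `false` at once, the `replica` clause has the same contradiction, and the `.nil? && … == false` form it replaces was unreachable for the same reason, so the whole replica branch is dead code in both versions. Since the branch is meant for nodes that are neither master nor replica yet, the condition reduces to `elsif !node[:freeipa][:master] && !node[:freeipa][:replica] then`, which also treats an unset attribute as "not yet". The `respond_to?(:value)` checks add nothing here and can go with the rest; keeping the old condition as a `#elsif` comment only confuses the next reader.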
From 463065b85048e5b2eb23eb8783abfb2577018537 Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Sun, 17 Jul 2016 01:09:58 -0400 Subject: [PATCH 7/7] Version bump --- metadata.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.rb b/metadata.rb index fe92800..0775378 100644 --- a/metadata.rb +++ b/metadata.rb @@ -4,7 +4,7 @@ maintainer_email 'psi-jack@linux-help.org' license 'GPLv3' description 'Installs/Configures freeipa' long_description 'Installs/Configures freeipa' -version '0.1.2' +version '0.1.3' depends 'ohai' depends 'chef-vault'