Merge branch 'develop' of Linux-Help/cookbook-freeipa into master

This commit is contained in:
psi-jack 2016-07-17 05:14:48 +00:00 committed by Gogs
commit 013b29e9ef
3 changed files with 115 additions and 81 deletions

View file

@ -4,4 +4,6 @@ metadata
cookbook 'chef-vault' cookbook 'chef-vault'
cookbook 'ohai' cookbook 'ohai'
cookbook 'sshroot2rootssh', path: '/home/psi-jack/Chef/cookbooks/sshroot2rootssh' cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey'
cookbook 'sshroot2rootssh', path: '../sshroot2rootssh'

View file

@ -4,7 +4,7 @@ maintainer_email 'psi-jack@linux-help.org'
license 'GPLv3' license 'GPLv3'
description 'Installs/Configures freeipa' description 'Installs/Configures freeipa'
long_description 'Installs/Configures freeipa' long_description 'Installs/Configures freeipa'
version '0.1.0' version '0.1.3'
depends 'ohai' depends 'ohai'
depends 'chef-vault' depends 'chef-vault'

View file

@ -37,8 +37,16 @@ passwords = chef_vault_item(:freeipa, 'passwords')
#package "dbus" #package "dbus"
#package "oddjob" #package "oddjob"
#package "ipa-client" #package "ipa-client"
package "ipa-server" #package "ipa-server"
package "rsync" #package "rsync"
package 'ipa-server' do
case node[:platform]
when 'redhat', 'centos'
package_name 'ipa-server'
end
action :install
end
##### Security considerations ##### Security considerations
# All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs # All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs
@ -46,7 +54,7 @@ package "rsync"
# Since they are replicants of each other, this can be justified, since the data is already compromised. # Since they are replicants of each other, this can be justified, since the data is already compromised.
# Can selinux help mitigate this? # Can selinux help mitigate this?
#include_recipe "ohai" #include_recipe "ohai"
#include_recipe "sshroot2rootssh" include_recipe "sshroot2rootssh"
##### Replication ##### Replication
# We're going to have to # We're going to have to
@ -65,16 +73,12 @@ package "rsync"
# negotiate for master # negotiate for master
freeipa_masters = search(:node, "freeipa_master:true") freeipa_masters = search(:node, "freeipa_master:true")
if freeipa_masters.empty? then if freeipa_masters.empty? then
node.set[:freeipa][:master] = "true" ##### Do master stuff
end
##### Do master stuff
if node[:freeipa][:master] then
# write better tests to see if freeipa is already set up. # write better tests to see if freeipa is already set up.
## Bootstrap FreeIPA ## Bootstrap FreeIPA
execute "initializing freeipa-server" do execute "initializing freeipa-server" do
not_if "ls /var/lib/ipa/sysrestore/sysrestore.state" not_if { File.exist?('/var/liv/ipa/sysrestore/sysrestore.state') }
cmd = "ipa-server-install" cmd = "ipa-server-install"
cmd += " --hostname " + node[:fqdn] cmd += " --hostname " + node[:fqdn]
#cmd += " -u " + "ipaadmin" #cmd += " -u " + "ipaadmin"
@ -85,88 +89,116 @@ if node[:freeipa][:master] then
cmd += " -a " + passwords['ipa_user_pwd'] cmd += " -a " + passwords['ipa_user_pwd']
cmd += " -N " cmd += " -N "
cmd += " -U " cmd += " -U "
cmd += " --no-host-dns " cmd += " --no-host-dns --mkhomedir"
command "#{cmd}" command cmd
notifies :start, "service[dirsrv]" #notifies :start, "service[dirsrv]"
end end
# Compare list of freeipa_servers with contents of /var/lib/ipa/ # Compare list of freeipa_servers with contents of /var/lib/ipa/
#configured_replicants =`ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{node[:fqdn]} list`.split #configured_replicants =`ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{node[:fqdn]} list`.split
configured_replicants =`ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{node[:fqdn]} list`.split #configured_replicants = `ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{node[:fqdn]} list`.split
configured_replicants.each { |r| puts "DEBUG: configured_replicant: #{r}" } #configured_replicants.each { |r| puts "DEBUG: configured_replicant: #{r}" }
freeipa_server_fqdns = Array.new #freeipa_server_fqdns = Array.new
freeipa_servers.each { |n| freeipa_server_fqdns << n[:fqdn] } #freeipa_servers.each { |n| freeipa_server_fqdns << n[:fqdn] }
freeipa_server_fqdns.compact! #freeipa_server_fqdns.compact!
freeipa_server_fqdns.each do |f| #freeipa_server_fqdns.each do |f|
unless node[:fqdn] == f then # unless node[:fqdn] == f then
unless configured_replicants.include?( f ) then # unless configured_replicants.include?( f ) then
execute "generating replica config for #{f}" do # execute "generating replica config for #{f}" do
not_if "ls /var/lib/ipa/replica-info-#{f}.gpg" # not_if "ls /var/lib/ipa/replica-info-#{f}.gpg"
command "ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']} #{f}" # command "ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']} #{f}"
end # end
end # end
end # end
end #end
end node.set[:freeipa][:master] = true
### Subsequent nodes #elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then
unless node[:freeipa][:master] then elsif (node[:freeipa][:master] && node[:freeipa][:master].respond_to?(:value) && node[:freeipa][:master] == false) &&
(node[:freeipa][:replica] && node[:freeipa][:replica].respond_to?(:value) && node[:freeipa][:replica] == false) then
### Subsequent Replica Nodes
# check to see if slave is setup to replicat from master # check to see if slave is setup to replicat from master
#"ipa-replica-manage -p 0123456789 -H authentication-1.dev.us-east-1.aws.afistfulofservers.net list" #"ipa-replica-manage -p 0123456789 -H authentication-1.dev.us-east-1.aws.afistfulofservers.net list"
ssh_noauth = "-o StrictHostKeyChecking=yes -o PasswordAuthentication=no"
execute "prepare replica from master" do
cmd = "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}"
command cmd
not_if "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} test -f /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg"
#notifies :run, 'execute[rsyncing freeipa replication data]', :immediately
end
# Check for replication config # Check for replication config
# Attempt to copy config from master. # Attempt to copy config from master.
# Fail gracefully if not found. # Fail gracefully if not found.
execute "rsyncing freeipa replication data" do execute "scping freeipa replication data" do
#only_if "ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" #only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}"
cmd = "rsync -a -e \"ssh " only_if "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} test -f /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg"
cmd += " -o StrictHostKeyChecking=yes" not_if { File.exist?("/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg") }
cmd += " -o PasswordAuthentication=no\"" #cmd = "rsync -a -e \"ssh " + ssh_noauth
cmd += " root@" cmd = "scp " + ssh_noauth
cmd += "#{freeipa_masters[0][:fqdn]}:" cmd += " root@" + freeipa_masters[0][:fqdn]
cmd += "/var/lib/ipa/replica-info*" cmd += ":/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg"
cmd += " /var/lib/ipa" cmd += " /var/lib/ipa/"
command cmd command cmd
ignore_failure true notifies :run, 'execute[joining freeipa cluster]', :immediately
end end
execute "joining freeipa cluster" do execute "joining freeipa cluster" do
not_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" not_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}"
only_if "ls /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" #only_if "ls /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg"
only_if { File.exist?("/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg") }
cmd = "ipa-replica-install" cmd = "ipa-replica-install"
cmd += " -p " + passwords['ldap_server_admin_pwd'] cmd += " -p " + passwords['ldap_server_admin_pwd']
cmd +=" /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" cmd += " --unattended --mkhomedir --skip-conncheck"
cmd += " /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg"
command cmd command cmd
sensitive true
action :nothing
notifies :run, 'execute[copying CA private key]', :immediately
end end
# copy CA private key # copy CA private key
# /etc/dirsrv/slapd-DEV-US-EAST-1-AWS-AFISTFULOFSERVERS-NET/pwdfile.txt # /etc/dirsrv/slapd-DEV-US-EAST-1-AWS-AFISTFULOFSERVERS-NET/pwdfile.txt
execute "copying CA private key" do execute "copying CA private key" do
only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}"
only_if "ls /etc/dirsrv/slapd-#{node[:domain].upcase}/" only_if { File.exist?("/etc/dirsrv/slapd-#{node[:domain].upcase}/") }
not_if "ls /etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12" not_if { File.exist?("/etc/dirsrv/slaved-#{node[:domain].upcase}/cacert.p12") }
cmd = "rsync -a -e \"ssh " cmd = "scp " + ssh_noauth
cmd += " -o StrictHostKeyChecking=yes" cmd += " root@" + freeipa_masters[0][:fqdn]
cmd += " -o PasswordAuthentication=no\"" cmd += ":/etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12"
cmd += " root@"
cmd += "#{freeipa_masters[0][:fqdn]}:"
cmd += "/etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12"
cmd += " /etc/dirsrv/slapd-#{node[:domain].upcase}/" cmd += " /etc/dirsrv/slapd-#{node[:domain].upcase}/"
#puts "DEBUG: #{cmd}"
command cmd command cmd
ignore_failure true ignore_failure true
action :nothing
notifies :run, 'ruby_block[set node as replica]', :immediately
end end
ruby_block "set node as replica" do
block do
node.set[:freeipa][:replica] = true
end
action :nothing
end
end
file '/etc/ipa/admin.password' do
content passwords['ipa_user_pwd']
owner 'root'
group 'root'
mode '0600'
sensitive true
end end
##### services ##### services
# enable all the default services recommended by the freeipa docs # enable all the default services recommended by the freeipa docs
#service "dirsrv" do #service "dirsrv" do
# service_name "dirsrv@#{node[:domain].upcase.gsub(".", "-")}"
# action [:enable,:start] # action [:enable,:start]
#end #end
@ -181,18 +213,18 @@ end
# notifies :restart, "service[httpd]" # notifies :restart, "service[httpd]"
#end #end
#service "httpd" do service "httpd" do
# action [:enable,:start] action [:enable,:start]
#end end
#service "ipa_kpasswd" do #service "ipa_kpasswd" do
# action [:enable,:start] # action [:enable,:start]
#end #end
#service "ipa" do service "ipa" do
# action [:enable,:start] action [:enable,:start]
#end end
#
#service "messagebus" do #service "messagebus" do
# action [:enable,:start] # action [:enable,:start]
#end #end