Merge branch 'develop' of Linux-Help/cookbook-freeipa into master

This commit is contained in:
psi-jack 2016-07-21 16:51:50 +00:00 committed by Gogs
commit 88e00d567a
6 changed files with 347 additions and 272 deletions


@ -3,7 +3,7 @@ source "https://supermarket.chef.io"
metadata metadata
cookbook 'chef-vault' cookbook 'chef-vault'
cookbook 'ohai' #cookbook 'ohai'
cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey' #cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey'
cookbook 'sshroot2rootssh', path: '../sshroot2rootssh' #cookbook 'sshroot2rootssh', path: '../sshroot2rootssh'


@ -4,8 +4,10 @@ maintainer_email 'psi-jack@linux-help.org'
license 'GPLv3' license 'GPLv3'
description 'Installs/Configures freeipa' description 'Installs/Configures freeipa'
long_description 'Installs/Configures freeipa' long_description 'Installs/Configures freeipa'
version '0.1.5' version '0.1.7'
issues_url 'http://git.linux-help.org/Linux-Help/freeipa/issues'
source_url 'http://git.linux-help.org/Linux-Help/freeipa'
depends 'ohai'
depends 'chef-vault' depends 'chef-vault'
depends 'sshroot2rootssh' #depends 'ohai'
#depends 'sshroot2rootssh'


@ -2,6 +2,8 @@ def whyrun_supported?
true true
end end
use_inline_resources
action :remove do action :remove do
Chef::Log.warn('Remove ipa_group triggered') Chef::Log.warn('Remove ipa_group triggered')
end end


@ -24,6 +24,10 @@ end
private private
def ipa_krblogin def ipa_krblogin
#File.open("/tmp/ipa.admin", "w") do |f|
# f.write(passwords["ipa_user_pwd"]
#end
if ::File.exist?('/etc/ipa/admin.password') then if ::File.exist?('/etc/ipa/admin.password') then
system 'kinit admin -l 1h < /etc/ipa/admin.password &>/dev/null' system 'kinit admin -l 1h < /etc/ipa/admin.password &>/dev/null'
if $? == 0 then if $? == 0 then
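Review bot: The three commented-out lines added at the top of ipa_krblogin are dead code sketching a write of the admin password to `/tmp/ipa.admin`, and the sketch is not even well-formed (`f.write(passwords["ipa_user_pwd"]` lacks its closing parenthesis); commented-out code should be dropped rather than committed. If the intent is to record where the password comes from, a one-line comment does that without leaving executable-looking lines behind, e.g. `# /etc/ipa/admin.password is written by the server recipe from the vault's ipa_user_pwd`. The rest of ipa_krblogin continues outside the hunk.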


@ -17,14 +17,16 @@
# limitations under the License. # limitations under the License.
# #
include_recipe 'chef-vault'
node.set[:freeipa][:client] = true
# become aware servers # become aware servers
freeipa_servers = search(:node, "freeipa_server:true") if Chef::Config[:solo]
freeipa_clients = search(:node, "freeipa_client:true") Chef::Log.warn('This recipe uses search. Chef solo does not support search.')
freeipa_masters = search(:node, "freeipa_master:true") else
include_recipe 'chef-vault'
node.normal["freeipa"]["client"] = true
freeipa_servers = search("node", "freeipa_server:true")
freeipa_clients = search("node", "freeipa_client:true")
freeipa_masters = search("node", "freeipa_master:true")
unless freeipa_servers.empty? then unless freeipa_servers.empty? then
package "ipa-client" package "ipa-client"
@ -49,8 +51,8 @@ unless freeipa_servers.empty? then
not_if { File.exist?("/var/lib/ipa-client/sysrestore/sysrestore.index") } not_if { File.exist?("/var/lib/ipa-client/sysrestore/sysrestore.index") }
cmd = "ipa-client-install" cmd = "ipa-client-install"
cmd += " --server " + freeipa_masters[0][:fqdn] cmd += " --server " + freeipa_masters[0][:fqdn]
cmd += " --domain " + node[:domain] cmd += " --domain " + node["domain"]
cmd += " --realm " + node[:domain].upcase cmd += " --realm " + node["domain"].upcase
cmd += " --mkhomedir --unattended" cmd += " --mkhomedir --unattended"
cmd += " -p admin -w " + passwords['ldap_server_admin_pwd'] cmd += " -p admin -w " + passwords['ldap_server_admin_pwd']
sensitive true sensitive true
@ -80,4 +82,5 @@ unless freeipa_servers.empty? then
# get http cert? # get http cert?
end end
end
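Review bot: The new `else` branch still guards the client install only on `freeipa_servers.empty?` while the `ipa-client-install` command is built from `freeipa_masters[0][:fqdn]`, so a node that finds servers but no master fails with a NoMethodError on nil instead of a readable message. Since the search block now assigns all three lists together, the guard should cover the list that is actually indexed: `unless freeipa_servers.empty? || freeipa_masters.empty? then`. `freeipa_clients` is assigned but not used anywhere in the visible hunks; if nothing outside them reads it, the search can go. The guarded block spans several hunks and the trailing `end` added at the bottom is what closes the new `else`, so the if/else/end nesting should be checked against the full recipe.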


@ -19,29 +19,21 @@
include_recipe 'chef-vault' include_recipe 'chef-vault'
node.set[:freeipa][:server] = true node.normal["freeipa"]["server"] = true
# become aware of clients and servers # become aware of clients and servers
if Chef::Config[:solo]
Chef::Log.warn('This recipe uses search. Chef solo does not support search.')
else
freeipa_servers = search(:node, "freeipa_server:true") freeipa_servers = search(:node, "freeipa_server:true")
freeipa_clients = search(:node, "freeipa_client:true") freeipa_clients = search(:node, "freeipa_client:true")
# gather data bag secrets # gather data bag secrets
#secret = Chef::EncryptedDataBagItem.load_secret("/home/psi-jack/.chef/encrypted_data_bag_secret") passwords = chef_vault_item("freeipa", 'passwords')
#passwords = Chef::EncryptedDataBagItem.load("secrets", "passwords", secret)
passwords = chef_vault_item(:freeipa, 'passwords')
#ldap_server_admin_pwd = data_bag_item('secrets','ldap_server_admin_pwd')['value']
#kdc_database_master_key = data_bag_item('secrets','kdc_database_master_key')['value']
#ipa_user_pwd = data_bag_item('secrets','ipa_user_pwd')['value']
# packages # packages
#package "dbus"
#package "oddjob"
#package "ipa-client"
#package "ipa-server"
#package "rsync"
package 'ipa-server' do package 'ipa-server' do
case node[:platform] case node["platform"]
when 'redhat', 'centos' when 'redhat', 'centos'
package_name 'ipa-server' package_name 'ipa-server'
end end
@ -54,7 +46,7 @@ end
# Since they are replicants of each other, this can be justified, since the data is already compromised. # Since they are replicants of each other, this can be justified, since the data is already compromised.
# Can selinux help mitigate this? # Can selinux help mitigate this?
#include_recipe "ohai" #include_recipe "ohai"
include_recipe "sshroot2rootssh" #include_recipe "sshroot2rootssh"
##### Replication ##### Replication
# We're going to have to # We're going to have to
@ -80,12 +72,12 @@ if freeipa_masters.empty? then
execute "initializing freeipa-server" do execute "initializing freeipa-server" do
not_if { File.exist?('/var/liv/ipa/sysrestore/sysrestore.state') } not_if { File.exist?('/var/liv/ipa/sysrestore/sysrestore.state') }
cmd = "ipa-server-install" cmd = "ipa-server-install"
cmd += " --hostname " + node[:fqdn] cmd += " --hostname " + node["fqdn"]
#cmd += " -u " + "ipaadmin" #cmd += " -u " + "ipaadmin"
cmd += " -r " + node[:domain].upcase cmd += " -r " + node["domain"].upcase
cmd += " -n " + node[:domain] cmd += " -n " + node["domain"]
cmd += " -p " + passwords['ldap_server_admin_pwd'] cmd += " -p " + passwords['ldap_server_admin_pwd']
cmd += " -P " + passwords['kdc_database_master_key'] #cmd += " -P " + passwords['kdc_database_master_key']
cmd += " -a " + passwords['ipa_user_pwd'] cmd += " -a " + passwords['ipa_user_pwd']
cmd += " -N " cmd += " -N "
cmd += " -U " cmd += " -U "
@ -114,11 +106,41 @@ if freeipa_masters.empty? then
# end # end
#end #end
node.set[:freeipa][:master] = true directory "/root/.ssh" do
owner "root"
group "root"
mode "0700"
action :create
end
file "/root/.ssh/id_rsa" do
content passwords["ssh-pvt"]
owner "root"
group "root"
mode "0600"
end
file "/root/.ssh/id_rsa.pub" do
content passwords["ssh-pub"]
owner "root"
group "root"
mode "0600"
end
ruby_block "add public key to authorized_keys" do
block do
file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys")
file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"])
file.write_file
end
end
node.normal["freeipa"]["master"] = true
#elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then #elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then
elsif (node[:freeipa][:master] && node[:freeipa][:master].respond_to?(:value) && node[:freeipa][:master] == false) && #elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) &&
(node[:freeipa][:replica] && node[:freeipa][:replica].respond_to?(:value) && node[:freeipa][:replica] == false) then # (node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then
elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) then
### Subsequent Replica Nodes ### Subsequent Replica Nodes
# check to see if slave is setup to replicat from master # check to see if slave is setup to replicat from master
@ -126,9 +148,11 @@ elsif (node[:freeipa][:master] && node[:freeipa][:master].respond_to?(:value) &&
ssh_noauth = "-o StrictHostKeyChecking=yes -o PasswordAuthentication=no" ssh_noauth = "-o StrictHostKeyChecking=yes -o PasswordAuthentication=no"
execute "prepare replica from master" do execute "prepare replica from master" do
cmd = "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}" cmd = "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}"
cmd += " " + node["fqdn"]
command cmd command cmd
not_if "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} test -f /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" sensitive true
not_if "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} test -f /var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
#notifies :run, 'execute[rsyncing freeipa replication data]', :immediately #notifies :run, 'execute[rsyncing freeipa replication data]', :immediately
end end
@ -137,41 +161,41 @@ elsif (node[:freeipa][:master] && node[:freeipa][:master].respond_to?(:value) &&
# Fail gracefully if not found. # Fail gracefully if not found.
execute "scping freeipa replication data" do execute "scping freeipa replication data" do
#only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" #only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}"
only_if "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} test -f /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" only_if "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} test -f /var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
not_if { File.exist?("/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg") } not_if { File.exist?("/var/lib/ipa/replica-info-#{node['fqdn']}.gpg") }
#cmd = "rsync -a -e \"ssh " + ssh_noauth #cmd = "rsync -a -e \"ssh " + ssh_noauth
cmd = "scp " + ssh_noauth cmd = "scp " + ssh_noauth
cmd += " root@" + freeipa_masters[0][:fqdn] cmd += " root@" + freeipa_masters[0]["fqdn"]
cmd += ":/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" cmd += ":/var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
cmd += " /var/lib/ipa/" cmd += " /var/lib/ipa/"
command cmd command cmd
notifies :run, 'execute[joining freeipa cluster]', :immediately #notifies :run, 'execute[joining freeipa cluster]', :immediately
end end
execute "joining freeipa cluster" do execute "joining freeipa cluster" do
not_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" not_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0]['fqdn']} list | grep #{node['fqdn']}"
#only_if "ls /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" #only_if "ls /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg"
only_if { File.exist?("/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg") } only_if { File.exist?("/var/lib/ipa/replica-info-#{node['fqdn']}.gpg") }
cmd = "ipa-replica-install" cmd = "ipa-replica-install"
cmd += " -p " + passwords['ldap_server_admin_pwd'] cmd += " -p " + passwords['ldap_server_admin_pwd']
cmd += " --unattended --mkhomedir --skip-conncheck" cmd += " --unattended --mkhomedir --skip-conncheck"
cmd += " /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" cmd += " /var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
command cmd command cmd
sensitive true #sensitive true
action :nothing #action :nothing
notifies :run, 'execute[copying CA private key]', :immediately notifies :run, 'execute[copying CA private key]', :immediately
end end
# copy CA private key # copy CA private key
# /etc/dirsrv/slapd-DEV-US-EAST-1-AWS-AFISTFULOFSERVERS-NET/pwdfile.txt # /etc/dirsrv/slapd-DEV-US-EAST-1-AWS-AFISTFULOFSERVERS-NET/pwdfile.txt
execute "copying CA private key" do execute "copying CA private key" do
only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0]['fqdn']} list | grep #{node['fqdn']}"
only_if { File.exist?("/etc/dirsrv/slapd-#{node[:domain].upcase}/") } only_if { File.exist?("/etc/dirsrv/slapd-#{node['domain'].upcase}/") }
not_if { File.exist?("/etc/dirsrv/slaved-#{node[:domain].upcase}/cacert.p12") } not_if { File.exist?("/etc/dirsrv/slaved-#{node['domain'].upcase}/cacert.p12") }
cmd = "scp " + ssh_noauth cmd = "scp " + ssh_noauth
cmd += " root@" + freeipa_masters[0][:fqdn] cmd += " root@" + freeipa_masters[0]['fqdn']
cmd += ":/etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12" cmd += ":/etc/dirsrv/slapd-#{node['domain'].upcase}/cacert.p12"
cmd += " /etc/dirsrv/slapd-#{node[:domain].upcase}/" cmd += " /etc/dirsrv/slapd-#{node['domain'].upcase}/"
command cmd command cmd
ignore_failure true ignore_failure true
action :nothing action :nothing
@ -180,12 +204,15 @@ elsif (node[:freeipa][:master] && node[:freeipa][:master].respond_to?(:value) &&
ruby_block "set node as replica" do ruby_block "set node as replica" do
block do block do
node.set[:freeipa][:replica] = true node.normal["freeipa"]["replica"] = true
end end
action :nothing action :nothing
end end
end end
### Admin Password for LWRP
#
file '/etc/ipa/admin.password' do file '/etc/ipa/admin.password' do
content passwords['ipa_user_pwd'] content passwords['ipa_user_pwd']
owner 'root' owner 'root'
@ -194,6 +221,42 @@ file '/etc/ipa/admin.password' do
sensitive true sensitive true
end end
### SSH key for IPA server communications
#
directory "/root/.ssh" do
owner "root"
group "root"
mode "0700"
action :create
end
file "/root/.ssh/id_rsa" do
content passwords["ssh-pvt"]
owner "root"
group "root"
mode "0600"
sensitive true
end
file "/root/.ssh/id_rsa.pub" do
content passwords["ssh-pub"]
owner "root"
group "root"
mode "0600"
sensitive true
end
ruby_block "add public key to authorized_keys" do
block do
file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys")
file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"])
file.write_file
end
end
##### services ##### services
# enable all the default services recommended by the freeipa docs # enable all the default services recommended by the freeipa docs
@ -232,4 +295,5 @@ end
#service "oddjobd" do #service "oddjobd" do
# action [:enable,:start] # action [:enable,:start]
#end #end
end
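Review bot: The `file "/root/.ssh/id_rsa"` and `id_rsa.pub` resources added inside the master branch (the block starting at `directory "/root/.ssh"` just before `node.normal["freeipa"]["master"] = true`) carry no `sensitive true`, so Chef will print the vault-sourced private key in the run log's content diff; the identical block added later under `### SSH key for IPA server communications` does set `sensitive true` and runs unconditionally for every server, so the master-branch copy looks redundant and should simply be removed. In the replica branch, commenting out `#sensitive true` on `execute "joining freeipa cluster"` means the `ipa-replica-install -p <password>` command string is now logged on every converge; restore `sensitive true` there. The `ruby_block "add public key to authorized_keys"` matches on `passwords["ssh-pub"].delete("\n")` but inserts the raw `passwords["ssh-pub"]`, so a key value carrying a trailing newline would presumably be written with it, and `Chef::Util::FileEdit.new` is expected to raise when `/root/.ssh/authorized_keys` does not yet exist, which a preceding `file "/root/.ssh/authorized_keys"` resource with `action :create_if_missing` and `mode "0600"` would cover. Style: `elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) then` wants a space after `elsif` and no `then`.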