diff --git a/README.md b/README.md index 0a0f9b8..b3dc705 100644 --- a/README.md +++ b/README.md @@ -25,11 +25,11 @@ Role Variables | `rhsm_state` | `present` | Whether to enable or disable a Red Hat subscription. | | `rhsm_autosubscribe` | `[undefined]` | Whether or not to autosubscribe to available repositories. | | `rhsm_consumer_hostname` | `[undefined]` | Name of the system to use when registering. Defaults to using the system hostname if undefined. | -| `rhsm_force_register` | `[undefined]` | Whether or not to force registration. Will not force registration if undefined. | +| `rhsm_force_register` | `False` | Whether or not to force registration. | | `rhsm_repos` | `[]` | The list of repositories to enable or disable. See `defaults/main.yml` for examples. | | `rhsm_rhsm_port` | `443` | Port to use when connecting to subscription server. | | `rhsm_server_hostname` | `subscription.rhn.redhat.com` | FQDN of subscription server. | -| `rhsm_server_prefix` | `/subscription` | Server prefix | +| `rhsm_server_prefix` | `/subscription` or `/rhsm` | RHS server prefix. `/subscription` when using registering via `portal`, `/rhsm` when registering via `satellite`. | | `rhsm_insecure` | `False` | Disable certificate validation. | | `rhsm_ssl_verify_depth` | `3` | Depths certificates should be validated when checking. | | `rhsm_rhsm_proxy_hostname` | `[undefined]` | FQDN of outbound proxy server. | @@ -39,7 +39,6 @@ Role Variables | `rhsm_baseurl` | `https://cdn.redhat.com` | Base URL for content. | | `rhsm_satellite_url` | `[see defaults/main.yml]` | URL of the Satellite server that will be probed to determine the Satellite version. Uses the scheme and hostname of `rhsm_baseurl` by default. | | `rhsm_ca_cert_dir` | `/etc/rhsm/ca/` | Server CA certificate directory. | -| `rhsm_repo_ca_cert` | `%(ca_cert_dir)sredhat-uep.pem` | Default CA to use when generating yum rep configs. | | `rhsm_product_cert_dir` | `/etc/pki/product` | Product certificate directory. | | `rhsm_entitlement_cert_dir` | `/etc/pki/entitlement` | Entitlement certificate directory. | | `rhsm_consumer_cert_dir` | `/etc/pki/consumer` | Consumer certificate directory. | diff --git a/defaults/main.yml b/defaults/main.yml index e1b42c3..58247ae 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,6 +7,7 @@ rhsm_state: present # present or absent rhsm_method: portal # portal or satellite +rhsm_force_registration: False rhsm_repos: [] # - name: rhel-7-server-extras-rpms # wildcard or repo name @@ -16,7 +17,7 @@ rhsm_repos: [] ## /etc/rhsm/rhsm.conf settings rhsm_rhsm_port: 443 rhsm_server_hostname: subscription.rhn.redhat.com -rhsm_server_prefix: '/subscription' +rhsm_server_prefix: "{{ '/rhsm' if rhsm_method == 'satellite' else '/subscription' }}" rhsm_insecure: False rhsm_ssl_verify_depth: 3 # rhsm_rhsm_proxy_hostname: "" @@ -26,7 +27,6 @@ rhsm_ssl_verify_depth: 3 rhsm_baseurl: https://cdn.redhat.com rhsm_satellite_url: "{{ rhsm_baseurl | urlsplit('scheme') ~ '://' ~ rhsm_baseurl | urlsplit('hostname') }}" rhsm_ca_cert_dir: /etc/rhsm/ca/ -rhsm_repo_ca_cert: '%(ca_cert_dir)sredhat-uep.pem' rhsm_product_cert_dir: /etc/pki/product rhsm_entitlement_cert_dir: /etc/pki/entitlement rhsm_consumer_cert_dir: /etc/pki/consumer diff --git a/library/rhsm_repository.py b/library/rhsm_repository.py deleted file mode 100644 index f3f7bf3..0000000 --- a/library/rhsm_repository.py +++ /dev/null @@ -1,261 +0,0 @@ -#!/usr/bin/python -# -# Copyright (c) 2017 OpenStack Foundation -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from __future__ import absolute_import -from __future__ import division -from __future__ import print_function -from ansible.module_utils.basic import AnsibleModule -from copy import deepcopy -from fnmatch import fnmatch -import os -import re - - -ANSIBLE_METADATA = {'metadata_version': '1.1', - 'status': ['preview'], - 'supported_by': 'community'} - -DOCUMENTATION = ''' ---- -module: rhsm_repository -short_description: Manage RHSM repositories using the subscription-manager - command -description: - - Manage(List/Enable/Disable) RHSM repositories to the Red Hat - Subscription Management entitlement platform using the - C(subscription-manager) command. -version_added: '2.5' -author: Giovanni Sciortino (@giovannisciortino) -notes: - - In order to manage RHSM repositories the system must be already - registered to RHSM manually or using the ansible module - redhat_subscription. - - One option between name and list must be defined, both options in the - same task must not be defined. - -requirements: - - subscription-manager -options: - state: - description: - - If state is equal to present or disabled, indicates the desired - repository state. - choices: [present, enabled, absent, disabled] - required: True - default: "present" - name: - description: - - The ID of repositories to enable. - - To operate on several repositories this can accept a comma separated - list or a YAML list. - required: True -''' - -EXAMPLES = ''' -- name: Enable a RHSM repository - rhsm_repository: - name: rhel-7-server-rpms - -- name: Disable all Red Hat repositories - rhsm_repository: - name: '*' - state: disabled - -- name: Enable all repositories starting with rhel-6-server - rhsm_repository: - name: rhel-6-server* - state: enabled - -- name: Disable all repositories except rhel-7-server-rpms - rhsm_repository: - name: "{{ item }}" - state: disabled - with_items: "{{ - rhsm_repository.repositories | - map(attribute='id') | - difference(['rhel-7-server-rpms']) }}" -''' - -RETURN = ''' -repositories: - description: - - The list of Red Hat repositories with their states. - - When this module is used to change the repositories states, this list - contains the updated states after the changes. - returned: success - type: list -''' - - -def run_subscription_manager(module, arguments): - # Execute subuscription-manager with arguments and manage common errors - rhsm_bin = module.get_bin_path('subscription-manager') - if not rhsm_bin: - module.fail_json(msg='The executable file subscription-manager was ' + - 'not found in PATH') - - rc, out, err = module.run_command("%s %s" % (rhsm_bin, - " ".join(arguments))) - - if rc == 1 and (err == 'The password you typed is invalid.\nPlease try ' + - 'again.\n' or os.getuid() != 0): - module.fail_json(msg='The executable file subscription-manager must ' + - 'be run using root privileges') - elif rc == 0 and (out == 'This system has no repositories available ' + - 'through subscriptions.\n'): - module.fail_json(msg='This system has no repositories available ' + - 'through subscriptions') - elif rc == 1: - module.fail_json(msg='subscription-manager failed with the ' + - 'following error: %s' % err) - else: - return rc, out, err - - -def get_repository_list(module, list_parameter): - # Generate RHSM repository list and return a list of dict - if list_parameter == 'list_enabled': - rhsm_arguments = ['repos', '--list-enabled'] - elif list_parameter == 'list_disabled': - rhsm_arguments = ['repos', '--list-disabled'] - elif list_parameter == 'list': - rhsm_arguments = ['repos', '--list'] - rc, out, err = run_subscription_manager(module, rhsm_arguments) - - skip_lines = [ - '+----------------------------------------------------------+', - ' Available Repositories in /etc/yum.repos.d/redhat.repo' - ] - repo_id_re_str = r'Repo ID: (.*)' - repo_name_re_str = r'Repo Name: (.*)' - repo_url_re_str = r'Repo URL: (.*)' - repo_enabled_re_str = r'Enabled: (.*)' - - repo_id = '' - repo_name = '' - repo_url = '' - repo_enabled = '' - - repo_result = [] - - for line in out.split('\n'): - if line in skip_lines: - continue - - repo_id_re = re.match(repo_id_re_str, line) - if repo_id_re: - repo_id = repo_id_re.group(1) - continue - - repo_name_re = re.match(repo_name_re_str, line) - if repo_name_re: - repo_name = repo_name_re.group(1) - continue - - repo_url_re = re.match(repo_url_re_str, line) - if repo_url_re: - repo_url = repo_url_re.group(1) - continue - - repo_enabled_re = re.match(repo_enabled_re_str, line) - if repo_enabled_re: - repo_enabled = repo_enabled_re.group(1) - - repo = { - "id": repo_id, - "name": repo_name, - "url": repo_url, - "enabled": True if repo_enabled == '1' else False - } - repo_result.append(repo) - return repo_result - - -def repository_modify(module, state, name): - name = set(name) - current_repo_list = get_repository_list(module, 'list') - updated_repo_list = deepcopy(current_repo_list) - matched_existing_repo = {} - for repoid in name: - matched_existing_repo[repoid] = [] - for idx, repo in enumerate(current_repo_list): - if fnmatch(repo['id'], repoid): - matched_existing_repo[repoid].append(repo) - # Update current_repo_list to return it as result variable - if state == 'enabled': - updated_repo_list[idx]['enabled'] = True - else: - updated_repo_list[idx]['enabled'] = False - - changed = False - results = [] - diff_before = "" - diff_after = "" - rhsm_arguments = ['repos'] - - for repoid in matched_existing_repo: - if len(matched_existing_repo[repoid]) == 0: - results.append("%s is not a valid repository ID" % repoid) - module.fail_json(results=results, - msg="%s is not a valid repository ID" % repoid) - for repo in matched_existing_repo[repoid]: - if state in ['disabled', 'absent']: - if repo['enabled']: - changed = True - diff_before += "Repository '%s' is enabled" % repo['id'] - diff_after += "Repository '%s' is disabled" % repo['id'] - results.append( - "Repository '%s' is disabled for this system" % repo['id']) - rhsm_arguments += ['--disable', repo['id']] - elif state in ['enabled', 'present']: - if not repo['enabled']: - changed = True - diff_before += "Repository '%s' is disabled" % repo['id'] - diff_after += "Repository '%s' is enabled" % repo['id'] - results.append( - "Repository '%s' is enabled for this system" % repo['id']) - rhsm_arguments += ['--enable', repo['id']] - - diff = {'before': diff_before, - 'after': diff_after, - 'before_header': "RHSM repositories", - 'after_header': "RHSM repositories"} - - if not module.check_mode: - rc, out, err = run_subscription_manager(module, rhsm_arguments) - results = out.split('\n') - module.exit_json(results=results, changed=changed, - repositories=updated_repo_list, diff=diff) - - -def main(): - module = AnsibleModule( - argument_spec=dict( - name=dict(type='list', required=True), - state=dict(choices=['enabled', 'present', 'disabled', 'absent'], - default='enabled'), - ), - supports_check_mode=True, - ) - name = module.params['name'] - state = module.params['state'] - - repository_modify(module, state, name) - - -if __name__ == '__main__': - main() diff --git a/tasks/main.yml b/tasks/main.yml index 23fccd5..e36e918 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,6 +1,6 @@ - name: Ensure this is Red Hat assert: - that: "ansible_distribution == 'RedHat'" + that: "ansible_facts.distribution == 'RedHat'" tags: - rhsm diff --git a/tasks/satellite-6.yml b/tasks/satellite-6.yml index 7bc0ee9..f3adeee 100644 --- a/tasks/satellite-6.yml +++ b/tasks/satellite-6.yml @@ -1,15 +1,46 @@ -- name: SATELLITE 6 | Install katello RPM - yum: - name: "{{ rhsm_satellite_url }}/pub/katello-ca-consumer-latest.noarch.rpm" - state: present - validate_certs: "{{ not rhsm_insecure }}" +- name: SATELLITE 6 | Set Satellite server CA as a fact + set_fact: + rhsm_katello_ca: "{{ lookup('url', rhsm_satellite_url ~ '/pub/katello-server-ca.crt', validate_certs=False, split_lines=False) }}" -- name: SATELLITE 6 | Get Satellite certificates - get_url: - url: "{{ rhsm_satellite_url }}//pub/katello-rhsm-consumer" - dest: /tmp/katello-rhsm-consumer +- block: + - name: Ensure appropriate version of subscription-manager is installed + assert: + fail_msg: The installed version of subscription-manager is too old. + that: + - packages['subscription-manager'][0]['version'] is version_compare('1.10', '>=') + rescue: + - name: Attempt to update subscription-manager + yum: + name: subscription-manager + state: latest -- name: SATELLITE 6 | Run katello script - command: bash /tmp/katello-rhsm-consumer - args: - creates: /etc/rhsm/ca/katello-server-ca.pem + - name: Ensure appropriate version of subscription-manager is installed + assert: + fail_msg: The installed version of subscription-manager is too old. + that: + - packages['subscription-manager'][0]['version'] is version_compare('1.10', '>=') + +- name: SATELLITE 6 | Set RHSM facts + copy: + content: "{{ rhsm_facts | to_json }}\n" + dest: /etc/rhsm/facts/katello.facts + vars: + rhsm_facts: + network.hostname-override: "{{ ansible_facts.fqdn }}" + +- name: Configure yum plugins + ini_file: + path: /etc/yum/pluginconf.d/{{ item.file }} + section: "{{ item.section | default('main') }}" + option: "{{ item.option }}" + value: "{{ item.value }}" + loop: "{{ rhsm_yum_plugins }}" + +- name: SATELLITE 6 | Install CA certificates + copy: + content: "{{ rhsm_katello_ca }}\n" + dest: /etc/rhsm/ca/{{ item }} + owner: root + group: root + mode: 0644 + loop: "{{ rhsm_ca_files }}" diff --git a/tasks/satellite.yml b/tasks/satellite.yml index f5b4910..6c4a0bd 100644 --- a/tasks/satellite.yml +++ b/tasks/satellite.yml @@ -18,13 +18,32 @@ tags: - rhsm_satellite +- name: SATELLITE | Gather service facts + service_facts: + +- name: SATELLITE | Set list of services as a fact + set_fact: + service_list: "{{ services.keys() | list | replace('.service', '') }}" + +- name: SATELLITE | Gather package facts + package_facts: + +- name: SATELLITE | Start and enable rhsmcertsd + service: + name: rhsmcertd + state: started + enabled: yes + when: "'rhsmcertd' in service_list" + - name: SATELLITE | Set Satellite version set_fact: rhsm_satellite_version: "{% if _sat5_check['status'] == 200 %}5{% elif _sat6_check['status'] == 200 %}6{% endif %}" tags: - rhsm_satellite -- include_tasks: satellite-{{ rhsm_satellite_version }}.yml +- name: SATELLITE | Run Satellite {{ rhsm_satellite_version}} tasks + include_tasks: satellite-{{ rhsm_satellite_version }}.yml + when: rhsm_state == 'present' tags: - rhsm_satellite diff --git a/tests/Vagrantfile b/tests/Vagrantfile index b82aa26..83db94e 100644 --- a/tests/Vagrantfile +++ b/tests/Vagrantfile @@ -7,7 +7,7 @@ Vagrant.configure(2) do |config| config.vm.provider "virtualbox" do |vbox| vbox.name = "rhsm-rhel6" vbox.cpus = 1 - vbox.memory = 256 + vbox.memory = 1024 end end @@ -18,14 +18,12 @@ Vagrant.configure(2) do |config| config.vm.provider "virtualbox" do |vbox| vbox.name = "rhsm-rhel7" vbox.cpus = 1 - vbox.memory = 128 + vbox.memory = 1024 end end config.vm.provision "ansible" do |ansible| ansible.playbook = 'vagrant.yml' - ansible.extra_vars = 'vars.yml' ansible.compatibility_mode = '2.0' end - end diff --git a/tests/ansible.cfg b/tests/ansible.cfg new file mode 100644 index 0000000..c52c042 --- /dev/null +++ b/tests/ansible.cfg @@ -0,0 +1,6 @@ +[defaults] +inventory = .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory +roles_path = ../../ +stdout_callback = debug +retry_files = False +host_key_checking = False diff --git a/tests/inventory b/tests/inventory deleted file mode 100644 index d18580b..0000000 --- a/tests/inventory +++ /dev/null @@ -1 +0,0 @@ -localhost \ No newline at end of file diff --git a/tests/test.yml b/tests/test.yml deleted file mode 100644 index 71e71b2..0000000 --- a/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ -- hosts: localhost - remote_user: root - roles: - - redhat-subscription diff --git a/tests/vagrant.yml b/tests/vagrant.yml index acf4b1d..1277415 100644 --- a/tests/vagrant.yml +++ b/tests/vagrant.yml @@ -3,12 +3,23 @@ become: yes vars: - rhsm_state: present - rhsm_repos: - - name: rhel-7-server-extras-rpms - state: present - - name: rhel-7-server-rh-common-rpms - - name: rhel-7-server-openstack-8-rpms + rhsm_username: "{{ lookup('env', 'RHSM_USERNAME') }}" + rhsm_password: "{{ lookup('env', 'RHSM_PASSWORD') }}" + rhsm_pool_ids: "{{ lookup('env', 'RHSM_POOL_ID') }}" + rhsm_state: absent + # rhsm_force_register: yes + rhsm_repos: "{{ repos[ansible_distribution ~ '-' ~ ansible_distribution_major_version] }}" + + repos: + RedHat-6: + - name: rhel-{{ ansible_distribution_major_version }}-server-extras-rpms + state: present + - name: rhel-{{ ansible_distribution_major_version }}-server-rh-common-rpms + RedHat-7: + - name: rhel-{{ ansible_distribution_major_version }}-server-extras-rpms + state: present + - name: rhel-{{ ansible_distribution_major_version }}-server-rh-common-rpms + - name: rhel-{{ ansible_distribution_major_version }}-server-openstack-12-tools-rpms roles: - ansible-role-redhat-subscription diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..92f1b61 --- /dev/null +++ b/vars/main.yml @@ -0,0 +1,14 @@ +rhsm_repo_ca_cert: "{{ '%(ca_cert_dir)s' ~ ('katello-server-ca.pem' if rhsm_method == 'satellite' else 'chemeredhat-uep.pem') }}" +rhsm_full_refresh_on_yum: "{{ 1 if rhsm_method == 'satellite' else 0 }}" +rhsm_yum_plugins: + - file: product-id.conf + option: enabled + value: 1 + + - file: subscription-manager.conf + option: enabled + value: 1 + +rhsm_ca_files: + - katello-server-ca.pem + - katello-default-ca.pem