heat_template_version: wallaby description: Registers nodes with the IPA server parameters: RoleNetIpMap: default: {} type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json PythonInterpreter: type: string description: The python interpreter to use for python and ansible actions default: "$(command -v python3 || command -v python)" MakeHomeDir: type: boolean description: Configure PAM to create a users home directory if it does not exist. default: False IdMDomain: default: '' description: IDM domain to register IDM client. Typically, this is discovered through DNS and does not have to be set explicitly. type: string IdMNoNtpSetup: default: False description: Set to true to add --no-ntp to the IDM client install call. This will cause IDM client install not to set up NTP. type: boolean outputs: role_data: description: Role data for the ipaclient service value: service_name: ipaclient upgrade_tasks: [] step_config: '' host_prep_tasks: - name: enroll client in ipa and get metadata become: yes vars: python_interpreter: {get_param: PythonInterpreter} makehomedir: {get_param: MakeHomeDir} idm_domain: {get_param: IdMDomain} idm_no_ntp: {get_param: IdMNoNtpSetup} block: - name: install needed packages package: name: "{{ item }}" state: present with_items: - ipa-client - ipa-admintools - hostname - name: create enrollment script copy: dest: /root/setup-ipa-client.sh mode: '0700' content: | #!/bin/sh set -x function get_metadata_config_drive { if [ -f /run/cloud-init/status.json ]; then # Get metadata from config drive data=`cat /run/cloud-init/status.json` config_drive=`echo $data | {{ python_interpreter }} -c 'import json,re,sys;obj=json.load(sys.stdin);ds=obj.get("v1", {}).get("datasource"); print(re.findall(r"source=(.*)]", ds)[0])'` if [[ -b $config_drive ]]; then temp_dir=`mktemp -d` mount $config_drive $temp_dir if [ -f $temp_dir/openstack/latest/vendor_data2.json ]; then data=`cat $temp_dir/openstack/latest/vendor_data2.json` umount $config_drive rmdir $temp_dir else umount $config_drive rmdir $temp_dir fi else echo "Unable to retrieve metadata from config drive." return 1 fi else echo "Unable to retrieve metadata from config drive." return 1 fi return 0 } function get_metadata_network { # Get metadata over the network data=$(timeout 300 /bin/bash -c 'data=""; while [ -z "$data" ]; do sleep $[ ( $RANDOM % 10 ) + 1 ]s; data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`; done; echo $data') if [[ $? != 0 ]] ; then echo "Unable to retrieve metadata from metadata service." return 1 fi } function get_fqdn { # Get the instance hostname out of the metadata fqdn=`echo $data | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("hostname", ""))'` if [ -z "$fqdn"]; then echo "Unable to determine hostname" return 1 fi return 0 } if ! get_metadata_config_drive || ! get_fqdn; then if ! get_metadata_network || ! get_fqdn; then echo "FATAL: No metadata available or could not read the hostname from the metadata" exit 1 fi fi realm=`echo $data | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("krb_realm", ""))'` otp=`echo $data | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("ipaotp", ""))'` # Force hostname to use the FQDN hostnamectl set-hostname $fqdn makehomedir={{ makehomedir }} idm_no_ntp={{ idm_no_ntp }} idm_domain={{ idm_domain }} # run ipa-client-install OPTS="-U -w $otp --hostname $fqdn" if [ -n "$realm" ]; then OPTS="$OPTS --realm=$realm" fi if [ -n "$idm_domain" ]; then OPTS="$OPTS --domain=$idm_domain" fi if [ "${makehomedir,,}" = "true" ]; then OPTS="$OPTS --mkhomedir" fi if [ "${idm_no_ntp,,}" = "true" ]; then OPTS="$OPTS --no-ntp" fi # Ensure we have the proper domain in /etc/resolv.conf domain=$(hostname -d) if [ -n "$idm_domain" ]; then domain = "$domain $idm_domain" fi if ! grep -q ${domain} /etc/resolv.conf ; then sed -i "0,/nameserver/s/\(nameserver.*\)/search ${domain}\n\1/" /etc/resolv.conf fi ipa-client-install $OPTS - name: determine if client is already enrolled stat: path: /etc/ipa/default.conf register: ipa_default_conf - block: - name: run enrollment script shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1 - name: restart certmonger service systemd: state: restarted daemon_reload: true name: certmonger.service when: ipa_default_conf.stat.exists == False