tripleo-heat-templates/deployment/ipa/ipaclient-baremetal-ansible.yaml
Ade Lee bf0bc85ef4 Restart certmnonger after registering system with IPA
If certmonger is not restarted when the server is registered with
IPA, then it may mark the IPA CA as unreachable.  This results
in CA certs not being stored when cert requests are made with a -F
option.  Eventually, certmonger refreshes itself, but this can
take up to 8 hours.

We see this sometimes when doing brownfield deploys.  The ca cert
fails to be created for some requests, resulting in containers
being unable to load.

We fix this by simply restarting certmonger after enrollment, and
avoiding the whole confused state.

Change-Id: Id968a2d5170af1485417e41318e0187d79cd4aae
2019-10-28 11:24:31 -04:00


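heat_template_version: rocky

description: Registers nodes with the IPA server

parameters:
  RoleNetIpMap:
    default: {}
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  PythonInterpreter:
    type: string
    description: The python interpreter to use for python and ansible actions
    default: /usr/bin/python
  MakeHomeDir:
    type: boolean
    description: Configure PAM to create a users home directory if it does not exist.
    default: false
  IdMDomain:
    default: ''
    description: >-
      IDM domain to register IDM client. Typically, this is discovered
      through DNS and does not have to be set explicitly.
    type: string
  IdMNoNtpSetup:
    default: false
    description: >-
      Set to true to add --no-ntp to the IDM client install call.
      This will cause IDM client install not to set up NTP.
    type: boolean

outputs:
  role_data:
    description: Role data for the ipaclient service
    value:
      service_name: ipaclient
      upgrade_tasks: []
      step_config: ''
      host_prep_tasks:
        - name: enroll client in ipa and get metadata
          become: true
          vars:
            python_interpreter: {get_param: PythonInterpreter}
            makehomedir: {get_param: MakeHomeDir}
            idm_domain: {get_param: IdMDomain}
            idm_no_ntp: {get_param: IdMNoNtpSetup}
          block:
            - name: install needed packages
              package:
                name: "{{ item }}"
                state: present
              loop:
                - ipa-client
                - ipa-admintools
                - hostname
            # The enrollment script is written to disk root-only (0700) and
            # run once, guarded by the stat check on /etc/ipa/default.conf
            # further down.
            - name: create enrollment script
              copy:
                dest: /root/setup-ipa-client.sh
                mode: '0700'
                content: |
                  #!/bin/bash
                  # bash, not sh: the script relies on [[ ]] and ${var,,} below.
                  set -x
                  # NOTE: with "set -x" every traced line, including the metadata
                  # JSON and the enrollment OTP, ends up in the log the caller
                  # redirects to; the caller sets a restrictive umask for that file.
                  function get_metadata_config_drive {
                    if [ -f /run/cloud-init/status.json ]; then
                      # Get metadata from config drive
                      data=`cat /run/cloud-init/status.json`
                      config_drive=`echo "$data" | {{ python_interpreter }} -c 'import json,re,sys;obj=json.load(sys.stdin);ds=obj.get("v1", {}).get("datasource"); print(re.findall(r"source=(.*)]", ds)[0])'`
                      if [[ -b $config_drive ]]; then
                        temp_dir=`mktemp -d`
                        mount $config_drive $temp_dir
                        if [ -f $temp_dir/openstack/latest/vendor_data2.json ]; then
                          data=`cat $temp_dir/openstack/latest/vendor_data2.json`
                          umount $config_drive
                          rmdir $temp_dir
                        else
                          umount $config_drive
                          rmdir $temp_dir
                        fi
                      else
                        echo "Unable to retrieve metadata from config drive."
                        return 1
                      fi
                    else
                      echo "Unable to retrieve metadata from config drive."
                      return 1
                    fi
                    return 0
                  }
                  function get_metadata_network {
                    # Get metadata over the network; retry with a random 1-10s
                    # backoff until the metadata service answers or 300s elapse.
                    data=$(timeout 300 /bin/bash -c 'data=""; while [ -z "$data" ]; do sleep $(( RANDOM % 10 + 1 ))s; data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`; done; echo $data')
                    if [[ $? != 0 ]] ; then
                      echo "Unable to retrieve metadata from metadata service."
                      return 1
                    fi
                  }
                  function get_fqdn {
                    # Get the instance hostname out of the metadata
                    fqdn=`echo "$data" | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("hostname", ""))'`
                    # The closing ] must be a separate word for test(1).
                    if [ -z "$fqdn" ]; then
                      echo "Unable to determine hostname"
                      return 1
                    fi
                    return 0
                  }
                  # Prefer the config drive; fall back to the metadata service.
                  if ! get_metadata_config_drive || ! get_fqdn; then
                    if ! get_metadata_network || ! get_fqdn; then
                      echo "FATAL: No metadata available or could not read the hostname from the metadata"
                      exit 1
                    fi
                  fi
                  realm=`echo "$data" | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("krb_realm", ""))'`
                  otp=`echo "$data" | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("ipaotp", ""))'`
                  # Force hostname to use the FQDN
                  hostnamectl set-hostname "$fqdn"
                  makehomedir={{ makehomedir }}
                  idm_no_ntp={{ idm_no_ntp }}
                  idm_domain={{ idm_domain }}
                  # run ipa-client-install
                  OPTS="-U -w $otp --hostname $fqdn"
                  if [ -n "$realm" ]; then
                    OPTS="$OPTS --realm=$realm"
                  fi
                  if [ -n "$idm_domain" ]; then
                    OPTS="$OPTS --domain=$idm_domain"
                  fi
                  # Heat booleans may render as True/False; compare lower-cased.
                  if [ "${makehomedir,,}" = "true" ]; then
                    OPTS="$OPTS --mkhomedir"
                  fi
                  if [ "${idm_no_ntp,,}" = "true" ]; then
                    OPTS="$OPTS --no-ntp"
                  fi
                  # Ensure we have the proper domain in /etc/resolv.conf
                  domain=$(hostname -d)
                  if [ -n "$idm_domain" ]; then
                    # No spaces around "=": otherwise this runs a command named
                    # "domain" instead of assigning the variable.
                    domain="$domain $idm_domain"
                  fi
                  # Quoted so a two-word search list is a single grep pattern.
                  if ! grep -q "${domain}" /etc/resolv.conf ; then
                    sed -i "0,/nameserver/s/\(nameserver.*\)/search ${domain}\n\1/" /etc/resolv.conf
                  fi
                  ipa-client-install $OPTS
            - name: determine if client is already enrolled
              stat:
                path: /etc/ipa/default.conf
              register: ipa_default_conf
            - block:
                # umask 077 keeps the trace log (which records the OTP) root-only.
                - name: run enrollment script
                  shell: umask 077; /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1
                # certmonger must be restarted after enrollment or it may keep
                # treating the IPA CA as unreachable for hours.
                - name: restart certmonger service
                  systemd:
                    state: restarted
                    daemon_reload: true
                    name: certmonger.service
              when: not ipa_default_conf.stat.exists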