022d24aa46
We currently call ipa-server-install with '--setup-dns --auto-forwarders --auto-reverse $FreeIPAExtraArgs'. This can break if the forward dns are probed to see if they are in charge of any zones that we're setting up. So it can fail with the following error: 2020-03-25T08:51:14Z DEBUG check_port_bindable: bind success: 8080/TCP 2020-03-25T08:51:14Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-03-25T08:51:14Z INFO Checking DNS domain redhat.local., please wait ... 2020-03-25T08:51:14Z DEBUG Name freeipa-0.redhat.local resolved to {UnsafeIPAddress('10.0.0.96')} 2020-03-25T08:51:14Z DEBUG Searching for an interface of IP address: 10.0.0.96 2020-03-25T08:51:14Z DEBUG Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo) 2020-03-25T08:51:14Z DEBUG Testing local IP address: 172.16.0.47/255.255.255.0 (interface: eth1) 2020-03-25T08:51:14Z DEBUG Testing local IP address: 10.0.0.96/255.255.255.0 (interface: eth2) 2020-03-25T08:51:14Z DEBUG IP address 10.0.0.96 belongs to a private range, using forward policy only 2020-03-25T08:51:14Z DEBUG will use DNS forwarders: ['172.16.0.1', '10.0.0.1', '2620:52:0:13b8::fe'] 2020-03-25T08:51:14Z INFO Checking DNS domain 0.0.10.in-addr.arpa., please wait ... File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 539, in check_reverse_zones options.allow_zone_overlap): File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 349, in get_auto_reverse_zones dnsutil.check_zone_overlap(default_reverse) File "/usr/lib/python3.6/site-packages/ipapython/dnsutil.py", line 383, in check_zone_overlap raise DNSZoneAlreadyExists(zone=zone.to_text(), ns=ns) 2020-03-25T08:51:14Z DEBUG The ipa-server-install command failed, exception: DNSZoneAlreadyExists: DNS zone 0.0.10.in-addr.arpa. already exists in DNS and is handled by server(s): ['ns1.foo.bar.', 'ns2.foo.bar'] 2020-03-25T08:51:14Z ERROR DNS zone 0.0.10.in-addr.arpa. 
already exists in DNS and is handled by server(s): ['ns1.foo.bar.', 'ns2.foo.bar'] 2020-03-25T08:51:14Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information Let's add --allow-zone-overlap so CI is not affected by this. I checked that the new parameter we're adding exists in both CentOS 7 and CentOS 8. Change-Id: Idfd8ddf745e6a7cded9acab7575c0b51554a1cf3
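#!/bin/bash
#
# Provision a FreeIPA server with integrated DNS for the CI environment.
#
# Used environment variables:
#
# - Hostname
# - FreeIPAIP
# - DirectoryManagerPassword
# - AdminPassword
# - UndercloudFQDN   (exported for consumers of this environment; not used
#                     directly below)
# - HostsSecret      (exported for consumers of this environment; not used
#                     directly below)
# - ProvisioningCIDR: If set, it adds the given CIDR to the provisioning
#   interface (which is hardcoded to eth1)
# - FreeIPAExtraArgs: Additional parameters to be passed to FreeIPA script
#
# The variables may also be supplied through ~/freeipa-setup.env or
# /tmp/freeipa-setup.env; the first file found is sourced.
#
set -eux

# Tilde is not expanded inside double quotes, so the home-directory check
# used to test for a literal "~/freeipa-setup.env" and never matched.
# Expand it once, unquoted, and reuse the result.
home_env_file=~/freeipa-setup.env
if [ -f "$home_env_file" ]; then
  # shellcheck disable=SC1090 -- environment file provided at runtime
  source "$home_env_file"
elif [ -f "/tmp/freeipa-setup.env" ]; then
  # NOTE: /tmp is world-writable, so anything placed there runs here as
  # root. This fallback is only acceptable on throwaway CI hosts.
  # shellcheck disable=SC1090 -- environment file provided at runtime
  source /tmp/freeipa-setup.env
fi

# Default every input to the empty string so `set -u` does not trip on an
# unset variable; the installer validates the values it actually needs.
export Hostname=${Hostname:-""}
export FreeIPAIP=${FreeIPAIP:-""}
export DirectoryManagerPassword=${DirectoryManagerPassword:-""}
export AdminPassword=${AdminPassword:-""}
export UndercloudFQDN=${UndercloudFQDN:-""}
export HostsSecret=${HostsSecret:-""}
export ProvisioningCIDR=${ProvisioningCIDR:-""}
export FreeIPAExtraArgs=${FreeIPAExtraArgs:-""}

if [ -n "$ProvisioningCIDR" ]; then
  # Add address to provisioning network interface
  ip link set dev eth1 up
  ip addr add "$ProvisioningCIDR" dev eth1
fi

# Set DNS servers (appended; existing resolvers are kept)
{
  printf '%s\n' "nameserver 8.8.8.8"
  printf '%s\n' "nameserver 8.8.4.4"
} >> /etc/resolv.conf

if rpm -q openstack-dashboard; then
  yum -q -y remove openstack-dashboard
fi

# shellcheck disable=SC1091 -- system file, always present on RHEL/CentOS
source /etc/os-release
# RHEL8.0 does not have epel yet
if [[ $VERSION_ID == 8* ]]; then
  pkgs=(ipa-server ipa-server-dns rng-tools git)
else
  pkgs=(ipa-server ipa-server-dns epel-release rng-tools mod_nss git haveged)
fi

# Install the needed packages
yum -q install -y "${pkgs[@]}"

# Prepare hostname
hostnamectl set-hostname --static "$Hostname"

printf '%s %s\n' "$FreeIPAIP" "$(hostname)" | tee -a /etc/hosts

# Set iptables rules. The quoted delimiter keeps the rules literal (no
# expansion happens in this block anyway).
cat << 'EOF' > freeipa-iptables-rules.txt
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#TCP ports for FreeIPA
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
#UDP ports for FreeIPA
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

iptables-restore < freeipa-iptables-rules.txt

# Entropy generation; otherwise, ipa-server-install will lag.
if [[ $VERSION_ID != 8* ]]; then
  chkconfig haveged on
  systemctl start haveged

  # Remove conflicting httpd configuration
  rm -f /etc/httpd/conf.d/ssl.conf
fi

# Set up FreeIPA
# Kerberos realm: the DNS domain of this host, upper-cased.
dns_domain=$(hostname -d)
realm=${dns_domain^^}
host_fqdn=$(hostname -f)

# The passwords are passed to the installer as arguments. Turn xtrace off
# around the call so they are not written to the CI log; they are still
# visible in this host's process list while the installer runs.
#
# --allow-zone-overlap skips the installer's check that the configured
# forwarders do not already serve the zones being created (the reverse-zone
# probe made CI fail). An overlapping zone that is really handled elsewhere
# is then shadowed by this server, so keep this option to CI/test
# deployments.
{ set +x; } 2>/dev/null
# shellcheck disable=SC2086 -- FreeIPAExtraArgs is deliberately word-split
ipa-server-install -U -r "$realm" \
  -p "$DirectoryManagerPassword" -a "$AdminPassword" \
  --hostname "$host_fqdn" \
  --ip-address="$FreeIPAIP" \
  --allow-zone-overlap \
  --setup-dns --auto-forwarders --auto-reverse $FreeIPAExtraArgs
set -x

# Authenticate. The password goes over stdin rather than argv; xtrace is
# suppressed for the same reason as above.
{ set +x; } 2>/dev/null
printf '%s\n' "$AdminPassword" | kinit admin
set -x

# Verify we have TGT. Checking the status explicitly keeps the intent
# visible instead of relying on `set -e` (the old `$?` test after klist
# was unreachable under -e).
klist || exit 1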