tripleo-heat-templates/ci/scripts/freeipa_setup.sh
Michele Baldessari 022d24aa46 Use --allow-overlap-zone when setting up freeipa
We currently call ipa-server-install with '--setup-dns --auto-forwarders --auto-reverse $FreeIPAExtraArgs'.

This can break if the forward dns are probed to see if they are in
charge of any zones that we're setting up. So it can fail with the
following error:
2020-03-25T08:51:14Z DEBUG check_port_bindable: bind success: 8080/TCP
2020-03-25T08:51:14Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2020-03-25T08:51:14Z INFO Checking DNS domain redhat.local., please wait ...
2020-03-25T08:51:14Z DEBUG Name freeipa-0.redhat.local resolved to {UnsafeIPAddress('10.0.0.96')}
2020-03-25T08:51:14Z DEBUG Searching for an interface of IP address: 10.0.0.96
2020-03-25T08:51:14Z DEBUG Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
2020-03-25T08:51:14Z DEBUG Testing local IP address: 172.16.0.47/255.255.255.0 (interface: eth1)
2020-03-25T08:51:14Z DEBUG Testing local IP address: 10.0.0.96/255.255.255.0 (interface: eth2)
2020-03-25T08:51:14Z DEBUG IP address 10.0.0.96 belongs to a private range, using forward policy only
2020-03-25T08:51:14Z DEBUG will use DNS forwarders: ['172.16.0.1', '10.0.0.1', '2620:52:0:13b8::fe']

2020-03-25T08:51:14Z INFO Checking DNS domain 0.0.10.in-addr.arpa., please wait ...
  File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 539, in check_reverse_zones
    options.allow_zone_overlap):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 349, in get_auto_reverse_zones
    dnsutil.check_zone_overlap(default_reverse)
  File "/usr/lib/python3.6/site-packages/ipapython/dnsutil.py", line 383, in check_zone_overlap
    raise DNSZoneAlreadyExists(zone=zone.to_text(), ns=ns)

2020-03-25T08:51:14Z DEBUG The ipa-server-install command failed, exception: DNSZoneAlreadyExists: DNS zone 0.0.10.in-addr.arpa. already exists in DNS and is handled by server(s): ['ns1.foo.bar.', 'ns2.foo.bar']
2020-03-25T08:51:14Z ERROR DNS zone 0.0.10.in-addr.arpa. already exists in DNS and is handled by server(s): ['ns1.foo.bar.', 'ns2.foo.bar']
2020-03-25T08:51:14Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Let's add --allow-overlap-zone so CI is not affected by this.

I checked that this new parameter we're adding exists in both centos7
and 8.

Change-Id: Idfd8ddf745e6a7cded9acab7575c0b51554a1cf3
2020-03-26 12:30:43 +01:00

120 lines
3.6 KiB
Bash
Executable File

#!/bin/bash
#
# Used environment variables:
#
# - Hostname
# - FreeIPAIP
# - DirectoryManagerPassword
# - AdminPassword
# - UndercloudFQDN
# - HostsSecret
# - ProvisioningCIDR: If set, it adds the given CIDR to the provisioning
# interface (which is hardcoded to eth1)
# - FreeIPAExtraArgs: Additional parameters to be passed to FreeIPA script
#
set -eux
if [ -f "~/freeipa-setup.env" ]; then
source ~/freeipa-setup.env
elif [ -f "/tmp/freeipa-setup.env" ]; then
source /tmp/freeipa-setup.env
fi
export Hostname=${Hostname:-""}
export FreeIPAIP=${FreeIPAIP:-""}
export DirectoryManagerPassword=${DirectoryManagerPassword:-""}
export AdminPassword=${AdminPassword:-""}
export UndercloudFQDN=${UndercloudFQDN:-""}
export HostsSecret=${HostsSecret:-""}
export ProvisioningCIDR=${ProvisioningCIDR:-""}
export FreeIPAExtraArgs=${FreeIPAExtraArgs:-""}
if [ -n "$ProvisioningCIDR" ]; then
# Add address to provisioning network interface
ip link set dev eth1 up
ip addr add $ProvisioningCIDR dev eth1
fi
# Set DNS servers
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf
if rpm -q openstack-dashboard; then
yum -q -y remove openstack-dashboard
fi
source /etc/os-release
# RHEL8.0 does not have epel yet
if [[ $VERSION_ID == 8* ]]; then
PKGS="ipa-server ipa-server-dns rng-tools git"
else
PKGS="ipa-server ipa-server-dns epel-release rng-tools mod_nss git haveged"
fi
# Install the needed packages
yum -q install -y $PKGS
# Prepare hostname
hostnamectl set-hostname --static $Hostname
echo $FreeIPAIP `hostname` | tee -a /etc/hosts
# Set iptables rules
cat << EOF > freeipa-iptables-rules.txt
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#TCP ports for FreeIPA
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
#UDP ports for FreeIPA
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
iptables-restore < freeipa-iptables-rules.txt
# Entropy generation; otherwise, ipa-server-install will lag.
if [[ $VERSION_ID != 8* ]]; then
chkconfig haveged on
systemctl start haveged
# Remove conflicting httpd configuration
rm -f /etc/httpd/conf.d/ssl.conf
fi
# Set up FreeIPA
ipa-server-install -U -r `hostname -d|tr "[a-z]" "[A-Z]"` \
-p $DirectoryManagerPassword -a $AdminPassword \
--hostname `hostname -f` \
--ip-address=$FreeIPAIP \
--allow-zone-overlap \
--setup-dns --auto-forwarders --auto-reverse $FreeIPAExtraArgs
# Authenticate
echo $AdminPassword | kinit admin
# Verify we have TGT
klist
if [ "$?" = '1' ]; then
exit 1
fi