34e1c75e54
We currently install the openldap-clients package on overcloud controller nodes. It was assumed that this package was needed for IPA client enrollment, but the ipa-client package only uses the openldap libraries that will already be pulled in as an indirect dependency of ipa-client. The openldap-clients package contains LDAP CLI utilities, which don't appear to be actually used. Change-Id: I14c1d8204bd84ead0d6995b5aefd10d2bbc4227d
180 lines
6.6 KiB
YAML
180 lines
6.6 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: Registers nodes with the IPA server
|
|
|
|
parameters:
|
|
RoleNetIpMap:
|
|
default: {}
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
PythonInterpreter:
|
|
type: string
|
|
description: The python interpreter to use for python and ansible actions
|
|
default: /usr/bin/python
|
|
MakeHomeDir:
|
|
type: boolean
|
|
description: Configure PAM to create a users home directory if it does not exist.
|
|
default: False
|
|
IdMDomain:
|
|
default: ''
|
|
description: IDM domain to register IDM client. Typically, this is discovered
|
|
through DNS and does not have to be set explicitly.
|
|
type: string
|
|
IdMNoNtpSetup:
|
|
default: False
|
|
description: Set to true to add --no-ntp to the IDM client install call.
|
|
This will cause IDM client install not to set up NTP.
|
|
type: boolean
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the ipaclient service
|
|
value:
|
|
service_name: ipaclient
|
|
upgrade_tasks: []
|
|
step_config: ''
|
|
host_prep_tasks:
|
|
- name: enroll client in ipa and get metadata
|
|
become: yes
|
|
vars:
|
|
python_interpreter: {get_param: PythonInterpreter}
|
|
makehomedir: {get_param: MakeHomeDir}
|
|
idm_domain: {get_param: IdMDomain}
|
|
idm_no_ntp: {get_param: IdMNoNtpSetup}
|
|
block:
|
|
- name: install needed packages
|
|
package:
|
|
name: "{{ item }}"
|
|
state: present
|
|
with_items:
|
|
- ipa-client
|
|
- ipa-admintools
|
|
- hostname
|
|
|
|
- name: create enrollment script
|
|
copy:
|
|
dest: /root/setup-ipa-client.sh
|
|
mode: '0700'
|
|
content: |
|
|
#!/bin/sh
|
|
set -x
|
|
|
|
function get_metadata_config_drive {
|
|
if [ -f /run/cloud-init/status.json ]; then
|
|
# Get metadata from config drive
|
|
data=`cat /run/cloud-init/status.json`
|
|
config_drive=`echo $data | {{ python_interpreter }} -c 'import json,re,sys;obj=json.load(sys.stdin);ds=obj.get("v1", {}).get("datasource"); print(re.findall(r"source=(.*)]", ds)[0])'`
|
|
if [[ -b $config_drive ]]; then
|
|
temp_dir=`mktemp -d`
|
|
mount $config_drive $temp_dir
|
|
if [ -f $temp_dir/openstack/latest/vendor_data2.json ]; then
|
|
data=`cat $temp_dir/openstack/latest/vendor_data2.json`
|
|
umount $config_drive
|
|
rmdir $temp_dir
|
|
else
|
|
umount $config_drive
|
|
rmdir $temp_dir
|
|
fi
|
|
else
|
|
echo "Unable to retrieve metadata from config drive."
|
|
return 1
|
|
fi
|
|
else
|
|
echo "Unable to retrieve metadata from config drive."
|
|
return 1
|
|
fi
|
|
|
|
return 0
|
|
}
|
|
|
|
function get_metadata_network {
|
|
# Get metadata over the network
|
|
data=$(timeout 300 /bin/bash -c 'data=""; while [ -z "$data" ]; do sleep $[ ( $RANDOM % 10 ) + 1 ]s; data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`; done; echo $data')
|
|
|
|
if [[ $? != 0 ]] ; then
|
|
echo "Unable to retrieve metadata from metadata service."
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
function get_fqdn {
|
|
# Get the instance hostname out of the metadata
|
|
fqdn=`echo $data | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("hostname", ""))'`
|
|
if [ -z "$fqdn"]; then
|
|
echo "Unable to determine hostname"
|
|
return 1
|
|
fi
|
|
return 0
|
|
}
|
|
|
|
if ! get_metadata_config_drive || ! get_fqdn; then
|
|
if ! get_metadata_network || ! get_fqdn; then
|
|
echo "FATAL: No metadata available or could not read the hostname from the metadata"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
realm=`echo $data | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("krb_realm", ""))'`
|
|
otp=`echo $data | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("ipaotp", ""))'`
|
|
|
|
# Force hostname to use the FQDN
|
|
hostnamectl set-hostname $fqdn
|
|
|
|
# run ipa-client-install
|
|
OPTS="-U -w $otp --hostname $fqdn"
|
|
|
|
if [ -n "$realm" ]; then
|
|
OPTS="$OPTS --realm=$realm"
|
|
fi
|
|
if [ -n "$idm_domain" ]; then
|
|
OPTS="$OPTS --domain=$idm_domain"
|
|
fi
|
|
if [ "${makehomedir,,}" = "true" ]; then
|
|
OPTS="$OPTS --mkhomedir"
|
|
fi
|
|
if [ "${idm_no_ntp,,}" = "true" ]; then
|
|
OPTS="$OPTS --no-ntp"
|
|
fi
|
|
|
|
|
|
# Ensure we have the proper domain in /etc/resolv.conf
|
|
domain=$(hostname -d)
|
|
if [ -n "$idm_domain" ]; then
|
|
domain = "$domain $idm_domain"
|
|
fi
|
|
if ! grep -q ${domain} /etc/resolv.conf ; then
|
|
sed -i "0,/nameserver/s/\(nameserver.*\)/search ${domain}\n\1/" /etc/resolv.conf
|
|
fi
|
|
|
|
ipa-client-install $OPTS
|
|
|
|
- name: run enrollment script
|
|
shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1
|
|
args:
|
|
creates: /etc/ipa/default.conf
|