fce23f7646
Adds two checks that were used in order repos (liketq)but not on this one. Change-Id: I4ccaf3dc78777b4b661fa17382f2feef8eb0d03e
109 lines
3.3 KiB
Django/Jinja
109 lines
3.3 KiB
Django/Jinja
#! /bin/bash
|
|
|
|
set -eux
|
|
|
|
### ---start_docs
|
|
|
|
## Setup FreeIPA
|
|
## =============
|
|
|
|
## * Set required environment variables::
|
|
|
|
export TRIPLEO_DOMAIN=ooo.test
|
|
export CA_SERVER_HOSTNAME=ipa.$TRIPLEO_DOMAIN
|
|
export CA_ADMIN_PASS={{ freeipa_admin_password }}
|
|
export CA_DIR_MANAGER_PASS={{ directory_manager_password }}
|
|
export UNDERCLOUD_FQDN=undercloud.$TRIPLEO_DOMAIN
|
|
export IPA_SERVER_IP={{ supplemental_node_ip }}
|
|
|
|
## * Set IPA hostname::
|
|
|
|
hostnamectl set-hostname --static $CA_SERVER_HOSTNAME
|
|
|
|
## * Prepare the hosts file
|
|
## .. note:: This must be at the top of /etc/hosts
|
|
## ::
|
|
|
|
sed -i "1i$IPA_SERVER_IP $CA_SERVER_HOSTNAME" /etc/hosts
|
|
|
|
## * Install required system packages::
|
|
|
|
yum install -yq ipa-server ipa-server-dns curl epel-release
|
|
|
|
## * Update NSS (required for CA server to launch during deploy)
|
|
|
|
yum update -y nss
|
|
|
|
## * Increase system entropy (to prevent slow down during IPA installation)::
|
|
|
|
curl -Lo ius-release.rpm https://centos7.iuscommunity.org/ius-release.rpm
|
|
rpm -Uvh ius-release*.rpm
|
|
yum install -y haveged
|
|
systemctl start haveged.service
|
|
|
|
## * Install FreeIPA::
|
|
|
|
ipa-server-install -U \
|
|
-r `hostname -d|tr "[a-z]" "[A-Z]"` \
|
|
-p $CA_DIR_MANAGER_PASS \
|
|
-a $CA_ADMIN_PASS \
|
|
--hostname `hostname -f ` \
|
|
--ip-address=$IPA_SERVER_IP \
|
|
--setup-dns \
|
|
{% if custom_nameserver is defined -%}
|
|
{% for dns in custom_nameserver %}
|
|
--forwarder={{ dns }} \
|
|
{% endfor %}
|
|
{% else %}
|
|
--auto-forwarders \
|
|
{% endif %}
|
|
--auto-reverse {{ ipa_server_install_params|default('') }}
|
|
## * Set CA to create CRL on restart
|
|
sed -i "s/ca.crl.MasterCRL.publishOnStart=.*/ca.crl.MasterCRL.publishOnStart=true/" /etc/pki/pki-tomcat/ca/CS.cfg
|
|
systemctl restart pki-tomcatd@pki-tomcat.service
|
|
|
|
## * Set iptables rules::
|
|
|
|
cat << EOF > freeipa-iptables-rules.txt
|
|
# Firewall configuration written by system-config-firewall
|
|
# Manual customization of this file is not recommended.
|
|
*filter
|
|
:INPUT ACCEPT [0:0]
|
|
:FORWARD ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
-A INPUT -p icmp -j ACCEPT
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
|
|
#TCP ports for FreeIPA
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
|
|
#UDP ports for FreeIPA
|
|
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
|
|
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
|
|
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
|
|
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
|
|
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
|
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
|
COMMIT
|
|
EOF
|
|
|
|
iptables-restore < freeipa-iptables-rules.txt
|
|
|
|
# Setup sub-CAs
|
|
{% for subca in freeipa_subcas %}
|
|
{% if loop.first %}
|
|
echo $CA_ADMIN_PASS | kinit admin
|
|
ipa caacl-add-ca hosts_services_caIPAserviceCert --cas=ipa
|
|
{% endif %}
|
|
ipa ca-add --subject=CN={{subca}} {{subca}}
|
|
ipa caacl-add-ca hosts_services_caIPAserviceCert --cas={{subca}}
|
|
{% endfor %}
|
|
|
|
### ---stop_docs
|