A collection of Ansible playbooks to detect and report potential issues during TripleO deployments

  1. ---
  2. # Copyright 2020 Red Hat, Inc.
  3. #
  4. # Licensed under the Apache License, Version 2.0 (the "License"); you may
  5. # not use this file except in compliance with the License. You may obtain
  6. # a copy of the License at
  7. #
  8. # http://www.apache.org/licenses/LICENSE-2.0
  9. #
  10. # Unless required by applicable law or agreed to in writing, software
  11. # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  12. # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  13. # License for the specific language governing permissions and limitations
  14. # under the License.
  15. #
# Changes have been introduced - and more may follow in future - that
# require updates to IPA permissions or ACLs. This playbook does not have the
# permissions to make those changes automatically, but it can check that they
# have been applied before an overcloud or undercloud update is attempted in a
# TLS-E environment. It is expected to fail with an appropriate error message
# when a requirement is not met.
  22. #
# This playbook accepts the following parameters:
# - tls_everywhere_check_dns_aci - whether to check for the DNS ACI.
#   Defaults to true.
# - tls_everywhere_undercloud_fqdn - the FQDN of the undercloud. Defaults to
#   ansible_fqdn.
  27. - name: check if undercloud is an ipa client
  28. stat:
  29. path: /etc/ipa/default.conf
  30. register: ipa_default_conf
  31. - name: perform ipa_server tests
  32. when: ipa_default_conf.stat.exists
  33. vars:
  34. check_dns_aci: "{{ tls_everywhere_check_dns_aci | default(True)}}"
  35. undercloud_fqdn: "{{ tls_everywhere_undercloud_fqdn | default(ansible_fqdn) }}"
  36. ipa_server_aci_check_failures: []
  37. fail_1: >-
  38. The IPA server does not have the required ACI to allow host
  39. entities to view dns records. Please add the ACI.
  40. fail_2: >-
  41. The nova/{{undercloud_fqdn}} user does not have the
  42. "System: Modify Realm Domains" privilege. Please add this privilege for
  43. this user on the IPA server.
  44. block:
  45. - name: Get the ipa server hostname
  46. validations_read_ini:
  47. path: "/etc/ipa/default.conf"
  48. section: global
  49. key: server
  50. register: ipa_server_fqdn
  51. - name: set dns zone and shortname
  52. set_fact:
  53. dns_zone: "{{ ipa_server_fqdn.value.split('.', 1)[1] }}"
  54. short_hostname: "{{ ipa_server_fqdn.value.split('.')[0] }}"
  55. - name: kinit as the host entity
  56. command: "{{ kinit_bin }} host/{{ undercloud_fqdn }} -k -t /etc/krb5.keytab"
  57. register: kinit
  58. become: true
  59. changed_when: kinit.rc == 0
  60. - name: check if ipa server has correct DNS ACI on host entries
  61. when: check_dns_aci
  62. block:
  63. - name: try to view the dns record for the ipa server
  64. become: true
  65. command: "{{ ipa_bin }} dnsrecord-show {{dns_zone}} {{short_hostname}}"
  66. register: dnsrecord_show
  67. ignore_errors: true
  68. - name: add failure message when zone is not found
  69. set_fact:
  70. ipa_server_aci_check_failures: "{{ ipa_server_aci_check_failures + [fail_1] }}"
  71. when:
  72. "'DNS zone not found' in dnsrecord_show.stderr"
  73. - name: check if nova service has the added permissions
  74. become: true
  75. command: "{{ ipa_bin}} service-show nova/{{ undercloud_fqdn }} --all --raw"
  76. register: service_show
  77. - name: parse service data and fail if permission not present
  78. set_fact:
  79. ipa_server_aci_check_failures: "{{ ipa_server_aci_check_failures + [fail_2] }}"
  80. when:
  81. - "'memberof: cn=System: Modify Realm Domains' not in service_show.stdout"
  82. - name: fail if failures detected
  83. fail:
  84. msg: "{{ ipa_server_aci_check_failures }}"
  85. when: 'ipa_server_aci_check_failures|length > 0'
  86. always:
  87. - name: clean up the keytab
  88. command: "{{ kdestroy_bin }} -A"
  89. register: kdestroy
  90. become: true
  91. - name: set output for molecule testing
  92. set_fact:
  93. ipa_server_aci_check_kdestroy_output: "{{ kdestroy.stdout }}"
  94. tls_everywhere_aci_check_kinit_output: "{{ kinit.stdout }}"
  95. tls_everywhere_aci_check_dns_record_show_output: "{{ dnsrecord_show.stdout }}"
  96. tls_everywhere_aci_check_service_show_output: "{{ service_show.stdout }}"
  97. when: not ansible_check_mode