Add support for RedHat 9

Signed-off-by: Kibahop <[email protected]>

.rubocop.yml

@@ -4,3 +4,8 @@
 
 inherit_gem:
   voxpupuli-test: rubocop.yml
+
+AllCops:
+  Exclude:
+  - bin/*
+  - spec/fixtures/modules/**/*

README.md

@@ -204,7 +204,8 @@ and passed to the IPA installer.
 If true, then the parameter '--fixed-primary' is passed to the IPA installer.
 
 #### `idstart`
-From the IPA man pages: "The starting user and group id number".
+From the IPA man pages: "The starting user and group id number". Note that this
+will clash with installer on RedHat 9. See adjust_login_defs parameter.
 
 #### `idmax`
 From the IPA man pages: "The max value for the IDs range (default: idstart+199999)".
@@ -291,10 +292,13 @@ The public or external FQDN used to access the IPA Web UI behind the reverse pro
 #### `webui_proxy_https_port`
 The HTTPS port to use for the reverse proxy. Cannot be 443.
 
+#### `adjust_login_defs`
+Adjust UID_MAX and GID_MAX in login.defs. This is require on RedHat 9. Default false.
+
 
 ## Limitations
 
-This module has only been tested on Centos 7.
+This module has only been tested on Centos 7 and RedHat 9.
 
 ## Testing
 A vagrantfile is provided for easy testing.

lib/facter/gid_max.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Facter.add(:gid_max) do
+  setcode do
+    lines = File.readlines('/etc/login.defs')
+    lines.find { |line| line.start_with?('GID_MAX') }.split[1].strip.to_i
+  end
+end

lib/facter/ipa_server_version.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+Facter.add(:ipa_server_version) do
+  setcode do
+    family = Facter.value('osfamily')
+    case family
+    when 'RedHat'
+      Facter::Core::Execution.execute('/bin/rpm -q ipa-server --queryformat "%{VERSION}"')
+    when 'Debian'
+      Facter::Core::Execution.execute('/usr/bin/dpkg-query -W -f="${Version}" ipa-server')
+    end
+  end
+end

lib/facter/uid_max.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Facter.add(:uid_max) do
+  setcode do
+    lines = File.readlines('/etc/login.defs')
+    lines.find { |line| line.start_with?('UID_MAX') }.split[1].strip.to_i
+  end
+end

manifests/config/webui.pp

@@ -18,33 +18,38 @@
       'G',
     )
 
-    exec { 'semanage-port-http_port_t':
-      command => "semanage port -a -t http_port_t -p tcp ${proxy_https_port}",
-      unless  => "semanage port -l|grep -E \"^http_port_t.*tcp.*${proxy_https_port}\"",
-      path    => ['/bin','/sbin','/usr/bin','/usr/sbin'],
-    }
+    # IPA switched to mod_ssl as the crypto engine for Apache as of version 4.7.0
+    # see https://www.freeipa.org/page/Releases/4.7.0#Highlights_in_4.7.0
+    # These are not needed for versions newer than 4.7.10
+    if versioncmp($facts['ipa_server_version'], '4.7.0') < 0 {
+      exec { 'semanage-port-http_port_t':
+        command => "semanage port -a -t http_port_t -p tcp ${proxy_https_port}",
+        unless  => "semanage port -l|grep -E \"^http_port_t.*tcp.*${proxy_https_port}\"",
+        path    => ['/bin','/sbin','/usr/bin','/usr/sbin'],
+      }
 
-    file_line { 'webui_additional_https_port_listener':
-      ensure => present,
-      path   => '/etc/httpd/conf.d/nss.conf',
-      line   => "Listen ${proxy_https_port}",
-      after  => 'Listen\ 443',
-      notify => Service['httpd'],
-    }
+      file_line { 'webui_additional_https_port_listener':
+        ensure => present,
+        path   => '/etc/httpd/conf.d/nss.conf',
+        line   => "Listen ${proxy_https_port}",
+        after  => 'Listen\ 443',
+        notify => Service['httpd'],
+      }
 
-    file { '/etc/httpd/conf.d/ipa-rewrite.conf':
-      ensure  => file,
-      replace => true,
-      content => template('easy_ipa/ipa-rewrite.conf.erb'),
-      notify  => Service['httpd'],
-    }
+      file { '/etc/httpd/conf.d/ipa-rewrite.conf':
+        ensure  => file,
+        replace => true,
+        content => template('easy_ipa/ipa-rewrite.conf.erb'),
+        notify  => Service['httpd'],
+      }
 
-    file { '/etc/httpd/conf.d/ipa-webui-proxy.conf':
-      ensure  => file,
-      replace => true,
-      content => template('easy_ipa/ipa-webui-proxy.conf.erb'),
-      notify  => Service['httpd'],
-      require => Exec['semanage-port-http_port_t'],
+      file { '/etc/httpd/conf.d/ipa-webui-proxy.conf':
+        ensure  => file,
+        replace => true,
+        content => template('easy_ipa/ipa-webui-proxy.conf.erb'),
+        notify  => Service['httpd'],
+        require => Exec['semanage-port-http_port_t'],
+      }
     }
   }
 

manifests/init.pp

@@ -152,6 +152,9 @@
 # @param webui_proxy_https_port
 #      (integer) The HTTPS port to use for the reverse proxy. Cannot be 443.
 #
+# @param adjust_login_defs
+#      (boolean) Adjust UID_MAX and GID_MAX in login.defs. Without this newer server installers fail. Default false.
+#
 # TODO: Allow creation of root zone for isolated networks -- https://www.freeipa.org/page/Howto/DNS_in_isolated_networks
 # TODO: Class comments.
 # TODO: Dependencies and metadata updates.
@@ -202,6 +205,7 @@
   Boolean $webui_force_https                       = false,
   String $webui_proxy_external_fqdn                = 'localhost',
   String $webui_proxy_https_port                   = '8440',
+  Boolean $adjust_login_defs                       = false,
 ) {
   if $manage {
     # Include per-OS parameters and fail on unsupported OS
@@ -213,7 +217,7 @@
     }
 
     $master_principals = suffix(
-      prefix( [$ipa_server_fqdn],
+      prefix([$ipa_server_fqdn],
         'host/'
       ),
       "@${final_realm}"
@@ -240,6 +244,23 @@
       default => '--no-sshd',
     }
 
+    if $adjust_login_defs {
+      file_line {
+        default:
+          path    => '/etc/login.defs',
+          replace => true,
+          ;
+        'adjust uid max':
+          line  => "UID_MAX\t11999",
+          match => '^UID_MAX\s*60000$',
+          ;
+        'adjust gid max':
+          line  => "GID_MAX\t11999",
+          match => '^GID_MAX\s*60000$',
+          ;
+      }
+    }
+
     require easy_ipa::validate_params
     contain easy_ipa::install
   }

manifests/install/server.pp

@@ -16,6 +16,32 @@
 
   $server_install_cmd_opts_idstart = "--idstart=${easy_ipa::idstart}"
 
+  # Newer installers clash with both default UID_MAX and GID_MAX
+  # Note: SUB_* only affect user/group mapping in containers, so not of
+  # concern here
+  if $easy_ipa::adjust_login_defs {
+    if $easy_ipa::idstart < $facts['uid_max'] {
+      $uid_max_value = $easy_ipa::idstart -1
+    }
+    if $easy_ipa::idstart < $facts['gid_max'] {
+      $gid_max_value = $easy_ipa::idstart -1
+    }
+    file_line {
+      default:
+        path    => '/etc/login.defs',
+        replace => true,
+        ;
+      'adjust uid max':
+        line  => "UID_MAX\t${uid_max_value}",
+        match => '^UID_MAX.*$',
+        ;
+      'adjust gid max':
+        line  => "GID_MAX\t${gid_max_value}",
+        match => '^GID_MAX.*$',
+        ;
+    }
+  }
+
   $server_install_cmd_opts_idmax = $easy_ipa::idmax ? {
     undef   => '',
     default => "--idmax=${easy_ipa::idmax}"

metadata.json

@@ -33,7 +33,8 @@
       "operatingsystem": "RedHat",
       "operatingsystemrelease": [
         "7",
-        "8"
+        "8",
+        "9"
       ]
     },
     {

plans/update_host_keys.pp

@@ -50,12 +50,14 @@
     $rsa = $ipa_client.facts['ssh']['rsa']['key']
     $dsa = $ipa_client.facts['ssh']['dsa']['key']
 
-    $ipa_host_mod_cmd = "ipa host-mod ${ipa_client.facts['fqdn']} --sshpubkey=\"${ed25519}\" --sshpubkey=\"${ecdsa}\" --sshpubkey=\"${rsa}\" --sshpubkey=\"${dsa}\" --updatedns"
+    $ipa_host_mod_cmd = "ipa host-mod ${ipa_client.facts['fqdn']} --sshpubkey=\"${ed25519}\" --sshpubkey=\"${ecdsa}\" --sshpubkey=\"${rsa}\" --sshpubkey=\"${dsa}\" --updatedns"  # lint:ignore:140chars
 
     if $noop {
       out::message("No-op: would run \"${ipa_host_mod_cmd}\" on IPA server")
     } else {
+      # lint:ignore:manifest_whitespace_opening_bracket_before  # lint:ignore:140chars 
       $ipa_host_mod_resultset = run_command($ipa_host_mod_cmd, $ipa_server, '_catch_errors' => true) ['stdout','stderr'].each |$output| {
+        # lint:endignore
         out::message($ipa_host_mod_resultset.first.value[$output])
       }
     }