diff --git a/.rubocop.yml b/.rubocop.yml index 53ac1898..32736b59 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -4,3 +4,8 @@ inherit_gem: voxpupuli-test: rubocop.yml + +AllCops: + Exclude: + - bin/* + - spec/fixtures/modules/**/* diff --git a/README.md b/README.md index 720ccbfb..56220db8 100644 --- a/README.md +++ b/README.md @@ -204,7 +204,8 @@ and passed to the IPA installer. If true, then the parameter '--fixed-primary' is passed to the IPA installer. #### `idstart` -From the IPA man pages: "The starting user and group id number". +From the IPA man pages: "The starting user and group id number". Note that this +will clash with installer on RedHat 9. See adjust_login_defs parameter. #### `idmax` From the IPA man pages: "The max value for the IDs range (default: idstart+199999)". @@ -291,10 +292,13 @@ The public or external FQDN used to access the IPA Web UI behind the reverse pro #### `webui_proxy_https_port` The HTTPS port to use for the reverse proxy. Cannot be 443. +#### `adjust_login_defs` +Adjust UID_MAX and GID_MAX in login.defs. This is require on RedHat 9. Default false. + ## Limitations -This module has only been tested on Centos 7. +This module has only been tested on Centos 7 and RedHat 9. ## Testing A vagrantfile is provided for easy testing. diff --git a/lib/facter/gid_max.rb b/lib/facter/gid_max.rb new file mode 100644 index 00000000..0eddc9f6 --- /dev/null +++ b/lib/facter/gid_max.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +Facter.add(:gid_max) do + setcode do + lines = File.readlines('/etc/login.defs') + lines.find { |line| line.start_with?('GID_MAX') }.split[1].strip.to_i + end +end diff --git a/lib/facter/ipa_server_version.rb b/lib/facter/ipa_server_version.rb new file mode 100644 index 00000000..87860871 --- /dev/null +++ b/lib/facter/ipa_server_version.rb 
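Review bot: The fact calls `.split[1]` on the result of `lines.find`, so a login.defs without a `GID_MAX` line makes it raise instead of resolving to nil, `File.readlines` raises outright on a host without `/etc/login.defs`, and `to_i` maps a malformed value to 0 rather than failing. That matters because manifests/install/server.pp in the same change compares `idstart` against this fact to decide what to write back into login.defs, so a silent 0 or a missing value should be surfaced rather than masked. I would confine the fact on the file being readable, anchor the match with a regex capture so stray prefixes or comments cannot match, and parse with `Integer`.
```ruby
Facter.add(:gid_max) do
  confine { File.readable?('/etc/login.defs') }
  setcode do
    # First GID_MAX line with a numeric value; nil when absent.
    raw = File.foreach('/etc/login.defs').map { |l| l[/\A\s*GID_MAX\s+(\d+)/, 1] }.compact.first
    raw && Integer(raw, 10)
  end
end
```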
@@ -0,0 +1,13 @@ +# frozen_string_literal: true + +Facter.add(:ipa_server_version) do + setcode do + family = Facter.value('osfamily') + case family + when 'RedHat' + Facter::Core::Execution.execute('/bin/rpm -q ipa-server --queryformat "%{VERSION}"') + when 'Debian' + Facter::Core::Execution.execute('/usr/bin/dpkg-query -W -f="${Version}" ipa-server') + end + end +end diff --git a/lib/facter/uid_max.rb b/lib/facter/uid_max.rb new file mode 100644 index 00000000..9b668b30 --- /dev/null +++ b/lib/facter/uid_max.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +Facter.add(:uid_max) do + setcode do + lines = File.readlines('/etc/login.defs') + lines.find { |line| line.start_with?('UID_MAX') }.split[1].strip.to_i + end +end diff --git a/manifests/config/webui.pp b/manifests/config/webui.pp index 2b4f89e9..43aedb73 100644 --- a/manifests/config/webui.pp +++ b/manifests/config/webui.pp 
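Review bot: The Debian branch passes `-f="${Version}"` inside double quotes, and since `Facter::Core::Execution.execute` hands the command string to a shell, `${Version}` is most likely expanded as an empty shell variable before it reaches dpkg-query; it should be `-f='${Version}'`. As far as I recall the server package on Debian/Ubuntu is `freeipa-server` rather than `ipa-server`, so this branch probably returns empty output either way and is worth checking on a Debian host. On a RedHat host where the package is not yet installed (the first run of this module), `/bin/rpm -q` exits non-zero and prints "package ipa-server is not installed"; depending on the Facter version that either raises or becomes the fact's value, and manifests/config/webui.pp in this change feeds the fact straight into `versioncmp`. I would resolve to nil in that case, e.g. `out = Facter::Core::Execution.execute(cmd, on_fail: nil)` and return `out` only when it matches `/\A\d+(\.\d+)*/`.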
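Review bot: `lines.find` returns nil when no line starts with `UID_MAX`, so the following `.split[1]` raises and the fact errors out instead of resolving to nil; `File.readlines` likewise raises on a host without `/etc/login.defs`, and `to_i` turns a malformed value into 0. This matters because manifests/install/server.pp in the same change compares `idstart` against the fact and writes the result back into login.defs. I would add `confine { File.readable?('/etc/login.defs') }`, replace the find/split with `File.foreach('/etc/login.defs').map { |l| l[/\A\s*UID_MAX\s+(\d+)/, 1] }.compact.first`, and convert with `Integer` only when the result is non-nil.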
@@ -18,33 +18,38 @@ 'G', ) - exec { 'semanage-port-http_port_t': - command => "semanage port -a -t http_port_t -p tcp ${proxy_https_port}", - unless => "semanage port -l|grep -E \"^http_port_t.*tcp.*${proxy_https_port}\"", - path => ['/bin','/sbin','/usr/bin','/usr/sbin'], - } + # IPA switched to mod_ssl as the crypto engine for Apache as of version 4.7.0 + # see https://www.freeipa.org/page/Releases/4.7.0#Highlights_in_4.7.0 + # These are not needed for versions newer than 4.7.10 + if versioncmp($facts['ipa_server_version'], '4.7.0') < 0 { + exec { 'semanage-port-http_port_t': + command => "semanage port -a -t http_port_t -p tcp ${proxy_https_port}", + unless => "semanage port -l|grep -E \"^http_port_t.*tcp.*${proxy_https_port}\"", + path => ['/bin','/sbin','/usr/bin','/usr/sbin'], + } - file_line { 'webui_additional_https_port_listener': - ensure => present, - path => '/etc/httpd/conf.d/nss.conf', - line => "Listen ${proxy_https_port}", - after => 'Listen\ 443', - notify => Service['httpd'], - } + file_line { 'webui_additional_https_port_listener': + ensure => present, + path => '/etc/httpd/conf.d/nss.conf', + line => "Listen ${proxy_https_port}", + after => 'Listen\ 443', + notify => Service['httpd'], + } - file { '/etc/httpd/conf.d/ipa-rewrite.conf': - ensure => file, - replace => true, - content => template('easy_ipa/ipa-rewrite.conf.erb'), - notify => Service['httpd'], - } + file { '/etc/httpd/conf.d/ipa-rewrite.conf': + ensure => file, + replace => true, + content => template('easy_ipa/ipa-rewrite.conf.erb'), + notify => Service['httpd'], + } - file { '/etc/httpd/conf.d/ipa-webui-proxy.conf': - ensure => file, - replace => true, - content => template('easy_ipa/ipa-webui-proxy.conf.erb'), - notify => Service['httpd'], - require => Exec['semanage-port-http_port_t'], + file { '/etc/httpd/conf.d/ipa-webui-proxy.conf': + ensure => file, + replace => true, + content => template('easy_ipa/ipa-webui-proxy.conf.erb'), + notify => Service['httpd'], + require => 
Exec['semanage-port-http_port_t'], + } } } diff --git a/manifests/init.pp b/manifests/init.pp index 761724a7..758a4aa6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -152,6 +152,9 @@ # @param webui_proxy_https_port # (integer) The HTTPS port to use for the reverse proxy. Cannot be 443. # +# @param adjust_login_defs +# (boolean) Adjust UID_MAX and GID_MAX in login.defs. Without this newer server installers fail. Default false. +# # TODO: Allow creation of root zone for isolated networks -- https://www.freeipa.org/page/Howto/DNS_in_isolated_networks # TODO: Class comments. # TODO: Dependencies and metadata updates. @@ -202,6 +205,7 @@ Boolean $webui_force_https = false, String $webui_proxy_external_fqdn = 'localhost', String $webui_proxy_https_port = '8440', + Boolean $adjust_login_defs = false, ) { if $manage { # Include per-OS parameters and fail on unsupported OS @@ -213,7 +217,7 @@ } $master_principals = suffix( - prefix( [$ipa_server_fqdn], + prefix([$ipa_server_fqdn], 'host/' ), "@${final_realm}" @@ -240,6 +244,23 @@ default => '--no-sshd', } + if $adjust_login_defs { + file_line { + default: + path => '/etc/login.defs', + replace => true, + ; + 'adjust uid max': + line => "UID_MAX\t11999", + match => '^UID_MAX\s*60000$', + ; + 'adjust gid max': + line => "GID_MAX\t11999", + match => '^GID_MAX\s*60000$', + ; + } + } + require easy_ipa::validate_params contain easy_ipa::install } diff --git a/manifests/install/server.pp b/manifests/install/server.pp index 228893d9..3de35dbd 100644 --- a/manifests/install/server.pp +++ b/manifests/install/server.pp 
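Review bot: `versioncmp($facts['ipa_server_version'], '4.7.0')` has no guard for the fact being absent, and on the first run the `ipa-server` package is not installed when facts are gathered, so the fact is undef (or, depending on Facter, rpm's "package ipa-server is not installed" text) and catalog compilation fails with a type error before anything is installed. I would handle a missing fact explicitly, e.g. `$ipa_version = $facts['ipa_server_version']` followed by `if $ipa_version =~ String and versioncmp($ipa_version, '4.7.0') < 0 {`, and decide deliberately what the proxy configuration should do when the version is unknown. The new comment says these resources "are not needed for versions newer than 4.7.10" while the condition skips them from 4.7.0 onward; one of the two should be corrected. Note also that for 4.7+ nothing at all is managed for `webui_proxy_https_port` — the listener, rewrite and proxy files are all inside the condition — so the documented reverse-proxy feature silently does nothing on RedHat 9 unless a mod_ssl equivalent is added; if that is intended it deserves a comment and a README caveat. The enclosing class in webui.pp begins outside the hunk.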
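Review bot: `File_line['adjust uid max']` and `File_line['adjust gid max']` are also declared, with the same titles and path, in manifests/install/server.pp in this same change, and both blocks are gated on the same `adjust_login_defs` flag; on a server run where `contain easy_ipa::install` pulls in that class (the include chain is outside this hunk) Puppet will reject the catalog with a duplicate resource declaration. The init.pp copy is also the weaker of the two: it hard-codes `11999` regardless of `idstart` and only matches when the existing value is exactly `60000`, so a login.defs that was already edited is left untouched while a non-default `idstart` gets the wrong cap. I would drop this block from init.pp and keep the single, fact-driven version in server.pp.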
@@ -16,6 +16,32 @@ $server_install_cmd_opts_idstart = "--idstart=${easy_ipa::idstart}" + # Newer installers clash with both default UID_MAX and GID_MAX + # Note: SUB_* only affect user/group mapping in containers, so not of + # concern here + if $easy_ipa::adjust_login_defs { + if $easy_ipa::idstart < $facts['uid_max'] { + $uid_max_value = $easy_ipa::idstart -1 + } + if $easy_ipa::idstart < $facts['gid_max'] { + $gid_max_value = $easy_ipa::idstart -1 + } + file_line { + default: + path => '/etc/login.defs', + replace => true, + ; + 'adjust uid max': + line => "UID_MAX\t${uid_max_value}", + match => '^UID_MAX.*$', + ; + 'adjust gid max': + line => "GID_MAX\t${gid_max_value}", + match => '^GID_MAX.*$', + ; + } + } + $server_install_cmd_opts_idmax = $easy_ipa::idmax ? { undef => '', default => "--idmax=${easy_ipa::idmax}" diff --git a/metadata.json b/metadata.json index 99f7a14c..d5d1ec32 100644 --- a/metadata.json +++ b/metadata.json @@ -33,7 +33,8 @@ "operatingsystem": "RedHat", "operatingsystemrelease": [ "7", - "8" + "8", + "9" ] }, { diff --git a/plans/update_host_keys.pp b/plans/update_host_keys.pp index ad81e436..6462a1aa 100644 --- a/plans/update_host_keys.pp +++ b/plans/update_host_keys.pp 
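Review bot: `$uid_max_value` and `$gid_max_value` are only assigned when `idstart` is below the current fact, so when `idstart` is already at or above UID_MAX (the case where nothing should change) the `file_line` still runs and, with `match => '^UID_MAX.*$'` and `replace => true`, rewrites the line as `UID_MAX\t` with an empty value — or fails compilation under strict variables. The same path fails with a type error when the `uid_max`/`gid_max` fact is undef (no `/etc/login.defs`, or the fact did not parse), since, as far as I recall, Puppet refuses an `Integer < Undef` comparison. I would compute the target unconditionally, e.g. `$uid_max_value = ($easy_ipa::idstart < $facts['uid_max']) ? { true => $easy_ipa::idstart - 1, default => $facts['uid_max'] }` (and likewise for gid), and only declare the two `file_line` resources when both facts are Integers. Also write `$easy_ipa::idstart - 1` with spaces around the operator; `-1` directly after a variable is easy to misread and Puppet's lexing of it is worth confirming. The enclosing class `easy_ipa::install::server` continues outside the hunk.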
@@ -50,12 +50,14 @@ $rsa = $ipa_client.facts['ssh']['rsa']['key'] $dsa = $ipa_client.facts['ssh']['dsa']['key'] - $ipa_host_mod_cmd = "ipa host-mod ${ipa_client.facts['fqdn']} --sshpubkey=\"${ed25519}\" --sshpubkey=\"${ecdsa}\" --sshpubkey=\"${rsa}\" --sshpubkey=\"${dsa}\" --updatedns" + $ipa_host_mod_cmd = "ipa host-mod ${ipa_client.facts['fqdn']} --sshpubkey=\"${ed25519}\" --sshpubkey=\"${ecdsa}\" --sshpubkey=\"${rsa}\" --sshpubkey=\"${dsa}\" --updatedns" # lint:ignore:140chars if $noop { out::message("No-op: would run \"${ipa_host_mod_cmd}\" on IPA server") } else { + # lint:ignore:manifest_whitespace_opening_bracket_before # lint:ignore:140chars $ipa_host_mod_resultset = run_command($ipa_host_mod_cmd, $ipa_server, '_catch_errors' => true) ['stdout','stderr'].each |$output| { + # lint:endignore out::message($ipa_host_mod_resultset.first.value[$output]) } }
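Review bot: The `ipa host-mod` command on the first added line interpolates ssh key facts reported by the client host into a shell string that `run_command` then executes on the IPA server, so a client able to forge its facts (or a compromised client) can inject shell into a command running with the IPA admin's session — a fact value containing `"; <cmd>; "` or `$(...)` survives the double quotes. This is pre-existing rather than introduced here, but the new lint-ignore markers make the line easier to overlook, so I would validate each key against its expected shape before building the command, e.g. `unless $ed25519 =~ /\A[A-Za-z0-9+\/=]+\z/ { fail("unexpected ed25519 key for ${ipa_client.facts['fqdn']}") }` for each of the four keys, and wrap the interpolated values with `shellquote()` (or pass them as task parameters instead of a shell string). The surrounding plan body starts before the hunk.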