From 8459e1c45401e18aa7422eb846583ae173e761bc Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Fri, 25 Nov 2022 23:12:28 -0300 Subject: [PATCH] utils: Remove deprecated shell scripts used to deploy IPA. The deprecated shell scripts used to deplay IPA are outdated and are not needed to deploy IPA. There is no documentation about them, and they would need to be updated and maintained in the future. --- tests/sanity/ignore-2.12.txt | 3 - tests/sanity/ignore-2.13.txt | 3 - utils/ansible-freeipa.spec.in | 3 +- utils/ansible-ipa-client-install | 412 --------------------- utils/ansible-ipa-replica-install | 528 --------------------------- utils/ansible-ipa-server-install | 588 ------------------------------ 6 files changed, 1 insertion(+), 1536 deletions(-) delete mode 100755 utils/ansible-ipa-client-install delete mode 100755 utils/ansible-ipa-replica-install delete mode 100755 utils/ansible-ipa-server-install diff --git a/tests/sanity/ignore-2.12.txt b/tests/sanity/ignore-2.12.txt index e0ccd60a8f..364d924991 100644 --- a/tests/sanity/ignore-2.12.txt +++ b/tests/sanity/ignore-2.12.txt @@ -41,9 +41,6 @@ tests/user/users.sh shebang!skip tests/user/users_absent.sh shebang!skip tests/utils.py pylint:ansible-format-automatic-specification utils/ansible-doc-test shebang!skip -utils/ansible-ipa-client-install shebang!skip -utils/ansible-ipa-replica-install shebang!skip -utils/ansible-ipa-server-install shebang!skip utils/build-galaxy-release.sh shebang!skip utils/build-srpm.sh shebang!skip utils/changelog shebang!skip diff --git a/tests/sanity/ignore-2.13.txt b/tests/sanity/ignore-2.13.txt index 3da8ae39ff..0709427eff 100644 --- a/tests/sanity/ignore-2.13.txt +++ b/tests/sanity/ignore-2.13.txt @@ -23,9 +23,6 @@ tests/user/users.sh shebang!skip tests/user/users_absent.sh shebang!skip tests/utils.py pylint:ansible-format-automatic-specification utils/ansible-doc-test shebang!skip -utils/ansible-ipa-client-install shebang!skip -utils/ansible-ipa-replica-install shebang!skip -utils/ansible-ipa-server-install shebang!skip utils/build-galaxy-release.sh shebang!skip utils/build-srpm.sh shebang!skip utils/changelog shebang!skip diff --git a/utils/ansible-freeipa.spec.in b/utils/ansible-freeipa.spec.in index bc532a2fc5..960c30000a 100644 --- a/utils/ansible-freeipa.spec.in +++ b/utils/ansible-freeipa.spec.in @@ -122,8 +122,7 @@ for i in roles/ipa*/library/*.py roles/ipa*/module_utils/*.py plugins/*/*.py; do chmod a-x $i done -for i in utils/*.py utils/ansible-ipa-*-install utils/new_module \ - utils/changelog utils/ansible-doc-test; +for i in utils/*.py utils/new_module utils/changelog utils/ansible-doc-test do sed -i '{s@/usr/bin/python*@%{python}@}' $i done diff --git a/utils/ansible-ipa-client-install b/utils/ansible-ipa-client-install deleted file mode 100755 index 9f9ae0eae9..0000000000 --- a/utils/ansible-ipa-client-install +++ /dev/null @@ -1,412 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- - -# Authors: -# Thomas Woerner -# -# Copyright (C) 2019 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import sys -import shutil -import tempfile -import argparse -import traceback -import subprocess - - -def parse_options(): - usage = "Usage: ansible-ipa-client-install [options] " - - parser = argparse.ArgumentParser(usage=usage) - parser.add_argument("--version", dest="version", - action="store_true", - help="show program's version number and exit") - parser.add_argument("-U", "--unattended", dest="unattended", - action="store_true", - help="unattended (un)installation never prompts the " - "user") - parser.add_argument("--uninstall", dest="uninstall", - action="store_true", - help="uninstall an existing installation. The " - "uninstall can be run with --unattended option") - # basic - parser.add_argument("-p", "--principal", dest="principal", - default=None, - help="principal to use to join the IPA realm") - parser.add_argument("--ca-cert-file", dest="ca_cert_file", - default=None, - help="load the CA certificate from this file") - parser.add_argument("--ip-address", dest="ip_addresses", - metavar="IP_ADDRESS", - action='append', default=None, - help="Specify IP address that should be added to DNS. " - "This option can be used multiple times") - parser.add_argument("--all-ip-addresses", dest="all_ip_addresses", - action='store_true', - help="All routable IP addresses configured on any " - "interface will be added to DNS") - parser.add_argument("--domain", dest="domain", - default=None, - help="primary DNS domain of the IPA deployment (not " - "necessarily related to the current hostname)") - parser.add_argument("--server", dest="servers", - metavar="SERVER", - action='append', default=None, - help="FQDN of IPA server") - parser.add_argument("--realm", dest="realm", - default=None, - help="Kerberos realm name of the IPA deployment " - "(typically an upper-cased name of the primary DNS " - "domain)") - parser.add_argument("--hostname", dest="hostname", - default=None, - help="The hostname of this machine (FQDN). If " - "specified, the hostname will be set and the system " - "configuration will be updated to persist over " - "reboot. By default the result of getfqdn() call " - "from Python's socket module is used.") - # client - parser.add_argument("-w", "--password", dest="password", - default=None, - help="password to join the IPA realm (assumes bulk " - "password unless principal is also set)") - parser.add_argument("-W", dest="password_prompt", - action="store_true", - help="Prompt for a password to join the IPA realm") - parser.add_argument("-f", "--force", dest="force", - action="store_true", - help="force setting of LDAP/Kerberos conf") - parser.add_argument("--configure-firefox", dest="configure_firefox", - action="store_true", - help="configure Firefox to use IPA domain credentials") - parser.add_argument("--firefox-dir", dest="firefox_dir", - default=None, - help="specify directory where Firefox is installed " - "(for example: '/usr/lib/firefox')") - parser.add_argument("-k", "--keytab", dest="keytab", - default=None, - help="path to backed up keytab from previous " - "enrollment") - parser.add_argument("--mkhomedir", dest="mkhomedir", - action="store_true", - help="create home directories for users on their " - "first login") - parser.add_argument("--force-join", dest="force_join", - action="store_true", - help="Force client enrollment even if already " - "enrolled") - parser.add_argument("--ntp-server", dest="ntp_servers", - metavar="NTP_SERVER", - action='append', default=None, - help="ntp server to use. This option can be used " - "multiple times") - parser.add_argument("--ntp-pool", dest="ntp_pool", - default=None, - help="ntp server pool to use") - parser.add_argument("-N", "--no-ntp", dest="no_ntp", - action="store_true", - help="do not configure ntp") - parser.add_argument("--nisdomain", dest="nisdomain", - default=None, - help="NIS domain name") - parser.add_argument("--no-nisdomain", dest="no_nisdomain", - action="store_true", - help="do not configure NIS domain name") - parser.add_argument("--ssh-trust-dns", dest="ssh_trust_dns", - action="store_true", - help="configure OpenSSH client to trust DNS SSHFP " - "records") - parser.add_argument("--no-ssh", dest="no_ssh", - action="store_true", - help="do not configure OpenSSH client") - parser.add_argument("--no-sshd", dest="no_sshd", - action="store_true", - help="do not configure OpenSSH server") - parser.add_argument("--no-sudo", dest="no_sudo", - action="store_true", - help="do not configure SSSD as data source for sudo") - parser.add_argument("--no-dns-sshfp", dest="no_dns_sshfp", - action="store_true", - help="do not automatically create DNS SSHFP records") - parser.add_argument("--kinit-attempts", dest="kinit_attempts", - type=int, default=None, - help="number of attempts to obtain host TGT (defaults " - "to 5)") - # sssd - parser.add_argument("--fixed-primary", dest="fixed_primary", - action="store_true", - help="Configure sssd to use fixed server as primary " - "IPA server") - parser.add_argument("--permit", dest="permit", - action="store_true", - help="disable access rules by default, permit all " - "access") - parser.add_argument("--enable-dns-updates", dest="enable_dns_updates", - action="store_true", - help="Configures the machine to attempt dns updates " - "when the ip address changes") - parser.add_argument("--no-krb5-offline-passwords", - dest="no_krb5_offline_passwords", - action="store_true", - help="Configure SSSD not to store user password when " - "the server is offline") - parser.add_argument("--preserve-sssd", dest="preserve_sssd", - action="store_true", - help="Preserve old SSSD configuration if possible") - - # automount - parser.add_argument("--automount-location", dest="automount_location", - default=None, - help="Automount location") - # logging and output - parser.add_argument("-v", "--verbose", dest="verbose", - action="store_true", - help="print debugging information") - parser.add_argument("-d", "--debug", dest="verbose", - action="store_true", - help="alias for --verbose (deprecated)") - parser.add_argument("-q", "--quiet", dest="quiet", - action="store_true", - help="output only errors") - parser.add_argument("--log-file", dest="log_file", - help="log to the given file") - # ansible - parser.add_argument("--ipaclient-use-otp", dest="ipaclient_use_otp", - choices=("yes", "no"), default=None, - help="The bool value defines if a one-time password " - "will be generated to join a new or existing host. " - "Default: no") - parser.add_argument("--ipaclient-allow-repair", - dest="ipaclient_allow_repair", - choices=("yes", "no"), default=None, - help="The bool value defines if an already joined or " - "partly set-up client can be repaired. Default: no") - parser.add_argument("--ipaclient-install-packages", - dest="ipaclient_install_packages", - choices=("yes", "no"), default=None, - help="The bool value defines if the needed packages " - "are installed on the node. Default: yes") - # playbook - parser.add_argument("--playbook-dir", - dest="playbook_dir", - default=None, - help="If defined will be used as to create inventory " - "file and playbook in. The files will not be removed " - "after the playbook processing ended.") - parser.add_argument("--become-method", - dest="become_method", - default="sudo", - help="privilege escalation method to use " - "(default=sudo), use `ansible-doc -t become -l` to " - "list valid choices.") - parser.add_argument("--ansible-verbose", - dest="ansible_verbose", - type=int, default=None, - help="privilege escalation method to use " - "(default=sudo), use `ansible-doc -t become -l` to " - "list valid choices.") - - options, args = parser.parse_known_args() - - if options.playbook_dir and not os.path.isdir(options.playbook_dir): - parser.error("playbook dir does not exist") - - if options.password_prompt: - parser.error("password prompt is not possible with ansible") - if options.log_file: - parser.error("log_file is not supported") - - if len(args) < 1: - parser.error("ansible host not set") - elif len(args) > 1: - parser.error("too many arguments: %s" % ",".join(args)) - - return options, args - - -def run_cmd(args): - """ - Execute an external command. - """ - p_out = subprocess.PIPE - p_err = subprocess.STDOUT - try: - p = subprocess.Popen(args, stdout=p_out, stderr=p_err, - close_fds=True, bufsize=1, - universal_newlines=True) - while True: - line = p.stdout.readline() - if p.poll() is not None and line == "": - break - sys.stdout.write(line) - except KeyboardInterrupt: - p.wait() - raise - else: - p.wait() - return p.returncode - - -def main(options, args): - if options.playbook_dir: - playbook_dir = options.playbook_dir - else: - temp_dir = tempfile.mkdtemp(prefix='ansible-ipa-client') - playbook_dir = temp_dir - - inventory = os.path.join(playbook_dir, "ipaclient-inventory") - playbook = os.path.join(playbook_dir, "ipaclient-playbook.yml") - - with open(inventory, 'w') as f: - if options.servers: - f.write("[ipaservers]\n") - for server in options.servers: - f.write("%s\n" % server) - f.write("\n") - f.write("[ipaclients]\n") - f.write("%s\n" % args[0]) - f.write("\n") - f.write("[ipaclients:vars]\n") - # basic - if options.principal: - f.write("ipaadmin_principal=%s\n" % options.principal) - if options.ca_cert_file: - f.write("ipaclient_ca_cert_file=%s\n" % options.ca_cert_file) - if options.ip_addresses: - f.write("ipaclient_ip_addresses=%s\n" % - ",".join(options.ip_addresses)) - if options.all_ip_addresses: - f.write("ipaclient_all_ip_addresses=yes\n") - if options.domain: - f.write("ipaclient_domain=%s\n" % options.domain) - # --servers are handled above - if options.realm: - f.write("ipaclient_realm=%s\n" % options.realm) - if options.hostname: - f.write("ipaclient_hostname=%s\n" % options.hostname) - # client - if options.password: - f.write("ipaadmin_password=%s\n" % options.password) - if options.force: - f.write("ipaclient_force=yes\n") - if options.configure_firefox: - f.write("ipaclient_configure_firefox=yes\n") - if options.firefox_dir: - f.write("ipaclient_firefox_dir=%s\n" % options.firefox_dir) - if options.keytab: - f.write("ipaclient_keytab=%s\n" % options.keytab) - if options.mkhomedir: - f.write("ipaclient_mkhomedir=yes\n") - if options.force_join: - f.write("ipaclient_force_join=%s\n" % options.force_join) - if options.ntp_servers: - f.write("ipaclient_ntp_servers=%s\n" % - ",".join(options.ntp_servers)) - if options.ntp_pool: - f.write("ipaclient_ntp_pool=%s\n" % options.ntp_pool) - if options.no_ntp: - f.write("ipaclient_no_ntp=yes\n") - if options.nisdomain: - f.write("ipaclient_nisdomain=%s\n" % options.nisdomain) - if options.no_nisdomain: - f.write("ipaclient_no_nisdomain=yes\n") - if options.ssh_trust_dns: - f.write("ipaclient_ssh_trust_dns=yes\n") - if options.no_ssh: - f.write("ipaclient_no_ssh=yes\n") - if options.no_sshd: - f.write("ipaclient_no_sshd=yes\n") - if options.no_sudo: - f.write("ipaclient_no_sudo=yes\n") - if options.no_dns_sshfp: - f.write("ipaclient_no_dns_sshfp=yes\n") - if options.kinit_attempts: - f.write("ipaclient_kinit_attempts=%d\n" % options.kinit_attempts) - # sssd - if options.fixed_primary: - f.write("ipasssd_fixed_primary=yes\n") - if options.permit: - f.write("ipasssd_permit=yes\n") - if options.enable_dns_updates: - f.write("ipasssd_enable_dns_updates=yes\n") - if options.no_krb5_offline_passwords: - f.write("ipasssd_no_krb5_offline_passwords=yes\n") - if options.preserve_sssd: - f.write("ipasssd_preserve_sssd=yes\n") - # automount - if options.automount_location: - f.write("ipaclient_automount_location=%s\n" % - options.automount_location) - # ansible - if options.ipaclient_use_otp: - f.write("ipaclient_use_otp=%s\n" % options.ipaclient_use_otp) - if options.ipaclient_allow_repair: - f.write("ipaclient_allow_repair=%s\n" % - options.ipaclient_allow_repair) - if options.ipaclient_install_packages: - f.write("ipaclient_install_packages=%s\n" % - options.ipaclient_install_packages) - - if options.uninstall: - state = "absent" - else: - state = "present" - - with open(playbook, 'w') as f: - f.write("---\n") - f.write("- name: Playbook to configure IPA clients\n") - f.write(" hosts: ipaclients\n") - f.write(" become: true\n") - if options.become_method: - f.write(" become_method: %s\n" % options.become_method) - f.write("\n") - f.write(" roles:\n") - f.write(" - role: ipaclient\n") - f.write(" state: %s\n" % state) - - cmd = [ 'ansible-playbook' ] - if options.ansible_verbose: - cmd.append("-"+"v"*options.ansible_verbose) - cmd.extend(['-i', inventory, playbook]) - try: - returncode = run_cmd(cmd) - if returncode != 0: - raise RuntimeError() - finally: - if not options.playbook_dir: - shutil.rmtree(temp_dir, ignore_errors=True) - - -options, args = parse_options() -try: - main(options, args) -except KeyboardInterrupt: - sys.exit(1) -except SystemExit as e: - sys.exit(e) -except RuntimeError as e: - sys.exit(e) -except Exception as e: - if options.verbose: - traceback.print_exc(file=sys.stdout) - else: - print("Re-run %s with --verbose option to get more information" % - sys.argv[0]) - - print("Unexpected error: %s" % str(e)) - sys.exit(1) diff --git a/utils/ansible-ipa-replica-install b/utils/ansible-ipa-replica-install deleted file mode 100755 index 0d9d0e2291..0000000000 --- a/utils/ansible-ipa-replica-install +++ /dev/null @@ -1,528 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- - -# Authors: -# Thomas Woerner -# -# Copyright (C) 2019 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import sys -import shutil -import tempfile -import argparse -import traceback -import subprocess - - -def parse_options(): - usage = "Usage: anisble-ipa-replica-install [options] " - - parser = argparse.ArgumentParser(usage=usage) - parser.add_argument("--version", dest="version", - action="store_true", - help="show program's version number and exit") - parser.add_argument("-U", "--unattended", dest="unattended", - action="store_true", - help="unattended (un)installation never prompts the " - "user") - # basic - parser.add_argument("-w", "--admin-password", dest="admin_password", - default=None, - help="Kerberos password for the specified admin " - "principal") - parser.add_argument("--ip-address", dest="ip_addresses", - metavar="IP_ADDRESS", - action='append', default=None, - help="Replica server IP Address. This option can be " - "used multiple times") - parser.add_argument("-n", "--domain", dest="domain", - metavar="DOMAIN_NAME", default=None, - help="primary DNS domain of the IPA deployment (not " - "necessarily related to the current hostname)") - parser.add_argument("--server", dest="servers", - metavar="SERVER", - action='append', default=None, - help="fully qualified name of IPA server to enroll to") - parser.add_argument("-r", "--realm", dest="realm", - metavar="REALM_NAME", default=None, - help="Kerberos realm name of the IPA deployment " - "(typically un upper-cased name of the primary DNS " - "domain)") - parser.add_argument("--hostname", dest="hostname", - metavar="HOST_NAME", default=None, - help="fully qualified name of this host") - parser.add_argument("-P", "--principal", dest="principal", - default=None, - help="User Principal allowed to promote replicas and " - "join IPA realm") - parser.add_argument("--pki-config-override", dest="pki_config_override", - default=None, - help="Path to ini file with config overrides.") - parser.add_argument("--no-host-dns", dest="no_host_dns", - action="store_true", - help="Do not use DNS for hostname lookup during " - "installation") - parser.add_argument("--skip-conncheck", dest="skip_conncheck", - action="store_true", - help="skip connection check to remote master") - # server - parser.add_argument("-p", "--password", dest="dm_password", - default=None, - help="Password to join the IPA realm. Assumes bulk " - "password unless principal is also set. (domain " - "level 1+) Directory Manager (existing master) " - "password. (domain level 0)") - parser.add_argument("--hidden-replica", dest="hidden_replica", - action="store_true", - help="Install a hidden replica") - parser.add_argument("--setup-adtrust", dest="setup_adtrust", - action="store_true", - help="configure AD trust capability") - parser.add_argument("--setup-ca", dest="setup_ca", - action="store_true", - help="configure a dogtag CA") - parser.add_argument("--setup-kra", dest="setup_kra", - action="store_true", - help="configure a dogtag KRA") - parser.add_argument("--setup-dns", dest="setup_dns", - action="store_true", - help="configure bind with our zone") - parser.add_argument("--no-pkinit", dest="no_pkinit", - action="store_true", - help="disables pkinit setup steps") - parser.add_argument("--no-ui-redirect", dest="no_ui_redirect", - action="store_true", - help="Do not automatically redirect to the Web UI") - parser.add_argument("--dirsrv-config-file", dest="dirsrv_config_file", - metavar="FILE", default=None, - help="The path to LDIF file that will be used to " - "modify configuration of dse.ldif during " - "installation of the directory server instance") - # ssl certificate - parser.add_argument("--dirsrv-cert-file", dest="dirsrv_cert_files", - metavar="FILE", default=None, action="append", - help="File containing the Directory Server SSL " - "certificate and private key") - parser.add_argument("--http-cert-file", dest="http_cert_files", - metavar="FILE", default=None, action="append", - help="File containing the Apache Server SSL " - "certificate and private key") - parser.add_argument("--pkinit-cert-file", dest="pkinit_cert_files", - metavar="FILE", default=None, action="append", - help="File containing the Kerberos KDC SSL " - "certificate and Private key") - parser.add_argument("--dirsrv-pin", dest="dirsrv_pin", - metavar="PIN", default=None, - help="The password to unlock the Directory Server " - "private key") - parser.add_argument("--http-pin", dest="http_pin", - metavar="PIN", default=None, - help="The password to unlock the Apache Server " - "private key") - parser.add_argument("--pkinit-pin", dest="pkinit_pin", - metavar="PIN", default=None, - help="The password to unlock the Kerberos KDC " - "private key") - parser.add_argument("--dirsrv-cert-name", dest="dirsrv_cert_name", - metavar="NAME", default=None, - help="Name of the Directory Server SSL certificate " - "to install") - parser.add_argument("--http-cert-name", dest="http_cert_name", - metavar="NAME", default=None, - help="Name of the Apache Server SSL certificate to " - "install") - parser.add_argument("--pkinit-cert-name", dest="pkinit_cert_name", - metavar="NAME", default=None, - help="Name of the Kerberos KDC SSL certificate to " - "install") - # client - parser.add_argument("-k", "--keytab", dest="keytab", - default=None, - help="path to backed up keytab from previous " - "enrollment") - parser.add_argument("--mkhomedir", dest="mkhomedir", - action="store_true", - help="create home directories for users on their " - "first login") - parser.add_argument("--force-join", dest="force_join", - action="store_true", - help="Force client enrollment even if already " - "enrolled") - parser.add_argument("--ntp-server", dest="ntp_servers", - metavar="NTP_SERVER", - action='append', default=None, - help="ntp server to use. This option can be used " - "multiple times") - parser.add_argument("--ntp-pool", dest="ntp_pool", - default=None, - help="ntp server pool to use") - parser.add_argument("-N", "--no-ntp", dest="no_ntp", - action="store_true", - help="do not configure ntp") - parser.add_argument("--ssh-trust-dns", dest="ssh_trust_dns", - action="store_true", - help="configure OpenSSH client to trust DNS SSHFP " - "records") - parser.add_argument("--no-ssh", dest="no_ssh", - action="store_true", - help="do not configure OpenSSH client") - parser.add_argument("--no-sshd", dest="no_sshd", - action="store_true", - help="do not configure OpenSSH server") - parser.add_argument("--no-dns-sshfp", dest="no_dns_sshfp", - action="store_true", - help="do not automatically create DNS SSHFP records") - # certificate system - parser.add_argument("--skip-schema-check", dest="skip_schema_check", - action="store_true", - help="skip check for updated CA DS schema on the " - "remote master") - # dns - parser.add_argument("--allow-zone-overlap", dest="allow_zone_overlap", - action="store_true", - help="Create DNS zone even if it already exists") - parser.add_argument("--reverse-zone", dest="reverse_zones", - metavar="REVERSE_ZONE", action="append", default=None, - help="The reverse DNS zone to use. This option can " - "be used multiple times") - parser.add_argument("--no-reverse", dest="no_reverse", - action="store_true", - help="Do not create new reverse DNS zone") - parser.add_argument("--auto-reverse", dest="auto_reverse", - action="store_true", - help="Create necessary reverse zones") - parser.add_argument("--forwarder", dest="forwarders", - action="append", default=None, - help="Add a DNS forwarder. This option can be used " - "multiple times") - parser.add_argument("--no-forwarders", dest="no_forwarders", - action="store_true", - help="Do not add any DNS forwarders, use root " - "servers instead") - parser.add_argument("--auto-forwarders", dest="auto_forwarders", - action="store_true", - help="Use DNS forwarders configured in " - "/etc/resolv.conf") - parser.add_argument("-forward-policy-", dest="forward_policy", - choices=("only", "first"), default=None, - help="DNS forwarding policy for global forwarders") - parser.add_argument("--no-dnssec-validation", dest="no_dnssec_validation", - action="store_true", - help="Disable DNSSEC validation") - # ad trust - parser.add_argument("--add-sids", dest="add_sids", - action="store_true", - help="Add SIDs for existing users and groups as the " - "final step") - parser.add_argument("--add-agents", dest="add_agents", - action="store_true", - help="Add IPA masters to a list of hosts allowed to " - "serve information about users from trusted forests") - parser.add_argument("--enable-compat", dest="enable_compat", - action="store_true", - help="Enable support for trusted domains for old " - "clients") - parser.add_argument("--netbios-name", dest="netbios_name", - default=None, - help="NetBIOS name of the IPA domain") - parser.add_argument("--rid-base", dest="rid_base", - default=None, type=int, - help="Start value for mapping UIDs and GIDs to RIDs") - parser.add_argument("--secondary-rid-base", dest="secondary_rid_base", - default=None, type=int, - help="Start value of the secondary range for mapping " - "UIDs and GIDs to RIDs") - # logging and output - parser.add_argument("-v", "--verbose", dest="verbose", - action="store_true", - help="print debugging information") - parser.add_argument("-d", "--debug", dest="verbose", - action="store_true", - help="alias for --verbose (deprecated)") - parser.add_argument("-q", "--quiet", dest="quiet", - action="store_true", - help="output only errors") - parser.add_argument("--log-file", dest="log_file", - help="log to the given file") - # ansible - parser.add_argument("--ipareplica-install-packages", - dest="ipareplica_install_packages", - choices=("yes", "no"), default=None, - help="The bool value defines if the needed packages " - "are installed on the node. Default: yes") - parser.add_argument("--ipareplica-setup-firewalld", - dest="ipareplica_setup_firewalld", - choices=("yes", "no"), default=None, - help="The value defines if the needed services will " - "automatically be openen in the firewall managed by " - "firewalld. Default: yes") - # playbook - parser.add_argument("--playbook-dir", - dest="playbook_dir", - default=None, - help="If defined will be used as to create inventory " - "file and playbook in. The files will not be removed " - "after the playbook processing ended.") - parser.add_argument("--become-method", - dest="become_method", - default="sudo", - help="privilege escalation method to use " - "(default=sudo), use `ansible-doc -t become -l` to " - "list valid choices.") - parser.add_argument("--ansible-verbose", - dest="ansible_verbose", - type=int, default=None, - help="privilege escalation method to use " - "(default=sudo), use `ansible-doc -t become -l` to " - "list valid choices.") - - options, args = parser.parse_known_args() - - if options.playbook_dir and not os.path.isdir(options.playbook_dir): - parser.error("playbook dir does not exist") - - if options.log_file: - parser.error("log_file is not supported") - - if len(args) < 1: - parser.error("ansible host not set") - elif len(args) > 1: - parser.error("too many arguments: %s" % ",".join(args)) - - return options, args - - -def run_cmd(args): - """ - Execute an external command. - """ - p_out = subprocess.PIPE - p_err = subprocess.STDOUT - try: - p = subprocess.Popen(args, stdout=p_out, stderr=p_err, - close_fds=True, bufsize=1, - universal_newlines=True) - while True: - line = p.stdout.readline() - if p.poll() is not None and line == "": - break - sys.stdout.write(line) - except KeyboardInterrupt: - p.wait() - raise - else: - p.wait() - return p.returncode - - -def main(options, args): - if options.playbook_dir: - playbook_dir = options.playbook_dir - else: - temp_dir = tempfile.mkdtemp(prefix='ansible-ipa-replica') - playbook_dir = temp_dir - - inventory = os.path.join(playbook_dir, "ipareplica-inventory") - playbook = os.path.join(playbook_dir, "ipareplica-playbook.yml") - - with open(inventory, 'w') as f: - if options.servers: - f.write("[ipaservers]\n") - for server in options.servers: - f.write("%s\n" % server) - f.write("\n") - f.write("[ipareplicas]\n") - f.write("%s\n" % args[0]) - f.write("\n") - f.write("[ipareplicas:vars]\n") - # basic - if options.admin_password: - f.write("ipaadmin_password=%s\n" % options.admin_password) - if options.ip_addresses: - f.write("ipareplica_ip_addresses=%s\n" % - ",".join(options.ip_addresses)) - if options.domain: - f.write("ipareplica_domain=%s\n" % options.domain) - # --servers are handled above - if options.realm: - f.write("ipareplica_realm=%s\n" % options.realm) - if options.hostname: - f.write("ipareplica_hostname=%s\n" % options.hostname) - if options.principal: - f.write("ipaadmin_principal=%s\n" % options.principal) - if options.pki_config_override: - f.write("ipareplica_pki_config_override=yes\n") - if options.no_host_dns: - f.write("ipareplica_no_host_dns=yes\n") - if options.skip_conncheck: - f.write("ipareplica_skip_conncheck=yes\n") - # server - if options.dm_password: - f.write("ipadm_password=%s\n" % options.dm_password) - if options.hidden_replica: - f.write("ipareplica_hidden_replica=yes\n") - if options.setup_adtrust: - f.write("ipareplica_setup_adtrust=yes\n") - if options.setup_ca: - f.write("ipareplica_setup_ca=yes\n") - if options.setup_kra: - f.write("ipareplica_setup_kra=yes\n") - if options.setup_dns: - f.write("ipareplica_setup_dns=yes\n") - if options.no_pkinit: - f.write("ipareplica_no_pkinit=yes\n") - if options.no_ui_redirect: - f.write("ipareplica_no_ui_redirect=yes\n") - # ssl certificate - if options.dirsrv_cert_files: - f.write("ipareplica_dirsrv_cert_files=%s\n" % - ",".join(options.dirsrv_cert_files)) - if options.http_cert_files: - f.write("ipareplica_http_cert_files=%s\n" % - ",".join(options.http_cert_files)) - if options.pkinit_cert_files: - f.write("ipareplica_pkinit_cert_files=%s\n" % - ",".join(options.pkinit_cert_files)) - if options.dirsrv_pin: - f.write("ipareplica_dirsrv_pin=%s\n" % options.dirsrv_pin) - if options.http_pin: - f.write("ipareplica_http_pin=%s\n" % options.http_pin) - if options.pkinit_pin: - f.write("ipareplica_pkinit_pin=%s\n" % options.pkinit_pin) - if options.dirsrv_cert_name: - f.write("ipareplica_dirsrv_cert_name=%s\n" % - options.dirsrv_cert_name) - if options.http_cert_name: - f.write("ipareplica_http_cert_name=%s\n" % options.http_cert_name) - if options.pkinit_cert_name: - f.write("ipareplica_pkinit_cert_name=%s\n" % - options.pkinit_cert_name) - # client - if options.keytab: - f.write("ipaclient_keytab=%s\n" % options.keytab) - if options.mkhomedir: - f.write("ipaclient_mkhomedir=yes\n") - if options.force_join: - f.write("ipaclient_force_join=yes\n") - if options.ntp_servers: - f.write("ipaclient_ntp_server=%s\n" % - ",".join(options.ntp_replicas)) - if options.ntp_pool: - f.write("ipaclient_ntp_pool=%s\n" % options.ntp_pool) - if options.no_ntp: - f.write("ipaclient_no_ntp=yes\n") - if options.ssh_trust_dns: - f.write("ipaclient_ssh_trust_dns=yes\n") - if options.no_ssh: - f.write("ipaclient_no_ssh=yes\n") - if options.no_sshd: - f.write("ipaclient_no_sshd=yes\n") - if options.no_dns_sshfp: - f.write("ipaclient_no_dns_sshfp=yes\n") - # certificate system - if options.skip_schema_check: - f.write("ipareplica_skip_schema_check=yes\n") - # dns - if options.allow_zone_overlap: - f.write("ipareplica_allow_zone_overlap=yes\n") - if options.reverse_zones: - f.write("ipareplica_reverse_zones=%s\n" % - ",".join(options.reverse_zones)) - if options.no_reverse: - f.write("ipareplica_no_reverse=yes\n") - if options.auto_reverse: - f.write("ipareplica_auto_reverse=yes\n") - if options.forwarders: - f.write("ipareplica_forwarders=%s\n" % - ",".join(options.forwarders)) - if options.no_forwarders: - f.write("ipareplica_no_forwarders=yes\n") - if options.auto_forwarders: - f.write("ipareplica_auto_forwarders=yes\n") - if options.forward_policy: - f.write("ipareplica_forward_policy=%s\n" % options.forward_policy) - if options.no_dnssec_validation: - f.write("ipareplica_no_dnssec_validation=yes\n") - # ad trust - if options.add_sids: - f.write("ipareplica_add_sids=yes\n") - if options.add_agents: - f.write("ipareplica_add_agents=yes\n") - if options.enable_compat: - f.write("ipareplica_enable_compat=yes\n") - if options.netbios_name: - f.write("ipareplica_netbios_name=%s\n" % options.netbios_name) - if options.rid_base: - f.write("ipareplica_rid_base=%s\n" % options.rid_base) - if options.secondary_rid_base: - f.write("ipareplica_secondary_rid_base=%s\n" % - options.secondary_rid_base) - # ansible - if options.ipareplica_install_packages: - f.write("ipareplica_install_packages=%s\n" % - options.ipareplica_install_packages) - if options.ipareplica_setup_firewalld: - f.write("ipareplica_setup_firewalld=%s\n" % - options.ipareplica_setup_firewalld) - - # uninstall done with ipaserver role - state = "present" - - with open(playbook, 'w') as f: - f.write("---\n") - f.write("- name: Playbook to configure IPA replicas\n") - f.write(" hosts: ipareplicas\n") - f.write(" become: true\n") - if options.become_method: - f.write(" become_method: %s\n" % options.become_method) - f.write("\n") - f.write(" roles:\n") - f.write(" - role: ipareplica\n") - f.write(" state: %s\n" % state) - - cmd = [ 'ansible-playbook' ] - if options.ansible_verbose: - cmd.append("-"+"v"*options.ansible_verbose) - cmd.extend(['-i', inventory, playbook]) - try: - returncode = run_cmd(cmd) - if returncode != 0: - raise RuntimeError() - finally: - if not options.playbook_dir: - shutil.rmtree(temp_dir, ignore_errors=True) - - -options, args = parse_options() -try: - main(options, args) -except KeyboardInterrupt: - sys.exit(1) -except SystemExit as e: - sys.exit(e) -except RuntimeError as e: - sys.exit(e) -except Exception as e: - if options.verbose: - traceback.print_exc(file=sys.stdout) - else: - print("Re-run %s with --verbose option to get more information" % - sys.argv[0]) - - print("Unexpected error: %s" % str(e)) - sys.exit(1) diff --git a/utils/ansible-ipa-server-install b/utils/ansible-ipa-server-install deleted file mode 100755 index 62e7595197..0000000000 --- a/utils/ansible-ipa-server-install +++ /dev/null @@ -1,588 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- - -# Authors: -# Thomas Woerner -# -# Copyright (C) 2019 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import sys -import shutil -import tempfile -import argparse -import traceback -import subprocess - - -def parse_options(): - usage = "Usage: anisble-ipa-server-install [options] " - - parser = argparse.ArgumentParser(usage=usage) - parser.add_argument("--version", dest="version", - action="store_true", - help="show program's version number and exit") - parser.add_argument("-U", "--unattended", dest="unattended", - action="store_true", - help="unattended (un)installation never prompts the " - "user") - parser.add_argument("--uninstall", dest="uninstall", - action="store_true", - help="uninstall an existing installation. The " - "uninstall can be run with --unattended option") - # basic - parser.add_argument("-p", "--ds-password", dest="dm_password", - default=None, - help="Directory Manager password") - parser.add_argument("-a", "--admin-password", dest="admin_password", - default=None, - help="admin user kerberos password") - parser.add_argument("--ip-address", dest="ip_addresses", - metavar="IP_ADDRESS", - action='append', default=None, - help="Master Server IP Address. This option can be " - "used multiple times") - parser.add_argument("-n", "--domain", dest="domain", - metavar="DOMAIN_NAME", default=None, - help="primary DNS domain of the IPA deployment (not " - "necessarily related to the current hostname)") - parser.add_argument("-r", "--realm", dest="realm", - metavar="REALM_NAME", default=None, - help="Kerberos realm name of the IPA deployment " - "(typically un upper-cased name of the primary DNS " - "domain)") - parser.add_argument("--hostname", dest="hostname", - metavar="HOST_NAME", default=None, - help="fully qualified name of this host") - parser.add_argument("--ca-cert-file", dest="ca_cert_file", - metavar="FILE", default=None, - help="File containing CA certificates for the " - "service certificate files") - parser.add_argument("--pki-config-override", dest="pki_config_override", - default=None, - help="Path to ini file with config overrides.") - parser.add_argument("--no-host-dns", dest="no_host_dns", - action="store_true", - help="Do not use DNS for hostname lookup during " - "installation") - # server - parser.add_argument("--setup-adtrust", dest="setup_adtrust", - action="store_true", - help="configure AD trust capability") - parser.add_argument("--setup-kra", dest="setup_kra", - action="store_true", - help="configure a dogtag KRA") - parser.add_argument("--setup-dns", dest="setup_dns", - action="store_true", - help="configure bind with our zone") - parser.add_argument("--idstart", dest="idstart", - type=int, default=None, - help="The starting value for the IDs range (default " - "random)") - parser.add_argument("--idmax", dest="idmax", - default=None, type=int, - help="The max value for the IDs range (default: " - "idstart+199999)") - parser.add_argument("--no-hbac-allow", dest="no_hbac_allow", - action="store_true", - help="Don't install allow_all HBAC rule") - parser.add_argument("--no-pkinit", dest="no_pkinit", - action="store_true", - help="disables pkinit setup steps") - parser.add_argument("--no-ui-redirect", dest="no_ui_redirect", - action="store_true", - help="Do not automatically redirect to the Web UI") - parser.add_argument("--dirsrv-config-file", dest="dirsrv_config_file", - metavar="FILE", default=None, - help="The path to LDIF file that will be used to " - "modify configuration of dse.ldif during " - "installation of the directory server instance") - # ssl certificate - parser.add_argument("--dirsrv-cert-file", dest="dirsrv_cert_files", - metavar="FILE", default=None, action="append", - help="File containing the Directory Server SSL " - "certificate and private key") - parser.add_argument("--http-cert-file", dest="http_cert_files", - metavar="FILE", default=None, action="append", - help="File containing the Apache Server SSL " - "certificate and private key") - parser.add_argument("--pkinit-cert-file", dest="pkinit_cert_files", - metavar="FILE", default=None, action="append", - help="File containing the Kerberos KDC SSL " - "certificate and Private key") - parser.add_argument("--dirsrv-pin", dest="dirsrv_pin", - metavar="PIN", default=None, - help="The password to unlock the Directory Server " - "private key") - parser.add_argument("--http-pin", dest="http_pin", - metavar="PIN", default=None, - help="The password to unlock the Apache Server " - "private key") - parser.add_argument("--pkinit-pin", dest="pkinit_pin", - metavar="PIN", default=None, - help="The password to unlock the Kerberos KDC " - "private key") - parser.add_argument("--dirsrv-cert-name", dest="dirsrv_cert_name", - metavar="NAME", default=None, - help="Name of the Directory Server SSL certificate " - "to install") - parser.add_argument("--http-cert-name", dest="http_cert_name", - metavar="NAME", default=None, - help="Name of the Apache Server SSL certificate to " - "install") - parser.add_argument("--pkinit-cert-name", dest="pkinit_cert_name", - metavar="NAME", default=None, - help="Name of the Kerberos KDC SSL certificate to " - "install") - # client - parser.add_argument("--mkhomedir", dest="mkhomedir", - action="store_true", - help="create home directories for users on their " - "first login") - parser.add_argument("--ntp-server", dest="ntp_servers", - metavar="NTP_SERVER", - action='append', default=None, - help="ntp server to use. This option can be used " - "multiple times") - parser.add_argument("--ntp-pool", dest="ntp_pool", - default=None, - help="ntp server pool to use") - parser.add_argument("-N", "--no-ntp", dest="no_ntp", - action="store_true", - help="do not configure ntp") - parser.add_argument("--ssh-trust-dns", dest="ssh_trust_dns", - action="store_true", - help="configure OpenSSH client to trust DNS SSHFP " - "records") - parser.add_argument("--no-ssh", dest="no_ssh", - action="store_true", - help="do not configure OpenSSH client") - parser.add_argument("--no-sshd", dest="no_sshd", - action="store_true", - help="do not configure OpenSSH server") - parser.add_argument("--no-dns-sshfp", dest="no_dns_sshfp", - action="store_true", - help="do not automatically create DNS SSHFP records") - # certificate system - parser.add_argument("--external-ca", dest="external_ca", - action="store_true", - help="Generate a CSR for the IPA CA certificate to " - "be signed by an external CA") - parser.add_argument("--external-ca-type", dest="external_ca_type", - choices=("generic", "ms-cs"), default=None, - help="Type of the external CA") - parser.add_argument("--external-ca-profile", dest="external_ca_profile", - default=None, - help="Specify the certificate profile/template to " - "use at the external CA") - parser.add_argument("--external-cert-file", dest="external_cert_files", - metavar="FILE", default=None, action="append", - help="File containing the IPA CA certificate and the " - "external CA certificate chain") - parser.add_argument("--subject-base", dest="subject_base", - default=None, - help="The certificate subject base (default " - "O=). RDNs are in LDAP order (most " - "specific RDN first).") - parser.add_argument("--ca-subject", dest="ca_subject", - default=None, - help="The CA certificate subject DN (default " - "CN=Certificate Authority,O=). RDNs are " - "in LDAP order (most specific RDN first).") - parser.add_argument("--ca-signing-algorithm", dest="ca_signing_algorithm", - choices=("SHA1withRSA", "SHA256withRSA", - "SHA512withRSA"), - default=None, - help="Signing algorithm of the IPA CA certificate") - # dns - parser.add_argument("--allow-zone-overlap", dest="allow_zone_overlap", - action="store_true", - help="Create DNS zone even if it already exists") - parser.add_argument("--reverse-zone", dest="reverse_zones", - metavar="REVERSE_ZONE", action="append", default=None, - help="The reverse DNS zone to use. This option can " - "be used multiple times") - parser.add_argument("--no-reverse", dest="no_reverse", - action="store_true", - help="Do not create new reverse DNS zone") - parser.add_argument("--auto-reverse", dest="auto_reverse", - action="store_true", - help="Create necessary reverse zones") - parser.add_argument("--zonemgr", dest="zonemgr", - default=None, - help="DNS zone manager e-mail address. Defaults to " - "hostmaster@DOMAIN") - parser.add_argument("--forwarder", dest="forwarders", - action="append", default=None, - help="Add a DNS forwarder. This option can be used " - "multiple times") - parser.add_argument("--no-forwarders", dest="no_forwarders", - action="store_true", - help="Do not add any DNS forwarders, use root " - "servers instead") - parser.add_argument("--auto-forwarders", dest="auto_forwarders", - action="store_true", - help="Use DNS forwarders configured in " - "/etc/resolv.conf") - parser.add_argument("-forward-policy-", dest="forward_policy", - choices=("only", "first"), default=None, - help="DNS forwarding policy for global forwarders") - parser.add_argument("--no-dnssec-validation", dest="no_dnssec_validation", - action="store_true", - help="Disable DNSSEC validation") - # ad trust - parser.add_argument("--enable-compat", dest="enable_compat", - action="store_true", - help="Enable support for trusted domains for old " - "clients") - parser.add_argument("--netbios-name", dest="netbios_name", - default=None, - help="NetBIOS name of the IPA domain") - parser.add_argument("--rid-base", dest="rid_base", - default=None, type=int, - help="Start value for mapping UIDs and GIDs to RIDs") - parser.add_argument("--secondary-rid-base", dest="secondary_rid_base", - default=None, type=int, - help="Start value of the secondary range for mapping " - "UIDs and GIDs to RIDs") - # deprecated - parser.add_argument("--domain-level", type=int, - help="IPA domain level (deprecated)") - # uninstall - parser.add_argument("--ignore-topology-disconnect", - dest="ignore_topology_disconnect", - action="store_true", - help="do not check whether server uninstall " - "disconnects the topology (domain level 1+)") - parser.add_argument("--ignore-last-of-role", dest="ignore_last_of_role", - action="store_true", - help="do not check whether server uninstall removes " - "last CA/DNS server or DNSSec master (domain level " - "1+)") - # logging and output - parser.add_argument("-v", "--verbose", dest="verbose", - action="store_true", - help="print debugging information") - parser.add_argument("-d", "--debug", dest="verbose", - action="store_true", - help="alias for --verbose (deprecated)") - parser.add_argument("-q", "--quiet", dest="quiet", - action="store_true", - help="output only errors") - parser.add_argument("--log-file", dest="log_file", - help="log to the given file") - - # ansible - parser.add_argument("--ipaserver-install-packages", - dest="ipaserver_install_packages", - choices=("yes", "no"), default=None, - help="The bool value defines if the needed packages " - "are installed on the node. Default: yes") - parser.add_argument("--ipaserver-setup-firewalld", - dest="ipaserver_setup_firewalld", - choices=("yes", "no"), default=None, - help="The value defines if the needed services will " - "automatically be openen in the firewall managed by " - "firewalld. Default: yes") - parser.add_argument("--ipaserver-external-cert-files-from-controller", - dest="ipaserver_external_cert_files_from_controller", - default=None, action="append", - help="Files containing the IPA CA certificates and " - "the external CA certificate chains on the " - "controller that will be copied to the ipaserver " - "host to /root folder.") - parser.add_argument("--ipaserver-copy-csr-to-controller", - dest="ipaserver_copy_csr_to_controller", - choices=("yes", "no"), default=None, - help="Copy the generated CSR from the ipaserver to " - "the controller as -ipa.csr.") - # playbook - parser.add_argument("--playbook-dir", - dest="playbook_dir", - default=None, - help="If defined will be used as to create inventory " - "file and playbook in. The files will not be removed " - "after the playbook processing ended.") - parser.add_argument("--become-method", - dest="become_method", - default="sudo", - help="privilege escalation method to use " - "(default=sudo), use `ansible-doc -t become -l` to " - "list valid choices.") - parser.add_argument("--ansible-verbose", - dest="ansible_verbose", - type=int, default=None, - help="privilege escalation method to use " - "(default=sudo), use `ansible-doc -t become -l` to " - "list valid choices.") - - options, args = parser.parse_known_args() - - if options.playbook_dir and not os.path.isdir(options.playbook_dir): - parser.error("playbook dir does not exist") - - if options.log_file: - parser.error("log_file is not supported") - - if len(args) < 1: - parser.error("ansible host not set") - elif len(args) > 1: - parser.error("too many arguments: %s" % ",".join(args)) - - return options, args - - -def run_cmd(args): - """ - Execute an external command. - """ - p_out = subprocess.PIPE - p_err = subprocess.STDOUT - try: - p = subprocess.Popen(args, stdout=p_out, stderr=p_err, - close_fds=True, bufsize=1, - universal_newlines=True) - while True: - line = p.stdout.readline() - if p.poll() is not None and line == "": - break - sys.stdout.write(line) - except KeyboardInterrupt: - p.wait() - raise - else: - p.wait() - return p.returncode - - -def main(options, args): - if options.playbook_dir: - playbook_dir = options.playbook_dir - else: - temp_dir = tempfile.mkdtemp(prefix='ansible-ipa-server') - playbook_dir = temp_dir - - inventory = os.path.join(playbook_dir, "ipaserver-inventory") - playbook = os.path.join(playbook_dir, "ipaserver-playbook.yml") - - with open(inventory, 'w') as f: - f.write("[ipaserver]\n") - f.write("%s\n" % args[0]) - f.write("\n") - f.write("[ipaserver:vars]\n") - # basic - if options.dm_password: - f.write("ipadm_password=%s\n" % options.dm_password) - if options.admin_password: - f.write("ipaadmin_password=%s\n" % options.admin_password) - if options.ip_addresses: - f.write("ipaserver_ip_addresses=%s\n" % - ",".join(options.ip_addresses)) - if options.domain: - f.write("ipaserver_domain=%s\n" % options.domain) - if options.realm: - f.write("ipaserver_realm=%s\n" % options.realm) - if options.hostname: - f.write("ipaserver_hostname=%s\n" % options.hostname) - if options.ca_cert_file: - f.write("ipaserver_ca_cert_files=%s\n" % options.ca_cert_file) - if options.pki_config_override: - f.write("ipaserver_pki_config_override=yes\n") - if options.no_host_dns: - f.write("ipaserver_no_host_dns=yes\n") - # server - if options.setup_adtrust: - f.write("ipaserver_setup_adtrust=yes\n") - if options.setup_kra: - f.write("ipaserver_setup_kra=yes\n") - if options.setup_dns: - f.write("ipaserver_setup_dns=yes\n") - if options.idstart: - f.write("ipaserver_idstart=%s\n" % options.idstart) - if options.idmax: - f.write("ipaserver_idmax=%s\n" % options.idmax) - if options.no_hbac_allow: - f.write("ipaserver_no_hbac_allow=yes\n") - if options.no_pkinit: - f.write("ipaserver_no_pkinit=yes\n") - if options.no_ui_redirect: - f.write("ipaserver_no_ui_redirect=yes\n") - if options.dirsrv_config_file: - f.write("ipaserver_dirsrv_config_file=%s\n" % - options.dirsrv_config_file) - # ssl certificate - if options.dirsrv_cert_files: - f.write("ipaserver_dirsrv_cert_files=%s\n" % - ",".join(options.dirsrv_cert_files)) - if options.http_cert_files: - f.write("ipaserver_http_cert_files=%s\n" % - ",".join(options.http_cert_files)) - if options.pkinit_cert_files: - f.write("ipaserver_pkinit_cert_files=%s\n" % - ",".join(options.pkinit_cert_files)) - if options.dirsrv_pin: - f.write("ipaserver_dirsrv_pin=%s\n" % options.dirsrv_pin) - if options.http_pin: - f.write("ipaserver_http_pin=%s\n" % options.http_pin) - if options.pkinit_pin: - f.write("ipaserver_pkinit_pin=%s\n" % options.pkinit_pin) - if options.dirsrv_cert_name: - f.write("ipaserver_dirsrv_cert_name=%s\n" % - options.dirsrv_cert_name) - if options.http_cert_name: - f.write("ipaserver_http_cert_name=%s\n" % options.http_cert_name) - if options.pkinit_cert_name: - f.write("ipaserver_pkinit_cert_name=%s\n" % - options.pkinit_cert_name) - # client - if options.mkhomedir: - f.write("ipaclient_mkhomedir=yes\n") - if options.ntp_servers: - f.write("ipaclient_ntp_servers=%s\n" % - ",".join(options.ntp_servers)) - if options.ntp_pool: - f.write("ipaclient_ntp_pool=%s\n" % options.ntp_pool) - if options.no_ntp: - f.write("ipaclient_no_ntp=yes\n") - if options.ssh_trust_dns: - f.write("ipaclient_ssh_trust_dns=yes\n") - if options.no_ssh: - f.write("ipaclient_no_ssh=yes\n") - if options.no_sshd: - f.write("ipaclient_no_sshd=yes\n") - if options.no_dns_sshfp: - f.write("ipaclient_no_dns_sshfp=yes\n") - # certificate system - if options.external_ca: - f.write("ipaserver_external_ca=yes\n") - if options.external_ca_type: - f.write("ipaserver_external_ca_type=%s\n" % - options.external_ca_type) - if options.external_ca_profile: - f.write("ipaserver_external_ca_profile=%s\n" % - options.external_ca_profile) - if options.external_cert_files: - f.write("ipaserver_external_cert_files=%s\n" % - ",".join(options.external_cert_files)) - if options.subject_base: - f.write("ipaserver_subject_base=%s\n" % options.subject_base) - if options.ca_subject: - f.write("ipaserver_ca_subject=%s\n" % options.ca_subject) - if options.ca_signing_algorithm: - f.write("ipaserver_ca_signing_algorithm=%s\n" % - options.ca_signing_algorithm) - # dns - if options.allow_zone_overlap: - f.write("ipaserver_allow_zone_overlap=yes\n") - if options.reverse_zones: - f.write("ipaserver_reverse_zones=%s\n" % - ",".join(options.reverse_zones)) - if options.no_reverse: - f.write("ipaserver_no_reverse=yes\n") - if options.auto_reverse: - f.write("ipaserver_auto_reverse=yes\n") - if options.zonemgr: - f.write("ipaserver_zonemgr=%s\n" % options.zonemgr) - if options.forwarders: - f.write("ipaserver_forwarders=%s\n" % - ",".join(options.forwarders)) - if options.no_forwarders: - f.write("ipaserver_no_forwarders=yes\n") - if options.auto_forwarders: - f.write("ipaserver_auto_forwarders=yes\n") - if options.forward_policy: - f.write("ipaserver_forward_policy=%s\n" % options.forward_policy) - if options.no_dnssec_validation: - f.write("ipaserver_no_dnssec_validation=yes\n") - # ad trust - if options.enable_compat: - f.write("ipaserver_enable_compat=yes\n") - if options.netbios_name: - f.write("ipaserver_netbios_name=%s\n" % options.netbios_name) - if options.rid_base: - f.write("ipaserver_rid_base=%s\n" % options.rid_base) - if options.secondary_rid_base: - f.write("ipaserver_secondary_rid_base=%s\n" % - options.secondary_rid_base) - # uninstall - if options.ignore_topology_disconnect: - f.write("ipaserver_ignore_topology_disconnect=yes\n") - if options.ignore_last_of_role: - f.write("ipaserver_ignore_last_of_role=yes\n") - # ansible - if options.ipaserver_install_packages: - f.write("ipaserver_install_packages=%s\n" % - options.ipaserver_install_packages) - if options.ipaserver_setup_firewalld: - f.write("ipaserver_setup_firewalld=%s\n" % - options.ipaserver_setup_firewalld) - if options.ipaserver_external_cert_files_from_controller: - f.write("ipaserver_external_cert_files_from_controller=%s\n" % - ",".join( - options.ipaserver_external_cert_files_from_controller)) - if options.ipaserver_copy_csr_to_controller: - f.write("ipaserver_copy_csr_to_controller=%s\n" % - options.ipaserver_copy_csr_to_controller) - - if options.uninstall: - state = "absent" - else: - state = "present" - - with open(playbook, 'w') as f: - f.write("---\n") - f.write("- name: Playbook to configure IPA server\n") - f.write(" hosts: ipaserver\n") - f.write(" become: true\n") - if options.become_method: - f.write(" become_method: %s\n" % options.become_method) - f.write("\n") - f.write(" roles:\n") - f.write(" - role: ipaserver\n") - f.write(" state: %s\n" % state) - - cmd = [ 'ansible-playbook' ] - if options.ansible_verbose: - cmd.append("-"+"v"*options.ansible_verbose) - cmd.extend(['-i', inventory, playbook]) - try: - returncode = run_cmd(cmd) - if returncode != 0: - raise RuntimeError() - finally: - if not options.playbook_dir: - shutil.rmtree(temp_dir, ignore_errors=True) - - -options, args = parse_options() -try: - main(options, args) -except KeyboardInterrupt: - sys.exit(1) -except SystemExit as e: - sys.exit(e) -except RuntimeError as e: - sys.exit(e) -except Exception as e: - if options.verbose: - traceback.print_exc(file=sys.stdout) - else: - print("Re-run %s with --verbose option to get more information" % - sys.argv[0]) - - print("Unexpected error: %s" % str(e)) - sys.exit(1)