#!/usr/libexec/platform-python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Copyright (C) 2019 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import sys
import shutil
import tempfile
import argparse
import traceback
import subprocess
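def _add_basic_options(parser):
    """Deployment identity options mirrored from ipa-replica-install."""
    parser.add_argument("-w", "--admin-password", dest="admin_password",
                        default=None,
                        help="Kerberos password for the specified admin "
                        "principal")
    parser.add_argument("--ip-address", dest="ip_addresses",
                        metavar="IP_ADDRESS",
                        action='append', default=None,
                        help="Replica server IP Address. This option can be "
                        "used multiple times")
    parser.add_argument("-n", "--domain", dest="domain",
                        metavar="DOMAIN_NAME", default=None,
                        help="primary DNS domain of the IPA deployment (not "
                        "necessarily related to the current hostname)")
    parser.add_argument("--server", dest="servers",
                        metavar="SERVER",
                        action='append', default=None,
                        help="fully qualified name of IPA server to enroll to")
    parser.add_argument("-r", "--realm", dest="realm",
                        metavar="REALM_NAME", default=None,
                        help="Kerberos realm name of the IPA deployment "
                        "(typically an upper-cased name of the primary DNS "
                        "domain)")
    parser.add_argument("--hostname", dest="hostname",
                        metavar="HOST_NAME", default=None,
                        help="fully qualified name of this host")
    parser.add_argument("-P", "--principal", dest="principal",
                        default=None,
                        help="User Principal allowed to promote replicas and "
                        "join IPA realm")
    parser.add_argument("--pki-config-override", dest="pki_config_override",
                        default=None,
                        help="Path to ini file with config overrides.")
    parser.add_argument("--no-host-dns", dest="no_host_dns",
                        action="store_true",
                        help="Do not use DNS for hostname lookup during "
                        "installation")
    parser.add_argument("--skip-conncheck", dest="skip_conncheck",
                        action="store_true",
                        help="skip connection check to remote master")


def _add_server_options(parser):
    """Server role options: DM password and which services to set up."""
    parser.add_argument("-p", "--password", dest="dm_password",
                        default=None,
                        help="Password to join the IPA realm. Assumes bulk "
                        "password unless principal is also set. (domain "
                        "level 1+) Directory Manager (existing master) "
                        "password. (domain level 0)")
    parser.add_argument("--hidden-replica", dest="hidden_replica",
                        action="store_true",
                        help="Install a hidden replica")
    parser.add_argument("--setup-adtrust", dest="setup_adtrust",
                        action="store_true",
                        help="configure AD trust capability")
    parser.add_argument("--setup-ca", dest="setup_ca",
                        action="store_true",
                        help="configure a dogtag CA")
    parser.add_argument("--setup-kra", dest="setup_kra",
                        action="store_true",
                        help="configure a dogtag KRA")
    parser.add_argument("--setup-dns", dest="setup_dns",
                        action="store_true",
                        help="configure bind with our zone")
    parser.add_argument("--no-pkinit", dest="no_pkinit",
                        action="store_true",
                        help="disables pkinit setup steps")
    parser.add_argument("--no-ui-redirect", dest="no_ui_redirect",
                        action="store_true",
                        help="Do not automatically redirect to the Web UI")
    parser.add_argument("--dirsrv-config-file", dest="dirsrv_config_file",
                        metavar="FILE", default=None,
                        help="The path to LDIF file that will be used to "
                        "modify configuration of dse.ldif during "
                        "installation of the directory server instance")


def _add_cert_options(parser):
    """SSL certificate options: externally provided certs, PINs and names."""
    parser.add_argument("--dirsrv-cert-file", dest="dirsrv_cert_files",
                        metavar="FILE", default=None, action="append",
                        help="File containing the Directory Server SSL "
                        "certificate and private key")
    parser.add_argument("--http-cert-file", dest="http_cert_files",
                        metavar="FILE", default=None, action="append",
                        help="File containing the Apache Server SSL "
                        "certificate and private key")
    parser.add_argument("--pkinit-cert-file", dest="pkinit_cert_files",
                        metavar="FILE", default=None, action="append",
                        help="File containing the Kerberos KDC SSL "
                        "certificate and Private key")
    parser.add_argument("--dirsrv-pin", dest="dirsrv_pin",
                        metavar="PIN", default=None,
                        help="The password to unlock the Directory Server "
                        "private key")
    parser.add_argument("--http-pin", dest="http_pin",
                        metavar="PIN", default=None,
                        help="The password to unlock the Apache Server "
                        "private key")
    parser.add_argument("--pkinit-pin", dest="pkinit_pin",
                        metavar="PIN", default=None,
                        help="The password to unlock the Kerberos KDC "
                        "private key")
    parser.add_argument("--dirsrv-cert-name", dest="dirsrv_cert_name",
                        metavar="NAME", default=None,
                        help="Name of the Directory Server SSL certificate "
                        "to install")
    parser.add_argument("--http-cert-name", dest="http_cert_name",
                        metavar="NAME", default=None,
                        help="Name of the Apache Server SSL certificate to "
                        "install")
    parser.add_argument("--pkinit-cert-name", dest="pkinit_cert_name",
                        metavar="NAME", default=None,
                        help="Name of the Kerberos KDC SSL certificate to "
                        "install")


def _add_client_options(parser):
    """Client enrollment options (keytab, NTP, OpenSSH)."""
    parser.add_argument("-k", "--keytab", dest="keytab",
                        default=None,
                        help="path to backed up keytab from previous "
                        "enrollment")
    parser.add_argument("--mkhomedir", dest="mkhomedir",
                        action="store_true",
                        help="create home directories for users on their "
                        "first login")
    parser.add_argument("--force-join", dest="force_join",
                        action="store_true",
                        help="Force client enrollment even if already "
                        "enrolled")
    parser.add_argument("--ntp-server", dest="ntp_servers",
                        metavar="NTP_SERVER",
                        action='append', default=None,
                        help="ntp server to use. This option can be used "
                        "multiple times")
    parser.add_argument("--ntp-pool", dest="ntp_pool",
                        default=None,
                        help="ntp server pool to use")
    parser.add_argument("-N", "--no-ntp", dest="no_ntp",
                        action="store_true",
                        help="do not configure ntp")
    parser.add_argument("--ssh-trust-dns", dest="ssh_trust_dns",
                        action="store_true",
                        help="configure OpenSSH client to trust DNS SSHFP "
                        "records")
    parser.add_argument("--no-ssh", dest="no_ssh",
                        action="store_true",
                        help="do not configure OpenSSH client")
    parser.add_argument("--no-sshd", dest="no_sshd",
                        action="store_true",
                        help="do not configure OpenSSH server")
    parser.add_argument("--no-dns-sshfp", dest="no_dns_sshfp",
                        action="store_true",
                        help="do not automatically create DNS SSHFP records")


def _add_dns_options(parser):
    """Certificate-system schema check and DNS zone/forwarder options."""
    # certificate system
    parser.add_argument("--skip-schema-check", dest="skip_schema_check",
                        action="store_true",
                        help="skip check for updated CA DS schema on the "
                        "remote master")
    # dns
    parser.add_argument("--allow-zone-overlap", dest="allow_zone_overlap",
                        action="store_true",
                        help="Create DNS zone even if it already exists")
    parser.add_argument("--reverse-zone", dest="reverse_zones",
                        metavar="REVERSE_ZONE", action="append", default=None,
                        help="The reverse DNS zone to use. This option can "
                        "be used multiple times")
    parser.add_argument("--no-reverse", dest="no_reverse",
                        action="store_true",
                        help="Do not create new reverse DNS zone")
    parser.add_argument("--auto-reverse", dest="auto_reverse",
                        action="store_true",
                        help="Create necessary reverse zones")
    parser.add_argument("--forwarder", dest="forwarders",
                        action="append", default=None,
                        help="Add a DNS forwarder. This option can be used "
                        "multiple times")
    parser.add_argument("--no-forwarders", dest="no_forwarders",
                        action="store_true",
                        help="Do not add any DNS forwarders, use root "
                        "servers instead")
    parser.add_argument("--auto-forwarders", dest="auto_forwarders",
                        action="store_true",
                        help="Use DNS forwarders configured in "
                        "/etc/resolv.conf")
    # The option string was "-forward-policy-" (single dash, trailing dash),
    # so the documented --forward-policy form was rejected by argparse.
    parser.add_argument("--forward-policy", dest="forward_policy",
                        choices=("only", "first"), default=None,
                        help="DNS forwarding policy for global forwarders")
    parser.add_argument("--no-dnssec-validation", dest="no_dnssec_validation",
                        action="store_true",
                        help="Disable DNSSEC validation")


def _add_adtrust_options(parser):
    """AD trust options (SIDs, agents, compat tree, NetBIOS, RID ranges)."""
    parser.add_argument("--add-sids", dest="add_sids",
                        action="store_true",
                        help="Add SIDs for existing users and groups as the "
                        "final step")
    parser.add_argument("--add-agents", dest="add_agents",
                        action="store_true",
                        help="Add IPA masters to a list of hosts allowed to "
                        "serve information about users from trusted forests")
    parser.add_argument("--enable-compat", dest="enable_compat",
                        action="store_true",
                        help="Enable support for trusted domains for old "
                        "clients")
    parser.add_argument("--netbios-name", dest="netbios_name",
                        default=None,
                        help="NetBIOS name of the IPA domain")
    parser.add_argument("--rid-base", dest="rid_base",
                        default=None, type=int,
                        help="Start value for mapping UIDs and GIDs to RIDs")
    parser.add_argument("--secondary-rid-base", dest="secondary_rid_base",
                        default=None, type=int,
                        help="Start value of the secondary range for mapping "
                        "UIDs and GIDs to RIDs")


def _add_logging_options(parser):
    """Logging and output options."""
    parser.add_argument("-v", "--verbose", dest="verbose",
                        action="store_true",
                        help="print debugging information")
    # -d shares dest="verbose" on purpose: it is a deprecated alias.
    parser.add_argument("-d", "--debug", dest="verbose",
                        action="store_true",
                        help="alias for --verbose (deprecated)")
    parser.add_argument("-q", "--quiet", dest="quiet",
                        action="store_true",
                        help="output only errors")
    # Accepted for command-line compatibility only; parse_options() rejects
    # it once parsing is done.
    parser.add_argument("--log-file", dest="log_file",
                        help="log to the given file")


def _add_ansible_options(parser):
    """Options that control the generated inventory, playbook and ansible."""
    # ansible
    parser.add_argument("--ipareplica-install-packages",
                        dest="ipareplica_install_packages",
                        choices=("yes", "no"), default=None,
                        help="The bool value defines if the needed packages "
                        "are installed on the node. Default: yes")
    parser.add_argument("--ipareplica-setup-firewalld",
                        dest="ipareplica_setup_firewalld",
                        choices=("yes", "no"), default=None,
                        help="The value defines if the needed services will "
                        "automatically be opened in the firewall managed by "
                        "firewalld. Default: yes")
    # playbook
    parser.add_argument("--playbook-dir",
                        dest="playbook_dir",
                        default=None,
                        help="If defined will be used as to create inventory "
                        "file and playbook in. The files will not be removed "
                        "after the playbook processing ended.")
    parser.add_argument("--become-method",
                        dest="become_method",
                        default="sudo",
                        help="privilege escalation method to use "
                        "(default=sudo), use `ansible-doc -t become -l` to "
                        "list valid choices.")
    # The help text was a copy of --become-method's; the value is the number
    # of v's passed to ansible-playbook (-v, -vv, ...).
    parser.add_argument("--ansible-verbose",
                        dest="ansible_verbose",
                        type=int, default=None,
                        help="verbosity level of ansible-playbook, given as "
                        "the number of v's to pass (1 for -v, 2 for -vv, ...)")


def _check_options(parser, options, args):
    """Reject option combinations this wrapper cannot act on.

    Every failure goes through ``parser.error`` so the user gets the usage
    line and exit status 2, as for any other argparse error.
    """
    if options.playbook_dir and not os.path.isdir(options.playbook_dir):
        parser.error("playbook dir does not exist")

    if options.log_file:
        parser.error("log_file is not supported")

    # parse_known_args() leaves every non-option word (and any unknown
    # option) in args; exactly one word, the ansible host, is expected.
    if len(args) < 1:
        parser.error("ansible host not set")
    elif len(args) > 1:
        parser.error("too many arguments: %s" % ",".join(args))


def parse_options():
    """Parse the command line of the ansible-ipa-replica-install wrapper.

    The option set mirrors ipa-replica-install, plus options that control
    the generated ansible inventory and playbook.  ``sys.argv`` is parsed
    with ``parse_known_args`` and the leftover words are validated to be
    exactly one ansible host.

    Returns:
        A ``(options, args)`` pair: the ``argparse.Namespace`` with all
        option values and a one-element list holding the ansible host.

    Raises:
        SystemExit: with status 2 (via ``parser.error``) when the playbook
            directory does not exist, ``--log-file`` is given, or the
            number of positional arguments is not exactly one.
    """
    usage = "Usage: ansible-ipa-replica-install [options] <ansible host>"

    parser = argparse.ArgumentParser(usage=usage)
    # Nothing in this script reads options.version afterwards; the flag is
    # only accepted so the command line matches ipa-replica-install.
    parser.add_argument("--version", dest="version",
                        action="store_true",
                        help="show program's version number and exit")
    parser.add_argument("-U", "--unattended", dest="unattended",
                        action="store_true",
                        help="unattended (un)installation never prompts the "
                        "user")
    _add_basic_options(parser)
    _add_server_options(parser)
    _add_cert_options(parser)
    _add_client_options(parser)
    _add_dns_options(parser)
    _add_adtrust_options(parser)
    _add_logging_options(parser)
    _add_ansible_options(parser)

    options, args = parser.parse_known_args()
    _check_options(parser, options, args)

    return options, args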
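def run_cmd(args):
    """Run an external command and stream its output to our stdout.

    stderr of the child is merged into its stdout so the caller sees one
    ordered stream.  The command is started without a shell, so ``args``
    elements are passed verbatim (no word splitting or quoting).

    Args:
        args: argv list of the command to execute.

    Returns:
        The exit status of the command.

    Raises:
        OSError: if the executable cannot be started.
        KeyboardInterrupt: re-raised after the child has been reaped, so
            an interrupted run does not leave a zombie behind.
    """
    # The context manager closes the pipe and waits for the child even on
    # an unexpected exception; the original readline/poll loop left the
    # pipe open and could spin forever if the child closed stdout early.
    with subprocess.Popen(args, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT,
                          close_fds=True, bufsize=1,
                          universal_newlines=True) as proc:
        try:
            # Iteration ends at EOF, i.e. once the child closed its stdout.
            for line in proc.stdout:
                sys.stdout.write(line)
        except KeyboardInterrupt:
            proc.wait()
            raise
        proc.wait()
    return proc.returncode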
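# (option attribute, inventory variable, kind) in [ipareplicas:vars] order.
# kind "flag": a store_true option written as "yes"; "list": an append
# option joined with commas; "value": a plain string or int written as-is.
_INVENTORY_VARS = (
    # basic
    ("admin_password", "ipaadmin_password", "value"),
    ("ip_addresses", "ipareplica_ip_addresses", "list"),
    ("domain", "ipareplica_domain", "value"),
    # --server is emitted as the [ipaservers] section, not as a variable
    ("realm", "ipareplica_realm", "value"),
    ("hostname", "ipareplica_hostname", "value"),
    ("principal", "ipaadmin_principal", "value"),
    # The option is documented as a path to an ini file, so the path is
    # forwarded; the literal "yes" written before carried no information.
    ("pki_config_override", "ipareplica_pki_config_override", "value"),
    ("no_host_dns", "ipareplica_no_host_dns", "flag"),
    ("skip_conncheck", "ipareplica_skip_conncheck", "flag"),
    # server
    ("dm_password", "ipadm_password", "value"),
    ("hidden_replica", "ipareplica_hidden_replica", "flag"),
    ("setup_adtrust", "ipareplica_setup_adtrust", "flag"),
    ("setup_ca", "ipareplica_setup_ca", "flag"),
    ("setup_kra", "ipareplica_setup_kra", "flag"),
    ("setup_dns", "ipareplica_setup_dns", "flag"),
    ("no_pkinit", "ipareplica_no_pkinit", "flag"),
    ("no_ui_redirect", "ipareplica_no_ui_redirect", "flag"),
    # ssl certificate
    ("dirsrv_cert_files", "ipareplica_dirsrv_cert_files", "list"),
    ("http_cert_files", "ipareplica_http_cert_files", "list"),
    ("pkinit_cert_files", "ipareplica_pkinit_cert_files", "list"),
    ("dirsrv_pin", "ipareplica_dirsrv_pin", "value"),
    ("http_pin", "ipareplica_http_pin", "value"),
    ("pkinit_pin", "ipareplica_pkinit_pin", "value"),
    ("dirsrv_cert_name", "ipareplica_dirsrv_cert_name", "value"),
    ("http_cert_name", "ipareplica_http_cert_name", "value"),
    ("pkinit_cert_name", "ipareplica_pkinit_cert_name", "value"),
    # client
    ("keytab", "ipaclient_keytab", "value"),
    ("mkhomedir", "ipaclient_mkhomedir", "flag"),
    ("force_join", "ipaclient_force_join", "flag"),
    # was joined from options.ntp_replicas, an attribute that does not
    # exist, so any --ntp-server use crashed with AttributeError
    ("ntp_servers", "ipaclient_ntp_server", "list"),
    ("ntp_pool", "ipaclient_ntp_pool", "value"),
    ("no_ntp", "ipaclient_no_ntp", "flag"),
    ("ssh_trust_dns", "ipaclient_ssh_trust_dns", "flag"),
    ("no_ssh", "ipaclient_no_ssh", "flag"),
    ("no_sshd", "ipaclient_no_sshd", "flag"),
    ("no_dns_sshfp", "ipaclient_no_dns_sshfp", "flag"),
    # certificate system
    ("skip_schema_check", "ipareplica_skip_schema_check", "flag"),
    # dns
    ("allow_zone_overlap", "ipareplica_allow_zone_overlap", "flag"),
    ("reverse_zones", "ipareplica_reverse_zones", "list"),
    ("no_reverse", "ipareplica_no_reverse", "flag"),
    ("auto_reverse", "ipareplica_auto_reverse", "flag"),
    ("forwarders", "ipareplica_forwarders", "list"),
    ("no_forwarders", "ipareplica_no_forwarders", "flag"),
    ("auto_forwarders", "ipareplica_auto_forwarders", "flag"),
    ("forward_policy", "ipareplica_forward_policy", "value"),
    ("no_dnssec_validation", "ipareplica_no_dnssec_validation", "flag"),
    # ad trust
    ("add_sids", "ipareplica_add_sids", "flag"),
    ("add_agents", "ipareplica_add_agents", "flag"),
    ("enable_compat", "ipareplica_enable_compat", "flag"),
    ("netbios_name", "ipareplica_netbios_name", "value"),
    ("rid_base", "ipareplica_rid_base", "value"),
    ("secondary_rid_base", "ipareplica_secondary_rid_base", "value"),
    # ansible
    ("ipareplica_install_packages", "ipareplica_install_packages", "value"),
    ("ipareplica_setup_firewalld", "ipareplica_setup_firewalld", "value"),
)


def _open_private(path):
    """Open *path* for writing so that only the owner can read it.

    The inventory carries the admin and Directory Manager passwords and the
    certificate PINs.  A plain ``open(path, "w")`` creates it with the
    umask default (typically 0644), which with ``--playbook-dir`` leaves
    those secrets readable by every local user after the run.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    # The mode of os.open only applies to a newly created file; also
    # tighten an inventory left over from an earlier run.
    os.fchmod(fd, 0o600)
    return os.fdopen(fd, "w")


def _write_inventory(f, options, host):
    """Write the INI inventory: servers, the replica host and its vars."""
    if options.servers:
        f.write("[ipaservers]\n")
        for server in options.servers:
            f.write("%s\n" % server)
        f.write("\n")
    f.write("[ipareplicas]\n")
    f.write("%s\n" % host)
    f.write("\n")
    f.write("[ipareplicas:vars]\n")
    for attr, var, kind in _INVENTORY_VARS:
        value = getattr(options, attr)
        # unset, false or empty options are left to the role's defaults
        if not value:
            continue
        if kind == "flag":
            value = "yes"
        elif kind == "list":
            value = ",".join(value)
        f.write("%s=%s\n" % (var, value))


def _write_playbook(f, options, state):
    """Write the one-play playbook that applies the ipareplica role."""
    # Two-space nesting is what YAML needs for the play's keys to belong
    # to the "- name:" item and for "state" to belong to the role entry.
    f.write("---\n")
    f.write("- name: Playbook to configure IPA replicas\n")
    f.write("  hosts: ipareplicas\n")
    f.write("  become: true\n")
    if options.become_method:
        f.write("  become_method: %s\n" % options.become_method)
    f.write("\n")
    f.write("  roles:\n")
    f.write("  - role: ipareplica\n")
    f.write("    state: %s\n" % state)


def main(options, args):
    """Generate inventory and playbook for one replica and run ansible.

    Args:
        options: the ``argparse.Namespace`` returned by ``parse_options``.
        args: one-element list holding the ansible host of the replica.

    Raises:
        RuntimeError: if ansible-playbook exits with a non-zero status.

    Without ``--playbook-dir`` the files are written to a private
    temporary directory that is removed again whatever happens; with it,
    the inventory (which contains the passwords given on the command
    line) stays behind with mode 0600.
    """
    temp_dir = None
    if options.playbook_dir:
        playbook_dir = options.playbook_dir
    else:
        # mkdtemp creates the directory with mode 0700
        temp_dir = tempfile.mkdtemp(prefix='ansible-ipa-replica')
        playbook_dir = temp_dir

    inventory = os.path.join(playbook_dir, "ipareplica-inventory")
    playbook = os.path.join(playbook_dir, "ipareplica-playbook.yml")

    # The file writes sit inside the try as well, so a failure while
    # generating them cannot leave a half-written inventory behind.
    try:
        with _open_private(inventory) as f:
            _write_inventory(f, options, args[0])

        # uninstall done with ipaserver role
        state = "present"

        with open(playbook, 'w') as f:
            _write_playbook(f, options, state)

        cmd = ['ansible-playbook']
        if options.ansible_verbose:
            cmd.append("-" + "v" * options.ansible_verbose)
        cmd.extend(['-i', inventory, playbook])

        returncode = run_cmd(cmd)
        if returncode != 0:
            # The top-level handler prints the message and exits 1; a bare
            # RuntimeError() gave the user an empty line.
            raise RuntimeError("ansible-playbook failed with exit status %d"
                               % returncode)
    finally:
        if temp_dir is not None:
            shutil.rmtree(temp_dir, ignore_errors=True)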
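if __name__ == "__main__":
    # Guarding the entry point keeps the module importable (e.g. by tests)
    # without parsing sys.argv or running ansible as a side effect.
    options, args = parse_options()
    try:
        main(options, args)
    except KeyboardInterrupt:
        sys.exit(1)
    except SystemExit:
        # Re-raise unchanged: sys.exit(e) with the exception object would
        # print the status to stderr and always exit with 1.
        raise
    except RuntimeError as e:
        # sys.exit with a non-int prints it to stderr and exits with 1
        sys.exit(e)
    except Exception as e:
        if options.verbose:
            traceback.print_exc(file=sys.stdout)
        else:
            print("Re-run %s with --verbose option to get more information" %
                  sys.argv[0])

        print("Unexpected error: %s" % str(e))
        sys.exit(1)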