diff --git a/SPECS/ansible-freeipa.spec b/SPECS/ansible-freeipa.spec new file mode 100644 index 0000000..0b748d4 --- /dev/null +++ b/SPECS/ansible-freeipa.spec 
@@ -0,0 +1,326 @@ +# Turn off automatic python byte compilation because these are Ansible +# roles and the files are transferred to the node and compiled there with +# the python verison used in the node +%define __brp_python_bytecompile %{nil} + +Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients +Name: ansible-freeipa +Version: 0.1.8 +Release: 3%{?dist} +URL: https://github.com/freeipa/ansible-freeipa +License: GPLv3+ +Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch1: ansible-freeipa-0.1.8-ipahost-Fix-choices-of-auth_ind-parameter-allow-to-reset-parameter_rhbz#1783992.patch +Patch2: ansible-freeipa-0.1.8-ipauser-Allow-reset-of-userauthtype-do-not-depend-on-first-last-for-mod_rhbz#1784474.patch +Patch3: ansible-freeipa-0.1.8-ipahost-Enhanced-failure-msg-for-member-params-used-without-member-action_rhbz#1783948.patch +Patch4: ansible-freeipa-0.1.8-Add-missing-attributes-to-ipasudorule_rhbz#1788168,1788035,1788024.patch +Patch5: ansible-freeipa-0.1.8-ipapwpolicy-Use-global_policy-if-name-is-not-set_rhbz#1797532.patch +Patch6: ansible-freeipa-0.1.8-ipahbacrule-Fix-handing-of-members-with-action-hbacrule_rhbz#1787996.patch +Patch7: ansible-freeipa-0.1.8-ansible_freeipa_module-Fix-comparison-of-bool-parameters-in-compare_args_ipa_rhbz#1784514.patch +Patch8: ansible-freeipa-ipahost-Add-support-for-several-IP-addresses-and-also-to-change-them_rhbz#1783979,1783976.patch +Patch9: ansible-freeipa-0.1.8-ipahost-Fail-on-action-member-for-new-hosts-fix-dnsrecord_add-reverse-flag_rhbz#1803026.patch +Patch10: ansible-freeipa-0.1.8-ipahost-Do-not-fail-on-missing-DNS-or-zone-when-no-IP-address-given_rhbz#1804838.patch +BuildArch: noarch + +#Requires: ansible + +%description +ansible-freeipa provides Ansible roles and playbooks to install and uninstall +FreeIPA servers, replicas and clients also modules for management. 
+ +Note: The ansible playbooks and roles require a configured ansible environment +where the ansible nodes are reachable and are properly set up to have an IP +address and a working package manager. + +Features + +- Server, replica and client deployment +- Cluster deployments: Server, replicas and clients in one playbook +- One-time-password (OTP) support for client installation +- Repair mode for clients +- Modules for group management +- Modules for hbacrule management +- Modules for hbacsvc management +- Modules for hbacsvcgroup management +- Modules for host management +- Modules for hostgroup management +- Modules for pwpolicy management +- Modules for sudocmd management +- Modules for sudocmdgroup management +- Modules for sudorule management +- Modules for topology management +- Modules for user management + +Supported FreeIPA Versions + +FreeIPA versions 4.6 and up are supported by all roles. + +The client role supports versions 4.4 and up, the server role is working with +versions 4.5 and up, the replica role is currently only working with versions +4.6 and up. + +Supported Distributions + +- RHEL/CentOS 7.4+ +- Fedora 26+ +- Ubuntu +- Debian 10+ (ipaclient only, no server or replica!) + +Requirements + + Controller + - Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection) + - /usr/bin/kinit is required on the controller if a one time password (OTP) + is used + - python3-gssapi is required on the controller if a one time password (OTP) + is used with keytab to install the client. + + Node + - Supported FreeIPA version (see above) + - Supported distribution (needed for package installation only, see above) + +Limitations + +External CA support is not supported or working. The currently needed two step +process is an issue for the processing in the role. The configuration of the +server is partly done already and needs to be continued after the CSR has been +handled. 
This is for example breaking the deployment of a server with replicas +or clients in one playbook. + +%prep +%setup -q +# Do not create backup files with patches +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +# Fix python modules and module utils: +# - Remove shebang +# - Remove execute flag +for i in roles/ipa*/library/*.py roles/ipa*/module_utils/*.py plugins/*/*.py; do + sed -i '/\/usr\/bin\/python*/d' $i + chmod a-x $i +done +# Add execute flag to py3test.py scripts +chmod a+x roles/ipa*/files/py3test.py + +%build + +%install +install -m 755 -d %{buildroot}%{_datadir}/ansible/roles/ +cp -rp roles/ipaserver %{buildroot}%{_datadir}/ansible/roles/ +cp -rp roles/ipaserver/README.md README-server.md +cp -rp roles/ipareplica %{buildroot}%{_datadir}/ansible/roles/ +cp -rp roles/ipareplica/README.md README-replica.md +cp -rp roles/ipaclient %{buildroot}%{_datadir}/ansible/roles/ +cp -rp roles/ipaclient/README.md README-client.md +install -m 755 -d %{buildroot}%{_datadir}/ansible/plugins/ +cp -rp plugins/* %{buildroot}%{_datadir}/ansible/plugins/ + +%files +%license COPYING +%{_datadir}/ansible/roles/ipaserver +%{_datadir}/ansible/roles/ipareplica +%{_datadir}/ansible/roles/ipaclient +%{_datadir}/ansible/plugins/module_utils +%{_datadir}/ansible/plugins/modules +%doc README.md +%doc README-*.md +%doc playbooks + +%changelog +* Thu Feb 20 2020 Thomas Woerner - 0.1.8-3 +- ipahost: Do not fail on missing DNS or zone when no IP address given + Resolves: RHBZ#1804838 + +* Fri Feb 14 2020 Thomas Woerner - 0.1.8-2 +- Updated RPM description for ansible-freeipa 0.1.8 + Related: RHBZ#1748986 +- ipahost: Fix choices of auth_ind parameter, allow to reset parameter + Resolves: RHBZ#1783992 +- ipauser: Allow reset of userauthtype, do not depend on first,last for mod + Resolves: RHBZ#1784474 +- ipahost: Enhanced failure msg for member params used without member action + Resolves: RHBZ#1783948 +- Add 
missing attributes to ipasudorule + Resolves: RHBZ#1788168 + Resolves: RHBZ#1788035 + Resolves: RHBZ#1788024 +- ipapwpolicy: Use global_policy if name is not set + Resolves: RHBZ#1797532 +- ipahbacrule: Fix handing of members with action hbacrule + Resolves: RHBZ#1787996 +- ansible_freeipa_module: Fix comparison of bool parameters in compare_args_isa + Resolves: RHBZ#1784514 +- ipahost: Add support for several IP addresses and also to change them + Resolves: RHBZ#1783979 + Resolves: RHBZ#1783976 +- ipahost: Fail on action member for new hosts, fix dnsrecord_add reverse flag + Resolves: RHBZ#1803026 + +* Sat Dec 14 2019 Thomas Woerner - 0.1.8-1 +- Update to version 0.1.8 (bug fix release) + - roles/ipaclient/README.md: Add information about ipaclient_otp + - Install and enable firewalld if it is configured for ipaserver and + ipareplica roles + - ipaserver_test: Do not use zone_overlap_check for domain name validation + - Allow execution of API commands that do not require a name + - Update README-host: Drop options from allow_*keytab parameters docs + - ipauser: Extend email addresses with default email domain if no domain is + given + Resolves: RHBZ#1747413 + Related: RHBZ#1748986 + +* Mon Dec 2 2019 Thomas Woerner - 0.1.7-1 +- Update to version 0.1.7 + - Add debian support for ipaclient + - Added support for predefining client OTP using ipaclient_otp + - ipatopologysegment: Store suffix for commands in command list + - ipatopologysegment: Fail for missing entry with reinitialized + - Utils scripts: ansible-ipa-[server,replica,client]-install + - ipaserver_test,ipareplica_prepare: Do not return _pkcs12_file settings + - ansible_freeipa_module: Add support for GSSAPI + - ansible_ipa_client: Drop import of configure_nsswitch_database + - New host management module + - New hostgroup management module + - ipagroup: Remove unused member_[present,absent] states + - external-ca tests: Fix typo in inventory files + - tests/external-signed-ca tests: Fix external-ca.sh to 
use proper serials + - ipagroup: Rework to use same mechanisms as ipahostgroup module + - ansible_freeipa_module: api_command should not have extra try clause + - ansible_freeipa_module: compare_args_ipa needs to compare lists orderless + - ansible_freeipa_module: New function api_check_param + - ansible_freeipa_module: New functions module_params_get and _afm_convert + - ansible_freeipa_module: Add missing to_text import for _afm_convert + - ansible_freeipa_module: Convert tuple to list in compare_args_ipa + - ansible_freeipa_module: New function api_get_realm + - ipauser: User module extension + - New sudocmd management module + - New sudocmdgroup management module + - ansible_freeipa_module: Convert int to string in compare_args_ipa + - New pwpolicy management module + - New hbacsvc (HBAC Service) management module + - New hbacsvcgroup (HBAC Service Group) management module + - ipagroup: Properly support IPA versions 4.6 and RHEL-7 + - ipagroup: Fix changed flag, new test cases + - ipauser: Add info about version limitation of passwordexpiration + - New hbacrule (HBAC Rule) management module + - ipahostgroup: Fix changed flag, support IPA 4.6 on RHEL-7, new test cases + - New sudorule (Sudo Rule) management module + - ipauser: Support 'sn' alias of 'last' for surname + - Update galaxy.yml: Update description, drop empty dependencies + - Update ipauser.py: Fix typo in users.name description + - ipaclient: Fix misspelled sssd options + - ipauser: Return generated random password + - ipahost: Return generated random password + - Added context configuration to api_connect + - ansible_freeipa_module: Better support for KRB5CCNAME environment variable + - ipa[server,replica,client]: Add support for CentOS-8 + - ipahost: Extension to be able handle several hosts and all settings + - Flake8 fixes + - Documentation updates + - Cleanup + Resolves: RHBZ#1748986 + +* Fri Sep 6 2019 Thomas Woerner - 0.1.6-4 +- ansible_ipa_client: Drop import of configure_nsswitch_database + 
(RHBZ#1748905) + +* Wed Jul 31 2019 Thomas Woerner - 0.1.6-3 +- ipatopologysegment: Store suffix for commands in command list (RHBZ#1733547) +- ipatopologysegment: Fail for missing entry with reinitialized (RHBZ#1733559) + +* Tue Jul 23 2019 Thomas Woerner - 0.1.6-2 +- Drop dirserv_cert_files key from utils/gen_module_docs.py for covscan + +* Tue Jul 23 2019 Thomas Woerner - 0.1.6-1 +- update to version 0.1.6 + - Lots of documentation updates in READMEs and modules + - library/ipaclient_get_otp: Enable force mode for host_add call (fixes #74) + - Flake8 and pylint reated fixes + - Fixed wrong path to CheckedIPAddress class in ipareplica_test + - Remove unused ipaserver/library/ipaserver.py + - No not use wildcard imports for modules + - ipareplica: Add support for pki_config_override + - ipareplica: Initialize dns.ip_addresses and dns.reverse_zones for dns setup + - ipareplica_prepare: Properly initialize pin and cert_name variables + - ipareplica: Fail with proper error messages + - ipaserver: Properly set settings related to pkcs12 files + - ipaclient: RawConfigParser is not always provided by six.moves.configparser + - ipaclient_setup_nss: paths.GETENT is not available before + freeipa-4.6.90.pre1 + - ipaserver_test: Initialize value from options.zonemgr + - ipareplica_setup_custodia: create_replica only available in newer releases + - ipaclient: Fix typo in dnsok assignment for ipaclient_setup_nss + - ipa[server,replica]: Set _packages_adtrust for Ubuntu + - New build script for galaxy release + - New utils script to update module docs +- Changes from ansible-freeipa-0.1.5 + - Support for IPA 4.8.0 + - New user management module + - New group management module + - ipaserver: Support external signed CA + - RHEL-8 specific vars files to be able to install needed modules + automatically + - ipareplica: Fixes for certmonger and kra setup + - New tests folder + - OTP related updates to README files + +* Thu Jul 4 2019 Thomas Woerner - 0.1.4-2 +- ansible_ipa_client: 
Always set options.unattended (RHBZ#1726645) +- ipaserver_prepare: Properly report error, do show trace back (RHBZ#1726668) +- ipa[server,replica,client]: RHEL-8 specific vars files (RHBZ#1727095) +- ipatopology modules: Use ipaadmin_ prefix for principal and password + (RHBZ#1727101) + +* Mon Jun 17 2019 Thomas Woerner - 0.1.4-1 +- update to version 0.1.4 + - ipatopologysegment: Use commands, not command + +* Mon Jun 17 2019 Thomas Woerner - 0.1.3-1 +- update to version 0.1.3 + - ipaclient_test: Fix Python2 decode use with Python3 + - Fixed: #86 (AttributeError: 'str' object has no attribute 'decode') + - ipaclient_get_otp: Remove ansible_python_interpreter handling + - ipaclient: Use omit (None) for password, keytab, no string length checks + - ipaclient_join: Support to use ipaadmin_keytab without ipaclient_use_otp + - ipaclient: Report error message if ipaclient_get_otp failed + - Fixes #17 Improve how tasks manage package installation + - ipareplica: The dm password is not needed for ipareplica_master_password + - ipareplica: Use ipareplica_server if set + - ipatopologysegment: Allow domain+ca suffix, new state: checked + - Documentation updates + - Cleanups + +* Tue Jun 11 2019 Thomas Woerner - 0.1.2-3 +- bump release for functional test + +* Tue Jun 11 2019 Thomas Woerner - 0.1.2-2 +- bump release for functional test + +* Fri Jun 7 2019 Thomas Woerner - 0.1.2-1 +- update to version 0.1.2 + - Now a new Ansible Collection + - Fix gssapi requirement for OTP: It is only needed if keytab is used with + OTP now. 
+ - Fix wrong ansible argument types + - Do not fail on textwrap for replica deployments with CA + - Ansible lint and galaxy fixes + - Disable automatic removal of replication agreements in uninstall + - Enable freeipa-trust service if adtrust is enabled + - Add support for hidden replica + - New topology managament modules + - Add support for pki_config_override + - Fix host name setup in server deployment + - Fix errors when ipaservers variable is not set + - Fix ipaclient install role length typo + - Cleanups + +* Mon May 6 2019 Thomas Woerner - 0.1.1-1 +- Initial package
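Review bot: The shebang-stripping loop in %prep deletes more than the shebang: in `sed -i '/\/usr\/bin\/python*/d' $i` the trailing `*` applies only to the `n`, so the expression matches any line anywhere in the file that contains `/usr/bin/pytho` (a docstring, a comment, or a string literal in a module would be silently removed, and the resulting module would no longer match the upstream source the Patch1..Patch10 files were written against). Anchor it to the first line and to the `#!` marker, and quote the loop variable, e.g. `sed -i '1{/^#!.*\/usr\/bin\/python/d}' "$i"`. Two smaller points in the same hunk: %files lists `%{_datadir}/ansible/roles/ipaserver` and `%{_datadir}/ansible/plugins/modules` etc. but not the `%{_datadir}/ansible/roles/` and `%{_datadir}/ansible/plugins/` directories that %install creates with `install -m 755 -d`, so those directories end up unowned by the package (add `%dir` entries or let an ansible package own them); and `#Requires: ansible` is commented out without explanation, so a one-line comment stating why the package deliberately carries no dependency on the runtime it is built for would save the next maintainer from re-adding it. Finally, the 0.1.8-2 changelog entry says `compare_args_isa` while Patch7 and the upstream function are `compare_args_ipa`.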