Update freeipa_client & server to address RHEL9 (cloudera-labs#199)

* Introduce new 'freeipa_sidecar' parameter in playbooks to suppress FreeIPA client configuration changes * Update freeipa_client and freeipa_server roles to restart networking, not restart host, on most configuration changes * Set SELinux to Permissive mode during FreeIPA configurations Signed-off-by: Chuck Levesque <[email protected]>
clevesque · Sep 12, 2024 · dd51746 · dd51746
1 parent a9cdbe9
commit dd51746
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 33 deletions.
diff --git a/playbooks/pvc_base_prereqs_ext.yml b/playbooks/pvc_base_prereqs_ext.yml
@@ -180,7 +180,9 @@
   become: yes
   roles:
     - role: cloudera.cluster.infrastructure.krb5_client
-      when: krb5_kdc_host is defined or 'krb5_server' in groups
+      when:
+        - krb5_kdc_host is defined or 'krb5_server' in groups
+        - not (freeipa_sidecar is defined and freeipa_sidecar)
   tags:
     - security
     - kerberos

diff --git a/playbooks/pvc_base_prereqs_int.yml b/playbooks/pvc_base_prereqs_int.yml
@@ -140,7 +140,9 @@
   become: yes
   roles:
     - role: cloudera.cluster.prereqs.kerberos
-      when: krb5_kdc_host is defined or 'krb5_server' in groups
+      when:
+        - krb5_kdc_host is defined or 'krb5_server' in groups
+        - not (freeipa_sidecar is defined and freeipa_sidecar)
   tags:
     - kerberos
     - prereqs

diff --git a/roles/freeipa_client/handlers/main.yml b/roles/freeipa_client/handlers/main.yml
@@ -14,5 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: restart host
-  ansible.builtin.reboot:
+- name: restart network
+  ansible.builtin.service:
+    name: NetworkManager
+    state: restarted
diff --git a/roles/freeipa_client/tasks/main.yml b/roles/freeipa_client/tasks/main.yml
@@ -14,32 +14,37 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Disable SELinux
+- name: Permissive SELinux
   ansible.posix.selinux:
-    state: disabled
-  notify: restart host
+    policy: targeted
+    state: permissive
 
 - name: Set up DNS and networking
   when: enable_dns
   block:
     - name: Update RHEL networking
       when: ansible_facts['os_family'] == 'RedHat'
       block:
+        - name: Check for existence of /etc/cloud/cloud.cfg
+          ansible.builtin.stat: path=/etc/cloud/cloud.cfg
+          register: cloud_cfg
+
         - name: Set cloud-init to preserve hostname (RHEL)
           ansible.builtin.lineinfile:
             path: /etc/cloud/cloud.cfg
             regex: "^(#)?preserve_hostname"
             line: "preserve_hostname: 1"
             state: present
-          notify: restart host
+          when: cloud_cfg.stat.exists
+          notify: restart network
 
         - name: Set interface config to preserve resolv.conf changes (RHEL)'
           ansible.builtin.lineinfile:
             path: "/etc/sysconfig/network-scripts/ifcfg-{{ ansible_default_ipv4.interface }}"
             regex: "^(#)?PEERDNS"
             line: "PEERDNS=no"
             state: present
-          notify: restart host
+          notify: restart network
 
         - name: Set /etc/NetworkManager/conf.d/disable-resolve.conf-managing.conf (RHEL)
           ansible.builtin.copy:
@@ -48,7 +53,7 @@
               # Generated by Ansible
               [main]
               dns=none
-          notify: restart host
+          notify: restart network
 
         - name: Set /etc/resolv.conf directly
           ansible.builtin.copy:
@@ -57,7 +62,7 @@
               # Generated by Ansible
               search {{ ipaserver_domain }}
               {{ ['nameserver '] | product(ipa_server_ips | sort) | map('join') | join('\n') }}
-          notify: restart host
+          notify: restart network
 
         - name: Disable nm-cloud-setup if present
           ignore_errors: yes
@@ -67,27 +72,21 @@
           loop:
             - systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
             - systemctl stop nm-cloud-setup.service nm-cloud-setup.timer
-            - ip rule del prio 30400
             - rm -rf /etc/systemd/system/nm-cloud-setup.service.d
 
-        - name: Ensure NetworkManager is running to maintain DHCP
-          ansible.builtin.service:
-            name: NetworkManager
-            state: restarted
-
     - name: Set /etc/hostname to the FQDN
       ansible.builtin.copy:
         content: "{{ inventory_hostname }}"
         dest: /etc/hostname
-      notify: restart host
+      notify: restart network
 
     - name: Set /etc/hosts
       ansible.builtin.copy:
         dest: /etc/hosts
         content: |
           # Set by Ansible
           {{ ansible_default_ipv4.address }} {{ inventory_hostname }} {{ inventory_hostname_short }}
-      notify: restart host
+      notify: restart network
 
     - name: Check for existence of /etc/dhcp/dhclient.conf
       ansible.builtin.stat: path=/etc/dhcp/dhclient.conf
@@ -108,7 +107,7 @@
           domain_search: supersede domain-search "{{ ipaserver_domain }}";
           domain_name_servers: supersede domain-name-servers {{ ipa_server_ips | sort | union(fallback_nameservers) | join(', ') }};
       when: dhclient_conf.stat.exists
-      notify: restart host
+      notify: restart network
 
 - name: Flush handlers
   ansible.builtin.meta: flush_handlers

diff --git a/roles/freeipa_server/handlers/main.yml b/roles/freeipa_server/handlers/main.yml
@@ -14,8 +14,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: restart host
-  ansible.builtin.reboot:
+- name: restart network
+  ansible.builtin.service:
+    name: NetworkManager
+    state: restarted
 
 - name: restart dns
   ansible.builtin.service:

diff --git a/roles/freeipa_server/tasks/main.yml b/roles/freeipa_server/tasks/main.yml
@@ -45,10 +45,10 @@
     update_cache: yes
     state: present
 
-- name: Disable SELinux
+- name: Permissive SELinux
   ansible.posix.selinux:
-    state: disabled
-  notify: restart host
+    policy: targeted
+    state: permissive
 
 - name: Install base FreeIPA server packages
   ansible.builtin.package:
@@ -61,17 +61,22 @@
     - name: Configure RHEL systems
       when: ansible_facts['os_family'] == 'RedHat'
       block:
+        - name: Check for existence of /etc/cloud/cloud.cfg
+          ansible.builtin.stat: path=/etc/cloud/cloud.cfg
+          register: cloud_cfg
+
         - name: Set cloud-init to preserve hostname (RHEL)
           ansible.builtin.lineinfile:
             path: /etc/cloud/cloud.cfg
             regex: "^(#)?preserve_hostname"
             line: "preserve_hostname: 1"
             state: present
-          notify: restart host
+          when: cloud_cfg.stat.exists
+          notify: restart network
 
         - name: Check for existence of /etc/NetworkManager/conf.d
           ansible.builtin.stat: path=/etc/NetworkManager/conf.d
-          register: st
+          register: nm_conf
 
         - name: Set /etc/NetworkManager/conf.d/disable-resolve.conf-managing.conf (RHEL)
           ansible.builtin.copy:
@@ -80,8 +85,8 @@
               # Generated by Ansible
               [main]
               dns=none
-          when: st.stat.exists
-          notify: restart host
+          when: nm_conf.stat.exists
+          notify: restart network
 
         # TODO Either local if dns_provider=freeipa or keep nameserver and update search only
         # TODO Convert to ansible.builtin.template with role templates
@@ -93,14 +98,14 @@
               search {{ [[name_prefix, domain] | join('.'), domain] | join(' ') }}
               nameserver 127.0.0.1
               {{ ['nameserver'] | product(ipaserver_resolv_nameservers) | map('join', ' ') | join('\n') }}
-          notify: restart host
+          notify: restart network
 
     # TODO Need to check-n-set vs. overwrite (forces reboot...)
     - name: Set /etc/hostname to the FQDN
       ansible.builtin.copy:
         content: "{{ inventory_hostname }}"
         dest: /etc/hostname
-      notify: restart host
+      notify: restart network
 
     # TODO Need to check-n-set vs. overwrite (forces reboot...)
     - name: Set /etc/hosts
@@ -111,7 +116,7 @@
           127.0.0.1 localhost
           {{ ansible_default_ipv4.address }}  {{ inventory_hostname }} {{ inventory_hostname_short }}
         backup: yes
-      notify: restart host
+      notify: restart network
 
     - name: Check for existence of /etc/dhcp/dhclient.conf
       ansible.builtin.stat: path=/etc/dhcp/dhclient.conf
@@ -132,7 +137,7 @@
           domain_search: supersede domain-search "{{ [[name_prefix, domain] | join('.'), domain] | join('", "') }}";
           domain_name_servers: supersede domain-name-servers 127.0.0.1, {{ ipaserver_resolv_nameservers | join(', ') }};
       when: dhclient_conf.stat.exists
-      notify: restart host
+      notify: restart network
 
 - name: Flush handlers
   ansible.builtin.meta: flush_handlers