From 54080cafed1e37e00a0cd2e34de3dbb90f420c96 Mon Sep 17 00:00:00 2001
From: Peter Bittner
Date: Thu, 14 Apr 2022 12:03:35 +0200
Subject: [PATCH] Upgrade to CentOS 8, Foreman 3.2, Python 3 (Ansible)
---
 Vagrantfile | 26 ++++++-
 ansible/playbook-enc.yml | 2 +-
 ansible/roles/encfrontend/tasks/main.yml | 58 ++++++++------
 .../roles/identitymanagement/tasks/main.yml | 77 +++++++++++--------
 4 files changed, 101 insertions(+), 62 deletions(-)
diff --git a/Vagrantfile b/Vagrantfile
index a29d6ed..462700c 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -4,21 +4,35 @@
 # Vagrantfile docs: https://docs.vagrantup.com
 # For more boxes see https://vagrantcloud.com/search
+# ENV['VAGRANT_DEFAULT_PROVIDER'] = 'libvirt'
+
 ansible_roles = []
+vagrant_plugins = [
+ # 'vagrant-libvirt',
+ # 'vagrant-mutate',
+]
 ansible_roles.each do |role|
 system("ansible-galaxy install #{role}")
 end
+vagrant_plugins.each do |plugin|
+ system("vagrant plugin list | grep -q #{plugin} || vagrant plugin install #{plugin}")
+end
 Vagrant.configure("2") do |config|
 config.vm.define "identity" do |identity|
- identity.vm.box = "centos/7"
+ identity.vm.box = "generic/centos8"
 identity.vm.hostname = "identity.painless.software"
 identity.vm.network :forwarded_port, host: 8444, guest: 443, auto_correct: true
 identity.vm.post_up_message = "Identity management is ready. FreeIPA: https://127.0.0.1:8444/"
+ # identity.vm.provider :libvirt do |libvirt|
+ # libvirt.driver = "kvm"
+ # libvirt.memory = 1024
+ # libvirt.cpus = 1
 identity.vm.provider :virtualbox do |vb|
 vb.customize ["modifyvm", :id, "--name", "Groundcontrol IdentityManagement"]
- vb.customize ["modifyvm", :id, "--memory", "1024"]
+ vb.customize ["modifyvm", :id, "--memory", "2048"]
 vb.customize ["modifyvm", :id, "--vram", "16"]
 vb.customize ["modifyvm", :id, "--ioapic", "on"]
 vb.customize ["modifyvm", :id, "--cpus", "4"]
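Review bot: The new `identity.vm.box = "generic/centos8"` pins the VM to CentOS Linux 8, which reached end of life on 2021-12-31, months before this commit's date, so the guest receives no security updates and its stock `dnf` repositories have since been retired to the vault mirrors; a still-maintained EL8 base (a CentOS Stream 8 or Rocky/AlmaLinux 8 box) would keep the provisioning both working and patched. The plugin bootstrap `system("vagrant plugin list | grep -q #{plugin} || vagrant plugin install #{plugin}")` also runs on every `vagrant` invocation and installs whatever plugin version is current upstream at that moment, so the dev environment is not reproducible and a compromised release is picked up automatically; pin it with `vagrant plugin install #{plugin} --plugin-version <x.y.z>`. The `grep -q #{plugin}` check is an unanchored substring match, so a plugin whose name is a prefix of another would be reported as installed; `grep -q '^#{plugin} '` avoids that. As committed the `vagrant_plugins` array holds only commented-out entries, so the loop is a no-op until one is enabled, which is worth a one-line comment on the array.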
@@ -26,15 +40,20 @@ Vagrant.configure("2") do |config|
 identity.vm.provision "ansible" do |ansible|
 ansible.compatibility_mode = "2.0"
 ansible.playbook = "ansible/playbook-identity.yml"
+ ansible.extra_vars = { ansible_python_interpreter: "/usr/bin/python3" }
 end
 identity.vm.synced_folder ".", "/vagrant", disabled: true
 end
 config.vm.define "enc" do |enc|
- enc.vm.box = "centos/7"
+ enc.vm.box = "generic/centos8"
 enc.vm.hostname = "enc.painless.software"
 enc.vm.network :forwarded_port, host: 8443, guest: 443, auto_correct: true
 enc.vm.post_up_message = "ENC frontend is ready. The Foreman: https://127.0.0.1:8443/"
+ # enc.vm.provider :libvirt do |libvirt|
+ # libvirt.driver = "kvm"
+ # libvirt.memory = 1024
+ # libvirt.cpus = 1
 enc.vm.provider :virtualbox do |vb|
 vb.customize ["modifyvm", :id, "--name", "Groundcontrol ENCfrontend"]
 vb.customize ["modifyvm", :id, "--memory", "1024"]
@@ -45,6 +64,7 @@ Vagrant.configure("2") do |config|
 enc.vm.provision "ansible" do |ansible|
 ansible.compatibility_mode = "2.0"
 ansible.playbook = "ansible/playbook-enc.yml"
+ ansible.extra_vars = { ansible_python_interpreter: "/usr/bin/python3" }
 end
 enc.vm.synced_folder ".", "/vagrant", disabled: true
 end
diff --git a/ansible/playbook-enc.yml b/ansible/playbook-enc.yml
index 7faab72..55ee5d2 100644
--- a/ansible/playbook-enc.yml
+++ b/ansible/playbook-enc.yml
@@ -2,7 +2,7 @@
 - name: Set up a ENC frontend and virtualization for Groundcontrol Genesis
 hosts: all
 roles:
- - virtualization
+ # - virtualization
 - encfrontend
 vars:
 HOSTNAME: '{{ ansible_hostname }}'
diff --git a/ansible/roles/encfrontend/tasks/main.yml b/ansible/roles/encfrontend/tasks/main.yml
index e56a4bb..1becdbc 100644
--- a/ansible/roles/encfrontend/tasks/main.yml
+++ b/ansible/roles/encfrontend/tasks/main.yml
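Review bot: In the `ansible/playbook-enc.yml` hunk the `virtualization` role is commented out with no stated reason, while the play is still named `Set up a ENC frontend and virtualization for Groundcontrol Genesis` and the `enc` VM's post-up message in the Vagrantfile is unchanged, so the playbook now quietly does less than it advertises. If the role was disabled because it has not been ported to CentOS 8 / Python 3 — my guess, not something the diff states — say so on the line, e.g. `# - virtualization  # TODO: not yet ported to CentOS 8 / Python 3, re-enable once verified`, or drop the entry and rename the play. Commented-out code with no note tends to stay commented out forever, and the next reader cannot tell whether re-enabling it is safe.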
@@ -1,32 +1,42 @@
 ---
-# https://theforeman.org/manuals/1.17/index.html#2.1Installation
+# https://theforeman.org/manuals/3.2/index.html#2.1Installation
-- name: Install Puppet 5
- package:
- name: https://yum.puppetlabs.com/puppet5/puppet5-release-el-7.noarch.rpm
- state: present
- become: true
+- name: Set up The Foreman
+ block:
-- name: Install EPEL (Extra Packages for Enterprise Linux)
- package:
- name: http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
- state: present
- become: true
+ - name: Puppet 7
+ command: dnf install -y https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
+ # dnf:
+ # name: https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
+ # state: present
-- name: Add Foreman repos
- package:
- name: https://yum.theforeman.org/releases/1.17/el7/x86_64/foreman-release.rpm
- state: present
- become: true
+ - name: Enable Ruby module (1/2)
+ command: dnf module -y reset ruby
-- name: Install foreman-installer package
- package: name=foreman-installer state=latest
- become: true
+ - name: Enable Ruby module (2/2)
+ command: dnf module -y enable ruby:2.7
+ # dnf:
+ # name: '@ruby:2.7'
+ # state: present
-- name: Run foreman-installer
- command: foreman-installer -v --foreman-admin-password={{ ADMIN_PASSWORD }}
- become: true
+ - name: Add Foreman repos
+ command: dnf install -y https://yum.theforeman.org/releases/3.2/el8/x86_64/foreman-release.rpm
+ # dnf:
+ # name: https://yum.theforeman.org/releases/3.2/el8/x86_64/foreman-release.rpm
+ # state: present
+
+ - name: Install foreman-installer package
+ command: dnf install -y foreman-installer
+ # package:
+ # name: foreman-installer
+ # state: latest
+
+ - name: Run foreman-installer
+ command: foreman-installer -v -s --foreman-initial-admin-password={{ ADMIN_PASSWORD }}
+
+ - name: Remove webserver default configuration
+ file:
+ path: /etc/httpd/conf.d/15-default.conf
+ state: absent
-- name: Remove webserver default configuration
- file: path=/etc/httpd/conf.d/15-default.conf state=absent
 become: true
diff --git a/ansible/roles/identitymanagement/tasks/main.yml b/ansible/roles/identitymanagement/tasks/main.yml
index 8104fb3..e494618 100644
--- a/ansible/roles/identitymanagement/tasks/main.yml
+++ b/ansible/roles/identitymanagement/tasks/main.yml
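Review bot: The rewritten `command: foreman-installer -v -s --foreman-initial-admin-password={{ ADMIN_PASSWORD }}` task passes the admin password as a process argument, so it is visible in `ps` to every local user while the installer runs and is printed verbatim in Ansible's task output and logs; the task needs `no_log: true` at minimum. The newly added `-s` flag deserves a comment saying which check it is meant to bypass — if it is the installer's skip-checks option it silently disables the pre-flight checks, and on an EOL CentOS 8 box a failing check would have been a useful signal. The two release RPMs installed straight from URLs with `dnf install -y https://...` are not signature-verified (dnf's `localpkg_gpgcheck` is off by default for URL and local packages), so the repository definitions and GPG keys they drop in are trusted on TLS alone; import the vendor key first and run with `--setopt=localpkg_gpgcheck=1`. Replacing the `dnf:`/`package:` modules with `command:` calls, with the module form left commented out, also loses idempotency and `--check` support, so every run reports `changed`; if the modules were dropped because they failed under Python 3, that reason belongs in the comment. The enclosing `block:` continues to the `become: true` context line, so the whole block runs as root.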
@@ -1,46 +1,55 @@
 ---
 # https://access.redhat.com/products/identity-management#getstarted
+# https://www.howtoforge.com/tutorial/install-and-configure-freeipa-server-on-centos-8/
-- name: Ensure hostname doesn't resolve to localhost
- replace:
- path: /etc/hosts
- regexp: '^127.0.0.1\t{{ FQDN }}\t{{ HOSTNAME }}'
- replace: '{{ IP_ADDRESS }}\t{{ FQDN }}\t{{ HOSTNAME }}'
- become: true
+- name: Set up FreeIPA
+ block:
-- name: Install FreeIPA server
- package: name=freeipa-server
- become: true
+ - name: Ensure hostname doesn't resolve to localhost
+ replace:
+ path: /etc/hosts
+ regexp: '^127.0.0.1\t{{ FQDN }}\t{{ HOSTNAME }}'
+ replace: '{{ IP_ADDRESS }}\t{{ FQDN }}\t{{ HOSTNAME }}'
-- name: Configure FreeIPA server
- command: ipa-server-install --unattended --admin-password={{ ADMIN_PASSWORD }} --ds-password={{ ADMIN_PASSWORD }} --hostname={{ FQDN }} --domain={{ DOMAIN }} --realm={{ DOMAIN|upper }}
- args:
- creates: /var/log/ipaserver-install.log
- become: true
+ - name: Enable FreeIPA package
+ command: dnf module -y enable idm:DL1
-- name: Ensure admin config / auth to Kerberos realm
- shell: echo '{{ ADMIN_PASSWORD }}' | kinit admin
- become: true
+ - name: Install FreeIPA server
+ command: dnf install -y ipa-server
+ # package:
+ # name: ipa-server
-- name: Disable redirects to hard-coded domain
- replace: path=/etc/httpd/conf.d/ipa-rewrite.conf regexp='{{ item.regexp }}' replace='{{ item.replace }}'
- with_items:
- - { regexp: '^(RewriteRule \^/\$) (https://.*)(/ipa/ui.*)$', replace: '\1 \3' }
- - { regexp: '^(RewriteRule \^\/ipa\/\(.*)$', replace: '#\1' }
- - { regexp: '^(RewriteCond .*)$', replace: '#\1' }
- become: true
+ - name: Configure FreeIPA server
+ command: ipa-server-install --unattended --admin-password={{ ADMIN_PASSWORD }} --ds-password={{ ADMIN_PASSWORD }} --hostname={{ FQDN }} --domain={{ DOMAIN }} --realm={{ DOMAIN|upper }}
+ args:
+ creates: /var/log/ipaserver-install.log
-- name: Deactivate HTTP RefererError
- replace:
- path: '/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py'
- regexp: '{{ item }}'
- replace: '\1pass # \2'
- with_items:
- - "^([ ]*)(return self.marshal\\(result, RefererError\\(referer)"
- become: true
+ - name: Ensure admin config / auth to Kerberos realm
+ shell: echo '{{ ADMIN_PASSWORD }}' | kinit admin
+
+ - name: Disable redirects to hard-coded domain
+ replace:
+ path: /etc/httpd/conf.d/ipa-rewrite.conf
+ regexp: '{{ item.regexp }}'
+ replace: '{{ item.replace }}'
+ with_items:
+ - { regexp: '^(RewriteRule \^/\$) (https://.*)(/ipa/ui.*)$', replace: '\1 \3' }
+ - { regexp: '^(RewriteRule \^\/ipa\/\(.*)$', replace: '#\1' }
+ - { regexp: '^(RewriteCond .*)$', replace: '#\1' }
+
+ - name: Deactivate HTTP RefererError
+ replace:
+ path: '/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py'
+ regexp: '{{ item }}'
+ replace: '\1pass # \2'
+ with_items:
+ - "^([ ]*)(return self.marshal\\(result, RefererError\\(referer)"
+
+ - name: Activate webserver configuration changes
+ service:
+ name: httpd
+ state: reloaded
-- name: Activate webserver configuration changes
- service: name=httpd state=reloaded
 become: true
 - name: Create a couple of demo accounts (FreeIPA)
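Review bot: The re-added `Deactivate HTTP RefererError` task still edits `path: '/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py'`, but the `ipa-server` installed from the `idm:DL1` module on CentOS 8 is a Python 3 package (the commit itself moves Ansible to `/usr/bin/python3`), so that path almost certainly does not exist and the `replace` module will fail on the missing file and abort the whole block; the path needs to be discovered (e.g. from `python3 -c 'import ipaserver.rpcserver as m; print(m.__file__)'`) rather than hard-coded to 2.7. Beyond the path, this task patches out FreeIPA's Referer check, which is the JSON-RPC endpoint's CSRF defence, by editing a packaged file in place — the edit weakens the server for every client and is silently undone by the next `ipa-server` update — so it deserves a comment stating that it exists only for the port-forwarded demo URL and must not be used outside the Vagrant setup. The `shell: echo '{{ ADMIN_PASSWORD }}' | kinit admin` and `ipa-server-install ... --admin-password=... --ds-password=...` tasks put the password into the command line and into Ansible's logs; use `command: kinit admin` with `stdin: '{{ ADMIN_PASSWORD }}'` and add `no_log: true` to both tasks. The block runs as root via the `become: true` context line at its end.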