Modifications to enable running the playbooks on VMs.

Create playbook_vm.yml to replace image_base and image_service to work on VM with become. Change the ci user UID so it does not collide with cloud-user and fedora user. Modify packages role so it recognizes rhel and applies pieces on appropriate host groups. Replace freeipa with ipa for RHEL. Improve ldap and ipa task idempotency. Ignore vagrant specific pieces in ad role, remove hardcoded vagrant password.
SSSD · Feb 9, 2023 · 0d816bd · 0d816bd
1 parent 6620cce
commit 0d816bd
Show file tree

Hide file tree

Showing 13 changed files with 321 additions and 29 deletions.
diff --git a/src/ansible/playbook_vm.yml b/src/ansible/playbook_vm.yml
@@ -0,0 +1,62 @@
+---
+# This playbook is to apply tasks similar to image_base and image_service
+# on virtual machines instead of containers as the roles need become true there
+# Some of the pieces also do not make any sense to apply on VMs.
+
+- hosts: all:!ad:!dns.test
+  gather_facts: yes
+  become: yes
+  vars_files:
+  - variables.yml
+  roles:
+  - facts
+  - packages
+  - common
+
+- hosts: ldap.test
+  gather_facts: no
+  become: yes
+  vars_files:
+  - variables.yml
+  roles:
+  - ldap
+
+- hosts: dc.samba.test
+  gather_facts: no
+  become: yes
+  vars_files:
+  - variables.yml
+  roles:
+  - samba
+
+- hosts: master.ipa.test
+  gather_facts: no
+  become: yes
+  vars_files:
+  - variables.yml
+  roles:
+  - ipa
+
+- hosts: client.test
+  gather_facts: no
+  become: yes
+  vars_files:
+  - variables.yml
+  roles:
+  - client
+
+- hosts: nfs.test
+  gather_facts: no
+  become: yes
+  vars_files:
+  - variables.yml
+  roles:
+  - nfs
+
+- hosts: kdc.test
+  gather_facts: no
+  become: yes
+  vars_files:
+  - variables.yml
+  roles:
+  - kdc
diff --git a/src/ansible/roles/ad/tasks/main.yml b/src/ansible/roles/ad/tasks/main.yml
@@ -1,3 +1,17 @@
+- name: 'Create netbios name for a machine in cloud'
+  set_fact:
+    netbios: "AD{{ lookup('password', '/tmp/ad_netbios chars=ascii_uppercase,digits length=4', seed=ansible_host) }}"
+  when: 'ansible_host != "172.16.200.10"'
+
+- name: 'Use pre-defined netbios for a vagrant machine'
+  set_fact:
+    netbios: "{{ service.ad.netbios }}"
+  when: 'ansible_host == "172.16.200.10"'
+
+- name: Show AD netbios name
+  debug:
+    var: netbios
+
 - name: Allow access from our network
   win_firewall_rule:
     name: Allow access from our network
@@ -31,7 +45,7 @@
     Install-ADDSForest                                                        \
       -DomainName "{{ service.ad.domain }}"                                   \
       -CreateDnsDelegation:$false                                             \
-      -DomainNetbiosName "{{ service.ad.netbios }}"                           \
+      -DomainNetbiosName "{{ netbios }}"                           \
       -ForestMode "WinThreshold"                                              \
       -DomainMode "WinThreshold"                                              \
       -Force:$true                                                            \
@@ -60,9 +74,15 @@
   with_items:
   - sudo
 
+- name: Check ldap port is available
+  win_wait_for:
+    port: 389
+    timeout: 6000
+  when: installation.changed
+
 - name: Install additional schemas
   win_shell: |
-    ldifde -i -f C:\{{ item }}.schema -c dc=X {{ service.ad.suffix }} -b "Administrator" "{{ service.ad.netbios }}" "vagrant"
+    ldifde -i -f C:\{{ item }}.schema -c dc=X {{ service.ad.suffix }} -b "Administrator" "{{ netbios }}" "{{ ansible_password }}"
   register: schema
   failed_when: schema.rc != 0 and schema.stdout is not search('ENTRY_EXISTS')
   changed_when: schema.rc == 0
@@ -82,8 +102,8 @@
     Set-ADUser -Server {{ service.ad.domain }} -Identity {{ item }}           \
       -PasswordNeverExpires $true
   register: result
-  failed_when: "result.rc != 255 and result.rc != 0"
-  changed_when: "result.rc == 0"
+  failed_when: "result.rc != 255 and result.rc != 0 and 'vagrant' not in result.stderr"
+  changed_when: "result.rc == 0 or 'vagrant' in result.stderr"
   with_items:
   - Administrator
   - vagrant
@@ -107,9 +127,11 @@
     data: "172.16.200.10"
     type: string
     state: present
+  when: 'ansible_host == "172.16.200.10"'
 
 - name: Remove vagrant IP address from DNS
   win_shell: |
     Get-DnsServerResourceRecord -ZoneName "{{ service.ad.domain }}" -RRType A \
       | Where-Object {$_.RecordData.ipv4address -ne "172.16.200.10"}          \
       | Remove-DnsServerResourceRecord -ZoneName "{{ service.ad.domain }}" -Force
+  when: 'ansible_host == "172.16.200.10"'
diff --git a/src/ansible/roles/common/tasks/main.yml b/src/ansible/roles/common/tasks/main.yml
@@ -12,9 +12,15 @@
     group: root
     mode: 0600
 
+- name: Create /data
+  file:
+    path: '/data'
+    state: directory
+    mode: 0700
+
 - name: Copy common data
   synchronize:
-    src: '{{ playbook_dir }}/../../data/'
+    src: '{{ role_path }}/../../../../data/'
     dest: /data/
 
 # synchronize rsync option --chown was ignored for some reason
@@ -39,7 +45,7 @@
 
 - name: Copy root user ssh keys
   copy:
-    src: '{{ playbook_dir }}/../../data/ssh-keys/{{ item.src }}'
+    src: '{{ role_path }}/../../../../data/ssh-keys/{{ item.src }}'
     dest: '/root/.ssh/{{ item.dest }}'
     owner: 'root'
     group: 'root'
@@ -58,7 +64,7 @@
 - name: 'Create {{ user.regular.name }} user'
   user:
     name: '{{ user.regular.name }}'
-    uid: 1000
+    uid: '{{ user.regular.uid }}'
     groups: wheel
     append: yes
     shell: /usr/bin/bash
@@ -72,7 +78,7 @@
 
 - name: Copy ci user ssh keys
   copy:
-    src: '{{ playbook_dir }}/../../data/ssh-keys/{{ item.src }}'
+    src: '{{ role_path }}/../../../../data/ssh-keys/{{ item.src }}'
     dest: '/home/{{ user.regular.name }}/.ssh/{{ item.dest }}'
     owner: '{{ user.regular.name }}'
     group: '{{ user.regular.name }}'

diff --git a/src/ansible/roles/facts/tasks/RedHat.yml b/src/ansible/roles/facts/tasks/RedHat.yml
@@ -0,0 +1,2 @@
+- name: 'Facts are the same as in Fedora'
+  include_tasks: 'Fedora.yml'
diff --git a/src/ansible/roles/ipa/tasks/main.yml b/src/ansible/roles/ipa/tasks/main.yml
@@ -39,27 +39,39 @@
     ipa automountmap-del default auto.direct
   args:
     stdin: '{{ service.ipa.password }}'
+  register: automountmapdel
+  failed_when:
+    - 'automountmapdel.rc != 0 and "automount map not found" not in automountmapdel.stderr'
 
 - name: Create pw-never-expires group
   shell: |
     kinit admin
     ipa group-add pw-never-expires
   args:
     stdin: '{{ service.ipa.password }}'
+  register: pwneverexpires
+  failed_when:
+    - 'pwneverexpires.rc != 0 and "already exists" not in pwneverexpires.stderr'
 
 - name: Create pw-never-expires password policy
   shell: |
     kinit admin
     ipa pwpolicy-add pw-never-expires --maxlife=0 --minlife=0 --priority=0
   args:
     stdin: '{{ service.ipa.password }}'
+  register: policy
+  failed_when:
+    - 'policy.rc != 0 and "already used by pw-never-expires" not in policy.stderr'
 
 - name: Add admin to pw-never-expires group
   shell: |
     kinit admin
     ipa group-add-member pw-never-expires --users=admin
   args:
     stdin: '{{ service.ipa.password }}'
+  register: member
+  failed_when:
+    - 'member.rc != 0 and "This entry is already a member" not in member.stdout'
 
 - name: Reset admin password to apply pw-never-expires policy
   shell: |
@@ -70,6 +82,16 @@
       {{ service.ipa.password }}
       {{ service.ipa.password }}
 
+- name: 'Check trust with {{ service.samba.domain }}'
+  shell: |
+    kinit admin
+    ipa trust-find
+  args:
+    stdin: |
+      {{ service.ipa.password }}
+  register: trust
+  failed_when: False
+
 - name: 'Setup trust with {{ service.samba.domain }}'
   shell: |
     kinit admin
@@ -78,3 +100,4 @@
     stdin: |
       {{ service.ipa.password }}
       {{ service.samba.password }}
+  when: 'service.samba.domain not in trust.stdout'
diff --git a/src/ansible/roles/ldap/tasks/main.yml b/src/ansible/roles/ldap/tasks/main.yml
@@ -27,3 +27,6 @@
       changetype: modify
       add: aci
       aci: (targetattr=*)(version 3.0; acl "Enable anyone read"; allow (read, search, compare)(userdn="ldap:///anyone");)
+  register: ldapmod
+  failed_when:
+    - 'ldapmod.rc != 0 and "ldap_modify: Type or value exists" not in ldapmod.stderr'
diff --git a/src/ansible/roles/packages/tasks/CentOS8.yml b/src/ansible/roles/packages/tasks/CentOS8.yml
@@ -29,7 +29,7 @@
   - name: Enable IdM module
     shell: |
       dnf module enable -y idm:DL1
-  when: inventory_hostname == 'base-ground'
+  when: inventory_hostname == 'base-ground' or 'base' in groups and inventory_hostname in groups['base']
 
 - name: 'Packages are the same as in Fedora'
   include_tasks: 'Fedora.yml'
diff --git a/src/ansible/roles/packages/tasks/CentOS9.yml b/src/ansible/roles/packages/tasks/CentOS9.yml
@@ -31,7 +31,7 @@
       option: 'gpgcheck'
       value: 'false'
       mode: 0644
-  when: inventory_hostname == 'base-ground'
+  when: inventory_hostname == 'base-ground' or 'base' in groups and inventory_hostname in groups['base']
 
 - name: 'Packages are the same as in Fedora'
   include_tasks: 'Fedora.yml'
diff --git a/src/ansible/roles/packages/tasks/Debian.yml b/src/ansible/roles/packages/tasks/Debian.yml
@@ -32,7 +32,7 @@
       - tshark
       - vim
       - wget
-  when: inventory_hostname == 'base-ground'
+  when: inventory_hostname == 'base-ground' or 'base' in groups and inventory_hostname in groups['base']
 
 - name: Enable backports repo to install freeipa
   block:
@@ -58,7 +58,7 @@
       - realmd
       - sssd
       - sssd-*
-  when: inventory_hostname == 'base-client'
+  when: "'client' in inventory_hostname"
 
 - name: Install packages for NFS base image
   block:
@@ -68,7 +68,7 @@
       update_cache: yes
       name:
       - nfs-kernel-server
-  when: inventory_hostname == 'base-nfs'
+  when: "'nfs' in inventory_hostname"
 
 - name: Install packages for KDC base image
   block:
@@ -80,7 +80,7 @@
       - krb5-admin-server
       - krb5-config
       - krb5-kdc
-  when: inventory_hostname == 'base-kdc'
+  when: "'kdc' in inventory_hostname"
 
 - name: Install additional packages for client development image
   block:
@@ -175,4 +175,4 @@
     pip:
       name:
       - flaky
-  when: inventory_hostname == 'client-devel'
+  when: inventory_hostname == 'client-devel' or 'client-devel' in groups and inventory_hostname in groups['client-devel']
diff --git a/src/ansible/roles/packages/tasks/Fedora.yml b/src/ansible/roles/packages/tasks/Fedora.yml
@@ -47,7 +47,7 @@
       - wget
       - which
       - wireshark-cli
-  when: inventory_hostname == 'base-ground'
+  when: inventory_hostname == 'base-ground' or 'base' in groups and inventory_hostname in groups['base']
 
 - name: Install packages for client base image
   block:
@@ -71,7 +71,7 @@
         libldb                  \
         libtalloc               \
         libtevent
-  when: inventory_hostname == 'base-client'
+  when: "'client' in inventory_hostname"
 
 - name: Install packages for LDAP base image
   block:
@@ -81,7 +81,7 @@
       name:
       - acl
       - 389-ds-base
-  when: inventory_hostname == 'base-ldap'
+  when: "'ldap' in inventory_hostname or 'ipa' in inventory_hostname"
 
 - name: Install packages for IPA base image
   block:
@@ -92,7 +92,7 @@
       - freeipa-server
       - freeipa-server-dns
       - freeipa-server-trust-ad
-  when: inventory_hostname == 'base-ipa'
+  when: "'ipa' in inventory_hostname"
 
 - name: Install packages for Samba base image
   block:
@@ -102,7 +102,7 @@
       name:
       - samba-dc
       - samba-winbind-clients
-  when: inventory_hostname == 'base-samba'
+  when: "'samba' in inventory_hostname"
 
 - name: Install packages for NFS base image
   block:
@@ -111,7 +111,7 @@
       state: present
       name:
       - nfs-utils
-  when: inventory_hostname == 'base-nfs'
+  when: "'nfs' in inventory_hostname"
 
 - name: Install packages for KDC base image
   block:
@@ -122,7 +122,7 @@
       - krb5-libs
       - krb5-server
       - krb5-workstation
-  when: inventory_hostname == 'base-kdc'
+  when: "'kdc' in inventory_hostname"
 
 - name: Install additional packages for client development image
   block:
@@ -162,4 +162,4 @@
     pip:
       name:
       - flaky
-  when: inventory_hostname == 'client-devel'
+  when: inventory_hostname == 'client-devel' or 'client-devel' in groups and inventory_hostname in groups['client-devel']