provision: make playbooks work on virtual machines in idm-ci

Create playbook_vm.yml to include image_base and image_service to work on VM with become. Change the ci user UID locally so it does not collide with cloud-user and fedora user. Modify packages role so it recognizes rhel and applies pieces on appropriate host groups. Replace freeipa with ipa for RHEL. Improve ldap and ipa task idempotency. Add a dns role to configure dns VM. Allow appending to authorized keys instead of rewriting. Add a ssh host key for dns. Add retries to restarting ssh service as it seems to be flaky. Skip passkey on VMs (As it adds unwanted build dependencies). Modify AD role to reuse on VMs without vagrant. Make the backends ipa, ldap, samba optional. Make realm join verbose.
SSSD · Jul 25, 2023 · a95798d · a95798d
1 parent 118062b
commit a95798d
Show file tree

Hide file tree

Showing 34 changed files with 624 additions and 171 deletions.
diff --git a/data/ssh-keys/hosts/dns.test.ecdsa_key b/data/ssh-keys/hosts/dns.test.ecdsa_key
@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQTeoDWHkeAxJwxiCAJ5kjCE/xpA3T7L
+ZndAyO7/ygQ6CdWArKEFab+X4/adnwttHIA9mMGqUZZGryK9733xGoHhAAAAuIfIVTaHyF
+U2AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN6gNYeR4DEnDGII
+AnmSMIT/GkDdPstmd0DI7v/KBDoJ1YCsoQVpv5fj9p2fC20cgD2YwapRlkavIr3vffEage
+EAAAAhAKVUVVC5MY9wzbClODWatvgCoUAhdyYWbXXrkv5n+eqKAAAAG1dlbGwga25vd24g
+a2V5IGZvciBzc3NkLWNpLgECAwQ=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/data/ssh-keys/hosts/dns.test.ecdsa_key.pub b/data/ssh-keys/hosts/dns.test.ecdsa_key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN6gNYeR4DEnDGIIAnmSMIT/GkDdPstmd0DI7v/KBDoJ1YCsoQVpv5fj9p2fC20cgD2YwapRlkavIr3vffEageE= Well known key for sssd-ci.
diff --git a/data/ssh-keys/hosts/dns.test.ed25519_key b/data/ssh-keys/hosts/dns.test.ed25519_key
@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRJuQU3kf5lhmziK9y/+IMBJjCxrNcF
+xsRm3f1aBBN6dWml3zZZ1KyxYr8FtzkMcudRyxt22k1m7u1fZzJjBHocAAAAuL2m1E69pt
+ROAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEm5BTeR/mWGbOIr
+3L/4gwEmMLGs1wXGxGbd/VoEE3p1aaXfNlnUrLFivwW3OQxy51HLG3baTWbu7V9nMmMEeh
+wAAAAgeHhKLEo0Z4fT4bxXp5/d3M1rXK0xRbWJvyWQxm30T6cAAAAbV2VsbCBrbm93biBr
+ZXkgZm9yIHNzc2QtY2kuAQIDBAU=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/data/ssh-keys/hosts/dns.test.ed25519_key.pub b/data/ssh-keys/hosts/dns.test.ed25519_key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEm5BTeR/mWGbOIr3L/4gwEmMLGs1wXGxGbd/VoEE3p1aaXfNlnUrLFivwW3OQxy51HLG3baTWbu7V9nMmMEehw= Well known key for sssd-ci.
diff --git a/data/ssh-keys/hosts/dns.test.rsa_key b/data/ssh-keys/hosts/dns.test.rsa_key
@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQGYjXJprkndh1xohKvKvrfxOgr8VhG
+dl3ec1XLsgmY7UACtj1bCmJB3J8jPgeqjytIRlTMRqT44RkQhzD7VUt5AAAAuHlD4At5Q+
+ALAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAZiNcmmuSd2HXGi
+Eq8q+t/E6CvxWEZ2Xd5zVcuyCZjtQAK2PVsKYkHcnyM+B6qPK0hGVMxGpPjhGRCHMPtVS3
+kAAAAgB2/QhldZz5re7eO764YSs+cha1f8zTLXU7MhK8RX6SsAAAAbV2VsbCBrbm93biBr
+ZXkgZm9yIHNzc2QtY2kuAQIDBAU=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/data/ssh-keys/hosts/dns.test.rsa_key.pub b/data/ssh-keys/hosts/dns.test.rsa_key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAZiNcmmuSd2HXGiEq8q+t/E6CvxWEZ2Xd5zVcuyCZjtQAK2PVsKYkHcnyM+B6qPK0hGVMxGpPjhGRCHMPtVS3k= Well known key for sssd-ci.
diff --git a/src/ansible/group_vars/all b/src/ansible/group_vars/all
@@ -56,3 +56,20 @@ user: {
     password: Secret123
   }
 }
+
+freeipa_packages: {
+    server: [ freeipa-server, freeipa-server-dns, freeipa-server-trust-ad ],
+    client: [ freeipa-client, ]
+}
+
+ipa_packages: {
+    server: [ ipa-server-dns, ipa-server, ipa-server-trust-ad ],
+    client: [ ipa-client, ]
+}
+
+join_samba: yes
+join_ipa: yes
+join_ldap: yes
+join_ad: no
+trust_ipa_samba: yes
+trust_ipa_ad: no
diff --git a/src/ansible/inventory.yml b/src/ansible/inventory.yml
@@ -39,6 +39,7 @@ all:
         ansible_connection: podman
         ansible_host: sssd-wip-base
         ansible_python_interpreter: /usr/bin/python3
+        extended_packageset: yes
     services:
       children:
         client:

diff --git a/src/ansible/playbook_image_service.yml b/src/ansible/playbook_image_service.yml
@@ -19,13 +19,19 @@
   gather_facts: no
   roles:
   - ipa
-  - passkey
 
 - hosts: client.test
   gather_facts: no
   roles:
   - client
-  - passkey
+
+- hosts: client.test, master.ipa.test
+  gather_facts: no
+  tasks:
+  - name: Include passkey
+    include_role:
+      name: passkey
+    when: passkey_support
 
 - hosts: nfs.test
   gather_facts: no

diff --git a/src/ansible/playbook_vagrant.yml b/src/ansible/playbook_vagrant.yml
@@ -2,4 +2,4 @@
 - hosts: dc.ad.test
   gather_facts: yes
   roles:
-  - ad
+  - { role: ad, enable_firewall: yes }
diff --git a/src/ansible/playbook_vm.yml b/src/ansible/playbook_vm.yml
@@ -0,0 +1,29 @@
+---
+- hosts: dns
+  gather_facts: yes
+  become: yes
+  roles:
+  - dns
+
+- name: Include base
+  ansible.builtin.import_playbook: playbook_image_base.yml
+  vars:
+    passkey_support: "{{ override_passkey_support | default('no') | bool }}"
+    user_regular_uid: 1024
+    ansible_become: yes
+
+- name: Include services
+  ansible.builtin.import_playbook: playbook_image_service.yml
+  vars:
+    passkey_support: "{{ override_passkey_support | default('no') | bool }}"
+    user_regular_uid: 1024
+    ansible_become: yes
+    join_ad: "{{ override_join_ad | default('yes') | bool }}"
+    join_ldap: "{{ override_join_ldap | default('yes') | bool }}"
+    join_samba: "{{ override_join_samba | default('yes') | bool }}"
+    join_ipa: "{{ override_join_ipa | default('yes') | bool }}"
+
+- hosts: ad
+  gather_facts: yes
+  roles:
+  - { role: ad, skip_install: yes, skip_dns: yes, ad_permanent_users: ['Administrator'] }
diff --git a/src/ansible/roles/ad/defaults/main.yml b/src/ansible/roles/ad/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+# Users to be configured that their password never expires
+ad_permanent_users:
+- Administrator
+- vagrant
+# Skip vagrant-specific configuration of dns
+skip_dns: no
+# Skip installation of AD server
+skip_addc_install: no
+# Skip addition of sudo shcmea and possibly other ones
+skip_schema: no
+# Open firewall for all incomming traffic.
+open_firewall: yes
diff --git a/src/ansible/roles/ad/tasks/dns.yml b/src/ansible/roles/ad/tasks/dns.yml
@@ -0,0 +1,25 @@
+- name: Disable automatic DNS updates
+  win_regedit:
+    path: '{{ item.path }}'
+    name: '{{ item.name }}'
+    data: '{{ item.value }}'
+    type: dword
+    state: present
+  with_items:
+  - {path: 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', name: 'DisableDynamicUpdate', value: 1}
+  - {path: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters', name: 'RegisterDnsARecords', value: 0}
+  - {path: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters', name: 'UseDynamicDns', value: 0}
+
+- name: Allow only specific IP address for the DNS server
+  win_regedit:
+    path: HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters
+    name: PublishAddresses
+    data: "172.16.200.10"
+    type: string
+    state: present
+
+- name: Remove vagrant IP address from DNS
+  win_shell: |
+    Get-DnsServerResourceRecord -ZoneName "{{ service.ad.domain }}" -RRType A \
+      | Where-Object {$_.RecordData.ipv4address -ne "172.16.200.10"}          \
+      | Remove-DnsServerResourceRecord -ZoneName "{{ service.ad.domain }}" -Force
diff --git a/src/ansible/roles/ad/tasks/install.yml b/src/ansible/roles/ad/tasks/install.yml
@@ -0,0 +1,32 @@
+- name: Install Active Directory Services
+  win_feature:
+    name: '{{ item }}'
+    include_management_tools: yes
+    include_sub_features: yes
+    state: present
+  with_items:
+  - AD-Domain-Services
+  - DNS
+
+- name: 'Create new AD forest {{ service.ad.domain }}'
+  win_shell: |
+    Import-Module ADDSDeployment
+
+    Install-ADDSForest                                                        \
+      -DomainName "{{ service.ad.domain }}"                                   \
+      -CreateDnsDelegation:$false                                             \
+      -DomainNetbiosName "{{ service.ad.netbios }}"                           \
+      -ForestMode "WinThreshold"                                              \
+      -DomainMode "WinThreshold"                                              \
+      -Force:$true                                                            \
+      -InstallDns:$true                                                       \
+      -NoRebootOnCompletion:$true                                             \
+      -SafeModeAdministratorPassword                                          \
+        (ConvertTo-SecureString '{{ service.ad.safe_password }}' -AsPlainText -Force)
+  register: installation
+  args:
+    creates: 'C:\Windows\NTDS'
+
+- name: Reboot machine
+  win_reboot:
+  when: installation.changed
diff --git a/src/ansible/roles/ad/tasks/main.yml b/src/ansible/roles/ad/tasks/main.yml
@@ -5,6 +5,7 @@
     action: allow
     enabled: yes
     state: present
+  when: open_firewall
 
 - name: Set the default SSH shell to PowerShell
   win_regedit:
@@ -14,60 +15,42 @@
     type: string
     state: present
 
-- name: Install Active Directory Services
-  win_feature:
-    name: '{{ item }}'
-    include_management_tools: yes
-    include_sub_features: yes
-    state: present
-  with_items:
-  - AD-Domain-Services
-  - DNS
-
-- name: 'Create new AD forest {{ service.ad.domain }}'
-  win_shell: |
-    Import-Module ADDSDeployment
+- name: Detect cygwin
+  win_stat:
+    path: 'C:\cygwin64\etc'
+  register: cygwin
 
-    Install-ADDSForest                                                        \
-      -DomainName "{{ service.ad.domain }}"                                   \
-      -CreateDnsDelegation:$false                                             \
-      -DomainNetbiosName "{{ service.ad.netbios }}"                           \
-      -ForestMode "WinThreshold"                                              \
-      -DomainMode "WinThreshold"                                              \
-      -Force:$true                                                            \
-      -InstallDns:$true                                                       \
-      -NoRebootOnCompletion:$true                                             \
-      -SafeModeAdministratorPassword                                          \
-        (ConvertTo-SecureString '{{ service.ad.safe_password }}' -AsPlainText -Force)
-  register: installation
-  args:
-    creates: 'C:\Windows\NTDS'
+- name: Configure shell for cygwin
+  win_lineinfile:
+    path: 'C:\cygwin64\etc\nsswitch.conf'
+    line: "db_shell: /cygdrive/c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe"
+  when: cygwin.stat.exists
+  register: configured_cygwin
 
-- name: Reboot machine
+- name: Reboot machine to apply changes in cygwin config
   win_reboot:
-  when: installation.changed
+  when: configured_cygwin.changed and skip_addc_install
+
+- name: 'Install AD server'
+  include_tasks: 'install.yml'
+  when: not skip_addc_install
+
+- name: Install management tools
+  win_feature:
+    name:
+    - RSAT-AD-Tools
+    include_sub_features: yes
+    include_management_tools: yes
 
 - name: Make sure Active Directory Web Services is running
   win_service:
     name: adws
     start_mode: auto
     state: started
 
-- name: Copy sudo schema to guest
-  win_copy:
-    src: '{{ item }}.schema'
-    dest: 'C:\{{ item }}.schema'
-  with_items:
-  - sudo
-
-- name: Install additional schemas
-  win_shell: |
-    ldifde -i -f C:\{{ item }}.schema -c dc=X {{ service.ad.suffix }} -b "Administrator" "{{ service.ad.netbios }}" "vagrant"
-  register: schema
-  failed_when: schema.rc != 0 and schema.stdout is not search('ENTRY_EXISTS')
-  changed_when: schema.rc == 0
-  with_items:
-  - sudo
+- name: 'Add sudo schema and possibly other'
+  include_tasks: 'schema.yml'
+  when: not skip_schema
 
 - name: Set Password Never Expires for system users
   win_shell: |
@@ -84,32 +67,14 @@
   register: result
   failed_when: "result.rc != 255 and result.rc != 0"
   changed_when: "result.rc == 0"
+  until: "result.rc == 0"
+  # The AD is sometimes not ready to proccess requests so we retry
+  # to make it stable.
+  retries: 5
+  delay: 60
   with_items:
-  - Administrator
-  - vagrant
-
-- name: Disable automatic DNS updates
-  win_regedit:
-    path: '{{ item.path }}'
-    name: '{{ item.name }}'
-    data: '{{ item.value }}'
-    type: dword
-    state: present
-  with_items:
-  - {path: 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', name: 'DisableDynamicUpdate', value: 1}
-  - {path: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters', name: 'RegisterDnsARecords', value: 0}
-  - {path: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters', name: 'UseDynamicDns', value: 0}
-
-- name: Allow only specific IP address for the DNS server
-  win_regedit:
-    path: HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters
-    name: PublishAddresses
-    data: "172.16.200.10"
-    type: string
-    state: present
+  - "{{ ad_permanent_users }}"
 
-- name: Remove vagrant IP address from DNS
-  win_shell: |
-    Get-DnsServerResourceRecord -ZoneName "{{ service.ad.domain }}" -RRType A \
-      | Where-Object {$_.RecordData.ipv4address -ne "172.16.200.10"}          \
-      | Remove-DnsServerResourceRecord -ZoneName "{{ service.ad.domain }}" -Force
+- name: 'Configure DNS on vagrant AD'
+  include_tasks: 'dns.yml'
+  when: not skip_dns
diff --git a/src/ansible/roles/ad/tasks/schema.yml b/src/ansible/roles/ad/tasks/schema.yml
@@ -0,0 +1,15 @@
+- name: Copy sudo schema to guest
+  win_copy:
+    src: '{{ item }}.schema'
+    dest: 'C:\{{ item }}.schema'
+  with_items:
+  - sudo
+
+- name: Install additional schemas
+  win_shell: |
+    ldifde -i -f C:\{{ item }}.schema -c dc=X {{ service.ad.suffix }} -b "Administrator" "{{ service.ad.domain }}" "{{ ansible_password }}"
+  register: schema
+  failed_when: schema.rc != 0 and schema.stdout is not search('ENTRY_EXISTS')
+  changed_when: schema.rc == 0
+  with_items:
+  - sudo