[Ovirt-devel] Re: [PATCH server] add server-side groundwork for remote freeipa server
Joey Boggs
jboggs at redhat.com
Fri May 15 20:31:15 UTC 2009
In case anyone is wondering: because of the puppet classes we have, some of the tasks had to be moved around to support the bundled/common/remote scenarios between the dns/freeipa/ovirt modules.
Joey Boggs wrote:
> This lays 90% of the groundwork needed on the server side to support the use of a remote ipa server.
>
> Leaving the option disabled in the installer until the necessary node integration (dns/keytab placement location) is completed
>
> Also apply:
> [PATCH server] update ovirt-add-host to use ipa commands instead of kadmin.local
> [PATCH server] separate ipa common tasks freeipa::common and rename ipa_server_install to ipa_install
>
>
> ---
> installer/bin/ovirt-installer | 54 +++++++++++--------
> installer/modules/ovirt/manifests/dns.pp | 72 ++++++++++++-------------
> installer/modules/ovirt/manifests/freeipa.pp | 57 +++++++++++++++++----
> installer/modules/ovirt/manifests/ovirt.pp | 2 +-
> 4 files changed, 115 insertions(+), 70 deletions(-)
>
> diff --git a/installer/bin/ovirt-installer b/installer/bin/ovirt-installer
> index ad4d56d..2258578 100755
> --- a/installer/bin/ovirt-installer
> +++ b/installer/bin/ovirt-installer
> @@ -171,11 +171,29 @@ admin_dev = prompt_for_interface("Enter the interface for the Admin network (thi
>
> #FIXME: correctly configure separate networks.
> #For now, define admin and guest networks to be the same
> -guest_dev = admin_dev
> +guest_dev = guest_httpd_dev
> #sep_networks = (guest_dev == admin_dev) ? "n" : "y"
>
> -ovirt_host = prompt_for_answer("Enter the hostname of the oVirt management server (example: management.example.com):", :regex => IP_OR_FQDN)
> -ipa_host = ovirt_host
> +ovirt_host = prompt_for_answer("Enter the hostname of the oVirt management server", :regex => IP_OR_FQDN, :default => hostname.chomp)
> +#remote_ipa = prompt_yes_no("Is FreeIPA already installed on another machine?")
> +remote_ipa = "n"
> +if remote_ipa == "y"
> + ipa_host = prompt_for_answer("Enter the hostname of the FreeIPA server", :regex => IP_OR_FQDN)
> +else
> + ipa_host = ovirt_host
> +end
> +
> +# FreeIPA Configuration
> +realm_name = prompt_for_answer("Enter your kerberos realm name (example: example.com):", :regex => FQDN)
> + at cli.say("NOTE: The following password will also be your ovirtadmin password for the web management login")
> +freeipa_password = prompt_for_password("Enter the admin password for FreeIPA:", "Confirm your FreeIPA admin password:")
> +ldap_dn = ""
> +ldap_dn_temp = realm_name.split(".")
> +ldap_dn_temp.each do |i|
> + ldap_dn += "dc=#{i},"
> + end
> + ldap_dn = ldap_dn.chop
> +
>
> # DNS Configuration
> @cli.say( "\nThe following DNS servers were found:")
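Review bot: `ldap_dn` is assembled by appending `dc=…,` inside an `each` and then `chop`ping the trailing comma, with the `end` and the `chop` line indented one level too deep; `ldap_dn = realm_name.split(".").map { |dc| "dc=#{dc}" }.join(",")` is the idiomatic form and needs no trailing-comma handling. `guest_dev = guest_httpd_dev` introduces a name that is not defined anywhere in this hunk and contradicts the comment directly above it ("define admin and guest networks to be the same"); if it is defined earlier in the script the comment should be updated, otherwise this raises NameError at runtime. The `realm_name` and `freeipa_password` values prompted here are later emitted into the single-quoted puppet manifest (`$freeipa_password = '<%= freeipa_password %>'`) and onto the `ipa-server-install` command line without escaping, so a password containing `'` breaks the generated manifest; a comment at the prompt stating that constraint, or rejecting such characters in `prompt_for_password`, would prevent a confusing failure later.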
> @@ -190,16 +208,16 @@ guest_ipaddr = interfaces[guest_dev]
> admin_ipaddr = interfaces[admin_dev]
>
> if dns_servers == "y"
> - guest_ipaddr_lookup = Socket.getaddrinfo(guest_ipaddr.to_s,nil)
> - guest_hostname = guest_ipaddr_lookup[1][2]
> - if guest_hostname.to_s != ipa_host.to_s
> + admin_ipaddr_lookup = Socket.getaddrinfo(admin_ipaddr.to_s,nil)
> + admin_hostname = admin_ipaddr_lookup[1][2]
> + if admin_hostname.to_s != ovirt_host.to_s
> @cli.say("Reverse dns lookup for #{guest_ipaddr} failed, exiting")
> exit(0)
> end
>
> - ipa_host_lookup = Socket.getaddrinfo(ipa_host,nil)
> - ipa_hostip = ipa_host_lookup[1][3]
> - if ipa_hostip.to_s != guest_ipaddr.to_s
> + ovirt_host_lookup = Socket.getaddrinfo(ovirt_host,nil)
> + ovirt_hostip = ovirt_host_lookup[1][3]
> + if ovirt_hostip.to_s != admin_ipaddr.to_s
> @cli.say("Forward dns lookup for #{ipa_host} failed, exiting")
> exit(0)
> end
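Review bot: The two failure messages still interpolate `guest_ipaddr` and `ipa_host`, but the lookups they report on now use `admin_ipaddr` and `ovirt_host`, so a failing check names the wrong host. Change them to `@cli.say("Reverse dns lookup for #{admin_ipaddr} failed, exiting")` and `@cli.say("Forward dns lookup for #{ovirt_host} failed, exiting")`. Both branches also `exit(0)` after a failed DNS check, which reports success to whatever invoked the installer; a non-zero status such as `exit(1)` would let a wrapper script detect the abort. The enclosing `if dns_servers == "y"` block ends outside the hunk.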
> @@ -236,18 +254,6 @@ cobbler_user_password = prompt_for_password("Enter your cobbler user password:",
> # Postgres Configuration
> db_username = "ovirt"
> db_password = prompt_for_password("Enter a password for the ovirt postgres account:", "Confirm your ovirt postgres password")
> -# FreeIPA Configuration
> -realm_name = prompt_for_answer("Enter your realm name (example: example.com):", :regex => FQDN)
> -
> - at cli.say("NOTE: The following password will also be your ovirtadmin password for the web management login")
> -freeipa_password = prompt_for_password("Enter an administrator password for FreeIPA:", "Confirm your FreeIPA admin password:")
> -ldap_dn = ""
> -ldap_dn_temp = realm_name.split(".")
> -ldap_dn_temp.each do |i|
> - ldap_dn += "dc=#{i},"
> -end
> -ldap_dn = ldap_dn.chop
> -
>
> #
> # Use ERB to spit out the puppet file whcih is used by ace.
> @@ -311,7 +317,7 @@ $db_username = '<%= db_username %>'
> $db_password = '<%= db_password %>'
>
> # FreeIPA configuration
> -$realm_name = '<%= realm_name %>'
> +$realm_name = '<%= realm_name.upcase %>'
> $freeipa_password = '<%= freeipa_password %>'
> $short_ldap_dn = '<%= ldap_dn %>'
> $ldap_dn = 'cn=ipaConfig,cn=etc,<%= ldap_dn %>'
> @@ -328,7 +334,11 @@ firewall_rule{"nat-postrouting": table => "nat", chain => "POSTROUTING", out_int
> <% end %>
> include postgres::bundled
> include freeipa::common
> +<% if remote_ipa == "n" %>
> include freeipa::bundled
> +<% else %>
> +include freeipa::remote
> +<% end %>
> include ovirt::setup
> END_OF_TEMPLATE
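Review bot: The template includes `freeipa::bundled` only when `remote_ipa == "n"` and falls through to `freeipa::remote` for any other value, so if the commented-out `prompt_yes_no` is re-enabled and its return value is anything other than the literal `"n"` (or the variable is left nil), the remote path is chosen silently. Inverting the test makes bundled the default: `<% if remote_ipa == "y" %>` / `include freeipa::remote` / `<% else %>` / `include freeipa::bundled`. Today `remote_ipa` is hard-coded to `"n"` on line 41, so behaviour is unchanged either way.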
>
> diff --git a/installer/modules/ovirt/manifests/dns.pp b/installer/modules/ovirt/manifests/dns.pp
> index 7709cbf..8f44090 100644
> --- a/installer/modules/ovirt/manifests/dns.pp
> +++ b/installer/modules/ovirt/manifests/dns.pp
> @@ -24,52 +24,27 @@ import "augeas"
>
> define dns::common($guest_ipaddr="", $admin_ipaddr="",$guest_dev="",$admin_dev="") {
>
> + single_exec {"add_guest_server_to_etc_hosts":
> + command => "/bin/echo $admin_ipaddr $ovirt_host >> /etc/hosts",
> + notify => Service[dnsmasq]
> + }
> +
> package {"dnsmasq":
> - ensure => installed,
> - require => [Single_exec["add_dns_server_to_resolv.conf"]]
> + ensure => installed
> }
>
> service {"dnsmasq" :
> ensure => running,
> - enable => true,
> - require => [File["/etc/dnsmasq.d/ovirt-dns.conf"], Package["dnsmasq"]]
> - }
> -
> - file {"/etc/dnsmasq.d/ovirt-dns.conf":
> - content => template("ovirt/ovirt-dns.conf.erb"),
> - mode => 644,
> - notify => Service[dnsmasq],
> - require => Package["dnsmasq"]
> - }
> -
> - single_exec {"add_dns_server_to_resolv.conf":
> - command => "/bin/sed -e '1i nameserver $admin_ipaddr' -i /etc/resolv.conf",
> - require => [Single_exec["set_hostname"]]
> + enable => true
> }
>
> - augeas{"appliance_info":
> - context => "/files/etc/dnsmasq.conf",
> - changes => [
> - "set conf-dir /etc/dnsmasq.d"
> + augeas{"appliance_info":
> + context => "/files/etc/dnsmasq.conf",
> + changes => [
> + "set conf-dir /etc/dnsmasq.d"
> ],
> notify => Service[dnsmasq]
> }
> -
> - file {"/etc/dhclient.conf":
> - ensure => present
> - }
> -
> - file_append {"dhclient_config":
> - file => "/etc/dhclient.conf",
> - line => "prepend domain-name-servers $admin_ipaddr;",
> - require => [Single_exec["set_hostname"], Package["dnsmasq"], File["/etc/dhclient.conf"]] ,
> - notify => Service[dnsmasq],
> - }
> -
> - single_exec {"add_guest_server_to_etc_hosts":
> - command => "/bin/echo $guest_ipaddr $ipa_host >> /etc/hosts",
> - notify => [Service[dnsmasq], Single_exec["add_dns_server_to_resolv.conf"]]
> - }
> }
>
> define dns::bundled($guest_ipaddr="", $admin_ipaddr="",$guest_dev="",$admin_dev="") {
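Review bot: `single_exec {"add_guest_server_to_etc_hosts"}` now writes `$admin_ipaddr $ovirt_host`, so the resource name no longer describes what it does; since `dnsmasq_restart` in freeipa::common requires it by that name, a rename is not free, so at least a comment such as `# maps the management host to the admin address (name kept for the freeipa::common dependency)` is warranted. The `/bin/echo ... >> /etc/hosts` append is unconditional; if `single_exec` does not guarantee one execution across re-runs, the entry is duplicated — worth confirming. The `augeas{"appliance_info"}` block on lines 163–170 is only re-indented, which adds diff noise without a functional change.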
> @@ -79,13 +54,36 @@ define dns::bundled($guest_ipaddr="", $admin_ipaddr="",$guest_dev="",$admin_dev=
> augeas{"set_system_hostname":
> context => "/files/etc/sysconfig/network",
> changes => [
> - "set HOSTNAME $ipa_host"
> + "set HOSTNAME $ovirt_host"
> ]
> }
>
> firewall_rule {"named": destination_port => '53'}
> firewall_rule {"named-udp": destination_port => '53', protocol => 'udp'}
>
> + file {"/etc/dhclient.conf":
> + ensure => present
> + }
> +
> + single_exec {"add_dns_server_to_resolv.conf":
> + command => "/bin/sed -e '1i nameserver $admin_ipaddr' -i /etc/resolv.conf",
> + require => Single_exec["set_hostname"],
> + notify => Service[dnsmasq]
> + }
> +
> + file_append {"dhclient_config":
> + file => "/etc/dhclient.conf",
> + line => "prepend domain-name-servers $admin_ipaddr;",
> + require => [Single_exec["set_hostname"], Package["dnsmasq"], File["/etc/dhclient.conf"]] ,
> + notify => Service[dnsmasq],
> + }
> +
> + file {"/etc/dnsmasq.d/ovirt-dns.conf":
> + content => template("ovirt/ovirt-dns.conf.erb"),
> + mode => 644,
> + notify => Service[dnsmasq],
> + require => Package["dnsmasq"]
> + }
> }
>
> define dns::remote($guest_ipaddr="", $admin_ipaddr="",$guest_dev="",$admin_dev="") {
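Review bot: `add_dns_server_to_resolv.conf` and `dhclient_config` both `require` `Single_exec["set_hostname"]`, which this patch moves into `freeipa::common`, and `Package["dnsmasq"]`, which stays in `dns::common`; nothing in `dns::bundled` expresses those class-level prerequisites, so the catalog only compiles when the installer template happens to include all three. A header comment on the define naming them, e.g. `# requires dns::common and freeipa::common to also be in the catalog`, would make the coupling explicit. The stray space in `File["/etc/dhclient.conf"]] ,` is carried over from the old location and could be dropped while the block is being moved.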
> diff --git a/installer/modules/ovirt/manifests/freeipa.pp b/installer/modules/ovirt/manifests/freeipa.pp
> index 796b8b4..8983e10 100644
> --- a/installer/modules/ovirt/manifests/freeipa.pp
> +++ b/installer/modules/ovirt/manifests/freeipa.pp
> @@ -45,6 +45,15 @@ class freeipa::common{
> require => Single_exec[ipa_ovirtadmin_group]
> }
>
> + single_exec {"set_hostname":
> + command => "/bin/hostname $ovirt_host",
> + }
> +
> + single_exec {"dnsmasq_restart":
> + command => "/usr/bin/pkill dnsmasq;/etc/init.d/dnsmasq start",
> + require => [Single_exec[add_guest_server_to_etc_hosts],Package[dnsmasq]]
> + }
> +
> }
>
> class freeipa::bundled{
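Review bot: `dnsmasq_restart` restarts the daemon with `/usr/bin/pkill dnsmasq;/etc/init.d/dnsmasq start` even though `dns::common` already manages `service {"dnsmasq"}`; `pkill` matches every process named dnsmasq (including any libvirt-spawned instance, if one is present on the host), and the `;` means the start runs regardless of whether the kill succeeded. Since `add_guest_server_to_etc_hosts` already carries `notify => Service[dnsmasq]` in the dns.pp hunk, having `ipa_install` `require => Service[dnsmasq]` instead would drop the hand-rolled restart. These two resources are only moved out of `freeipa::bundled`, but now that they live in the common class a comment stating that they are shared by the bundled and remote paths would help the next reader.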
> @@ -54,10 +63,6 @@ class freeipa::bundled{
> require => [Exec[db_exists_file],Single_exec["set_hostname"]]
> }
>
> - single_exec {"set_hostname":
> - command => "/bin/hostname $ipa_host",
> - }
> -
> exec {"set_kdc_defaults":
> command => "/bin/sed -i '/\[kdcdefaults\]/a \ kdc_ports = 88' /usr/share/ipa/kdc.conf.template",
> require => Package[ipa-server]
> @@ -83,11 +88,6 @@ class freeipa::bundled{
> notify => Service[httpd]
> }
>
> - single_exec {"dnsmasq_restart":
> - command => "/usr/bin/pkill dnsmasq;/etc/init.d/dnsmasq start",
> - require => [Single_exec[add_guest_server_to_etc_hosts],Package[dnsmasq]]
> - }
> -
> single_exec {"ipa_install":
> command => "/usr/sbin/ipa-server-install -r $realm_name -p $freeipa_password -P $freeipa_password -a $freeipa_password --hostname $ipa_host -u dirsrv -U",
> require => [Exec[set_kdc_defaults],Single_exec[dnsmasq_restart]]
> @@ -104,7 +104,44 @@ class freeipa::bundled{
>
> class freeipa::remote {
>
> -# oVirt is not configured at this time to support a remote freeipa server
> + single_exec {"ipa_install":
> + command => "/usr/sbin/ipa-client-install --server $ipa_host --domain=$realm_name --realm=$realm_name --force -U",
> + require => Single_exec[dnsmasq_restart]
> + }
> +
> + package {"mod_nss":
> + ensure => installed
> + }
> +
> + file_replacement{"mod_nss_config_1":
> + file => "/etc/httpd/conf.d/nss.conf",
> + pattern => "<VirtualHost _default_:8443>",
> + replacement => "<VirtualHost _default_:443>",
> + require => Package[mod_nss]
> + }
> + file_replacement{"mod_nss_config_2":
> + file => "/etc/httpd/conf.d/nss.conf",
> + pattern => "Listen 8443",
> + replacement => "Listen 443",
> + require => Package[mod_nss]
> + }
> +
> + single_exec {"create_HTTP_keytab":
> + command => "/usr/sbin/ipa-addservice HTTP/$ovirt_host@$realm_name",
> + require => Single_exec[ipa_install]
> + }
> +
> + single_exec {"get_HTTP_keytab":
> + command => "/usr/sbin/ipa-getkeytab -s $ipa_host -p HTTP/$ovirt_host@$realm_name -k /usr/share/ovirt-server/ovirt.keytab",
> + require => Single_exec[create_HTTP_keytab],
> + notify => Service[httpd]
> + }
> +
> + single_exec {"copy_ovirt_keytab":
> + command => "/bin/cp /usr/share/ovirt-server/ovirt.keytab /etc/httpd/conf/ipa.keytab",
> + require => Single_exec[get_HTTP_keytab],
> + notify => Service[httpd]
> + }
>
> }
>
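Review bot: `get_HTTP_keytab` and `copy_ovirt_keytab` write the HTTP service keytab to `/usr/share/ovirt-server/ovirt.keytab` and `/etc/httpd/conf/ipa.keytab` without managing ownership or mode; a keytab is a long-lived credential, so each path should be followed by a `file` resource setting `owner` and `mode => 0600` (or whatever httpd needs to read it) with `require` on the corresponding exec. `ipa-addservice` and `ipa-getkeytab` need admin Kerberos credentials, and nothing in this class obtains a ticket before `create_HTTP_keytab` runs; if that is expected to come from elsewhere, a comment saying so on `create_HTTP_keytab` would avoid a puzzling failure. `$realm_name` is passed to both `--domain` and `--realm`, but the installer template now emits it upcased (line 109 of the ovirt-installer hunk), so the DNS domain argument is upper-case — worth confirming ipa-client-install accepts that before the option is enabled.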
> diff --git a/installer/modules/ovirt/manifests/ovirt.pp b/installer/modules/ovirt/manifests/ovirt.pp
> index 03a93a7..2e91e69 100644
> --- a/installer/modules/ovirt/manifests/ovirt.pp
> +++ b/installer/modules/ovirt/manifests/ovirt.pp
> @@ -125,7 +125,7 @@ class ovirt::setup {
> }
>
> single_exec { "add_host" :
> - command => "/usr/bin/ovirt-add-host $ipa_host /usr/share/ovirt-server/ovirt.keytab",
> + command => "/usr/bin/ovirt-add-host $ovirt_host /usr/share/ovirt-server/ovirt.keytab",
> require => Package[ovirt-server],
> notify => Service[qpidd]
> }
>