diff --git a/playbooks/pvc_base_prereqs_ext.yml b/playbooks/pvc_base_prereqs_ext.yml
index e0848c2d..7ac2a76e 100644
--- a/playbooks/pvc_base_prereqs_ext.yml
+++ b/playbooks/pvc_base_prereqs_ext.yml
@@ -180,7 +180,9 @@
 become: yes
 roles:
 - role: cloudera.cluster.infrastructure.krb5_client
- when: krb5_kdc_host is defined or 'krb5_server' in groups
+ when:
+ - krb5_kdc_host is defined or 'krb5_server' in groups
+ - not (freeipa_sidecar is defined and freeipa_sidecar)
 tags:
 - security
 - kerberos
diff --git a/playbooks/pvc_base_prereqs_int.yml b/playbooks/pvc_base_prereqs_int.yml
index a6e4c278..8860f1ad 100644
--- a/playbooks/pvc_base_prereqs_int.yml
+++ b/playbooks/pvc_base_prereqs_int.yml
@@ -140,7 +140,9 @@
 become: yes
 roles:
 - role: cloudera.cluster.prereqs.kerberos
- when: krb5_kdc_host is defined or 'krb5_server' in groups
+ when:
+ - krb5_kdc_host is defined or 'krb5_server' in groups
+ - not (freeipa_sidecar is defined and freeipa_sidecar)
 tags:
 - kerberos
 - prereqs
diff --git a/roles/freeipa_client/handlers/main.yml b/roles/freeipa_client/handlers/main.yml
index e1d74e4c..b2c3b6d1 100644
--- a/roles/freeipa_client/handlers/main.yml
+++ b/roles/freeipa_client/handlers/main.yml
@@ -14,5 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: restart host
- ansible.builtin.reboot:
+- name: restart network
+ ansible.builtin.service:
+ name: NetworkManager
+ state: restarted
diff --git a/roles/freeipa_client/tasks/main.yml b/roles/freeipa_client/tasks/main.yml
index 55578aee..62fcb6d7 100644
--- a/roles/freeipa_client/tasks/main.yml
+++ b/roles/freeipa_client/tasks/main.yml
@@ -14,10 +14,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Disable SELinux
+- name: Permissive SELinux
 ansible.posix.selinux:
- state: disabled
- notify: restart host
+ policy: targeted
+ state: permissive
 
 - name: Set up DNS and networking
 when: enable_dns
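Review bot: The new condition `not (freeipa_sidecar is defined and freeipa_sidecar)` tests Jinja truthiness, so a value that arrives as the string `"false"` (for example from `-e freeipa_sidecar=false` or a string-typed inventory variable) is truthy and silently skips the Kerberos client role; the identical condition is added in the pvc_base_prereqs_int.yml hunk. Coercing the flag makes the gate explicit and tolerates an undefined variable: `- not (freeipa_sidecar | default(false) | bool)`. The enclosing play starts outside the hunk.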
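Review bot: The renamed `restart network` handler restarts the `NetworkManager` unit unconditionally, so any notifier that fires on a host without that unit would fail the play at flush time. The tasks hunks in this diff gate their notifiers on `ansible_facts['os_family'] == 'RedHat'`, but I cannot see every caller of the old `restart host` name from here, and the same handler shape is used in roles/freeipa_server/handlers/main.yml. If non-RHEL hosts can run this role, add `when: ansible_facts['os_family'] == 'RedHat'` to the handler so a missing unit does not abort enrollment.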
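Review bot: Replacing `state: disabled` with `state: permissive` drops the `notify: restart host`, but on a host that was previously provisioned with SELinux disabled the new mode (and the filesystem relabel it needs) only takes effect after a reboot, which `ansible.posix.selinux` reports through `reboot_required` in its result; the same edit is made to roles/freeipa_server/tasks/main.yml in the `@@ -45,10 +45,10 @@` hunk. Register the result (`register: selinux_mode`) and follow it with a reboot task guarded by `when: selinux_mode.reboot_required | default(false)`, or at least fail loudly, so the host does not keep running with SELinux off while the play reports success. A one-line comment on why permissive rather than enforcing is chosen would also help the next maintainer, e.g. `# Permissive so denials are logged but do not block enrollment; move to enforcing once policy is validated`.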
@@ -25,13 +25,18 @@
 - name: Update RHEL networking
 when: ansible_facts['os_family'] == 'RedHat'
 block:
+ - name: Check for existence of /etc/cloud/cloud.cfg
+ ansible.builtin.stat: path=/etc/cloud/cloud.cfg
+ register: cloud_cfg
+
 - name: Set cloud-init to preserve hostname (RHEL)
 ansible.builtin.lineinfile:
 path: /etc/cloud/cloud.cfg
 regex: "^(#)?preserve_hostname"
 line: "preserve_hostname: 1"
 state: present
- notify: restart host
+ when: cloud_cfg.stat.exists
+ notify: restart network
 
 - name: Set interface config to preserve resolv.conf changes (RHEL)'
 ansible.builtin.lineinfile:
@@ -39,7 +44,7 @@
 regex: "^(#)?PEERDNS"
 line: "PEERDNS=no"
 state: present
- notify: restart host
+ notify: restart network
 
 - name: Set /etc/NetworkManager/conf.d/disable-resolve.conf-managing.conf (RHEL)
 ansible.builtin.copy:
@@ -48,7 +53,7 @@
 # Generated by Ansible
 [main]
 dns=none
- notify: restart host
+ notify: restart network
 
 - name: Set /etc/resolv.conf directly
 ansible.builtin.copy:
@@ -57,7 +62,7 @@
 # Generated by Ansible
 search {{ ipaserver_domain }}
 {{ ['nameserver '] | product(ipa_server_ips | sort) | map('join') | join('\n') }}
- notify: restart host
+ notify: restart network
 
 - name: Disable nm-cloud-setup if present
 ignore_errors: yes
@@ -67,19 +72,13 @@
 loop:
 - systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
 - systemctl stop nm-cloud-setup.service nm-cloud-setup.timer
- - ip rule del prio 30400
 - rm -rf /etc/systemd/system/nm-cloud-setup.service.d
 
- - name: Ensure NetworkManager is running to maintain DHCP
- ansible.builtin.service:
- name: NetworkManager
- state: restarted
-
 - name: Set /etc/hostname to the FQDN
 ansible.builtin.copy:
 content: "{{ inventory_hostname }}"
 dest: /etc/hostname
- notify: restart host
+ notify: restart network
 
 - name: Set /etc/hosts
 ansible.builtin.copy:
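Review bot: The new stat task uses the free-form `ansible.builtin.stat: path=/etc/cloud/cloud.cfg` argument form, which ansible-lint's no-free-form rule flags and which differs from the block-YAML module arguments of the lineinfile task right below it; the same task is added in roles/freeipa_server/tasks/main.yml in the `@@ -61,17 +61,22 @@` hunk. It does follow the precedent of the pre-existing dhclient.conf stat, so if the project accepts that form this is a style nit only. Otherwise write it as `ansible.builtin.stat:` / `  path: /etc/cloud/cloud.cfg`. The enclosing `Update RHEL networking` block continues past the hunk.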
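Review bot: After `Set /etc/hostname to the FQDN` the notification now only restarts NetworkManager, which does not change the running kernel hostname; until the host reboots, what `hostname -f` returns (and what a later enrollment step derives the host principal from) can differ from `inventory_hostname`, whereas the removed `restart host` handler rebooted and so made the two agree. The hostname module sets both the file and the live name in one step: `- name: Set hostname to the FQDN` / `  ansible.builtin.hostname:` / `    name: "{{ inventory_hostname }}"`; the same applies to the `Set /etc/hostname` task in roles/freeipa_server/tasks/main.yml (`@@ -93,14 +98,14 @@` hunk). Dropping `ip rule del prio 30400` from the nm-cloud-setup cleanup presumably also leaves an already-installed policy rule in place until reboot; if that rule affects routing for the IPA traffic, either keep the deletion or add a comment saying why it is no longer needed. The `Disable nm-cloud-setup if present` task starts in the previous hunk.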
@@ -87,7 +86,7 @@
 content: |
 # Set by Ansible
 {{ ansible_default_ipv4.address }} {{ inventory_hostname }} {{ inventory_hostname_short }}
- notify: restart host
+ notify: restart network
 
 - name: Check for existence of /etc/dhcp/dhclient.conf
 ansible.builtin.stat: path=/etc/dhcp/dhclient.conf
@@ -108,7 +107,7 @@
 domain_search: supersede domain-search "{{ ipaserver_domain }}";
 domain_name_servers: supersede domain-name-servers {{ ipa_server_ips | sort | union(fallback_nameservers) | join(', ') }};
 when: dhclient_conf.stat.exists
- notify: restart host
+ notify: restart network
 
 - name: Flush handlers
 ansible.builtin.meta: flush_handlers
diff --git a/roles/freeipa_server/handlers/main.yml b/roles/freeipa_server/handlers/main.yml
index b73b6ffe..a2a89031 100644
--- a/roles/freeipa_server/handlers/main.yml
+++ b/roles/freeipa_server/handlers/main.yml
@@ -14,8 +14,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: restart host
- ansible.builtin.reboot:
+- name: restart network
+ ansible.builtin.service:
+ name: NetworkManager
+ state: restarted
 
 - name: restart dns
 ansible.builtin.service:
diff --git a/roles/freeipa_server/tasks/main.yml b/roles/freeipa_server/tasks/main.yml
index b7a59cbc..9371c0d9 100644
--- a/roles/freeipa_server/tasks/main.yml
+++ b/roles/freeipa_server/tasks/main.yml
@@ -45,10 +45,10 @@
 update_cache: yes
 state: present
 
-- name: Disable SELinux
+- name: Permissive SELinux
 ansible.posix.selinux:
- state: disabled
- notify: restart host
+ policy: targeted
+ state: permissive
 
 - name: Install base FreeIPA server packages
 ansible.builtin.package:
@@ -61,17 +61,22 @@
 - name: Configure RHEL systems
 when: ansible_facts['os_family'] == 'RedHat'
 block:
+ - name: Check for existence of /etc/cloud/cloud.cfg
+ ansible.builtin.stat: path=/etc/cloud/cloud.cfg
+ register: cloud_cfg
+
 - name: Set cloud-init to preserve hostname (RHEL)
 ansible.builtin.lineinfile:
 path: /etc/cloud/cloud.cfg
 regex: "^(#)?preserve_hostname"
 line: "preserve_hostname: 1"
 state: present
- notify: restart host
+ when: cloud_cfg.stat.exists
+ notify: restart network
 
 - name: Check for existence of /etc/NetworkManager/conf.d
 ansible.builtin.stat: path=/etc/NetworkManager/conf.d
- register: st
+ register: nm_conf
 
 - name: Set /etc/NetworkManager/conf.d/disable-resolve.conf-managing.conf (RHEL)
 ansible.builtin.copy:
@@ -80,8 +85,8 @@
 # Generated by Ansible
 [main]
 dns=none
- when: st.stat.exists
- notify: restart host
+ when: nm_conf.stat.exists
+ notify: restart network
 
 # TODO Either local if dns_provider=freeipa or keep nameserver and update search only
 # TODO Convert to ansible.builtin.template with role templates
@@ -93,14 +98,14 @@
 search {{ [[name_prefix, domain] | join('.'), domain] | join(' ') }}
 nameserver 127.0.0.1
 {{ ['nameserver'] | product(ipaserver_resolv_nameservers) | map('join', ' ') | join('\n') }}
- notify: restart host
+ notify: restart network
 
 # TODO Need to check-n-set vs. overwrite (forces reboot...)
 - name: Set /etc/hostname to the FQDN
 ansible.builtin.copy:
 content: "{{ inventory_hostname }}"
 dest: /etc/hostname
- notify: restart host
+ notify: restart network
 
 # TODO Need to check-n-set vs. overwrite (forces reboot...)
 - name: Set /etc/hosts
@@ -111,7 +116,7 @@
 127.0.0.1 localhost
 {{ ansible_default_ipv4.address }} {{ inventory_hostname }} {{ inventory_hostname_short }}
 backup: yes
- notify: restart host
+ notify: restart network
 
 - name: Check for existence of /etc/dhcp/dhclient.conf
 ansible.builtin.stat: path=/etc/dhcp/dhclient.conf
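Review bot: The two `# TODO Need to check-n-set vs. overwrite (forces reboot...)` comments kept as context above the `/etc/hostname` and `/etc/hosts` tasks in the `@@ -93,14 +98,14 @@` hunk are now stale, because the `restart network` handler these tasks notify restarts NetworkManager rather than rebooting, so a reader will expect a reboot that no longer happens. Reword them to describe the current effect, e.g. `# TODO Need to check-n-set vs. overwrite (restarts NetworkManager; the live hostname is not updated until reboot)`. The `Configure RHEL systems` block that contains these tasks starts in the first hunk of this file.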
@@ -132,7 +137,7 @@
 domain_search: supersede domain-search "{{ [[name_prefix, domain] | join('.'), domain] | join('", "') }}";
 domain_name_servers: supersede domain-name-servers 127.0.0.1, {{ ipaserver_resolv_nameservers | join(', ') }};
 when: dhclient_conf.stat.exists
- notify: restart host
+ notify: restart network
 
 - name: Flush handlers
 ansible.builtin.meta: flush_handlers