[Ovirt-devel] [PATCH server] add server-side groundwork for remote freeipa server
Joey Boggs
jboggs at redhat.com
Fri May 15 20:29:27 UTC 2009
This lays 90% of the groundwork needed on the server side to support the use of a remote ipa server.
Leaving the option disabled in the installer until the necessary node integration (dns/keytab placement location) is completed
Also apply:
[PATCH server] update ovirt-add-host to use ipa commands instead of kadmin.local
[PATCH server] separate ipa common tasks freeipa::common and rename ipa_server_install to ipa_install
---
installer/bin/ovirt-installer | 54 +++++++++++--------
installer/modules/ovirt/manifests/dns.pp | 72 ++++++++++++-------------
installer/modules/ovirt/manifests/freeipa.pp | 57 +++++++++++++++++----
installer/modules/ovirt/manifests/ovirt.pp | 2 +-
4 files changed, 115 insertions(+), 70 deletions(-)
diff --git a/installer/bin/ovirt-installer b/installer/bin/ovirt-installer
index ad4d56d..2258578 100755
--- a/installer/bin/ovirt-installer
+++ b/installer/bin/ovirt-installer
@@ -171,11 +171,29 @@ admin_dev = prompt_for_interface("Enter the interface for the Admin network (thi
#FIXME: correctly configure separate networks.
#For now, define admin and guest networks to be the same
-guest_dev = admin_dev
+guest_dev = guest_httpd_dev
#sep_networks = (guest_dev == admin_dev) ? "n" : "y"
-ovirt_host = prompt_for_answer("Enter the hostname of the oVirt management server (example: management.example.com):", :regex => IP_OR_FQDN)
-ipa_host = ovirt_host
+ovirt_host = prompt_for_answer("Enter the hostname of the oVirt management server", :regex => IP_OR_FQDN, :default => hostname.chomp)
+#remote_ipa = prompt_yes_no("Is FreeIPA already installed on another machine?")
+remote_ipa = "n"
+if remote_ipa == "y"
+ ipa_host = prompt_for_answer("Enter the hostname of the FreeIPA server", :regex => IP_OR_FQDN)
+else
+ ipa_host = ovirt_host
+end
+
+# FreeIPA Configuration
+realm_name = prompt_for_answer("Enter your kerberos realm name (example: example.com):", :regex => FQDN)
+ at cli.say("NOTE: The following password will also be your ovirtadmin password for the web management login")
+freeipa_password = prompt_for_password("Enter the admin password for FreeIPA:", "Confirm your FreeIPA admin password:")
+ldap_dn = ""
+ldap_dn_temp = realm_name.split(".")
+ldap_dn_temp.each do |i|
+ ldap_dn += "dc=#{i},"
+ end
+ ldap_dn = ldap_dn.chop
+
# DNS Configuration
@cli.say( "\nThe following DNS servers were found:")
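Review bot: `guest_dev = guest_httpd_dev` on the first changed line references a name that is not defined anywhere in this hunk; unless `guest_httpd_dev` is assigned earlier in ovirt-installer (that part of the file is not in the patch), the installer stops with a NameError at that line, and the same question applies to the bare `hostname` in the new `:default => hostname.chomp`. Separately, the `ldap_dn` accumulation loop with its trailing `chop` reads more clearly as one expression, `ldap_dn = realm_name.split(".").map { |part| "dc=#{part}" }.join(",")`, which also removes the oddly indented `end` and `chop` lines and does not depend on a trailing comma being present.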
@@ -190,16 +208,16 @@ guest_ipaddr = interfaces[guest_dev]
admin_ipaddr = interfaces[admin_dev]
if dns_servers == "y"
- guest_ipaddr_lookup = Socket.getaddrinfo(guest_ipaddr.to_s,nil)
- guest_hostname = guest_ipaddr_lookup[1][2]
- if guest_hostname.to_s != ipa_host.to_s
+ admin_ipaddr_lookup = Socket.getaddrinfo(admin_ipaddr.to_s,nil)
+ admin_hostname = admin_ipaddr_lookup[1][2]
+ if admin_hostname.to_s != ovirt_host.to_s
@cli.say("Reverse dns lookup for #{guest_ipaddr} failed, exiting")
exit(0)
end
- ipa_host_lookup = Socket.getaddrinfo(ipa_host,nil)
- ipa_hostip = ipa_host_lookup[1][3]
- if ipa_hostip.to_s != guest_ipaddr.to_s
+ ovirt_host_lookup = Socket.getaddrinfo(ovirt_host,nil)
+ ovirt_hostip = ovirt_host_lookup[1][3]
+ if ovirt_hostip.to_s != admin_ipaddr.to_s
@cli.say("Forward dns lookup for #{ipa_host} failed, exiting")
exit(0)
end
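Review bot: The two failure messages still interpolate `guest_ipaddr` and `ipa_host`, while the checks around them were changed to compare `admin_ipaddr` and `ovirt_host`, so a failed lookup reports the wrong host; change them to `@cli.say("Reverse dns lookup for #{admin_ipaddr} failed, exiting")` and `@cli.say("Forward dns lookup for #{ovirt_host} failed, exiting")`. Both branches also exit with status 0 on failure, which hides the error from any wrapper script; `exit(1)` is what a failed pre-flight check should return. The `if dns_servers == "y"` block continues past the end of the hunk.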
@@ -236,18 +254,6 @@ cobbler_user_password = prompt_for_password("Enter your cobbler user password:",
# Postgres Configuration
db_username = "ovirt"
db_password = prompt_for_password("Enter a password for the ovirt postgres account:", "Confirm your ovirt postgres password")
-# FreeIPA Configuration
-realm_name = prompt_for_answer("Enter your realm name (example: example.com):", :regex => FQDN)
-
- at cli.say("NOTE: The following password will also be your ovirtadmin password for the web management login")
-freeipa_password = prompt_for_password("Enter an administrator password for FreeIPA:", "Confirm your FreeIPA admin password:")
-ldap_dn = ""
-ldap_dn_temp = realm_name.split(".")
-ldap_dn_temp.each do |i|
- ldap_dn += "dc=#{i},"
-end
-ldap_dn = ldap_dn.chop
-
#
# Use ERB to spit out the puppet file whcih is used by ace.
@@ -311,7 +317,7 @@ $db_username = '<%= db_username %>'
$db_password = '<%= db_password %>'
# FreeIPA configuration
-$realm_name = '<%= realm_name %>'
+$realm_name = '<%= realm_name.upcase %>'
$freeipa_password = '<%= freeipa_password %>'
$short_ldap_dn = '<%= ldap_dn %>'
$ldap_dn = 'cn=ipaConfig,cn=etc,<%= ldap_dn %>'
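Review bot: `$realm_name` now carries the upper-cased realm, but the same template variable is later passed as `--domain=$realm_name` by the new `freeipa::remote` class in freeipa.pp, where a DNS domain (normally lower case) is expected, so one variable is serving two different values. Emitting the unmodified input as its own variable, e.g. `$domain_name = '<%= realm_name %>'` next to `$realm_name = '<%= realm_name.upcase %>'`, and using it for `--domain=` keeps the Kerberos realm and the DNS domain distinct. Note also that `freeipa_password` is written into a single-quoted Puppet string on the adjacent line, so a password containing a quote or backslash corrupts the generated manifest; as far as this patch shows, the installer does not reject those characters.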
@@ -328,7 +334,11 @@ firewall_rule{"nat-postrouting": table => "nat", chain => "POSTROUTING", out_int
<% end %>
include postgres::bundled
include freeipa::common
+<% if remote_ipa == "n" %>
include freeipa::bundled
+<% else %>
+include freeipa::remote
+<% end %>
include ovirt::setup
END_OF_TEMPLATE
diff --git a/installer/modules/ovirt/manifests/dns.pp b/installer/modules/ovirt/manifests/dns.pp
index 7709cbf..8f44090 100644
--- a/installer/modules/ovirt/manifests/dns.pp
+++ b/installer/modules/ovirt/manifests/dns.pp
@@ -24,52 +24,27 @@ import "augeas"
define dns::common($guest_ipaddr="", $admin_ipaddr="",$guest_dev="",$admin_dev="") {
+ single_exec {"add_guest_server_to_etc_hosts":
+ command => "/bin/echo $admin_ipaddr $ovirt_host >> /etc/hosts",
+ notify => Service[dnsmasq]
+ }
+
package {"dnsmasq":
- ensure => installed,
- require => [Single_exec["add_dns_server_to_resolv.conf"]]
+ ensure => installed
}
service {"dnsmasq" :
ensure => running,
- enable => true,
- require => [File["/etc/dnsmasq.d/ovirt-dns.conf"], Package["dnsmasq"]]
- }
-
- file {"/etc/dnsmasq.d/ovirt-dns.conf":
- content => template("ovirt/ovirt-dns.conf.erb"),
- mode => 644,
- notify => Service[dnsmasq],
- require => Package["dnsmasq"]
- }
-
- single_exec {"add_dns_server_to_resolv.conf":
- command => "/bin/sed -e '1i nameserver $admin_ipaddr' -i /etc/resolv.conf",
- require => [Single_exec["set_hostname"]]
+ enable => true
}
- augeas{"appliance_info":
- context => "/files/etc/dnsmasq.conf",
- changes => [
- "set conf-dir /etc/dnsmasq.d"
+ augeas{"appliance_info":
+ context => "/files/etc/dnsmasq.conf",
+ changes => [
+ "set conf-dir /etc/dnsmasq.d"
],
notify => Service[dnsmasq]
}
-
- file {"/etc/dhclient.conf":
- ensure => present
- }
-
- file_append {"dhclient_config":
- file => "/etc/dhclient.conf",
- line => "prepend domain-name-servers $admin_ipaddr;",
- require => [Single_exec["set_hostname"], Package["dnsmasq"], File["/etc/dhclient.conf"]] ,
- notify => Service[dnsmasq],
- }
-
- single_exec {"add_guest_server_to_etc_hosts":
- command => "/bin/echo $guest_ipaddr $ipa_host >> /etc/hosts",
- notify => [Service[dnsmasq], Single_exec["add_dns_server_to_resolv.conf"]]
- }
}
define dns::bundled($guest_ipaddr="", $admin_ipaddr="",$guest_dev="",$admin_dev="") {
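Review bot: `service {"dnsmasq"}` in dns::common lost its `require` on `Package["dnsmasq"]` together with the moved file resource, so nothing now orders the service start after the package install; with `ensure => running` Puppet can try to start dnsmasq before it is installed. Restoring `require => Package["dnsmasq"]` on the service keeps that ordering in the class that still declares both resources. The `add_guest_server_to_etc_hosts` exec now writes `$admin_ipaddr $ovirt_host`, so its title no longer matches what it does; a title such as `add_ovirt_server_to_etc_hosts` (updated in the `freeipa::common` require as well) would avoid confusing the next reader. dns::common ends in this hunk; dns::bundled starts on its last line and continues past it.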
@@ -79,13 +54,36 @@ define dns::bundled($guest_ipaddr="", $admin_ipaddr="",$guest_dev="",$admin_dev=
augeas{"set_system_hostname":
context => "/files/etc/sysconfig/network",
changes => [
- "set HOSTNAME $ipa_host"
+ "set HOSTNAME $ovirt_host"
]
}
firewall_rule {"named": destination_port => '53'}
firewall_rule {"named-udp": destination_port => '53', protocol => 'udp'}
+ file {"/etc/dhclient.conf":
+ ensure => present
+ }
+
+ single_exec {"add_dns_server_to_resolv.conf":
+ command => "/bin/sed -e '1i nameserver $admin_ipaddr' -i /etc/resolv.conf",
+ require => Single_exec["set_hostname"],
+ notify => Service[dnsmasq]
+ }
+
+ file_append {"dhclient_config":
+ file => "/etc/dhclient.conf",
+ line => "prepend domain-name-servers $admin_ipaddr;",
+ require => [Single_exec["set_hostname"], Package["dnsmasq"], File["/etc/dhclient.conf"]] ,
+ notify => Service[dnsmasq],
+ }
+
+ file {"/etc/dnsmasq.d/ovirt-dns.conf":
+ content => template("ovirt/ovirt-dns.conf.erb"),
+ mode => 644,
+ notify => Service[dnsmasq],
+ require => Package["dnsmasq"]
+ }
}
define dns::remote($guest_ipaddr="", $admin_ipaddr="",$guest_dev="",$admin_dev="") {
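Review bot: The resources moved into dns::bundled reference `Single_exec["set_hostname"]` and `Service[dnsmasq]`, which after this patch are declared in `freeipa::common` and `dns::common` respectively, so the define only compiles when both are in the same catalog and nothing in it states that dependency. A comment above the first moved resource, `# depends on Single_exec["set_hostname"] (freeipa::common) and Service[dnsmasq] (dns::common) being in the catalog`, would at least make the coupling visible. `mode => 644` on the ovirt-dns.conf file is better written as the quoted string `"0644"`, the form that is read unambiguously as octal. dns::bundled's header is outside the hunk.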
diff --git a/installer/modules/ovirt/manifests/freeipa.pp b/installer/modules/ovirt/manifests/freeipa.pp
index 796b8b4..8983e10 100644
--- a/installer/modules/ovirt/manifests/freeipa.pp
+++ b/installer/modules/ovirt/manifests/freeipa.pp
@@ -45,6 +45,15 @@ class freeipa::common{
require => Single_exec[ipa_ovirtadmin_group]
}
+ single_exec {"set_hostname":
+ command => "/bin/hostname $ovirt_host",
+ }
+
+ single_exec {"dnsmasq_restart":
+ command => "/usr/bin/pkill dnsmasq;/etc/init.d/dnsmasq start",
+ require => [Single_exec[add_guest_server_to_etc_hosts],Package[dnsmasq]]
+ }
+
}
class freeipa::bundled{
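Review bot: `dnsmasq_restart` restarts dnsmasq with `pkill` plus the init script instead of going through the `service {"dnsmasq"}` resource that dns::common manages, so Puppet's view of the service and this exec can disagree (started twice, or killed after Puppet recorded it running), and the `pkill dnsmasq` pattern also matches any unrelated process whose name contains that string. Since the exec exists to pick up the new /etc/hosts entry, `add_guest_server_to_etc_hosts` already carries `notify => Service[dnsmasq]` in dns::common, so `require => Service[dnsmasq]` on `ipa_install` would express the same ordering without the manual restart, unless the restart works around an init-script problem not visible here. Both new execs also reference resources declared in other classes (`add_guest_server_to_etc_hosts`, `Package[dnsmasq]`), so freeipa::common now only compiles alongside dns::common; a comment naming that dependency would help.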
@@ -54,10 +63,6 @@ class freeipa::bundled{
require => [Exec[db_exists_file],Single_exec["set_hostname"]]
}
- single_exec {"set_hostname":
- command => "/bin/hostname $ipa_host",
- }
-
exec {"set_kdc_defaults":
command => "/bin/sed -i '/\[kdcdefaults\]/a \ kdc_ports = 88' /usr/share/ipa/kdc.conf.template",
require => Package[ipa-server]
@@ -83,11 +88,6 @@ class freeipa::bundled{
notify => Service[httpd]
}
- single_exec {"dnsmasq_restart":
- command => "/usr/bin/pkill dnsmasq;/etc/init.d/dnsmasq start",
- require => [Single_exec[add_guest_server_to_etc_hosts],Package[dnsmasq]]
- }
-
single_exec {"ipa_install":
command => "/usr/sbin/ipa-server-install -r $realm_name -p $freeipa_password -P $freeipa_password -a $freeipa_password --hostname $ipa_host -u dirsrv -U",
require => [Exec[set_kdc_defaults],Single_exec[dnsmasq_restart]]
@@ -104,7 +104,44 @@ class freeipa::bundled{
class freeipa::remote {
-# oVirt is not configured at this time to support a remote freeipa server
+ single_exec {"ipa_install":
+ command => "/usr/sbin/ipa-client-install --server $ipa_host --domain=$realm_name --realm=$realm_name --force -U",
+ require => Single_exec[dnsmasq_restart]
+ }
+
+ package {"mod_nss":
+ ensure => installed
+ }
+
+ file_replacement{"mod_nss_config_1":
+ file => "/etc/httpd/conf.d/nss.conf",
+ pattern => "<VirtualHost _default_:8443>",
+ replacement => "<VirtualHost _default_:443>",
+ require => Package[mod_nss]
+ }
+ file_replacement{"mod_nss_config_2":
+ file => "/etc/httpd/conf.d/nss.conf",
+ pattern => "Listen 8443",
+ replacement => "Listen 443",
+ require => Package[mod_nss]
+ }
+
+ single_exec {"create_HTTP_keytab":
+ command => "/usr/sbin/ipa-addservice HTTP/$ovirt_host@$realm_name",
+ require => Single_exec[ipa_install]
+ }
+
+ single_exec {"get_HTTP_keytab":
+ command => "/usr/sbin/ipa-getkeytab -s $ipa_host -p HTTP/$ovirt_host@$realm_name -k /usr/share/ovirt-server/ovirt.keytab",
+ require => Single_exec[create_HTTP_keytab],
+ notify => Service[httpd]
+ }
+
+ single_exec {"copy_ovirt_keytab":
+ command => "/bin/cp /usr/share/ovirt-server/ovirt.keytab /etc/httpd/conf/ipa.keytab",
+ require => Single_exec[get_HTTP_keytab],
+ notify => Service[httpd]
+ }
}
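Review bot: Neither keytab copy has its ownership or permissions managed: `ipa-getkeytab` writes `/usr/share/ovirt-server/ovirt.keytab` and `copy_ovirt_keytab` duplicates it to `/etc/httpd/conf/ipa.keytab` with a plain `cp`, so whatever mode the tool or the umask happens to produce is what a file holding the HTTP service key ends up with. Replacing the copy with `command => "/bin/install -m 0600 -o <httpd-user> /usr/share/ovirt-server/ovirt.keytab /etc/httpd/conf/ipa.keytab"` (the user httpd runs as is not shown in this patch) and giving ovirt.keytab a matching `file` resource with `mode` and `owner` pins both to the service user. Separately, `create_HTTP_keytab` and `get_HTTP_keytab` need valid Kerberos credentials for the remote server and nothing in the chain obtains them, which presumably is part of the node integration the commit message says is still pending; a comment saying so would save the next reader from chasing it. The class is complete within this hunk.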
diff --git a/installer/modules/ovirt/manifests/ovirt.pp b/installer/modules/ovirt/manifests/ovirt.pp
index 03a93a7..2e91e69 100644
--- a/installer/modules/ovirt/manifests/ovirt.pp
+++ b/installer/modules/ovirt/manifests/ovirt.pp
@@ -125,7 +125,7 @@ class ovirt::setup {
}
single_exec { "add_host" :
- command => "/usr/bin/ovirt-add-host $ipa_host /usr/share/ovirt-server/ovirt.keytab",
+ command => "/usr/bin/ovirt-add-host $ovirt_host /usr/share/ovirt-server/ovirt.keytab",
require => Package[ovirt-server],
notify => Service[qpidd]
}
--
1.6.0.6