diff --git a/roles/cloudera_manager/repo/defaults/main.yml b/roles/cloudera_manager/repo/defaults/main.yml
index 4475f5d8..35a82308 100644
--- a/roles/cloudera_manager/repo/defaults/main.yml
+++ b/roles/cloudera_manager/repo/defaults/main.yml
@@ -19,3 +19,5 @@
 cloudera_manager_distro_name: "{{ ansible_os_family | lower }}"
 cloudera_manager_distro_version: "{{ ansible_distribution_major_version }}"
 install_repo_on_host: yes
+
+set_custom_repo_as_archive_base_url: "{{ use_custom_repo_as_archive_base_url | default(True) }}"
\ No newline at end of file
diff --git a/roles/cloudera_manager/repo/tasks/main-RedHat.yml b/roles/cloudera_manager/repo/tasks/main-RedHat.yml
index 1d67551f..c7947db9 100644
--- a/roles/cloudera_manager/repo/tasks/main-RedHat.yml
+++ b/roles/cloudera_manager/repo/tasks/main-RedHat.yml
@@ -28,4 +28,4 @@
 - name: yum-clean-metadata
   command: yum clean metadata
   args:
-    warn: no
\ No newline at end of file
+    warn: no
diff --git a/roles/cloudera_manager/repo/tasks/main.yml b/roles/cloudera_manager/repo/tasks/main.yml
index 578127e1..c461c175 100644
--- a/roles/cloudera_manager/repo/tasks/main.yml
+++ b/roles/cloudera_manager/repo/tasks/main.yml
@@ -18,6 +18,13 @@
   include_vars:
     file: "{{ ansible_os_family }}.yml"
 
+- name: Use Custom Repo as Archive Base if using Custom Repo
+  when:
+    - set_custom_repo_as_archive_base_url | bool
+    - '"custom_repo" in groups'
+  ansible.builtin.set_fact:
+    cloudera_archive_base_url: "http://{{ groups['custom_repo'] | first }}"
+
 - name: Correct repo URL for Redhat with cm5
   ansible.builtin.set_fact:
     __cloudera_manager_repo_url_paywall: "{{ cloudera_archive_base_url | regex_replace('/?$','') }}/p/cm{{ __cloudera_manager_major_version }}/redhat/{{ ansible_distribution_major_version }}/x86_64/cm/{{ cloudera_manager_version }}"
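Review bot: The new default `set_custom_repo_as_archive_base_url` is true, so any inventory that merely defines a `custom_repo` group has its archive base URL silently redirected to that host by the set_fact task this commit adds in tasks/main.yml, and nothing in the defaults file says so. The switch also has two names, `set_...` for the default and `use_...` for the override, which will confuse anyone looking for the knob. Suggest a comment above the line: `# When true and a custom_repo group exists, cloudera_archive_base_url is pointed at http://<first custom_repo host>; set use_custom_repo_as_archive_base_url: false to keep the public archive.` The file also still ends without a trailing newline.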
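Review bot: The `when` on the new `Use Custom Repo as Archive Base` task only checks that the `custom_repo` group exists; an empty group satisfies `'"custom_repo" in groups'` and `groups['custom_repo'] | first` then fails the play. Add a third condition, `- groups['custom_repo'] | length > 0`. The scheme is also hard-coded to plain `http://`, so every repo URL derived from `cloudera_archive_base_url` is fetched over an unauthenticated channel; worth confirming that the repo definitions consuming it keep package signature verification enabled, or exposing the scheme as a variable alongside the host.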
@@ -45,4 +52,4 @@
 - name: Install Cloudera Manager repository
   when: install_repo_on_host
   include_tasks:
-    file: "main-{{ ansible_os_family }}.yml"
+    file: "main-{{ ansible_os_family }}.yml"
\ No newline at end of file
diff --git a/roles/deployment/services/kts_common/defaults/main.yml b/roles/deployment/services/kts_common/defaults/main.yml
index 22ef282b..7f74489e 100644
--- a/roles/deployment/services/kts_common/defaults/main.yml
+++ b/roles/deployment/services/kts_common/defaults/main.yml
@@ -22,8 +22,15 @@ keytrustee_server_key_files:
   - gpg.conf
   - keytrustee.conf
   - logging.conf
+  - trustdb.gpg
+
+# GnuPG 2.1+ uses .kbx for keyring, and retired secring / random_seed
+keytrustee_server_gpg_files:
+  - secring.gpg
   - pubring.gpg
   - pubring.gpg~
   - random_seed
-  - secring.gpg
-  - trustdb.gpg
+
+keytrustee_server_kbx_files:
+  - pubring.kbx
+  - pubring.kbx~
\ No newline at end of file
diff --git a/roles/deployment/services/kts_high_availability/tasks/main.yml b/roles/deployment/services/kts_high_availability/tasks/main.yml
index 1ea6b663..e909da61 100644
--- a/roles/deployment/services/kts_high_availability/tasks/main.yml
+++ b/roles/deployment/services/kts_high_availability/tasks/main.yml
@@ -33,12 +33,18 @@
     state: directory
     mode: 0777
 
+# GnuPG 2.1+ uses .kbx for keyring, and retired secring / random_seed
+- name: Determine gnupg version
+  delegate_to: "{{ groups.kts_active | first }}"
+  register: __gnupg_version
+  shell: "gpg2 --version | head -n 1 | rev | cut -d ' ' -f1 | rev"
+
 - name: Fetch GPG keys and configs from active Key Trustee Server
   delegate_to: "{{ groups.kts_active | first }}"
   fetch:
     src: "{{ keytrustee_server_conf_dir }}/{{ item }}"
     dest: "{{ local_temp_dir }}/kts"
-  loop: "{{ keytrustee_server_key_files }}"
+  loop: "{{ keytrustee_server_key_files + (keytrustee_server_kbx_files if __gnupg_version.stdout is version('2.1', '>=') else keytrustee_server_gpg_files) }}"
 
 - name: Copy to passive Key Trustee Server
   delegate_to: "{{ groups.kts_passive | first }}"
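Review bot: `keytrustee_server_kbx_files` lists only `pubring.kbx` and its backup, while the comment on the same hunk notes that GnuPG 2.1+ retired `secring.gpg`; on 2.1+ the secret key material lives under `private-keys-v1.d/` inside the GnuPG home, and neither new list names it. If the HA role relies on these lists to replicate the active server's key material, a 2.1+ host would hand the passive server the public keyring but no private key — verify against the fetch/copy tasks in kts_high_availability, which consume this list in the same commit. At minimum the comment should record the gap, e.g. `# 2.1+ private keys live in private-keys-v1.d/ and are not covered by these lists`.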
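Review bot: The new `Determine gnupg version` task is a read-only probe but runs through `shell` with no `changed_when: false`, so every run reports a change on the active Key Trustee Server; add `changed_when: false` next to `register`. The pipeline `head -n 1 | rev | cut -d ' ' -f1 | rev` also depends on the exact first line of `gpg2 --version`, and if `gpg2` is absent the task fails hard with no `failed_when` or fallback, so the `version('2.1', '>=')` test on the next task never gets to pick the legacy list. The play these tasks belong to continues outside the hunk.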
diff --git a/roles/infrastructure/custom_repo/defaults/main.yml b/roles/infrastructure/custom_repo/defaults/main.yml
index 90bcb158..416cf7f3 100644
--- a/roles/infrastructure/custom_repo/defaults/main.yml
+++ b/roles/infrastructure/custom_repo/defaults/main.yml
@@ -19,5 +19,4 @@
 repo_tar_local_dir: repo
 repo_tar_files: "{{ definition.repo_tar_files | default([]) }}"
 keep_newer: yes
-cm_repo_tarball_url: "{{ definition.cm_repo_tarball_url | default('') }}"
-custom_repo_rehost_files: "{{ definition.custom_repo_rehost_files | default([]) }}"
+custom_repo_rehost_files: "{{ definition.custom_repo_rehost_files | default([]) }}"
\ No newline at end of file
diff --git a/roles/infrastructure/custom_repo/tasks/rehost_files_from_download.yml b/roles/infrastructure/custom_repo/tasks/rehost_files_from_download.yml
index 82935e9c..4e52182a 100644
--- a/roles/infrastructure/custom_repo/tasks/rehost_files_from_download.yml
+++ b/roles/infrastructure/custom_repo/tasks/rehost_files_from_download.yml
@@ -65,14 +65,3 @@
     src: "/var/www/html{{ __tmp_unpack_item | urlsplit('path') }}"
     dest: "/var/www/html{{ __tmp_unpack_item | urlsplit('path') | regex_replace('^(.+)repo.+-(.+)\\.tar\\.gz$', '\\1\\2' + '/yum/') }}"
     keep_newer: "{{ keep_newer }}"
-
-- name: Set Cloudera Manager Base Repo if included in rehosting list
-  when: "{{ custom_repo_rehost_files | select('search', 'tar.gz') | list | select('search', '/cm') | list }} | length > 0"
-  ansible.builtin.set_fact:
-    cloudera_archive_base_url: "http://{{ groups['custom_repo'] | first }}"
-  delegate_to: "{{ __play_host }}"
-  delegate_facts: true
-  loop: "{{ groups.cloudera_manager + groups.cluster + groups.ecs_nodes }}"
-  loop_control:
-    loop_var: __play_host
-    label: __play_host
diff --git a/roles/infrastructure/krb5_client/tasks/freeipa_autodns.yml b/roles/infrastructure/krb5_client/tasks/freeipa_autodns.yml
index e58bc5f8..5882f611 100644
--- a/roles/infrastructure/krb5_client/tasks/freeipa_autodns.yml
+++ b/roles/infrastructure/krb5_client/tasks/freeipa_autodns.yml
@@ -13,9 +13,9 @@
 # limitations under the License.
 
 ---
-- name: Configure autodns on FreeIPA for el7
+- name: Configure autodns on FreeIPA for el7 or el8
   when:
-    - ansible_distribution_major_version | int == 7
+    - ansible_distribution_major_version | int > 6
     - ansible_os_family == 'RedHat'
   block:
     - name: Gather facts from KRB5 Server
@@ -51,4 +51,23 @@
         dest: /etc/NetworkManager/conf.d/disable-resolve.conf-managing.conf
         backup: yes
 
-# TODO: Implement and test for el8
\ No newline at end of file
+- name: Disable nm-cloud-setup if present
+  when:
+    - ansible_distribution_major_version | int > 7
+    - ansible_os_family == 'RedHat'
+  block:
+    - name: Disable nm-cloud-setup if present
+      ignore_errors: yes
+      loop_control:
+        loop_var: __nm_cloud_setup_disable_item
+      loop:
+        - systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
+        - systemctl stop nm-cloud-setup.service nm-cloud-setup.timer
+        - ip rule del prio 30400
+        - rm -rf /etc/systemd/system/nm-cloud-setup.service.d
+      ansible.builtin.command: "{{ __nm_cloud_setup_disable_item }}"
+
+    - name: Ensure NetworkManager is running to maintain DHCP
+      ansible.builtin.service:
+        name: NetworkManager
+        state: restarted
diff --git a/roles/infrastructure/krb5_common/defaults/main.yml b/roles/infrastructure/krb5_common/defaults/main.yml
index 9a01cde9..c8378fbf 100644
--- a/roles/infrastructure/krb5_common/defaults/main.yml
+++ b/roles/infrastructure/krb5_common/defaults/main.yml
@@ -28,6 +28,8 @@
 ipadm_password: "{{ cloudera_manager_admin_password }}"
 ipa_admin_user: admin
 ipaadmin_password: "{{ cloudera_manager_admin_password }}"
+ipa_admins_group: admins
+
 ipa_ldap_dc_suffix: "{% for i in krb5_realm.split('.') %}dc={{ i | lower }}{% if not loop.last %},{% endif %}{% endfor %}"
 ipa_ldap_user_bind_dn: "uid=admin,cn=users,cn=accounts,{{ ipa_ldap_dc_suffix }}"
 ipa_ldap_user_bind_password: "{{ cloudera_manager_admin_password }}"
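Review bot: The new inner `Disable nm-cloud-setup if present` task runs four shell commands under a blanket `ignore_errors: yes`, so a failed `rm -rf` or `ip rule del` is indistinguishable from a host that never had nm-cloud-setup, and the loop reports `changed` on every run. The service/timer and the drop-in directory have idempotent modules (`ansible.builtin.systemd`, `ansible.builtin.file`) that need no error suppression once presence is checked via `service_facts`; only `ip rule del prio 30400` has no module equivalent and deserves a comment explaining where that priority comes from. `state: restarted` on NetworkManager also fires unconditionally, so gating it on the preceding tasks' `changed` result avoids bouncing the interface on every run.

```yaml
- name: Disable nm-cloud-setup if present
  when:
    - ansible_distribution_major_version | int > 7
    - ansible_os_family == 'RedHat'
  block:
    - name: Collect service facts
      ansible.builtin.service_facts:

    - name: Disable and stop nm-cloud-setup service and timer
      when: "'nm-cloud-setup.service' in ansible_facts.services"
      ansible.builtin.systemd:
        name: "{{ __nm_cloud_setup_unit }}"
        enabled: false
        state: stopped
      loop:
        - nm-cloud-setup.service
        - nm-cloud-setup.timer
      loop_control:
        loop_var: __nm_cloud_setup_unit
      register: __nm_cloud_setup_units

    - name: Remove nm-cloud-setup systemd drop-in directory
      ansible.builtin.file:
        path: /etc/systemd/system/nm-cloud-setup.service.d
        state: absent
      register: __nm_cloud_setup_dropin

    # … unchanged: ip rule del prio 30400 (keep as command; add a comment on why this priority) …

    - name: Ensure NetworkManager is running to maintain DHCP
      when: __nm_cloud_setup_units is changed or __nm_cloud_setup_dropin is changed
      ansible.builtin.service:
        name: NetworkManager
        state: restarted
```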
diff --git a/roles/infrastructure/krb5_server/tasks/freeipa.yml b/roles/infrastructure/krb5_server/tasks/freeipa.yml
index e41e307e..b7508067 100644
--- a/roles/infrastructure/krb5_server/tasks/freeipa.yml
+++ b/roles/infrastructure/krb5_server/tasks/freeipa.yml
@@ -17,6 +17,14 @@
   include_tasks:
     file: fix_freeipa_collection.yml
 
+- name: Disable SELinux to allow FreeIPA server setup on Rhel8
+  when:
+    - ansible_distribution_major_version | int >= 8
+  selinux:
+    policy: targeted
+    state: permissive
+  ignore_errors: yes
+
 - name: Setup FreeIPA Server
   ansible.builtin.include_role:
     name: freeipa.ansible_freeipa.ipaserver
@@ -28,8 +36,35 @@
     ipaserver_setup_dns: "{{ freeipa_autodns | default(omit) }}"
     ipaserver_auto_forwarders: "{{ freeipa_autodns | default(omit) }}"
 
+- name: Ensure FreeIPA Superuser if required
+  when:
+    - freeipa_superuser is defined
+    - freeipa_superuser | length > 0
+  block:
+    - name: Create Superuser if not present
+      community.general.ipa_user:
+        name: "{{ freeipa_superuser }}"
+        givenname: "{{ freeipa_superuser_gn | default('Cloudera') }}"
+        sn: "{{ freeipa_superuser_sn | default('Labs') }}"
+        password: "{{ freeipa_superuser_pw | default(cloudera_manager_admin_password) }}"
+        update_password: on_create
+        ipa_host: "{{ groups.krb5_server | first }}"
+        ipa_pass: "{{ ipaadmin_password }}"
+        ipa_user: "{{ ipa_admin_user }}"
+
+    - name: Ensure Superuser is added to admins group
+      community.general.ipa_group:
+        name: "{{ ipa_admins_group }}"
+        user:
+          - "{{ freeipa_superuser }}"
+        append: true
+        ipa_host: "{{ groups.krb5_server | first }}"
+        ipa_pass: "{{ ipaadmin_password }}"
+        ipa_user: "{{ ipa_admin_user }}"
+
 - name: Create FreeIPA DNS records for PVC ECS
   when:
+    - pvc_type is defined and freeipa_autodns is defined
     - pvc_type == 'ECS' | default(false)
     - freeipa_autodns | default(false)
   block:
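Review bot: The new `Disable SELinux to allow FreeIPA server setup on Rhel8` task puts the realm's KDC/CA host into `permissive` permanently and unconditionally on every el8+ run, and `ignore_errors: yes` hides whether the change even applied. FreeIPA documents running its server with SELinux enforcing, so the specific denial that motivated this should be captured rather than worked around silently; suggest a comment above the task, `# TODO: record the AVC this works around; FreeIPA supports enforcing mode on el8`, and either gating the task behind an opt-in variable that defaults to false or setting `state: enforcing` again after `Setup FreeIPA Server` completes. If a variable is added, document it in the role defaults.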
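Review bot: `Create Superuser if not present` and `Ensure Superuser is added to admins group` pass `password` and `ipa_pass` as module arguments without `no_log: true`, so the superuser and IPA admin credentials appear in verbose output and in any callback that records task arguments; add `no_log: true` to both tasks. The default `freeipa_superuser_pw | default(cloudera_manager_admin_password)` also reuses the Cloudera Manager admin password for a member of `{{ ipa_admins_group }}`, binding two administrative identities to one secret; at minimum a comment should make the shared default explicit, e.g. `# defaults to the CM admin password; set freeipa_superuser_pw for a distinct credential`.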
@@ -50,6 +85,7 @@
       community.general.ipa_dnszone:
         ipa_host: "{{ groups.krb5_server | first }}"
         ipa_pass: "{{ ipaadmin_password }}"
+        ipa_user: "{{ ipa_admin_user }}"
         state: present
         zone_name: "apps.{{ krb5_realm | lower }}"
 
@@ -57,6 +93,7 @@
       community.general.ipa_dnsrecord:
         ipa_host: "{{ groups.krb5_server | first }}"
         ipa_pass: "{{ ipaadmin_password }}"
+        ipa_user: "{{ ipa_admin_user }}"
         state: present
         zone_name: "{{ __dns_record_item }}"
         record_name: "*"
diff --git a/roles/infrastructure/krb5_server/vars/default.yml b/roles/infrastructure/krb5_server/vars/default.yml
index fc17dc41..6324f7ec 100644
--- a/roles/infrastructure/krb5_server/vars/default.yml
+++ b/roles/infrastructure/krb5_server/vars/default.yml
@@ -1,2 +1,2 @@
 ---
-ipaserver_packages: [ "ipa-server", "python3-libselinux" ]
\ No newline at end of file
+ipaserver_packages: [ "ipa-server", "python3-libselinux" ]
diff --git a/roles/prereqs/os/tasks/main-RedHat.yml b/roles/prereqs/os/tasks/main-RedHat.yml
index 1219f615..e770815b 100644
--- a/roles/prereqs/os/tasks/main-RedHat.yml
+++ b/roles/prereqs/os/tasks/main-RedHat.yml
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 ---
-- name: Setup System python on Rhel8
+- name: Setup System python3 on Rhel8
   when: ansible_distribution_major_version | int >= 8
   block:
     - name: Check if Python3 is installed so we don't end up with multiple versions
@@ -30,6 +30,14 @@
         update_cache: yes
         state: present
 
+    - name: Ensure pip3 is upgraded
+      ansible.builtin.command: "pip3 install --upgrade pip"
+
+# leaving as separate group for when py2 is finally deprecated
+- name: Setup System python2 on Rhel8
+  when:
+    - ansible_distribution_major_version | int >= 8
+  block:
     - name: Check if Python2 is installed so we don't end up with multiple versions
       shell: python2 --version
       register: __py2_check
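Review bot: The relocated `Ensure pip3 is upgraded` task runs `pip3 install --upgrade pip` through `ansible.builtin.command` with no `changed_when`, so it reports a change on every run and replaces the distro-packaged pip under the system python3 with whatever PyPI serves at run time, unpinned and outside package management; on el8 that can break tooling that relies on the platform pip. Consider pinning the version or dropping the task, or at least adding `register: __pip3_upgrade` with `changed_when: "'Successfully installed' in __pip3_upgrade.stdout"`. The new `Setup System python2 on Rhel8` block opens in this hunk but its body continues outside it.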
@@ -50,9 +58,6 @@
         alternatives --set python /usr/bin/python2
         fi
 
-    - name: Ensure pip3 is upgraded
-      ansible.builtin.command: "pip3 install --upgrade pip"
-
 - name: Disable SELinux
   selinux:
     policy: targeted