Fixes for RHEL8.6 support and custom_repo with Cloudera Manager (cloudera-labs#83)

* Fix download and reuse of Cloudera Manager repo-as-tarball
* Switch to using custom_repo as base url for archive.cloudera.com by default if custom_repo is specified in build without a specific base_url being supplied.
* Fix kts setup for RHEL8+ where gpg 2.1+ is used which has changed the default file set - look for kbx files.
* Setup of automatic DNS on the freeipa server now supports running on ec2 instances with RHEL8.6, and EL8 generally
* Automatically set selinux to permissive on the krb5_server for RHEL8, as otherwise setup is blocked
* Separate Py2 and Py3 setup on RHEL8 in preparation for final Py2 deprecation in Cloudera products
* Set default admins group as configurable variable in freeipa config
* Add option to ensure creation of a 'superuser' in FreeIPA as the default 'admin' user can clash with system users within CDP in some circumstances. This user is then useful to PvC-DS installs and not created by default otherwise.

Signed-off-by: Daniel Chaffelson <[email protected]>

Author: Chaffelson

roles/cloudera_manager/repo/defaults/main.yml

@@ -19,3 +19,5 @@ cloudera_manager_distro_name: "{{ ansible_os_family | lower }}"
 cloudera_manager_distro_version: "{{ ansible_distribution_major_version }}"
 
 install_repo_on_host: yes
+
+set_custom_repo_as_archive_base_url: "{{ use_custom_repo_as_archive_base_url | default(True) }}"

roles/cloudera_manager/repo/tasks/main-RedHat.yml

@@ -28,4 +28,4 @@
 - name: yum-clean-metadata
   command: yum clean metadata
   args:
-    warn: no
+    warn: no

roles/cloudera_manager/repo/tasks/main.yml

@@ -18,6 +18,13 @@
   include_vars:
     file: "{{ ansible_os_family }}.yml"
 
+- name: Use Custom Repo as Archive Base if using Custom Repo
+  when:
+    - set_custom_repo_as_archive_base_url | bool
+    - '"custom_repo" in groups'
+  ansible.builtin.set_fact:
+    cloudera_archive_base_url: "http://{{ groups['custom_repo'] | first }}"
+
 - name: Correct repo URL for Redhat with cm5
   ansible.builtin.set_fact:
     __cloudera_manager_repo_url_paywall: "{{ cloudera_archive_base_url | regex_replace('/?$','') }}/p/cm{{ __cloudera_manager_major_version }}/redhat/{{ ansible_distribution_major_version }}/x86_64/cm/{{ cloudera_manager_version }}"
@@ -45,4 +52,4 @@
 - name: Install Cloudera Manager repository
   when: install_repo_on_host
   include_tasks:
-    file: "main-{{ ansible_os_family }}.yml"
+    file: "main-{{ ansible_os_family }}.yml"

roles/deployment/services/kts_common/defaults/main.yml

@@ -22,8 +22,15 @@ keytrustee_server_key_files:
   - gpg.conf
   - keytrustee.conf
   - logging.conf
+  - trustdb.gpg
+
+# GnuPG 2.1+ uses .kbx for keyring, and retired secring / random_seed
+keytrustee_server_gpg_files:
+  - secring.gpg
   - pubring.gpg
   - pubring.gpg~
   - random_seed
-  - secring.gpg
-  - trustdb.gpg
+
+keytrustee_server_kbx_files:
+  - pubring.kbx
+  - pubring.kbx~

roles/deployment/services/kts_high_availability/tasks/main.yml

@@ -33,12 +33,18 @@
     state: directory
     mode: 0777
 
+# GnuPG 2.1+ uses .kbx for keyring, and retired secring / random_seed
+- name: Determine gnupg version
+  delegate_to: "{{ groups.kts_active | first }}"
+  register: __gnupg_version
+  shell: "gpg2 --version | head -n 1 | rev | cut -d ' ' -f1 | rev"
+
 - name: Fetch GPG keys and configs from active Key Trustee Server
   delegate_to: "{{ groups.kts_active | first }}"
   fetch:
     src: "{{ keytrustee_server_conf_dir }}/{{ item }}"
     dest: "{{ local_temp_dir }}/kts"
-  loop: "{{ keytrustee_server_key_files }}"
+  loop: "{{ keytrustee_server_key_files + (keytrustee_server_kbx_files if __gnupg_version.stdout is version('2.1', '>=') else keytrustee_server_gpg_files) }}"
 
 - name: Copy to passive Key Trustee Server
   delegate_to: "{{ groups.kts_passive | first }}"

roles/infrastructure/custom_repo/defaults/main.yml

@@ -19,5 +19,4 @@ repo_tar_local_dir: repo
 repo_tar_files: "{{ definition.repo_tar_files | default([]) }}"
 keep_newer: yes
 
-cm_repo_tarball_url: "{{ definition.cm_repo_tarball_url | default('') }}"
-custom_repo_rehost_files: "{{ definition.custom_repo_rehost_files | default([]) }}"
+custom_repo_rehost_files: "{{ definition.custom_repo_rehost_files | default([]) }}"

roles/infrastructure/custom_repo/tasks/rehost_files_from_download.yml

@@ -65,14 +65,3 @@
     src: "/var/www/html{{ __tmp_unpack_item | urlsplit('path') }}"
     dest: "/var/www/html{{ __tmp_unpack_item | urlsplit('path') | regex_replace('^(.+)repo.+-(.+)\\.tar\\.gz$', '\\1\\2' + '/yum/') }}"
     keep_newer: "{{ keep_newer }}"
-
-- name: Set Cloudera Manager Base Repo if included in rehosting list
-  when: "{{ custom_repo_rehost_files | select('search', 'tar.gz') | list | select('search', '/cm') | list }} | length > 0"
-  ansible.builtin.set_fact:
-    cloudera_archive_base_url: "http://{{ groups['custom_repo'] | first }}"
-  delegate_to: "{{ __play_host }}"
-  delegate_facts: true
-  loop: "{{ groups.cloudera_manager + groups.cluster + groups.ecs_nodes }}"
-  loop_control:
-    loop_var: __play_host
-    label: __play_host

roles/infrastructure/krb5_client/tasks/freeipa_autodns.yml

@@ -13,9 +13,9 @@
 # limitations under the License.
 
 ---
-- name: Configure autodns on FreeIPA for el7
+- name: Configure autodns on FreeIPA for el7 or el8
   when:
-    - ansible_distribution_major_version | int == 7
+    - ansible_distribution_major_version | int > 6
     - ansible_os_family == 'RedHat'
   block:
     - name: Gather facts from KRB5 Server
@@ -51,4 +51,23 @@
         dest: /etc/NetworkManager/conf.d/disable-resolve.conf-managing.conf
         backup: yes
 
-# TODO: Implement and test for el8
+- name: Disable nm-cloud-setup if present
+  when:
+    - ansible_distribution_major_version | int > 7
+    - ansible_os_family == 'RedHat'
+  block:
+    - name: Disable nm-cloud-setup if present
+      ignore_errors: yes
+      loop_control:
+        loop_var: __nm_cloud_setup_disable_item
+      loop:
+        - systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
+        - systemctl stop nm-cloud-setup.service nm-cloud-setup.timer
+        - ip rule del prio 30400
+        - rm -rf /etc/systemd/system/nm-cloud-setup.service.d
+      ansible.builtin.command: "{{ __nm_cloud_setup_disable_item }}"
+
+    - name: Ensure NetworkManager is running to maintain DHCP
+      ansible.builtin.service:
+        name: NetworkManager
+        state: restarted

roles/infrastructure/krb5_common/defaults/main.yml

@@ -28,6 +28,8 @@ ipadm_password: "{{ cloudera_manager_admin_password }}"
 ipa_admin_user: admin
 ipaadmin_password: "{{ cloudera_manager_admin_password }}"
 
+ipa_admins_group: admins
+
 ipa_ldap_dc_suffix: "{% for i in krb5_realm.split('.') %}dc={{ i | lower }}{% if not loop.last %},{% endif %}{% endfor %}"
 ipa_ldap_user_bind_dn: "uid=admin,cn=users,cn=accounts,{{ ipa_ldap_dc_suffix }}"
 ipa_ldap_user_bind_password: "{{ cloudera_manager_admin_password }}"

roles/infrastructure/krb5_server/tasks/freeipa.yml

@@ -17,6 +17,14 @@
   include_tasks:
     file: fix_freeipa_collection.yml
 
+- name: Disable SELinux to allow FreeIPA server setup on Rhel8
+  when:
+    - ansible_distribution_major_version | int >= 8
+  selinux:
+    policy: targeted
+    state: permissive
+  ignore_errors: yes
+
 - name: Setup FreeIPA Server
   ansible.builtin.include_role:
     name: freeipa.ansible_freeipa.ipaserver
@@ -28,8 +36,35 @@
     ipaserver_setup_dns: "{{ freeipa_autodns | default(omit) }}"
     ipaserver_auto_forwarders: "{{ freeipa_autodns | default(omit) }}"
 
+- name: Ensure FreeIPA Superuser if required
+  when:
+    - freeipa_superuser is defined
+    - freeipa_superuser | length > 0
+  block:
+    - name: Create Superuser if not present
+      community.general.ipa_user:
+        name: "{{ freeipa_superuser }}"
+        givenname: "{{ freeipa_superuser_gn | default('Cloudera') }}"
+        sn: "{{ freeipa_superuser_sn | default('Labs') }}"
+        password: "{{ freeipa_superuser_pw | default(cloudera_manager_admin_password) }}"
+        update_password: on_create
+        ipa_host: "{{ groups.krb5_server | first }}"
+        ipa_pass: "{{ ipaadmin_password }}"
+        ipa_user: "{{ ipa_admin_user }}"
+
+    - name: Ensure Superuser is added to admins group
+      community.general.ipa_group:
+        name: "{{ ipa_admins_group }}"
+        user:
+          - "{{ freeipa_superuser }}"
+        append: true
+        ipa_host: "{{ groups.krb5_server | first }}"
+        ipa_pass: "{{ ipaadmin_password }}"
+        ipa_user: "{{ ipa_admin_user }}"
+
 - name: Create FreeIPA DNS records for PVC ECS
   when:
+    - pvc_type is defined and freeipa_autodns is defined
     - pvc_type == 'ECS' | default(false)
     - freeipa_autodns | default(false)
   block:
@@ -50,13 +85,15 @@
       community.general.ipa_dnszone:
         ipa_host: "{{ groups.krb5_server | first }}"
         ipa_pass: "{{ ipaadmin_password }}"
+        ipa_user: "{{ ipa_admin_user }}"
         state: present
         zone_name: "apps.{{ krb5_realm | lower }}"
 
     - name: Ensure wildcard record is prepared for PvC ECS
       community.general.ipa_dnsrecord:
         ipa_host: "{{ groups.krb5_server | first }}"
         ipa_pass: "{{ ipaadmin_password }}"
+        ipa_user: "{{ ipa_admin_user }}"
         state: present
         zone_name: "{{ __dns_record_item }}"
         record_name: "*"