a whole bunch of updates to make ansible work correctly for my test cluster

d7363d4f · Chris Hines · 0af09735 · d7363d4f · d7363d4f · d7363d4f
Commit d7363d4f authored 10 years ago by Chris Hines
--- a/dynamicInventory
+++ b/dynamicInventory
@@ -175,7 +175,8 @@ class OpenStackConnection:
 		for server in nc.servers.list():
                        if server.id in instance_ids:
                            if server.metadata and 'ansible_host_group' in server.metadata:
-                                    hostname = socket.gethostbyaddr(server.networks.values()[0][0])[0]
+                                    #hostname = socket.gethostbyaddr(server.networks.values()[0][0])[0]
+                                    hostname = server.name
                                    # Set Ansible Host Group
                                    if server.metadata['ansible_host_group'] in inventory:
                                            inventory[server.metadata['ansible_host_group']].append(hostname)
@@ -183,6 +184,8 @@ class OpenStackConnection:
                                            inventory[server.metadata['ansible_host_group']] = [hostname]
                                    # Set the other host variables
                                    inventory['_meta']['hostvars'][hostname] = {}
+                                    inventory['_meta']['hostvars'][hostname]['ansible_ssh_host'] = server.networks.values()[0][0]
+                                    inventory['_meta']['hostvars'][hostname]['ansible_remote_tmp'] = '/tmp/ansible'
                                    for key in server.metadata.keys():
                                        if 'ansible_ssh' in key:
                                            inventory['_meta']['hostvars'][hostname][key] = server.metadata[key]

--- a/roles/dump_ldap_config/tasks/main.yml
+++ b/roles/dump_ldap_config/tasks/main.yml
+---
+- name: grab cacert
+  shell: cat /etc/openldap/certs/cacert.pem
+  register: ldapCaCertContents
+
+- name: dump vars
+  template: src=ldapConfig.j2 dest=/tmp/ldapConfig.out
+
+- name: fetch vars
+  fetch: src=/tmp/ldapConfig.out dest=/tmp/ldapConfig.out flat=yes
+
--- a/roles/dump_ldap_config/templates/ldapConfig.j2
+++ b/roles/dump_ldap_config/templates/ldapConfig.j2
+---
+ldapServerHostIpLine: "{{ ansible_eth0.ipv4.address }} {{ ansible_fqdn }}"
+ldapCaCertContents: |
+{% for l in  ldapCaCertContents.stdout_lines %}
+  {{ l }}
+{% endfor %}
+ldapCaCertFile: /etc/ssl/certs/cacert.crt
+ldapDomain: "{{ ldapDomain }}"
+ldapURI: "ldaps://{{ ansible_fqdn }}:636"
+ldapBindDN: "{{ ldapBindDN }}"
+ldapBindDNPassword: "{{ ldapBindDNPassword }}"
+ldapBase: "{{ ldapBase }}"
+ldapGroupBase: "{{ ldapGroupBase }}"
+ldapRfc2307Pam: ""
+ldap_access_filter: "(objectClass=posixAccount)"
--- a/roles/easy-rsa-certificate/tasks/buildCert.yml
+++ b/roles/easy-rsa-certificate/tasks/buildCert.yml
@@ -2,6 +2,7 @@
 - name: "Check client ca certificate"
  register: ca_cert
  stat: "path={{ x509_cacert_file }}"
+  sudo: true

 - name: "Check certificate and key"
  shell: (openssl x509 -noout -modulus -in {{ x509_cert_file }}  | openssl md5 ; openssl rsa -noout -modulus -in {{ x509_key_file }} | openssl md5) | uniq | wc -l
@@ -46,7 +47,7 @@
  when: needcert

 - name: "Creating CSR"
-  shell: " cd /etc/easy-rsa/2.0; . ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA\"/pkitool --csr {{ x509_csr_args }} {{ x509_common_name }}"
+  shell: "cd /etc/easy-rsa/2.0; . ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA\"/pkitool --csr {{ x509_csr_args }} {{ x509_common_name }}"
  when: needcert
  sudo: true


--- a/roles/easy-rsa-common/tasks/installEasyRsa.yml
+++ b/roles/easy-rsa-common/tasks/installEasyRsa.yml
@@ -6,7 +6,7 @@
  when: ansible_os_family == 'RedHat'
 - 
  name: "Installing easy-rsa"
-  apt: "name=openvpn state=present"
+  apt: "name=openvpn state=present update_cache=yes"
  sudo: True
  when: ansible_os_family == 'Debian'
 - 

--- a/roles/easy-rsa-common/tasks/main.yml
+++ b/roles/easy-rsa-common/tasks/main.yml
@@ -3,6 +3,3 @@
  include: installEasyRsa.yml
 -
  include: copyConfigurationFile.yml
-
-  include: yumList.yml
-
--- a/roles/karaage2.7/meta/main.yml
+++ b/roles/karaage2.7/meta/main.yml
 ---
 dependencies:
-    - { role: easy-rsa-certificate, x509_csr_args: "--server" }
+    - { role: easy-rsa-certificate, x509_csr_args: "", x509_sign_args: "--server", x509_cacert_file: "/etc/ssl/certs/ca.crt", x509_key_file: "/etc/ssl/private/server.key", x509_cert_file: "/etc/ssl/certs/server.crt", x509_common_name: "{{ ansible_fqdn }}" }
--- a/roles/karaage2.7/tasks/main.yml
+++ b/roles/karaage2.7/tasks/main.yml
 ---
- include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
+- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"

 - name: install system packages apt
  apt: name={{ item }} state=installed update_cache=true

--- a/roles/ldapserver/meta/main.yml
+++ b/roles/ldapserver/meta/main.yml
 ---
 dependencies:
-  - { role: easy-rsa-certificate, x509_csr_args: "--server" }
+    - { role: easy-rsa-certificate, x509_csr_args: "", x509_sign_args: "--server", x509_cacert_file: "/etc/ssl/certs/ca.crt", x509_key_file: "/etc/ssl/private/server.key", x509_cert_file: "/etc/ssl/certs/server.crt", x509_common_name: "{{ ansible_fqdn }}" }
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
 ---

- include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
+- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"

 - name: install system packages apt
  apt: name={{ item }} state=installed update_cache=true

--- a/roles/nfs-client/tasks/mountFileSystem.yml
+++ b/roles/nfs-client/tasks/mountFileSystem.yml
@@ -4,10 +4,41 @@
 #  with_items: exportList
 #  register: result 
  
+- name: "stop fail2ban"
+  service: name=fail2ban state=stopped
+  sudo: true
+
+- name: restart idmap 
+  service: name={{ item }} state=restarted
+  with_items:
+    - rpcbind
+    - rpcidmapd
+  sudo: true
+
 - name: "Mounting NFS mounts"
-  mount: name={{ item.name }} src={{ hostvars[nfs_server]['ansible_'+item.interface]['ipv4']['address'] }}:{{ item.src }} fstype={{ item.fstype }} opts={{ item.opts }} state=mounted
+  mount: name={{ item.src }} src={{ item.ipv4 }}:{{ item.name }} fstype={{ item.fstype }} opts={{ item.opts }} state=mounted
  with_items: exportList 
  notify: "restart authentication"
  notify: "restart idmap"
  sudo: true 
+  ignore_errors: true
+  register: firstMount
  when: exportList is defined 
+
+- name: "Wait for nfs to stabailse"
+  command: sleep 60
+  delegate_to: 127.0.0.1
+  when: firstMount | failed
+
+- name: "Mounting NFS mounts"
+  mount: name={{ item.src }} src={{ item.ipv4 }}:{{ item.name }} fstype={{ item.fstype }} opts={{ item.opts }} state=mounted
+  with_items: exportList 
+  notify: "restart authentication"
+  notify: "restart idmap"
+  sudo: true 
+  when: exportList is defined and firstMount | failed
+
+- name: "restart fail2ban"
+  service: name=fail2ban state=started
+  sudo: true
+
--- a/roles/nfs-server/tasks/main.yml
+++ b/roles/nfs-server/tasks/main.yml
 ---
 - include: mkFilesystem.yml 
- include: fileSymbolicLink.yml
 - include: startServer.yml
--- a/roles/openLdapClient/tasks/configLdapClient.yml
+++ b/roles/openLdapClient/tasks/configLdapClient.yml
@@ -6,22 +6,41 @@
    - nsswitch.conf
  sudo: true

+- name: "get cert dir"
+  shell: "dirname {{ ldapCaCertFile }}"
+  delegate_to: localhost
+  run_once: true
+  register: ldapCaCertDir
+
+- name: "make basedir"
+  file: path={{ ldapCaCertDir.stdout }} state=directory owner=root
+  sudo: true
+
 - name: "Copy the CA cert"
  copy: src={{ ldapCaCertSrc }} dest={{ ldapCaCertFile }} owner=root mode=644
  sudo: true
  when: ldapCaCertSrc is defined

+- name: "Template CA cert"
+  template: src=ldapCaCert.j2 dest={{ ldapCaCertFile }} owner=root mode=644
+  sudo: true
+  when: ldapCaCertContents is defined
+
+- name: "Copy pam config to ldap client"
+  template: src=system-auth-ac.j2 dest=/etc/pam.d/system-auth
+  sudo: true
+
 - name: "Copy pam config to ldap client"
-  template: src=system-auth-ac.j2 dest=/etc/pam.d/system-auth-ac
+  template: src=password-auth.j2 dest=/etc/pam.d/password-auth
  sudo: true

 - name: "Copy system auth to ldap client"
  template: src=authconfig.j2 dest=/etc/sysconfig/authconfig
  sudo: true

- name: "Copy ldap.conf file "
-  template: src=ldap.conf.j2 dest=/etc/openldap/ldap.conf
-  sudo: true
+#- name: "Copy ldap.conf file "
+#  template: src=ldap.conf.j2 dest=/etc/openldap/ldap.conf
+#  sudo: true

 - name: "Add LDAP server IP address to /etc/hosts"
  lineinfile: dest=/etc/hosts line="{{ ldapServerHostIpLine }}" state=present insertafter=EOF
@@ -33,4 +52,8 @@
  sudo: true
  notify: restart sssd

+- name: "start sssd"
+  service: name=sssd state=started
+  sudo: true
+

--- a/roles/openLdapClient/tasks/installOpenLdap.yml
+++ b/roles/openLdapClient/tasks/installOpenLdap.yml
@@ -2,15 +2,15 @@
 - name: "Install open ldap package yum"
  action: yum pkg={{ item }} state=installed 
  with_items:
-    - openldap
-    - openldap-clients
+      #    - openldap
+      #    - openldap-clients
    - sssd
    - sssd-common
    - sssd-client
    - nss
    - nss-tools
-    - nss-pam-ldapd
-    - pam_ldap
+      #    - nss-pam-ldapd
+      #    - pam_ldap
  sudo: true
  when: ansible_os_family == 'RedHat'


--- a/roles/openLdapClient/templates/authconfig.j2
+++ b/roles/openLdapClient/templates/authconfig.j2
@@ -2,7 +2,7 @@ IPADOMAINJOINED=no
 USEMKHOMEDIR=no
 USEPAMACCESS=no
 CACHECREDENTIALS=yes
-USESSSDAUTH=no
+USESSSDAUTH=yes
 USESHADOW=yes
 USEWINBIND=no
 USEDB=no
@@ -10,7 +10,7 @@ FORCELEGACY=no
 USEFPRINTD=yes
 FORCESMARTCARD=no
 PASSWDALGORITHM=sha512
-USELDAPAUTH=yes
+USELDAPAUTH=no
 USEPASSWDQC=no
 IPAV2NONTP=no
 USELOCAUTHORIZE=yes
@@ -18,9 +18,9 @@ USECRACKLIB=yes
 USEIPAV2=no
 USEWINBINDAUTH=no
 USESMARTCARD=no
-USELDAP=yes
+USELDAP=no
 USENIS=no
 USEKERBEROS=no
 USESYSNETAUTH=no
-USESSSD=no
+USESSSD=yes
 USEHESIOD=no
--- a/roles/openLdapClient/templates/ldapCaCert.j2
+++ b/roles/openLdapClient/templates/ldapCaCert.j2
+{{ ldapCaCertContents }}
--- a/roles/openLdapClient/templates/password-auth.j2
+++ b/roles/openLdapClient/templates/password-auth.j2
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so nullok try_first_pass
+auth        requisite     pam_succeed_if.so uid >= 500 quiet
+auth        sufficient    pam_sss.so use_first_pass
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+account     required      pam_permit.so
+
+password    requisite     pam_cracklib.so try_first_pass retry=3
+password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
+password    sufficient    pam_sss.so use_authtok
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
+session     optional      pam_sss.so
+
--- a/roles/openLdapClient/templates/sssd.j2
+++ b/roles/openLdapClient/templates/sssd.j2
@@ -27,6 +27,7 @@ ldap_tls_cacert = {{ ldapCaCertFile }}
 ldap_default_bind_dn = {{ ldapBindDN }} 
 ldap_default_authtok_type = password
 ldap_default_authtok = {{ ldapBindDNPassword }} 
+ldap_access_filter = {{ ldap_access_filter }}

 {{ ldapRfc2307 }}


--- a/roles/openLdapClient/templates/system-auth-ac.j2
+++ b/roles/openLdapClient/templates/system-auth-ac.j2
@@ -4,21 +4,21 @@
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
-auth        sufficient    pam_ldap.so use_first_pass
+auth        sufficient    pam_sss.so use_first_pass
 auth        required      pam_deny.so

 account     required      pam_unix.so broken_shadow
 account     sufficient    pam_succeed_if.so uid < 500 quiet
-account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required      pam_permit.so

 password    requisite     pam_cracklib.so try_first_pass retry=3
 password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
-password    sufficient    pam_ldap.so use_authtok
+password    sufficient    pam_sss.so use_authtok
 password    required      pam_deny.so

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
-session     optional      pam_ldap.so
+session     optional      pam_sss.so
--- a/roles/slurm/tasks/main.yml
+++ b/roles/slurm/tasks/main.yml
@@ -16,11 +16,11 @@
  sudo: true

 - name: create slurm group
-  group: name=slurm
+  group: name=slurm system=yes
  sudo: true

 - name: create slurm user
-  user: name=slurm group=slurm
+  user: name=slurm group=slurm system=yes
  sudo: true

 - name: install slurm rpms