No better way to learn some more details of Ansible than to automate a task I need to do on a regular basis: ipa-server-install.
My first take at installing FreeIPA (ipa in CentOS) via Ansible is pretty simple: use the shell module and run it as an Ansible ad-hoc command:
ansible ipa -i ~/.ossipee/inventory.ini -m shell -u centos --sudo -a "ipa-server-install -U -r AYOUNG -p FreeIPA4All -a FreeIPA4All --setup-dns --forwarder 192.168.52.3"
The next attempt uses an Ansible playbook. Here is install_ipa.yml:
---
- hosts: ipa
  tasks:
    - command: ipa-server-install -U -r AYOUNG -p FreeIPA4All -a FreeIPA4All --setup-dns --forwarder 192.168.52.3
Executed with
ansible-playbook -i ~/.ossipee/inventory.ini -u centos --sudo install_ipa.yml
While this is acceptable for a development setup, I want to improve a few things.
- Hide the passwords used for the admin accounts.
- Calculate the Realm from the domain (mostly a to-upper hack using a variable for both)
- Read the resolver out of the existing resolv.conf
Just for completeness, I also did this as an Ansible module:
#!/usr/bin/python
import subprocess


def iparesolver():
    # Return the first nameserver listed in the host's resolv.conf
    for text in open("/etc/resolv.conf", "r"):
        words = text.split()
        if words and words[0] == "nameserver":
            return words[1]


def ipa_install_command():
    iparealm = "RDO.CLOUDLAB.FREEIPA.ORG"
    install_command = ["ipa-server-install", "-U", "-r", iparealm,
                       "-p", "FreeIPA4All",
                       "-a", "FreeIPA4All",
                       "--setup-dns", "--forwarder", iparesolver()]
    return install_command


# The installer's output goes straight to stdout rather than back to Ansible
# as a JSON result
subprocess.call(ipa_install_command())
Executed with
ansible ipa -i ~/.ossipee/inventory.ini -m ipa_server_install -M ./ansible -u centos --sudo
Ansible reports the run as a failure, apparently due to the volume of data returned, but IPA is actually installed successfully.
Hi Adam,
I tried your Ansible module and yes, I could see the failure it reports. But the failure is not due to the volume of data returned. I used AnsibleModule instead of subprocess and it did not report a failure.
#!/usr/bin/python
from ansible.module_utils.basic import AnsibleModule


def iparesolver():
    # Return the first nameserver listed in the host's resolv.conf
    for text in open("/etc/resolv.conf", "r"):
        words = text.split()
        if words and words[0] == "nameserver":
            return words[1]


def ipa_install_command(module):
    iparealm = "RDO.CLOUDLAB.FREEIPA.ORG"
    install_command = ["ipa-server-install", "-U", "-r", iparealm,
                       "-p", "FreeIPA4All",
                       "-a", "FreeIPA4All",
                       "--setup-dns", "--forwarder", iparesolver()]
    # run_command captures stdout/stderr so the module can hand them
    # back to Ansible as a JSON result instead of writing them to stdout
    rc, out, err = module.run_command(install_command)
    if rc == 0:
        module.exit_json(changed=True, output=out.split('\n'))
    else:
        module.fail_json(msg=err.split('\n'))


if __name__ == '__main__':
    module = AnsibleModule(
        argument_spec=dict(),
    )
    ipa_install_command(module)
– shanks
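As an added example (not Adam's code, not shanks's, and not part of FreeIPA or Ansible), here is how the three improvements listed in the post can be folded into the module shape shanks posted above: the two passwords become no_log module arguments instead of literals in the source, the realm is derived by upper-casing a domain argument, and the forwarder defaults to the first usable nameserver in /etc/resolv.conf. The module name ipa_server_install, the argument names, the redaction helper and the sample resolv.conf content are assumptions made for this example; the ipa-server-install flags are the ones the post already uses plus -n/--domain and --no-forwarders.

```python
#!/usr/bin/python
"""ipa_server_install: hypothetical Ansible module (added example).

Keeps the AnsibleModule/run_command shape of the module posted above and adds
the three improvements from the post: passwords are no_log arguments, the realm
is derived from the domain, and the forwarder defaults to /etc/resolv.conf.
The helpers carry no Ansible import so they can be exercised offline.
"""
import os
import re

RESOLV_CONF = "/etc/resolv.conf"
IPA_CONF = "/etc/ipa/default.conf"   # written by a successful ipa-server-install
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

# Constructed sample input for offline testing; not a real host's file.
SAMPLE_RESOLV_CONF = (
    "# constructed sample resolv.conf\n"
    "search rdo.cloudlab.freeipa.org\n"
    "nameserver 127.0.0.1\n"
    "nameserver 192.168.52.3 # lab resolver\n"
    "\n"
    "options timeout:1\n"
)


def parse_nameservers(text):
    """All 'nameserver' addresses in resolv.conf content, in file order.

    Comments (# or ;) and blank lines are skipped; other keywords such as
    'search' and 'options' are ignored.
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]
        words = line.split()
        if len(words) >= 2 and words[0] == "nameserver":
            servers.append(words[1])
    return servers


def pick_forwarder(text):
    """First non-loopback nameserver, or None.

    After --setup-dns, resolv.conf on the IPA host points at 127.0.0.1 (IPA's
    own named), which must never be handed back to IPA as a forwarder.
    """
    for ns in parse_nameservers(text):
        if not ns.startswith("127.") and ns != "::1":
            return ns
    return None


def realm_from_domain(domain):
    """IPA convention: realm = DNS domain upper-cased, without a trailing dot."""
    domain = domain.strip().rstrip(".")
    if not DOMAIN_RE.match(domain):
        raise ValueError("not a usable DNS domain: %r" % domain)
    return domain.upper()


def build_install_command(domain, dm_password, admin_password, forwarder):
    """argv for an unattended ipa-server-install with integrated DNS."""
    cmd = ["ipa-server-install", "-U",
           "-n", domain, "-r", realm_from_domain(domain),
           "-p", dm_password, "-a", admin_password,
           "--setup-dns"]
    if forwarder:
        cmd += ["--forwarder", forwarder]
    else:
        cmd.append("--no-forwarders")   # fall back to the root hints
    return cmd


def redact(cmd, secrets):
    """Copy of argv with each secret argument masked, for safe reporting."""
    return ["********" if arg in secrets else arg for arg in cmd]


def main():
    # Imported here so the helpers above stay importable without Ansible.
    from ansible.module_utils.basic import AnsibleModule
    module = AnsibleModule(
        argument_spec=dict(
            domain=dict(required=True),
            dm_password=dict(required=True, no_log=True),
            admin_password=dict(required=True, no_log=True),
            forwarder=dict(required=False, default=None),
        ),
        supports_check_mode=True,
    )
    p = module.params
    if os.path.exists(IPA_CONF):
        module.exit_json(changed=False, msg="IPA server already configured")
    forwarder = p["forwarder"]
    if forwarder is None:
        with open(RESOLV_CONF) as f:
            forwarder = pick_forwarder(f.read())
    try:
        cmd = build_install_command(p["domain"], p["dm_password"],
                                    p["admin_password"], forwarder)
    except ValueError as e:
        module.fail_json(msg=str(e))
    secrets = [p["dm_password"], p["admin_password"]]
    # Never echo the raw argv: the installer takes both passwords as plain
    # command-line arguments (visible in ps while it runs), and no_log only
    # protects the module's own arguments in Ansible's output.
    if module.check_mode:
        module.exit_json(changed=True, cmd=redact(cmd, secrets))
    rc, out, err = module.run_command(cmd)
    if rc != 0:
        module.fail_json(msg="ipa-server-install failed", rc=rc,
                         cmd=redact(cmd, secrets), stderr=err.splitlines())
    module.exit_json(changed=True, cmd=redact(cmd, secrets),
                     forwarder=forwarder, stdout=out.splitlines())


if __name__ == "__main__":
    main()
```

Invoked from a play as `ipa_server_install: domain=rdo.cloudlab.freeipa.org dm_password={{ dm_password }} admin_password={{ admin_password }}` with the two passwords kept in an Ansible Vault file, nothing secret lands in the playbook, the inventory or the module's returned JSON; the remaining exposure is the installer's own argv for the duration of the run, which the installer's command-line interface imposes and the module cannot remove.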
Have you thought about putting it into Ansible Galaxy? Could be useful for others.
Btw, there is a missing tag “freeipa” for that post – I missed it the first time I read your blog.
Hi Adam,
I am new to Ansible and FreeIPA and am looking for some help here!
This is my use case: I want to automatically register IPA clients (my EC2 instances) to my IPA server based on the EC2 tag value. Something like this: if the EC2 tag value is "eng-prod" then I want the IPA client to get registered under my "eng-prod" hostgroup. Would you have some idea how I can go about this? Any similar existing playbooks/modules would greatly help.
Thanks,
Dee
I did a proof of concept with this in mind a few years back;
http://adam.younglogic.com/2013/09/register-vm-freeipa/
It comes down to two choices. Either pre-create the Host in IPA and send an OTP to the instance at boot time, or pass the Admin password to the instance and allow it to autoregister.
I would recommend the first choice, for obvious reasons.
Thanks Adam
I am getting prompted for the admin password every time I run ipa-client-install in -U mode. How do I get rid of the password prompt? This is a demo setup so I don't mind using the admin password for now and will later change it to OTP based.