From df922b3d27f6a7d33089b61ba69bd05262f801a9 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Sun, 4 Dec 2016 01:20:55 +0000
Subject: [PATCH 01/11] enable kerb for buildarm
---
 inventory/group_vars/buildarm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inventory/group_vars/buildarm b/inventory/group_vars/buildarm
index a301a99860..58fa54060f 100644
--- a/inventory/group_vars/buildarm
+++ b/inventory/group_vars/buildarm
@@ -3,7 +3,7 @@ fas_client_groups: sysadmin-releng
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 ansible_ifcfg_blacklist: true
-krb_builder: False
+krb_builder: True
 koji_server_url: "http://koji.fedoraproject.org/kojihub"
 koji_weburl: "http:/koji.fedoraproject.org/koji"
From df6cb63cd2dfa28c68a002081ffd9f37308f8517 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 4 Dec 2016 02:00:16 +0000
Subject: [PATCH 02/11] Allow using of the IPA API
Signed-off-by: Patrick Uiterwijk
---
 playbooks/include/proxies-reverseproxy.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index 558f5f4146..a45c74d3c8 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -174,6 +174,14 @@
 proxyurl: http://localhost:10053
 when: env == "staging"
+ - role: httpd/reverseproxy
+ website: id.stg.fedoraproject.org
+ destname: 00-ipa
+ remotepath: /ipa
+ localpath: /ipa
+ proxyurl: http://localhost:10053
+ when: env == "staging"
+ - role: httpd/reverseproxy
+ website: id.fedoraproject.org
+ destname: id
@@ -188,6 +196,14 @@
 proxyurl: http://localhost:10053
 when: env != "staging"
+ - role: httpd/reverseproxy
+ website: id.fedoraproject.org
+ destname: 00-ipa
+ remotepath: /ipa
+ localpath: /ipa
+ proxyurl: http://localhost:10053
+ when: env != "staging"
+ - role: httpd/reverseproxy
+ website: apps.fedoraproject.org
+ destname: datagrepper
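Review bot: `krb_builder: True` uses the capitalised YAML 1.1 boolean spelling while the neighbouring context line `ansible_ifcfg_blacklist: true` uses the lowercase form; `krb_builder: true` keeps the file consistent and is the spelling every YAML 1.1 and 1.2 loader agrees on. The context line `koji_weburl: "http:/koji.fedoraproject.org/koji"` is missing the second slash after `http:`; that defect is pre-existing rather than introduced here, but since this commit turns the builder's Kerberos path on it is worth fixing in a follow-up so the builders are not handed a malformed URL.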
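Review bot: The two `00-ipa` stanzas in this hunk and in the `@@ -188` hunk are identical except for `website` and `when`; `env_suffix` is already relied on for the keytab path later in this series, so a single entry with `website: "id{{ env_suffix }}.fedoraproject.org"` and no `when` would stop the two copies drifting apart (assuming `env_suffix` is empty in production, which the later keytab path implies but this page does not show). Proxying `remotepath: /ipa` publishes the whole IPA web tree, UI and API alike, under the public `id.*` name; if only the API is needed by the consumer this is for, narrowing `remotepath`/`localpath` to the sub-paths actually used limits what is reachable from outside, and a comment naming that consumer would record why the stanza exists. The hop to `proxyurl: http://localhost:10053` is plaintext but loopback-only, with haproxy re-encrypting to the IPA servers under `ssl verify required`, so that part is fine as long as it stays on localhost.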
From 55d73ac4640ffacede657000af15f94f249f55ee Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 4 Dec 2016 02:47:40 +0000
Subject: [PATCH 03/11] Use IPA UI for checking
Signed-off-by: Patrick Uiterwijk
---
 roles/haproxy/templates/haproxy.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index 772859b6b6..56c88afa1f 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -332,7 +332,7 @@ listen ipa 0.0.0.0:10053
 {% if env != "staging" %}
 server ipa02 ipa02:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem
 {% endif %}
- option httpchk GET /
+ option httpchk GET /ipa/ui/
 listen krb5 0.0.0.0:1088
 mode tcp
From 9b53f51f0e68349eea2e3905d2b9286a037d9c16 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 4 Dec 2016 02:49:47 +0000
Subject: [PATCH 04/11] Disable rewrites on ipa servers
Signed-off-by: Patrick Uiterwijk
---
 roles/ipa/server/files/ipa-rewrite.conf | 1 +
 roles/ipa/server/tasks/main.yml | 8 ++++++++
 2 files changed, 9 insertions(+)
 create mode 100644 roles/ipa/server/files/ipa-rewrite.conf
diff --git a/roles/ipa/server/files/ipa-rewrite.conf b/roles/ipa/server/files/ipa-rewrite.conf
new file mode 100644
index 0000000000..12722ee807
--- /dev/null
+++ b/roles/ipa/server/files/ipa-rewrite.conf
@@ -0,0 +1 @@
+# VERSION 6 - DO NOT REMOVE THIS LINE
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index 87cdaf05fa..fa89da9813 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
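Review bot: `option httpchk GET /ipa/ui/` is sent by haproxy as a bare HTTP/1.0 request with no Host header, and any 2xx or 3xx counts as healthy; if Apache on the IPA servers answers a host-less request for that path with a redirect to its canonical name (which is presumably what the stock rewrite rules do and why the next commit removes them), a backend whose IPA application is actually down can still pass the check. Pinning the request and the expected status makes the check meaningful regardless of rewrite configuration, e.g. `option httpchk GET /ipa/ui/ HTTP/1.1\r\nHost:\ <ipa-server-fqdn>` followed by `http-check expect status 200` (hostname is a placeholder). The `listen ipa` section begins outside the hunk, so the `ipa01` server line and its check options are not visible here.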
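Review bot: The new ipa-rewrite.conf consists solely of `# VERSION 6 - DO NOT REMOVE THIS LINE`, and nothing explains why an otherwise empty file is shipped; a reader has to guess that the marker is what keeps the IPA upgrade tooling from regenerating the file (presumably, since that is what such version markers are for — confirm against the installed IPA's expected value). Add a comment under the marker stating that the stock rewrite rules are deliberately removed so that requests arriving via the `id.*` reverse proxy from the previous commit are not redirected to the server's canonical hostname, and which IPA version `VERSION 6` was copied from. Since the stock file is, as far as I know, also where the plain-HTTP-to-HTTPS redirect lives, the same comment should say whether dropping that redirect is intended or whether it is enforced elsewhere.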
@@ -121,6 +121,14 @@
 - config
 when: not inventory_hostname.startswith("ipa01") and not replication_status.stat.exists
+- name: Disable rewrites
+ copy: src=ipa-rewrite.conf dest=/etc/httpd/conf.d/ipa-rewrite.conf
+ notify:
+ - reload httpd
+ tags:
+ - ipa/server
+ - config
+ - name: Deploy configuration script
 copy: src=configure-ipa.sh dest=/root/configure-ipa.sh mode=0700 owner=root group=root
 register: config_deployed
From dc64c85788aa37f7fdcd425c0e5101a320f883b7 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 4 Dec 2016 02:54:13 +0000
Subject: [PATCH 05/11] Give ipa keytab for id.fp.o
Signed-off-by: Patrick Uiterwijk
---
 playbooks/groups/ipa.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/playbooks/groups/ipa.yml b/playbooks/groups/ipa.yml
index a1d30e30f7..21491091b8 100644
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
@@ -42,6 +42,18 @@
 roles:
 - ipa/server
+ - role: keytab/service
+ owner_user: apache
+ owner_group: apache
+ service: HTTP
+ host: "id.stg.fedoraproject.org"
+ when: env == "staging"
+ - role: keytab/service
+ owner_user: apache
+ owner_group: apache
+ service: HTTP
+ host: "id.fedoraproject.org"
+ when: env == "production"
 handlers:
 - include: "{{ handlers }}/restart_services.yml"
From 78c5d59d7430e1eb84adfea0c8ebc8799b791526 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 4 Dec 2016 03:02:21 +0000
Subject: [PATCH 06/11] Use id.fp.o keytab
Signed-off-by: Patrick Uiterwijk
---
 playbooks/groups/ipa.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/playbooks/groups/ipa.yml b/playbooks/groups/ipa.yml
index 21491091b8..4ee394d291 100644
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
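Review bot: The `Disable rewrites` copy task sets no `owner`, `group` or `mode` for `/etc/httpd/conf.d/ipa-rewrite.conf`, unlike the `Deploy configuration script` task right below it, so the resulting permissions depend on defaults rather than being pinned; `copy: src=ipa-rewrite.conf dest=/etc/httpd/conf.d/ipa-rewrite.conf mode=0644 owner=root group=root` states them. The task also silently replaces a file that IPA itself installs and manages, so a comment above it saying that this is deliberate, and that the marker inside the file is what stops the IPA upgrade tooling from putting the rewrites back (hedged — confirm), would save the next person from "fixing" it. Mirroring the surrounding tasks, block-style module arguments rather than the `key=value` string would also read more clearly, though that is style only.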
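Review bot: The production keytab entry is gated on `when: env == "production"` whereas the reverse-proxy stanzas earlier in this series gate production on `env != "staging"`; if `env` ever carries a third value the proxy is still configured but no keytab is requested, so one form should be used throughout. The two `keytab/service` entries differ only in `host` and `when`, and `host: "id{{ env_suffix }}.fedoraproject.org"` would fold them into one, assuming `env_suffix` is empty in production as the keytab filename in the next commit suggests. A short comment saying that this is the HTTP principal for the public `id.*` name clients reach through the proxy, separate from the server's own `HTTP/<fqdn>` key, would make the purpose of the `apache`-owned keytab obvious.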
@@ -55,6 +55,16 @@
 host: "id.fedoraproject.org"
 when: env == "production"
+ tasks:
+ - name: Make symlink for keytab
+ file: state=link path=/etc/httpd/conf/ipa.keytab
+ src="/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab"
+ notify:
+ - reload httpd
+ tags:
+ - ipa/server
+ - krb5
+ handlers:
 - include: "{{ handlers }}/restart_services.yml"
From fcb723e401c80de05bfc44575ce0760eaea758c5 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 4 Dec 2016 03:04:39 +0000
Subject: [PATCH 07/11] We overwrite the existing file
Signed-off-by: Patrick Uiterwijk
---
 playbooks/groups/ipa.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/groups/ipa.yml b/playbooks/groups/ipa.yml
index 4ee394d291..63a71ccc79 100644
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
@@ -57,7 +57,7 @@
 tasks:
 - name: Make symlink for keytab
- file: state=link path=/etc/httpd/conf/ipa.keytab
+ file: state=link path=/etc/httpd/conf/ipa.keytab force=yes
 src="/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab"
 notify:
 - reload httpd
From d2f89d192af6bb7f26374e730b302f9bb996f230 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 4 Dec 2016 03:06:31 +0000
Subject: [PATCH 08/11] Use proxy for fas sync
Signed-off-by: Patrick Uiterwijk
---
 roles/fas_server/templates/fas.cfg.j2 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2
index 7ce14dfc2a..752d30522e 100644
--- a/roles/fas_server/templates/fas.cfg.j2
+++ b/roles/fas_server/templates/fas.cfg.j2
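Review bot: Pointing `/etc/httpd/conf/ipa.keytab` at the `HTTP_id{{env_suffix}}` keytab replaces the keytab IPA's Apache uses for GSSAPI with one that, as far as this series shows, holds only the `id.*` principal; the server's own `HTTP/<server fqdn>` key then disappears from httpd's view, so Kerberos authentication against the server's real name, and anything IPA does internally with that keytab, would stop working — confirm that, or merge the new key into the existing keytab rather than swapping the file. The `file: state=link path=...` line is a plain scalar that silently continues onto the indented `src="..."` line on the next line; it parses, but it is the accidental-multi-line trap and block-style arguments would state the intent. `notify: - reload httpd` depends on a handler from `restart_services.yml`, which is outside this hunk.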
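Review bot: `force=yes` overwrites the keytab IPA installed at `/etc/httpd/conf/ipa.keytab` and keeps no copy of it, and that file holds key material this playbook cannot regenerate; a preceding step should preserve it (the `file` module has no `backup` option, so a `copy` with `remote_src` to a `.orig` name, or a `stat`-guarded rename, is needed), or the original should be left in place and httpd pointed at the new keytab through its own configuration. While here, the `key=value` string plus indented continuation is fragile YAML; the block form below says the same thing unambiguously and keeps `force` visible as a real boolean.

```yaml
    - name: Make symlink for keytab
      file:
        state: link
        path: /etc/httpd/conf/ipa.keytab
        src: "/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab"
        force: true
      # … unchanged: notify / tags …
```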
@@ -62,13 +62,14 @@ tgcaptcha2.jpeg_generator = 'vanasco_dowty'
 ###
 ipa_sync_enabled = True
 ipa_sync_keytab = '/etc/fas_sync_keytab'
-ipa_sync_certfile = '/etc/fas_sync_cert.pem'
 {% if env == "staging" %}
 ipa_sync_principal = 'fas_sync@STG.FEDORAPROJECT.ORG'
-ipa_sync_server = 'ipa01.stg.phx2.fedoraproject.org'
+ipa_sync_server = 'id.stg.phx2.fedoraproject.org'
+ipa_sync_certfile = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'
 {% else %}
 ipa_sync_principal = 'fas_sync@FEDORAPROJECT.ORG'
 ipa_sync_server = 'ipa01.phx2.fedoraproject.org'
+ipa_sync_certfile = '/etc/fas_sync_cert.pem'
 {% endif %}
 ###
From f62f5633fd9d4eeb21a4762432f36bda78a69166 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 4 Dec 2016 03:11:42 +0000
Subject: [PATCH 09/11] Only do this in staging for now
Signed-off-by: Patrick Uiterwijk
---
 playbooks/groups/ipa.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/playbooks/groups/ipa.yml b/playbooks/groups/ipa.yml
index 63a71ccc79..15bf106502 100644
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
@@ -64,6 +64,7 @@
 tags:
 - ipa/server
 - krb5
+ when: env == "staging"
 handlers:
 - include: "{{ handlers }}/restart_services.yml"
From 793fe47fecad9cc5b058d3a98e9a2aea8b9daa05 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 4 Dec 2016 03:12:45 +0000
Subject: [PATCH 10/11] No canonicalization or rdns
Signed-off-by: Patrick Uiterwijk
---
 roles/base/templates/krb5.conf.master.j2 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/base/templates/krb5.conf.master.j2 b/roles/base/templates/krb5.conf.master.j2
index a6d5219bd8..fe0f84ee45 100644
--- a/roles/base/templates/krb5.conf.master.j2
+++ b/roles/base/templates/krb5.conf.master.j2
@@ -12,6 +12,8 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
 default_realm = STG.FEDORAPROJECT.ORG
 {% endif %}
 dns_lookup_realm = false
+ dns_canonicalize_hostname = false
+ rdns = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
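Review bot: In staging the sync now validates the server certificate against the whole system bundle, `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, while production keeps the dedicated `/etc/fas_sync_cert.pem`; if that file pins the IPA CA, this widens trust for a connection carrying account data from one CA to every CA in the bundle, so a comment on the staging line should record why the pin was dropped (presumably because the proxy now fronts `id.stg` with a publicly issued certificate). The new `ipa_sync_server = 'id.stg.phx2.fedoraproject.org'` also uses a different name from the `id.stg.fedoraproject.org` that the proxy and keytab commits in this series use; with `dns_canonicalize_hostname = false` as set two commits later, the client asks for the HTTP principal of exactly the name it is given, so the two must agree or the keytab created for `id.stg.fedoraproject.org` is not the one that ends up serving this request — confirm which name the proxy answers to. Keeping one `ipa_sync_certfile` per branch is fine, but a one-line comment in each branch naming what that file trusts would help the next reader.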
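Review bot: With this `when: env == "staging"` the keytab symlink is staging-only, but the `keytab/service` entry added earlier in this series under `when: env == "production"` still requests and places the HTTP keytab for `id.fedoraproject.org` on production hosts, where nothing now references it. Either gate that role entry on staging as well for now, or add a comment saying that the production keytab is intentionally provisioned ahead of the switch-over so the mismatch does not look like an oversight.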
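Review bot: `dns_canonicalize_hostname = false` and `rdns = false` land in the `[libdefaults]` section of the base krb5.conf template, so they apply to every host built from `roles/base`, not only to the IPA and id hosts this series is about; that is the safer setting, because the client no longer lets forward or reverse DNS decide which service principal it requests, but any host that reaches a Kerberised service through a CNAME will now need a ticket for the literal name it uses. A comment above the two lines, e.g. `# ask for the principal of the name we were given (HTTP/id.*), never the backend's canonical name`, would keep a later cleanup from removing them as redundant with `dns_lookup_kdc = false`.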
From 1652f6776cdf605b461c96bf2df5dab5db3760d0 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 4 Dec 2016 03:13:26 +0000
Subject: [PATCH 11/11] Only apply on stg for now
Signed-off-by: Patrick Uiterwijk
---
 roles/base/templates/krb5.conf.master.j2 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/roles/base/templates/krb5.conf.master.j2 b/roles/base/templates/krb5.conf.master.j2
index fe0f84ee45..65f022748e 100644
--- a/roles/base/templates/krb5.conf.master.j2
+++ b/roles/base/templates/krb5.conf.master.j2
@@ -12,12 +12,14 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
 default_realm = STG.FEDORAPROJECT.ORG
 {% endif %}
 dns_lookup_realm = false
- dns_canonicalize_hostname = false
- rdns = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
+{% if env == "staging"
+ dns_canonicalize_hostname = false
+ rdns = false
+{% endif %}
 [realms]
 {% if env == "production" %}
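Review bot: The added `{% if env == "staging"` line has no closing `%}`, so Jinja cannot render this template and the base role fails for every host, not just staging; it needs to be `{% if env == "staging" %}` to pair with the `{% endif %}` that follows and match the `{% if env == "production" %}` two lines below. The page was collapsed from its original layout, so a lost `%}` is conceivable, but the neighbouring production tag survived intact on the same line, which makes an actual typo in the commit the more likely reading. A comment above the block saying why the DNS settings are staging-only for now would also help, since the previous commit's message is the only record of the intent.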