commit 969e1e0cccb4e05b0f6f7f4bbab38fb6bfc19594
Author: kwizart <kwizart(a)gmail.com>
Date: Wed Dec 18 15:27:13 2019 +0100
sync base
.../files/common-scripts/fix-ifcfg-mac-address.sh | 15 +++++
roles/base/files/common-scripts/nag-once | 15 +++--
roles/base/tasks/keytab.yml | 16 +++++
roles/base/tasks/main.yml | 65 ++++++++++++++++----
roles/base/tasks/postfix.yml | 8 ++-
5 files changed, 97 insertions(+), 22 deletions(-)
---
diff --git a/roles/base/files/common-scripts/fix-ifcfg-mac-address.sh
b/roles/base/files/common-scripts/fix-ifcfg-mac-address.sh
new file mode 100644
index 0000000..8dd5fd5
--- /dev/null
+++ b/roles/base/files/common-scripts/fix-ifcfg-mac-address.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+for iface in `ls /etc/sysconfig/network-scripts/ifcfg-* | sed 's/.*\-//g'`; do
+ # Ignore local interface
+ [[ "$iface" == "lo" ]] && continue
+
+ correct_mac="$(ip a show dev $iface | grep 'link/ether' | awk '{print
$2}')"
+ current_mac="$(grep HWADDR /etc/sysconfig/network-scripts/ifcfg-$iface | cut -d=
-f2 | sed 's/"//g')"
+
+ [[ "$correct_mac" == "$current_mac" ]] && continue
+
+ sed -i "s/$current_mac/$correct_mac/"
/etc/sysconfig/network-scripts/ifcfg-$iface
+done
+
+service network restart
+service NetworkManager restart
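Review bot: An ifcfg file whose interface no longer exists, or that has no HWADDR line, makes the sed on the `sed -i "s/$current_mac/$correct_mac/"` line run with an empty pattern or an empty replacement, so the HWADDR value is blanked or rewritten wrongly instead of being left alone; only the equal case is guarded. Both values should be checked for emptiness before the comparison, and the unconditional `service network restart` / `service NetworkManager restart` at the end drops connectivity on every run even when nothing was rewritten, so a change flag should gate them. The loop body and the restarts are the only parts touched below.
```bash
  # … unchanged: correct_mac / current_mac lookup …
  # Skip interfaces that are gone or have no HWADDR line: an empty value here
  # would blank or mis-rewrite the HWADDR entry.
  [[ -z "$correct_mac" || -z "$current_mac" ]] && continue
  [[ "$correct_mac" == "$current_mac" ]] && continue

  sed -i "s/$current_mac/$correct_mac/" "/etc/sysconfig/network-scripts/ifcfg-$iface"
  changed=1
done

# Only bounce networking when an ifcfg file was actually rewritten.
if [[ -n "$changed" ]]; then
  service network restart
  service NetworkManager restart
fi
```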
diff --git a/roles/base/files/common-scripts/nag-once
b/roles/base/files/common-scripts/nag-once
index 992023c..aef5999 100755
--- a/roles/base/files/common-scripts/nag-once
+++ b/roles/base/files/common-scripts/nag-once
@@ -7,6 +7,7 @@
# copyright (c) 2011 Red Hat, inc
# gpl v2 blah blah
# skvidal - skvidal(a)fedoraproject.org
+from __future__ import print_function
import tempfile
import sys
@@ -86,23 +87,23 @@ def main():
if theinput != old_output or (tti and now - old_date > tti):
if theinput.strip(): # if there is nothing here, don't output and
don't drop a \n on the end of it
- print theinput,
+ print(theinput,)
fo = open(mydir + '/output', 'w')
fo.write(theinput)
fo.flush()
fo.close()
- except Exception, e:
- print >> sys.stderr, e
- print >> sys.stderr, theinput
+ except Exception as e:
+ print(e, file=sys.stderr)
+ print(theinput, file=sys.stderr)
if __name__ == '__main__':
try:
main()
- except Exception, e:
- print >> sys.stderr, e
+ except Exception as e:
+ print(e, file=sys.stderr)
if not sys.stdin.isatty():
- print >> sys.stderr, sys.stdin.read()
+ print(sys.stdin.read(), file=sys.stderr)
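Review bot: `print(theinput,)` no longer suppresses the trailing newline that the comment above it promises to avoid: with `print_function` imported, the trailing comma is just a redundant argument separator, so a newline is appended on both Python 2 and 3 where the old `print theinput,` did not. The line should be `print(theinput, end='')` to keep the original output byte-for-byte. The rest of the `main()` body starts outside this hunk.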
diff --git a/roles/base/tasks/keytab.yml b/roles/base/tasks/keytab.yml
index a6f43cc..5d3ac00 100644
--- a/roles/base/tasks/keytab.yml
+++ b/roles/base/tasks/keytab.yml
@@ -9,6 +9,8 @@
- krb5
- name: Get admin keytab
+ vars:
+ ansible_python_interpreter: /usr/bin/python2
delegate_to: "{{ ipa_server }}"
shell: echo "{{ipa_admin_password}}" | kinit admin
tags:
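Review bot: The admin password on the `shell: echo "{{ipa_admin_password}}" | kinit admin` line is expanded into the `sh -c` argument string on the IPA server, so it is briefly visible in the process list there, and the task's output is echoed into Ansible logs unless the task is marked `no_log`; nothing in the hunk sets that. Add `no_log: true` next to the new `vars:` block, and consider feeding the password over stdin instead of the command string: `command: kinit admin` with `stdin: "{{ ipa_admin_password }}"`. The task's remaining keys continue outside the hunk, so a `no_log` there would not be visible here.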
@@ -18,6 +20,8 @@
when: not host_keytab_status.stat.exists
- name: Create host entry
+ vars:
+ ansible_python_interpreter: /usr/bin/python2
delegate_to: "{{ ipa_server }}"
command: ipa host-add {{inventory_hostname}}
register: host_add_result
@@ -30,6 +34,8 @@
when: not host_keytab_status.stat.exists
- name: Create additional host entries
+ vars:
+ ansible_python_interpreter: /usr/bin/python2
delegate_to: "{{ ipa_server }}"
command: ipa host-add {{item}}
with_items: "{{ additional_host_keytabs }}"
@@ -43,6 +49,8 @@
when: not host_keytab_status.stat.exists
- name: Generate host keytab
+ vars:
+ ansible_python_interpreter: /usr/bin/python2
delegate_to: "{{ ipa_server }}"
command: ipa-getkeytab -s {{ipa_server}} -p host/{{inventory_hostname}} -k
/tmp/{{inventory_hostname}}.kt
register: getkeytab_result
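Review bot: The keytab is written to a predictable, world-writable-directory path, `/tmp/{{inventory_hostname}}.kt`, on the shared IPA server; if another user on that host pre-creates or symlinks that name, the host key material may land in a file they can read. A per-run directory from the `tempfile` module (created 0700) or a root-only staging directory removes the guessable name; the later "Destroy stored keytab" task would need the same path variable. This task's tags and `when` continue outside the hunk.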
@@ -55,6 +63,8 @@
when: not host_keytab_status.stat.exists
- name: Add additional host keytabs
+ vars:
+ ansible_python_interpreter: /usr/bin/python2
delegate_to: "{{ ipa_server }}"
command: ipa-getkeytab -s {{ipa_server}} -p host/{{item}} -k
/tmp/{{inventory_hostname}}.kt
with_items: "{{ additional_host_keytabs }}"
@@ -68,6 +78,8 @@
when: not host_keytab_status.stat.exists
- name: Destroy kerberos ticket
+ vars:
+ ansible_python_interpreter: /usr/bin/python2
delegate_to: "{{ ipa_server }}"
command: kdestroy -A
tags:
@@ -77,6 +89,8 @@
when: not host_keytab_status.stat.exists
- name: Get keytab
+ vars:
+ ansible_python_interpreter: /usr/bin/python2
delegate_to: "{{ ipa_server }}"
command: base64 /tmp/{{inventory_hostname}}.kt
register: keytab
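Review bot: `register: keytab` captures the base64 of the host keytab, and Ansible prints registered `stdout` in verbose output and to callback/log plugins, so the host's Kerberos key can end up in logs; the hunk adds only the interpreter override and not `no_log: true`. Add `no_log: true` alongside the new `vars:` block so the secret is never rendered. The task's remaining keys are outside the hunk, so an existing `no_log` there would not be visible here.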
@@ -87,6 +101,8 @@
when: not host_keytab_status.stat.exists
- name: Destroy stored keytab
+ vars:
+ ansible_python_interpreter: /usr/bin/python2
delegate_to: "{{ ipa_server }}"
file: path=/tmp/{{inventory_hostname}}.kt state=absent
tags:
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 05531b6..89334d0 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -5,7 +5,7 @@
# Things in here are things we want to do to every machine no matter what.
#
-- name: ensure packages required for semanage are installed (yum)
+- name: ensure packages required for semanage are installed (rhel 6 and 7)
package: name={{ item }} state=present
with_items:
- policycoreutils-python
@@ -13,7 +13,7 @@
- selinux
when: ansible_distribution_major_version|int < 8
-- name: ensure packages required for semanage are installed (dnf)
+- name: ensure packages required for semanage are installed (fedora/rhel8)
package: name=policycoreutils-python-utils state=present
when: ansible_distribution_major_version|int > 27 and ansible_cmdline.ostree is not
defined
tags:
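Review bot: The renamed task says "fedora/rhel8" but its condition `ansible_distribution_major_version|int > 27` still excludes RHEL 8 (major version 8), while the preceding yum task is gated on `< 8`, so RHEL 8 hosts get `policycoreutils-python-utils` from neither task. Change the condition to `when: (ansible_distribution_major_version|int > 27 or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8)) and ansible_cmdline.ostree is not defined`, matching the `> 7` / `< 8` split used for the dnf/yum package tasks later in this file.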
@@ -52,7 +52,18 @@
ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns
value=none
notify:
- restart NetworkManager
- when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not
ansible_ifcfg_blacklist) and not nm_controlled_resolv
+ when: ansible_distribution_major_version|int >=7 and ansible_distribution ==
'RedHat' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not
nm_controlled_resolv
+ tags:
+ - config
+ - resolvconf
+ - base
+ - ifcfg
+
+- name: disable resolv.conf control from NM
+ ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns
value=none
+ notify:
+ - restart NetworkManager
+ when: ansible_distribution_major_version|int >=29 and ansible_distribution ==
'Fedora' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not
nm_controlled_resolv
tags:
- config
- resolvconf
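Review bot: The new "disable resolv.conf control from NM" task is a copy of the one above it with only the distribution clause of `when` changed, so the `ini_file`, `notify` and tag lists are now maintained twice. A single task with `when: ((ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 7) or (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int >= 29)) and nmclitest is success and not ansible_ifcfg_blacklist and not nm_controlled_resolv` keeps one definition. The first task's `name:` line is above the hunk, so whether the two names now collide cannot be seen here.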
@@ -79,7 +90,15 @@
# - restart NetworkManager
- reload NetworkManager-connections
- apply interface-changes
- when: (virthost is not defined) and
(item.startswith(('eth','br','enc','em'))) and
(hostvars[inventory_hostname]['ansible_' +
item.replace('-','_')]['type'] == 'ether') and
(ansible_distribution_major_version|int >=7) and
hostvars[inventory_hostname]['ansible_' +
item.replace('-','_')]['active'] and nmclitest is success and (
not ansible_ifcfg_blacklist ) and ( ansible_ifcfg_whitelist is not defined or item in
ansible_ifcfg_whitelist )
+ when:
+ - virthost is not defined
+ - item.startswith(('eth','br','enc','em'))
+ - hostvars[inventory_hostname]['ansible_' +
item.replace('-','_')]['type'] == 'ether'
+ - hostvars[inventory_hostname]['ansible_' +
item.replace('-','_')]['active']
+ - ansible_distribution_major_version|int >=7
+ - nmclitest is success
+ - not ansible_ifcfg_blacklist
+ - ansible_ifcfg_whitelist is not defined or item in ansible_ifcfg_whitelist
tags:
- config
- ifcfg
@@ -92,7 +111,7 @@
tags:
- packages
- base
- when: ansible_distribution_major_version|int < 22 and
ansible_distribution_major_version|int != 8
+ when: ansible_distribution_major_version|int < 8
- name: global default packages to install (dnf)
dnf:
@@ -140,7 +159,7 @@
tags:
- packages
- base
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8
- name: dist pkgs to install (yum)
package:
@@ -149,16 +168,14 @@
tags:
- packages
- base
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8
- name: dist pkgs to remove (dnf)
- dnf:
- state: absent
- name: "{{ base_pkgs_erase }}"
+ dnf: state=absent name="{{ base_pkgs_erase }}"
tags:
- packages
- base
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not
defined
+ when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not
defined
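Review bot: `dnf: state=absent name="{{ base_pkgs_erase }}"` turns a block-style module invocation back into the legacy `key=value` string form, which is the opposite of the convention the neighbouring dnf tasks in this hunk use and what ansible-lint flags. Keep the block form that was removed: `dnf:` / `  state: absent` / `  name: "{{ base_pkgs_erase }}"`. The version threshold change itself is fine.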
- name: dist pkgs to install (dnf)
dnf:
@@ -343,7 +360,7 @@
- name: install our custom selinux module
command: semodule -i /usr/local/share/rsyslog/rsyslog-audit.pp
- when: selinux_module is changed
+ when: selinux_module is changed and ansible_distribution_major_version|int < 31
tags:
- rsyslogd
- config
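Review bot: The new `and ansible_distribution_major_version|int < 31` clause silently stops loading the custom module on Fedora 31+ with no explanation, and the task that registers `selinux_module` is outside this hunk, so if it is not gated the same way the `.pp` file is still deployed but never loaded there. A comment above the task stating why 31+ is excluded, e.g. `# rsyslog-audit.pp does not build/load against the Fedora 31+ policy; skip there`, would record the intent, assuming that is the reason. If the module is simply unnecessary on those releases, gating the copy task identically avoids shipping a dead file.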
@@ -463,3 +480,27 @@
- name: Setup host keytab
import_tasks: keytab.yml
when: env == 'DISABLED'
+
+# SSSD-KCM has been showing way too many bugs with it saying "I have a ticket"
while the ticket
+# is actually expired, and kinit's still not refreshing them and such alike.
+# Let's just nuke it for now.
+- name: We do NOT use sssd-kcm
+ file: path=/etc/krb5.conf.d/kcm_default_ccache state=absent
+ tags:
+ - base
+ - config
+ - krb5
+
+# rhel8 hosts do not have /usr/bin/python, but there are a few things we call
+# with that because they also run the same on python2 hosts.
+# So, we set python3 to /usr/bin/python on those hosts:
+- name: set /usr/bin/python to python3 on rhel8 hosts
+ alternatives:
+ name: python
+ link: /usr/bin/python
+ path: /usr/bin/python3
+ when: ansible_distribution == 'RedHat' and
ansible_distribution_major_version|int == 8
+ tags:
+ - base
+ - config
+ - python3alternative
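Review bot: Deleting `/etc/krb5.conf.d/kcm_default_ccache` only changes the default ccache type; the `sssd-kcm.socket` unit, if the package is installed, stays enabled and the file is presumably reinstalled on the next `sssd-kcm` package update, so the "nuke it" comment overstates what the task does. Adding a `systemd: name=sssd-kcm.socket enabled=false state=stopped` task (with a `failed_when` or `when` guard for hosts without the package) would make the disablement durable; alternatively, manage the file with `copy`/`lineinfile` to pin `default_ccache_name` explicitly. The commit message does not say whether any host still needs KCM, so the socket change should be confirmed against the inventory first.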
diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml
index a1bb2da..ac40534 100644
--- a/roles/base/tasks/postfix.yml
+++ b/roles/base/tasks/postfix.yml
@@ -31,8 +31,10 @@
- base
- name: Deploy sender_access file
- copy: src="{{private}}/files/smtpd/sender_access"
dest="/etc/postfix/sender_access"
- when: postfix_group == "smtp-mm"
+ copy: src="{{private}}/files/smtpd/sender_access.{{postfix_group}}"
dest="/etc/postfix/sender_access"
+ when: postfix_group == "smtp-mm" or postfix_group == "mailman" or
postfix_group == "gateway"
+ notify:
+ - restart postfix
tags:
- postfix
- config
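Review bot: Copying `sender_access.{{postfix_group}}` to `/etc/postfix/sender_access` updates only the text file; if it is used as a `hash:` map, Postfix reads the compiled `sender_access.db`, and restarting postfix does not rebuild it, so the new notify of `restart postfix` would not apply the change. Notify a handler that runs `postmap /etc/postfix/sender_access` (followed by a reload) instead, assuming the map is a hash/lmdb type rather than a `regexp:`/`pcre:` table. Whether such a handler already exists cannot be seen from this hunk.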
@@ -89,7 +91,7 @@
- name: Copy gateway.key
copy:
src="{{private}}/files/smtpd/gateway.key"
- dest=/etc/pki/tls/private/
+ dest=/etc/pki/tls/private/gateway.key
owner=root
group=postfix
mode=0640