freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

New IPA Server Replica has no server roles #1172

Closed Aethylred closed 8 months ago

Aethylred commented 8 months ago

I've successfully deployed an IPA server, and a replica of that server.

However, the deployed replica is not assigned any Server Roles and does not provide the AD trust agent, AD trust controller, CA server, DNS server, or KRA server roles,

i.e. it has not been promoted to those roles. This is the expected outcome when deploying a replica using ipa-replica-install.

I do not see an ipaserver_promote or ipareplica_promote module, or a way of setting IPA server roles.

I'm not sure if this is the correct method of making a full peer replica cluster where the replica is the failover of the first server.

[root@ipa02 ~]# kinit admin
Password for admin@IPA.LOCAL: 
[root@ipa02 ~]# ipa server-show ipa01.ipa.local
  Server name: ipa01.ipa.local
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: AD trust agent, AD trust controller, CA server, DNS server, IPA master, KRA server
[root@ipa02 ~]# ipa server-show ipa02.ipa.local
  Server name: ipa02.ipa.local
  Managed suffixes: domain
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: IPA master

The cleaned-up inventory is:

---
all:
  vars:
    ansible_user: "{{ vault_ansible_user }}"
    ansible_ssh_pass: "{{ vault_ansible_pass }}"
    ansible_become_pass: "{{ vault_ansible_become_pass }}"
    ipaclient_mkhomedir: no
    ipaclient_domain: ipa.local
    # specify FQDN hostnames because we're connecting via IP
    ipaclient_hostname: "{{ short_hostname }}.{{ ipaclient_domain }}"
    ipaserver_hostname: "{{ ipaclient_hostname }}"
    ipareplica_hostname: "{{ ipaclient_hostname }}"

  children:
    ipa_cluster:
      children:
        ipa_server:
          hosts:
            ipa01:
              primary_ip: 10.1.1.1
              short_hostname: ipa01
        ipa_replica:
          hosts:
            ipa02:
              primary_ip: 10.1.1.2
              short_hostname: ipa02

The (cleaned-up) variables are:

---
# Default variables for configuring IPA Client
ipaclient_servers:
  - ipa01.ipa.local
  - ipa02.ipa.local
ipaadmin_principal: "{{ vault_ipa_admin_account }}"
ipaadmin_password: "{{ vault_ipa_admin_password }}"
ipaclient_domain: ipa.local
ipaclient_realm: "{{ ipaclient_domain | upper }}"
ipaclient_no_ntp: true

# IPA Server settings

# Define IPA Server variables
ipaserver_domain: "{{ ipaclient_domain }}"
ipaserver_realm: "{{ ipaclient_domain | upper }}"

# Enable Features
ipaserver_setup_kra: true
ipaserver_setup_adtrust: true

# Define DNS
ipaserver_setup_dns: true
ipaserver_allow_zone_overlap: true
ipaserver_no_dnssec_validation: false
ipaserver_forwarders:
  - 192.168.1.53

# Set IPA Replica

ipareplica_setup_ca: true
ipareplica_setup_adtrust: true
ipareplica_setup_kra: true
ipareplica_setup_dns: true
ipareplica_forwarders: "{{ ipaserver_forwarders }}"

The playbook is:

---
# Setup IPA Cluster
- name: Install Primary IPA Server
  hosts: ipa_server
  vars:
    # connect via IP address because we're installing the DNS
    ansible_host: "{{ primary_ip }}"

  tasks:

    - name: Install Primary IPA Server
      ansible.builtin.import_role:
        name: freeipa.ansible_freeipa.ipaserver
      become: true

- name: Install IPA Replicas
  hosts: ipa_replica

  tasks:

    - name: Install IPA Replicas
      ansible.builtin.import_role:
        name: freeipa.ansible_freeipa.ipareplica
      become: true
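
The ipa server-show output above is the quickest way to see whether a replica is really a full peer of the first server. The script below is an added example, not code from ansible-freeipa or from the issue reporter: it parses the text that ipa server-show prints and reports which list-valued fields (Managed suffixes, Enabled server roles) the replica is missing relative to the reference server. The two sample outputs are constructed from the values shown in the issue; the live_server_show helper and its use of the ipa CLI are assumptions for illustration and need a valid Kerberos ticket on the host.

```python
"""Compare the role set of a FreeIPA replica with that of the first server.

Added example (not ansible-freeipa or the reporter's code). It parses the text
`ipa server-show <fqdn>` prints and reports which list-valued fields the
candidate server lacks compared with a reference server.
"""
import subprocess

# Fields whose values are comma-separated lists worth diffing.
LIST_FIELDS = ("Managed suffixes", "Enabled server roles")

# Constructed sample output, copied from the issue (shell prompts omitted).
IPA01_SHOW = """\
  Server name: ipa01.ipa.local
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: AD trust agent, AD trust controller, CA server, DNS server, IPA master, KRA server
"""

IPA02_SHOW = """\
  Server name: ipa02.ipa.local
  Managed suffixes: domain
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: IPA master
"""


def parse_server_show(text):
    """Turn `ipa server-show` output into {field: value}; list fields become sets."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank line or something that is not a "Field: value" pair
        key, value = key.strip(), value.strip()
        if key in LIST_FIELDS:
            fields[key] = {item.strip() for item in value.split(",") if item.strip()}
        else:
            fields[key] = value
    return fields


def role_gaps(reference_text, candidate_text):
    """Return {field: sorted missing items} for every list field the candidate lacks."""
    ref = parse_server_show(reference_text)
    cand = parse_server_show(candidate_text)
    gaps = {}
    for field in LIST_FIELDS:
        missing = sorted(ref.get(field, set()) - cand.get(field, set()))
        if missing:
            gaps[field] = missing
    return gaps


def live_server_show(fqdn):
    """Fetch real output from the ipa CLI (assumes `kinit admin` was done on this host)."""
    return subprocess.run(["ipa", "server-show", fqdn], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # To check live servers, swap the constants for live_server_show("ipa01.ipa.local")
    # and live_server_show("ipa02.ipa.local").
    for field, missing in role_gaps(IPA01_SHOW, IPA02_SHOW).items():
        print(f"ipa02 is missing {field}: {', '.join(missing)}")
```

For a replica that is meant to be a full failover peer, role_gaps should return an empty dict; anything left over (here the CA, KRA, DNS and AD trust roles plus the ca suffix) is what still has to be set up on that replica.
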

t-woerner commented 8 months ago

The inventory file above is not providing any information about the ipa_replica group. Are the ipareplica_setup_X variables really set while promoting the client?

Aethylred commented 8 months ago

Added the inventory. I've cleaned out some stuff about configuring the network interfaces & mounting LVMs. Note that we're connecting via an IP address, as we're installing the DNS these hosts are expecting to use. The hosts do have entries in /etc/hosts so they can resolve their names to do the setup.

Are the ipareplica_setup_X variables really set while promoting the client?

I don't know that, it's why I'm here.

Aethylred commented 8 months ago

Since I'm a RedHat customer, I've created a support ticket as well.

Aethylred commented 8 months ago

Found it, there was a typo that I FIXED when creating the fake inventory.

In my actual code I'd used ipa_replica and ipa_replicas as a group inconsistently.
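
The root cause in the last comment (the replica variables lived under a group name that does not exist in the inventory, so Ansible silently never applied them to the replica host) is cheap to catch before the playbook runs. The following pre-flight check is an added example, not part of ansible-freeipa or the reporter's playbook. It reads the JSON that ansible-inventory --list prints and the list of file names found under group_vars/, then reports group_vars files that match no inventory group and replica hosts that did not receive the ipareplica_setup_* variables. The sample inventory, the group_vars file names and the required-variable list are constructed for illustration to reproduce the ipa_replica/ipa_replicas mismatch.

```python
"""Pre-flight check for an ansible-freeipa replica inventory.

Added example (not ansible-freeipa code). Given the JSON from
`ansible-inventory -i inventory.yml --list`, report
  * group_vars files whose name matches no inventory group (Ansible ignores
    them silently, which is how an ipa_replica/ipa_replicas typo hides), and
  * hosts in the replica group that lack the ipareplica_setup_* variables.
"""
import json
import os

# Assumption: the variables the reporter set for the replica, not an
# exhaustive list of what the ipareplica role accepts.
REQUIRED_REPLICA_VARS = (
    "ipareplica_setup_ca",
    "ipareplica_setup_kra",
    "ipareplica_setup_dns",
    "ipareplica_setup_adtrust",
)

# Constructed `ansible-inventory --list` output for the inventory in the issue,
# with group_vars for the replica never applied because of the group-name typo.
SAMPLE_INVENTORY = json.loads("""
{
  "_meta": {"hostvars": {
    "ipa01": {"primary_ip": "10.1.1.1", "short_hostname": "ipa01",
              "ipaclient_domain": "ipa.local", "ipaserver_setup_kra": true},
    "ipa02": {"primary_ip": "10.1.1.2", "short_hostname": "ipa02",
              "ipaclient_domain": "ipa.local"}
  }},
  "all": {"children": ["ungrouped", "ipa_cluster"]},
  "ipa_cluster": {"children": ["ipa_server", "ipa_replica"]},
  "ipa_server": {"hosts": ["ipa01"]},
  "ipa_replica": {"hosts": ["ipa02"]},
  "ungrouped": {}
}
""")

# Constructed: file names under group_vars/, carrying the typo from the issue.
SAMPLE_GROUP_VARS_FILES = ["all.yml", "ipa_server.yml", "ipa_replicas.yml"]


def inventory_groups(inv):
    """All group names in the inventory JSON (everything except _meta)."""
    return {name for name in inv if name != "_meta"}


def hosts_in_group(inv, group):
    """Hosts of a group, including those of nested child groups."""
    entry = inv.get(group, {})
    hosts = set(entry.get("hosts", []))
    for child in entry.get("children", []):
        hosts |= hosts_in_group(inv, child)
    return hosts


def orphan_group_vars(inv, group_vars_files):
    """group_vars file stems that match no inventory group."""
    stems = {os.path.splitext(name)[0] for name in group_vars_files}
    return sorted(stems - inventory_groups(inv))


def missing_replica_vars(inv, group="ipa_replica", required=REQUIRED_REPLICA_VARS):
    """{host: [missing vars]} for hosts in `group` lacking any required variable."""
    hostvars = inv.get("_meta", {}).get("hostvars", {})
    result = {}
    for host in sorted(hosts_in_group(inv, group)):
        missing = sorted(v for v in required if v not in hostvars.get(host, {}))
        if missing:
            result[host] = missing
    return result


if __name__ == "__main__":
    # On a real controller, replace the samples with
    #   inv = json.loads(subprocess.check_output(
    #       ["ansible-inventory", "-i", "inventory.yml", "--list"]))
    #   files = os.listdir("group_vars")
    for stem in orphan_group_vars(SAMPLE_INVENTORY, SAMPLE_GROUP_VARS_FILES):
        print(f"group_vars/{stem}.* matches no inventory group")
    for host, missing in missing_replica_vars(SAMPLE_INVENTORY).items():
        print(f"{host}: missing {', '.join(missing)}")
```

Running this against the real inventory answers the "are the ipareplica_setup_X variables really set?" question before ipa-replica-install is ever invoked; the same check can be turned into an ansible.builtin.assert pre_task in the replica play so the role refuses to run when the variables are absent.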