freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

ipaserver role is not idempotent #124

Open thatnerdjosh opened 5 years ago

thatnerdjosh commented 5 years ago

When running the Ansible role with the following playbook the first time, all the services seem to install fine; however, the ipaclient was having trouble recognizing the domain name for the server. Upon running the playbook again, however, since ipaserver_test.py found that the modules were already installed, it didn't bother to try to run some necessary tasks which could have failed in previous runs; therefore we get a successful run even though the configuration hasn't completed.

    ---
    - hosts: ipaservers
      roles:
        - role: freeipa.ansible_freeipa.ipaserver

After diving into the code, it seems related to several code blocks in the test file which are not returning consistent information and causing certain parts to not run. My guess is the checks need to go beyond is_ipa_configured to check if it is actually fully configured properly.

    if not options.external_ca and not options.external_cert_files and \
       is_ipa_configured():
        options._installation_cleanup = False
        ansible_module.log(
            "IPA server is already configured on this system. If you want "
            "to reinstall the IPA server, please uninstall it first.")
        ansible_module.exit_json(changed=False,
                                 server_already_configured=True)

I am interested in helping resolve this, but could use some guidance as far as architecture of the modules/roles to determine the best route to fix this so that if there are failures we can re-run the roles.

t-woerner commented 4 years ago

The issue is that the underlying ipa server code is not able to easily handle the rerun case. The client role is able to be run again with the repair mode. This can be used to fix deployment issues for the client and also to adapt the client to a changed domain. But this is sadly not simple in the server case as the server is setting up several services in the system. There should not be issues with the server if the role was running without a failure in the first place.

t-woerner commented 4 years ago

To make the server and also the replica role idempotent it is necessary to compare the actual configuration of the services to the needed configuration for IPA. After this has been done, the required changes to the configuration need to be made to make the services work as expected.

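As an added illustration, not code from ansible-freeipa, of the two points raised in this thread (the report's "go beyond is_ipa_configured" and the comment above about comparing actual service state to what IPA needs): a pure-Python decision helper that only lets the role take the early `changed=False` exit when every required service is really enabled and running, and otherwise falls through so the remaining tasks run (and fail visibly) instead of being skipped. The service names, the `ServiceState` type and the sample states are constructed for the example.

```python
"""Added example (not ansible-freeipa code): decide whether a rerun may skip
early. Service names and observed states below are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceState:
    enabled: bool   # unit is enabled at boot
    active: bool    # unit is currently running

# Services a finished install is assumed to need (illustrative list).
REQUIRED_SERVICES = ("dirsrv", "krb5kdc", "httpd", "ipa-custodia")

def audit_services(observed, required=REQUIRED_SERVICES):
    """Return the required services that are missing, disabled or stopped."""
    problems = []
    for name in required:
        state = observed.get(name)
        if state is None:
            problems.append(f"{name}: not installed")
        elif not state.enabled:
            problems.append(f"{name}: not enabled")
        elif not state.active:
            problems.append(f"{name}: not running")
    return problems

def decide(is_ipa_configured, observed, required=REQUIRED_SERVICES):
    """Decide what the role should do on this run.

    'install' -> nothing configured yet, run the installer
    'skip'    -> configured and every required service healthy (changed=False)
    'repair'  -> installer marked the host configured but services disagree;
                 do not exit early, let the remaining tasks run or fail
    """
    if not is_ipa_configured:
        return "install", []
    problems = audit_services(observed, required)
    return ("skip" if not problems else "repair"), problems

# Constructed sample: installer flag is set, but httpd never came up.
SAMPLE_OBSERVED = {
    "dirsrv": ServiceState(enabled=True, active=True),
    "krb5kdc": ServiceState(enabled=True, active=True),
    "httpd": ServiceState(enabled=True, active=False),
    "ipa-custodia": ServiceState(enabled=True, active=True),
}

if __name__ == "__main__":
    action, problems = decide(True, SAMPLE_OBSERVED)
    print(action, problems)   # repair ['httpd: not running']
```
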
jnm27 commented 3 years ago

This is important. And is a bug by Ansible standards, not an enhancement. Anyone working it?