freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

ipaserver: FreeIPA >= 4.12.0 fails to install #1245

Closed aph3rson closed 3 months ago

aph3rson commented 3 months ago

Attempting to deploy the freeipa.ansible_freeipa.ipaserver role fails as-of FreeIPA 4.12.0.

The following exception gets caught in the debugger during installation:

fatal: [freeipa]: FAILED! => {
    "changed": false,
    "module_stderr": "Shared connection to 192.168.2.100 closed.\r\n",
    "module_stdout": "/tmp/ansible_freeipa.ansible_freeipa.ipaserver_prepare_payload_66xdrzfj/ansible_freeipa.ansible_freeipa.ipaserver_prepare_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipaserver_prepare.py:401: DeprecationWarning: Use 'ipapython.ipachangeconf.IPAChangeConfg'\r\nTraceback (most recent call last):\r\n  File \"/home/bootstrap/.ansible/tmp/ansible-tmp-1718763556.2267206-308656-98351157257907/AnsiballZ_ipaserver_prepare.py\", line 107, in <module>\r\n    _ansiballz_main()\r\n  File \"/home/bootstrap/.ansible/tmp/ansible-tmp-1718763556.2267206-308656-98351157257907/AnsiballZ_ipaserver_prepare.py\", line 99, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/home/bootstrap/.ansible/tmp/ansible-tmp-1718763556.2267206-308656-98351157257907/AnsiballZ_ipaserver_prepare.py\", line 47, in invoke_module\r\n    runpy.run_module(mod_name='ansible_collections.freeipa.ansible_freeipa.plugins.modules.ipaserver_prepare', init_globals=dict(_module_fqn='ansible_collections.freeipa.ansible_freeipa.plugins.modules.ipaserver_prepare', _modlib_path=modlib_path),\r\n  File \"<frozen runpy>\", line 226, in run_module\r\n  File \"<frozen runpy>\", line 98, in _run_module_code\r\n  File \"<frozen runpy>\", line 88, in _run_code\r\n  File \"/tmp/ansible_freeipa.ansible_freeipa.ipaserver_prepare_payload_66xdrzfj/ansible_freeipa.ansible_freeipa.ipaserver_prepare_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipaserver_prepare.py\", line 549, in <module>\r\n  File \"/tmp/ansible_freeipa.ansible_freeipa.ipaserver_prepare_payload_66xdrzfj/ansible_freeipa.ansible_freeipa.ipaserver_prepare_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipaserver_prepare.py\", line 471, in main\r\n  File \"/usr/lib/python3.12/site-packages/ipaserver/install/ca.py\", line 364, in install_check\r\n    if options.token_name:\r\n       ^^^^^^^^^^^^^^^^^^\r\nAttributeError: 'options_obj' object has no attribute 'token_name'. Did you mean: 'domain_name'?\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

When we call the install_check function, the options arg now expects some new parameters, which appear to be related to this commit: https://github.com/freeipa/freeipa/commit/82c0b19acce147b3f82183b561883c7ca9137403. This adds HSM-related options to the FreeIPA installer, which ansible-freeipa does not have support for.

Fixes here would likely involve surfacing these arguments into the role, or setting options.token_name to None. Arguably, FreeIPA could better-handle options being malformed here, but I don't know if that function is intended to be called by things that aren't FreeIPA.
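As an added illustration (not code from ansible-freeipa or FreeIPA), the Python sketch below reproduces the failure described in this report with a stand-in for `install_check` and shows the second fix mentioned, defaulting the unsupported HSM option to `None`, done so that a value the role does pass is never clobbered. `OptionsObj`, `install_check`, `ensure_option_defaults`, `check_ca_options` and `missing_attribute` are hypothetical names; `token_name` is the only new installer option the traceback confirms.

```python
"""Added example, not code from ansible-freeipa or FreeIPA.

Reproduces the AttributeError from the traceback with a stand-in for
ipaserver.install.ca.install_check and shows how a caller can default
installer options it does not expose yet (the "set options.token_name to
None" fix from the issue) without overriding values the role does pass.
"""


class OptionsObj:
    """Hypothetical stand-in for the module's options_obj: a plain
    attribute bag built from the role's arguments."""

    def __init__(self, **role_args):
        for name, value in role_args.items():
            setattr(self, name, value)


def install_check(options):
    """Hypothetical simplification of FreeIPA 4.12's install_check: it
    mirrors the `if options.token_name:` access that raised in the
    traceback and reports which kind of CA would be configured."""
    if options.token_name:
        return "hsm-backed CA"
    return "software CA"


# Defaults for installer options the role does not surface. Only
# 'token_name' is confirmed by the traceback on this page; extend this
# table from the installer's own option list, never by guessing names.
HSM_OPTION_DEFAULTS = {"token_name": None}


def ensure_option_defaults(options, defaults):
    """Set each attribute in `defaults` only when it is missing, so an
    explicit value supplied by the role is never clobbered."""
    for name, value in defaults.items():
        if not hasattr(options, name):
            setattr(options, name, value)
    return options


def missing_attribute(role_args):
    """Run the stand-in check on the raw role arguments and return the
    AttributeError message if the installer wanted an option the role did
    not supply, or None when the check ran cleanly."""
    try:
        install_check(OptionsObj(**role_args))
    except AttributeError as exc:
        return str(exc)
    return None


def check_ca_options(role_args):
    """The forward-compatible path: build the options object, fill in
    defaults for options the role does not expose, then run the check."""
    options = ensure_option_defaults(OptionsObj(**role_args), HSM_OPTION_DEFAULTS)
    return install_check(options)


if __name__ == "__main__":
    # Constructed sample role arguments: the role passes domain_name but,
    # like ansible-freeipa before the fix, knows nothing about token_name.
    role_args = {"domain_name": "example.test"}
    print("without defaults:", missing_attribute(role_args))
    print("with defaults:   ", check_ca_options(role_args))
    print("explicit token:  ", check_ca_options({**role_args, "token_name": "ca-token"}))
```

Filling defaults only for missing attributes is the point: once the role does surface `token_name`, the same code keeps working and the explicit value wins.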

aph3rson commented 3 months ago

Workaround

Manually overwriting ipaserver_packages and friends in my ipaserver role args helps. 4.11.1 does not have the HSM functionality present. I'm installing on Fedora 40; the package name might differ on a different OS. See the name arg here. I also am not installing adtrust; there's a similar variable for that that needs to be modified.

    - name: Install and configure FreeIPA role
      vars:
        # ...
        # TODO: Remove after https://github.com/freeipa/ansible-freeipa/issues/1245 is fixed.
        ipaserver_packages:
          - freeipa-server-4.11.1
        ipaserver_packages_dns:
          - freeipa-server-dns-4.11.1
      ansible.builtin.include_role:
        name: freeipa.ansible_freeipa.ipaserver

abbra commented 3 months ago

Yes, this is known. @t-woerner is working on a fix.

aph3rson commented 3 months ago

@abbra @t-woerner is there another issue I should be following, then? I searched here (and in freeipa/freeipa), didn't see anything for this specific problem.

abbra commented 3 months ago

There is IPA issue https://pagure.io/freeipa/issue/9603 about part of the problem, but since some changes to ansible-freeipa are also needed, I think we can use the issue you created for tracking this work.

t-woerner commented 3 months ago

This should be fixed with version 1.13.2.

The PR https://github.com/freeipa/ansible-freeipa/pull/1246 is part of it.