pki-vagans's Introduction

Vagrant + Ansible for FreeIPA and Dogtag PKI

Authors: Christian Heimes [email protected]

The playbook is partly inspired by and based on Adam Young's rippowam https://github.com/admiyo/rippowam.

Requirements

The FreeIPA setup needs about 3 to 3.5 GB of free RAM and 6 to 7 GB disk space.

Install dependencies

sudo dnf install ansible libvirt vagrant vagrant-libvirt vagrant-hostmanager libselinux-python nss-tools krb5-pkinit
sudo systemctl enable libvirtd
sudo systemctl start libvirtd
sudo usermod -G libvirt -a YOUR_USER

Either restart your session or use newgrp to join the new user group (current shell only).

$ newgrp libvirt

passwords

The default password for the users root and vagrant, FreeIPA's admin user, 389-DS, PKI CA and PKI KRA is Secret123. The Directory Manager password is DMSecret456.

FreeIPA

$ cd ipa
$ ./setup.sh

Vagrant's multi-machine setup can run into a race condition and start provisioning before all machines have a new SSH key. Running vagrant up --no-provision followed by vagrant provision is more stable. Sometimes the initial provisioning fails to configure the client or replica; a second run of vagrant provision fixes most issues.

The FreeIPA playbook deploys six machines:

  • ipamaster (master.ipa.example) with CA and KRA
  • ipareplica1 (replica1.ipa.example)
  • ipaclient1 (client1.ipa.example)
  • ipafilesserver (fileserver.ipa.example) for NFS, Samba and Apache demos
  • ipavpnserver (vpn.ipa.example) for ocserv VPN
  • ipaidpserver (idp.ipa.example) for Ipsilon IdP

When the machines are up, you can acquire a Kerberos ticket and start a local instance of Firefox to explore the WebUI. The admin password is Secret123.

$ bin/ipa_kinit admin
$ bin/ipa_firefox
$ bin/ipa_ssh [email protected]

FreeIPA test server

$ cd ipatests
$ ./setup.sh

One test machine:

  • ipatestmaster (master.ipatests.local) with CA and KRA

Dogtag PKI

$ cd pki
$ vagrant up

The playbook for Dogtag PKI deploys 389-DS, a CA and a KRA in one VM.

  • pki_server (dogtag.pki.example)

Python 3 dependencies

There is a shell script in pki/rpms that will download some dependencies.

forceful cleanup

rm -rf /var/lib/pki/ /var/log/pki/ /etc/sysconfig/pki-tomcat/ /etc/sysconfig/pki/tomcat/pki-tomcat/ /root/.dogtag/pki-tomcat /etc/pki/pki-tomcat/

Vagrant quick manual

create VM

$ cd pki
$ vagrant up

Provision the VM again

For example, to update RPMs:

$ vagrant provision

Log into VM

$ vagrant ssh <machine>

Destroy VM

$ vagrant destroy

Install custom RPMs

Copy or symlink files or directories with RPMs into pki/rpms or ipa/rpms and set custom_rpms to True. The Ansible playbook will pick up all RPMs (even in symlinked and nested directory structures) and install them.

When something fails

$ sudo systemctl restart libvirtd.service
$ vagrant provision

Provision non-Vagrant machines

Create an inventory.cfg:

[ipaserver_master]
master.domain.example

[ipaserver_replica]
replica1.domain.example
replica2.domain.example

[ipa_client]
client1.domain.example
client2.domain.example
client3.domain.example

and a shell script:

#!/bin/sh
set -ex

PKI_VAGANS="/path/to/pki-vagans"
IPA_DOMAIN="domain.example"

export ANSIBLE_CONFIG=${PKI_VAGANS}/ansible/ansible.cfg

ansible-playbook \
    -i inventory.cfg \
    ${PKI_VAGANS}/ansible/ipa-playbook.yml \
    -vv \
    --extra-vars='{"package_install":true,"package_upgrade":true,"coprs_enabled":[],"ipa_replica_kra":false,"ipa_domain": "'${IPA_DOMAIN}'"}'
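The inventory and extra-vars handling above can be generated and sanity-checked rather than typed by hand. The following is an added example, not part of pki-vagans: it builds the same INI inventory from a constructed host list, refuses to proceed if any host is not under ipa_domain (the playbook derives realm and DNS settings from it), and emits the extra-vars JSON with the domain passed through printf instead of spliced into the quoted string. HOSTS, make_inventory, check_domain and extra_vars are names chosen here.

```shell
#!/bin/sh
# Added example for the pki-vagans README; not the project's own code.

# Constructed host list: "group hostname" pairs, mirroring the inventory above.
HOSTS="ipaserver_master master.domain.example
ipaserver_replica replica1.domain.example
ipaserver_replica replica2.domain.example
ipa_client client1.domain.example
ipa_client client2.domain.example"

# Print the inventory in the INI layout ansible-playbook -i expects:
# one [group] header per distinct group, in first-seen order.
make_inventory() {
    for group in $(printf '%s\n' "$HOSTS" | awk '{print $1}' | awk '!seen[$0]++'); do
        printf '[%s]\n' "$group"
        printf '%s\n' "$HOSTS" | awk -v g="$group" '$1 == g {print $2}'
        printf '\n'
    done
}

# Return 0 only if every host name ends with ".<domain>"; a host outside
# ipa_domain would be enrolled with the wrong realm, so stop before provisioning.
check_domain() {
    printf '%s\n' "$HOSTS" | awk -v d=".$1" '
        { h = $2
          if (substr(h, length(h) - length(d) + 1) != d) {
              bad = 1; print "host not in ipa_domain: " h > "/dev/stderr" } }
        END { exit bad ? 1 : 0 }'
}

# The extra-vars JSON from the README; the domain is a printf argument, so no
# nested quoting is needed on the ansible-playbook command line.
extra_vars() {
    printf '{"package_install":true,"package_upgrade":true,"coprs_enabled":[],"ipa_replica_kra":false,"ipa_domain":"%s"}' "$1"
}

IPA_DOMAIN="domain.example"
# Validate first, then print the inventory; redirect it to inventory.cfg and
# pass "$(extra_vars "$IPA_DOMAIN")" as --extra-vars to ansible-playbook.
check_domain "$IPA_DOMAIN" && make_inventory
```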

Ansible roles

bootstrap

General bootstrapping tasks to set up networking and Ansible dependencies (Python 2).

common

Common tasks for FreeIPA and Dogtag:

  • firewalld
  • SELinux
  • rngd
  • time zones
  • hosts

ipa

FreeIPA base package and common facts

ipa-client

Configure host as FreeIPA client

ipa-httpd

Prepare Apache HTTPD for Ipsilon IdP, GSSAPI and SAML2 service point example

ipa-httpexample

GSSAPI + mod_lookup_identity example

ipa-inventory

Create local configuration files and scripts for kinit, ssh and Firefox

ipa-ipsilon-idp

Set up Ipsilon IdP with SAML2, Persona and OpenID

ipa-nfsserver

Kerberized NFS server and auto.fs for home directories

ipaserver

Install FreeIPA server packages

ipaserver-master

Set up FreeIPA master

ipaserver-replica

Set up FreeIPA replica

ipa-smbserver

Kerberized Samba/CIFS server

ipa-sp-example

SAML2 service point example with mod_auth_mellon

ipa-vpnserver

Kerberized ocserv (OpenConnect) VPN server with MS-KKDCP support.

pki

Install Dogtag PKI base packages for stand-alone CA

pki-389ds

Configure 389-DS LDAP server for Dogtag

pki-ca

Configure Dogtag CA instance

pki-kra

Configure Dogtag KRA instance

pki-vagans's People

Contributors

fidencio, spoore1, tiran

pki-vagans's Issues

Vagrant Box cheimes/freeipa-f27 has no released versions

When downloading from Vagrant Cloud:

An error occurred while executing multiple actions in parallel.
Any errors that occurred are shown below.

An error occurred while executing the action on the 'ipaclient1'
machine. Please handle this error then try again:

The box you're attempting to add doesn't support the provider
you requested. Please find an alternate box or use an alternate
provider. Double-check your requested provider to verify you didn't
simply misspell it.

If you're adding a box from HashiCorp's Vagrant Cloud, make sure the box is
released.

Name: cheimes/freeipa-f27
Address: https://vagrantcloud.com/cheimes/freeipa-f27
Requested provider: [:libvirt]

file not found: /etc/httpd/alias/kra-agent.pem

In the master branch, after running ipa/setup.sh I got one Ansible task failure message.

fatal: [ipamaster]: FAILED! => {"changed": false, "msg": "file not found: /etc/httpd/alias/kra-agent.pem"}

provision fail when running ansible 2.9.x

Hi all,

I have tried to run the setup.sh script from the pki and ipa directories and I got the error below:

$ vagrant up
Bringing machine 'pki_server' up with 'libvirt' provider...
==> pki_server: Box 'cheimes/dogtag-f25' could not be found. Attempting to find and install...
    pki_server: Box Provider: libvirt
    pki_server: Box Version: >= 0
==> pki_server: Loading metadata for box 'cheimes/dogtag-f25'
    pki_server: URL: https://vagrantcloud.com/cheimes/dogtag-f25
==> pki_server: Adding box 'cheimes/dogtag-f25' (v10.3.5.2017021300) for provider: libvirt
    pki_server: Downloading: https://vagrantcloud.com/cheimes/boxes/dogtag-f25/versions/10.3.5.2017021300/providers/libvirt.box
    pki_server: Download redirected to host: vagrantcloud-files-production.s3.amazonaws.com
==> pki_server: Successfully added box 'cheimes/dogtag-f25' (v10.3.5.2017021300) for 'libvirt'!
==> pki_server: Uploading base box image as volume into libvirt storage...
==> pki_server: Creating image (snapshot of base box volume).
==> pki_server: Creating domain with the following settings...
==> pki_server:  -- Name:              pki_pki_server
==> pki_server:  -- Domain type:       kvm
==> pki_server:  -- Cpus:              2
==> pki_server:  -- Feature:           acpi
==> pki_server:  -- Feature:           apic
==> pki_server:  -- Feature:           pae
==> pki_server:  -- Memory:            1024M
==> pki_server:  -- Management MAC:    
==> pki_server:  -- Loader:            
==> pki_server:  -- Nvram:             
==> pki_server:  -- Base box:          cheimes/dogtag-f25
==> pki_server:  -- Storage pool:      default
==> pki_server:  -- Image:             /var/lib/libvirt/images/pki_pki_server.img (6G)
==> pki_server:  -- Volume Cache:      default
==> pki_server:  -- Kernel:            
==> pki_server:  -- Initrd:            
==> pki_server:  -- Graphics Type:     vnc
==> pki_server:  -- Graphics Port:     -1
==> pki_server:  -- Graphics IP:       127.0.0.1
==> pki_server:  -- Graphics Password: Not defined
==> pki_server:  -- Video Type:        cirrus
==> pki_server:  -- Video VRAM:        9216
==> pki_server:  -- Sound Type:	
==> pki_server:  -- Keymap:            en-us
==> pki_server:  -- TPM Path:          
==> pki_server:  -- INPUT:             type=mouse, bus=ps2
==> pki_server: Creating shared folders metadata...
==> pki_server: Starting domain.
==> pki_server: Waiting for domain to get an IP address...
==> pki_server: Waiting for SSH to become available...
    pki_server: 
    pki_server: Vagrant insecure key detected. Vagrant will automatically replace
    pki_server: this with a newly generated keypair for better security.
    pki_server: 
    pki_server: Inserting generated public key within guest...
    pki_server: Removing insecure key from the guest if it's present...
    pki_server: Key inserted! Disconnecting and reconnecting using new SSH key...
==> pki_server: Setting hostname...
==> pki_server: Configuring and enabling network interfaces...
    pki_server: SSH address: 192.168.121.16:22
    pki_server: SSH username: vagrant
    pki_server: SSH auth method: private key
==> pki_server: Running provisioner: ansible...
Vagrant has automatically selected the compatibility mode '2.0'
according to the Ansible version installed (2.9.2).

Alternatively, the compatibility mode can be specified in your Vagrantfile:
https://www.vagrantup.com/docs/provisioning/ansible_common.html#compatibility_mode

    pki_server: Running ansible-playbook...
[WARNING]: Found both group and host with same name: pki_server

ERROR! Unexpected Exception, this is probably a bug: 'CallbackModule' object has no attribute 'set_options'
to see the full traceback, use -vvv
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

I fixed it by reinstalling ansible in the virtualenv, but forcing version 2.8.x (this works for the Vagrant descriptor in the pki directory).

pip install "ansible>=2.8.0,<2.9.0"

After that I provisioned the VM again with vagrant provision, and everything worked properly.

Probably internal changes in ansible 2.9.0 break some functionality (or some bug exists).

I guess it could be necessary to report that ansible 2.9.x is not supported yet, to inform users about this situation.

I was running the above on a CentOS 7 VM, using ansible 2.9.2 (I installed ansible using pip instead of the yum package).

Clarify that Ansible playbook works without Vagrant

@spoore1 pointed out an issue in my documentation. He assumed that the Ansible playbook requires Vagrant to work. The Ansible part works perfectly fine without Vagrant. I have used it a bunch of times to deploy a FreeIPA system on a RHEV cluster or combined it with Kubernetes' Ansible playbook.
