From 74b81ffb8fe226e6b97d1d52faf462aede771def Mon Sep 17 00:00:00 2001 From: stdweird Date: Sun, 3 Nov 2019 17:51:25 +0100 Subject: [PATCH 1/5] ncm-freeipa: make the list of required package for CLI ipa client installation configurable --- .../main/pan/components/freeipa/config.pan | 16 ++++++++++++ .../main/pan/components/freeipa/schema.pan | 2 ++ ncm-freeipa/src/main/perl/freeipa.pm | 25 +++++++------------ 3 files changed, 27 insertions(+), 16 deletions(-) diff --git a/ncm-freeipa/src/main/pan/components/freeipa/config.pan b/ncm-freeipa/src/main/pan/components/freeipa/config.pan index d67cabaad8..02fae232e8 100644 --- a/ncm-freeipa/src/main/pan/components/freeipa/config.pan +++ b/ncm-freeipa/src/main/pan/components/freeipa/config.pan @@ -1 +1,17 @@ ${componentconfig} + +variable FREEIPA_CLI_REQUIRES_PAM_KRB5 ?= true; + +'cli_packages' ?= { + t = list( + 'ncm-freeipa', + 'nss-pam-ldapd', + 'ipa-client', + 'nss-tools', + 'openssl', + ); + if (FREEIPA_CLI_REQUIRES_PAM_KRB5) { + append(t, 'pam_krb5'); + }; + t; +}; diff --git a/ncm-freeipa/src/main/pan/components/freeipa/schema.pan b/ncm-freeipa/src/main/pan/components/freeipa/schema.pan index 633e87c83d..93ab27f8ef 100755 --- a/ncm-freeipa/src/main/pan/components/freeipa/schema.pan +++ b/ncm-freeipa/src/main/pan/components/freeipa/schema.pan @@ -160,4 +160,6 @@ type ${project.artifactId}_component = { }; true; } + @{Packages required for CLI installation (e.g. in kickstart)} + 'cli_packages' : string[] }; diff --git a/ncm-freeipa/src/main/perl/freeipa.pm b/ncm-freeipa/src/main/perl/freeipa.pm index 640b98ce03..ef1ee5e2f3 100755 --- a/ncm-freeipa/src/main/perl/freeipa.pm +++ b/ncm-freeipa/src/main/perl/freeipa.pm 
@@ -123,16 +123,6 @@ $NCM::Component::${project.artifactId}::NoActionSupported = 1; Readonly my $DEBUGAPI_LEVEL => 3; Readonly::Array my @GET_KEYTAB => qw(/usr/sbin/ipa-getkeytab); -# packages to install with yum for dependencies -Readonly::Array our @CLI_YUM_PACKAGES => qw( - ncm-freeipa - nss-pam-ldapd - ipa-client - nss-tools - openssl - pam_krb5 -); - Readonly my $IPA_BASEDIR => '/etc/ipa'; Readonly our $IPA_QUATTOR_BASEDIR => "$IPA_BASEDIR/quattor"; @@ -587,16 +577,18 @@ sub _manual_initialisation my $tree = $config->getTree($self->prefix()); my $network = $config->getTree('/system/network'); - my $yum_packages = join(" ", ); - my $domain = $tree->{domain} || $network->{domainname}; # Is optional, but we use the template value; not the CLI default my $hostcert = $tree->{hostcert} ? 1 : 0; - my @yum = qw(yum -y install); - push(@yum, @CLI_YUM_PACKAGES); - push(@yum, qw(-c /tmp/aii/yum/yum.conf)) if $opts{aii}; + my @cli_packages = @{$tree->{cli_packages}}; + my @yum; + if (@cli_packages) { + push(@yum, qw(yum -y install), @cli_packages); + push(@yum, qw(-c /tmp/aii/yum/yum.conf)) if $opts{aii}; + + } my @cli = qw(PERL5LIB=/usr/lib/perl perl -MNCM::Component::FreeIPA::CLI -w -e install --); @@ -614,7 +606,8 @@ sub _manual_initialisation ); my @cmds; - push(@cmds, join(" ", @yum), join(" ", @cli)); + push(@cmds, join(" ", @yum)) if @yum; + push(@cmds, join(" ", @cli)); return join("\n", @cmds); } From 622abd47e60146daf14a72bc5836529ad11b8390 Mon Sep 17 00:00:00 2001 From: stdweird Date: Sun, 3 Nov 2019 18:10:40 +0100 Subject: [PATCH 2/5] ncm-freeipa: CLI: support pre and post version 4.7 differences in ipa-client-install --- ncm-freeipa/src/main/perl/FreeIPA/CLI.pm | 40 +++++++++++++++++++++--- 1 file changed, 36 insertions(+), 4 deletions(-) diff --git a/ncm-freeipa/src/main/perl/FreeIPA/CLI.pm b/ncm-freeipa/src/main/perl/FreeIPA/CLI.pm index 4e85aee4bb..d1ac346a81 100644 --- a/ncm-freeipa/src/main/perl/FreeIPA/CLI.pm 
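Review bot: The entries of `cli_packages` are pushed into `@yum` and later joined with spaces (`join(" ", @yum)` in the last hunk) into the command text that `_manual_initialisation` returns, with no quoting or validation, while schema.pan types the field only as `string[]`. The removed `@CLI_YUM_PACKAGES` was a compile-time constant, so this commit is what makes the install line profile-controlled; a value containing whitespace or shell metacharacters would alter what is presumably run as a shell line in the post-reboot script. I would constrain the element type in the schema, for example `string with match(SELF, '^[A-Za-z0-9][A-Za-z0-9._+:-]*$')`, or reject such names here before the `push`. The empty line left before the closing brace of the `if (@cli_packages)` block can also be dropped. The body of `_manual_initialisation` starts and ends outside these hunks.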
+++ b/ncm-freeipa/src/main/perl/FreeIPA/CLI.pm @@ -3,6 +3,7 @@ use parent qw(CAF::Application NCM::Component::freeipa CAF::Reporter CAF::Object Exporter); use NCM::Component::freeipa; +use version; our @EXPORT = qw(install); @@ -15,8 +16,10 @@ use Readonly; Readonly::Array my @TIME_SERVICES => qw(ntpd chronyd ptpd ptpd2); Readonly::Array my @NTPDATE_SYNC => qw(/usr/sbin/ntpdate -U ntp -b -v); -Readonly::Array my @IPA_INSTALL => qw(ipa-client-install --unattended --debug --noac); -Readonly::Array my @IPA_INSTALL_NOS => qw(sssd sudo sshd ssh ntp dns-sshfp nisdomain); +Readonly::Array my @IPA_INSTALL => qw(ipa-client-install --unattended --debug); +Readonly::Array my @IPA_INSTALL_PRE47 => qw(--noac); +Readonly::Array my @IPA_INSTALL_NOS => qw(sudo sshd ssh ntp dns-sshfp nisdomain); +Readonly::Array my @IPA_INSTALL_NOS_PRE47 => qw(sssd); # Location based discovery # http://www.freeipa.org/page/V4/DNS_Location_Mechanism @@ -215,6 +218,28 @@ sub location_based_discovery return; } +# Return version instance C version information (from C) +# Return undef in case of problem. +sub get_ipa_install_version +{ + my ($self) = @_; + + my $proc = CAF::Process->new( + [$IPA_INSTALL[0], "--version"], + log => $self, + keeps_state => 1, + ); + my $output = $proc->output(); + + # e.g. '4.6.5' + if ($output && $output =~ m/\D((?:\d+)(?:\.\d+)+)\s*$/) { + return version->new("v$1"); + } else { + $self->error("Failed to parse output from $proc: $output"); + return; + } +} + # TODO: ipa-join is enough? sub ipa_install 
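Review bot: `get_ipa_install_version` parses whatever `$proc->output()` returns without looking at the exit status, and on the failure path it interpolates `$output` into the error message even when it is undef or empty. Assuming CAF::Process leaves the exit status in `$?`, a guard such as `if ($? == 0 && $output && $output =~ m/.../)` together with logging `defined($output) ? $output : '<no output>'` would keep a missing or failing `ipa-client-install` from being reported as a parse problem. The command name is `$IPA_INSTALL[0]`, a bare `ipa-client-install` resolved through PATH, whereas `@NTPDATE_SYNC` in the same file uses an absolute path; an absolute path would be more predictable for an installer that presumably runs as root. The pattern also requires the version to be the last token of the output, so a build that prints a suffix after the number would end up on the error path.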
@@ -224,17 +249,24 @@ sub ipa_install my $ec = SUCCESS; $self->debug(1, "begin ipa_install with primary $primary realm $realm"); + my @ipa_install = @IPA_INSTALL; + my @ipa_install_nos = @IPA_INSTALL_NOS; + my $version = $self->get_ipa_install_version(); + if ($version < version->new('4.7.0')) { + push(@ipa_install, @IPA_INSTALL_PRE47); + push(@ipa_install_nos, @IPA_INSTALL_NOS_PRE47); + } #$self->pre_time($opts{ntpserver}); # It is ok to log this, the password is an OTP # TODO: set expiration window on password or cron job to reset password my $cmd = [ - @IPA_INSTALL, + @ipa_install, '--realm', $realm, '--domain', $domain, '--password', $otp, - map {"--no-$_"} @IPA_INSTALL_NOS, # Nothing after this, will all be map'ped + map {"--no-$_"} @ipa_install_nos, # Nothing after this, will all be map'ped ]; if ($self->location_based_discovery($domain, $primary)) { From 1973304f458580f8bc8bab4874f5071c7b57c21a Mon Sep 17 00:00:00 2001 From: stdweird Date: Tue, 18 Aug 2020 22:53:15 +0200 Subject: [PATCH 3/5] ncm-freeipa: install released version with AII CLI --- ncm-freeipa/src/main/pan/components/freeipa/config.pan | 2 +- ncm-freeipa/src/test/perl/aii-basic.t | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ncm-freeipa/src/main/pan/components/freeipa/config.pan b/ncm-freeipa/src/main/pan/components/freeipa/config.pan index 02fae232e8..993213cc0e 100644 --- a/ncm-freeipa/src/main/pan/components/freeipa/config.pan +++ b/ncm-freeipa/src/main/pan/components/freeipa/config.pan @@ -4,7 +4,7 @@ variable FREEIPA_CLI_REQUIRES_PAM_KRB5 ?= true; 'cli_packages' ?= { t = list( - 'ncm-freeipa', + 'ncm-freeipa-${no-snapshot-version}-${rpm.release}', 'nss-pam-ldapd', 'ipa-client', 'nss-tools', diff --git a/ncm-freeipa/src/test/perl/aii-basic.t b/ncm-freeipa/src/test/perl/aii-basic.t index 903f6e4e99..f97446f17e 100644 --- a/ncm-freeipa/src/test/perl/aii-basic.t +++ b/ncm-freeipa/src/test/perl/aii-basic.t 
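Review bot: The result of `$self->get_ipa_install_version()` is compared with `version->new('4.7.0')` without a definedness check, although that method returns nothing when the version cannot be parsed. In that case the comparison presumably treats the missing value as lower than 4.7.0, so the pre-4.7 options `--noac` and `--no-sssd` are added on a host whose version is simply unknown, and the later failure of the install is hard to relate to the logged parse error. I would fail early before the `if`, along the lines of `if (!defined($version)) { $self->error("cannot determine ipa-client-install version"); return <non-SUCCESS code>; }`, using whatever failure value this sub already returns. The body of `ipa_install` starts and ends outside the hunk.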
@@ -58,7 +58,7 @@ ok(POST_history_ok([ ]), "host_add / host_mod called"); -like($fh, qr(^yum -y install ncm-freeipa nss-pam-ldapd ipa-client nss-tools openssl pam_krb5 -c /tmp/aii/yum/yum.conf$)m, +like($fh, qr(^yum -y install ncm-freeipa-\d+\.\d+\.\d+-\w+ nss-pam-ldapd ipa-client nss-tools openssl pam_krb5 -c /tmp/aii/yum/yum.conf$)m, "install freeipa component and CLI dependencies in post_reboot"); like($fh, qr(^PERL5LIB=/usr/lib/perl perl -MNCM::Component::FreeIPA::CLI -w -e install -- --realm MY.REALM --primary myhost.example.com --domain com --fqdn myhost.example.com --hostcert 1 --otp 'superse\\\$cret\\\$OTP'$)m, "CLI called as expected"); From 06fb4a23677f13cd7fa4ea13674cea8b27c34834 Mon Sep 17 00:00:00 2001 From: stdweird Date: Fri, 28 Jul 2023 10:05:07 +0200 Subject: [PATCH 4/5] ncm-freeipa: fix panlint redundant format in error usage --- ncm-freeipa/src/main/pan/components/freeipa/schema.pan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ncm-freeipa/src/main/pan/components/freeipa/schema.pan b/ncm-freeipa/src/main/pan/components/freeipa/schema.pan index 93ab27f8ef..5e0ca7f544 100755 --- a/ncm-freeipa/src/main/pan/components/freeipa/schema.pan +++ b/ncm-freeipa/src/main/pan/components/freeipa/schema.pan @@ -155,7 +155,7 @@ type ${project.artifactId}_component = { 'principals' ? component_${project.artifactId}_principal{} with { foreach (k; v; SELF) { if (!match(k, '^(client|server|aii)$')) { - error(format("Unsupported principal %s (must be one of client, server or aii)", k)); + error("Unsupported principal %s (must be one of client, server or aii)", k); }; }; true; From e65657aa5ac349292aa74a6610c42208fa9ef9a6 Mon Sep 17 00:00:00 2001 From: stdweird Date: Fri, 28 Jul 2023 11:38:00 +0200 Subject: [PATCH 5/5] github workflow: install rpm-build to trigger the maven rpm properties --- .github/workflows/continuous-integration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml index 4fce5ca106..93f610e7e4 100644 --- a/.github/workflows/continuous-integration.yaml +++ b/.github/workflows/continuous-integration.yaml @@ -23,7 +23,7 @@ jobs: # work, but this is a quick way of pulling in a lot of required dependencies. # Surprisingly `which` is not installed by default and panc depends on it. # libselinux-utils is required for /usr/sbin/selinuxenabled - dnf install -y maven which panc ncm-lib-blockdevices \ + dnf install -y maven which rpm-build panc ncm-lib-blockdevices \ ncm-ncd git libselinux-utils sudo perl-Crypt-OpenSSL-X509 \ perl-Data-Compare perl-Date-Manip perl-File-Touch perl-JSON-Any \ perl-Net-DNS perl-Net-FreeIPA perl-Net-OpenNebula \