How to create a gitlab ci/cd with ipaserver and ipareplica?

[awsmaythem]

hello all,
How can i create a gitlab project about deploy or replica or cluster
because i create with all the settings and inventory files and roles it's not working

for example :
ci/cd file:
`
stages:

• deploy

deploy:
stage: deploy
image: git.test.local:9000/infra-public/docker-images/ansible:2.9-alpine-3.13
before_script:
- eval $(ssh-agent -s)
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
- mkdir -p ~/.ssh
- chmod 400 ~/.ssh
- export ANSIBLE_HOST_KEY_CHECKING=False
- ansible-galaxy collection install freeipa.ansible_freeipa
script:
- ansible-playbook -v -i inventory/hosts.replica install-replica.yml
`
inventory file:

`[ipaserver]
ipa-aws1.test.local
ipa-aws2.test.local

[ipaserver:vars]
ipaadmin_password=test1234
ipadm_password=test1234
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
ipaserver_setup_dns=yes
ipaserver_auto_forwarders=yes
ipaserver_install_packages=no
ipaserver_setup_firewalld=no
ipaserver_ip_addresses=192.168.15.8,192.168.15.9

[ipareplicas]
ipa-aws3r.test.local ipa-aws1.test.local=ipa-aws3r.test.local
ipa-aws4r.test.local ipa-aws2.test.local=ipa-aws4r.test.local

[ipareplicas:vars]
ipaadmin_password=test1234
ipadm_password=test1234
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
ipareplica_install_packages=no
ipareplica_setup_firewalld=no
ipareplica_setup_ca=yes
ipareplica_ip_addresses=192.168.15.10,192.168.15.11
`

but it's failed in pipeline:

Running with gitlab-runner 15.2.1 (32fc1585) on git-runner04 vkCvEtSx Resolving secrets 00:00 Preparing the "docker" executor 00:01 Using Docker executor with image git.test.local:9000/infra-public/docker-images/ansible:2.9-alpine-3.13 ... Authenticating with credentials from job payload (GitLab Registry) Pulling docker image git.elcld.net:9000/infra-public/docker-images/ansible:2.9-alpine-3.13 ... Using docker image sha256:8f592ef26ea171c15d68c43c8018dc33548a98b13561f03b6ae0753539a20fd8 for git.test.local:9000/infra-public/docker-images/ansible:2.9-alpine-3.13 with digest git.elcld.net:9000/infra-public/docker-images/ansible@sha256:66174846605f5f3b6faea1e23a22cec27368741381f4f444c45788a8d4f68742 ... Preparing environment 00:01 Running on runner-vkcvetsx-project-884-concurrent-0 via run4-rhv2.test.local... Getting source from Git repository 00:01 Fetching changes with git depth set to 20... Reinitialized existing Git repository in /builds/amaytham/freeipa/.git/ Checking out 86f72a37 as main... Skipping Git submodules setup Executing "step_script" stage of the job script 00:11 Using docker image sha256:8f592ef26ea171c15d68c43c8018dc33548a98b13561f03b6ae0753539a20fd8 for git.test.local:9000/infra-public/docker-images/ansible:2.9-alpine-3.13 with digest git.elcld.net:9000/infra-public/docker-images/ansible@sha256:66174846605f5f3b6faea1e23a22cec27368741381f4f444c45788a8d4f68742 ... $ eval $(ssh-agent -s) Agent pid 14 $ echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - Identity added: (stdin) ((stdin)) $ mkdir -p ~/.ssh $ chmod 400 ~/.ssh $ export ANSIBLE_HOST_KEY_CHECKING=False $ ansible-galaxy collection install freeipa.ansible_freeipa Process install dependency map |Starting collection install process |Installing 'freeipa.ansible_freeipa:1.9.2' to '/root/.ansible/collections/ansible_collections/freeipa/ansible_freeipa' $ ansible-playbook -v -i inventory/hosts.replica install-replica.yml No config file found; using defaults PLAY [Playbook to configure IPA replicas] ************************************** TASK [Gathering Facts] ********************************************************* ok: [ipa-aws4r.test.local] ok: [ipa-aws3r.test.local] TASK [ipareplica : Import variables specific to distribution] ****************** ok: [ipa-aws3r.test.local] => (item=/builds/amaytham/freeipa/roles/ipareplica/vars/default.yml) => {"ansible_facts": {"ipareplica_packages": ["freeipa-server", "python3-libselinux"], "ipareplica_packages_adtrust": ["freeipa-server-trust-ad"], "ipareplica_packages_dns": ["freeipa-server-dns"], "ipareplica_packages_firewalld": ["firewalld"]}, "ansible_included_var_files": ["/builds/amaytham/freeipa/roles/ipareplica/vars/default.yml"], "ansible_loop_var": "item", "changed": false, "item": "/builds/amaytham/freeipa/roles/ipareplica/vars/default.yml"} ok: [ipa-aws4r.test.local] => (item=/builds/amaytham/freeipa/roles/ipareplica/vars/default.yml) => {"ansible_facts": {"ipareplica_packages": ["freeipa-server", "python3-libselinux"], "ipareplica_packages_adtrust": ["freeipa-server-trust-ad"], "ipareplica_packages_dns": ["freeipa-server-dns"], "ipareplica_packages_firewalld": ["firewalld"]}, "ansible_included_var_files": ["/builds/amaytham/freeipa/roles/ipareplica/vars/default.yml"], "ansible_loop_var": "item", "changed": false, "item": "/builds/amaytham/freeipa/roles/ipareplica/vars/default.yml"} TASK [ipareplica : Install IPA replica] **************************************** included: /builds/amaytham/freeipa/roles/ipareplica/tasks/install.yml for ipa-aws3r.test.local, ipa-aws4r.test.local TASK [ipareplica : Install - Ensure IPA replica packages are installed] ******** skipping: [ipa-aws3r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} skipping: [ipa-aws4r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} TASK [ipareplica : Install - Ensure IPA replica packages for dns are installed] *** skipping: [ipa-aws3r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} skipping: [ipa-aws4r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} TASK [ipareplica : Install - Ensure IPA replica packages for adtrust are installed] *** skipping: [ipa-aws3r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} skipping: [ipa-aws4r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} TASK [ipareplica : Install - Ensure that firewall packages installed] ********** skipping: [ipa-aws3r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} skipping: [ipa-aws4r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} TASK [ipareplica : Firewalld service - Ensure that firewalld is running] ******* skipping: [ipa-aws3r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} skipping: [ipa-aws4r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} TASK [Firewalld - Verify runtime zone "{{ ipareplica_firewalld_zone }}"] ******* skipping: [ipa-aws3r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} skipping: [ipa-aws4r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} TASK [Firewalld - Verify permanent zone "{{ ipareplica_firewalld_zone }}"] ***** skipping: [ipa-aws3r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} skipping: [ipa-aws4r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} TASK [Install - Set ipareplica_servers] **************************************** skipping: [ipa-aws3r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} skipping: [ipa-aws4r.test.local] => {"changed": false, "skip_reason": "Conditional result was False"} TASK [ipareplica : Install - Set default principal if no keytab is given] ****** ok: [ipa-aws3r.test.local] => {"ansible_facts": {"ipaadmin_principal": "admin"}, "changed": false} ok: [ipa-aws4r.test.local] => {"ansible_facts": {"ipaadmin_principal": "admin"}, "changed": false} TASK [ipareplica : Install - Replica installation test] ************************ fatal: [ipa-aws4r.test.local]: FAILED! => {"changed": false, "msg": "No module named 'ipapython'"} fatal: [ipa-aws3r.test.local]: FAILED! => {"changed": false, "msg": "No module named 'ipapython'"} PLAY RECAP ********************************************************************* ipa-aws3r.test.local : ok=4 changed=0 unreachable=0 failed=1 skipped=8 rescued=0 ignored=0 ipa-aws4r.test.local : ok=4 changed=0 unreachable=0 failed=1 skipped=8 rescued=0 ignored=0 Cleaning up project directory and file based variables 00:01 ERROR: Job failed: exit code 2

where did i make a mistake?

[awsmaythem]

the tree of folders and files are from your github

1. .copr
2. .github/workflows
3. inventory
4. meta
5. molecule
6. playbooks
7. plugins
8. roles
9. tests
10. utils
11. .ansible-lint
12. .gitignore
13. .gitlab-ci.yml Update .gitlab-ci.yml
14. .pre-commit-config.yaml
15. .yamllint
16. galaxy.yml
17. id_rsa_freeipa_server.pub
18. install-replica.yml
19. pytest.ini
20. requirements-dev.txt
21. requirements-docker.yml
22. requirements-podman.yml
23. requirements-tests.txt
24. requirements.txt
25. setup.cfg
26. setup.py

[t-woerner]

Hello,
this is expected as ipaserver_install_packages and ipareplica_install_packages have been disabled. Therefore the needed packages and bindings are not installed. ipa*_install_packages should only be disabled if all the needed packages have been installed (manually) before.

[rjeffman]

@awsmaythem I had a hard time having a primary server and a replica on the same host, using containers (still an open issue for me). Along of what @t-woerner wrote, you might want to look at https://github.com/freeipa/freeipa-container on deploying FreeIPA as containers.

I'm working on using Vagrant and libvirt virtual machines to deploy a cluster (primary server, one replica, one client) using Github machinery. The current status is "WIP", and code can be found at #1010

[awsmaythem]

hi again
the problem was ipareplica_install_packages is disabled in inventory i re-enable it and this error result :

fatal: [ipa-aws4r.test.local]: FAILED! => {"changed": false, "failures": ["freeipa-server All matches were filtered out by modular filtering for argument: freeipa-server"], "msg": "Failed to install some of the specified packages", "rc": 1, "results": []}

the nodes OS is rocky 8.5 is it that the problem?

[rjeffman]

Rocky Linux used to work well. I don't have access to an image for 8.5, but testing on a 8.6 OpenStack cloud image, the server installation was fine. I didn't tried to install a replica, but I except no issues with that.

That error is usually caused by repository (mis?)configuration.

[awsmaythem]

the cluster need to be not in containers normal installation is required :
i have 4 nodes the 2 nodes is installed freeipa server and the secound nodes for freeipa replica from first 2 nodes and this need to be using ansible
Please help on installing 2 nodes replica installation

[rjeffman]

You may also find something useful here: https://rafaeljeffman.com/projects/freeipa/en/cluster-deployment-ansible.html

This was tested with local VMs, both using libvirt and vagrant with libvirt and virtualbox providers. With virtualbox I had a few issues with replica install, as I don't have much experience with it.

[awsmaythem]

i found why it's giving me error the module on rocky 8.5 is not enabled

fatal: [ipa-aws4r.test.local]: FAILED! => {"changed": false, "failures": ["freeipa-server All matches were filtered out by modular filtering for argument: freeipa-server"], "msg": "Failed to install some of the specified packages", "rc": 1, "results": []}

i run this command on the node and it's solve the problem

dnf module enable idm

now i need to find why it's stopped on install ipa client
Unable to find IPA Server to join

[awsmaythem]

@rjeffman thanks for the useful link https://rafaeljeffman.com/projects/freeipa/en/cluster-deployment-ansible.html
and thanks @t-woerner for notify me that ipaserver_install_packages was not active

please check if my inventory file (hosts.replica) is correct or not :

[ipaserver]
ipa-aws1.test.local ansible_host=192.168.15.8
ipa-aws2.test.local ansible_host=192.168.15.9

[ipaserver:vars]
ipaadmin_password=test1234
ipadm_password=test1234
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
ipaserver_install_packages=yes
ipaserver_ip_addresses=192.168.15.8,192.168.15.9

[ipareplicas]
ipa-aws3r.test.local ansible_host=192.168.15.10
ipa-aws4r.test.local ansible_host=192.168.15.11

[ipareplicas:vars]
ipaadmin_password=test1234
ipadm_password=test1234
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
ipareplica_server=ipa-aws3r.test.local
ipaserver_hostname=ipa-aws1.test.local
ipaclient_all_ip_addresses=yes
ipareplica_install_packages=yes
ipareplica_ip_addresses=192.168.15.10,192.168.15.11

with running this command :
`ansible-playbook -v -i inventory/hosts.replica install-replica.yml'

and i added
dnf module enable idm:DL1 and added hosts to 2 replica vm's ipa-aws3r.test.local and ipa-aws4r.test.local
/etc/hosts

192.168.15.8 ipa-aws1.test.local
192.168.15.9 ipa-aws2.test.local
192.168.15.10 ipa-aws3r.test.local
192.168.15.11 ipa-aws4r.test.local

because it's always end up on error
[Install - Replica installation test]
fatal: [ipa-aws3r.test.local]: FAILED! => {"changed": false, "msg": "Unable to find IPA Server to join"} fatal: [ipa-aws4r.test.local]: FAILED! => {"changed": false, "msg": "Unable to find IPA Server to join"}

[t-woerner]

There are two servers in ipaserver, there can only be one initial master server for a domain.

[awsmaythem]

ok can i set 3 nodes replica to one master and how the inventory be set as? @t-woerner

[awsmaythem]

ok i added ipaclient and set 1 master node and 1 repilca node

[ipaserver]
ipa-aws1.test.local

[ipaserver:vars]
ipaadmin_password=test1234
ipadm_password=test1234
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
ipaserver_install_packages=yes
ipaserver_ip_addresses=192.168.15.8

[ipaclients]
ipa-aws3r.test.local

[ipaclients:vars]
ipaadmin_principal=test1234
ipaadmin_password=test1234
ipaclient_domain=test.local
ipaclient_configure_dns_resolver=yes
ipaclient_dns_servers=192.168.15.8
ipaclient_install_packages=yes

[ipareplicas]
ipa-aws3r.test.local

[ipareplicas:vars]
ipaadmin_password=test1234
ipadm_password=test1234
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
ipareplica_setup_firewalld=no
ipaserver_hostname=ipa-aws1.test.local
ipaclient_force_join=yes
ipaclient_all_ip_addresses=yes
ipareplica_install_packages=yes
ipareplica_ip_addresses=192.168.15.10

but it's give me and error at :

fatal: [ipa-aws3r.test.local]: FAILED! => {"changed": false, "msg": "Kerberos authentication failed: kinit: Client '********@TEST.LOCAL' not found in Kerberos database while getting initial credentials\n"}

is this correct? i mean the inventory

[awsmaythem]

the error is change because i was mistyped the value and added wrong env here is my new inv file

[ipaserver]
ipa-aws1.test.local

[ipaserver:vars]
ipaadmin_password=test1234
ipadm_password=test1234
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
ipaserver_install_packages=yes
ipaserver_ip_addresses=192.168.15.8

[ipaclients]
ipa-aws3r.test.local

[ipaclients:vars]
ipaadmin_principal=admin
ipaadmin_password=test1234
ipaclient_domain=test.local
ipaclient_install_packages=yes
ipaclient_realm=TEST.LOCAL

[ipareplicas]
ipa-aws3r.test.local

[ipareplicas:vars]
ipaclient_domain=test.local
ipaadmin_principal=admin
ipaclient_realm=TEST.LOCAL
ipaadmin_password=test1234
ipadm_password=test1234
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
ipareplica_setup_firewalld=no
ipaserver_hostname=ipa-aws1.test.local
ipaclient_all_ip_addresses=yes
ipareplica_install_packages=yes
ipareplica_ip_addresses=192.168.15.10

now i have a new error

Shared connection to ipa-aws3r.test.local closed
Error: 'Env' object has no attribute 'realm' 

[awsmaythem]

i change the config to much simple inv and edit the playbook
from (present) to (absent)

  roles:
  - role: ipareplica
    state: absent

inv :

[ipaserver]
ipa-aws1.test.local

[ipareplicas]
ipa-aws3r.test.local
ipa-aws4r.test.local ipa-aws1.test.local=ipa-aws3r.test.local

[ipareplicas:vars]
ipareplica_domain=test.local
ipaadmin_principal=admin
ipaadmin_password=test1234
ipadm_password=test1234
ipareplica_install_packages=yes
ipareplica_setup_firewalld=no
ipareplica_ip_addresses=192.168.15.10,192.168.15.11
ipaserver_ip_addresses=192.168.15.8

it's uninstalling the ipa replica
cicd54.log
please help

[awsmaythem]

now it's all working well
inv :

[ipaserver]
ipa-aws1.test.local ansible_host=192.168.15.8

[ipareplicas]
ipa-aws2.test.local ansible_host=192.168.15.9
ipa-aws3r.test.local ansible_host=192.168.15.10
ipa-aws4r.test.local ansible_host=192.168.15.11

[ipareplicas:vars]
ansible_user=root
ipareplica_domain=test.local
ipaadmin_principal=admin
ipaadmin_password=test1234
ipadm_password=test1234
ipareplica_install_packages=yes
ipareplica_setup_firewalld=no
ipareplica_setup_dns=yes
ipareplica_forwarders=8.8.8.8
ipareplica_servers=ipa-aws1.test.local
ipaclient_all_ip_addresses=yes
ipareplica_setup_ca=yes

and changed back the playbook to present

thanks

[awsmaythem]

now i have a diffrent cluster with 2 nodes 1 master 1 replica

it's successfuly replica
but when i uninstall replica the hostname stay in host tab in IPA and cant be removed it and i try to install again replica it's giving me a error message check the log file

inv:

[ipaserver]
ipa-aws1.test.local ansible_host=10.4.17.11

[ipareplicas]
ipa-aws2.test.local ansible_host=10.4.17.12

[ipareplicas:vars]
ansible_user=root
ipareplica_domain=test.local
ipaadmin_principal=admin
ipaadmin_password=test1234
ipadm_password=test1234
ipareplica_install_packages=yes
ipareplica_setup_firewalld=no
ipareplica_setup_dns=yes
ipareplica_forwarders=109.224.14.2
ipareplica_servers=ipa-aws1.test.local
ipaclient_all_ip_addresses=yes
ipaserver_realm=TEST.LOCAL
ipaclient_force_join=yes

cicd65.log

[t-woerner]

The uninstallation is not removing the replica/server from the domain. This is the same as with the command line installers.

But there is work underway to enable this for ipaserver and ipareplica role.

[awsmaythem]

when installing a new deploy ipaserver the ansible giving an error msg

Failed to install some of the specified packages 

and i solve it by manual run in vm

dnf module enable idm:DL1
y

can you add

- name: enable repo
  ansible.builtin.dnf:
    name: idm
    enablerepo: idm:DL1
    state: present

in installation yml file?

[awsmaythem]

note this is only on my ROCKY Linux OS 8.7

[rjeffman]

Is the new deploy on a clean environment?

I was not able to reproduce this issue.