Instead of telling the user to make sure ports are open, ipa-server-install should offer to open them for you:

The following network ports must be open:

TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
  * 53: bind
UDP Ports:
  * 88, 464: kerberos
  * 53: bind
  * 123: ntp

Would you like to modify the existing firewall configuration? [Y/n]
Moving RFE to 6.3.0.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2110
Verified

# rpm -qa ansible-freeipa
ansible-freeipa-0.1.6-3.el8.noarch

Now rules are added for the necessary firewall ports.

1) Firewall stopped before server installation

Console output:-

On Server
==========
[root@ipaserver1 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor pres>
   Active: inactive (dead)
     Docs: man:firewalld(1)

On Controller
=============
TASK [ipaserver : Install - Configure firewalld] ***********************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:413
<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<ipaserver1.test.local> (0, b'/root\n', b'')
<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053 `" && echo ansible-tmp-1566554695.0504465-149489153310053="` echo /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053 `" ) && sleep 0'"'"''
<ipaserver1.test.local> (0, b'ansible-tmp-1566554695.0504465-149489153310053=/root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053\n', b'')
Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/commands/command.py
<ipaserver1.test.local> PUT /root/.ansible/tmp/ansible-local-20037rycwt47_/tmpf8p23588 TO /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py
<ipaserver1.test.local> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 '[ipaserver1.test.local]'
<ipaserver1.test.local> (0, b'sftp> put /root/.ansible/tmp/ansible-local-20037rycwt47_/tmpf8p23588 /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py\n', b'')
<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/ /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py && sleep 0'"'"''
<ipaserver1.test.local> (0, b'', b'')
<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 -tt ipaserver1.test.local '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-bnomccxwebzbhxffkmrghgzgmehcdgdr ; /usr/libexec/platform-python /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<ipaserver1.test.local> (1, b'\r\n{"msg": "non-zero return code", "cmd": ["firewall-cmd", "--permanent", "--add-service=freeipa-ldap", "--add-service=freeipa-ldaps", "--add-service=dns", "--add-service=ntp"], "stdout": "", "stderr": "FirewallD is not running", "rc": 252, "start": "2019-08-23 06:04:55.645419", "end": "2019-08-23 06:04:55.924955", "delta": "0:00:00.279536", "changed": true, "failed": true, "invocation": {"module_args": {"_raw_params": "firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps \\n--add-service=dns --add-service=ntp\\n", "warn": true, "_uses_shell": false, "stdin_add_newline": true, "strip_empty_ends": true, "argv": null, "chdir": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}\r\n', b'Shared connection to ipaserver1.test.local closed.\r\n')
<ipaserver1.test.local> Failed to connect to the host via ssh: Shared connection to ipaserver1.test.local closed.
<ipaserver1.test.local> ESTABLISH SSH CONNECTION FOR USER: None
<ipaserver1.test.local> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b0d460c3c0 ipaserver1.test.local '/bin/sh -c '"'"'rm -f -r /root/.ansible/tmp/ansible-tmp-1566554695.0504465-149489153310053/ > /dev/null 2>&1 && sleep 0'"'"''
<ipaserver1.test.local> (0, b'', b'')
fatal: [ipaserver1.test.local]: FAILED! => {
    "changed": true,
    "cmd": [
        "firewall-cmd",
        "--permanent",
        "--add-service=freeipa-ldap",
        "--add-service=freeipa-ldaps",
        "--add-service=dns",
        "--add-service=ntp"
    ],
    "delta": "0:00:00.279536",
    "end": "2019-08-23 06:04:55.924955",
    "invocation": {
        "module_args": {
            "_raw_params": "firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps \n--add-service=dns --add-service=ntp\n",
            "_uses_shell": false,
            "argv": null,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "stdin_add_newline": true,
            "strip_empty_ends": true,
            "warn": true
        }
    },
    "msg": "non-zero return code",
    "rc": 252,
    "start": "2019-08-23 06:04:55.645419",
    "stderr": "FirewallD is not running",
    "stderr_lines": [
        "FirewallD is not running"
    ],
    "stdout": "",
    "stdout_lines": []
}

PLAY RECAP *************************************************************************************************
ipaserver1.test.local      : ok=35   changed=18   unreachable=0    failed=1    skipped=28   rescued=0    ignored=0

=====================================================================================

2) Firewall started before server installation

Console output:-

On Server
==========
[root@ipaserver1 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor pres>
   Active: active (running) since Fri 2019-08-23 06:51:29 EDT; 2min 14s ago
     Docs: man:firewalld(1)
 Main PID: 8251 (firewalld)
    Tasks: 2 (limit: 26213)
   Memory: 21.6M
   CGroup: /system.slice/firewalld.service
           └─8251 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --no>

Aug 23 06:51:28 ipaserver1.test.local systemd[1]: Starting firewalld - dynamic fire>
Aug 23 06:51:29 ipaserver1.test.local systemd[1]: Started firewalld - dynamic firew>
lines 1-12/12 (END)

On Controller
=============
[root@kvm-01-guest29 ~]# ansible-playbook -vv -i inventory/hosts.cluster install-cluster.yml
ansible-playbook 2.8.4
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.6.8 (default, Aug 6 2019, 19:43:07) [GCC 8.3.1 20190507 (Red Hat 8.3.1-4)]
No config file found; using defaults

PLAYBOOK: install-cluster.yml ******************************************************************************
2 plays in install-cluster.yml

PLAY [Install IPA servers] *********************************************************************************

TASK [Gathering Facts] *************************************************************************************
task path: /root/install-cluster.yml:2
ok: [ipaserver1.test.local]
META: ran handlers

TASK [ipaserver : Import variables specific to distribution] ***********************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:4
ok: [ipaserver1.test.local] => (item=/usr/share/ansible/roles/ipaserver/vars/RedHat-8.yml) => {"ansible_facts": {"ipaserver_packages": ["@idm:DL1/server"], "ipaserver_packages_adtrust": ["@idm:DL1/adtrust"], "ipaserver_packages_dns": ["@idm:DL1/dns"]}, "ansible_included_var_files": ["/usr/share/ansible/roles/ipaserver/vars/RedHat-8.yml"], "ansible_loop_var": "item", "changed": false, "item": "/usr/share/ansible/roles/ipaserver/vars/RedHat-8.yml"}

TASK [ipaserver : Install IPA server] **********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:12
included: /usr/share/ansible/roles/ipaserver/tasks/install.yml for ipaserver1.test.local

TASK [ipaserver : Install - Ensure that IPA server packages are installed] *********************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:5
ok: [ipaserver1.test.local] => {"changed": false, "msg": "Nothing to do", "rc": 0, "results": []}

TASK [ipaserver : Install - Ensure that IPA server packages for dns are installed] *************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:10
ok: [ipaserver1.test.local] => {"changed": false, "msg": "Nothing to do", "rc": 0, "results": []}

TASK [ipaserver : Install - Ensure that IPA server packages for adtrust are installed] *********************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:16
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}

* * * * *

TASK [ipaserver : Install - Setup HTTP] ********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:293
changed: [ipaserver1.test.local] => {"changed": true}

TASK [ipaserver : Install - Setup KRA] *********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:325
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaserver : Install - Setup DNS] *********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:336
changed: [ipaserver1.test.local] => {"changed": true}

TASK [ipaserver : Install - Setup ADTRUST] *****************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:353
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipaserver : Install - Set DS password] ***************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:368
changed: [ipaserver1.test.local] => {"changed": true}

TASK [Install - Setup client] ******************************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:385

* * * * *

TASK [ipaserver : Install - Configure firewalld] ***********************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:413
changed: [ipaserver1.test.local] => {"changed": true, "cmd": ["firewall-cmd", "--permanent", "--add-service=freeipa-ldap", "--add-service=freeipa-ldaps", "--add-service=dns", "--add-service=ntp"], "delta": "0:00:00.369963", "end": "2019-08-23 07:01:44.442069", "rc": 0, "start": "2019-08-23 07:01:44.072106", "stderr": "", "stderr_lines": [], "stdout": "success", "stdout_lines": ["success"]}

TASK [ipaserver : Install - Configure firewalld runtime] ***************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:425
changed: [ipaserver1.test.local] => {"changed": true, "cmd": ["firewall-cmd", "--add-service=freeipa-ldap", "--add-service=freeipa-ldaps", "--add-service=dns", "--add-service=ntp"], "delta": "0:00:00.436310", "end": "2019-08-23 07:01:45.342103", "rc": 0, "start": "2019-08-23 07:01:44.905793", "stderr": "", "stderr_lines": [], "stdout": "success", "stdout_lines": ["success"]}

TASK [ipaserver : Uninstall IPA server] ********************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:16
skipping: [ipaserver1.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}
META: ran handlers
META: ran handlers

PLAY [Install IPA replicas] ********************************************************************************

TASK [Gathering Facts] *************************************************************************************
task path: /root/install-cluster.yml:10
ok: [ipareplica2.test.local]
META: ran handlers

TASK [ipareplica : Import variables specific to distribution] **********************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/main.yml:4
ok: [ipareplica2.test.local] => (item=/usr/share/ansible/roles/ipareplica/vars/RedHat-8.yml) => {"ansible_facts": {"ipareplica_packages": ["@idm:DL1/server"], "ipareplica_packages_adtrust": ["@idm:DL1/adtrust"], "ipareplica_packages_dns": ["@idm:DL1/dns"]}, "ansible_included_var_files": ["/usr/share/ansible/roles/ipareplica/vars/RedHat-8.yml"], "ansible_loop_var": "item", "changed": false, "item": "/usr/share/ansible/roles/ipareplica/vars/RedHat-8.yml"}

TASK [ipareplica : Install IPA replica] ********************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/main.yml:12
included: /usr/share/ansible/roles/ipareplica/tasks/install.yml for ipareplica2.test.local

* * * * *

TASK [ipareplica : Install - Setup DNS] ********************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:672
changed: [ipareplica2.test.local] => {"changed": true}

TASK [ipareplica : Install - Setup adtrust] ****************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:696
skipping: [ipareplica2.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [ipareplica : Install - Enable IPA] *******************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:718
changed: [ipareplica2.test.local] => {"changed": true}

TASK [ipareplica : Install - Cleanup root IPA cache] *******************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/install.yml:735
ok: [ipareplica2.test.local] => {"changed": false, "path": "/root/.ipa_cache", "state": "absent"}

TASK [ipareplica : Uninstall IPA replica] ******************************************************************
task path: /usr/share/ansible/roles/ipareplica/tasks/main.yml:16
skipping: [ipareplica2.test.local] => {"changed": false, "skip_reason": "Conditional result was False"}
META: ran handlers
META: ran handlers

PLAY RECAP *************************************************************************************************
ipareplica2.test.local     : ok=51   changed=37   unreachable=0    failed=0    skipped=26   rescued=0    ignored=0
ipaserver1.test.local      : ok=37   changed=20   unreachable=0    failed=0    skipped=29   rescued=0    ignored=0
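The two runs above show the failure mode: with firewalld stopped, `firewall-cmd --permanent ...` exits with rc 252 and "FirewallD is not running", which aborts the whole install. The following tasks are an added example, not the ansible-freeipa role's own code, of how a role can check the daemon state first and fail with a clear message (or skip) instead of surfacing the raw rc 252; the `ipaserver_setup_firewalld` switch is an assumed variable name, and the page's two `firewall-cmd` command calls are replaced by the `firewalld` module with `permanent` and `immediate` set together.

```yaml
# Added example (hypothetical tasks, not from ansible-freeipa): open the FreeIPA
# services only when firewalld is actually running on the target host.
- name: Install - Check whether firewalld is running
  command: systemctl is-active firewalld
  register: firewalld_state
  changed_when: false
  # "systemctl is-active" exits non-zero for inactive/unknown; that is a
  # result to inspect, not a task failure.
  failed_when: false

- name: Install - Fail early if firewall setup is requested but firewalld is down
  fail:
    msg: >-
      firewalld is not running (state: {{ firewalld_state.stdout }}).
      Start firewalld before installing, or set ipaserver_setup_firewalld=false
      to manage the firewall yourself.
  when:
    - ipaserver_setup_firewalld | default(true)   # assumed role switch
    - firewalld_state.stdout != "active"

- name: Install - Configure firewalld (permanent and runtime in one step)
  firewalld:
    service: "{{ item }}"
    permanent: yes    # survives a firewalld reload/reboot
    immediate: yes    # also applied to the running configuration now
    state: enabled
  loop:
    - freeipa-ldap    # 389/636 plus the web UI ports and Kerberos, per the page
    - freeipa-ldaps
    - dns             # 53 TCP/UDP
    - ntp             # 123 UDP
  when:
    - ipaserver_setup_firewalld | default(true)
    - firewalld_state.stdout == "active"
```

Running this with firewalld stopped reproduces case 1 as a single readable failure at the pre-check; with firewalld active it performs the same change the page's two "Configure firewalld" tasks report as "success".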
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3418
Automated test console output:
===============================
Version: ansible-freeipa-0.1.8-3.el8.noarch

2020-03-20T11:56:06 ansible_freeipa_tests/test_idm_deploy_master.py::TestMaster30::test_with_firewalld_stop
2020-03-20T11:56:06 -------------------------------- live log call ---------------------------------
2020-03-20T11:56:06 [paramiko.transport] INFO Connected (version 2.0, client OpenSSH_8.0)
2020-03-20T11:56:06 [paramiko.transport] INFO Authentication (publickey) successful!
2020-03-20T11:56:06 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['systemctl', 'stop', 'firewalld']
2020-03-20T11:56:07 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['systemctl', 'status', 'firewalld']
2020-03-20T11:56:07 [paramiko.transport] INFO Connected (version 2.0, client OpenSSH_8.0)
2020-03-20T11:56:07 [paramiko.transport] INFO Authentication (publickey) successful!
2020-03-20T11:56:07 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO WRITE inventory/server.hosts
2020-03-20T11:56:07 [paramiko.transport.sftp] INFO [chan 0] Opened sftp connection (server version 3)
2020-03-20T11:56:07 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO PUT install-server.yaml
2020-03-20T11:56:07 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/server.hosts', 'install-server.yaml']
2020-03-20T12:05:57 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['ipactl', 'status']
2020-03-20T12:06:00 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['kinit', 'admin']
2020-03-20T12:06:00 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['ipa', 'server-role-show', 'master.ipadomain.test', 'DNS server']
2020-03-20T12:06:04 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['systemctl', 'status', 'firewalld']
2020-03-20T12:06:04 PASSED [ 10%]