Add support for RHEL9

Signed-off-by: Kibahop <[email protected]>
Puppet-Finland · Apr 20, 2023 · 11c79ee · 11c79ee
1 parent 6706c32
commit 11c79ee
Show file tree

Hide file tree

Showing 8 changed files with 56 additions and 8 deletions.
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -4,3 +4,8 @@
 
 inherit_gem:
   voxpupuli-test: rubocop.yml
+
+AllCops:
+  Exclude:
+  - bin/*
+  - spec/fixtures/modules/**/*
diff --git a/lib/facter/gid_max.rb b/lib/facter/gid_max.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Facter.add(:gid_max) do
+  setcode do
+    lines = File.readlines('/etc/login.defs')
+    lines.find { |line| line.start_with?('GID_MAX') }.split[1].strip.to_i
+  end
+end
diff --git a/lib/facter/ipa_server_version.rb b/lib/facter/ipa_server_version.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Facter.add(:ipa_server_version) do
   setcode do
     family = Facter.value('osfamily')

diff --git a/lib/facter/uid_max.rb b/lib/facter/uid_max.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+Facter.add(:uid_max) do
+  setcode do
+    lines = File.readlines('/etc/login.defs')
+    lines.find { |line| line.start_with?('UID_MAX') }.split[1].strip.to_i
+  end
+end
diff --git a/manifests/config/webui.pp b/manifests/config/webui.pp
@@ -20,8 +20,8 @@
 
     # IPA switched to mod_ssl as the crypto engine for Apache as of version 4.7.0
     # see https://www.freeipa.org/page/Releases/4.7.0#Highlights_in_4.7.0
-    if versioncmp($::ipa_server_version, '4.7.0') < 0 {
-
+    # These are not needed for versions newer than 4.7.10
+    if versioncmp($facts['ipa_server_version'], '4.7.0') < 0 {
       exec { 'semanage-port-http_port_t':
         command => "semanage port -a -t http_port_t -p tcp ${proxy_https_port}",
         unless  => "semanage port -l|grep -E \"^http_port_t.*tcp.*${proxy_https_port}\"",

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -153,7 +153,7 @@
 #      (integer) The HTTPS port to use for the reverse proxy. Cannot be 443.
 #
 # @param adjust_login_defs
-#      (boolean) Adjust UID_MAX and GID_MAX in login.defs. Without this newer installers fail. Default false.
+#      (boolean) Adjust UID_MAX and GID_MAX in login.defs. Without this newer server installers fail. Default false.
 #
 # TODO: Allow creation of root zone for isolated networks -- https://www.freeipa.org/page/Howto/DNS_in_isolated_networks
 # TODO: Class comments.
@@ -217,7 +217,7 @@
     }
 
     $master_principals = suffix(
-      prefix( [$ipa_server_fqdn],
+      prefix([$ipa_server_fqdn],
         'host/'
       ),
       "@${final_realm}"
@@ -245,7 +245,6 @@
     }
 
     if $adjust_login_defs {
-
       file_line {
         default:
           path    => '/etc/login.defs',
@@ -261,9 +260,7 @@
           ;
       }
     }
-  }
 
   require easy_ipa::validate_params
   contain easy_ipa::install
 }
-
diff --git a/manifests/install/server.pp b/manifests/install/server.pp
@@ -16,6 +16,32 @@
 
   $server_install_cmd_opts_idstart = "--idstart=${easy_ipa::idstart}"
 
+  # Newer installers clash with both default UID_MAX and GID_MAX
+  # Note: SUB_* only affect user/group mapping in containers, so not of
+  # concern here
+  if $easy_ipa::adjust_login_defs {
+    if $easy_ipa::idstart < $facts['uid_max'] {
+      $uid_max_value = $easy_ipa::idstart -1
+    }
+    if $easy_ipa::idstart < $facts['gid_max'] {
+      $gid_max_value = $easy_ipa::idstart -1
+    }
+    file_line {
+      default:
+        path    => '/etc/login.defs',
+        replace => true,
+        ;
+      'adjust uid max':
+        line  => "UID_MAX\t${uid_max_value}",
+        match => '^UID_MAX.*$',
+        ;
+      'adjust gid max':
+        line  => "GID_MAX\t${gid_max_value}",
+        match => '^GID_MAX.*$',
+        ;
+    }
+  }
+
   $server_install_cmd_opts_idmax = $easy_ipa::idmax ? {
     undef   => '',
     default => "--idmax=${easy_ipa::idmax}"

diff --git a/plans/update_host_keys.pp b/plans/update_host_keys.pp
@@ -50,12 +50,14 @@
     $rsa = $ipa_client.facts['ssh']['rsa']['key']
     $dsa = $ipa_client.facts['ssh']['dsa']['key']
 
-    $ipa_host_mod_cmd = "ipa host-mod ${ipa_client.facts['fqdn']} --sshpubkey=\"${ed25519}\" --sshpubkey=\"${ecdsa}\" --sshpubkey=\"${rsa}\" --sshpubkey=\"${dsa}\" --updatedns"
+    $ipa_host_mod_cmd = "ipa host-mod ${ipa_client.facts['fqdn']} --sshpubkey=\"${ed25519}\" --sshpubkey=\"${ecdsa}\" --sshpubkey=\"${rsa}\" --sshpubkey=\"${dsa}\" --updatedns"  # lint:ignore:140chars
 
     if $noop {
       out::message("No-op: would run \"${ipa_host_mod_cmd}\" on IPA server")
     } else {
+      # lint:ignore:manifest_whitespace_opening_bracket_before  # lint:ignore:140chars 
       $ipa_host_mod_resultset = run_command($ipa_host_mod_cmd, $ipa_server, '_catch_errors' => true) ['stdout','stderr'].each |$output| {
+        # lint:endignore
         out::message($ipa_host_mod_resultset.first.value[$output])
       }
     }