Add support for RedHat 9

Signed-off-by: Kibahop <[email protected]>
Puppet-Finland · Jan 23, 2023 · 6706c32 · 6706c32
1 parent 92762aa
commit 6706c32
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 29 deletions.
diff --git a/README.md b/README.md
@@ -204,7 +204,8 @@ and passed to the IPA installer.
 If true, then the parameter '--fixed-primary' is passed to the IPA installer.
 
 #### `idstart`
-From the IPA man pages: "The starting user and group id number".
+From the IPA man pages: "The starting user and group id number". Note that this
+will clash with installer on RedHat 9. See adjust_login_defs parameter.
 
 #### `idmax`
 From the IPA man pages: "The max value for the IDs range (default: idstart+199999)".
@@ -291,10 +292,13 @@ The public or external FQDN used to access the IPA Web UI behind the reverse pro
 #### `webui_proxy_https_port`
 The HTTPS port to use for the reverse proxy. Cannot be 443.
 
+#### `adjust_login_defs`
+Adjust UID_MAX and GID_MAX in login.defs. This is require on RedHat 9. Default false.
+
 
 ## Limitations
 
-This module has only been tested on Centos 7.
+This module has only been tested on Centos 7 and RedHat 9.
 
 ## Testing
 A vagrantfile is provided for easy testing.

diff --git a/lib/facter/ipa_server_version.rb b/lib/facter/ipa_server_version.rb
@@ -0,0 +1,11 @@
+Facter.add(:ipa_server_version) do
+  setcode do
+    family = Facter.value('osfamily')
+    case family
+    when 'RedHat'
+      Facter::Core::Execution.execute('/bin/rpm -q ipa-server --queryformat "%{VERSION}"')
+    when 'Debian'
+      Facter::Core::Execution.execute('/usr/bin/dpkg-query -W -f="${Version}" ipa-server')
+    end
+  end
+end
diff --git a/manifests/config/webui.pp b/manifests/config/webui.pp
@@ -18,33 +18,38 @@
       'G',
     )
 
-    exec { 'semanage-port-http_port_t':
-      command => "semanage port -a -t http_port_t -p tcp ${proxy_https_port}",
-      unless  => "semanage port -l|grep -E \"^http_port_t.*tcp.*${proxy_https_port}\"",
-      path    => ['/bin','/sbin','/usr/bin','/usr/sbin'],
-    }
+    # IPA switched to mod_ssl as the crypto engine for Apache as of version 4.7.0
+    # see https://www.freeipa.org/page/Releases/4.7.0#Highlights_in_4.7.0
+    if versioncmp($::ipa_server_version, '4.7.0') < 0 {
 
-    file_line { 'webui_additional_https_port_listener':
-      ensure => present,
-      path   => '/etc/httpd/conf.d/nss.conf',
-      line   => "Listen ${proxy_https_port}",
-      after  => 'Listen\ 443',
-      notify => Service['httpd'],
-    }
+      exec { 'semanage-port-http_port_t':
+        command => "semanage port -a -t http_port_t -p tcp ${proxy_https_port}",
+        unless  => "semanage port -l|grep -E \"^http_port_t.*tcp.*${proxy_https_port}\"",
+        path    => ['/bin','/sbin','/usr/bin','/usr/sbin'],
+      }
 
-    file { '/etc/httpd/conf.d/ipa-rewrite.conf':
-      ensure  => file,
-      replace => true,
-      content => template('easy_ipa/ipa-rewrite.conf.erb'),
-      notify  => Service['httpd'],
-    }
+      file_line { 'webui_additional_https_port_listener':
+        ensure => present,
+        path   => '/etc/httpd/conf.d/nss.conf',
+        line   => "Listen ${proxy_https_port}",
+        after  => 'Listen\ 443',
+        notify => Service['httpd'],
+      }
+
+      file { '/etc/httpd/conf.d/ipa-rewrite.conf':
+        ensure  => file,
+        replace => true,
+        content => template('easy_ipa/ipa-rewrite.conf.erb'),
+        notify  => Service['httpd'],
+      }
 
-    file { '/etc/httpd/conf.d/ipa-webui-proxy.conf':
-      ensure  => file,
-      replace => true,
-      content => template('easy_ipa/ipa-webui-proxy.conf.erb'),
-      notify  => Service['httpd'],
-      require => Exec['semanage-port-http_port_t'],
+      file { '/etc/httpd/conf.d/ipa-webui-proxy.conf':
+        ensure  => file,
+        replace => true,
+        content => template('easy_ipa/ipa-webui-proxy.conf.erb'),
+        notify  => Service['httpd'],
+        require => Exec['semanage-port-http_port_t'],
+      }
     }
   }
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -152,6 +152,9 @@
 # @param webui_proxy_https_port
 #      (integer) The HTTPS port to use for the reverse proxy. Cannot be 443.
 #
+# @param adjust_login_defs
+#      (boolean) Adjust UID_MAX and GID_MAX in login.defs. Without this newer installers fail. Default false.
+#
 # TODO: Allow creation of root zone for isolated networks -- https://www.freeipa.org/page/Howto/DNS_in_isolated_networks
 # TODO: Class comments.
 # TODO: Dependencies and metadata updates.
@@ -202,6 +205,7 @@
   Boolean $webui_force_https                       = false,
   String $webui_proxy_external_fqdn                = 'localhost',
   String $webui_proxy_https_port                   = '8440',
+  Boolean $adjust_login_defs                       = false,
 ) {
   if $manage {
     # Include per-OS parameters and fail on unsupported OS
@@ -240,7 +244,26 @@
       default => '--no-sshd',
     }
 
-    require easy_ipa::validate_params
-    contain easy_ipa::install
+    if $adjust_login_defs {
+
+      file_line {
+        default:
+          path    => '/etc/login.defs',
+          replace => true,
+          ;
+        'adjust uid max':
+          line  => "UID_MAX\t11999",
+          match => '^UID_MAX\s*60000$',
+          ;
+        'adjust gid max':
+          line  => "GID_MAX\t11999",
+          match => '^GID_MAX\s*60000$',
+          ;
+      }
+    }
   }
+
+  require easy_ipa::validate_params
+  contain easy_ipa::install
 }
+
diff --git a/metadata.json b/metadata.json
@@ -33,7 +33,8 @@
       "operatingsystem": "RedHat",
       "operatingsystemrelease": [
         "7",
-        "8"
+        "8",
+        "9"
       ]
     },
     {
-Original file line number
+Diff line change
@@ Expand Up / @@ -33,7 +33,8 @@ @@
           "operatingsystem": "RedHat",
           "operatingsystemrelease": [
             "7",
-            "8"
+            "8",
+            "9"
           ]
         },
         {
@@ Expand Down @@