So welcome. This is the talk "Ansible Deployment and Management Updates for IdM". The plan changed a little bit, so there will be no bigger demo. If there is time left there will be a small demo, but let's start. So, as you see, there are several things: a small overview of ansible-freeipa and afterwards the changes, so for the roles and management modules, the new roles and new management modules, and also utilities at the end. Here you have an overview of ansible-freeipa in its current state. All the bold-marked things are the new stuff that has been added since the last DevConf. We have an additional role; this is the backup role, for backup and restore. And for management modules, additionally to the other ones: last time we added HBAC and also the DNS stuff, and now we have several modules, the RBAC modules and also ipalocation and ipatrust. I will show some examples about this later in this presentation. The availability, distribution and versions have not changed. So we still have RPMs, we have a collection on Galaxy and we have several supported distributions. On Debian 10, I think server is now possible, but I'm not sure; this needs to be verified. For all management modules we have a minimum requirement of IPA 4.4, and for the deployment roles: for server we have 4.5+, for replica we have 4.6+ and for client we have 4.4+. So let's simply say everything from 4.6 up is supported by all roles and modules. The requirements: on the controller we need an Ansible version. 2.8+ is supported for all RPMs that we are providing for ansible-freeipa and also upstream. We also have an Ansible collection on Galaxy. Right now it's fully supported in Ansible 2.8 and 2.10+. There is an issue with 2.9 right now in the deployment roles: you will run into a "spec is None" error, because Ansible is importing module_utils not in the really correct way.
So it tries to load all imports and fails, because it's trying this on the controller to make sure to copy the right files to the nodes. There is currently a workaround; this is work in progress, so this is something that we will add in the next weeks to make the Ansible collection on Galaxy work for the deployment. Additionally, you will need kinit, so you will need the Kerberos utilities, as soon as you want to use a one-time password. And python3-gssapi is required also for OTP, if you use a keytab for installing the client. On the node, you will need a supported FreeIPA version and a supported distribution. That means you need to have packages for FreeIPA available and also the files in ansible-freeipa that are defining which packages or modules need to be installed to be able to use FreeIPA. So we have enhancements in the deployment roles. There is one thing that has been added for the ipaserver and ipareplica roles for the deployment: a new setting that is called ipaserver_firewalld_zone for the server and ipareplica_firewalld_zone for the replica. Up to now, firewalld was automatically enabled and also configured within the default zone, and with this setting you can define another zone to use for the server and replica deployment. It's very important to open the firewall. For the server, the firewall is opened after the deployment, but for the replica it needs to be opened before, because there is a connection check that is making sure that the replica is able to speak to the server and the other way around. So it's very important to open the firewall ports for IPA before you deploy, otherwise you will fail: the connection check will fail and you will see an error message. And to have this a little bit more tunable, we have this setting now. It simplifies life if you have more than one zone in use and want to have your server only available within your internal zone, for example.
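The zone setting described above, as an added example (this playbook is not from the talk or from the ansible-freeipa project; the role variable names ipaserver_firewalld_zone, ipareplica_firewalld_zone, ipaserver_setup_firewalld and ipaadmin_password follow the role READMEs as I remember them, so check them against the version you install; the zone name "internal", the hostnames and the vault variable are made up). The pre-task is an added safeguard, not part of the roles: it confirms the zone actually exists on the node before the role tries to place the IPA services in it.

```yaml
---
# Deploy a server and then a replica, putting the firewalld rules that the
# roles create into the "internal" zone instead of the default zone.
# Assumptions: inventory groups ipaserver/ipareplicas, vault_admin_password
# and vault_dm_password defined in an Ansible Vault file.
- name: Deploy the first IPA server with its firewall rules in the internal zone
  hosts: ipaserver
  become: true
  vars:
    ipaadmin_password: "{{ vault_admin_password }}"
    ipadm_password: "{{ vault_dm_password }}"
    ipaserver_domain: example.test          # constructed value
    ipaserver_realm: EXAMPLE.TEST           # constructed value
    ipaserver_setup_firewalld: true         # role default; shown for clarity
    ipaserver_firewalld_zone: internal
  pre_tasks:
    - name: Make sure the requested firewalld zone exists on this node (added check)
      command: firewall-cmd --get-zones
      register: fw_zones
      changed_when: false
    - name: Fail early with a clear message instead of failing inside the role
      assert:
        that: "'internal' in fw_zones.stdout.split()"
        fail_msg: "firewalld zone 'internal' is missing on {{ inventory_hostname }}"
  roles:
    - role: ipaserver
      state: present

# The replica role runs a connection check against the server before it
# installs anything, so the ports must already be reachable at this point.
- name: Deploy replicas with their firewall rules in the same internal zone
  hosts: ipareplicas
  become: true
  vars:
    ipaadmin_password: "{{ vault_admin_password }}"
    ipareplica_setup_firewalld: true
    ipareplica_firewalld_zone: internal
  pre_tasks:
    - name: Make sure the requested firewalld zone exists on this node (added check)
      command: firewall-cmd --get-zones
      register: fw_zones
      changed_when: false
    - name: Fail early if the zone is missing
      assert:
        that: "'internal' in fw_zones.stdout.split()"
        fail_msg: "firewalld zone 'internal' is missing on {{ inventory_hostname }}"
  roles:
    - role: ipareplica
      state: present
```

The point of the added assert is the failure mode the speaker describes: if the zone does not exist or the ports are not reachable, the replica's connection check is what fails, and the error arrives late and from inside the role. Checking the zone in a pre-task turns that into an immediate, readable failure on the controller.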
We also have enhancements in the management modules. For ipagroup, the posix option has been added. So now it's possible to ensure that a group is added as a non-POSIX group, or to change from a non-POSIX to a POSIX group. But the second one cannot be completely idempotent, because it's changing the type. So it is not failing: in the first try, it will make sure that it's non-POSIX, and in the second try it will not fail. And we have new roles, and this is the biggest addition to ansible-freeipa in the latest version: we have the ipabackup role. This role is able to do backup and restore of IPA servers, so servers and replicas. You can do a server-local backup and also a backup to the controller. You can copy backup files, existing backup files, or even all backup files that are available on the server (let's not say files, it's a directory in fact) from a server to the controller. You can also remove specific backups or all backups from the server. You can restore a local backup on the server and also from the controller. And if you restore and you have an empty machine with no packages installed, it will make sure that the needed packages are installed to be able to restore properly, and it will fail if the packages cannot be found. So it's needed to have the packages in the repository, or yum configured, or dnf, or whatever you use to install packages on your system. It can copy backups from the controller to a server, and it will configure firewalld accordingly. And there is also a setting to turn off the firewalld configuration, the same as we have in the ipaserver and ipareplica roles. And here we have an example of ipabackup role usage. You see it's using ipaserver and it's doing a backup to the controller. So ipabackup_to_controller is yes; it defaults to no, which means there will be a local backup on the server itself.
There is also a setting to define, if ipabackup_to_controller is set to yes, whether to keep the backup on the server. This defaults to no. So as soon as you say ipabackup_to_controller: yes, the backup will be transferred to the controller and removed from the server afterwards. So ipabackup_keep_on_server can be set to yes to keep it also on the server itself after copying to the controller. Here we have another example, to restore an IPA server from the controller. So you see ipabackup_name is set to the backup name. By the way, if you do a backup with this, it automatically renames your backup: you will have the server name as a prefix, to make sure that you can have several backups at the same time. So let's say you have a server and several replicas and you're creating backups of all of those. Then you're not running into name issues, because the server name and replica name will be the prefix of the backup directory that is created on the controller. And here we are restoring from the controller. That means in the first place this backup is copied back to the server from the controller, and then this backup is applied, and you see you need to give this also the DM password. But this is also the case with the command line tools. So this role is more or less a big wrapper around the command line tools, to allow to use the controller also, and it has the same requirements as usual. And you see the state is restored; this means this will be restored. If you instead use state copied, it will only copy this backup from the controller to the server, but then you don't need the password. There's another example here. So here we are copying a backup from the IPA server, several backups from the IPA server. You see the ipabackup_names; these are the names on the server, without the prefix. And ipabackup_to_controller is set to yes and state is copied.
So it will make sure it will copy those from the server to the controller. By the way, it will fail if you provide names that are not existing. And the second one, on the right, is to remove all backups from the IPA server. If ipabackup_name here is not all, but the same as on the left side, it will only remove those. But if it's all, it will remove all available backups on the server. And the state here is absent. So ipabackup is a fairly powerful role, and I think you will have fun with it. And here's another example: we are copying a backup from the controller to the IPA server. And you see here ipabackup_name is the full name on the controller. It might be possible to change this in the future, so that it's using the IPA server name, looking for the ipabackup_name with the short name, the normal name on the server, and automatically prepending the name of the server. But this is not there yet; it might be added in the future, it should be simple to do. So we have new management modules also in ansible-freeipa. Here you see a list. There is ipalocation and ipatrust. ipalocation has been added only as a test for a utility that I will show later on. ipatrust was an external contribution, to manage domain trusts. And we have role-based access control, so RBAC modules: ipadelegation to manage delegations and delegation attributes; ipapermission to manage permissions and permission attribute members; ipaprivilege to manage privileges and privilege permission members; and iparole to manage roles and members. These are users, groups, hosts, host groups, privileges and services. I will show examples about this later on. And we have ipaselfservice to manage self-services and self-service attributes. So here we see a simple example of ipalocation. ipalocation is a fairly small module; it cannot really do a lot. It simply makes sure that a location with the name mylocation1 and the description mylocation1 exists. It cannot do a lot more.
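The four ipabackup usages the speaker walks through (backup to the controller, copy existing backups off a server, restore from the controller, remove backups) as one added playbook. This is not from the slides or from the ansible-freeipa project; the variable names (ipabackup_to_controller, ipabackup_keep_on_server, ipabackup_name, ipabackup_from_controller, ipabackup_data, ipabackup_no_logs, ipabackup_password, state) follow the role README as I remember it, so verify them against your installed version; the hostnames, backup names, the vault variable and the "servername_backupname" form of the controller-side directory are assumptions.

```yaml
---
# Assumptions: inventory groups ipaserver and ipareplicas; vault_dm_password
# holds the Directory Manager password in an Ansible Vault file.

# 1. Full backup on the server, transferred to the controller, and (unlike the
#    default) also kept on the server.
- name: Back up the IPA server and copy the backup to the controller
  hosts: ipaserver
  become: true
  vars:
    ipabackup_to_controller: true
    ipabackup_keep_on_server: true    # default is no: the server copy is removed
  roles:
    - role: ipabackup
      state: present

# 2. Copy two already-existing backups from every server to the controller.
#    Names are the server-side names (no hostname prefix); the role fails if a
#    name does not exist, which is the behaviour you want in automation.
- name: Copy specific existing backups to the controller
  hosts: ipaserver, ipareplicas
  become: true
  vars:
    ipabackup_to_controller: true
    ipabackup_name:                   # constructed names
      - ipa-full-2020-10-22-11-11-44
      - ipa-data-2020-10-23-09-30-00
  roles:
    - role: ipabackup
      state: copied

# 3. Restore from a backup held on the controller. The name is the
#    controller-side name, i.e. prefixed with the server it came from (the
#    "hostname_" separator is assumed here). Like ipa-restore itself, this
#    needs the Directory Manager password, so never put it in the file in
#    clear text; pull it from a vault.
- name: Restore the IPA server from a controller-side backup
  hosts: ipaserver
  become: true
  vars:
    ipabackup_from_controller: true
    ipabackup_name: server.example.test_ipa-full-2020-10-22-11-11-44
    ipabackup_data: true              # data-only restore, as in the demo
    ipabackup_no_logs: true
    ipabackup_password: "{{ vault_dm_password }}"
  roles:
    - role: ipabackup
      state: restored

# 4. Remove every backup that is still on the server. Use a list of names
#    instead of "all" to remove only specific ones.
- name: Remove all server-side backups
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: all
  roles:
    - role: ipabackup
      state: absent
```

Two things worth keeping in mind when you run this: play 1 with the default ipabackup_keep_on_server leaves no copy on the server, so the controller becomes the only holder of Directory Manager-level secrets (the backup contains the 389-ds data and keytabs), and it should be protected accordingly; and play 3 only needs the password because state is restored, while a plain state: copied transfer does not.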
It can also remove locations. But the only thing it can do is adding, and making sure that locations are present or absent. So we are coming to trust, the ipatrust module. The first example is making sure that a one-way trust is present. And yeah, I cannot even show an example for this if I want to, because I do not currently have a Windows machine that I can use as a trust for this. And the second one is making sure that a two-way trust is existing. So you see there is the additional two_way setting set to true. It should be yes, not true, but both are working. And so we are coming to the RBAC modules. There is the ipadelegation module. In the first example you see it's ensuring that a delegation is present with the attributes businesscategory and employeetype, the group managers and the membergroup employees. And the second example shows that you can add attributes, or make sure that attributes are present or absent, with action member. So in this example, this task is making sure that employeetype and employeenumber are absent in the delegation "basic manager attributes". You can also use present to make sure that attributes are present. And also you can remove delegations, you can make sure that they're not existing, and you can also change groups and member groups with a task. So the second one is the ipapermission module. The first example ensures that the permission MyPermission is present with object_type host and all rights, and the name of this permission is MyPermission. And in the second example you see you can also use action member for attributes here. So it's making sure that gecos is present in MyPermission. You can also use state absent here to make sure that an attribute is absent in the permission. So we're coming to the ipaprivilege module. The first example shows how to make sure that a privilege is present.
So it creates the privilege "Broad Privilege", with the same as description. In the second part you see you can also use action member here to add permissions. So this example makes sure that "Write IPA Configuration", "System: Write DNS Configuration" and "System: Update DNS Entries" are present for this permission. And additionally, as before, as for all modules, you can use state absent also with action member to make sure that permissions are not there. And we are coming to the iparole module. There's a little bit more than the others. In the first example you see it's ensuring that a role is present with all members. So you see here a role with the name somerole, with the user pinky, with the group group01, with the host host01.example.com, with a host group and with two privileges, Group Administrators and User Administrators, and the service service01. All parameters (user, group, host, hostgroup, privilege and service) can be treated with action member. That means you can ensure that a user, group, host, host group, privilege or service is present within a role, or absent. So you see two examples for this on the right side. The first example makes sure that the user pinky exists in this role, and in the second one you see that it makes sure that the service service01 exists in this role. You can also use state absent here to make sure that users, groups, hosts, host groups, privileges, so this, is absent within a role. And finally we have the ipaselfservice module. So here a self-service "Users can manage their own details" will be created, or it will be ensured that it exists, with permission write and the attributes title and initials. And in the second example you see action member again, with the attribute here. So this makes sure that initials is really present in this self-service. You can also use state absent here to make sure that attributes are not present within a self-service. I think we are fast. So we are coming to utilities.
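The permission, privilege, role and self-service modules described above, chained into one least-privilege delegation, as an added example. It is not from the slides or from the ansible-freeipa project; the module names and parameters (ipapermission with object_type and right, ipaprivilege with permission, iparole with privilege/user/group/hostgroup and action: member, ipaselfservice with permission and attribute, and ipaadmin_password on every module) follow the module READMEs as I remember them, so check them against your version. The permission, privilege, role, group and user names are made up; "System: Update DNS Entries" is one of the built-in managed permissions the speaker names.

```yaml
---
# Delegate DNS record maintenance to a team without handing out "admins".
# Run against the IPA server host: the modules call the FreeIPA API locally.
# Assumption: vault_ipaadmin_password is defined in an Ansible Vault file.
- name: Delegate DNS record administration with the RBAC modules
  hosts: ipaserver
  become: true
  vars:
    ipaadmin_password: "{{ vault_ipaadmin_password }}"

  tasks:
    # A permission scoped to DNS record objects only.
    - name: Ensure a permission limited to dnsrecord objects exists
      ipapermission:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: "Edit DNS records (example)"
        object_type: dnsrecord
        right:
          - read
          - search
          - compare
          - write
          - add
          - delete
        state: present

    # A privilege bundling that permission with a built-in managed permission.
    - name: Ensure the DNS operator privilege exists with its permissions
      ipaprivilege:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: "DNS Operators (example)"
        description: "Change DNS records and nothing else"
        permission:
          - "Edit DNS records (example)"
          - "System: Update DNS Entries"
        state: present

    # Without action: member, the lists given here become the complete
    # membership of the role (anything not listed is removed).
    - name: Ensure the role exists with exactly this privilege and member group
      iparole:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: dnsops
        description: "DNS operations team"
        privilege:
          - "DNS Operators (example)"
        group:
          - dnsops-team
        state: present

    # With action: member, only the listed members are added; the rest of the
    # role is left untouched. This is the idempotent "add one more" form.
    - name: Add the DNS server host group to the role without replacing members
      iparole:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: dnsops
        hostgroup:
          - dns-servers
        action: member
        state: present

    # action: member together with state: absent removes just that member.
    - name: Remove a leaver from the role
      iparole:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: dnsops
        user:
          - former.employee
        action: member
        state: absent

    # Self-service: every user may write one attribute of their own entry.
    - name: Let users maintain only their own mobile number
      ipaselfservice:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: "Users can manage their own mobile number (example)"
        permission:
          - write
        attribute:
          - mobile
        state: present
```

The order matters for the first run: the privilege references the permission by name, and the role references the privilege, so each task creates what the next one needs. The two iparole forms are the part worth remembering from a security standpoint: the plain state: present task is a full reconciliation of membership, which is what you want for a role defined from a single source of truth, while action: member is for incremental changes and never silently drops members you did not mention.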
So a nice utility has been added to ansible-freeipa to make it easier for people to create new modules. This is called new_module; it is placed in the utils subdirectory on GitHub and also in the releases. It needs the module name of the module you want to create, your author name and your email address. It has three options: to create a module with member support (so members, as you have seen before, with attributes, users, groups and so on), and to force the creation of this module. This new_module was used to create ipalocation; ipalocation was the test bed for this script. And it automatically creates several directories and files for you that so far you needed to create on your own. So it will create... oh, there's a modules directory missing, it should be plugins/modules, I'm sorry: plugins/modules/ipamymodule.py. It will also create example playbooks for your module in the playbooks/mymodule subdirectory. These are mymodule-absent and mymodule-present. And you should add more than those; these are the basic ones to make sure that the module is doing something. And it will also create the basic test. So in tests/mymodule it will create a file test_mymodule.yml, which also contains the absent and present examples, with additional tests to make sure that they are idempotent. So they will be executed once with an expected result of changed, and the second time it will be executed with a result of not changed. In addition, it creates the README-mymodule.md file. So all these are skeletons that you need to fill with life. But it should give a good start to create new modules for ansible-freeipa. So I think we have time for a small demo of the backup role. Let me change to this. So here... it's not doing what it should do. So this is from a colleague of mine; he created that from the beginning. So on the left side you see the controller, on the right side you see he's logging in. A little bit... he is zooming his screen up.
It's not legible on the recording, I think. Yeah, perfect. Thank you. Yeah, awesome. It's better now. Okay. Should I start it from the beginning? I think you can, you have five minutes easily. Okay. Okay, now. So on the left side you see the controller, on the right side you see the server. He's logging into the server. He's checking the IPA version: so this is Fedora 32, so it's 4.8.10. And you also see it's Fedora release 32. He's looking into the IPA backup directory and it's empty right now. On the left side you see the backup YAML file: a backup to the controller, keep on the server is no (this is the default), ipabackup_data. So you can also limit whether it's a full backup or not a full backup, and in this case he's only doing the data backup. So ansible-playbook is running now. You see it's trying to find out what kind of machine it is, information to get the backup directory from ipaplatform, from the installed IPA distribution release. So that was a little bit fast. At first it was copying the backup from the server, you see on top still, and it removed the backup from the server. And on the right side you see there is no backup, and still IPA is working. He's removing a sudo command, to show that if he's re-applying the backup it will be back. So right now you see he's replacing the backup name in the restore YAML file. You see backup from controller yes, keep on server no (this is not needed in this case), backup data yes and no logs yes. And now he's restoring. At first you see the backup has been copied to the server, and it is applied now. This normally takes some time, so it's better to have it in a demo. And it was also ensuring that the firewall is running and the firewall is configured properly. Now it's restoring the backup. It's done. So on the right side you see the formerly removed sudo command, and it exists again. So the backup was working. So for all the roles and the modules,
we have the whole documentation in the ansible-freeipa GitHub source repository. You can start directly there. There is the whole documentation of all parameters; there are lots of examples. If you look into the tests subfolder, you will see all the tests that we are running upstream. These are idempotency tests. If you have an issue, please go to the issues on this GitHub repository. And if you want to contact us on IRC, there's a #freeipa channel on freenode. This is also used for ansible-freeipa, not only for FreeIPA. So, do you have questions?

We have one question in the chat Q&A section: is ipaadmin_password a clear text password for admin?

No, you don't need to have it clear. This is only here in the example so that you see it; you can use Ansible Vault for this. But you can also use GSSAPI for that. There is an example for the GSSAPI usage in the documentation in ansible-freeipa upstream, and also one for Vault usage with deployment in the client and replica role, as far as I remember. It's only here to make sure... yeah, you need to provide this setting somehow, but it's up to you how.

Yes. And the next one; I think they missed some initial slides. Which IPA version are these modules compatible with, right from the initial one?

So we are making sure, as written here, that all management modules are working with IPA 4.4+. This is early RHEL 7. So RHEL 7 is now at 4.6, I think, in the latest versions there. In RHEL 8 we have 4.8, and also in Fedora we have 4.8... 4.9, I'm sorry. So we cannot support IPA prior to 4.4, because there was a big API change in IPA. I don't see any other questions.

Okay, I will give people more time and opportunity to ask another question, and I will ask my own. So if I install FreeIPA, am I supposed to then configure everything through Ansible? Is it possible, or do I still have to edit some configuration files on the machine manually?

This depends heavily on what you need to configure.
So the normal deployment can completely be done with the deployment roles in ansible-freeipa. They support all parameters that are also available on the command line clients. For management, you see we already have a longer list of modules, but we are still missing some. There are lots of IPA commands and we are still adding management modules, so the list is not complete yet. But you see we already have a long list, but you will most likely find something that is not there yet. And you can use ansible-freeipa and the normal commands; you can mix them for the management, this is no problem. All the modules are using the FreeIPA API, so they are not implementing things differently.

Not so much a question, more of a caveat. So we have been using the ansible-freeipa roles in Fedora infrastructure, and we found that there is a good way to shoot yourself in the foot if you structure the logic around the clients connected to the IPA server. Because if you then have an IPA client role and they all attempt the same thing on the IPA server, like you delegate that to the IPA server to ensure that a certain host group, user group, whatever, exists, then they will step on each other's toes; there is a race condition in there. And so it's probably better to structure it from the server view: collect the information you have about all the clients that need to be connected, all the users and stuff, and then execute it all in one go, because then you won't have these issues.

Okay, so you use several clients?

Like, we have many nodes that hook up with the IPA server for identity management. And we have rules for who's allowed to even log into the machine, who's allowed to use sudo to become root, stuff like that. And for that we use the HBAC and sudo rules. And if we hook that up with the client node in question, all of these will be executed in parallel across the whole set of Ansible hosts.
And then if you touch the same sudo rule or HBAC rule, like ensure that it's present or that some host is in it, then the same IPA commands will be executed, touching the same IPA objects at roughly the same time, and this will lead to... yeah.

A small question here. How have you used ansible-freeipa on the client for management? So you use management modules?

We have a role ipa/client that just says, okay, this host is a client host to the IPA server; identity management is done by the IPA server. And then we have cluster-wide rules, like this admin group is allowed to do anything anywhere, stuff like that. And if you have these things that affect multiple hosts, but hooked up logically with the client side, then you have a certain group of clients that you run your playbook on, and all of them will try to then execute the same ipahbacrule or ipasudorule statement in parallel and then step on each other's toes, because one will say create the rule, the other one will try to create the rule and then fail because it already exists. So that's just a caveat: formulate your Ansible playbooks from a server-side view, because then you can just collect all these: these are the hosts in question, these are the rules that have to be applied for these hosts so that we can have the correct access for people and services and stuff like that, because then everything will be done in order, and not step on... like, you won't have these race conditions.

Okay, but there are two things here. So this is a general IPA thing. Yeah, of course, of course, it's true. And it's only helping with this because it's doing this, or it's trying to execute it on all hosts at the same time. But there is one question: right now, ansible-freeipa management modules are not able to be run... yes, on the machines?
They run in the context of the client machine, like the Ansible playbook. The command executed has a couple of hosts in the play at that point, and it will want to execute the task on behalf of these hosts, all at the same time. So at first we helped ourselves with just throttling this to one, which works, but is super slow. And then we had to restructure it so that we had a decent performance, because we're talking about somewhat upwards of 200 hosts, which could be... if you do a main playbook run or something.