support deployment of replica KDCs incl. kprop sync script and new molecule test scenario

.travis.yml

@@ -9,10 +9,12 @@ services:
 before_install:
   - sudo apt-get -qq update
 install:
-  - pip install molecule
+  # molecule version >v2.22 required for compatibility with ansible 2.8.x (provided in the used docker image)
+  - pip install molecule==2.22
   - pip install docker
 script:
   - molecule test
+  - molecule test --scenario-name kdc-with-replica
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

defaults/main.yml

@@ -1,5 +1,10 @@
 ---
 kerberos_server_realm_name: EXAMPLE.COM
+kerberos_server_domain: "{{ kerberos_server_realm_name|lower }}"
+# List of kdc hosts (the 1.entry is the master, the other will be replica kdcs)
+kerberos_server_kdcs:
+  - "{{ ansible_hostname }}"
+kerberos_server_kadmin_host: "{{ ansible_hostname }}"
 kerberos_server_kdc_port: 88
 kerberos_server_master_db_pass: foobar
 kerberos_server_kadmin_pass: foobar
@@ -9,6 +14,11 @@ kerberos_server_renew_lifetime: 7d
 kerberos_server_supported_enctypes: >
   aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal
   des-cbc-md5:normal des-cbc-crc:normal
+# krb5.conf 'rdns' parameter
+kerberos_server_rdns: true
+kerberos_server_kadmin_cmd: kadmin.local
+kerberos_server_kprop_replication_enabled: "{{ kerberos_server_kdcs | length >= 2 }}"
+kerberos_server_kprop_cronjob_enabled: "{{ kerberos_server_kprop_replication_enabled }}"
 
 kerberos_server_users: []
 # To add users, add entries lik this:

handlers/main.yml

@@ -1,6 +1,17 @@
 ---
-- name: restart kerberos
+- name: restart kdc
   service:
-    name: "{{ item }}"
+    name: "{{ kerberos_kdc_service }}"
     state: restarted
-  with_items: "{{ kerberos_service }}"
+
+- name: restart kadmin
+  service:
+    name: "{{ kerberos_kadmin_service }}"
+    state: restarted
+  when: is_master_host
+
+- name: restart kprop
+  service:
+    name: "{{ kerberos_kprop_service }}"
+    state: restarted
+  when: is_replica_host

meta/main.yml

@@ -1,14 +1,15 @@
 ---
 galaxy_info:
   author: "Matthias Baumann & Jan Hentschel"
+  description: "Role to install kerberos server(s)"
   company: Ultra Tendency GmbH
   license: BSD 3-Clause
   min_ansible_version: 1.4
   platforms:
     - name: EL
       versions:
         - 7
-  categories:
+  galaxy_tags:
     - kerberos
     - kdc
-dependencies: []
+dependencies: [ ]

molecule/default/molecule.yml

@@ -6,8 +6,9 @@ driver:
 lint:
   name: yamllint
 platforms:
-  - name: centos-7
-    image: fiercely/centos7:systemd
+  - name: "${MOLECULE_DISTRO:-centos7}"
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    pre_build_image: True
     privileged: True
     volume_mounts:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"

molecule/default/tests/test_default.py

@@ -25,7 +25,7 @@ def test_kdc_conf(host):
     assert kdc_conf.is_file
     assert kdc_conf.user == 'root'
     assert kdc_conf.group == 'root'
-    assert oct(kdc_conf.mode) == '0600'
+    assert kdc_conf.mode == 0o600
 
 
 @pytest.mark.parametrize('content', [
@@ -50,7 +50,7 @@ def test_kadm5_acl(host):
     assert kadm5_acl.is_file
     assert kadm5_acl.user == 'root'
     assert kadm5_acl.group == 'root'
-    assert oct(kadm5_acl.mode) == '0600'
+    assert kadm5_acl.mode == 0o600
 
 
 @pytest.mark.parametrize('content', [
@@ -70,16 +70,16 @@ def test_krb5_conf(host):
     assert krb5_conf.is_file
     assert krb5_conf.user == 'root'
     assert krb5_conf.group == 'root'
-    assert oct(krb5_conf.mode) == '0644'
+    assert krb5_conf.mode == 0o644
 
 
 @pytest.mark.parametrize('content', [
     "default_realm = EXAMPLE.COM",
     "ticket_lifetime = 24h",
     "renew_lifetime = 7d",
     "EXAMPLE.COM = {",
-    "kdc = centos-7.example.com",
-    "admin_server = centos-7.example.com",
+    "kdc = centos7",
+    "admin_server = centos7",
     ".example.com = EXAMPLE.COM",
     "example.com = EXAMPLE.COM"
 ])

molecule/kdc-with-replica/Dockerfile.j2

@@ -0,0 +1,14 @@
+# Molecule managed
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
+    elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi

molecule/kdc-with-replica/INSTALL.rst

@@ -0,0 +1,22 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* Docker Engine
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ pip install 'molecule[docker]'

molecule/kdc-with-replica/molecule.yml

@@ -0,0 +1,73 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint:
+  name: yamllint
+# Using geerlingguy's image that provides centos7 with ansible AND systemd
+platforms:
+  - name: "${MOLECULE_DISTRO:-centos7}-01.local"
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    pre_build_image: True
+    privileged: True
+    volume_mounts:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+    command: "/usr/sbin/init"
+    groups:
+      - kdc_master
+      - kdcs
+    networks:
+      - name: molecule
+    network_mode: bridge
+
+  - name: "${MOLECULE_DISTRO:-centos7}-02.local"
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    pre_build_image: True
+    privileged: True
+    volume_mounts:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+    command: "/usr/sbin/init"
+    groups:
+      - kdc_replica
+      - kdcs
+    networks:
+      - name: molecule
+    network_mode: bridge
+
+provisioner:
+  name: ansible
+  options:
+    diff: true
+    v: True
+  inventory:
+    group_vars:
+      kdcs:
+        # Ensure that the master node is the first in the list (not guaranteed in 'groups.kdcs')
+        kerberos_server_kdcs: "{{ groups.kdc_master + groups.kdc_replica }}"
+        kerberos_server_kadmin_host: "{{ groups.kdc_master[0] }}"
+        kerberos_server_realm_name: EXAMPLE.COM
+        kerberos_server_domain: "local"
+        # To make molecule tests work, need to disable keberos reverse DNS, because docker builtin DNS is inconsistent
+        # Details: Returned PTR were suffixed with the network name, except for the own host (resolved by /etc/hosts)
+        kerberos_server_rdns: "false"
+  lint:
+    name: ansible-lint
+scenario:
+  name: kdc-with-replica
+  test_sequence:
+    - lint
+    - destroy
+    - dependency
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - destroy
+verifier:
+  name: testinfra
+  lint:
+    name: flake8

molecule/kdc-with-replica/playbook.yml

@@ -0,0 +1,5 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - role: kerberos_server

molecule/kdc-with-replica/tests/test_default.py

@@ -0,0 +1,27 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+# tests on each kdc
+def test_kdc_conf(host):
+    kdc_conf = host.file("/var/kerberos/krb5kdc/kdc.conf")
+
+    assert kdc_conf.exists
+    assert kdc_conf.is_file
+    assert kdc_conf.user == 'root'
+    assert kdc_conf.group == 'root'
+    assert kdc_conf.mode == 0o600
+
+
+def test_krb5_conf(host):
+    krb5_conf = host.file("/etc/krb5.conf")
+
+    assert krb5_conf.exists
+    assert krb5_conf.is_file
+    assert krb5_conf.user == 'root'
+    assert krb5_conf.group == 'root'
+    assert krb5_conf.mode == 0o644

molecule/kdc-with-replica/tests/test_kdc_master.py

@@ -0,0 +1,40 @@
+import os
+import pytest
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('kdc_master')
+
+kdc_replica_1 = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('kdc_replica')[0]
+
+
+@pytest.mark.parametrize('svc', [
+  'krb5kdc',
+  'kadmin'
+])
+def test_services(host, svc):
+    service = host.service(svc)
+
+    assert service.is_running
+    assert service.is_enabled
+
+
+def test_kprop_kdump_file_written(host):
+    kprop_kdump_file = host.file("/var/kerberos/krb5kdc/slave_datatrans")
+
+    assert kprop_kdump_file.exists
+    assert kprop_kdump_file.user == 'root'
+    assert kprop_kdump_file.group == 'root'
+    assert kprop_kdump_file.mode == 0o600
+
+
+@pytest.mark.parametrize('content', [
+    "Database propagation to "+kdc_replica_1+": SUCCEEDED",
+])
+def test_kprop_kdc_replica_sync_successful(host, content):
+    kprop_kdc_replica_sync_log = host.file("/var/log/kprop_kdc_replica_sync.log")
+
+    assert kprop_kdc_replica_sync_log.exists
+    assert kprop_kdc_replica_sync_log.contains(content)

molecule/kdc-with-replica/tests/test_kdc_replica.py

@@ -0,0 +1,39 @@
+import os
+import pytest
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('kdc_replica')
+
+kdc_master_1 = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('kdc_master')[0]
+
+
+@pytest.mark.parametrize('svc', [
+  'krb5kdc',
+  'kprop'
+])
+def test_services(host, svc):
+    service = host.service(svc)
+
+    assert service.is_running
+    assert service.is_enabled
+
+
+def test_kpropd_acl(host):
+    kpropd_acl = host.file("/var/kerberos/krb5kdc/kpropd.acl")
+
+    assert kpropd_acl.exists
+    assert kpropd_acl.is_file
+    assert kpropd_acl.user == 'root'
+    assert kpropd_acl.group == 'root'
+
+
+@pytest.mark.parametrize('content', [
+    "host/"+kdc_master_1+"@",
+])
+def test_kpropd_acl_content(host, content):
+    kpropd_acl = host.file("/var/kerberos/krb5kdc/kpropd.acl")
+
+    assert kpropd_acl.contains(content)