opendev/puppet-kerberos
Code Issues Proposed changes
puppet-kerberos/manifests/server.pp
Clark Boylan 672583bd10 Workaround broken ubuntu packaging 
Since ubuntu 16.04 or so the krb5-admin-server package is broken in the
postinst scripts. What happens is they try to set a debconf value if the
defaults file for this service sets RUN_KADMIND to false. Unfortunately
the key/question debconf is setting has no associated templates entry so
package install fails.

We work around this by not setting this value in the defaults file on
newer ubuntu and instead rely on our init system to manage that state.

Change-Id: I0ffe2a2acbe76acb0069df18253367ed2528241f
2019-02-21 17:57:25 -08:00

139 lines
3.6 KiB
Puppet
Raw Blame History

# Class kerberos::server
class kerberos::server (
$realm,
$admin_server = [$::fqdn],
$kdcs = [$::fqdn],
$slave = false,
$slaves = [],
) {
include ::haveged
$packages = [
'krb5-admin-server',
'krb5-kdc',
]
package { $packages:
ensure => present,
}
file { '/etc/krb5kdc/kdc.conf':
ensure => present,
replace => true,
content => template('kerberos/kdc.conf.erb'),
require => Package['krb5-kdc'],
}
file { '/etc/krb5kdc/kpropd.acl':
ensure => present,
replace => true,
content => template('kerberos/kpropd.acl.erb'),
require => Package['krb5-kdc'],
}
file { '/etc/krb5kdc/kadm5.acl':
ensure => present,
replace => true,
source => 'puppet:///modules/kerberos/kadm5.acl',
require => Package['krb5-admin-server'],
}
file { '/var/krb5kdc':
ensure => directory,
}
file { '/usr/local/bin/run-kprop.sh':
ensure => present,
replace => true,
mode => '0755',
content => template('kerberos/run-kprop.sh.erb'),
require => Package['krb5-admin-server'],
}
if ($slave) {
$run_admin_server = stopped
$run_kadmind = false
$run_kpropd = running
$kprop_cron = absent
} else {
$run_admin_server = running
$run_kadmind = true
$run_kpropd = stopped
$kprop_cron = present
}
cron { 'kprop':
ensure => $kprop_cron,
user => 'root',
minute => '*/15',
command => '/usr/local/bin/run-kprop.sh >/dev/null 2>&1',
environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
}
if ($::operatingsystem == 'Ubuntu') and ($::operatingsystemrelease >= '16.04') {
# krb5-admin-server generates this, so make sure this runs after we do
# things with krb5-admin-server
file { '/etc/default/krb5-admin-server':
ensure => present,
replace => true,
content => template('kerberos/krb5-admin-server.defaults.new.erb'),
require => Package['krb5-admin-server'],
}
file { '/etc/systemd/system/krb5-kpropd.service':
ensure => present,
replace => true,
source => 'puppet:///modules/kerberos/krb5-kpropd.service',
require => Package['krb5-admin-server'],
}
service { 'krb5-kpropd':
ensure => $run_kpropd,
require => [
File['/etc/systemd/system/krb5-kpropd.service'],
],
}
# This is a hack to make sure that systemd is aware of the new service
# before we attempt to start it.
exec { 'krb5-kpropd-systemd-daemon-reload':
command => '/bin/systemctl daemon-reload',
before => Service['krb5-kpropd'],
subscribe => File['/etc/systemd/system/krb5-kpropd.service'],
refreshonly => true,
}
} else {
# krb5-admin-server generates this, so make sure this runs after we do
# things with krb5-admin-server
file { '/etc/default/krb5-admin-server':
ensure => present,
replace => true,
content => template('kerberos/krb5-admin-server.defaults.erb'),
require => Package['krb5-admin-server'],
}
file { '/etc/init.d/krb5-kpropd':
ensure => present,
replace => true,
source => 'puppet:///modules/kerberos/krb5-kpropd',
require => Package['krb5-admin-server'],
}
service { 'krb5-kpropd':
ensure => $run_kpropd,
require => [
File['/etc/init.d/krb5-kpropd'],
],
}
}
service { 'krb5-admin-server':
ensure => $run_admin_server,
enable => $run_kadmind,
subscribe => File['/etc/krb5kdc/kadm5.acl'],
require => [
File['/etc/krb5kdc/kadm5.acl'],
Package['krb5-admin-server'],
],
}
}
View Git Blame Copy Permalink