Ansible playbook to enable FIPS and install Satellite 6.4

.gitignore

@@ -61,3 +61,7 @@ docs/_build/
 
 # Galaxy Roles
 galaxy_roles/
+mazer_roles/
+
+# Variable samples
+vars/satellite_common.local.yml

README.md

@@ -16,15 +16,21 @@ We also recommend to install yamllint, ansible-lint and ansible-review.
 
 Befor running any Satellite6 playbooks,
 
-1. Check and Install the roles from ansible galaxy, if any
+1. Check and Install dependent roles from ansible galaxy and [mazer](https://galaxy.ansible.com/docs/mazer/install.html), if any
 
    ```
    # ansible-galaxy install -r requirements.yml
+   # mazer install --namespace forklift git+https://github.com/theforeman/forklift
    ```
 
-2. Check and configure required variables
+2. Check and configure required variables in `satellite_common.local.yml`
+   by first making a copy of it.
    (i.e RHSM Credentials, Satellite setup links and so on).
 
+   ```
+   cp satellite_common.yml satellite_common.local.yml
+   ```
+
 3. Make a copy of inventory from inventory.sample file. 
 
    ```

ansible.cfg

@@ -1,8 +1,9 @@
 [defaults]
 library = foreman-ansible-modules/modules
 module_utils = foreman-ansible-modules/module_utils
-roles_path = $PWD/galaxy_roles:$PWD/roles
+roles_path = $PWD/galaxy_roles:$PWD/roles:$PWD/galaxy_roles/pulp-ci/pulp-ci/ci/ansible/roles:$PWD/mazer_roles/forklift/forklift/roles
 inventory = inventory_files/inventory
 retry_files_enabled = False
 stdout_callback = yaml
 display_skipped_hosts = False
+timeout = 10

playbooks/install/satellite_63.yml

@@ -1,4 +1,11 @@
 ---
 - hosts: sat63
+  vars_files:
+    - ../../vars/satellite_common.local.yml
+    - ../../vars/satellite_63.yml
   roles:
     - partition-disk
+    - redhat_subscriptions
+    - satellite6_repositories
+    - update_os_packages
+    - install_satellite6

playbooks/install/satellite_64.yml

@@ -1,4 +1,11 @@
 ---
 - hosts: sat64
+  vars_files:
+    - ../../vars/satellite_common.local.yml
+    - ../../vars/satellite_64.yml
   roles:
     - partition-disk
+    - redhat_subscriptions
+    - satellite6_repositories
+    - update_os_packages
+    - install_satellite6

playbooks/install/satellite_64_fips.yml

@@ -0,0 +1,21 @@
+---
+- hosts: sat64
+  vars_files:
+    - ../../vars/satellite_common.local.yml
+    - ../../vars/satellite_64.yml
+    - ../../vars/satellite_fips.yml
+  roles:
+    - pulp-fips
+    - satellite6_repositories
+    - puppet_repositories
+    - update_os_packages
+    - epel_repositories
+    - foreman_repositories
+    - katello_repositories
+    - install_katello
+    - katello_client
+    - partition-disk
+    - redhat_subscriptions
+    - install_satellite6
+    - fips_workaround
+    - foreman_installer

requirements.yml

@@ -1,3 +1,6 @@
 ---
 # from galaxy
 # - src: username.rolename
+
+# from git
+- src: https://github.com/pulp/pulp-ci

roles/enable-fips/README.md

@@ -0,0 +1,44 @@
+Ansible Role for Enabling FIPS
+==============================
+
+This Ansible role enables FIPS for a remote host.
+
+Requirements
+------------
+
+No Requirements are required for this role.
+
+Role Variables
+--------------
+
+No variables required for this role.
+
+Dependencies
+------------
+
+This role is not dependent upon any galaxy roles.
+
+Example Playbook
+----------------
+
+Here is a simple example of enable-fips role:
+
+- hosts: localhost
+  remote_user: root
+  roles:
+    - enable-fips
+
+License
+-------
+
+ GNU GENERAL PUBLIC LICENSE
+
+    Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+
+
+Author Information
+------------------
+
+This is developed by Satellite QE team, irc: #robottelo on Freenode

roles/enable-fips/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for enable-fips

roles/enable-fips/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for enable-fips

roles/enable-fips/meta/main.yml

@@ -0,0 +1,20 @@
+---
+# Standards: 0.2
+galaxy_info:
+  author: Satellite QE Team
+  description: Satellite QE Team
+  company: Red Hat
+
+  license: GPLv3
+
+  min_ansible_version: 2.5.0
+
+  platforms:
+    - name: RHEL
+      versions:
+        - 7
+
+  galaxy_tags: []
+
+
+dependencies: []

roles/enable-fips/tasks/edit_kernel.yml

@@ -0,0 +1,7 @@
+---
+- name: "Get boot_uuid"
+  command: 'findmnt -no uuid /boot'
+  register: uuid
+
+- name: "Edit kernel fips and boot arguments"
+  command: 'grubby --update-kernel=DEFAULT --args="fips=1 boot=UUID={{ uuid.stdout }}"'

roles/enable-fips/tasks/install_dracut.yml

@@ -0,0 +1,8 @@
+---
+- name: "Install dracut-fips"
+  package:
+    name: dracut-fips
+    state: present
+
+- name: "Run dracut"
+  command: dracut --force

roles/enable-fips/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+- name: "Check if FIPS is enabled"
+  slurp:
+    src: '/proc/sys/crypto/fips_enabled'
+  register: fips
+
+- block:
+  - include_tasks: install_dracut.yml
+  - include_tasks: edit_kernel.yml
+  - include_tasks: reboot.yml
+  when: fips.content|b64decode|trim == "0"

roles/enable-fips/tasks/reboot.yml

@@ -0,0 +1,10 @@
+---
+- name: "Restart host"
+  shell: 'sleep 2 && shutdown -r now'
+  async: 1
+  poll: 0
+  ignore_errors: true
+
+- name: "Wait for reboot"
+  become: false
+  local_action: wait_for host={{ inventory_hostname }} port=22 state=started delay=10

roles/enable-fips/tests/inventory

@@ -0,0 +1,2 @@
+[sat63]
+sat63-rhel7 ansible_ssh_host=sat63-rhel7.example.com ansible_user=root

roles/enable-fips/tests/test.yml

@@ -0,0 +1,4 @@
+---
+- hosts: sat63
+  roles:
+    - enable-fips

roles/enable-fips/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for enable-fips

roles/fips_workaround/README.md

@@ -0,0 +1,44 @@
+Ansible Role for Enabling FIPS
+==============================
+
+This Ansible role downloads and runs a script apply a set of patches for installing Satellite on a FIPS-enabled machine.
+
+Requirements
+------------
+
+No Requirements are required for this role.
+
+Role Variables
+--------------
+
+fips_script: link to workaround script for installing FIPS
+
+Dependencies
+------------
+
+This role is not dependent upon any galaxy roles.
+
+Example Playbook
+----------------
+
+Here is a simple example of fips_workaround role:
+
+- hosts: localhost
+  remote_user: root
+  roles:
+    - fips_workaround
+
+License
+-------
+
+ GNU GENERAL PUBLIC LICENSE
+
+    Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+
+
+Author Information
+------------------
+
+This is developed by Satellite QE team, irc: #robottelo on Freenode

roles/fips_workaround/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+# defaults file for fips_workaround
+fips_script: https://gist.githubusercontent.com/iNecas/8cd95a07ce1700068307020e2beb0441/raw/efaadad7c7b971f74d461b04e96a1d0ae45a403e/fips_workaround.sh

roles/fips_workaround/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for fips_workaround

roles/fips_workaround/meta/main.yml

@@ -0,0 +1,20 @@
+---
+# Standards: 0.2
+galaxy_info:
+  author: Satellite QE Team
+  description: Satellite QE Team
+  company: Red Hat
+
+  license: GPLv3
+
+  min_ansible_version: 2.5.0
+
+  platforms:
+    - name: RHEL
+      versions:
+        - 7
+
+  galaxy_tags: []
+
+
+dependencies: []

roles/fips_workaround/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+# tasks file for fips_workaround
+- name: "Download fips_workaround script"
+  get_url:
+    url: "{{ fips_script }}"
+    dest: ~/
+
+- name: "Run fips_workaround script"
+  command: bash ~/fips_workaround.sh
+  tags:
+  - skip_ansible_lint

roles/fips_workaround/tests/inventory

@@ -0,0 +1,2 @@
+[sat63]
+sat63-rhel7 ansible_ssh_host=sat63-rhel7.example.com ansible_user=root

roles/fips_workaround/tests/test.yml

@@ -0,0 +1,4 @@
+---
+- hosts: sat63
+  roles:
+    - fips_workaround

roles/fips_workaround/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for fips_workaround

roles/install_katello/README.md

@@ -0,0 +1,43 @@
+Ansible Role for Installing Katello packages. 
+================================================
+
+This Ansible role installs Katello.
+
+Requirements
+------------
+
+No Requirements are required for this role.
+
+Role Variables
+--------------
+
+No Variables required for this role.
+
+Dependencies
+------------
+
+forklift/katello_repositories
+
+Example Playbook
+----------------
+
+Here is a simple example of install_katello role:
+
+- hosts: localhost
+  roles:
+    - install_katello
+
+License
+-------
+
+ GNU GENERAL PUBLIC LICENSE
+
+    Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+
+
+Author Information
+------------------
+
+This is developed by Satellite QE team, irc: #robottelo on Freenode

roles/install_katello/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for install_katello

roles/install_katello/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for install_katello

roles/install_katello/meta/main.yml

@@ -0,0 +1,20 @@
+---
+# Standards: 0.2
+galaxy_info:
+  author: Satellite QE Team
+  description: Satellite QE Team
+  company: Red Hat
+
+  license: GPLv3
+
+  min_ansible_version: 2.5.0
+
+  platforms:
+    - name: RHEL
+      versions:
+        - 7
+
+  galaxy_tags: []
+
+
+dependencies: []

roles/install_katello/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+# Tasks file for install_katello
+- name: Install the latest version of Katello
+  yum:
+    name: katello
+    state: present

roles/install_katello/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+