PSMDB-1776: Adding Kerberos Docker Role (#449)

Author: keithquinnpercona

jstests/test_kerberos_simple.js

@@ -39,7 +39,7 @@
     }
 
     //add principal
-    _runCmd("kadmin.local -q 'addprinc -pw exttestrw exttestrw'");
+    _runCmd('docker exec kerberos sh -lc "kadmin.local -q \'addprinc -pw exttestrw exttestrw@PERCONATEST.COM\'"');
     _runCmd("kinit exttestrw <<<'exttestrw'");
 
     //check connection

psmdb-tarball/psmdb-tarball/playbooks/playbook.yml

@@ -77,4 +77,4 @@
     - role: '../../../roles/docker'
     - role: '../../../roles/openldap'
     - role: '../../../roles/kmip-vault'
-    - role: '../../../roles/kerberos'
+    - role: '../../../roles/kerberos-docker'

psmdb-tarball/psmdb-tarball/playbooks/prepare.yml

@@ -211,4 +211,3 @@
       virtualenv: /opt/venv
       virtualenv_command: /opt/python/bin/virtualenv
       virtualenv_python: /opt/python/bin/python3
-

psmdb/psmdb/playbooks/playbook.yml

@@ -10,4 +10,4 @@
     - role: '../../../roles/easyrsa'
     - role: '../../../roles/openldap'
     - role: '../../../roles/kmip-vault'
-    - role: '../../../roles/kerberos'
+    - role: '../../../roles/kerberos-docker'

psmdb/psmdb/tests/test_psmdb_install.py

@@ -321,7 +321,7 @@ def test_auth(host,auth):
     if auth == 'GSSAPI':
         with host.sudo():
             hostname = host.check_output('hostname')
-            host.check_output('kadmin.local -q "addprinc -pw exttestrw exttestrw"')
+            host.check_output('docker exec kerberos sh -c "kadmin.local -q \'addprinc -pw exttestrw exttestrw\'"')
             host.check_output('bash -c "kinit exttestrw <<<\'exttestrw\'"')
             result = host.check_output('mongo -u [email protected] --host '+ hostname +' --authenticationMechanism=GSSAPI --authenticationDatabase \'$external\' --quiet --eval "db.runCommand({connectionStatus : 1})"')
             print(result)
@@ -378,7 +378,7 @@ def test_encryption(host,encryption,cipher):
         conf['security']['kmip']['clientCertificateFile'] = MONGO_PEM_FILE
         conf['security']['kmip']['serverCAFile'] = CA_KMIP_FILE
 
-    #erase data and setup config 
+    #erase data and setup config
     apply_conf(host,conf,True)
 
     #check startup with encryption

roles/kerberos-docker/tasks/Debian.yml

@@ -0,0 +1,9 @@
+- name: Install dependencies (Debian)
+  apt:
+    update_cache: yes
+    name:
+      - krb5-user
+      - python3-docker
+    state: present
+  become: yes
+  when: ansible_os_family == "Debian"

roles/kerberos-docker/tasks/RedHat.yml

@@ -0,0 +1,37 @@
+- name: Install pip (RedHat)
+  become: true
+  package:
+    name: python3-pip
+    state: present
+  when: ansible_os_family == "RedHat"
+
+- name: Create venv (RedHat)
+  become: true
+  command: /usr/bin/python3 -m venv /opt/ansible-venv
+  args:
+    creates: /opt/ansible-venv/bin/python
+  when: ansible_os_family == "RedHat"
+
+- name: Upgrade pip in venv (RedHat)
+  become: true
+  command: /opt/ansible-venv/bin/python -m pip install --upgrade pip
+  when: ansible_os_family == "RedHat"
+
+- name: Install packages in venv (RedHat)
+  become: true
+  command: /opt/ansible-venv/bin/python -m pip install --upgrade --ignore-installed docker requests
+  when: ansible_os_family == "RedHat"
+
+- name: Use venv interpreter (RedHat)
+  set_fact:
+    ansible_python_interpreter: /opt/ansible-venv/bin/python
+  when: ansible_os_family == "RedHat"
+
+- name: Install dependencies (Redhat)
+  yum:
+    update_cache: yes
+    name:
+      - krb5-workstation
+    state: present
+  become: yes
+  when: ansible_os_family == "RedHat"

roles/kerberos-docker/tasks/main.yml

@@ -0,0 +1,139 @@
+- include_tasks: "RedHat.yml"
+- include_tasks: "Debian.yml"
+
+- name: Get system hostname
+  ansible.builtin.shell: hostname
+  register: hostname_raw
+  changed_when: false
+
+- name: Set hostname variable
+  ansible.builtin.set_fact:
+    hostname: "{{ hostname_raw.stdout }}"
+
+- name: Remove pre-existing kerberos container
+  docker_container:
+    name: kerberos
+    state: absent
+    keep_volumes: false
+
+- name: Create required folders
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: '0750'
+  loop:
+    - /var/lib/krb5kdc
+    - /keytabs
+
+- name: Copy KDC configuration file to host
+  template:
+    src: krb5.conf
+    dest: "/etc/krb5.conf"
+
+- name: Start Kerberos container
+  community.docker.docker_container:
+    name: kerberos
+    image: "alpine"
+    command: >
+      sh -c '
+          apk add --no-cache bash krb5 krb5-server krb5-pkinit &&
+          if [ ! -f /var/lib/krb5kdc/principal ]; then
+            kdb5_util -P password create &&
+            kadmin.local -q "addprinc -pw password root/admin";
+          fi &&
+          /usr/sbin/krb5kdc -n
+        '
+    restart_policy: unless-stopped
+    published_ports:
+      - "88:88/udp"
+      - "88:88/tcp"
+    volumes:
+      - "/etc/krb5.conf:/etc/krb5.conf"
+      - "/var/lib/krb5kdc:/var/lib/krb5kdc"
+      - "/keytabs:/keytabs"
+
+- name: Waiting for Kerberos container to be ready
+  ansible.builtin.command:
+    cmd: >
+      docker exec kerberos sh -c 'test -x /usr/sbin/kadmin.local'
+  register: kadmin_check
+  retries: 10
+  delay: 2
+  until: kadmin_check.rc == 0
+  changed_when: false
+
+- name: Create MongoDB service principal for mongod
+  ansible.builtin.command:
+    cmd: >
+      docker exec kerberos sh -c 'kadmin.local -q "addprinc -randkey mongodb/{{ hostname }}@PERCONATEST.COM"'
+  register: add_service_princ
+  failed_when: >
+    add_service_princ.rc != 0 and
+    ("already exists" not in (add_service_princ.stderr | default(''))) and
+    ("already exists" not in (add_service_princ.stdout | default('')))
+
+- name: Create Service Key and store it in the Keytab
+  ansible.builtin.command:
+    cmd: >
+      docker exec kerberos sh -c 'kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/{{ hostname }}@PERCONATEST.COM"'
+
+- name: Copy mongodb.keytab from container to host
+  ansible.builtin.command:
+    cmd: >
+      docker cp kerberos:/keytabs/mongodb.keytab /etc/mongodb.keytab
+  register: docker_cp_keytab
+  changed_when: docker_cp_keytab.rc == 0
+
+- name: Give /etc/mongodb.keytab mongod permissions
+  ansible.builtin.file:
+    path: /etc/mongodb.keytab
+    owner: mongod
+    group: mongod
+    mode: '0600'
+
+- name: Add KRB5_KTNAME variable for PSMDB (Debian)
+  lineinfile:
+    path: /etc/default/mongod
+    line: KRB5_KTNAME=/etc/mongodb.keytab
+    create: yes
+  when: ansible_os_family == "Debian"
+
+- name: Add KRB5_KTNAME variable for PSMDB (RedHat)
+  lineinfile:
+    path: /etc/sysconfig/mongod
+    line: KRB5_KTNAME=/etc/mongodb.keytab
+    create: yes
+  when: ansible_os_family == "RedHat"
+
+- name: Check if Percona directory exists
+  ansible.builtin.stat:
+    path: /percona-server-mongodb
+  register: percona_dir
+
+- name: Restart mongod to pick up Kerberos keytab env
+  ansible.builtin.service:
+    name: mongod
+    state: restarted
+    enabled: yes
+  when: not percona_dir.stat.isdir | default(false)
+
+- name: Adding short form of hostname to /etc/hosts (Debian 11)
+  become: true
+  ansible.builtin.replace:
+    path: /etc/hosts
+    regexp: '^\s*(127\.0\.1\.1)\s+.*$'
+    replace: '\1 {{ hostname }}'
+    unsafe_writes: true
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version | int == 11
+
+- name: Add kerberos user to /etc/hosts
+  lineinfile:
+    state: present
+    dest: /etc/hosts
+    line: '127.0.0.1 {{ hostname }}'
+    unsafe_writes: yes

roles/kerberos-docker/templates/krb5.conf

@@ -0,0 +1,19 @@
+
+[libdefaults]
+    default_realm = PERCONATEST.COM
+    forwardable = true
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+    ignore_acceptor_hostname = true
+    rdns = false
+    ticket_lifetime = 10m
+    renew_lifetime = 10m
+[realms]
+    PERCONATEST.COM = {
+        kdc_ports = 88
+        kdc = 127.0.0.1
+    }
+[domain_realm]
+    .perconatest.com = PERCONATEST.COM
+    perconatest.com = PERCONATEST.COM
+    kerberos = PERCONATEST.COM

roles/kmip-vault/tasks/main.yml

@@ -39,7 +39,8 @@
           "max_lease_ttl": "720h",
           "ui": true,
           "log_level": "debug",
-          "log_format": "json"
+          "log_format": "json",
+          "api_addr": "https://127.0.0.1:8200"
         }
       VAULT_ADDR: https://127.0.0.1:8200
       VAULT_CACERT: /etc/vault/ca.crt
@@ -49,16 +50,17 @@
     capabilities:
       - "IPC_LOCK"
 
-- name: Wait for Vault TCP port to open
-  wait_for:
-    host: 127.0.0.1
-    port: 8200
-    delay: 1
-    timeout: 60
-
-- name: Wait for 5 seconds
-  ansible.builtin.wait_for:
-    timeout: 5
+- name: Poll Vault health endpoint until API is responding
+  ansible.builtin.uri:
+    url: "https://127.0.0.1:8200/v1/sys/health"
+    method: GET
+    status_code: [200, 429, 472, 473, 501]
+    return_content: yes
+    validate_certs: no
+  register: vault_health
+  retries: 10
+  delay: 2
+  until: vault_health.status in [200, 429, 472, 473, 501]
 
 - name: Initiate Vault
   community.docker.docker_container_exec: