
Commit d3c655f

fix(playbooks/freeipa_server,playbooks/freeipa_client): force linear strategy
The ansible-freeipa modules rely on ipalib's global API singleton. Under Ansible strategies that reuse the target Python interpreter (e.g. mitogen_linear), the second module call fails with `API.bootstrap() already called`. Set `strategy: 'linear'` in both playbooks so they work even when the user's ansible.cfg defaults to mitogen_linear, and document the constraint in the freeipa_server and freeipa_client READMEs. Also add a troubleshooting entry to roles/freeipa_server/README.md for the follow-up `kinit: Configuration file does not specify default realm` error caused by partial installs.
1 parent 00b4d42 commit d3c655f

5 files changed

Lines changed: 20 additions & 0 deletions


CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -25,6 +25,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
2525

2626
### Fixed
2727

28+
* **playbooks/freeipa_client, playbooks/freeipa_server**: Set `strategy: 'linear'` explicitly so the playbooks work even when the user's `ansible.cfg` defaults to a strategy that reuses the target Python interpreter (e.g. `mitogen_linear`). The ansible-freeipa modules rely on `ipalib`'s global API singleton and otherwise fail with `API.bootstrap() already called` on the second module call.
2829
* **role:infomaniak_vm**: Stop passing `security_groups` to `openstack.cloud.server`. Since the security group is already applied on the `ext-net1` port, setting it on the server made Neutron attempt the same on internal-network ports where `port_security_enabled` is `false`, failing with `Network requires port_security_enabled and subnet associated in order to apply security groups.`
2930
* **role:openvpn_server**: Fix `invalid selinux context: [Errno 22] Invalid argument` on RHEL 10 when deploying `server.p12` / `crl.pem`. The SELinux type `openvpn_etc_t` no longer exists in the RHEL 10 core policy (only `openvpn_port_t` and the packet types remain). The role now uses `etc_t` on RHEL 10 via a new OS-specific internal variable `__openvpn_server__selinux_etc_type`; other platforms keep `openvpn_etc_t`
3031
* **role:repo_epel**: Fix malformed RHEL 10 `epel.repo`: a missing newline in the `[epel-source]` section rendered `enabled=0username=<login>` when `repo_epel__basic_auth_login` was set, causing dnf to reject the file with `Invalid configuration value: enabled=0username=...`
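Review bot: the new `### Fixed` entry for the two playbooks does not mention the companion `## Troubleshooting` section added to `roles/freeipa_server/README.md` for the follow-up `kinit: Configuration file does not specify default realm` error, although the commit message treats it as part of the same fix; add a sentence to this entry (or a separate `role:freeipa_server` bullet) so a changelog reader can find it. It would also help to state, as the READMEs do, that `linear` is Ansible's built-in default, so the entry explains why an apparently redundant setting was added rather than just that it was.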

playbooks/freeipa_client.yml

Lines changed: 5 additions & 0 deletions
@@ -2,6 +2,11 @@
22
hosts:
33
- 'lfops_freeipa_client'
44

5+
# The ansible-freeipa modules rely on ipalib's global API singleton and fail
6+
# with `API.bootstrap() already called` under strategies that reuse the
7+
# target Python interpreter (e.g. mitogen_linear).
8+
strategy: 'linear'
9+
510
pre_tasks:
611
- ansible.builtin.import_role:
712
name: 'shared'
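Review bot: the comment above `strategy: 'linear'` explains the failure mode but not that the setting is deliberately redundant with Ansible's default, so a later cleanup could drop the line as a no-op and silently reintroduce the `API.bootstrap() already called` failure for Mitogen users. Suggest ending the comment with a line such as `# Keep this explicit even though linear is Ansible's default.` and pointing to the Mandatory Requirements section of roles/freeipa_client/README.md, which carries the fuller explanation.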

playbooks/freeipa_server.yml

Lines changed: 5 additions & 0 deletions
@@ -2,6 +2,11 @@
22
hosts:
33
- 'lfops_freeipa_server'
44

5+
# The ansible-freeipa modules rely on ipalib's global API singleton and fail
6+
# with `API.bootstrap() already called` under strategies that reuse the
7+
# target Python interpreter (e.g. mitogen_linear).
8+
strategy: 'linear'
9+
510
pre_tasks:
611
- ansible.builtin.import_role:
712
name: 'shared'
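Review bot: the three-line comment is a verbatim copy of the one in playbooks/freeipa_client.yml, and the same wording appears again in both READMEs; to keep the copies from drifting, consider shortening the playbook comments to the one-line symptom (`API.bootstrap() already called` under strategies that reuse the target interpreter) plus a pointer to the README section that holds the explanation, so there is a single place to update if the upstream ansible-freeipa behaviour changes.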

roles/freeipa_client/README.md

Lines changed: 1 addition & 0 deletions
@@ -6,6 +6,7 @@ This role installs and configures [FreeIPA](https://www.freeipa.org/) as a clien
66
## Mandatory Requirements
77

88
* Install the [ansible-freeipa Ansible Collection](https://github.com/freeipa/ansible-freeipa) on the Ansible control node. This can be done by calling `ansible-galaxy collection install freeipa.ansible_freeipa`.
9+
* The role must be run with Ansible's `linear` strategy (the default). It is incompatible with strategies that reuse the target Python interpreter, such as Mitogen's `mitogen_linear`, because the underlying ansible-freeipa modules use `ipalib`'s global API singleton and fail with `API.bootstrap() already called` on the second module call. The bundled `playbooks/freeipa_client.yml` sets `strategy: 'linear'` explicitly.
910

1011

1112
## Tags
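Review bot: the new requirement bullet only says that the bundled playbook sets `strategy: 'linear'`; users who include the role from their own playbook are not told they must do the same. Add a sentence such as "If you call this role from your own playbook, set `strategy: 'linear'` at the play level; a play-level strategy takes precedence over the `strategy` setting in `ansible.cfg`." Also, "(the default)" only holds when `ansible.cfg` does not override it, which is exactly the situation the bullet is guarding against; "(Ansible's built-in default)" is more precise.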

roles/freeipa_server/README.md

Lines changed: 8 additions & 0 deletions
@@ -18,6 +18,7 @@ Ideally, the FreeIPA should be installed on a separate server. If that is not po
1818

1919
* Do not use an existing domain or hostname unless you own the domain. It's a common mistake to use `example.com`. We recommend to use a reserved top level domain from RFC2606 for private test installations, e.g. `ipa.test`.
2020
* Install the [ansible-freeipa Ansible Collection](https://github.com/freeipa/ansible-freeipa) on the Ansible control node. This can be done by calling `ansible-galaxy collection install freeipa.ansible_freeipa`.
21+
* The role must be run with Ansible's `linear` strategy (the default). It is incompatible with strategies that reuse the target Python interpreter, such as Mitogen's `mitogen_linear`, because the underlying ansible-freeipa modules use `ipalib`'s global API singleton and fail with `API.bootstrap() already called` on the second module call. The bundled `playbooks/freeipa_server.yml` sets `strategy: 'linear'` explicitly.
2122

2223

2324
## Tags
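Review bot: same bullet as in roles/freeipa_client/README.md, with the same gap: it does not say that callers who include the role from their own playbook must set `strategy: 'linear'` themselves. Separately, "must be run with Ansible's `linear` strategy" is stronger than the reason given (interpreter reuse); if any strategy that does not reuse the target interpreter is in fact fine, word it as "a strategy that does not reuse the target Python interpreter, such as the built-in `linear`" so the requirement matches its justification.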
@@ -612,6 +613,13 @@ freeipa_server__users__host_var:
612613
```
613614

614615

616+
## Troubleshooting
617+
618+
Q: `Kerberos authentication failed: kinit: Configuration file does not specify default realm when parsing name admin`
619+
620+
A: Raised by the `ipa*` resource management tasks (groups, users, HBAC rules, etc.) after a previous run aborted partway through `ipaserver_setup_*`. The aborted run did not write `/etc/krb5.conf` and `/etc/ipa/default.conf` with a `default_realm`, and the next run's `ipaserver_setup_*` steps consider the install "already done" and skip. Verify on the target with `cat /etc/ipa/default.conf` and `grep default_realm /etc/krb5.conf`. Reset the partial install with `ipa-server-install --uninstall --unattended` and re-run the playbook. **Caution:** this wipes the LDAP backend; only run it on a host that has no production IPA data.
621+
622+
615623
## License
616624

617625
[The Unlicense](https://unlicense.org/)
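Review bot: the **Caution** at the end of the answer should also state that `ipa-server-install --uninstall` removes the server's CA, certificates and keytabs, so any client already enrolled against the partial install has to be re-enrolled afterwards; readers who reached this entry after a half-finished install may already have run `playbooks/freeipa_client.yml` against it. The claim that the next run's `ipaserver_setup_*` steps "consider the install already done and skip" would also be more useful with the condition those steps check, so the reader can confirm they are in this state before wiping anything; the two verification commands given (`cat /etc/ipa/default.conf`, `grep default_realm /etc/krb5.conf`) only show the symptom, not the cause of the skip.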
