IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-15 19:01:55 -06:00
Code Issues Packages Projects Releases Wiki Activity
78810f9068
freeipa/ipaserver/install/installutils.py

704 lines
24 KiB
Python
Raw Normal View History

Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
#
import socket
import errno
import getpass
User provided certs.
0000-12-31 18:09:24 -05:50
import os
import re
import fileinput
import sys
Require that the hostname is a DNS A record and that the forward and reverse match. 433515
2008-03-03 15:10:06 -06:00
import struct
Properly detect when ports are available. The DS setup program uses Perl and does a similar port available test. It seems that perl always sets FD_CLOEXEC and python does not. This is why the port test would pass in python but fail in perl. 439024
2008-03-27 14:33:06 -05:00
import fcntl
Make the IPA installer IPv6 friendly Notable changes include: * parse AAAA records in dnsclient * also ask for AAAA records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname() The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist"
2010-12-01 10:22:56 -06:00
import netaddr
Wait for Directory Server ports to open When Directory Server operation is run right after the server restart the listening ports may not be opened yet. This makes the installation fail. This patch fixes this issue by waiting for both secure and insecure Directory Server ports to open after every restart. https://fedorahosted.org/freeipa/ticket/1076
2011-03-14 11:56:17 -05:00
import time
Make dogtag an optional (and default un-) installed component in a replica. A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
2011-06-17 15:47:39 -05:00
import tempfile
Add common is_installed() fn, better uninstall logging, check for errors. The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
2011-08-29 10:16:52 -05:00
import shutil
Move install script error handling to a common function All of our install/admin scripts had a try/except block calling the main function and handling common exceptions. These were copy-pasted from each other and modified to various levels of sophistication. This refactors them out of installers to a single function, which includes a final pass/fail message for all of the scripts. Non-install scripts that set up the same log handler levels for stderr and log file are not changed, as it's not possible to log to only the logfile without changing the logger configuration. https://fedorahosted.org/freeipa/ticket/2071
2012-05-31 07:34:09 -05:00
from ConfigParser import SafeConfigParser
import traceback
Replace DNS client based on acutil with python-dns IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
2012-05-11 07:38:09 -05:00
from dns import resolver, rdatatype
from dns.exception import DNSException
Move install script error handling to a common function All of our install/admin scripts had a try/except block calling the main function and handling common exceptions. These were copy-pasted from each other and modified to various levels of sophistication. This refactors them out of installers to a single function, which includes a final pass/fail message for all of the scripts. Non-install scripts that set up the same log handler levels for stderr and log file are not changed, as it's not possible to log to only the logfile without changing the logger configuration. https://fedorahosted.org/freeipa/ticket/2071
2012-05-31 07:34:09 -05:00
import ldap
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
Replace DNS client based on acutil with python-dns IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
2012-05-11 07:38:09 -05:00
from ipapython import ipautil, sysrestore
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
from ipapython.ipa_log_manager import *
Improve hostname verification in install tools Our install tools like ipa-server-install, ipa-replica-{prepare, install} may allow hostnames that do not match the requirements in ipalib. This creates a disconnect and may cause issues when user cannot delete hostnames created by install tools. This patch makes sure that ipalib requirements are applied to install tools hostnames as well. https://fedorahosted.org/freeipa/ticket/2089
2012-03-01 04:01:45 -06:00
from ipalib.util import validate_hostname
Move install script error handling to a common function All of our install/admin scripts had a try/except block calling the main function and handling common exceptions. These were copy-pasted from each other and modified to various levels of sophistication. This refactors them out of installers to a single function, which includes a final pass/fail message for all of the scripts. Non-install scripts that set up the same log handler levels for stderr and log file are not changed, as it's not possible to log to only the logfile without changing the logger configuration. https://fedorahosted.org/freeipa/ticket/2071
2012-05-31 07:34:09 -05:00
from ipapython import config
from ipalib import errors
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Add common is_installed() fn, better uninstall logging, check for errors. The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
2011-08-29 10:16:52 -05:00
# Used to determine install status
Enable ipa_memcached when upgrading Add support for autobind to services. This is a bit of a special case so I currently require the caller to specify ldapi separately. It only makes sense to do this only in upgrade cases. Also uninstall ipa_memcached when uninstalling the server. https://fedorahosted.org/freeipa/ticket/2399
2012-02-15 15:55:59 -06:00
IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
Add common is_installed() fn, better uninstall logging, check for errors. The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
2011-08-29 10:16:52 -05:00
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
class BadHostError(Exception):
pass
class HostLookupError(BadHostError):
pass
class HostForwardLookupError(HostLookupError):
pass
class HostReverseLookupError(HostLookupError):
pass
class HostnameLocalhost(HostLookupError):
Fix reverse zone creation in ipa-replica-prepare When a new reverse zone was created in ipa-replica-prepare (this may happen when a new replica is from different subnet), the master DNS address was corrupted by invalid A/AAAA record. This caused problems for example in installing replica. https://fedorahosted.org/freeipa/ticket/1223
2011-05-27 10:05:45 -05:00
pass
Move install script error handling to a common function All of our install/admin scripts had a try/except block calling the main function and handling common exceptions. These were copy-pasted from each other and modified to various levels of sophistication. This refactors them out of installers to a single function, which includes a final pass/fail message for all of the scripts. Non-install scripts that set up the same log handler levels for stderr and log file are not changed, as it's not possible to log to only the logfile without changing the logger configuration. https://fedorahosted.org/freeipa/ticket/2071
2012-05-31 07:34:09 -05:00
class ScriptError(StandardError):
"""An exception that records an error message and a return value
"""
def __init__(self, msg = '', rval = 1):
self.msg = msg
self.rval = rval
def __str__(self):
return self.msg
Make dogtag an optional (and default un-) installed component in a replica. A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
2011-06-17 15:47:39 -05:00
class ReplicaConfig:
def __init__(self):
self.realm_name = ""
self.domain_name = ""
self.master_host_name = ""
self.dirman_password = ""
self.host_name = ""
self.dir = ""
self.subject_base = ""
self.setup_ca = False
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
def get_fqdn():
fqdn = ""
try:
fqdn = socket.getfqdn()
except:
try:
fqdn = socket.gethostname()
except:
fqdn = ""
return fqdn
Verify that the hostname is correct in /etc/hosts Don't ignore exceptions when getting the hostname from the user 433515
2008-03-06 12:17:28 -06:00
Check hostname resolution sanity Always check (even with --setup-dns or --no-host-dns) that if the host name or ip address resolves, it resolves to sane value. Otherwise report an error. Misconfigured /etc/hosts causing these errors could harm the installation later. https://fedorahosted.org/freeipa/ticket/1923
2011-10-07 07:23:20 -05:00
def verify_fqdn(host_name, no_host_dns=False, local_hostname=True):
Fix ipa-replica-prepare always warning the user about not using the system hostname. ticket 1717
2011-09-26 04:34:16 -05:00
"""
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
Run fqdn checks for given host:
- test hostname format
- test that hostname is fully qualified
- test forward and reverse hostname DNS lookup
Fix ipa-replica-prepare always warning the user about not using the system hostname. ticket 1717
2011-09-26 04:34:16 -05:00
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
Raises `BadHostError` or derived Exceptions if there is an error
Fix ipa-replica-prepare always warning the user about not using the system hostname. ticket 1717
2011-09-26 04:34:16 -05:00
:param host_name: The host name to verify.
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
:param no_host_dns: If true, skip DNS resolution tests of the host name.
Check hostname resolution sanity Always check (even with --setup-dns or --no-host-dns) that if the host name or ip address resolves, it resolves to sane value. Otherwise report an error. Misconfigured /etc/hosts causing these errors could harm the installation later. https://fedorahosted.org/freeipa/ticket/1923
2011-10-07 07:23:20 -05:00
:param local_hostname: If true, run additional checks for local hostnames
Fix ipa-replica-prepare always warning the user about not using the system hostname. ticket 1717
2011-09-26 04:34:16 -05:00
"""
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain":
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
raise BadHostError("Invalid hostname '%s', must be fully-qualified." % host_name)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Ensure that the system hostname is lower-case. ticket 1080
2011-03-17 09:22:33 -05:00
if host_name != host_name.lower():
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
raise BadHostError("Invalid hostname '%s', must be lower-case." % host_name)
Ensure that the system hostname is lower-case. ticket 1080
2011-03-17 09:22:33 -05:00
Make sure that hostname specified by user is not an IP address. ticket 1375
2011-07-25 10:14:01 -05:00
if ipautil.valid_ip(host_name):
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
raise BadHostError("IP address not allowed as a hostname")
Make sure that hostname specified by user is not an IP address. ticket 1375
2011-07-25 10:14:01 -05:00
Improve hostname verification in install tools Our install tools like ipa-server-install, ipa-replica-{prepare, install} may allow hostnames that do not match the requirements in ipalib. This creates a disconnect and may cause issues when user cannot delete hostnames created by install tools. This patch makes sure that ipalib requirements are applied to install tools hostnames as well. https://fedorahosted.org/freeipa/ticket/2089
2012-03-01 04:01:45 -06:00
try:
# make sure that the host name meets the requirements in ipalib
validate_hostname(host_name)
except ValueError, e:
raise BadHostError("Invalid hostname '%s', %s" % (host_name, unicode(e)))
Check hostname resolution sanity Always check (even with --setup-dns or --no-host-dns) that if the host name or ip address resolves, it resolves to sane value. Otherwise report an error. Misconfigured /etc/hosts causing these errors could harm the installation later. https://fedorahosted.org/freeipa/ticket/1923
2011-10-07 07:23:20 -05:00
if local_hostname:
try:
Replace DNS client based on acutil with python-dns IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
2012-05-11 07:38:09 -05:00
root_logger.debug('Check if %s is a primary hostname for localhost', host_name)
Check hostname resolution sanity Always check (even with --setup-dns or --no-host-dns) that if the host name or ip address resolves, it resolves to sane value. Otherwise report an error. Misconfigured /etc/hosts causing these errors could harm the installation later. https://fedorahosted.org/freeipa/ticket/1923
2011-10-07 07:23:20 -05:00
ex_name = socket.gethostbyaddr(host_name)
Replace DNS client based on acutil with python-dns IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
2012-05-11 07:38:09 -05:00
root_logger.debug('Primary hostname for localhost: %s', ex_name[0])
Check hostname resolution sanity Always check (even with --setup-dns or --no-host-dns) that if the host name or ip address resolves, it resolves to sane value. Otherwise report an error. Misconfigured /etc/hosts causing these errors could harm the installation later. https://fedorahosted.org/freeipa/ticket/1923
2011-10-07 07:23:20 -05:00
if host_name != ex_name[0]:
raise HostLookupError("The host name %s does not match the primary host name %s. "\
"Please check /etc/hosts or DNS name resolution" % (host_name, ex_name[0]))
except socket.gaierror:
pass
IPA installation with --no-host-dns fails --no-host-dns option should allow installing IPA server on a host without a DNS resolvable name. Update parse_ip_address and verify_ip_address functions has been changed not to return None and print error messages in case of an error, but rather let the Exception be handled by the calling routine. https://fedorahosted.org/freeipa/ticket/1246
2011-05-31 05:51:38 -05:00
if no_host_dns:
print "Warning: skipping DNS resolution of host", host_name
return
Better check for IPA nServer own address, avoid manually parsing /etc/hosts by using nsswitch calls that read it and also take in account any other name resolution mechanism that might be installed (like NIS lol :-). This also should make the check support IPv6 transparently too (not tested)
2008-03-30 19:00:43 -05:00
try:
Replace DNS client based on acutil with python-dns IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
2012-05-11 07:38:09 -05:00
root_logger.debug('Search DNS for %s', host_name)
Better check for IPA nServer own address, avoid manually parsing /etc/hosts by using nsswitch calls that read it and also take in account any other name resolution mechanism that might be installed (like NIS lol :-). This also should make the check support IPv6 transparently too (not tested)
2008-03-30 19:00:43 -05:00
hostaddr = socket.getaddrinfo(host_name, None)
Replace DNS client based on acutil with python-dns IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
2012-05-11 07:38:09 -05:00
except Exception, e:
root_logger.debug('Search failed: %s', e)
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
raise HostForwardLookupError("Unable to resolve host name, check /etc/hosts or DNS name resolution")
Better check for IPA nServer own address, avoid manually parsing /etc/hosts by using nsswitch calls that read it and also take in account any other name resolution mechanism that might be installed (like NIS lol :-). This also should make the check support IPv6 transparently too (not tested)
2008-03-30 19:00:43 -05:00
if len(hostaddr) == 0:
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
raise HostForwardLookupError("Unable to resolve host name, check /etc/hosts or DNS name resolution")
Better check for IPA nServer own address, avoid manually parsing /etc/hosts by using nsswitch calls that read it and also take in account any other name resolution mechanism that might be installed (like NIS lol :-). This also should make the check support IPv6 transparently too (not tested)
2008-03-30 19:00:43 -05:00
Replace DNS client based on acutil with python-dns IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
2012-05-11 07:38:09 -05:00
# Verify this is NOT a CNAME
try:
root_logger.debug('Check if %s is not a CNAME', host_name)
resolver.query(host_name, rdatatype.CNAME)
raise HostReverseLookupError("The IPA Server Hostname cannot be a CNAME, only A and AAAA names are allowed.")
except DNSException:
pass
# list of verified addresses to prevent multiple searches for the same address
verified = set()
Better check for IPA nServer own address, avoid manually parsing /etc/hosts by using nsswitch calls that read it and also take in account any other name resolution mechanism that might be installed (like NIS lol :-). This also should make the check support IPv6 transparently too (not tested)
2008-03-30 19:00:43 -05:00
for a in hostaddr:
Replace DNS client based on acutil with python-dns IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
2012-05-11 07:38:09 -05:00
address = a[4][0]
if address in verified:
continue
if address == '127.0.0.1' or address == '::1':
raise HostForwardLookupError("The IPA Server hostname must not resolve to localhost (%s). A routable IP address must be used. Check /etc/hosts to see if %s is an alias for %s" % (address, host_name, address))
Better check for IPA nServer own address, avoid manually parsing /etc/hosts by using nsswitch calls that read it and also take in account any other name resolution mechanism that might be installed (like NIS lol :-). This also should make the check support IPv6 transparently too (not tested)
2008-03-30 19:00:43 -05:00
try:
Replace DNS client based on acutil with python-dns IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
2012-05-11 07:38:09 -05:00
root_logger.debug('Check reverse address of %s', address)
revname = socket.gethostbyaddr(address)[0]
except Exception, e:
root_logger.debug('Check failed: %s', e)
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
raise HostReverseLookupError("Unable to resolve the reverse ip address, check /etc/hosts or DNS name resolution")
Replace DNS client based on acutil with python-dns IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
2012-05-11 07:38:09 -05:00
root_logger.debug('Found reverse name: %s', revname)
Better check for IPA nServer own address, avoid manually parsing /etc/hosts by using nsswitch calls that read it and also take in account any other name resolution mechanism that might be installed (like NIS lol :-). This also should make the check support IPv6 transparently too (not tested)
2008-03-30 19:00:43 -05:00
if revname != host_name:
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
raise HostReverseLookupError("The host name %s does not match the reverse lookup %s" % (host_name, revname))
Replace DNS client based on acutil with python-dns IPA client and server tool set used authconfig acutil module to for client DNS operations. This is not optimal DNS interface for several reasons: - does not provide native Python object oriented interface but but rather C-like interface based on functions and structures which is not easy to use and extend - acutil is not meant to be used by third parties besides authconfig and thus can break without notice Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC. The main target of this patch is to replace all uses of acutil DNS library with a use python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases: - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improves for the remaining checks - improved logging for ipa-client-install DNS discovery https://fedorahosted.org/freeipa/ticket/2730 https://fedorahosted.org/freeipa/ticket/1837
2012-05-11 07:38:09 -05:00
verified.add(address)
Verify that the hostname is correct in /etc/hosts Don't ignore exceptions when getting the hostname from the user 433515
2008-03-06 12:17:28 -06:00
Check /etc/hosts file in ipa-server-install There may already be a record in /etc/hosts for chosen IP address which may not be detected under some circumstances. Make sure that /etc/hosts is checked properly. https://fedorahosted.org/freeipa/ticket/1923
2011-10-13 05:15:41 -05:00
def record_in_hosts(ip, host_name=None, file="/etc/hosts"):
"""
Search record in /etc/hosts - static table lookup for hostnames
In case of match, returns a tuple of ip address and a list of
hostname aliases
When no record is matched, None is returned
:param ip: IP address
:param host_name: Optional hostname to search
:param file: Optional path to the lookup table
"""
Fine tuning DNS options Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS. On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients. Set rdns to false on both server and client. https://fedorahosted.org/freeipa/ticket/931
2011-02-10 14:47:45 -06:00
hosts = open(file, 'r').readlines()
for line in hosts:
Fix handling of /etc/hosts ticket 971
2011-02-15 10:51:18 -06:00
line = line.rstrip('\n')
fields = line.partition('#')[0].split()
if len(fields) == 0:
Fine tuning DNS options Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS. On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients. Set rdns to false on both server and client. https://fedorahosted.org/freeipa/ticket/931
2011-02-10 14:47:45 -06:00
continue
Fix handling of /etc/hosts ticket 971
2011-02-15 10:51:18 -06:00
try:
hosts_ip = fields[0]
names = fields[1:]
if hosts_ip != ip:
continue
Check /etc/hosts file in ipa-server-install There may already be a record in /etc/hosts for chosen IP address which may not be detected under some circumstances. Make sure that /etc/hosts is checked properly. https://fedorahosted.org/freeipa/ticket/1923
2011-10-13 05:15:41 -05:00
if host_name is not None:
if host_name in names:
return (hosts_ip, names)
else:
return None
return (hosts_ip, names)
Fix handling of /etc/hosts ticket 971
2011-02-15 10:51:18 -06:00
except IndexError:
print "Warning: Erroneous line '%s' in %s" % (line, file)
continue
Fine tuning DNS options Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS. On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients. Set rdns to false on both server and client. https://fedorahosted.org/freeipa/ticket/931
2011-02-10 14:47:45 -06:00
Check /etc/hosts file in ipa-server-install There may already be a record in /etc/hosts for chosen IP address which may not be detected under some circumstances. Make sure that /etc/hosts is checked properly. https://fedorahosted.org/freeipa/ticket/1923
2011-10-13 05:15:41 -05:00
return None
Fine tuning DNS options Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS. On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients. Set rdns to false on both server and client. https://fedorahosted.org/freeipa/ticket/931
2011-02-10 14:47:45 -06:00
def add_record_to_hosts(ip, host_name, file="/etc/hosts"):
hosts_fd = open(file, 'r+')
hosts_fd.seek(0, 2)
hosts_fd.write(ip+'\t'+host_name+' '+host_name.split('.')[0]+'\n')
hosts_fd.close()
Move some functions from ipa-server-install into installutils We will need these functions in the new upcoming ipa-dns-install command.
2009-11-23 02:15:35 -06:00
def read_ip_address(host_name, fstore):
while True:
ip = ipautil.user_input("Please provide the IP address to be used for this host name", allow_empty = False)
IPA installation with --no-host-dns fails --no-host-dns option should allow installing IPA server on a host without a DNS resolvable name. Update parse_ip_address and verify_ip_address functions has been changed not to return None and print error messages in case of an error, but rather let the Exception be handled by the calling routine. https://fedorahosted.org/freeipa/ticket/1246
2011-05-31 05:51:38 -05:00
try:
Clean up of IP address checks in install scripts. Fixes ipa-dns-install incorrect warning. ticket 1486
2011-07-18 06:36:47 -05:00
ip_parsed = ipautil.CheckedIPAddress(ip, match_local=True)
IPA installation with --no-host-dns fails --no-host-dns option should allow installing IPA server on a host without a DNS resolvable name. Update parse_ip_address and verify_ip_address functions has been changed not to return None and print error messages in case of an error, but rather let the Exception be handled by the calling routine. https://fedorahosted.org/freeipa/ticket/1246
2011-05-31 05:51:38 -05:00
except Exception, e:
print "Error: Invalid IP Address %s: %s" % (ip, e)
continue
else:
Move some functions from ipa-server-install into installutils We will need these functions in the new upcoming ipa-dns-install command.
2009-11-23 02:15:35 -06:00
break
Parse netmasks in IP addresses passed to server install. ticket 1212
2011-05-27 13:17:22 -05:00
return ip_parsed
Move some functions from ipa-server-install into installutils We will need these functions in the new upcoming ipa-dns-install command.
2009-11-23 02:15:35 -06:00
def read_dns_forwarders():
addrs = []
Some more changes for DNS forwarders prompt
2010-04-06 12:47:21 -05:00
if ipautil.user_input("Do you want to configure DNS forwarders?", True):
print "Enter the IP address of DNS forwarder to use, or press Enter to finish."
Make the DNS forwarders interactive input less confusing Fixes #558984
2010-02-08 12:31:57 -06:00
while True:
ip = ipautil.user_input("Enter IP address for a DNS forwarder",
allow_empty=True)
if not ip:
break
IPA installation with --no-host-dns fails --no-host-dns option should allow installing IPA server on a host without a DNS resolvable name. Update parse_ip_address and verify_ip_address functions has been changed not to return None and print error messages in case of an error, but rather let the Exception be handled by the calling routine. https://fedorahosted.org/freeipa/ticket/1246
2011-05-31 05:51:38 -05:00
try:
Clean up of IP address checks in install scripts. Fixes ipa-dns-install incorrect warning. ticket 1486
2011-07-18 06:36:47 -05:00
ip_parsed = ipautil.CheckedIPAddress(ip, parse_netmask=False)
IPA installation with --no-host-dns fails --no-host-dns option should allow installing IPA server on a host without a DNS resolvable name. Update parse_ip_address and verify_ip_address functions has been changed not to return None and print error messages in case of an error, but rather let the Exception be handled by the calling routine. https://fedorahosted.org/freeipa/ticket/1246
2011-05-31 05:51:38 -05:00
except Exception, e:
print "Error: Invalid IP Address %s: %s" % (ip, e)
Some more changes for DNS forwarders prompt
2010-04-06 12:47:21 -05:00
print "DNS forwarder %s not added" % ip
Make the DNS forwarders interactive input less confusing Fixes #558984
2010-02-08 12:31:57 -06:00
continue
print "DNS forwarder %s added" % ip
Parse netmasks in IP addresses passed to server install. ticket 1212
2011-05-27 13:17:22 -05:00
addrs.append(str(ip_parsed))
Move some functions from ipa-server-install into installutils We will need these functions in the new upcoming ipa-dns-install command.
2009-11-23 02:15:35 -06:00
if not addrs:
print "No DNS forwarders configured"
return addrs
Allow passwords to work without a tty ala: echo password | some_program
2008-09-12 19:34:25 -05:00
def get_password(prompt):
if os.isatty(sys.stdin.fileno()):
return getpass.getpass(prompt)
else:
return sys.stdin.readline().rstrip()
Work around pkisilent bugs. Check directory manager password and certificate subject base for invalid characters. (https://bugzilla.redhat.com/show_bug.cgi?id=658641) Shell-escape pkisilent command-line arguments. (https://bugzilla.redhat.com/show_bug.cgi?id=741180) ticket 1636
2011-09-26 01:27:01 -05:00
def _read_password_default_validator(password):
if len(password) < 8:
raise ValueError("Password must be at least 8 characters long")
def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator):
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
correct = False
Install tools crash when password prompt is interrupted When getpass.getpass() function is interrupted via CTRL+D, EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and nice error message is printed. https://fedorahosted.org/freeipa/ticket/1916
2011-10-06 01:22:08 -05:00
pwd = None
try:
while not correct:
if not retry:
correct = True
pwd = get_password(user + " password: ")
if not pwd:
Work around pkisilent bugs. Check directory manager password and certificate subject base for invalid characters. (https://bugzilla.redhat.com/show_bug.cgi?id=658641) Shell-escape pkisilent command-line arguments. (https://bugzilla.redhat.com/show_bug.cgi?id=741180) ticket 1636
2011-09-26 01:27:01 -05:00
continue
Install tools crash when password prompt is interrupted When getpass.getpass() function is interrupted via CTRL+D, EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and nice error message is printed. https://fedorahosted.org/freeipa/ticket/1916
2011-10-06 01:22:08 -05:00
if validate:
try:
validator(pwd)
except ValueError, e:
print str(e)
pwd = None
continue
if not confirm:
correct = True
continue
pwd_confirm = get_password("Password (confirm): ")
if pwd != pwd_confirm:
print "Password mismatch!"
print ""
pwd = None
else:
correct = True
except EOFError:
return None
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
print ""
return pwd
User provided certs.
0000-12-31 18:09:24 -05:50
def update_file(filename, orig, subst):
if os.path.exists(filename):
Ensure that file ownership doesn't change when config is updated. Out of the blue update_file() and set_directive() changed file ownership to root:root when it updated some files. This was causing dogtag to break. So grab the owner before opening the file and reset it after closing. ticket 928
2011-02-10 21:13:42 -06:00
st = os.stat(filename)
User provided certs.
0000-12-31 18:09:24 -05:50
pattern = "%s" % re.escape(orig)
p = re.compile(pattern)
for line in fileinput.input(filename, inplace=1):
if not p.search(line):
sys.stdout.write(line)
else:
sys.stdout.write(p.sub(subst, line))
fileinput.close()
Ensure that file ownership doesn't change when config is updated. Out of the blue update_file() and set_directive() changed file ownership to root:root when it updated some files. This was causing dogtag to break. So grab the owner before opening the file and reset it after closing. ticket 928
2011-02-10 21:13:42 -06:00
os.chown(filename, st.st_uid, st.st_gid) # reset perms
User provided certs.
0000-12-31 18:09:24 -05:50
return 0
else:
print "File %s doesn't exist." % filename
return 1
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
def set_directive(filename, directive, value, quotes=True, separator=' '):
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
"""Set a name/value pair directive in a configuration file.
Remove root autobind search restriction, fix upgrade logging & error handling. There was no point in limiting autobind root to just search cn=config since it could always just modify its way out of the box, so remove the restriction. The upgrade log wasn't being created. Clearing all other loggers before we calling logging.basicConfig() fixes this. Add a global exception when performing updates so we can gracefully catch and log problems without leaving the server in a bad state. https://fedorahosted.org/freeipa/ticket/1243 https://fedorahosted.org/freeipa/ticket/1254
2011-06-09 12:16:07 -05:00
A value of None means to drop the directive.
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
This has only been tested with nss.conf
"""
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
valueset = False
Ensure that file ownership doesn't change when config is updated. Out of the blue update_file() and set_directive() changed file ownership to root:root when it updated some files. This was causing dogtag to break. So grab the owner before opening the file and reset it after closing. ticket 928
2011-02-10 21:13:42 -06:00
st = os.stat(filename)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
fd = open(filename)
Clean up some problems discovered with pylint and pychecker Much of this is formatting to make pylint happy but it also fixes some real bugs.
2009-08-11 16:08:09 -05:00
newfile = []
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
for line in fd:
if directive in line:
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
valueset = True
Remove root autobind search restriction, fix upgrade logging & error handling. There was no point in limiting autobind root to just search cn=config since it could always just modify its way out of the box, so remove the restriction. The upgrade log wasn't being created. Clearing all other loggers before we calling logging.basicConfig() fixes this. Add a global exception when performing updates so we can gracefully catch and log problems without leaving the server in a bad state. https://fedorahosted.org/freeipa/ticket/1243 https://fedorahosted.org/freeipa/ticket/1254
2011-06-09 12:16:07 -05:00
if value is not None:
if quotes:
newfile.append('%s%s"%s"\n' % (directive, separator, value))
else:
newfile.append('%s%s%s\n' % (directive, separator, value))
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
else:
Clean up some problems discovered with pylint and pychecker Much of this is formatting to make pylint happy but it also fixes some real bugs.
2009-08-11 16:08:09 -05:00
newfile.append(line)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
fd.close()
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
if not valueset:
Remove root autobind search restriction, fix upgrade logging & error handling. There was no point in limiting autobind root to just search cn=config since it could always just modify its way out of the box, so remove the restriction. The upgrade log wasn't being created. Clearing all other loggers before we calling logging.basicConfig() fixes this. Add a global exception when performing updates so we can gracefully catch and log problems without leaving the server in a bad state. https://fedorahosted.org/freeipa/ticket/1243 https://fedorahosted.org/freeipa/ticket/1254
2011-06-09 12:16:07 -05:00
if value is not None:
if quotes:
newfile.append('%s%s"%s"\n' % (directive, separator, value))
else:
newfile.append('%s%s%s\n' % (directive, separator, value))
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
fd = open(filename, "w")
Clean up some problems discovered with pylint and pychecker Much of this is formatting to make pylint happy but it also fixes some real bugs.
2009-08-11 16:08:09 -05:00
fd.write("".join(newfile))
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
fd.close()
Ensure that file ownership doesn't change when config is updated. Out of the blue update_file() and set_directive() changed file ownership to root:root when it updated some files. This was causing dogtag to break. So grab the owner before opening the file and reset it after closing. ticket 928
2011-02-10 21:13:42 -06:00
os.chown(filename, st.st_uid, st.st_gid) # reset perms
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
Clean up some problems discovered with pylint and pychecker Much of this is formatting to make pylint happy but it also fixes some real bugs.
2009-08-11 16:08:09 -05:00
def get_directive(filename, directive, separator=' '):
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
"""
A rather inefficient way to get a configuration directive.
"""
fd = open(filename, "r")
for line in fd:
if directive in line:
line = line.strip()
result = line.split(separator, 1)[1]
result = result.strip('"')
Add LDAP upgrade over ldapi support. This disables all but the ldapi listener in DS so it will be quiet when we perform our upgrades. It is expected that any other clients that also use ldapi will be shut down by other already (krb5 and dns). Add ldapi as an option in ipaldap and add the beginning of pure offline support (e.g. direct editing of LDIF files).
2010-05-27 10:58:31 -05:00
result = result.strip(' ')
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
fd.close()
return result
fd.close()
return None
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
def kadmin(command):
ipa-kdb: Change install to use the new ipa-kdb kdc backend Use ipakdb instead of kldap and change install procedures accordingly Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
2011-06-08 16:21:23 -05:00
ipautil.run(["kadmin.local", "-q", command,
"-x", "ipa-setup-override-restrictions"])
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
def kadmin_addprinc(principal):
kadmin("addprinc -randkey " + principal)
def kadmin_modprinc(principal, options):
kadmin("modprinc " + options + " " + principal)
def create_keytab(path, principal):
try:
if ipautil.file_exists(path):
os.remove(path)
except os.error:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.critical("Failed to remove %s." % path)
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
kadmin("ktadd -k " + path + " " + principal)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Fix reverse zone creation in ipa-replica-prepare When a new reverse zone was created in ipa-replica-prepare (this may happen when a new replica is from different subnet), the master DNS address was corrupted by invalid A/AAAA record. This caused problems for example in installing replica. https://fedorahosted.org/freeipa/ticket/1223
2011-05-27 10:05:45 -05:00
def resolve_host(host_name):
try:
addrinfos = socket.getaddrinfo(host_name, None,
socket.AF_UNSPEC, socket.SOCK_STREAM)
Fix ipa-server-install for dual NICs A server may have 2 or more NICs and its hostname may thus resolve to 2 and more forward addresses. IP address checks in install scripts does not expect this setup and may fail or crash. This script adds a support for multiple forward addresses for a hostname. The install scripts do not crash now. When one IP address is needed, user is asked to choose from all detected server IP addresses. https://fedorahosted.org/freeipa/ticket/2154
2012-01-20 01:30:40 -06:00
ip_list = []
Fix reverse zone creation in ipa-replica-prepare When a new reverse zone was created in ipa-replica-prepare (this may happen when a new replica is from different subnet), the master DNS address was corrupted by invalid A/AAAA record. This caused problems for example in installing replica. https://fedorahosted.org/freeipa/ticket/1223
2011-05-27 10:05:45 -05:00
for ai in addrinfos:
ip = ai[4][0]
if ip == "127.0.0.1" or ip == "::1":
raise HostnameLocalhost("The hostname resolves to the localhost address")
Fix ipa-server-install for dual NICs A server may have 2 or more NICs and its hostname may thus resolve to 2 and more forward addresses. IP address checks in install scripts does not expect this setup and may fail or crash. This script adds a support for multiple forward addresses for a hostname. The install scripts do not crash now. When one IP address is needed, user is asked to choose from all detected server IP addresses. https://fedorahosted.org/freeipa/ticket/2154
2012-01-20 01:30:40 -06:00
ip_list.append(ip)
return ip_list
except socket.error:
return []
Make dogtag an optional (and default un-) installed component in a replica. A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
2011-06-17 15:47:39 -05:00
def get_host_name(no_host_dns):
"""
Get the current FQDN from the socket and verify that it is valid.
no_host_dns is a boolean that determines whether we enforce that the
hostname is resolvable.
Will raise a RuntimeError on error, returns hostname on success
"""
hostname = get_fqdn()
verify_fqdn(hostname, no_host_dns)
return hostname
Let replicas install without DNS Let ipa-replica-prepare and ipa-replica-install work without proper DNS records as records in /etc/hosts are sufficient for DS replication. 1) ipa-replica-prepare now just checks if the replica hostname is resolvable (DNS records are not required). It is now able to prepare a replica file even when the replica IP address is present in /etc/hosts only. 2) ipa-replica-install is now able to proceed when the hostname is not resolvable. It uses an IP address passed in a new option --ip-address to create a record in /etc/hosts in the same way as ipa-server-install does. https://fedorahosted.org/freeipa/ticket/2139
2012-01-04 13:04:21 -06:00
def get_server_ip_address(host_name, fstore, unattended, options):
# Check we have a public IP that is associated with the hostname
try:
hostaddr = resolve_host(host_name)
except HostnameLocalhost:
print >> sys.stderr, "The hostname resolves to the localhost address (127.0.0.1/::1)"
print >> sys.stderr, "Please change your /etc/hosts file so that the hostname"
print >> sys.stderr, "resolves to the ip address of your network interface."
print >> sys.stderr, "The KDC service does not listen on localhost"
print >> sys.stderr, ""
print >> sys.stderr, "Please fix your /etc/hosts file and restart the setup program"
sys.exit(1)
ip_add_to_hosts = False
Fix ipa-server-install for dual NICs A server may have 2 or more NICs and its hostname may thus resolve to 2 and more forward addresses. IP address checks in install scripts does not expect this setup and may fail or crash. This script adds a support for multiple forward addresses for a hostname. The install scripts do not crash now. When one IP address is needed, user is asked to choose from all detected server IP addresses. https://fedorahosted.org/freeipa/ticket/2154
2012-01-20 01:30:40 -06:00
if len(hostaddr) > 1:
print >> sys.stderr, "The server hostname resolves to more than one address:"
for addr in hostaddr:
print >> sys.stderr, " %s" % addr
if options.ip_address:
if str(options.ip_address) not in hostaddr:
print >> sys.stderr, "Address passed in --ip-address did not match any resolved"
print >> sys.stderr, "address!"
sys.exit(1)
print "Selected IP address:", str(options.ip_address)
ip = options.ip_address
else:
if unattended:
print >> sys.stderr, "Please use --ip-address option to specify the address"
sys.exit(1)
else:
ip = read_ip_address(host_name, fstore)
elif len(hostaddr) == 1:
Include more information when IP address is not local during installation. Provide the IP address we resolved when displaying the exception. Also handle the exception ourselves with sys.exit(). https://fedorahosted.org/freeipa/ticket/2654
2012-05-16 15:38:01 -05:00
try:
ip = ipautil.CheckedIPAddress(hostaddr[0], match_local=True)
except ValueError, e:
sys.exit("Invalid IP Address %s for %s: %s" % (hostaddr[0], host_name, unicode(e)))
Let replicas install without DNS Let ipa-replica-prepare and ipa-replica-install work without proper DNS records as records in /etc/hosts are sufficient for DS replication. 1) ipa-replica-prepare now just checks if the replica hostname is resolvable (DNS records are not required). It is now able to prepare a replica file even when the replica IP address is present in /etc/hosts only. 2) ipa-replica-install is now able to proceed when the hostname is not resolvable. It uses an IP address passed in a new option --ip-address to create a record in /etc/hosts in the same way as ipa-server-install does. https://fedorahosted.org/freeipa/ticket/2139
2012-01-04 13:04:21 -06:00
else:
# hostname is not resolvable
ip = options.ip_address
ip_add_to_hosts = True
if ip is None:
print "Unable to resolve IP address for host name"
if unattended:
sys.exit(1)
if options.ip_address:
if options.ip_address != ip and not options.setup_dns:
print >>sys.stderr, "Error: the hostname resolves to an IP address that is different"
print >>sys.stderr, "from the one provided on the command line. Please fix your DNS"
print >>sys.stderr, "or /etc/hosts file and restart the installation."
sys.exit(1)
ip = options.ip_address
if ip is None:
ip = read_ip_address(host_name, fstore)
root_logger.debug("read ip_address: %s\n" % str(ip))
ip_address = str(ip)
# check /etc/hosts sanity, add a record when needed
hosts_record = record_in_hosts(ip_address)
if hosts_record is None:
if ip_add_to_hosts:
print "Adding ["+ip_address+" "+host_name+"] to your /etc/hosts file"
fstore.backup_file("/etc/hosts")
add_record_to_hosts(ip_address, host_name)
else:
primary_host = hosts_record[1][0]
if primary_host != host_name:
print >>sys.stderr, "Error: there is already a record in /etc/hosts for IP address %s:" \
% ip_address
print >>sys.stderr, hosts_record[0], " ".join(hosts_record[1])
print >>sys.stderr, "Chosen hostname %s does not match configured canonical hostname %s" \
% (host_name, primary_host)
print >>sys.stderr, "Please fix your /etc/hosts file and restart the installation."
sys.exit(1)
return ip
Make dogtag an optional (and default un-) installed component in a replica. A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
2011-06-17 15:47:39 -05:00
def expand_replica_info(filename, password):
"""
Decrypt and expand a replica installation file into a temporary
location. The caller is responsible to remove this directory.
"""
top_dir = tempfile.mkdtemp("ipa")
tarfile = top_dir+"/files.tar"
dir = top_dir + "/realm_info"
ipautil.decrypt_file(filename, tarfile, password, top_dir)
ipautil.run(["tar", "xf", tarfile, "-C", top_dir])
os.remove(tarfile)
return top_dir, dir
def read_replica_info(dir, rconfig):
"""
Read the contents of a replica installation file.
rconfig is a ReplicaConfig object
"""
filename = dir + "/realm_info"
fd = open(filename)
config = SafeConfigParser()
config.readfp(fd)
rconfig.realm_name = config.get("realm", "realm_name")
rconfig.master_host_name = config.get("realm", "master_host_name")
rconfig.domain_name = config.get("realm", "domain_name")
rconfig.host_name = config.get("realm", "destination_host")
rconfig.subject_base = config.get("realm", "subject_base")
Check IPA configuration in install tools Install tools may fail with unexpected error when IPA server is not installed on a system. Improve user experience by implementing a check to affected tools. https://fedorahosted.org/freeipa/ticket/1327 https://fedorahosted.org/freeipa/ticket/1347
2011-07-18 02:33:57 -05:00
def check_server_configuration():
"""
Check if IPA server is configured on the system.
This is done by checking if there are system restore (uninstall) files
present on the system. Note that this check can only be run with root
privileges.
When IPA is not configured, this function raises a RuntimeError exception.
Most convenient use case for the function is in install tools that require
configured IPA for its function.
"""
server_fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
if not server_fstore.has_files():
raise RuntimeError("IPA is not configured on this system.")
Add common is_installed() fn, better uninstall logging, check for errors. The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
2011-08-29 10:16:52 -05:00
def remove_file(filename):
"""
Remove a file and log any exceptions raised.
"""
try:
if os.path.exists(filename):
os.unlink(filename)
except Exception, e:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.error('Error removing %s: %s' % (filename, str(e)))
Add common is_installed() fn, better uninstall logging, check for errors. The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
2011-08-29 10:16:52 -05:00
def rmtree(path):
"""
Remove a directory structure and log any exceptions raised.
"""
try:
if os.path.exists(path):
shutil.rmtree(path)
except Exception, e:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.error('Error removing %s: %s' % (path, str(e)))
Add common is_installed() fn, better uninstall logging, check for errors. The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
2011-08-29 10:16:52 -05:00
def is_ipa_configured():
"""
Using the state and index install files determine if IPA is already
configured.
"""
installed = False
sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
for module in IPA_MODULES:
if sstore.has_state(module):
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.debug('%s is configured' % module)
Add common is_installed() fn, better uninstall logging, check for errors. The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
2011-08-29 10:16:52 -05:00
installed = True
else:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.debug('%s is not configured' % module)
Add common is_installed() fn, better uninstall logging, check for errors. The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
2011-08-29 10:16:52 -05:00
if fstore.has_files():
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.debug('filestore has files')
Add common is_installed() fn, better uninstall logging, check for errors. The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
2011-08-29 10:16:52 -05:00
installed = True
else:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.debug('filestore is tracking no files')
Add common is_installed() fn, better uninstall logging, check for errors. The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
2011-08-29 10:16:52 -05:00
return installed
Move install script error handling to a common function All of our install/admin scripts had a try/except block calling the main function and handling common exceptions. These were copy-pasted from each other and modified to various levels of sophistication. This refactors them out of installers to a single function, which includes a final pass/fail message for all of the scripts. Non-install scripts that set up the same log handler levels for stderr and log file are not changed, as it's not possible to log to only the logfile without changing the logger configuration. https://fedorahosted.org/freeipa/ticket/2071
2012-05-31 07:34:09 -05:00
def run_script(main_function, operation_name, log_file_name=None,
fail_message=None):
"""Run the given function as a command-line utility
This function:
- Runs the given function
- Formats any errors
- Exits with the appropriate code
:param main_function: Function to call
:param log_file_name: Name of the log file (displayed on unexpected errors)
:param operation_name: Name of the script
:param fail_message: Optional message displayed on failure
"""
root_logger.info('Starting script: %s', operation_name)
try:
try:
return_value = main_function()
except BaseException, e:
if isinstance(e, SystemExit) and (e.code is None or e.code == 0):
# Not an error after all
root_logger.info('The %s command was successful',
operation_name)
else:
# Log at the INFO level, which is not output to the console
# (unless in debug/verbose mode), but is written to a logfile
# if one is open.
tb = sys.exc_info()[2]
root_logger.info('\n'.join(traceback.format_tb(tb)))
root_logger.info('The %s command failed, exception: %s: %s',
operation_name, type(e).__name__, e)
exception = e
if fail_message and not isinstance(e, SystemExit):
print fail_message
raise
else:
if return_value:
root_logger.info('The %s command failed, return value %s',
operation_name, return_value)
else:
root_logger.info('The %s command was successful',
operation_name)
sys.exit(return_value)
except BaseException, error:
handle_error(error, log_file_name)
def handle_error(error, log_file_name=None):
"""Handle specific errors"""
if isinstance(error, SystemExit):
sys.exit(error)
if isinstance(error, RuntimeError):
sys.exit(error)
if isinstance(error, KeyboardInterrupt):
print >> sys.stderr, "Cancelled."
sys.exit(1)
if isinstance(error, ScriptError):
if error.msg:
print >> sys.stderr, error.msg
sys.exit(error.rval)
if isinstance(error, socket.error):
print >> sys.stderr, error
sys.exit(1)
if isinstance(error, ldap.INVALID_CREDENTIALS):
print >> sys.stderr, "Invalid password"
sys.exit(1)
if isinstance(error, ldap.INSUFFICIENT_ACCESS):
print >> sys.stderr, "Insufficient access"
sys.exit(1)
if isinstance(error, ldap.LOCAL_ERROR):
print >> sys.stderr, error.args[0]['info']
sys.exit(1)
if isinstance(error, ldap.SERVER_DOWN):
print >> sys.stderr, error.args[0]['desc']
sys.exit(1)
if isinstance(error, ldap.LDAPError):
print >> sys.stderr, 'LDAP error: %s' % type(error).__name__
print >> sys.stderr, error.args[0]['info']
sys.exit(1)
if isinstance(error, config.IPAConfigError):
print >> sys.stderr, "An IPA server to update cannot be found. Has one been configured yet?"
print >> sys.stderr, "The error was: %s" % error
sys.exit(1)
if isinstance(error, errors.LDAPError):
print >> sys.stderr, "An error occurred while performing operations: %s" % error
sys.exit(1)
if isinstance(error, HostnameLocalhost):
print >> sys.stderr, "The hostname resolves to the localhost address (127.0.0.1/::1)"
print >> sys.stderr, "Please change your /etc/hosts file so that the hostname"
print >> sys.stderr, "resolves to the ip address of your network interface."
print >> sys.stderr, ""
print >> sys.stderr, "Please fix your /etc/hosts file and restart the setup program"
sys.exit(1)
if log_file_name:
print >> sys.stderr, "Unexpected error - see %s for details:" % log_file_name
else:
print >> sys.stderr, "Unexpected error"
print >> sys.stderr, '%s: %s' % (type(error).__name__, error)
sys.exit(1)
Reference in New Issue Copy Permalink