IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
7902c784963c64b2d0fba8e7fa03529e793c221c
freeipa/ipaserver/install/kra.py

154 lines
4.5 KiB
Python
Raw Normal View History

merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
install: introduce installer class hierarchy Add class hierarchy which allows inherting knob definitions between the various client and server install scripts. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-09 12:44:22 +01:00
"""
KRA installer module
"""
Add absolute_import future imports Add absolute_import from __future__ so that pylint does not fail and to achieve python3 behavior in python2. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-05 09:21:16 +02:00
from __future__ import absolute_import
Ensure IPA is running (ideally) before uninstalling the KRA The KRA attempts to unregister itself from the security domain which requires that IPA be running for this to succeed. 1. Move the KRA uninstall call prior to stopping all IPA services 2. Try to start IPA if it isn't running and a KRA is configured It isn't mandatory that IPA be running for the KRA uninstall to succeed but it will suppress a pretty scary backtrace and error message. https://pagure.io/freeipa/issue/8550 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-01-25 11:40:22 -05:00
import logging
Allow to install the KRA on a promoted server Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-25 15:42:25 -04:00
import os
Don't allow standalone KRA uninstalls KRA uninstallation is very likely to break the user's setup. Don't allow it at least till we can be safely sure we are able to remove it in a standalone manner without breaking anything. https://pagure.io/freeipa/issue/6538 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-08 16:38:12 +01:00
from ipalib import api
kra: promote: Get ticket before calling custodia When installing second (or consequent) KRA instance keys are retrieved using custodia. Custodia checks that the keys are synchronized in master's directory server and the check uses GSSAPI and therefore fails if there's no ticket in ccache. https://pagure.io/freeipa/issue/7020 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-14 15:39:58 +02:00
from ipalib.install.kinit import kinit_keytab
Allow to install the KRA on a promoted server Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-25 15:42:25 -04:00
from ipaplatform import services
install: drop support for Dogtag 9 Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
2015-11-09 18:28:47 +01:00
from ipaplatform.paths import paths
KRA Install: check replica file if contains req. certificates https://fedorahosted.org/freeipa/ticket/5059 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-01 14:02:24 +02:00
from ipapython import ipautil
install: re-introduce option groups Re-introduce option groups in ipa-client-install, ipa-server-install and ipa-replica-install. https://pagure.io/freeipa/issue/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-08 08:03:13 +00:00
from ipapython.install.core import group
krainstance: set correct issuer DN in uid=ipakra entry If IPA CA has custom subject DN (not "CN=Certificate Authority,{subject_base}"), the uid=ipakra people entry gets an incorrect 'description' attribute. The issuer DN in the 'description' attribute is based on the aforementioned pattern, instead of the actual IPA CA subject DN. Update KRAInstance.configure_instance() to require the CA subject DN argument. Update ipaserver.install.kra.install() to pass the CA subject DN. Fixes: https://pagure.io/freeipa/issue/8084 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-04 13:30:37 +10:00
from ipaserver.install import ca, cainstance
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
from ipaserver.install import krainstance
from ipaserver.install import dsinstance
install: introduce installer class hierarchy Add class hierarchy which allows inherting knob definitions between the various client and server install scripts. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-09 12:44:22 +01:00
from ipaserver.install import service as _service
from . import dogtag
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
Ensure IPA is running (ideally) before uninstalling the KRA The KRA attempts to unregister itself from the security domain which requires that IPA be running for this to succeed. 1. Move the KRA uninstall call prior to stopping all IPA services 2. Try to start IPA if it isn't running and a KRA is configured It isn't mandatory that IPA be running for the KRA uninstall to succeed but it will suppress a pretty scary backtrace and error message. https://pagure.io/freeipa/issue/8550 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-01-25 11:40:22 -05:00
logger = logging.getLogger(__name__)
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
vault: Fix ipa-kra-install Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 08:50:42 +00:00
def install_check(api, replica_config, options):
replica install: merge KRA agent cert export into KRA install Merge all KRA agent cert export code paths into a single code path in KRA install. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-26 15:28:53 +02:00
if replica_config is not None and not replica_config.setup_kra:
return
install: drop support for Dogtag 9 Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
2015-11-09 18:28:47 +01:00
kra = krainstance.KRAInstance(api.env.realm)
vault: Fix ipa-kra-install Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 08:50:42 +00:00
if kra.is_installed():
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
raise RuntimeError("KRA is already installed.")
if not options.setup_ca:
if cainstance.is_ca_installed_locally():
vault: Fix ipa-kra-install Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 08:50:42 +00:00
if api.env.dogtag_version >= 10:
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
# correct dogtag version of CA installed
pass
else:
raise RuntimeError(
"Dogtag must be version 10.2 or above to install KRA")
else:
raise RuntimeError(
"Dogtag CA is not installed. Please install the CA first")
if replica_config is not None:
vault: Fix ipa-kra-install Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 08:50:42 +00:00
if not api.Command.kra_is_enabled()['result']:
Modify error message to install first instance of KRA First instance of KRA should be installed by ipa-kra-install. https://fedorahosted.org/freeipa/ticket/5460 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-11-30 18:18:38 +01:00
raise RuntimeError(
"KRA is not installed on the master system. Please use "
"'ipa-kra-install' command to install the first instance.")
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
Use single Custodia instance in installers Installers now pass a single CustodiaInstance object around, instead of creating new instances on demand. In case of replica promotion with CA, the instance gets all secrets from a master with CA present. Before, an installer created multiple instances and may have requested CA key material from a different machine than DM password hash. In case of Domain Level 1 and replica promotion, the CustodiaInstance no longer adds the keys to the local instance and waits for replication to other replica. Instead the installer directly uploads the new public keys to the remote 389-DS instance. Without promotion, new Custodia public keys are still added to local 389-DS over LDAPI. Fixes: https://pagure.io/freeipa/issue/7518 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
2018-04-26 12:06:36 +02:00
def install(api, replica_config, options, custodia):
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
if replica_config is None:
Don't run kra.configure_instance if not necessary If kra should not be set up, don't run the code as it would only prolong the installations. Previously, krainstance configuration would be performed just to export the client certificate and private key to authenticate to certificate server. This is now performed somewhere else therefore there's no need to run KRAInstance.configure_instance. The kra.install() method still performs actions on replicas and we're keeping it in server installer to conform to the installers design. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-04 08:41:26 +01:00
if not options.setup_kra:
return
install: merge all KRA install code paths into one Merge KRA install code paths use in ipa-replica-install in either domain level and ipa-kra-install into one. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-26 09:44:49 +02:00
realm_name = api.env.realm
dm_password = options.dm_password
host_name = api.env.host
subject_base = dsinstance.DsInstance().find_subject_base()
pkcs12_info = None
master_host = None
promote = False
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
else:
Don't run kra.configure_instance if not necessary If kra should not be set up, don't run the code as it would only prolong the installations. Previously, krainstance configuration would be performed just to export the client certificate and private key to authenticate to certificate server. This is now performed somewhere else therefore there's no need to run KRAInstance.configure_instance. The kra.install() method still performs actions on replicas and we're keeping it in server installer to conform to the installers design. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-04 08:41:26 +01:00
if not replica_config.setup_kra:
return
install: merge all KRA install code paths into one Merge KRA install code paths use in ipa-replica-install in either domain level and ipa-kra-install into one. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-26 09:44:49 +02:00
krafile = os.path.join(replica_config.dir, 'kracert.p12')
Remove DL0 specific code from kra in ipaserver/install The code to add missing KRA certificates has been removed from install_check as it was only reached if replica_config is not None and promote was False for DL0 replica installations. Also the other places. Promote is now hard set to True if replica_config is not None in install for later use in krainstance. See: https://pagure.io/freeipa/issue/7689 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-09-10 15:07:55 +02:00
with ipautil.private_ccache():
ccache = os.environ['KRB5CCNAME']
kinit_keytab(
'host/{env.host}@{env.realm}'.format(env=api.env),
paths.KRB5_KEYTAB,
ccache)
custodia.get_kra_keys(
krafile,
replica_config.dirman_password)
install: merge all KRA install code paths into one Merge KRA install code paths use in ipa-replica-install in either domain level and ipa-kra-install into one. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-26 09:44:49 +02:00
realm_name = replica_config.realm_name
dm_password = replica_config.dirman_password
host_name = replica_config.host_name
subject_base = replica_config.subject_base
pkcs12_info = (krafile,)
master_host = replica_config.kra_host_name
Remove DL0 specific code from kra in ipaserver/install The code to add missing KRA certificates has been removed from install_check as it was only reached if replica_config is not None and promote was False for DL0 replica installations. Also the other places. Promote is now hard set to True if replica_config is not None in install for later use in krainstance. See: https://pagure.io/freeipa/issue/7689 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-09-10 15:07:55 +02:00
promote = True
install: merge all KRA install code paths into one Merge KRA install code paths use in ipa-replica-install in either domain level and ipa-kra-install into one. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-26 09:44:49 +02:00
krainstance: set correct issuer DN in uid=ipakra entry If IPA CA has custom subject DN (not "CN=Certificate Authority,{subject_base}"), the uid=ipakra people entry gets an incorrect 'description' attribute. The issuer DN in the 'description' attribute is based on the aforementioned pattern, instead of the actual IPA CA subject DN. Update KRAInstance.configure_instance() to require the CA subject DN argument. Update ipaserver.install.kra.install() to pass the CA subject DN. Fixes: https://pagure.io/freeipa/issue/8084 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-04 13:30:37 +10:00
ca_subject = ca.lookup_ca_subject(api, subject_base)
install: merge all KRA install code paths into one Merge KRA install code paths use in ipa-replica-install in either domain level and ipa-kra-install into one. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-26 09:44:49 +02:00
kra = krainstance.KRAInstance(realm_name)
Add pki.ini override option Allow to specify a pki.ini overlay file on the command line. The override file can be used to override pkispawn settings. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-09-03 12:45:30 +02:00
kra.configure_instance(
realm_name, host_name, dm_password, dm_password,
subject_base=subject_base,
krainstance: set correct issuer DN in uid=ipakra entry If IPA CA has custom subject DN (not "CN=Certificate Authority,{subject_base}"), the uid=ipakra people entry gets an incorrect 'description' attribute. The issuer DN in the 'description' attribute is based on the aforementioned pattern, instead of the actual IPA CA subject DN. Update KRAInstance.configure_instance() to require the CA subject DN argument. Update ipaserver.install.kra.install() to pass the CA subject DN. Fixes: https://pagure.io/freeipa/issue/8084 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-04 13:30:37 +10:00
ca_subject=ca_subject,
Add pki.ini override option Allow to specify a pki.ini overlay file on the command line. The override file can be used to override pkispawn settings. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-09-03 12:45:30 +02:00
pkcs12_info=pkcs12_info,
master_host=master_host,
promote=promote,
pki_config_override=options.pki_config_override,
)
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
install: introduce installer class hierarchy Add class hierarchy which allows inherting knob definitions between the various client and server install scripts. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-09 12:44:22 +01:00
_service.print_msg("Restarting the directory server")
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
ds = dsinstance.DsInstance()
ds.restart()
Make the path to CS.cfg a class variable Rather than passing around the path to CS.cfg for the CA and KRA set it at object creation and use everywhere. Make update_cert_config() a real class method instead of a static method. It wasn't being called that way in any case and makes it possible to use the class config file. Related: https://pagure.io/freeipa/issue/6703 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-11-08 13:21:22 -05:00
kra.enable_client_auth_to_db()
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
Don't run kra.configure_instance if not necessary If kra should not be set up, don't run the code as it would only prolong the installations. Previously, krainstance configuration would be performed just to export the client certificate and private key to authenticate to certificate server. This is now performed somewhere else therefore there's no need to run KRAInstance.configure_instance. The kra.install() method still performs actions on replicas and we're keeping it in server installer to conform to the installers design. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-04 08:41:26 +01:00
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
named: Allow using of a custom OpenSSL engine for BIND For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11' support. Till recently, that was the strict requirement of DNSSEC. The problem is that this restricts cross-platform features of FreeIPA. With the help of libp11, which provides `pkcs11` engine plugin for the OpenSSL library for accessing PKCS11 modules in a semi- transparent way, FreeIPA could utilize OpenSSL version of BIND. BIND in turn provides ability to specify the OpenSSL engine on the command line of `named` and all the BIND `dnssec-*` tools by using the `-E engine_name`. Fixes: https://pagure.io/freeipa/issue/8094 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-30 16:47:08 +03:00
# Restarted named to restore bind-dyndb-ldap operation, see
Restart named-pkcs11 after KRA installation KRA installer restarts 389-DS, which disrupts named-pkcs11 bind-dyndb-ldap for a short while. Restart named-pkcs11 to fix DNS resolver. Fixes: https://pagure.io/freeipa/issue/5813 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-02-05 15:27:44 +01:00
# https://pagure.io/freeipa/issue/5813
named: Allow using of a custom OpenSSL engine for BIND For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11' support. Till recently, that was the strict requirement of DNSSEC. The problem is that this restricts cross-platform features of FreeIPA. With the help of libp11, which provides `pkcs11` engine plugin for the OpenSSL library for accessing PKCS11 modules in a semi- transparent way, FreeIPA could utilize OpenSSL version of BIND. BIND in turn provides ability to specify the OpenSSL engine on the command line of `named` and all the BIND `dnssec-*` tools by using the `-E engine_name`. Fixes: https://pagure.io/freeipa/issue/8094 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-30 16:47:08 +03:00
named = services.knownservices.named # alias for current named
Restart named-pkcs11 after KRA installation KRA installer restarts 389-DS, which disrupts named-pkcs11 bind-dyndb-ldap for a short while. Restart named-pkcs11 to fix DNS resolver. Fixes: https://pagure.io/freeipa/issue/5813 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-02-05 15:27:44 +01:00
if named.is_running():
named.restart(capture_output=True)
Allow to install the KRA on a promoted server Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-25 15:42:25 -04:00
merge KRA installation machinery to a single module This is a prerequisite to further refactoring of KRA install/uninstall functionality in all IPA install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 19:02:22 +02:00
Ensure IPA is running (ideally) before uninstalling the KRA The KRA attempts to unregister itself from the security domain which requires that IPA be running for this to succeed. 1. Move the KRA uninstall call prior to stopping all IPA services 2. Try to start IPA if it isn't running and a KRA is configured It isn't mandatory that IPA be running for the KRA uninstall to succeed but it will suppress a pretty scary backtrace and error message. https://pagure.io/freeipa/issue/8550 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-01-25 11:40:22 -05:00
def uninstall_check(options):
"""IPA needs to be running so pkidestroy can unregister KRA"""
kra = krainstance.KRAInstance(api.env.realm)
if not kra.is_installed():
return
result = ipautil.run([paths.IPACTL, 'status'],
raiseonerr=False)
if result.returncode not in [0, 4]:
try:
ipautil.run([paths.IPACTL, 'start'])
except Exception:
logger.info("Re-starting IPA failed, continuing uninstall")
Don't allow standalone KRA uninstalls KRA uninstallation is very likely to break the user's setup. Don't allow it at least till we can be safely sure we are able to remove it in a standalone manner without breaking anything. https://pagure.io/freeipa/issue/6538 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-08 16:38:12 +01:00
def uninstall():
install: drop support for Dogtag 9 Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
2015-11-09 18:28:47 +01:00
kra = krainstance.KRAInstance(api.env.realm)
Don't allow standalone KRA uninstalls KRA uninstallation is very likely to break the user's setup. Don't allow it at least till we can be safely sure we are able to remove it in a standalone manner without breaking anything. https://pagure.io/freeipa/issue/6538 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-08 16:38:12 +01:00
kra.stop_tracking_certificates()
vault: Fix ipa-kra-install Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 08:50:42 +00:00
if kra.is_installed():
kra.uninstall()
install: introduce installer class hierarchy Add class hierarchy which allows inherting knob definitions between the various client and server install scripts. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-09 12:44:22 +01:00
install: re-introduce option groups Re-introduce option groups in ipa-client-install, ipa-server-install and ipa-replica-install. https://pagure.io/freeipa/issue/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-08 08:03:13 +00:00
@group
install: introduce installer class hierarchy Add class hierarchy which allows inherting knob definitions between the various client and server install scripts. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-09 12:44:22 +01:00
class KRAInstallInterface(dogtag.DogtagInstallInterface):
"""
Interface of the KRA installer
Knobs defined here will be available in:
* ipa-server-install
* ipa-replica-prepare
* ipa-replica-install
* ipa-kra-install
"""
install: re-introduce option groups Re-introduce option groups in ipa-client-install, ipa-server-install and ipa-replica-install. https://pagure.io/freeipa/issue/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-08 08:03:13 +00:00
description = "KRA"
Reference in New Issue Copy Permalink