freeipa/ipaplatform/base/constants.py

#
# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
#

'''
This base platform module exports platform dependant constants.
'''
import sys


class BaseConstantsNamespace:
    IS_64BITS = sys.maxsize > 2 ** 32
    DEFAULT_ADMIN_SHELL = '/bin/bash'
    DEFAULT_SHELL = '/bin/sh'
    DS_USER = 'dirsrv'
    DS_GROUP = 'dirsrv'
    HTTPD_USER = "apache"
    HTTPD_GROUP = "apache"
    GSSPROXY_USER = "root"
    IPA_ADTRUST_PACKAGE_NAME = "freeipa-server-trust-ad"
    IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
    KDCPROXY_USER = "kdcproxy"
    NAMED_USER = "named"
    NAMED_GROUP = "named"
    NAMED_DATA_DIR = "data/"
    NAMED_ZONE_COMMENT = ""
    PKI_USER = 'pkiuser'
    PKI_GROUP = 'pkiuser'
    # ntpd init variable used for daemon options
    NTPD_OPTS_VAR = "OPTIONS"
    # quote used for daemon options
    NTPD_OPTS_QUOTE = "\""
    ODS_USER = "ods"
    ODS_GROUP = "ods"
    # nfsd init variable used to enable kerberized NFS
    SECURE_NFS_VAR = "SECURE_NFS"
    SELINUX_BOOLEAN_ADTRUST = {
        'samba_portmapper': 'on',
    }
    SELINUX_BOOLEAN_HTTPD = {
        'httpd_can_network_connect': 'on',
        'httpd_manage_ipa': 'on',
        'httpd_run_ipa': 'on',
        'httpd_dbus_sssd': 'on',
    }
    SSSD_USER = "sssd"
    # WSGI module override, only used on Fedora
    MOD_WSGI_PYTHON2 = None
    MOD_WSGI_PYTHON3 = None
    # WSGIDaemonProcess process count. On 64bit platforms, each process
    # consumes about 110 MB RSS, from which are about 35 MB shared.
    WSGI_PROCESSES = 4 if IS_64BITS else 2
    # high ciphers without RC4, MD5, TripleDES, pre-shared key, secure
    # remote password, and DSA cert authentication.
    TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!aDSS"


constants = BaseConstantsNamespace()
ipaplatform: Add constants submodule Introduce a ipaplatform/constants.py file to store platform related constants, which are not paths. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> 2015-07-02 05:38:43 -05:00			`#`
			`# Copyright (C) 2015 FreeIPA Contributors see COPYING for license`
			`#`

			`'''`
			`This base platform module exports platform dependant constants.`
			`'''`
Increase WSGI process count to 5 on 64bit Increase the WSGI daemon worker process count from 2 processes to 5 processes. This allows IPA RPC to handle more parallel requests. The additional processes increase memory consumption by approximante 250 MB in total. Since memory is scarce on 32bit platforms, only 64bit platforms are bumped to 5 workers. Fixes: https://pagure.io/freeipa/issue/7587 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-06-14 10:04:13 -05:00			`import sys`
ipaplatform: Add constants submodule Introduce a ipaplatform/constants.py file to store platform related constants, which are not paths. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> 2015-07-02 05:38:43 -05:00

Py3: Remove subclassing from object Python 2 had old style and new style classes. Python 3 has only new style classes. There is no point to subclass from object any more. See: https://pagure.io/freeipa/issue/7715 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 2018-09-26 04:59:50 -05:00			`class BaseConstantsNamespace:`
Increase WSGI process count to 5 on 64bit Increase the WSGI daemon worker process count from 2 processes to 5 processes. This allows IPA RPC to handle more parallel requests. The additional processes increase memory consumption by approximante 250 MB in total. Since memory is scarce on 32bit platforms, only 64bit platforms are bumped to 5 workers. Fixes: https://pagure.io/freeipa/issue/7587 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-06-14 10:04:13 -05:00			`IS_64BITS = sys.maxsize > 2 ** 32`
Make use of the single configuration point for the default shells For now all the default shells of users and admin are hardcoded in different parts of the project. This makes it impossible to run the test suite against the setup, which has the default shell differed from '/bin/sh'. The single configuration point for the shell of users and admin is added to overcome this limitation. Fixes: https://pagure.io/freeipa/issue/7978 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Christian Heimes <cheimes@redhat.com> 2019-06-15 09:25:51 -05:00			`DEFAULT_ADMIN_SHELL = '/bin/bash'`
			`DEFAULT_SHELL = '/bin/sh'`
Move user/group constants for PKI and DS into ipaplatform https://fedorahosted.org/freeipa/ticket/5619 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 2016-01-19 07:18:30 -06:00			`DS_USER = 'dirsrv'`
			`DS_GROUP = 'dirsrv'`
ipaplatform: Add HTTPD_USER to constants, and use it. https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: Tomas Babej <tbabej@redhat.com> 2015-10-06 08:02:37 -05:00			`HTTPD_USER = "apache"`
Separate RA cert store from the HTTP cert store This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-12-13 09:32:32 -06:00			`HTTPD_GROUP = "apache"`
Configure HTTPD to work via Gss-Proxy https://fedorahosted.org/freeipa/ticket/4189 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-11-29 10:10:22 -06:00			`GSSPROXY_USER = "root"`
ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad When adding the option --setup-adtrust to ipa-replica-install, we need to check that the package freeipa-server-trust-ad is installed. To avoid relying on OS-specific commands like yum, the check is instead ensuring that the file /usr/share/ipa/smb.conf.empty is present (this file is delivered by the package). When the check is unsuccessful, ipa-replica-install exits with an error message. Fixes: https://pagure.io/freeipa/issue/7602 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-10-23 02:29:38 -05:00			`IPA_ADTRUST_PACKAGE_NAME = "freeipa-server-trust-ad"`
DNS: check if DNS package is installed Instead of separate checking of DNS required packages, we need just check if IPA DNS package is installed. https://fedorahosted.org/freeipa/ticket/4058 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com> 2015-07-01 08:05:45 -05:00			`IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"`
ipaplatform: Move remaining user/group constants to ipaplatform.constants. Use ipaplatform.constants in every corner instead of importing other bits or calling some platform specific things, and remove most of the remaining hardcoded uid's. https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-03-18 05:22:33 -05:00			`KDCPROXY_USER = "kdcproxy"`
ipaplatform: Add NAMED_USER to constants https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: Tomas Babej <tbabej@redhat.com> 2015-10-06 08:27:21 -05:00			`NAMED_USER = "named"`
ipaplatform: Move remaining user/group constants to ipaplatform.constants. Use ipaplatform.constants in every corner instead of importing other bits or calling some platform specific things, and remove most of the remaining hardcoded uid's. https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-03-18 05:22:33 -05:00			`NAMED_GROUP = "named"`
named.conf: Disable duplicate zone on debian, and modify data dir zone already imported via default zones. Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 2017-03-29 10:17:28 -05:00			`NAMED_DATA_DIR = "data/"`
			`NAMED_ZONE_COMMENT = ""`
Move user/group constants for PKI and DS into ipaplatform https://fedorahosted.org/freeipa/ticket/5619 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 2016-01-19 07:18:30 -06:00			`PKI_USER = 'pkiuser'`
			`PKI_GROUP = 'pkiuser'`
ipaplatform: Add NTPD_OPTS_VAR and NTPD_OPTS_QUOTE to constants https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: Tomas Babej <tbabej@redhat.com> 2015-10-06 10:46:00 -05:00			`# ntpd init variable used for daemon options`
			`NTPD_OPTS_VAR = "OPTIONS"`
			`# quote used for daemon options`
			`NTPD_OPTS_QUOTE = "\""`
ipaplatform: Move remaining user/group constants to ipaplatform.constants. Use ipaplatform.constants in every corner instead of importing other bits or calling some platform specific things, and remove most of the remaining hardcoded uid's. https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-03-18 05:22:33 -05:00			`ODS_USER = "ods"`
			`ODS_GROUP = "ods"`
ipaplatform: Add SECURE_NFS_VAR to constants https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: Tomas Babej <tbabej@redhat.com> 2015-10-06 08:35:24 -05:00			`# nfsd init variable used to enable kerberized NFS`
			`SECURE_NFS_VAR = "SECURE_NFS"`
adtrust: move SELinux settings to constants SELinux is platform dependend, moving boolean setting to platform module. Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 2017-05-18 10:23:54 -05:00			`SELINUX_BOOLEAN_ADTRUST = {`
			`'samba_portmapper': 'on',`
			`}`
httpd: move SELinux settings to constants SELinux is platform dependend, moving boolean setting to platform module. Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 2017-05-18 10:19:23 -05:00			`SELINUX_BOOLEAN_HTTPD = {`
			`'httpd_can_network_connect': 'on',`
			`'httpd_manage_ipa': 'on',`
			`'httpd_run_ipa': 'on',`
			`'httpd_dbus_sssd': 'on',`
			`}`
ipaplatform: Move remaining user/group constants to ipaplatform.constants. Use ipaplatform.constants in every corner instead of importing other bits or calling some platform specific things, and remove most of the remaining hardcoded uid's. https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-03-18 05:22:33 -05:00			`SSSD_USER = "sssd"`
Replace wsgi package conflict with config file Instead of a package conflict, freeIPA now uses an Apache config file to enforce the correct wsgi module. The workaround only applies to Fedora since it is the only platform that permits parallel installation of Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and Debian doesn't permit installation of both variants. See: https://pagure.io/freeipa/issue/7161 Fixes: https://pagure.io/freeipa/issue/7394 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2018-02-06 03:05:49 -06:00			`# WSGI module override, only used on Fedora`
			`MOD_WSGI_PYTHON2 = None`
			`MOD_WSGI_PYTHON3 = None`
Increase WSGI process count to 5 on 64bit Increase the WSGI daemon worker process count from 2 processes to 5 processes. This allows IPA RPC to handle more parallel requests. The additional processes increase memory consumption by approximante 250 MB in total. Since memory is scarce on 32bit platforms, only 64bit platforms are bumped to 5 workers. Fixes: https://pagure.io/freeipa/issue/7587 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-06-14 10:04:13 -05:00			`# WSGIDaemonProcess process count. On 64bit platforms, each process`
			`# consumes about 110 MB RSS, from which are about 35 MB shared.`
Use 4 WSGI workers on 64bit systems Commit f1d5ab3a03191dbb02e5f95308cf8c4f1971cdcf increases WSGI worker count to five. This turned out to be a bit much for our test systems. Four workers are good enough and still double the old amount. See: https://pagure.io/freeipa/issue/7587 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com> 2018-06-25 03:59:18 -05:00			`WSGI_PROCESSES = 4 if IS_64BITS else 2`
Use system-wide crypto-policies on Fedora HTTPS connections from IPA framework and bind named instance now use system-wide crypto-policies on Fedora. For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA, they are explicitly excluded. See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925 See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220 Fixes: https://pagure.io/freeipa/issue/4853 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 2018-02-09 04:50:32 -06:00			`# high ciphers without RC4, MD5, TripleDES, pre-shared key, secure`
			`# remote password, and DSA cert authentication.`
			`TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!aDSS"`
Replace wsgi package conflict with config file Instead of a package conflict, freeIPA now uses an Apache config file to enforce the correct wsgi module. The workaround only applies to Fedora since it is the only platform that permits parallel installation of Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and Debian doesn't permit installation of both variants. See: https://pagure.io/freeipa/issue/7161 Fixes: https://pagure.io/freeipa/issue/7394 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2018-02-06 03:05:49 -06:00
Use namespace-aware meta importer for ipaplatform Instead of symlinks and build-time configuration the ipaplatform module is now able to auto-detect platforms on import time. The meta importer uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE' on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora". The meta importer is able to handle namespace packages and the ipaplatform package has been turned into a namespace package in order to support external platform specifications. https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2017-10-11 05:09:30 -05:00
			`constants = BaseConstantsNamespace()`