IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-16 11:21:56 -06:00
Code Issues Packages Projects Releases Wiki Activity
9b0fa8debf
freeipa/install/tools/ipa-server-install

1029 lines
41 KiB
Plaintext
Raw Normal View History

import initial install tool
0000-12-31 18:09:24 -05:50
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
Give back smaller and more readable ranges by default. Instead of allocating a completely random start between 1M and 2G and a range of 1M values, give 10000 possible 200k ranges. They all start at a 200k boundary so they generate more readable IDs, at least until there arent't too many users/replicas involved.
2010-12-06 15:16:49 -06:00
# Simo Sorce <ssorce@redhat.com>
# Rob Crittenden <rcritten@redhat.com>
import initial install tool
0000-12-31 18:09:24 -05:50
#
Give back smaller and more readable ranges by default. Instead of allocating a completely random start between 1M and 2G and a range of 1M values, give 10000 possible 200k ranges. They all start at a 200k boundary so they generate more readable IDs, at least until there arent't too many users/replicas involved.
2010-12-06 15:16:49 -06:00
# Copyright (C) 2007-2010 Red Hat
import initial install tool
0000-12-31 18:09:24 -05:50
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
import initial install tool
0000-12-31 18:09:24 -05:50
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import initial install tool
0000-12-31 18:09:24 -05:50
#
# requires the following packages:
# fedora-ds-base
# openldap-clients
# nss-tools
Update for new python library layout.
0000-12-31 18:09:24 -05:50
import sys
Patch to fix the installer crashing if selinux is disabled. Also changes the exception to contain the complete command. Add a check to make sure installer is running as root. Add signal handler to detect a user-cancelled installation. Detect existing DS instances and prompt to remove them.
2007-10-02 15:56:51 -05:00
import os
Verify that the LDAP ports are available during installation.
2007-10-15 12:27:05 -05:00
import errno
import initial install tool
0000-12-31 18:09:24 -05:50
import logging
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
import grp
Try to catch more error conditions during installation Modify the way we detect SELinux to use selinuxenabled instead of using a try/except. Handle SASL/GSSAPI authentication failures when getting a connection
2007-10-03 16:37:13 -05:00
import subprocess
Patch to fix the installer crashing if selinux is disabled. Also changes the exception to contain the complete command. Add a check to make sure installer is running as root. Add signal handler to detect a user-cancelled installation. Detect existing DS instances and prompt to remove them.
2007-10-02 15:56:51 -05:00
import signal
import shutil
import glob
Print traceback to the install log on unexpected error.
0000-12-31 18:09:24 -05:50
import traceback
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
from ConfigParser import RawConfigParser
Add option to the installer for uid/gid starting numbers. This also adds a new option to the template system. If you include eval(string) in a file that goes through the templater then the string in the eval will be evaluated by the Python interpreter. This is used so one can do $UIDSTART+1. If any errors occur during the evaluation the original string is is returned, eval() and all so it is up to the developer to make sure the evaluation passes. The default value for uid and gid is now a random value between 1,000,000 and (2^31 - 1,000,000)
2009-08-27 13:12:55 -05:00
import random
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
import tempfile
NTP configuration for client and server. Configure ipa servers as an ntp server and clients to (by default) us the ipa server as an ntp server. Also corrected the messages about which ports should be opened.
0000-12-31 18:09:24 -05:50
Get merged tree into an installalble state. I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us. The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
2009-02-02 12:50:53 -06:00
from ipaserver.install import dsinstance
from ipaserver.install import krbinstance
from ipaserver.install import bindinstance
from ipaserver.install import httpinstance
from ipaserver.install import ntpinstance
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
from ipaserver.install import certs
Make the CA a required component and configured by default. To install IPA without dogtag use the --selfsign option. The --ca option is now deprecated. 552995
2010-02-24 10:38:09 -06:00
from ipaserver.install import cainstance
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
Get merged tree into an installalble state. I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us. The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
2009-02-02 12:50:53 -06:00
from ipaserver.install import service
Rename ipa-python directory to ipapython so it is a real python library We used to install it as ipa, now installing it as ipapython. The rpm is still ipa-python.
2009-02-05 14:03:08 -06:00
from ipapython import version
Get merged tree into an installalble state. I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us. The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
2009-02-02 12:50:53 -06:00
from ipaserver.install.installutils import *
Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
2010-03-24 09:51:31 -05:00
from ipaserver.plugins.ldap2 import ldap2
NTP configuration for client and server. Configure ipa servers as an ntp server and clients to (by default) us the ipa server as an ntp server. Also corrected the messages about which ports should be opened.
0000-12-31 18:09:24 -05:50
Rename ipa-python directory to ipapython so it is a real python library We used to install it as ipa, now installing it as ipapython. The rpm is still ipa-python.
2009-02-05 14:03:08 -06:00
from ipapython import sysrestore
from ipapython.ipautil import *
Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
2010-03-24 09:51:31 -05:00
from ipalib import api, errors, util
Ensure that the zonemgr passed to the installer conforms to IA5String. ticket 1164
2011-04-22 16:18:57 -05:00
from ipalib.parameters import IA5Str
Log script options to logfile Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
2010-10-29 13:24:31 -05:00
from ipapython.config import IPAOptionParser
Validate that the certificate subject base is in valid DN format. https://fedorahosted.org/freeipa/ticket/1176
2011-07-07 10:55:20 -05:00
from ipalib.dn import DN
import initial install tool
0000-12-31 18:09:24 -05:50
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
pw_name = None
Fix a couple of syntax errors in the installer. I meant to push these along with the original patch but pushed the wrong one.
2010-04-27 16:51:13 -05:00
uninstalling = False
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
Validate that the certificate subject base is in valid DN format. https://fedorahosted.org/freeipa/ticket/1176
2011-07-07 10:55:20 -05:00
VALID_SUBJECT_ATTRS = ['cn', 'st', 'o', 'ou', 'dnqualifier', 'c',
'serialnumber', 'l', 'title', 'sn', 'givenname',
'initials', 'generationqualifier', 'dc', 'mail',
'uid', 'postaladdress', 'postalcode', 'postofficebox',
'houseidentifier', 'e', 'street', 'pseudonym',
'incorporationlocality', 'incorporationstate',
'incorporationcountry', 'businesscategory']
Ensure that the zonemgr passed to the installer conforms to IA5String. ticket 1164
2011-04-22 16:18:57 -05:00
def zonemgr_callback(option, opt_str, value, parser):
"""
Make sure the zonemgr is an IA5String.
"""
name = opt_str.replace('--','')
v = unicode(value, 'utf-8')
ia = IA5Str(name)
ia._convert_scalar(v)
parser.values.zonemgr = value
Add option to the installer for uid/gid starting numbers. This also adds a new option to the template system. If you include eval(string) in a file that goes through the templater then the string in the eval will be evaluated by the Python interpreter. This is used so one can do $UIDSTART+1. If any errors occur during the evaluation the original string is is returned, eval() and all so it is up to the developer to make sure the evaluation passes. The default value for uid and gid is now a random value between 1,000,000 and (2^31 - 1,000,000)
2009-08-27 13:12:55 -05:00
Validate that the certificate subject base is in valid DN format. https://fedorahosted.org/freeipa/ticket/1176
2011-07-07 10:55:20 -05:00
def subject_callback(option, opt_str, value, parser):
"""
Make sure the certificate subject base is a valid DN
"""
name = opt_str.replace('--','')
v = unicode(value, 'utf-8')
try:
dn = DN(v)
Clean up existing DN object usage
2011-07-28 13:32:26 -05:00
for rdn in dn:
if rdn.attr.lower() not in VALID_SUBJECT_ATTRS:
raise ValueError('invalid attribute: %s' % rdn.attr)
Validate that the certificate subject base is in valid DN format. https://fedorahosted.org/freeipa/ticket/1176
2011-07-07 10:55:20 -05:00
except ValueError, e:
raise ValueError('Invalid subject base format: %s' % str(e))
Use information from the certificate subject when setting the NSS nickname. There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames. We can instead pull the subject from the certificate and use that as the nickname. https://fedorahosted.org/freeipa/ticket/1141
2011-07-11 16:39:30 -05:00
parser.values.subject = str(dn) # may as well normalize it
Validate that the certificate subject base is in valid DN format. https://fedorahosted.org/freeipa/ticket/1176
2011-07-07 10:55:20 -05:00
import initial install tool
0000-12-31 18:09:24 -05:50
def parse_options():
Give back smaller and more readable ranges by default. Instead of allocating a completely random start between 1M and 2G and a range of 1M values, give 10000 possible 200k ranges. They all start at a 200k boundary so they generate more readable IDs, at least until there arent't too many users/replicas involved.
2010-12-06 15:16:49 -06:00
# Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
namespace = random.randint(1, 10000) * 200000
Log script options to logfile Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
2010-10-29 13:24:31 -05:00
parser = IPAOptionParser(version=version.VERSION)
import initial install tool
0000-12-31 18:09:24 -05:50
parser.add_option("-r", "--realm", dest="realm_name",
help="realm name")
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
parser.add_option("-n", "--domain", dest="domain_name",
help="domain name")
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
parser.add_option("-p", "--ds-password", dest="dm_password",
Log script options to logfile Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
2010-10-29 13:24:31 -05:00
sensitive=True, help="admin password")
parser.add_option("-P", "--master-password",
dest="master_password", sensitive=True,
We do not require the Master password anymore, fix code and error message
2008-02-25 16:18:18 -06:00
help="kerberos master password (normally autogenerated)")
Log script options to logfile Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
2010-10-29 13:24:31 -05:00
parser.add_option("-a", "--admin-password",
sensitive=True, dest="admin_password",
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
help="admin user kerberos password")
Added additional debugging information.
0000-12-31 18:09:24 -05:50
parser.add_option("-d", "--debug", dest="debug", action="store_true",
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
default=False, help="print debugging information")
Make the CA a required component and configured by default. To install IPA without dogtag use the --selfsign option. The --ca option is now deprecated. 552995
2010-02-24 10:38:09 -06:00
parser.add_option("", "--selfsign", dest="selfsign", action="store_true",
default=False, help="Configure a self-signed CA instance rather than a dogtag CA")
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
parser.add_option("", "--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR to be signed by an external CA")
parser.add_option("", "--external_cert_file", dest="external_cert_file",
help="File containing PKCS#10 certificate")
parser.add_option("", "--external_ca_file", dest="external_ca_file",
help="File containing PKCS#10 of the external CA chain")
Improve kerberos install patch from Simo.
0000-12-31 18:09:24 -05:50
parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
Parse netmasks in IP addresses passed to server install. ticket 1212
2011-05-27 13:17:22 -05:00
parser.add_option("--ip-address", dest="ip_address",
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
type="ip", ip_local=True,
Improve IP address handling in IPA option parser Implements a way to pass match_local and parse_netmask parameters to IP option checker. Now, there is just one common option type "ip" with new optional attributes "ip_local" and "ip_netmask" which can be used to pass IP address validation parameters. https://fedorahosted.org/freeipa/ticket/1333
2011-06-16 03:47:11 -05:00
help="Master Server IP Address")
Add --setup-dns option. It will replace --setup-bind
2009-06-25 07:42:08 -05:00
parser.add_option("--setup-dns", dest="setup_dns", action="store_true",
default=False, help="configure bind with our zone")
Use DNS forwarders in /etc/named.conf This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line.
2009-09-01 16:28:52 -05:00
parser.add_option("--forwarder", dest="forwarders", action="append",
Improve IP address handling in IPA option parser Implements a way to pass match_local and parse_netmask parameters to IP option checker. Now, there is just one common option type "ip" with new optional attributes "ip_local" and "ip_netmask" which can be used to pass IP address validation parameters. https://fedorahosted.org/freeipa/ticket/1333
2011-06-16 03:47:11 -05:00
type="ip", help="Add a DNS forwarder")
Use DNS forwarders in /etc/named.conf This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line.
2009-09-01 16:28:52 -05:00
parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
default=False, help="Do not add any DNS forwarders, use root servers instead")
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
parser.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use")
Create the reverse zone by default A new option to specify reverse zone creation for unattended installs https://fedorahosted.org/freeipa/ticket/678
2011-01-04 07:55:47 -06:00
parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
default=False, help="Do not create reverse DNS zone")
Ensure that the zonemgr passed to the installer conforms to IA5String. ticket 1164
2011-04-22 16:18:57 -05:00
parser.add_option("--zonemgr", action="callback", callback=zonemgr_callback,
type="string",
Add new DNS install argument for setting the zone mgr e-mail addr. ticket 125
2010-09-20 14:41:20 -05:00
help="DNS zone manager e-mail address. Defaults to root")
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
parser.add_option("", "--uninstall", dest="uninstall", action="store_true",
default=False, help="uninstall an existing installation")
Start ntpd first unless we do not want it. Make sure we do sync the clock leaping to the current correct time. This avoids problems with bad dates on certificates, etc..
2008-02-20 10:03:46 -06:00
parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
help="do not configure ntp", default=True)
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
default=True, help="disables pkinit setup steps")
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
help="PKCS#12 file containing the Directory Server SSL certificate")
parser.add_option("--http_pkcs12", dest="http_pkcs12",
help="PKCS#12 file containing the Apache Server SSL certificate")
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
parser.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
help="PKCS#12 file containing the Kerberos KDC SSL certificate")
Log script options to logfile Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
2010-10-29 13:24:31 -05:00
parser.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
help="The password of the Directory Server PKCS#12 file")
Log script options to logfile Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
2010-10-29 13:24:31 -05:00
parser.add_option("--http_pin", dest="http_pin", sensitive=True,
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
help="The password of the Apache Server PKCS#12 file")
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
parser.add_option("--pkinit_pin", dest="pkinit_pin",
help="The password of the Kerberos KDC PKCS#12 file")
add --no-host-dns option to ipa-server-install - allows specifying a hostname that might actually exist but you do not want to even attempt to resolve it via DNS
2008-09-16 21:18:11 -05:00
parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
import initial install tool
0000-12-31 18:09:24 -05:50
id ranges: change DNA configuration Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
2010-11-11 17:15:28 -06:00
parser.add_option("--idstart", dest="idstart", default=namespace, type=int,
help="The starting value for the IDs range (default random)")
parser.add_option("--idmax", dest="idmax", default=0, type=int,
Fixed in ipa-server-install help and man page https://fedorahosted.org/freeipa/ticket/831
2011-02-16 02:20:00 -06:00
help="The max value value for the IDs range (default: idstart+199999)")
Validate that the certificate subject base is in valid DN format. https://fedorahosted.org/freeipa/ticket/1176
2011-07-07 10:55:20 -05:00
parser.add_option("--subject", action="callback", callback=subject_callback,
type="string",
Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate
2010-11-01 12:51:14 -05:00
help="The certificate subject base (default O=<realm-name>)")
Create default HBAC rule allowing any user to access any host from any host This is to make initial installation and testing easier. Use the --no_hbac_allow option on the command-line to disable this when doing an install. To remove it from a running server do: ipa hbac-del allow_all
2010-05-04 14:24:54 -05:00
parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
action="store_true",
help="Don't install allow_all HBAC rule")
Add option to install without the automatic redirect to the Web UI. ticket 1570
2011-08-16 12:34:04 -05:00
parser.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false",
default=True, help="Do not automatically redirect to the Web UI")
import initial install tool
0000-12-31 18:09:24 -05:50
options, args = parser.parse_args()
Log script options to logfile Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
2010-10-29 13:24:31 -05:00
safe_options = parser.get_safe_opts(options)
import initial install tool
0000-12-31 18:09:24 -05:50
Verify that passwords specified through command line options of ipa-server-install meet the length requirement. ticket 1621
2011-08-15 02:02:39 -05:00
if options.dm_password is not None and len(options.dm_password) < 8:
parser.error("DS admin password must be at least 8 characters long")
if options.admin_password is not None and len(options.admin_password) < 8:
parser.error("Admin user password must be at least 8 characters long")
Use DNS forwarders in /etc/named.conf This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line.
2009-09-01 16:28:52 -05:00
if not options.setup_dns:
if options.forwarders:
parser.error("You cannot specify a --forwarder option without the --setup-dns option")
if options.no_forwarders:
parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
if options.reverse_zone:
parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
Create the reverse zone by default A new option to specify reverse zone creation for unattended installs https://fedorahosted.org/freeipa/ticket/678
2011-01-04 07:55:47 -06:00
if options.no_reverse:
parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
Use DNS forwarders in /etc/named.conf This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line.
2009-09-01 16:28:52 -05:00
elif options.forwarders and options.no_forwarders:
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
elif options.reverse_zone and options.no_reverse:
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
Use DNS forwarders in /etc/named.conf This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line.
2009-09-01 16:28:52 -05:00
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
if options.uninstall:
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
if (options.realm_name or
Connect to the ldap during the uninstallation We need to ask the user for a password and connect to the ldap so the bind uninstallation procedure can remove old records. This is of course only helpful if one has more than one IPA server configured.
2010-04-15 04:08:48 -05:00
options.admin_password or options.master_password):
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
parser.error("In uninstall mode, -a, -r and -P options are not allowed")
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
elif options.unattended:
Make the -u option optional in unattended mode Fixes: https://fedorahosted.org/freeipa/ticket/836
2011-01-24 13:58:11 -06:00
if (not options.realm_name or
We do not require the Master password anymore, fix code and error message
2008-02-25 16:18:18 -06:00
not options.dm_password or not options.admin_password):
Make the -u option optional in unattended mode Fixes: https://fedorahosted.org/freeipa/ticket/836
2011-01-24 13:58:11 -06:00
parser.error("In unattended mode you need to provide at least -r, -p and -a options")
Use DNS forwarders in /etc/named.conf This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line.
2009-09-01 16:28:52 -05:00
if options.setup_dns:
if not options.forwarders and not options.no_forwarders:
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
import initial install tool
0000-12-31 18:09:24 -05:50
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
# If any of the PKCS#12 options are selected, all are required. Create a
# list of the options and count it to enforce that all are required without
# having a huge set of it blocks.
pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
cnt = pkcs12.count(None)
if cnt > 0 and cnt < 4:
Remove unnecessary "error: " prefixes The parser.error() method prepends the "error: " prefix itself. Adding it to the error string is not necessary and doesn't look good.
2009-11-23 01:42:30 -06:00
parser.error("All PKCS#12 options are required if any are used.")
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
Make the CA a required component and configured by default. To install IPA without dogtag use the --selfsign option. The --ca option is now deprecated. 552995
2010-02-24 10:38:09 -06:00
if (options.external_cert_file or options.external_ca_file) and options.selfsign:
parser.error("--selfsign cannot be used with the external CA options.")
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
Fix external CA install. ticket 1523
2011-07-26 06:21:36 -05:00
if options.external_ca:
if options.external_cert_file:
parser.error("You cannot specify --external_cert_file together with --external-ca")
if options.external_ca_file:
parser.error("You cannot specify --external_ca_file together with --external-ca")
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
if ((options.external_cert_file and not options.external_ca_file) or
(not options.external_cert_file and options.external_ca_file)):
Fix external CA install. ticket 1523
2011-07-26 06:21:36 -05:00
parser.error("if either external CA option is used, both are required.")
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
Fix installing IPA with an external CA - cache all interactive answers - set non-interactive to True for the second run so nothing is asked - convert boolean values that are read in - require absolute paths for the external CA and signed cert files - fix the invocation message for the second ipa-server-install run
2010-04-01 16:20:38 -05:00
if (options.external_ca_file and not os.path.isabs(options.external_ca_file)):
parser.error("--external-ca-file must use an absolute path")
if (options.external_cert_file and not os.path.isabs(options.external_cert_file)):
parser.error("--external-cert-file must use an absolute path")
id ranges: change DNA configuration Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
2010-11-11 17:15:28 -06:00
if options.idmax == 0:
Give back smaller and more readable ranges by default. Instead of allocating a completely random start between 1M and 2G and a range of 1M values, give 10000 possible 200k ranges. They all start at a 200k boundary so they generate more readable IDs, at least until there arent't too many users/replicas involved.
2010-12-06 15:16:49 -06:00
options.idmax = int(options.idstart) + 200000 - 1
id ranges: change DNA configuration Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
2010-11-11 17:15:28 -06:00
if options.idmax < options.idstart:
Fix typo in ipa-server-install.
2011-04-07 10:26:15 -05:00
parser.error("idmax (%u) cannot be smaller than idstart (%u)" %
id ranges: change DNA configuration Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
2010-11-11 17:15:28 -06:00
(options.idmax, options.idstart))
Automatically disable pkinit when not supported
2010-11-19 10:22:10 -06:00
#Automatically disable pkinit w/ dogtag until that is supported
if not options.pkinit_pkcs12 and not options.selfsign:
options.setup_pkinit = False
Log script options to logfile Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
2010-10-29 13:24:31 -05:00
return safe_options, options
import initial install tool
0000-12-31 18:09:24 -05:50
Patch to fix the installer crashing if selinux is disabled. Also changes the exception to contain the complete command. Add a check to make sure installer is running as root. Add signal handler to detect a user-cancelled installation. Detect existing DS instances and prompt to remove them.
2007-10-02 15:56:51 -05:00
def signal_handler(signum, frame):
global ds
print "\nCleaning up..."
if ds:
print "Removing configuration for %s instance" % ds.serverid
ds.stop()
if ds.serverid:
Get merged tree into an installalble state. I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us. The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
2009-02-02 12:50:53 -06:00
dsinstance.erase_ds_instance_data (ds.serverid)
Patch to fix the installer crashing if selinux is disabled. Also changes the exception to contain the complete command. Add a check to make sure installer is running as root. Add signal handler to detect a user-cancelled installation. Detect existing DS instances and prompt to remove them.
2007-10-02 15:56:51 -05:00
sys.exit(1)
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
ANSWER_CACHE = "/root/.ipa_cache"
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
def read_cache(dm_password):
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
"""
Returns a dict of cached answers or None if no cache file exists.
"""
if not ipautil.file_exists(ANSWER_CACHE):
return {}
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
top_dir = tempfile.mkdtemp("ipa")
try:
clearfile = "%s/cache" % top_dir
decrypt_file(ANSWER_CACHE, clearfile, dm_password, top_dir)
except Exception, e:
shutil.rmtree(top_dir)
raise RuntimeError("Problem decrypting answer cache in %s, check your password." % ANSWER_CACHE)
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
optdict={}
parser = RawConfigParser()
try:
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
fp = open(clearfile, "r")
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
parser.readfp(fp)
optlist = parser.items('options')
fp.close()
except IOError, e:
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
raise RuntimeError("Error reading cache file %s: %s" % (ANSWER_CACHE, str(e)))
finally:
shutil.rmtree(top_dir)
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
for opt in optlist:
Fix installing IPA with an external CA - cache all interactive answers - set non-interactive to True for the second run so nothing is asked - convert boolean values that are read in - require absolute paths for the external CA and signed cert files - fix the invocation message for the second ipa-server-install run
2010-04-01 16:20:38 -05:00
value = opt[1]
if value.lower() in ['true', 'false']:
value = value.lower() == 'true'
if value == 'None':
value = None
optdict[opt[0]] = value
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
# These are the only ones that may be overridden
if 'external_ca_file' in optdict:
del optdict['external_ca_file']
if 'external_cert_file' in optdict:
del optdict['external_cert_file']
return optdict
def write_cache(options):
"""
Takes a dict as input and writes a cached file of answers
"""
# convert the options instance into a dict
optdict = eval(str(options))
parser = RawConfigParser()
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
top_dir = tempfile.mkdtemp("ipa")
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
try:
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
fp = open("%s/cache" % top_dir, "w")
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
parser.add_section('options')
for opt in optdict:
parser.set('options', opt, optdict[opt])
parser.write(fp)
fp.close()
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
ipautil.encrypt_file("%s/cache" % top_dir, ANSWER_CACHE, options.dm_password, top_dir);
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
except IOError, e:
raise RuntimeError("Unable to cache command-line options %s" % str(e))
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
finally:
shutil.rmtree(top_dir)
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
add --no-host-dns option to ipa-server-install - allows specifying a hostname that might actually exist but you do not want to even attempt to resolve it via DNS
2008-09-16 21:18:11 -05:00
def read_host_name(host_default,no_host_dns=False):
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
host_name = ""
print "Enter the fully qualified domain name of the computer"
print "on which you're setting up server software. Using the form"
print "<hostname>.<domainname>"
print "Example: master.example.com."
print ""
print ""
if host_default == "":
host_default = "master.example.com"
Wrap up the raw_input() to user_input() for convenience and uniformity.
2008-07-21 05:25:37 -05:00
while True:
host_name = user_input("Server host name", host_default, allow_empty = False)
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
print ""
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
try:
add --no-host-dns option to ipa-server-install - allows specifying a hostname that might actually exist but you do not want to even attempt to resolve it via DNS
2008-09-16 21:18:11 -05:00
verify_fqdn(host_name,no_host_dns)
Verify that the hostname is correct in /etc/hosts Don't ignore exceptions when getting the hostname from the user 433515
2008-03-06 12:17:28 -06:00
except Exception, e:
raise e
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
else:
Wrap up the raw_input() to user_input() for convenience and uniformity.
2008-07-21 05:25:37 -05:00
break
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
return host_name
Fix unattended install
2008-02-25 16:16:18 -06:00
def read_domain_name(domain_name, unattended):
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
print "The domain name has been calculated based on the host name."
print ""
Fix unattended install
2008-02-25 16:16:18 -06:00
if not unattended:
Wrap up the raw_input() to user_input() for convenience and uniformity.
2008-07-21 05:25:37 -05:00
domain_name = user_input("Please confirm the domain name", domain_name)
Fix unattended install
2008-02-25 16:16:18 -06:00
print ""
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
return domain_name
Fix unattended install
2008-02-25 16:16:18 -06:00
def read_realm_name(domain_name, unattended):
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
print "The kerberos protocol requires a Realm name to be defined."
print "This is typically the domain name converted to uppercase."
print ""
Use LDAP instead of flat file for zone storage
2009-05-12 08:20:24 -05:00
Fix unattended install
2008-02-25 16:16:18 -06:00
if unattended:
Wrap up the raw_input() to user_input() for convenience and uniformity.
2008-07-21 05:25:37 -05:00
return domain_name.upper()
realm_name = user_input("Please provide a realm name", domain_name.upper())
Fix lint false positives.
2011-04-07 09:53:52 -05:00
upper_dom = realm_name.upper() #pylint: disable=E1103
Wrap up the raw_input() to user_input() for convenience and uniformity.
2008-07-21 05:25:37 -05:00
if upper_dom != realm_name:
print "An upper-case realm name is required."
if not user_input("Do you want to use " + upper_dom + " as realm name?", True):
Fix unattended install
2008-02-25 16:16:18 -06:00
print ""
Wrap up the raw_input() to user_input() for convenience and uniformity.
2008-07-21 05:25:37 -05:00
print "An upper-case realm name is required. Unable to continue."
sys.exit(1)
else:
realm_name = upper_dom
print ""
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
return realm_name
Wrap up the raw_input() to user_input() for convenience and uniformity.
2008-07-21 05:25:37 -05:00
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
def read_dm_password():
print "Certain directory server operations require an administrative user."
print "This user is referred to as the Directory Manager and has full access"
Missed closing quote
2008-01-29 10:33:44 -06:00
print "to the Directory for system management tasks and will be added to the"
Include some additional information when installing IPA. Remove 8080 as a port that needs to be opened bz 430088
2008-01-25 16:08:36 -06:00
print "instance of directory server created for IPA."
Fix message about no spaces in password - spaces work fine with ssl setup shell script removed.
0000-12-31 18:09:24 -05:50
print "The password must be at least 8 characters long."
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
print ""
#TODO: provide the option of generating a random password
dm_password = read_password("Directory Manager")
return dm_password
def read_admin_password():
print "The IPA server requires an administrative user, named 'admin'."
print "This user is a regular system account used for IPA server administration."
print ""
#TODO: provide the option of generating a random password
admin_password = read_password("IPA admin")
return admin_password
Don't prompt regarding previous DS installations in unattended mode. 449150
2008-05-30 14:31:13 -05:00
def check_dirsrv(unattended):
Get merged tree into an installalble state. I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us. The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
2009-02-02 12:50:53 -06:00
serverids = dsinstance.check_existing_installation()
Remove questions from ipaserver.dsinstance Let's assume that all ipaserver.dsinstance could be used somewhere where asking questions on stdout/stdin is not approriate and re-factor the code to be suitable in those situations too. i.e. make check_existing_installation() return a list of server IDs and make check_ports() return an (unsecure, secure) tuple indication which ports are in use. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 02:03:06 -06:00
if serverids:
print ""
print "An existing Directory Server has been detected."
The True/False logic was reversed, so "no" meant remove the existing instance
2008-09-12 17:37:11 -05:00
if unattended or not user_input("Do you wish to remove it and create a new one?", False):
Include some additional information when installing IPA. Remove 8080 as a port that needs to be opened bz 430088
2008-01-25 16:08:36 -06:00
print ""
print "Only a single Directory Server instance is allowed on an IPA"
print "server, the one used by IPA itself."
Remove questions from ipaserver.dsinstance Let's assume that all ipaserver.dsinstance could be used somewhere where asking questions on stdout/stdin is not approriate and re-factor the code to be suitable in those situations too. i.e. make check_existing_installation() return a list of server IDs and make check_ports() return an (unsecure, secure) tuple indication which ports are in use. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 02:03:06 -06:00
sys.exit(1)
try:
service.stop("dirsrv")
except:
pass
for serverid in serverids:
Get merged tree into an installalble state. I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us. The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
2009-02-02 12:50:53 -06:00
dsinstance.erase_ds_instance_data(serverid)
Remove questions from ipaserver.dsinstance Let's assume that all ipaserver.dsinstance could be used somewhere where asking questions on stdout/stdin is not approriate and re-factor the code to be suitable in those situations too. i.e. make check_existing_installation() return a list of server IDs and make check_ports() return an (unsecure, secure) tuple indication which ports are in use. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 02:03:06 -06:00
Get merged tree into an installalble state. I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us. The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
2009-02-02 12:50:53 -06:00
(ds_unsecure, ds_secure) = dsinstance.check_ports()
Remove questions from ipaserver.dsinstance Let's assume that all ipaserver.dsinstance could be used somewhere where asking questions on stdout/stdin is not approriate and re-factor the code to be suitable in those situations too. i.e. make check_existing_installation() return a list of server IDs and make check_ports() return an (unsecure, secure) tuple indication which ports are in use. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 02:03:06 -06:00
if not ds_unsecure or not ds_secure:
print "IPA requires ports 389 and 636 for the Directory Server."
print "These are currently in use:"
if not ds_unsecure:
print "\t389"
if not ds_secure:
print "\t636"
sys.exit(1)
install-script: Do not ask to remove DNS data When we uninstall we wipe out the entire LDAP database, so it doesn't really make mush sense to try to also remove single entries from it. This avoids the --uninstall procedure to fail because the DM password is not available or the LDAP server is down, and we are just trying to cleanup everything.
2010-10-06 09:16:54 -05:00
def uninstall():
Connect to the ldap during the uninstallation We need to ask the user for a password and connect to the ldap so the bind uninstallation procedure can remove old records. This is of course only helpful if one has more than one IPA server configured.
2010-04-15 04:08:48 -05:00
Use a different user for dogtag DS instance Also shut down all services before starting uninstall. ticket 349
2010-11-08 10:05:37 -06:00
print "Shutting down all IPA services"
try:
(stdout, stderr, rc) = run(["/usr/sbin/ipactl", "stop"], raiseonerr=False)
except Exception, e:
pass
print "Removing IPA client configuration"
Call client uninstall from server uninstall so that uninstall reverses also client bits.
2008-03-31 16:35:45 -05:00
try:
Fix certmonger errors when doing a client or server uninstall. This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
2010-08-31 16:21:25 -05:00
(stdout, stderr, rc) = run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"], raiseonerr=False)
Remove spurious error in server uninstaller about client uninstall failure. This was meant to catch the case where the client wasn't configured and it missed the most obvious one: the client was installed and is now uninstalled.
2010-09-23 11:07:29 -05:00
if rc not in [0,2]:
logging.debug("ipa-client-install returned %d" % rc)
Fix certmonger errors when doing a client or server uninstall. This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
2010-08-31 16:21:25 -05:00
raise RuntimeError(stdout)
Call client uninstall from server uninstall so that uninstall reverses also client bits.
2008-03-31 16:35:45 -05:00
except Exception, e:
print "Uninstall of client side components failed!"
print "ipa-client-install returned: " + str(e)
Get merged tree into an installalble state. I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us. The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
2009-02-02 12:50:53 -06:00
ntpinstance.NTPInstance(fstore).uninstall()
Make the installer/uninstaller more aware of its state We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
2010-05-03 14:21:51 -05:00
if cainstance.CADSInstance().is_configured():
Implement an installer for the Dogtag certificate system. The CA is currently not automatically installed. You have to pass in the --ca flag to install it. What works: - installation - unistallation - cert/ra plugins can issue and retrieve server certs What doesn't work: - self-signed CA is still created and issues Apache and DS certs - dogtag and python-nss not in rpm requires - requires that CS be in the "pre" install state from pkicreate
2009-04-01 21:39:44 -05:00
cainstance.CADSInstance().uninstall()
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
if cainstance.CAInstance(api.env.realm, certs.NSS_DIR).is_configured():
cainstance.CAInstance(api.env.realm, certs.NSS_DIR).uninstall()
Get merged tree into an installalble state. I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us. The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
2009-02-02 12:50:53 -06:00
bindinstance.BindInstance(fstore).uninstall()
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
Inconsistent sysrestore file handling by IPA server installer IPA server/replica uninstallation may fail when it tries to restore a Directory server configuration file in sysrestore directory, which was already restored before. The problem is in Directory Server uninstaller which uses and modifies its own image of sysrestore directory state instead of using the common uninstaller image. https://fedorahosted.org/freeipa/ticket/1026
2011-03-01 07:17:03 -06:00
dsinstance.DsInstance(fstore=fstore).uninstall()
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
fstore.restore_all_files()
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
try:
os.remove(ANSWER_CACHE)
except Exception:
pass
Remove some configuration files we create upon un-installation This is particularly important for Apache since we'd leave the web server handling unconfigured locations.
2010-01-28 13:22:50 -06:00
# ipa-client-install removes /etc/ipa/default.conf
try:
os.remove("/etc/httpd/conf.d/ipa-rewrite.conf")
os.remove("/etc/httpd/conf.d/ipa.conf")
except:
pass
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
Refresh state data before removing the dirsrv user, fixes uninstall. The state is read only at initialization time. This works ok when individual services remove their state data but when worked upon again at the top-level it still has the full state in memory, so when the state file is re-written all of the data that was removed is re-added. ticket 916
2011-02-07 12:31:51 -06:00
sstore._load()
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
group_exists = sstore.restore_state("install", "group_exists")
if group_exists == False:
try:
grp.getgrnam(dsinstance.DS_GROUP)
try:
ipautil.run(["/usr/sbin/groupdel", dsinstance.DS_GROUP])
except ipautil.CalledProcessError, e:
logging.critical("failed to delete group %s" % e)
except KeyError:
logging.info("Group %s already removed", dsinstance.DS_GROUP)
chkconfig the ipa service off when it is uninstalled. ticket 1056
2011-03-07 15:29:08 -06:00
service.chkconfig_off('ipa')
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
return 0
ipa-server-install now renders UI assets
2009-11-02 15:16:27 -06:00
Use ldapi: instead of unsecured ldap: in ipa core tools. The patch also corrects exception handling in some of the tools. Fix #874
2011-02-15 13:11:27 -06:00
def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
dsinstance.realm_to_serverid(realm_name)
)
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
try:
Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
2010-03-24 09:51:31 -05:00
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
except errors.ExecutionError, e:
Use ldapi: instead of unsecured ldap: in ipa core tools. The patch also corrects exception handling in some of the tools. Fix #874
2011-02-15 13:11:27 -06:00
logging.critical("Could not connect to the Directory Server on %s" % realm_name)
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
raise e
Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
2010-03-24 09:51:31 -05:00
(dn, entry_attrs) = conn.get_ipa_config()
if 'ipacertificatesubjectbase' not in entry_attrs:
mod = {'ipacertificatesubjectbase': subject_base}
conn.update_entry(dn, mod)
conn.disconnect()
ipa-server-install now renders UI assets
2009-11-02 15:16:27 -06:00
Added additional debugging information.
0000-12-31 18:09:24 -05:50
def main():
Patch to fix the installer crashing if selinux is disabled. Also changes the exception to contain the complete command. Add a check to make sure installer is running as root. Add signal handler to detect a user-cancelled installation. Detect existing DS instances and prompt to remove them.
2007-10-02 15:56:51 -05:00
global ds
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
global pw_name
Fix a couple of syntax errors in the installer. I meant to push these along with the original patch but pushed the wrong one.
2010-04-27 16:51:13 -05:00
global uninstalling
Patch to fix the installer crashing if selinux is disabled. Also changes the exception to contain the complete command. Add a check to make sure installer is running as root. Add signal handler to detect a user-cancelled installation. Detect existing DS instances and prompt to remove them.
2007-10-02 15:56:51 -05:00
ds = None
Print traceback to the install log on unexpected error.
0000-12-31 18:09:24 -05:50
Log script options to logfile Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
2010-10-29 13:24:31 -05:00
safe_options, options = parse_options()
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Patch to fix the installer crashing if selinux is disabled. Also changes the exception to contain the complete command. Add a check to make sure installer is running as root. Add signal handler to detect a user-cancelled installation. Detect existing DS instances and prompt to remove them.
2007-10-02 15:56:51 -05:00
if os.getegid() != 0:
Use sys.exit to quit scripts Instead of print and return, use sys.exit() to quit scripts with an error message and a non zero return code. https://fedorahosted.org/freeipa/ticket/425
2010-11-08 16:13:48 -06:00
sys.exit("Must be root to set up server")
Run ipa-client-install after server install bits
2008-02-20 09:16:19 -06:00
Patch to fix the installer crashing if selinux is disabled. Also changes the exception to contain the complete command. Add a check to make sure installer is running as root. Add signal handler to detect a user-cancelled installation. Detect existing DS instances and prompt to remove them.
2007-10-02 15:56:51 -05:00
signal.signal(signal.SIGTERM, signal_handler)
signal.signal(signal.SIGINT, signal_handler)
Make Install and Uninstall have different log files
2008-03-24 11:22:34 -05:00
if options.uninstall:
Fix a couple of syntax errors in the installer. I meant to push these along with the original patch but pushed the wrong one.
2010-04-27 16:51:13 -05:00
uninstalling = True
Make Install and Uninstall have different log files
2008-03-24 11:22:34 -05:00
standard_logging_setup("/var/log/ipaserver-uninstall.log", options.debug)
else:
standard_logging_setup("/var/log/ipaserver-install.log", options.debug)
print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log"
Fix external CA install. ticket 1523
2011-07-26 06:21:36 -05:00
if not options.external_ca and not options.external_cert_file and (dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured()):
Forbid reinstallation in ipa-client-install The --force option may be misused to reinstall an existing IPA client. This is not supported and may lead to unexpected errors. When required, the cleanest way to re-install IPA client is to run uninstall and then install again. This patch also includes few cosmetic changes in messages to user to provide more consistent user experience with the script. https://fedorahosted.org/freeipa/ticket/1117
2011-04-27 09:09:43 -05:00
sys.exit("IPA server is already configured on this system.\n"
+ "If you want to reinstall the IPA server please uninstall it first.")
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
IPA replica/server install does not check for a client When IPA replica or server is configured it does not check for possibly installed client. This will cause the installation to fail in the very end. This patch adds a check for already configured client and suggests removing it before server/replica installation. https://fedorahosted.org/freeipa/ticket/1002
2011-02-24 06:02:27 -06:00
client_fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore')
if client_fstore.has_files():
sys.exit("IPA client is already configured on this system.\n"
+ "Please uninstall it first before configuring the IPA server.")
Log script options to logfile Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
2010-10-29 13:24:31 -05:00
logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
Log interactive options in install scripts
2010-11-11 00:29:51 -06:00
logging.debug("missing options might be asked for interactively later\n")
Log script options to logfile Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
2010-10-29 13:24:31 -05:00
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
global sstore
sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Move api finalization in ipa-server-install after writing default.conf We will need to have ipalib correctly configured before we start installing DNS entries with api.Command.dns.
2009-12-03 09:32:56 -06:00
# Configuration for ipalib, we will bootstrap and finalize later, after
# we are sure we have the configuration file ready.
ipa-server-install now renders UI assets
2009-11-02 15:16:27 -06:00
cfg = dict(
Retrieve the LDAP schema using kerberos credentials. This is required so we can disable anonymous access in 389-ds.
2010-03-17 09:01:24 -05:00
context='installer',
ipa-server-install now renders UI assets
2009-11-02 15:16:27 -06:00
in_server=True,
respect debug arg during server install The debug flag (e.g. -d) was not being respected during server install. This patch corrects that.
2009-11-19 09:33:50 -06:00
debug=options.debug
ipa-server-install now renders UI assets
2009-11-02 15:16:27 -06:00
)
Only initialize the API once in the installer Make the ldap2 plugin schema loader ignore SERVER_DOWN errors 525303
2009-09-28 22:34:15 -05:00
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
if options.uninstall:
Connect to the ldap during the uninstallation We need to ask the user for a password and connect to the ldap so the bind uninstallation procedure can remove old records. This is of course only helpful if one has more than one IPA server configured.
2010-04-15 04:08:48 -05:00
# We will need at least api.env, finalize api now. This system is
# already installed, so the configuration file is there.
api.bootstrap(**cfg)
api.finalize()
Call client uninstall from server uninstall so that uninstall reverses also client bits.
2008-03-31 16:35:45 -05:00
if not options.unattended:
print "\nThis is a NON REVERSIBLE operation and will delete all data and configuration!\n"
Fix python syntax error: missing colon.
2008-08-06 10:27:04 -05:00
if not user_input("Are you sure you want to continue with the uninstall procedure?", False):
Call client uninstall from server uninstall so that uninstall reverses also client bits.
2008-03-31 16:35:45 -05:00
print ""
print "Aborting uninstall operation."
sys.exit(1)
install-script: Do not ask to remove DNS data When we uninstall we wipe out the entire LDAP database, so it doesn't really make mush sense to try to also remove single entries from it. This avoids the --uninstall procedure to fail because the DM password is not available or the LDAP server is down, and we are just trying to cleanup everything.
2010-10-06 09:16:54 -05:00
return uninstall()
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
Fix external CA install. ticket 1523
2011-07-26 06:21:36 -05:00
if options.external_ca:
if cainstance.CADSInstance().is_configured():
print "CA is already installed.\nRun the installer with --external_cert_file and --external_ca_file."
sys.exit(1)
elif options.external_cert_file:
if not cainstance.CADSInstance().is_configured():
# This can happen if someone passes external_ca_file without
# already having done the first stage of the CA install.
print "CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca."
sys.exit(1)
if not ipautil.file_exists(options.external_cert_file):
print "%s does not exist" % options.external_cert_file
sys.exit(1)
if not ipautil.file_exists(options.external_ca_file):
print "%s does not exist" % options.external_ca_file
sys.exit(1)
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
# This will override any settings passed in on the cmdline
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
if ipautil.file_exists(ANSWER_CACHE):
Fix external CA install. ticket 1523
2011-07-26 06:21:36 -05:00
dm_password = read_password("Directory Manager", confirm=False)
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
options._update_loose(read_cache(dm_password))
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
print "=============================================================================="
Proper use of set up vs setup (verb vs noun) Resolves #529787
2010-02-03 13:56:17 -06:00
print "This program will set up the FreeIPA Server."
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
print ""
Include some additional information when installing IPA. Remove 8080 as a port that needs to be opened bz 430088
2008-01-25 16:08:36 -06:00
print "This includes:"
Make it clear which packages are being configured and which aren't. 450175
2008-06-06 14:25:36 -05:00
if options.conf_ntp:
print " * Configure the Network Time Daemon (ntpd)"
Include some additional information when installing IPA. Remove 8080 as a port that needs to be opened bz 430088
2008-01-25 16:08:36 -06:00
print " * Create and configure an instance of Directory Server"
KDC is Key Distribution Center, not Kerberos Domain Controller 435949
2008-03-04 13:47:47 -06:00
print " * Create and configure a Kerberos Key Distribution Center (KDC)"
Include some additional information when installing IPA. Remove 8080 as a port that needs to be opened bz 430088
2008-01-25 16:08:36 -06:00
print " * Configure Apache (httpd)"
Add --setup-dns option. It will replace --setup-bind
2009-06-25 07:42:08 -05:00
if options.setup_dns:
Make it clear which packages are being configured and which aren't. 450175
2008-06-06 14:25:36 -05:00
print " * Configure DNS (bind)"
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
if options.setup_pkinit:
print " * Configure the KDC to enable PKINIT"
Make it clear which packages are being configured and which aren't. 450175
2008-06-06 14:25:36 -05:00
if not options.conf_ntp:
print ""
print "Excluded by options:"
print " * Configure the Network Time Daemon (ntpd)"
Include some additional information when installing IPA. Remove 8080 as a port that needs to be opened bz 430088
2008-01-25 16:08:36 -06:00
print ""
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
print "To accept the default shown in brackets, press the Enter key."
print ""
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
if not options.external_ca and not options.external_cert_file:
# Let it past if there is an external_cert_file defined on the chance
# that we are coming in without a cache file.
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
check_dirsrv(options.unattended)
Added additional debugging information.
0000-12-31 18:09:24 -05:50
Add interactive prompts to ipa-server-install Change unattended flag to be -U Change master password flag to be -P instead of -m Improve ipa-client-install readability for user prompts
2007-08-20 17:40:32 -05:00
realm_name = ""
host_name = ""
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
domain_name = ""
ip_address = ""
Add interactive prompts to ipa-server-install Change unattended flag to be -U Change master password flag to be -P instead of -m Improve ipa-client-install readability for user prompts
2007-08-20 17:40:32 -05:00
master_password = ""
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
dm_password = ""
admin_password = ""
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
reverse_zone = None
Add interactive prompts to ipa-server-install Change unattended flag to be -U Change master password flag to be -P instead of -m Improve ipa-client-install readability for user prompts
2007-08-20 17:40:32 -05:00
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
# check bind packages are installed
Add --setup-dns option. It will replace --setup-bind
2009-06-25 07:42:08 -05:00
if options.setup_dns:
Ask the user before overwriting /etc/named.conf
2009-11-13 09:57:51 -06:00
if not bindinstance.check_inst(options.unattended):
Use sys.exit to quit scripts Instead of print and return, use sys.exit() to quit scripts with an error message and a non zero return code. https://fedorahosted.org/freeipa/ticket/425
2010-11-08 16:13:48 -06:00
sys.exit("Aborting installation")
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
Skip DNS validation checks if we're setting up DNS in ipa-server-install. If we're going to be authoritative ourselves don't bother with what other DNS servers think. ticket 1036
2011-03-03 15:03:44 -06:00
# Don't require an external DNS to say who we are if we are
# setting up a local DNS server.
options.no_host_dns = True
Improve kerberos install patch from Simo.
0000-12-31 18:09:24 -05:50
# check the hostname is correctly configured, it must be as the kldap
Make the IPA installer IPv6 friendly Notable changes include: * parse AAAA records in dnsclient * also ask for AAAA records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname() The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist"
2010-12-01 10:22:56 -06:00
# utilities just use the hostname as returned by getaddrinfo to set
Improve kerberos install patch from Simo.
0000-12-31 18:09:24 -05:50
# up some of the standard entries
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
host_default = ""
Improve kerberos install patch from Simo.
0000-12-31 18:09:24 -05:50
if options.host_name:
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
host_default = options.host_name
Improve kerberos install patch from Simo.
0000-12-31 18:09:24 -05:50
else:
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
host_default = get_fqdn()
Run ipa-client-install after server install bits
2008-02-20 09:16:19 -06:00
Verify that the hostname is fully-qualified before accessing the service information in ipactl. Fail gracefully if the supplied hostname isn't fully-qualified in ipa-server-install. ticket 1035
2011-06-24 09:56:25 -05:00
try:
if options.unattended:
add --no-host-dns option to ipa-server-install - allows specifying a hostname that might actually exist but you do not want to even attempt to resolve it via DNS
2008-09-16 21:18:11 -05:00
verify_fqdn(host_default,options.no_host_dns)
Verify that the hostname is fully-qualified before accessing the service information in ipactl. Fail gracefully if the supplied hostname isn't fully-qualified in ipa-server-install. ticket 1035
2011-06-24 09:56:25 -05:00
host_name = host_default
else:
host_name = read_host_name(host_default,options.no_host_dns)
except RuntimeError, e:
sys.exit(str(e) + "\n")
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
Ensure hostnames are lower during installation and when adding service princs 447381
2008-05-20 09:17:20 -05:00
host_name = host_name.lower()
Log interactive options in install scripts
2010-11-11 00:29:51 -06:00
logging.debug("will use host_name: %s\n" % host_name)
Ensure hostnames are lower during installation and when adding service princs 447381
2008-05-20 09:17:20 -05:00
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
if not options.domain_name:
Fix unattended install
2008-02-25 16:16:18 -06:00
domain_name = read_domain_name(host_name[host_name.find(".")+1:], options.unattended)
Log interactive options in install scripts
2010-11-11 00:29:51 -06:00
logging.debug("read domain_name: %s\n" % domain_name)
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
else:
Fix unattended install
2008-02-25 16:16:18 -06:00
domain_name = options.domain_name
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
Ensure hostnames are lower during installation and when adding service princs 447381
2008-05-20 09:17:20 -05:00
domain_name = domain_name.lower()
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
# Check we have a public IP that is associated with the hostname
Parse netmasks in IP addresses passed to server install. ticket 1212
2011-05-27 13:17:22 -05:00
hostaddr = resolve_host(host_name)
if hostaddr is not None:
The IP address provided to ipa-server-install must be local Compare the configured interfaces with the supplied IP address and optional netmask to determine if the interface is available. https://fedorahosted.org/freeipa/ticket/1175
2011-06-13 15:37:40 -05:00
ip = CheckedIPAddress(hostaddr, match_local=True)
Parse netmasks in IP addresses passed to server install. ticket 1212
2011-05-27 13:17:22 -05:00
else:
ip = options.ip_address
Clean up of IP address checks in install scripts. Fixes ipa-dns-install incorrect warning. ticket 1486
2011-07-18 06:36:47 -05:00
if ip is None:
print "Unable to resolve IP address for host name"
if options.unattended:
sys.exit(1)
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
Parse netmasks in IP addresses passed to server install. ticket 1212
2011-05-27 13:17:22 -05:00
if options.ip_address:
if options.ip_address != ip and not options.setup_dns:
Use sys.exit to quit scripts Instead of print and return, use sys.exit() to quit scripts with an error message and a non zero return code. https://fedorahosted.org/freeipa/ticket/425
2010-11-08 16:13:48 -06:00
print >>sys.stderr, "Error: the hostname resolves to an IP address that is different"
print >>sys.stderr, "from the one provided on the command line. Please fix your DNS"
print >>sys.stderr, "or /etc/hosts file and restart the installation."
Fix up function return values so we can return 1 on an installation error. 447973
2008-05-22 15:36:11 -05:00
return 1
Run ipa-client-install after server install bits
2008-02-20 09:16:19 -06:00
Parse netmasks in IP addresses passed to server install. ticket 1212
2011-05-27 13:17:22 -05:00
ip = options.ip_address
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
Parse netmasks in IP addresses passed to server install. ticket 1212
2011-05-27 13:17:22 -05:00
if ip is None:
Move some functions from ipa-server-install into installutils We will need these functions in the new upcoming ipa-dns-install command.
2009-11-23 02:15:35 -06:00
ip = read_ip_address(host_name, fstore)
Parse netmasks in IP addresses passed to server install. ticket 1212
2011-05-27 13:17:22 -05:00
logging.debug("read ip_address: %s\n" % str(ip))
ip_address = str(ip)
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip):
sys.exit(1)
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
print "The IPA Master Server will be configured with"
print "Hostname: " + host_name
print "IP address: " + ip_address
print "Domain name: " + domain_name
Add interactive prompts to ipa-server-install Change unattended flag to be -U Change master password flag to be -P instead of -m Improve ipa-client-install readability for user prompts
2007-08-20 17:40:32 -05:00
print ""
if not options.realm_name:
Fix unattended install
2008-02-25 16:16:18 -06:00
realm_name = read_realm_name(domain_name, options.unattended)
Log interactive options in install scripts
2010-11-11 00:29:51 -06:00
logging.debug("read realm_name: %s\n" % realm_name)
Add interactive prompts to ipa-server-install Change unattended flag to be -U Change master password flag to be -P instead of -m Improve ipa-client-install readability for user prompts
2007-08-20 17:40:32 -05:00
else:
Ensure that the realm name is upper-case. 449182
2008-06-03 10:28:27 -05:00
realm_name = options.realm_name.upper()
Add interactive prompts to ipa-server-install Change unattended flag to be -U Change master password flag to be -P instead of -m Improve ipa-client-install readability for user prompts
2007-08-20 17:40:32 -05:00
Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate
2010-11-01 12:51:14 -05:00
if not options.subject:
options.subject = "O=%s" % realm_name
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
if not options.dm_password:
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
dm_password = read_dm_password()
Add interactive prompts to ipa-server-install Change unattended flag to be -U Change master password flag to be -P instead of -m Improve ipa-client-install readability for user prompts
2007-08-20 17:40:32 -05:00
else:
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
dm_password = options.dm_password
Add interactive prompts to ipa-server-install Change unattended flag to be -U Change master password flag to be -P instead of -m Improve ipa-client-install readability for user prompts
2007-08-20 17:40:32 -05:00
if not options.master_password:
Generate master password from Simo.
0000-12-31 18:09:24 -05:50
master_password = ipa_generate_password()
Add interactive prompts to ipa-server-install Change unattended flag to be -U Change master password flag to be -P instead of -m Improve ipa-client-install readability for user prompts
2007-08-20 17:40:32 -05:00
else:
master_password = options.master_password
Improve kerberos install patch from Simo.
0000-12-31 18:09:24 -05:50
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
if not options.admin_password:
Hi, Here is another patch for the installer. It does a few things: * use socket.getfqdn() but fallback to gethostname() * streamlines the hostname prompting * fixes a bunch of spelling and grammatical errors * fixes a bug in the hostname reading/verification logic * allows "yes" and "no" as answers * modularizes and reuses code where possible * changes some of the prompts to be more like the FDS installer - some text is copied (which is easy to use IMO) * tries to make the prompts fit on smaller screens (<80 chars) Hope you agree that it is better. :) Thanks, Jon
0000-12-31 18:09:24 -05:50
admin_password = read_admin_password()
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
else:
admin_password = options.admin_password
Use DNS forwarders in /etc/named.conf This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line.
2009-09-01 16:28:52 -05:00
if options.setup_dns:
if options.no_forwarders:
dns_forwarders = ()
elif options.forwarders:
dns_forwarders = options.forwarders
else:
dns_forwarders = read_dns_forwarders()
Ask for reverse DNS zone information in attended install right after asking for DNS forwarders, so that DNS configuration is done in one place. ticket 1522
2011-07-26 07:53:19 -05:00
if options.reverse_zone:
reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
elif not options.no_reverse:
reverse_zone = bindinstance.get_reverse_zone_default(ip)
if not options.unattended and bindinstance.create_reverse():
reverse_zone = bindinstance.read_reverse_zone(reverse_zone, ip)
if reverse_zone is not None:
print "Using reverse zone %s" % reverse_zone
Fixed dns_forwarders not being defined when options.setup_dns is False
2009-09-08 02:03:55 -05:00
else:
dns_forwarders = ()
Log interactive options in install scripts
2010-11-11 00:29:51 -06:00
logging.debug("will use dns_forwarders: %s\n" % str(dns_forwarders))
Use DNS forwarders in /etc/named.conf This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line.
2009-09-01 16:28:52 -05:00
Move api finalization in ipa-server-install after writing default.conf We will need to have ipalib correctly configured before we start installing DNS entries with api.Command.dns.
2009-12-03 09:32:56 -06:00
# Create the management framework config file and finalize api
Fix IPA install for secure umask Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation. https://fedorahosted.org/freeipa/ticket/1282
2011-06-17 07:19:45 -05:00
old_umask = os.umask(022) # must be readable for httpd
try:
fd = open("/etc/ipa/default.conf", "w")
fd.write("[global]\n")
Let the framework be able to override the hostname. The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
2011-06-23 01:06:49 -05:00
fd.write("host=" + host_name + "\n")
Fix IPA install for secure umask Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation. https://fedorahosted.org/freeipa/ticket/1282
2011-06-17 07:19:45 -05:00
fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
fd.write("realm=" + realm_name + "\n")
fd.write("domain=" + domain_name + "\n")
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
fd.write("enable_ra=True\n")
if not options.selfsign:
fd.write("ra_plugin=dogtag\n")
fd.write("mode=production\n")
fd.close()
finally:
os.umask(old_umask)
Move api finalization in ipa-server-install after writing default.conf We will need to have ipalib correctly configured before we start installing DNS entries with api.Command.dns.
2009-12-03 09:32:56 -06:00
api.bootstrap(**cfg)
api.finalize()
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
if not options.unattended:
print ""
print "The following operations may take some minutes to complete."
print "Please wait until the prompt is returned."
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
print ""
Start ntpd first unless we do not want it. Make sure we do sync the clock leaping to the current correct time. This avoids problems with bad dates on certificates, etc..
2008-02-20 10:03:46 -06:00
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
# Create DS group if it doesn't exist yet
try:
grp.getgrnam(dsinstance.DS_GROUP)
logging.debug("ds group %s exists" % dsinstance.DS_GROUP)
group_exists = True
except KeyError:
group_exists = False
args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP]
try:
ipautil.run(args)
logging.debug("done adding DS group")
except ipautil.CalledProcessError, e:
logging.critical("failed to add DS group: %s" % e)
sstore.backup_state("install", "group_exists", group_exists)
Move ntp configuration up top. Also move down some dsinstance related operation close to other dsinstance operations. Fixes: https://fedorahosted.org/freeipa/ticket/595
2010-12-08 09:25:49 -06:00
# Configure ntpd
if options.conf_ntp:
ntp = ntpinstance.NTPInstance(fstore)
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
if not ntp.is_configured():
ntp.create_instance()
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
if options.selfsign:
ca = certs.CertDB(realm_name, host_name=host_name,
subject_base=options.subject)
ca.create_self_signed()
else:
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
# Clean up any previous self-signed CA that may exist
try:
os.remove(certs.CA_SERIALNO)
except:
pass
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
# Figure out what state we're in. See cainstance.py for more info on
# the 3 states.
Fix external CA install. ticket 1523
2011-07-26 06:21:36 -05:00
if options.external_cert_file:
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
external = 2
Fix external CA install. ticket 1523
2011-07-26 06:21:36 -05:00
elif options.external_ca:
external = 1
else:
external = 0
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
Do better detection on status of CA DS instance when installing. The conditional used to determine if thd CA 389-ds instance was already configured was rather poor so it was possible to pass command-line arguments in to confuse it. This would cause it to not be installed at all causing the dogtag installation to fail in a strange way. https://fedorahosted.org/freeipa/ticket/1244
2011-06-10 14:28:46 -05:00
cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)
if not cs.is_configured():
Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. This fixes 2 AVCS: * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389. * We were symlinking to the main IPA 389-ds NSS certificate databsae. Instead generate a separate NSS database and certificate and have certmonger track it separately I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it. ticket 1085
2011-03-14 15:27:19 -05:00
cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject)
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
if external == 0:
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
ca.configure_instance(host_name, dm_password, dm_password,
subject_base=options.subject)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
elif external == 1:
Do better detection on status of CA DS instance when installing. The conditional used to determine if thd CA 389-ds instance was already configured was rather poor so it was possible to pass command-line arguments in to confuse it. This would cause it to not be installed at all causing the dogtag installation to fail in a strange way. https://fedorahosted.org/freeipa/ticket/1244
2011-06-10 14:28:46 -05:00
# stage 1 of external CA installation
Fix installing IPA with an external CA - cache all interactive answers - set non-interactive to True for the second run so nothing is asked - convert boolean values that are read in - require absolute paths for the external CA and signed cert files - fix the invocation message for the second ipa-server-install run
2010-04-01 16:20:38 -05:00
options.realm_name = realm_name
options.domain_name = domain_name
options.master_password = master_password
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
options.dm_password = dm_password
options.admin_password = admin_password
Fix external CA install. ticket 1523
2011-07-26 06:21:36 -05:00
options.host_name = host_name
Fix installing IPA with an external CA - cache all interactive answers - set non-interactive to True for the second run so nothing is asked - convert boolean values that are read in - require absolute paths for the external CA and signed cert files - fix the invocation message for the second ipa-server-install run
2010-04-01 16:20:38 -05:00
options.unattended = True
Fix external CA install. ticket 1523
2011-07-26 06:21:36 -05:00
options.forwarders = dns_forwarders
options.reverse_zone = reverse_zone
Cache installer questions for the 2-step process of an externally-signed CA Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
2009-11-18 13:28:33 -06:00
write_cache(options)
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
ca.configure_instance(host_name, dm_password, dm_password,
csr_file="/root/ipa.csr",
subject_base=options.subject)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
else:
Do better detection on status of CA DS instance when installing. The conditional used to determine if thd CA 389-ds instance was already configured was rather poor so it was possible to pass command-line arguments in to confuse it. This would cause it to not be installed at all causing the dogtag installation to fail in a strange way. https://fedorahosted.org/freeipa/ticket/1244
2011-06-10 14:28:46 -05:00
# stage 2 of external CA installation
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
ca.configure_instance(host_name, dm_password, dm_password,
cert_file=options.external_cert_file,
cert_chain_file=options.external_ca_file,
subject_base=options.subject)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
Fix Install using dogtag. The CA is installed before DS so we need to wait until DS is actually installed to be able to ldap_enable the CA instance. Fixes: https://fedorahosted.org/freeipa/ticket/612
2010-12-10 13:53:06 -06:00
# Now put the CA cert where other instances exepct it
ca.publish_ca_cert("/etc/ipa/ca.crt")
Added additional debugging information.
0000-12-31 18:09:24 -05:50
# Create a directory server instance
Inconsistent sysrestore file handling by IPA server installer IPA server/replica uninstallation may fail when it tries to restore a Directory server configuration file in sysrestore directory, which was already restored before. The problem is in Directory Server uninstaller which uses and modifies its own image of sysrestore directory state instead of using the common uninstaller image. https://fedorahosted.org/freeipa/ticket/1026
2011-03-01 07:17:03 -06:00
ds = dsinstance.DsInstance(fstore=fstore)
Move ntp configuration up top. Also move down some dsinstance related operation close to other dsinstance operations. Fixes: https://fedorahosted.org/freeipa/ticket/595
2010-12-08 09:25:49 -06:00
if options.dirsrv_pin:
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, options.dirsrv_pin)
os.close(pw_fd)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
if options.dirsrv_pkcs12:
pkcs12_info = (options.dirsrv_pkcs12, pw_name)
Implement an installer for the Dogtag certificate system. The CA is currently not automatically installed. You have to pass in the --ca flag to install it. What works: - installation - unistallation - cert/ra plugins can issue and retrieve server certs What doesn't work: - self-signed CA is still created and issues Apache and DS certs - dogtag and python-nss not in rpm requires - requires that CS be in the "pre" install state from pkicreate
2009-04-01 21:39:44 -05:00
try:
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
ds.create_instance(realm_name, host_name, domain_name,
dm_password, pkcs12_info,
subject_base=options.subject,
hbac_allow=not options.hbac_allow)
Implement an installer for the Dogtag certificate system. The CA is currently not automatically installed. You have to pass in the --ca flag to install it. What works: - installation - unistallation - cert/ra plugins can issue and retrieve server certs What doesn't work: - self-signed CA is still created and issues Apache and DS certs - dogtag and python-nss not in rpm requires - requires that CS be in the "pre" install state from pkicreate
2009-04-01 21:39:44 -05:00
finally:
os.remove(pw_name)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
else:
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
ds.create_instance(realm_name, host_name, domain_name,
id ranges: change DNA configuration Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
2010-11-11 17:15:28 -06:00
dm_password, self_signed_ca=options.selfsign,
idstart=options.idstart, idmax=options.idmax,
subject_base=options.subject,
hbac_allow=not options.hbac_allow)
import initial install tool
0000-12-31 18:09:24 -05:50
Use TLS for dogtag replication agreements. Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance. ticket 1060
2011-03-09 23:06:15 -06:00
# We need to ldap_enable the CA now that DS is up and running
Fix Install using dogtag. The CA is installed before DS so we need to wait until DS is actually installed to be able to ldap_enable the CA instance. Fixes: https://fedorahosted.org/freeipa/ticket/612
2010-12-10 13:53:06 -06:00
if not options.selfsign:
ca.ldap_enable('CA', host_name, dm_password,
util.realm_to_suffix(realm_name))
Use TLS for dogtag replication agreements. Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance. ticket 1060
2011-03-09 23:06:15 -06:00
# Turn on SSL in the dogtag LDAP instance. This will get restarted
# later, we don't need SSL now.
Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. This fixes 2 AVCS: * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389. * We were symlinking to the main IPA 389-ds NSS certificate databsae. Instead generate a separate NSS database and certificate and have certmonger track it separately I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it. ticket 1085
2011-03-14 15:27:19 -05:00
cs.create_certdb()
Use TLS for dogtag replication agreements. Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance. ticket 1060
2011-03-09 23:06:15 -06:00
cs.enable_ssl()
Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. This fixes 2 AVCS: * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389. * We were symlinking to the main IPA 389-ds NSS certificate databsae. Instead generate a separate NSS database and certificate and have certmonger track it separately I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it. ticket 1085
2011-03-14 15:27:19 -05:00
# Add the IPA service for storing the PKI-IPA server certificate.
Fix external CA installation When re-creating the CADS instance it needs to be more fully-populated so we have enough information to create an SSL certificate and move the principal to a real entry. https://fedorahosted.org/freeipa/ticket/1245
2011-06-08 14:56:29 -05:00
cs.add_simple_service(cs.principal)
Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. This fixes 2 AVCS: * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389. * We were symlinking to the main IPA 389-ds NSS certificate databsae. Instead generate a separate NSS database and certificate and have certmonger track it separately I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it. ticket 1085
2011-03-14 15:27:19 -05:00
cs.add_cert_to_service()
Use TLS for dogtag replication agreements. Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance. ticket 1060
2011-03-09 23:06:15 -06:00
Fix Install using dogtag. The CA is installed before DS so we need to wait until DS is actually installed to be able to ldap_enable the CA instance. Fixes: https://fedorahosted.org/freeipa/ticket/612
2010-12-10 13:53:06 -06:00
# Create a kerberos instance
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
if options.pkinit_pin:
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, options.dirsrv_pin)
os.close(pw_fd)
Get merged tree into an installalble state. I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us. The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
2009-02-02 12:50:53 -06:00
krb = krbinstance.KrbInstance(fstore)
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
if options.pkinit_pkcs12:
pkcs12_info = (options.pkinit_pkcs12, pw_name)
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
krb.create_instance(realm_name, host_name, domain_name,
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
dm_password, master_password,
setup_pkinit=options.setup_pkinit,
pkcs12_info=pkcs12_info,
subject_base=options.subject)
else:
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
krb.create_instance(realm_name, host_name, domain_name,
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
dm_password, master_password,
setup_pkinit=options.setup_pkinit,
self_signed_ca=options.selfsign,
subject_base=options.subject)
if options.pkinit_pin:
os.remove(pw_name)
Improve kerberos install patch from Simo.
0000-12-31 18:09:24 -05:50
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
# The DS instance is created before the keytab, add the SSL cert we
# generated
ds.add_cert_to_service()
First step in enabling SSL in the IPA web server
2007-10-15 14:42:12 -05:00
# Create a HTTP instance
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
if options.http_pin:
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, options.http_pin)
os.close(pw_fd)
Get merged tree into an installalble state. I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us. The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
2009-02-02 12:50:53 -06:00
http = httpinstance.HTTPInstance(fstore)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
if options.http_pkcs12:
pkcs12_info = (options.http_pkcs12, pw_name)
Add option to install without the automatic redirect to the Web UI. ticket 1570
2011-08-16 12:34:04 -05:00
http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=False, pkcs12_info=pkcs12_info, subject_base=options.subject, auto_redirect=options.ui_redirect)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
os.remove(pw_name)
else:
Add option to install without the automatic redirect to the Web UI. ticket 1570
2011-08-16 12:34:04 -05:00
http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject, auto_redirect=options.ui_redirect)
Add SELinux policy for UI assets This also removes the Index option of /ipa-assets as well as the deprecated IPADebug option. No need to build or install ipa_webgui anymore. Leaving in the code for reference purposes for now.
2009-11-03 14:26:00 -06:00
ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"])
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
Use ldapi: instead of unsecured ldap: in ipa core tools. The patch also corrects exception handling in some of the tools. Fix #874
2011-02-15 13:11:27 -06:00
set_subject_in_config(realm_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
Run the LDAP updater at the end of the installation process. Running at the end ensures that /etc/ipa/ipa.conf is created and generally makes it more likely to succeed. Added a new argument to ipa-server-installl, -y <password_file>, so we don't have to pass it on the command-line.
2008-09-15 17:15:12 -05:00
# Apply any LDAP updates. Needs to be done after the configuration file
# is created
service.print_msg("Applying LDAP updates")
ds.apply_updates()
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
# Restart ds and krb after configurations have been changed
ipa-server-install inconsistent capitalization A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter. https://fedorahosted.org/freeipa/ticket/776
2011-02-02 09:24:30 -06:00
service.print_msg("Restarting the directory server")
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
ds.restart()
Run ipa-client-install after server install bits
2008-02-20 09:16:19 -06:00
ipa-server-install inconsistent capitalization A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter. https://fedorahosted.org/freeipa/ticket/776
2011-02-02 09:24:30 -06:00
service.print_msg("Restarting the KDC")
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
krb.restart()
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
# Restart httpd to pick up the new IPA configuration
ipa-server-install inconsistent capitalization A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter. https://fedorahosted.org/freeipa/ticket/776
2011-02-02 09:24:30 -06:00
service.print_msg("Restarting the web server")
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
http.restart()
Setup bind only after restarting kdc and dirsrv BIND starting before we apply LDAP updates and restart kdc and directory server causes trouble. We resolve this for now by postponing BIND setup to the end of installation. Another reason is that we will be using xml-rpc during the setup in the future.
2009-09-02 05:24:17 -05:00
# Create a BIND instance
bind = bindinstance.BindInstance(fstore, dm_password)
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders, options.conf_ntp, reverse_zone, zonemgr=options.zonemgr)
Setup bind only after restarting kdc and dirsrv BIND starting before we apply LDAP updates and restart kdc and directory server causes trouble. We resolve this for now by postponing BIND setup to the end of installation. Another reason is that we will be using xml-rpc during the setup in the future.
2009-09-02 05:24:17 -05:00
if options.setup_dns:
Add A and PTR records of ourselves during installation If the DNS zones already exist but don't contain our own records, add them. This patch introduces the ipalib.api into the installers. For now, the code is still little messy. Later patches will abandon the way we create zones now and use ipalib.api exclusively.
2009-09-02 09:22:50 -05:00
api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password)
Setup bind only after restarting kdc and dirsrv BIND starting before we apply LDAP updates and restart kdc and directory server causes trouble. We resolve this for now by postponing BIND setup to the end of installation. Another reason is that we will be using xml-rpc during the setup in the future.
2009-09-02 05:24:17 -05:00
bind.create_instance()
else:
bind.create_sample_bind_zone()
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
Run ipa-client-install after server install bits
2008-02-20 09:16:19 -06:00
# Call client install script
try:
Let the framework be able to override the hostname. The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
2011-06-23 01:06:49 -05:00
run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name])
Run ipa-client-install after server install bits
2008-02-20 09:16:19 -06:00
except Exception, e:
Use sys.exit to quit scripts Instead of print and return, use sys.exit() to quit scripts with an error message and a non zero return code. https://fedorahosted.org/freeipa/ticket/425
2010-11-08 16:13:48 -06:00
sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))
Run ipa-client-install after server install bits
2008-02-20 09:16:19 -06:00
Introduce ipa control script that reads configuration off ldap This replace the former ipactl script, as well as replace the current way ipa components are started. Instead of enabling each service in the system init scripts, enable only the ipa script, and then let it start all components based on the configuration read from the LDAP tree. resolves: https://fedorahosted.org/freeipa/ticket/294
2010-12-04 14:42:14 -06:00
#Everything installed properly, activate ipa service.
service.chkconfig_on('ipa')
Print warning about NTP After looking into setting up ntpd on the IPA servers I decided it was better just to warn admins. There are just too many valid setups for time synchronization for us to try to get this right. Additionally, just installing ntp and accepting the default config will result in a configuration that is perfectly valid for IPA. This patch checks if ntpd is running and suggests enabling it if it is not - for client and server. It also adds some suggested next steps to the server installation.
0000-12-31 18:09:24 -05:50
print "=============================================================================="
print "Setup complete"
print ""
print "Next steps:"
Make it clear which packages are being configured and which aren't. 450175
2008-06-06 14:25:36 -05:00
print "\t1. You must make sure these network ports are open:"
Print warning about NTP After looking into setting up ntpd on the IPA servers I decided it was better just to warn admins. There are just too many valid setups for time synchronization for us to try to get this right. Additionally, just installing ntp and accepting the default config will result in a configuration that is perfectly valid for IPA. This patch checks if ntpd is running and suggests enabling it if it is not - for client and server. It also adds some suggested next steps to the server installation.
0000-12-31 18:09:24 -05:50
print "\t\tTCP Ports:"
Include some additional information when installing IPA. Remove 8080 as a port that needs to be opened bz 430088
2008-01-25 16:08:36 -06:00
print "\t\t * 80, 443: HTTP/HTTPS"
Print warning about NTP After looking into setting up ntpd on the IPA servers I decided it was better just to warn admins. There are just too many valid setups for time synchronization for us to try to get this right. Additionally, just installing ntp and accepting the default config will result in a configuration that is perfectly valid for IPA. This patch checks if ntpd is running and suggests enabling it if it is not - for client and server. It also adds some suggested next steps to the server installation.
0000-12-31 18:09:24 -05:50
print "\t\t * 389, 636: LDAP/LDAPS"
NTP configuration for client and server. Configure ipa servers as an ntp server and clients to (by default) us the ipa server as an ntp server. Also corrected the messages about which ports should be opened.
0000-12-31 18:09:24 -05:50
print "\t\t * 88, 464: kerberos"
Add --setup-dns option. It will replace --setup-bind
2009-06-25 07:42:08 -05:00
if options.setup_dns:
Make it clear which packages are being configured and which aren't. 450175
2008-06-06 14:25:36 -05:00
print "\t\t * 53: bind"
Print warning about NTP After looking into setting up ntpd on the IPA servers I decided it was better just to warn admins. There are just too many valid setups for time synchronization for us to try to get this right. Additionally, just installing ntp and accepting the default config will result in a configuration that is perfectly valid for IPA. This patch checks if ntpd is running and suggests enabling it if it is not - for client and server. It also adds some suggested next steps to the server installation.
0000-12-31 18:09:24 -05:50
print "\t\tUDP Ports:"
NTP configuration for client and server. Configure ipa servers as an ntp server and clients to (by default) us the ipa server as an ntp server. Also corrected the messages about which ports should be opened.
0000-12-31 18:09:24 -05:50
print "\t\t * 88, 464: kerberos"
Add --setup-dns option. It will replace --setup-bind
2009-06-25 07:42:08 -05:00
if options.setup_dns:
Make it clear which packages are being configured and which aren't. 450175
2008-06-06 14:25:36 -05:00
print "\t\t * 53: bind"
if options.conf_ntp:
print "\t\t * 123: ntp"
Print warning about NTP After looking into setting up ntpd on the IPA servers I decided it was better just to warn admins. There are just too many valid setups for time synchronization for us to try to get this right. Additionally, just installing ntp and accepting the default config will result in a configuration that is perfectly valid for IPA. This patch checks if ntpd is running and suggests enabling it if it is not - for client and server. It also adds some suggested next steps to the server installation.
0000-12-31 18:09:24 -05:50
print ""
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'"
Fix sample IPA command example at end of installation Resolves #531455
2010-02-03 13:47:51 -06:00
print "\t This ticket will allow you to use the IPA tools (e.g., ipa user-add)"
Print warning about NTP After looking into setting up ntpd on the IPA servers I decided it was better just to warn admins. There are just too many valid setups for time synchronization for us to try to get this right. Additionally, just installing ntp and accepting the default config will result in a configuration that is perfectly valid for IPA. This patch checks if ntpd is running and suggests enabling it if it is not - for client and server. It also adds some suggested next steps to the server installation.
0000-12-31 18:09:24 -05:50
print "\t and the web user interface."
Add service.is_running() helper Add a simple helper to check whether a service is running and make ipa-server-install use it to check whether ntpd is running. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 04:36:25 -06:00
if not service.is_running("ntpd"):
Print warning about NTP After looking into setting up ntpd on the IPA servers I decided it was better just to warn admins. There are just too many valid setups for time synchronization for us to try to get this right. Additionally, just installing ntp and accepting the default config will result in a configuration that is perfectly valid for IPA. This patch checks if ntpd is running and suggests enabling it if it is not - for client and server. It also adds some suggested next steps to the server installation.
0000-12-31 18:09:24 -05:50
print "\t3. Kerberos requires time synchronization between clients"
print "\t and servers for correct operation. You should consider enabling ntpd."
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
print ""
Better customize the message regarding the CA based on the install options. There are now 3 cases: - Install a dogtag CA and issue server certs using that - Install a selfsign CA and issue server certs using that - Install using either dogtag or selfsign and use the provided PKCS#12 files for the server certs. The installed CA will still be used by the cert plugin to issue any server certs.
2010-03-10 10:55:48 -06:00
if options.http_pkcs12:
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
print "In order for Firefox autoconfiguration to work you will need to"
print "use a SSL signing certificate. See the IPA documentation for more details."
Better customize the message regarding the CA based on the install options. There are now 3 cases: - Install a dogtag CA and issue server certs using that - Install a selfsign CA and issue server certs using that - Install using either dogtag or selfsign and use the provided PKCS#12 files for the server certs. The installed CA will still be used by the cert plugin to issue any server certs.
2010-03-10 10:55:48 -06:00
print "You also need to install a PEM copy of the CA certificate into"
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
print "/usr/share/ipa/html/ca.crt"
Better customize the message regarding the CA based on the install options. There are now 3 cases: - Install a dogtag CA and issue server certs using that - Install a selfsign CA and issue server certs using that - Install using either dogtag or selfsign and use the provided PKCS#12 files for the server certs. The installed CA will still be used by the cert plugin to issue any server certs.
2010-03-10 10:55:48 -06:00
else:
if options.selfsign:
print "Be sure to back up the CA certificate stored in /etc/httpd/alias/cacert.p12"
print "The password for this file is in /etc/httpd/alias/pwdfile.txt"
else:
print "Be sure to back up the CA certificate stored in /root/cacert.p12"
print "This file is required to create replicas. The password for this"
print "file is the Directory Manager password"
Print warning about NTP After looking into setting up ntpd on the IPA servers I decided it was better just to warn admins. There are just too many valid setups for time synchronization for us to try to get this right. Additionally, just installing ntp and accepting the default config will result in a configuration that is perfectly valid for IPA. This patch checks if ntpd is running and suggests enabling it if it is not - for client and server. It also adds some suggested next steps to the server installation.
0000-12-31 18:09:24 -05:50
Fix installing with an external CA and wait for dogtag to come up There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
2011-01-26 09:53:02 -06:00
if ipautil.file_exists(ANSWER_CACHE):
os.remove(ANSWER_CACHE)
import initial install tool
0000-12-31 18:09:24 -05:50
return 0
Karl MacMillan wrote: > > This largish patch makes the build and installation work on 64bit > > machines. The only catch here is that to get a 64bit build you need to > > set LIBDIR on make: > > > > make install LIBDIR=/usr/lib64 > > > > The spec file does this correctly. I couldn't find any reliable way to > > guess this that works both on real systems and in the almost entirely > > empty rpm build root (you can't, for example, check for the existence > > of /usr/lib64).
0000-12-31 18:09:24 -05:50
try:
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
try:
sys.exit(main())
except SystemExit, e:
sys.exit(e)
Fix reverse zone creation in ipa-replica-prepare When a new reverse zone was created in ipa-replica-prepare (this may happen when a new replica is from different subnet), the master DNS address was corrupted by invalid A/AAAA record. This caused problems for example in installing replica. https://fedorahosted.org/freeipa/ticket/1223
2011-05-27 10:05:45 -05:00
except HostnameLocalhost:
print "The hostname resolves to the localhost address (127.0.0.1/::1)"
print "Please change your /etc/hosts file so that the hostname"
print "resolves to the ip address of your network interface."
print "The KDC service does not listen on localhost"
print ""
print "Please fix your /etc/hosts file and restart the setup program"
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
except Exception, e:
Fix a couple of syntax errors in the installer. I meant to push these along with the original patch but pushed the wrong one.
2010-04-27 16:51:13 -05:00
if uninstalling:
Replace a new instance of IPAdmin use in ipa-server-install.
2010-04-27 09:35:07 -05:00
message = "Unexpected error - see ipaserver-uninstall.log for details:\n %s" % str(e)
Fix a couple of syntax errors in the installer. I meant to push these along with the original patch but pushed the wrong one.
2010-04-27 16:51:13 -05:00
else:
Replace a new instance of IPAdmin use in ipa-server-install.
2010-04-27 09:35:07 -05:00
message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
print message
message = str(e)
for str in traceback.format_tb(sys.exc_info()[2]):
message = message + "\n" + str
logging.debug(message)
sys.exit(1)
finally:
if pw_name and ipautil.file_exists(pw_name):
os.remove(pw_name)
Reference in New Issue Copy Permalink