2013-05-28 06:31:37 -05:00
|
|
|
# Authors:
|
|
|
|
# Petr Viktorin <pviktori@redhat.com>
|
|
|
|
#
|
|
|
|
# Copyright (C) 2013 Red Hat
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
"""Common tasks for FreeIPA integration tests"""
|
|
|
|
|
|
|
|
import os
|
|
|
|
import textwrap
|
2013-06-05 11:30:39 -05:00
|
|
|
import re
|
2013-06-27 08:28:13 -05:00
|
|
|
import collections
|
|
|
|
import itertools
|
2013-07-17 07:28:05 -05:00
|
|
|
import time
|
|
|
|
|
2015-09-14 07:52:48 -05:00
|
|
|
import dns
|
2013-07-17 07:28:05 -05:00
|
|
|
from ldif import LDIFWriter
|
2015-09-14 07:52:48 -05:00
|
|
|
from six import StringIO
|
2013-05-28 06:31:37 -05:00
|
|
|
|
2013-06-05 11:30:39 -05:00
|
|
|
from ipapython import ipautil
|
2014-05-29 07:47:17 -05:00
|
|
|
from ipaplatform.paths import paths
|
2013-07-17 07:28:05 -05:00
|
|
|
from ipapython.dn import DN
|
2013-05-28 06:31:37 -05:00
|
|
|
from ipapython.ipa_log_manager import log_mgr
|
2013-09-04 09:29:06 -05:00
|
|
|
from ipatests.test_integration import util
|
2014-11-13 09:23:56 -06:00
|
|
|
from ipatests.test_integration.env_config import env_to_script
|
2013-10-16 06:54:26 -05:00
|
|
|
from ipatests.test_integration.host import Host
|
2016-01-06 09:18:17 -06:00
|
|
|
from ipalib import errors
|
|
|
|
from ipalib.util import get_reverse_zone_default, verify_host_resolvable
|
2015-11-27 10:00:23 -06:00
|
|
|
from ipalib.constants import DOMAIN_SUFFIX_NAME
|
2015-12-04 10:12:05 -06:00
|
|
|
from ipalib.constants import DOMAIN_LEVEL_0
|
2013-05-28 06:31:37 -05:00
|
|
|
|
|
|
|
log = log_mgr.get_logger(__name__)
|
|
|
|
|
2015-09-25 14:09:24 -05:00
|
|
|
IPATEST_NM_CONFIG = '20-ipatest-unmanaged-resolv.conf'
|
|
|
|
|
2013-05-28 06:31:37 -05:00
|
|
|
|
2015-08-27 12:19:28 -05:00
|
|
|
def check_arguments_are(slice, instanceof):
|
|
|
|
"""
|
|
|
|
:param: slice - tuple of integers denoting the beginning and the end
|
|
|
|
of argument list to be checked
|
|
|
|
:param: instanceof - name of the class the checked arguments should be
|
|
|
|
instances of
|
|
|
|
Example: @check_arguments_are((1, 3), int) will check that the second
|
|
|
|
and third arguments are integers
|
|
|
|
"""
|
|
|
|
def wrapper(func):
|
|
|
|
def wrapped(*args):
|
|
|
|
for i in args[slice[0]:slice[1]]:
|
|
|
|
assert isinstance(i, instanceof), "Wrong type: %s: %s" % (i, type(i))
|
|
|
|
return func(*args)
|
|
|
|
return wrapped
|
|
|
|
return wrapper
|
|
|
|
|
2015-09-30 05:17:53 -05:00
|
|
|
def prepare_reverse_zone(host, ip):
|
|
|
|
zone = get_reverse_zone_default(ip)
|
2016-02-01 03:49:33 -06:00
|
|
|
result = host.run_command(["ipa",
|
2015-09-30 05:17:53 -05:00
|
|
|
"dnszone-add",
|
|
|
|
zone], raiseonerr=False)
|
2016-02-01 03:49:33 -06:00
|
|
|
if result.returncode > 0:
|
|
|
|
log.warning(result.stderr_text)
|
|
|
|
return zone, result.returncode
|
2015-08-27 12:19:28 -05:00
|
|
|
|
2013-06-27 03:44:02 -05:00
|
|
|
def prepare_host(host):
|
2013-10-16 06:54:26 -05:00
|
|
|
if isinstance(host, Host):
|
|
|
|
env_filename = os.path.join(host.config.test_dir, 'env.sh')
|
2014-01-23 06:33:59 -06:00
|
|
|
|
|
|
|
# First we try to run simple echo command to test the connection
|
|
|
|
host.run_command(['true'], set_env=False)
|
|
|
|
|
2013-10-16 06:54:26 -05:00
|
|
|
host.collect_log(env_filename)
|
|
|
|
host.transport.mkdir_recursive(host.config.test_dir)
|
|
|
|
host.put_file_contents(env_filename, env_to_script(host.to_env()))
|
2013-06-27 03:44:02 -05:00
|
|
|
|
|
|
|
|
2015-11-02 04:51:34 -06:00
|
|
|
def allow_sync_ptr(host):
|
|
|
|
kinit_admin(host)
|
|
|
|
host.run_command(["ipa", "dnsconfig-mod", "--allow-sync-ptr=true"],
|
|
|
|
raiseonerr=False)
|
|
|
|
|
|
|
|
|
2016-01-14 07:59:37 -06:00
|
|
|
def apply_common_fixes(host, fix_resolv=True):
|
2013-06-05 11:30:39 -05:00
|
|
|
fix_etc_hosts(host)
|
|
|
|
fix_hostname(host)
|
2015-09-25 14:09:24 -05:00
|
|
|
modify_nm_resolv_conf_settings(host)
|
2016-01-14 07:59:37 -06:00
|
|
|
if fix_resolv:
|
|
|
|
fix_resolv_conf(host)
|
2016-01-29 06:47:20 -06:00
|
|
|
prepare_host(host)
|
2013-06-05 11:30:39 -05:00
|
|
|
|
|
|
|
|
|
|
|
def backup_file(host, filename):
|
2013-09-17 05:24:40 -05:00
|
|
|
if host.transport.file_exists(filename):
|
2013-06-05 11:30:39 -05:00
|
|
|
backupname = os.path.join(host.config.test_dir, 'file_backup',
|
|
|
|
filename.lstrip('/'))
|
2013-09-17 05:24:40 -05:00
|
|
|
host.transport.mkdir_recursive(os.path.dirname(backupname))
|
2013-06-05 11:30:39 -05:00
|
|
|
host.run_command(['cp', '-af', filename, backupname])
|
|
|
|
return True
|
|
|
|
else:
|
|
|
|
rmname = os.path.join(host.config.test_dir, 'file_remove')
|
|
|
|
host.run_command('echo %s >> %s' % (
|
|
|
|
ipautil.shell_quote(filename),
|
|
|
|
ipautil.shell_quote(rmname)))
|
|
|
|
contents = host.get_file_contents(rmname)
|
2013-09-17 05:24:40 -05:00
|
|
|
host.transport.mkdir_recursive(os.path.dirname(rmname))
|
2013-06-05 11:30:39 -05:00
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
|
def fix_etc_hosts(host):
|
2014-05-29 07:47:17 -05:00
|
|
|
backup_file(host, paths.HOSTS)
|
|
|
|
contents = host.get_file_contents(paths.HOSTS)
|
2013-06-05 11:30:39 -05:00
|
|
|
# Remove existing mentions of the host's FQDN, short name, and IP
|
2015-12-06 11:44:43 -06:00
|
|
|
# Removing of IP must be done as first, otherwise hosts file may be
|
|
|
|
# corrupted
|
|
|
|
contents = re.sub('^%s.*' % re.escape(host.ip), '', contents,
|
|
|
|
flags=re.MULTILINE)
|
2013-06-05 11:30:39 -05:00
|
|
|
contents = re.sub('\s%s(\s|$)' % re.escape(host.hostname), ' ', contents,
|
|
|
|
flags=re.MULTILINE)
|
|
|
|
contents = re.sub('\s%s(\s|$)' % re.escape(host.shortname), ' ', contents,
|
|
|
|
flags=re.MULTILINE)
|
|
|
|
# Add the host's info again
|
|
|
|
contents += '\n%s %s %s\n' % (host.ip, host.hostname, host.shortname)
|
2013-06-25 05:29:25 -05:00
|
|
|
log.debug('Writing the following to /etc/hosts:\n%s', contents)
|
2014-05-29 07:47:17 -05:00
|
|
|
host.put_file_contents(paths.HOSTS, contents)
|
2013-06-05 11:30:39 -05:00
|
|
|
|
|
|
|
|
|
|
|
def fix_hostname(host):
|
2014-05-29 07:47:17 -05:00
|
|
|
backup_file(host, paths.ETC_HOSTNAME)
|
|
|
|
host.put_file_contents(paths.ETC_HOSTNAME, host.hostname + '\n')
|
2013-06-05 11:30:39 -05:00
|
|
|
host.run_command(['hostname', host.hostname])
|
|
|
|
|
|
|
|
backupname = os.path.join(host.config.test_dir, 'backup_hostname')
|
|
|
|
host.run_command('hostname > %s' % ipautil.shell_quote(backupname))
|
|
|
|
|
|
|
|
|
2015-09-25 14:09:24 -05:00
|
|
|
def host_service_active(host, service):
|
|
|
|
res = host.run_command(['systemctl', 'is-active', '--quiet', service],
|
|
|
|
raiseonerr=False)
|
|
|
|
|
|
|
|
if res.returncode == 0:
|
|
|
|
return True
|
|
|
|
else:
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
|
def modify_nm_resolv_conf_settings(host):
|
|
|
|
if not host_service_active(host, 'NetworkManager'):
|
|
|
|
return
|
|
|
|
|
|
|
|
config = "[main]\ndns=none\n"
|
|
|
|
path = os.path.join(paths.NETWORK_MANAGER_CONFIG_DIR, IPATEST_NM_CONFIG)
|
|
|
|
|
|
|
|
host.put_file_contents(path, config)
|
|
|
|
host.run_command(['systemctl', 'restart', 'NetworkManager'],
|
|
|
|
raiseonerr=False)
|
|
|
|
|
|
|
|
|
|
|
|
def undo_nm_resolv_conf_settings(host):
|
|
|
|
if not host_service_active(host, 'NetworkManager'):
|
|
|
|
return
|
|
|
|
|
|
|
|
path = os.path.join(paths.NETWORK_MANAGER_CONFIG_DIR, IPATEST_NM_CONFIG)
|
|
|
|
host.run_command(['rm', '-f', path], raiseonerr=False)
|
|
|
|
host.run_command(['systemctl', 'restart', 'NetworkManager'],
|
|
|
|
raiseonerr=False)
|
|
|
|
|
|
|
|
|
2013-06-05 11:30:39 -05:00
|
|
|
def fix_resolv_conf(host):
|
2014-05-29 07:47:17 -05:00
|
|
|
backup_file(host, paths.RESOLV_CONF)
|
|
|
|
lines = host.get_file_contents(paths.RESOLV_CONF).splitlines()
|
2013-06-05 11:30:39 -05:00
|
|
|
lines = ['#' + l if l.startswith('nameserver') else l for l in lines]
|
|
|
|
for other_host in host.domain.hosts:
|
|
|
|
if other_host.role in ('master', 'replica'):
|
|
|
|
lines.append('nameserver %s' % other_host.ip)
|
|
|
|
contents = '\n'.join(lines)
|
2013-06-25 05:29:25 -05:00
|
|
|
log.debug('Writing the following to /etc/resolv.conf:\n%s', contents)
|
2014-05-29 07:47:17 -05:00
|
|
|
host.put_file_contents(paths.RESOLV_CONF, contents)
|
2013-06-05 11:30:39 -05:00
|
|
|
|
|
|
|
|
2014-04-07 05:40:52 -05:00
|
|
|
def fix_apache_semaphores(master):
|
2014-05-29 07:47:17 -05:00
|
|
|
systemd_available = master.transport.file_exists(paths.SYSTEMCTL)
|
2014-04-07 05:40:52 -05:00
|
|
|
|
|
|
|
if systemd_available:
|
|
|
|
master.run_command(['systemctl', 'stop', 'httpd'], raiseonerr=False)
|
|
|
|
else:
|
2015-08-27 12:19:28 -05:00
|
|
|
master.run_command([paths.SBIN_SERVICE, 'httpd', 'stop'],
|
|
|
|
raiseonerr=False)
|
2014-04-07 05:40:52 -05:00
|
|
|
|
|
|
|
master.run_command('for line in `ipcs -s | grep apache | cut -d " " -f 2`; '
|
|
|
|
'do ipcrm -s $line; done', raiseonerr=False)
|
|
|
|
|
|
|
|
|
2013-06-05 11:30:39 -05:00
|
|
|
def unapply_fixes(host):
|
|
|
|
restore_files(host)
|
|
|
|
restore_hostname(host)
|
2015-09-25 14:09:24 -05:00
|
|
|
undo_nm_resolv_conf_settings(host)
|
2013-06-05 11:30:39 -05:00
|
|
|
|
2013-06-27 03:44:02 -05:00
|
|
|
# Clean up the test directory
|
|
|
|
host.run_command(['rm', '-rvf', host.config.test_dir])
|
|
|
|
|
2013-06-05 11:30:39 -05:00
|
|
|
|
|
|
|
def restore_files(host):
|
|
|
|
backupname = os.path.join(host.config.test_dir, 'file_backup')
|
|
|
|
rmname = os.path.join(host.config.test_dir, 'file_remove')
|
2013-10-30 06:22:56 -05:00
|
|
|
|
2014-01-22 08:11:04 -06:00
|
|
|
# Prepare command for restoring context of the backed-up files
|
2013-10-30 06:22:56 -05:00
|
|
|
sed_remove_backupdir = 's/%s//g' % backupname.replace('/', '\/')
|
2014-01-22 08:11:04 -06:00
|
|
|
restorecon_command = (
|
|
|
|
"find %s | "
|
|
|
|
"sed '%s' | "
|
|
|
|
"sed '/^$/d' | "
|
|
|
|
"xargs -d '\n' "
|
|
|
|
"/sbin/restorecon -v" % (backupname, sed_remove_backupdir))
|
|
|
|
|
|
|
|
# Prepare command for actual restoring of the backed up files
|
2014-03-20 05:45:13 -05:00
|
|
|
copyfiles_command = 'if [ -d %(dir)s/ ]; then cp -arvf %(dir)s/* /; fi' % {
|
|
|
|
'dir': ipautil.shell_quote(backupname)}
|
2014-01-22 08:11:04 -06:00
|
|
|
|
|
|
|
# Run both commands in one session. For more information, see:
|
|
|
|
# https://fedorahosted.org/freeipa/ticket/4133
|
2014-02-19 09:31:12 -06:00
|
|
|
host.run_command('%s ; (%s ||:)' % (copyfiles_command, restorecon_command))
|
2013-10-30 06:22:56 -05:00
|
|
|
|
|
|
|
# Remove all the files that did not exist and were 'backed up'
|
2013-06-05 11:30:39 -05:00
|
|
|
host.run_command(['xargs', '-d', r'\n', '-a', rmname, 'rm', '-vf'],
|
|
|
|
raiseonerr=False)
|
|
|
|
host.run_command(['rm', '-rvf', backupname, rmname], raiseonerr=False)
|
|
|
|
|
|
|
|
|
|
|
|
def restore_hostname(host):
|
|
|
|
backupname = os.path.join(host.config.test_dir, 'backup_hostname')
|
|
|
|
try:
|
|
|
|
hostname = host.get_file_contents(backupname)
|
|
|
|
except IOError:
|
2013-06-25 05:29:25 -05:00
|
|
|
log.debug('No hostname backed up on %s' % host.hostname)
|
2013-06-05 11:30:39 -05:00
|
|
|
else:
|
|
|
|
host.run_command(['hostname', hostname.strip()])
|
|
|
|
host.run_command(['rm', backupname])
|
|
|
|
|
|
|
|
|
2013-05-28 06:31:37 -05:00
|
|
|
def enable_replication_debugging(host):
|
|
|
|
log.info('Enable LDAP replication logging')
|
|
|
|
logging_ldif = textwrap.dedent("""
|
|
|
|
dn: cn=config
|
|
|
|
changetype: modify
|
|
|
|
replace: nsslapd-errorlog-level
|
|
|
|
nsslapd-errorlog-level: 8192
|
|
|
|
""")
|
|
|
|
host.run_command(['ldapmodify', '-x',
|
|
|
|
'-D', str(host.config.dirman_dn),
|
|
|
|
'-w', host.config.dirman_password],
|
|
|
|
stdin_text=logging_ldif)
|
|
|
|
|
|
|
|
|
2015-10-06 13:28:18 -05:00
|
|
|
def install_master(host, setup_dns=True, setup_kra=False):
|
2014-05-29 07:47:17 -05:00
|
|
|
host.collect_log(paths.IPASERVER_INSTALL_LOG)
|
|
|
|
host.collect_log(paths.IPACLIENT_INSTALL_LOG)
|
2013-06-27 03:40:39 -05:00
|
|
|
inst = host.domain.realm.replace('.', '-')
|
2014-05-29 07:47:17 -05:00
|
|
|
host.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
|
|
|
|
host.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)
|
2013-05-28 06:31:37 -05:00
|
|
|
|
2016-01-14 07:59:37 -06:00
|
|
|
apply_common_fixes(host, fix_resolv=False)
|
2014-04-07 05:40:52 -05:00
|
|
|
fix_apache_semaphores(host)
|
2013-06-05 11:30:39 -05:00
|
|
|
|
2014-10-23 08:06:34 -05:00
|
|
|
args = [
|
|
|
|
'ipa-server-install', '-U',
|
2015-12-17 09:25:46 -06:00
|
|
|
'-n', host.domain.name,
|
|
|
|
'-r', host.domain.realm,
|
2014-10-23 08:06:34 -05:00
|
|
|
'-p', host.config.dirman_password,
|
2015-11-02 04:51:34 -06:00
|
|
|
'-a', host.config.admin_password,
|
|
|
|
"--domain-level=%i" % host.config.domain_level
|
2014-10-23 08:06:34 -05:00
|
|
|
]
|
2013-05-28 06:31:37 -05:00
|
|
|
|
2014-10-23 08:06:34 -05:00
|
|
|
if setup_dns:
|
|
|
|
args.extend([
|
|
|
|
'--setup-dns',
|
2015-12-21 04:22:06 -06:00
|
|
|
'--forwarder', host.config.dns_forwarder,
|
|
|
|
'--auto-reverse'
|
2014-10-23 08:06:34 -05:00
|
|
|
])
|
|
|
|
|
|
|
|
host.run_command(args)
|
2013-05-28 06:31:37 -05:00
|
|
|
enable_replication_debugging(host)
|
2014-04-09 06:38:07 -05:00
|
|
|
setup_sssd_debugging(host)
|
2013-05-28 06:31:37 -05:00
|
|
|
|
2015-10-06 13:28:18 -05:00
|
|
|
if setup_kra:
|
|
|
|
args = [
|
|
|
|
"ipa-kra-install",
|
|
|
|
"-p", host.config.dirman_password,
|
|
|
|
"-U",
|
|
|
|
]
|
|
|
|
host.run_command(args)
|
|
|
|
|
2013-06-27 03:44:02 -05:00
|
|
|
kinit_admin(host)
|
2013-05-28 06:31:37 -05:00
|
|
|
|
2013-07-16 06:23:59 -05:00
|
|
|
|
2015-10-06 13:28:18 -05:00
|
|
|
def get_replica_filename(replica):
|
|
|
|
return os.path.join(replica.config.test_dir, 'replica-info.gpg')
|
|
|
|
|
|
|
|
|
2015-11-02 04:51:34 -06:00
|
|
|
def domainlevel(host):
|
|
|
|
# Dynamically determines the domainlevel on master. Needed for scenarios
|
|
|
|
# when domainlevel is changed during the test execution.
|
|
|
|
result = host.run_command(['ipa', 'domainlevel-get'], raiseonerr=False)
|
|
|
|
level = 0
|
|
|
|
domlevel_re = re.compile('.*(\d)')
|
|
|
|
if result.returncode == 0:
|
|
|
|
# "domainlevel-get" command doesn't exist on ipa versions prior to 4.3
|
|
|
|
level = int(domlevel_re.findall(result.stdout_text)[0])
|
|
|
|
return level
|
|
|
|
|
2016-02-01 03:49:33 -06:00
|
|
|
def master_authoritative_for_client_domain(master, client):
|
|
|
|
zone = ".".join(client.hostname.split('.')[1:])
|
|
|
|
result = master.run_command(["ipa", "dnszone-show", zone],
|
|
|
|
raiseonerr=False)
|
|
|
|
if result.returncode == 0:
|
|
|
|
return True
|
|
|
|
else:
|
|
|
|
return False
|
|
|
|
|
2015-11-02 04:51:34 -06:00
|
|
|
|
2015-10-13 06:38:29 -05:00
|
|
|
def replica_prepare(master, replica):
|
2013-06-05 11:30:39 -05:00
|
|
|
apply_common_fixes(replica)
|
2014-04-07 05:40:52 -05:00
|
|
|
fix_apache_semaphores(replica)
|
2015-09-30 05:17:53 -05:00
|
|
|
prepare_reverse_zone(master, replica.ip)
|
2016-02-01 03:49:33 -06:00
|
|
|
args = ['ipa-replica-prepare',
|
|
|
|
'-p', replica.config.dirman_password,
|
|
|
|
replica.hostname]
|
|
|
|
if master_authoritative_for_client_domain(master, replica):
|
|
|
|
args.extend(['--ip-address', replica.ip])
|
|
|
|
master.run_command(args)
|
2013-05-28 06:31:37 -05:00
|
|
|
replica_bundle = master.get_file_contents(
|
2014-06-25 09:12:19 -05:00
|
|
|
paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
|
2015-10-06 13:28:18 -05:00
|
|
|
replica_filename = get_replica_filename(replica)
|
2013-05-28 06:31:37 -05:00
|
|
|
replica.put_file_contents(replica_filename, replica_bundle)
|
2015-10-13 06:38:29 -05:00
|
|
|
|
|
|
|
|
|
|
|
def install_replica(master, replica, setup_ca=True, setup_dns=False,
|
|
|
|
setup_kra=False):
|
|
|
|
replica.collect_log(paths.IPAREPLICA_INSTALL_LOG)
|
|
|
|
replica.collect_log(paths.IPAREPLICA_CONNCHECK_LOG)
|
2015-11-02 04:51:34 -06:00
|
|
|
allow_sync_ptr(master)
|
|
|
|
# Otherwise ipa-client-install would not create a PTR
|
|
|
|
# and replica installation would fail
|
2015-09-30 05:17:53 -05:00
|
|
|
args = ['ipa-replica-install', '-U',
|
2013-07-16 06:23:59 -05:00
|
|
|
'-p', replica.config.dirman_password,
|
2016-02-01 03:49:33 -06:00
|
|
|
'-w', replica.config.admin_password]
|
2013-07-16 06:23:59 -05:00
|
|
|
if setup_ca:
|
|
|
|
args.append('--setup-ca')
|
2014-10-23 08:06:34 -05:00
|
|
|
if setup_dns:
|
|
|
|
args.extend([
|
|
|
|
'--setup-dns',
|
|
|
|
'--forwarder', replica.config.dns_forwarder
|
|
|
|
])
|
2016-02-01 03:49:33 -06:00
|
|
|
if master_authoritative_for_client_domain(master, replica):
|
|
|
|
args.extend(['--ip-address', replica.ip])
|
2015-12-04 11:24:31 -06:00
|
|
|
if domainlevel(master) == DOMAIN_LEVEL_0:
|
2015-11-02 04:51:34 -06:00
|
|
|
# prepare the replica file on master and put it to replica, AKA "old way"
|
|
|
|
replica_prepare(master, replica)
|
|
|
|
replica_filename = get_replica_filename(replica)
|
|
|
|
args.append(replica_filename)
|
|
|
|
else:
|
|
|
|
# install client on a replica machine and then promote it to replica
|
|
|
|
install_client(master, replica)
|
|
|
|
fix_apache_semaphores(replica)
|
2013-05-28 06:31:37 -05:00
|
|
|
|
2015-11-02 04:51:34 -06:00
|
|
|
replica.run_command(args)
|
2013-05-28 06:31:37 -05:00
|
|
|
enable_replication_debugging(replica)
|
2014-04-09 06:38:07 -05:00
|
|
|
setup_sssd_debugging(replica)
|
2013-05-28 06:31:37 -05:00
|
|
|
|
2015-10-06 13:28:18 -05:00
|
|
|
if setup_kra:
|
|
|
|
assert setup_ca, "CA must be installed on replica with KRA"
|
|
|
|
args = [
|
|
|
|
"ipa-kra-install",
|
|
|
|
"-p", replica.config.dirman_password,
|
|
|
|
"-U",
|
|
|
|
]
|
2015-12-04 11:24:31 -06:00
|
|
|
if domainlevel(master) == DOMAIN_LEVEL_0:
|
2015-11-16 08:58:46 -06:00
|
|
|
args.append(replica_filename)
|
2015-10-06 13:28:18 -05:00
|
|
|
replica.run_command(args)
|
|
|
|
|
2013-06-27 03:44:02 -05:00
|
|
|
kinit_admin(replica)
|
2013-06-11 19:22:19 -05:00
|
|
|
|
2013-09-04 09:29:06 -05:00
|
|
|
|
2014-04-07 06:36:10 -05:00
|
|
|
def install_client(master, client, extra_args=()):
|
2014-05-29 07:47:17 -05:00
|
|
|
client.collect_log(paths.IPACLIENT_INSTALL_LOG)
|
2013-05-28 06:31:37 -05:00
|
|
|
|
2013-06-27 03:44:02 -05:00
|
|
|
apply_common_fixes(client)
|
2016-02-01 03:49:33 -06:00
|
|
|
allow_sync_ptr(master)
|
|
|
|
# Now, for the situations where a client resides in a different subnet from
|
|
|
|
# master, we need to explicitly tell master to create a reverse zone for
|
|
|
|
# the client and enable dynamic updates for this zone.
|
|
|
|
zone, error = prepare_reverse_zone(master, client.ip)
|
|
|
|
if not error:
|
|
|
|
master.run_command(["ipa", "dnszone-mod", zone,
|
|
|
|
"--dynamic-update=TRUE"])
|
2013-06-27 03:44:02 -05:00
|
|
|
|
|
|
|
client.run_command(['ipa-client-install', '-U',
|
|
|
|
'--domain', client.domain.name,
|
|
|
|
'--realm', client.domain.realm,
|
|
|
|
'-p', client.config.admin_name,
|
|
|
|
'-w', client.config.admin_password,
|
2014-04-07 06:36:10 -05:00
|
|
|
'--server', master.hostname]
|
2015-08-27 12:19:28 -05:00
|
|
|
+ list(extra_args))
|
2013-06-27 03:44:02 -05:00
|
|
|
|
2014-04-09 06:38:07 -05:00
|
|
|
setup_sssd_debugging(client)
|
2013-06-27 03:44:02 -05:00
|
|
|
kinit_admin(client)
|
|
|
|
|
|
|
|
|
2013-09-04 09:29:06 -05:00
|
|
|
def install_adtrust(host):
|
|
|
|
"""
|
|
|
|
Runs ipa-adtrust-install on the client and generates SIDs for the entries.
|
|
|
|
Configures the compat tree for the legacy clients.
|
|
|
|
"""
|
|
|
|
|
|
|
|
# ipa-adtrust-install appends to ipaserver-install.log
|
2014-05-29 07:47:17 -05:00
|
|
|
host.collect_log(paths.IPASERVER_INSTALL_LOG)
|
2013-09-04 09:29:06 -05:00
|
|
|
|
|
|
|
inst = host.domain.realm.replace('.', '-')
|
2014-05-29 07:47:17 -05:00
|
|
|
host.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
|
|
|
|
host.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)
|
2013-09-04 09:29:06 -05:00
|
|
|
|
|
|
|
kinit_admin(host)
|
|
|
|
host.run_command(['ipa-adtrust-install', '-U',
|
|
|
|
'--enable-compat',
|
|
|
|
'--netbios-name', host.netbios,
|
|
|
|
'-a', host.config.admin_password,
|
|
|
|
'--add-sids'])
|
|
|
|
|
|
|
|
# Restart named because it lost connection to dirsrv
|
|
|
|
# (Directory server restarts during the ipa-adtrust-install)
|
2014-11-04 05:29:32 -06:00
|
|
|
# we use two services named and named-pkcs11,
|
|
|
|
# if named is masked restart named-pkcs11
|
|
|
|
result = host.run_command(['systemctl', 'is-enabled', 'named'],
|
|
|
|
raiseonerr=False)
|
|
|
|
if result.stdout_text.startswith("masked"):
|
|
|
|
host.run_command(['systemctl', 'restart', 'named-pkcs11'])
|
|
|
|
else:
|
|
|
|
host.run_command(['systemctl', 'restart', 'named'])
|
|
|
|
|
2013-09-04 09:29:06 -05:00
|
|
|
# Check that named is running and has loaded the information from LDAP
|
|
|
|
dig_command = ['dig', 'SRV', '+short', '@localhost',
|
2015-08-27 12:19:28 -05:00
|
|
|
'_ldap._tcp.%s' % host.domain.name]
|
2013-09-04 09:29:06 -05:00
|
|
|
dig_output = '0 100 389 %s.' % host.hostname
|
|
|
|
dig_test = lambda x: re.search(re.escape(dig_output), x)
|
|
|
|
|
|
|
|
util.run_repeatedly(host, dig_command, test=dig_test)
|
|
|
|
|
|
|
|
|
|
|
|
def configure_dns_for_trust(master, ad):
|
|
|
|
"""
|
|
|
|
This configures DNS on IPA master according to the relationship of the
|
|
|
|
IPA's and AD's domains.
|
|
|
|
"""
|
|
|
|
|
|
|
|
def is_subdomain(subdomain, domain):
|
|
|
|
subdomain_unpacked = subdomain.split('.')
|
|
|
|
domain_unpacked = domain.split('.')
|
|
|
|
|
|
|
|
subdomain_unpacked.reverse()
|
|
|
|
domain_unpacked.reverse()
|
|
|
|
|
|
|
|
subdomain = False
|
|
|
|
|
|
|
|
if len(subdomain_unpacked) > len(domain_unpacked):
|
|
|
|
subdomain = True
|
|
|
|
|
|
|
|
for subdomain_segment, domain_segment in zip(subdomain_unpacked,
|
|
|
|
domain_unpacked):
|
|
|
|
subdomain = subdomain and subdomain_segment == domain_segment
|
|
|
|
|
|
|
|
return subdomain
|
|
|
|
|
|
|
|
kinit_admin(master)
|
|
|
|
|
2014-06-26 06:00:32 -05:00
|
|
|
if is_subdomain(ad.domain.name, master.domain.name):
|
2013-09-04 09:29:06 -05:00
|
|
|
master.run_command(['ipa', 'dnsrecord-add', master.domain.name,
|
|
|
|
'%s.%s' % (ad.shortname, ad.netbios),
|
|
|
|
'--a-ip-address', ad.ip])
|
|
|
|
|
|
|
|
master.run_command(['ipa', 'dnsrecord-add', master.domain.name,
|
|
|
|
ad.netbios,
|
|
|
|
'--ns-hostname',
|
|
|
|
'%s.%s' % (ad.shortname, ad.netbios)])
|
|
|
|
|
|
|
|
master.run_command(['ipa', 'dnszone-mod', master.domain.name,
|
|
|
|
'--allow-transfer', ad.ip])
|
|
|
|
else:
|
2014-06-26 06:00:32 -05:00
|
|
|
master.run_command(['ipa', 'dnsforwardzone-add', ad.domain.name,
|
2013-09-04 09:29:06 -05:00
|
|
|
'--forwarder', ad.ip,
|
|
|
|
'--forward-policy', 'only',
|
2014-06-26 06:00:32 -05:00
|
|
|
])
|
2013-09-04 09:29:06 -05:00
|
|
|
|
|
|
|
|
|
|
|
def establish_trust_with_ad(master, ad, extra_args=()):
|
|
|
|
"""
|
|
|
|
Establishes trust with Active Directory. Trust type is detected depending
|
|
|
|
on the presence of SfU (Services for Unix) support on the AD.
|
|
|
|
|
|
|
|
Use extra arguments to pass extra arguments to the trust-add command, such
|
|
|
|
as --range-type="ipa-ad-trust" to enfroce a particular range type.
|
|
|
|
"""
|
|
|
|
|
|
|
|
# Force KDC to reload MS-PAC info by trying to get TGT for HTTP
|
2014-05-29 07:47:17 -05:00
|
|
|
master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
|
2013-09-04 09:29:06 -05:00
|
|
|
'HTTP/%s' % master.hostname])
|
|
|
|
master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
|
|
|
|
master.run_command(['kdestroy', '-A'])
|
|
|
|
|
|
|
|
kinit_admin(master)
|
|
|
|
master.run_command(['klist'])
|
|
|
|
master.run_command(['smbcontrol', 'all', 'debug', '100'])
|
|
|
|
util.run_repeatedly(master,
|
|
|
|
['ipa', 'trust-add',
|
2015-08-27 12:19:28 -05:00
|
|
|
'--type', 'ad', ad.domain.name,
|
|
|
|
'--admin', 'Administrator',
|
|
|
|
'--password'] + list(extra_args),
|
2013-09-04 09:29:06 -05:00
|
|
|
stdin_text=master.config.ad_admin_password)
|
|
|
|
master.run_command(['smbcontrol', 'all', 'debug', '1'])
|
|
|
|
clear_sssd_cache(master)
|
|
|
|
|
|
|
|
|
|
|
|
def remove_trust_with_ad(master, ad):
|
|
|
|
"""
|
|
|
|
Removes trust with Active Directory. Also removes the associated ID range.
|
|
|
|
"""
|
|
|
|
|
|
|
|
kinit_admin(master)
|
|
|
|
|
|
|
|
# Remove the trust
|
|
|
|
master.run_command(['ipa', 'trust-del', ad.domain.name])
|
|
|
|
|
|
|
|
# Remove the range
|
|
|
|
range_name = ad.domain.name.upper() + '_id_range'
|
|
|
|
master.run_command(['ipa', 'idrange-del', range_name])
|
|
|
|
|
|
|
|
|
|
|
|
def configure_auth_to_local_rule(master, ad):
|
|
|
|
"""
|
|
|
|
Configures auth_to_local rule in /etc/krb5.conf
|
|
|
|
"""
|
|
|
|
|
|
|
|
section_identifier = " %s = {" % master.domain.realm
|
|
|
|
line1 = (" auth_to_local = RULE:[1:$1@$0](^.*@%s$)s/@%s/@%s/"
|
|
|
|
% (ad.domain.realm, ad.domain.realm, ad.domain.name))
|
|
|
|
line2 = " auth_to_local = DEFAULT"
|
|
|
|
|
2014-05-29 07:47:17 -05:00
|
|
|
krb5_conf_content = master.get_file_contents(paths.KRB5_CONF)
|
2013-09-04 09:29:06 -05:00
|
|
|
krb5_lines = [line.rstrip() for line in krb5_conf_content.split('\n')]
|
|
|
|
realm_section_index = krb5_lines.index(section_identifier)
|
|
|
|
|
|
|
|
krb5_lines.insert(realm_section_index + 1, line1)
|
|
|
|
krb5_lines.insert(realm_section_index + 2, line2)
|
|
|
|
|
|
|
|
krb5_conf_new_content = '\n'.join(krb5_lines)
|
2014-05-29 07:47:17 -05:00
|
|
|
master.put_file_contents(paths.KRB5_CONF, krb5_conf_new_content)
|
2013-09-04 09:29:06 -05:00
|
|
|
|
|
|
|
master.run_command(['systemctl', 'restart', 'sssd'])
|
|
|
|
|
|
|
|
|
2014-04-09 06:38:07 -05:00
|
|
|
def setup_sssd_debugging(host):
|
|
|
|
"""
|
|
|
|
Sets debug level to 7 in each section of sssd.conf file.
|
|
|
|
"""
|
|
|
|
|
|
|
|
# Set debug level in each section of sssd.conf file to 7
|
|
|
|
# First, remove any previous occurences
|
|
|
|
host.run_command(['sed', '-i',
|
|
|
|
'/debug_level = 7/d',
|
2015-08-27 12:19:28 -05:00
|
|
|
paths.SSSD_CONF],
|
|
|
|
raiseonerr=False)
|
2014-04-09 06:38:07 -05:00
|
|
|
|
|
|
|
# Add the debug directive to each section
|
|
|
|
host.run_command(['sed', '-i',
|
|
|
|
'/\[*\]/ a\debug_level = 7',
|
2015-08-27 12:19:28 -05:00
|
|
|
paths.SSSD_CONF],
|
|
|
|
raiseonerr=False)
|
2014-04-09 06:38:07 -05:00
|
|
|
|
|
|
|
host.collect_log('/var/log/sssd/*')
|
|
|
|
|
|
|
|
# Clear the cache and restart SSSD
|
|
|
|
clear_sssd_cache(host)
|
|
|
|
|
|
|
|
|
2013-09-04 09:29:06 -05:00
|
|
|
def clear_sssd_cache(host):
|
|
|
|
"""
|
|
|
|
Clears SSSD cache by removing the cache files. Restarts SSSD.
|
|
|
|
"""
|
|
|
|
|
2014-05-29 07:47:17 -05:00
|
|
|
systemd_available = host.transport.file_exists(paths.SYSTEMCTL)
|
2013-10-30 04:07:22 -05:00
|
|
|
|
|
|
|
if systemd_available:
|
2014-02-05 05:07:26 -06:00
|
|
|
host.run_command(['systemctl', 'stop', 'sssd'])
|
2013-10-30 04:07:22 -05:00
|
|
|
else:
|
2014-05-29 07:47:17 -05:00
|
|
|
host.run_command([paths.SBIN_SERVICE, 'sssd', 'stop'])
|
2013-10-30 04:07:22 -05:00
|
|
|
|
|
|
|
host.run_command("find /var/lib/sss/db -name '*.ldb' | "
|
|
|
|
"xargs rm -fv")
|
2014-05-29 07:47:17 -05:00
|
|
|
host.run_command(['rm', '-fv', paths.SSSD_MC_GROUP])
|
|
|
|
host.run_command(['rm', '-fv', paths.SSSD_MC_PASSWD])
|
2013-10-30 04:07:22 -05:00
|
|
|
|
|
|
|
if systemd_available:
|
|
|
|
host.run_command(['systemctl', 'start', 'sssd'])
|
|
|
|
else:
|
2014-05-29 07:47:17 -05:00
|
|
|
host.run_command([paths.SBIN_SERVICE, 'sssd', 'start'])
|
2013-09-04 09:29:06 -05:00
|
|
|
|
2014-04-03 05:11:21 -05:00
|
|
|
# To avoid false negatives due to SSSD not responding yet
|
2014-04-08 06:14:13 -05:00
|
|
|
time.sleep(10)
|
2014-04-03 05:11:21 -05:00
|
|
|
|
2013-09-04 09:29:06 -05:00
|
|
|
|
|
|
|
def sync_time(host, server):
|
|
|
|
"""
|
|
|
|
Syncs the time with the remote server. Please note that this function
|
|
|
|
leaves ntpd stopped.
|
|
|
|
"""
|
|
|
|
|
2014-01-20 02:41:32 -06:00
|
|
|
host.run_command(['systemctl', 'stop', 'ntpd'])
|
|
|
|
host.run_command(['ntpdate', server.hostname])
|
2013-09-04 09:29:06 -05:00
|
|
|
|
|
|
|
|
2016-02-01 04:34:11 -06:00
|
|
|
def connect_replica(master, replica, domain_level=None):
|
|
|
|
if domain_level is None:
|
|
|
|
domain_level = master.config.domain_level
|
|
|
|
if domain_level == DOMAIN_LEVEL_0:
|
|
|
|
replica.run_command(['ipa-replica-manage', 'connect', master.hostname])
|
|
|
|
else:
|
|
|
|
kinit_admin(master)
|
|
|
|
master.run_command(["ipa", "topologysegment-add", DOMAIN_SUFFIX_NAME,
|
|
|
|
"%s-to-%s" % (master.hostname, replica.hostname),
|
|
|
|
"--leftnode=%s" % master.hostname,
|
|
|
|
"--rightnode=%s" % replica.hostname
|
|
|
|
])
|
2013-06-27 03:44:02 -05:00
|
|
|
|
|
|
|
|
2016-02-01 04:34:11 -06:00
|
|
|
def disconnect_replica(master, replica, domain_level=None):
|
|
|
|
if domain_level is None:
|
|
|
|
domain_level = master.config.domain_level
|
|
|
|
if domain_level == DOMAIN_LEVEL_0:
|
|
|
|
replica.run_command(['ipa-replica-manage', 'disconnect', master.hostname])
|
|
|
|
else:
|
|
|
|
kinit_admin(master)
|
|
|
|
master.run_command(["ipa", "topologysegment-del", DOMAIN_SUFFIX_NAME,
|
|
|
|
"%s-to-%s" % (master.hostname, replica.hostname),
|
|
|
|
"--continue"
|
|
|
|
])
|
2013-06-27 03:44:02 -05:00
|
|
|
|
|
|
|
|
|
|
|
def kinit_admin(host):
|
|
|
|
host.run_command(['kinit', 'admin'],
|
2015-08-27 12:19:28 -05:00
|
|
|
stdin_text=host.config.admin_password)
|
2013-06-05 11:30:39 -05:00
|
|
|
|
|
|
|
|
2015-12-04 11:24:31 -06:00
|
|
|
def uninstall_master(host, ignore_topology_disconnect=True):
|
2014-05-29 07:47:17 -05:00
|
|
|
host.collect_log(paths.IPASERVER_UNINSTALL_LOG)
|
2015-12-04 11:24:31 -06:00
|
|
|
uninstall_cmd = ['ipa-server-install', '--uninstall', '-U']
|
2013-06-05 11:30:39 -05:00
|
|
|
|
2015-12-04 11:24:31 -06:00
|
|
|
host_domain_level = domainlevel(host)
|
|
|
|
|
|
|
|
if ignore_topology_disconnect and host_domain_level != DOMAIN_LEVEL_0:
|
|
|
|
uninstall_cmd.append('--ignore-topology-disconnect')
|
|
|
|
|
|
|
|
host.run_command(uninstall_cmd, raiseonerr=False)
|
2014-04-02 05:26:12 -05:00
|
|
|
host.run_command(['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'],
|
|
|
|
raiseonerr=False)
|
|
|
|
host.run_command(['rm', '-rf',
|
2014-05-29 07:47:17 -05:00
|
|
|
paths.TOMCAT_TOPLEVEL_DIR,
|
|
|
|
paths.SYSCONFIG_PKI_TOMCAT,
|
|
|
|
paths.SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR,
|
|
|
|
paths.VAR_LIB_PKI_TOMCAT_DIR,
|
2015-08-27 12:19:28 -05:00
|
|
|
paths.PKI_TOMCAT,
|
|
|
|
paths.REPLICA_INFO_GPG_TEMPLATE % host.hostname],
|
|
|
|
raiseonerr=False)
|
2013-06-05 11:30:39 -05:00
|
|
|
unapply_fixes(host)
|
|
|
|
|
|
|
|
|
2013-06-27 03:40:39 -05:00
|
|
|
def uninstall_client(host):
|
2014-05-29 07:47:17 -05:00
|
|
|
host.collect_log(paths.IPACLIENT_UNINSTALL_LOG)
|
2013-06-05 11:30:39 -05:00
|
|
|
|
|
|
|
host.run_command(['ipa-client-install', '--uninstall', '-U'],
|
|
|
|
raiseonerr=False)
|
|
|
|
unapply_fixes(host)
|
2013-06-27 08:28:13 -05:00
|
|
|
|
|
|
|
|
2015-08-27 12:19:28 -05:00
|
|
|
@check_arguments_are((0, 2), Host)
|
|
|
|
def clean_replication_agreement(master, replica):
|
|
|
|
"""
|
|
|
|
Performs `ipa-replica-manage del replica_hostname --force`.
|
|
|
|
"""
|
|
|
|
master.run_command(['ipa-replica-manage',
|
|
|
|
'del',
|
|
|
|
replica.hostname,
|
|
|
|
'--force'])
|
|
|
|
|
|
|
|
|
|
|
|
@check_arguments_are((0, 3), Host)
|
|
|
|
def create_segment(master, leftnode, rightnode):
|
|
|
|
"""
|
|
|
|
creates a topology segment. The first argument is a node to run the command
|
|
|
|
:returns: a hash object containing segment's name, leftnode, rightnode
|
|
|
|
information and an error string.
|
|
|
|
"""
|
|
|
|
kinit_admin(master)
|
|
|
|
lefthost = leftnode.hostname
|
|
|
|
righthost = rightnode.hostname
|
|
|
|
segment_name = "%s-to-%s" % (lefthost, righthost)
|
2015-11-27 10:00:23 -06:00
|
|
|
result = master.run_command(["ipa", "topologysegment-add", DOMAIN_SUFFIX_NAME,
|
2015-08-27 12:19:28 -05:00
|
|
|
segment_name,
|
|
|
|
"--leftnode=%s" % lefthost,
|
|
|
|
"--rightnode=%s" % righthost], raiseonerr=False)
|
|
|
|
if result.returncode == 0:
|
|
|
|
return {'leftnode': lefthost,
|
|
|
|
'rightnode': righthost,
|
|
|
|
'name': segment_name}, ""
|
|
|
|
else:
|
|
|
|
return {}, result.stderr_text
|
|
|
|
|
|
|
|
|
|
|
|
def destroy_segment(master, segment_name):
|
|
|
|
"""
|
|
|
|
Destroys topology segment.
|
|
|
|
:param master: reference to master object of class Host
|
|
|
|
:param segment_name: name of the segment to be created
|
|
|
|
"""
|
|
|
|
assert isinstance(master, Host), "master should be an instance of Host"
|
|
|
|
kinit_admin(master)
|
|
|
|
command = ["ipa",
|
|
|
|
"topologysegment-del",
|
2015-11-27 10:00:23 -06:00
|
|
|
DOMAIN_SUFFIX_NAME,
|
2015-08-27 12:19:28 -05:00
|
|
|
segment_name]
|
|
|
|
result = master.run_command(command, raiseonerr=False)
|
|
|
|
return result.returncode, result.stderr_text
|
|
|
|
|
|
|
|
|
2013-06-27 08:28:13 -05:00
|
|
|
def get_topo(name_or_func):
|
|
|
|
"""Get a topology function by name
|
|
|
|
|
|
|
|
A topology function receives a master and list of replicas, and yields
|
|
|
|
(parent, child) pairs, where "child" should be installed from "parent"
|
|
|
|
(or just connected if already installed)
|
|
|
|
|
|
|
|
If a callable is given instead of name, it is returned directly
|
|
|
|
"""
|
|
|
|
if callable(name_or_func):
|
|
|
|
return name_or_func
|
|
|
|
return topologies[name_or_func]
|
|
|
|
|
|
|
|
|
|
|
|
def _topo(name):
|
|
|
|
"""Decorator that registers a function in topologies under a given name"""
|
|
|
|
def add_topo(func):
|
|
|
|
topologies[name] = func
|
|
|
|
return func
|
|
|
|
return add_topo
|
|
|
|
topologies = collections.OrderedDict()
|
|
|
|
|
|
|
|
|
|
|
|
@_topo('star')
|
|
|
|
def star_topo(master, replicas):
|
|
|
|
r"""All replicas are connected to the master
|
|
|
|
|
|
|
|
Rn R1 R2
|
|
|
|
\ | /
|
|
|
|
R7-- M -- R3
|
|
|
|
/ | \
|
|
|
|
R6 R5 R4
|
|
|
|
"""
|
|
|
|
for replica in replicas:
|
|
|
|
yield master, replica
|
|
|
|
|
|
|
|
|
|
|
|
@_topo('line')
|
|
|
|
def line_topo(master, replicas):
|
|
|
|
r"""Line topology
|
|
|
|
|
|
|
|
M
|
|
|
|
\
|
|
|
|
R1
|
|
|
|
\
|
|
|
|
R2
|
|
|
|
\
|
|
|
|
R3
|
|
|
|
\
|
|
|
|
...
|
|
|
|
"""
|
|
|
|
for replica in replicas:
|
|
|
|
yield master, replica
|
|
|
|
master = replica
|
|
|
|
|
|
|
|
|
|
|
|
@_topo('complete')
|
|
|
|
def complete_topo(master, replicas):
|
|
|
|
r"""Each host connected to each other host
|
|
|
|
|
|
|
|
M--R1
|
|
|
|
|\/|
|
|
|
|
|/\|
|
|
|
|
R2-R3
|
|
|
|
"""
|
|
|
|
for replica in replicas:
|
|
|
|
yield master, replica
|
|
|
|
for replica1, replica2 in itertools.combinations(replicas, 2):
|
|
|
|
yield replica1, replica2
|
|
|
|
|
|
|
|
|
|
|
|
@_topo('tree')
|
|
|
|
def tree_topo(master, replicas):
|
|
|
|
r"""Binary tree topology
|
|
|
|
|
|
|
|
M
|
|
|
|
/ \
|
|
|
|
/ \
|
|
|
|
R1 R2
|
|
|
|
/ \ / \
|
|
|
|
R3 R4 R5 R6
|
|
|
|
/
|
|
|
|
R7 ...
|
|
|
|
|
|
|
|
"""
|
|
|
|
replicas = list(replicas)
|
|
|
|
|
|
|
|
def _masters():
|
|
|
|
for host in [master] + replicas:
|
|
|
|
yield host
|
|
|
|
yield host
|
|
|
|
|
|
|
|
for parent, child in zip(_masters(), replicas):
|
|
|
|
yield parent, child
|
|
|
|
|
|
|
|
|
|
|
|
@_topo('tree2')
|
|
|
|
def tree2_topo(master, replicas):
|
|
|
|
r"""First replica connected directly to master, the rest in a line
|
|
|
|
|
|
|
|
M
|
|
|
|
/ \
|
|
|
|
R1 R2
|
|
|
|
\
|
|
|
|
R3
|
|
|
|
\
|
|
|
|
R4
|
|
|
|
\
|
|
|
|
...
|
|
|
|
|
|
|
|
"""
|
|
|
|
if replicas:
|
|
|
|
yield master, replicas[0]
|
|
|
|
for replica in replicas[1:]:
|
|
|
|
yield master, replica
|
|
|
|
master = replica
|
|
|
|
|
2016-02-18 02:52:55 -06:00
|
|
|
|
2016-02-09 08:45:45 -06:00
|
|
|
@_topo('2-connected')
|
|
|
|
def two_connected_topo(master, replicas):
|
|
|
|
r"""No replica has more than 4 agreements and at least two
|
|
|
|
replicas must fail to disconnect the topology.
|
|
|
|
|
|
|
|
. . . .
|
|
|
|
. . . .
|
|
|
|
. . . .
|
|
|
|
... R --- R R --- R ...
|
|
|
|
\ / \ / \ /
|
|
|
|
\ / \ / \ /
|
|
|
|
... R R R ...
|
|
|
|
\ / \ /
|
|
|
|
\ / \ /
|
|
|
|
M0 -- R2
|
|
|
|
| |
|
|
|
|
| |
|
|
|
|
R1 -- R3
|
|
|
|
. \ / .
|
|
|
|
. \ / .
|
|
|
|
. R .
|
|
|
|
. .
|
|
|
|
. .
|
|
|
|
. .
|
|
|
|
"""
|
|
|
|
grow = []
|
|
|
|
pool = [master] + replicas
|
|
|
|
|
|
|
|
try:
|
|
|
|
v0 = pool.pop(0)
|
|
|
|
v1 = pool.pop(0)
|
|
|
|
yield v0, v1
|
|
|
|
|
|
|
|
v2 = pool.pop(0)
|
|
|
|
yield v0, v2
|
2016-02-18 02:52:55 -06:00
|
|
|
grow.append((v0, v2))
|
2016-02-09 08:45:45 -06:00
|
|
|
|
|
|
|
v3 = pool.pop(0)
|
|
|
|
yield v2, v3
|
|
|
|
yield v1, v3
|
2016-02-18 02:52:55 -06:00
|
|
|
grow.append((v1, v3))
|
2016-02-09 08:45:45 -06:00
|
|
|
|
2016-02-18 02:52:55 -06:00
|
|
|
for (r, s) in grow:
|
2016-02-09 08:45:45 -06:00
|
|
|
t = pool.pop(0)
|
|
|
|
|
2016-02-18 02:52:55 -06:00
|
|
|
for (u, v) in [(r, t), (s, t)]:
|
2016-02-09 08:45:45 -06:00
|
|
|
yield u, v
|
|
|
|
w = pool.pop(0)
|
|
|
|
yield u, w
|
|
|
|
x = pool.pop(0)
|
|
|
|
yield v, x
|
|
|
|
yield w, x
|
2016-02-18 02:52:55 -06:00
|
|
|
grow.append((w, x))
|
2016-02-09 08:45:45 -06:00
|
|
|
|
|
|
|
except IndexError:
|
|
|
|
return
|
|
|
|
|
2013-06-27 08:28:13 -05:00
|
|
|
|
|
|
|
def install_topo(topo, master, replicas, clients,
|
|
|
|
skip_master=False, setup_replica_cas=True):
|
|
|
|
"""Install IPA servers and clients in the given topology"""
|
|
|
|
replicas = list(replicas)
|
|
|
|
installed = {master}
|
|
|
|
if not skip_master:
|
|
|
|
install_master(master)
|
2014-01-22 06:33:41 -06:00
|
|
|
|
|
|
|
add_a_records_for_hosts_in_master_domain(master)
|
|
|
|
|
2013-06-27 08:28:13 -05:00
|
|
|
for parent, child in get_topo(topo)(master, replicas):
|
|
|
|
if child in installed:
|
|
|
|
log.info('Connecting replica %s to %s' % (parent, child))
|
|
|
|
connect_replica(parent, child)
|
|
|
|
else:
|
|
|
|
log.info('Installing replica %s from %s' % (parent, child))
|
|
|
|
install_replica(parent, child, setup_ca=setup_replica_cas)
|
|
|
|
installed.add(child)
|
|
|
|
install_clients([master] + replicas, clients)
|
|
|
|
|
|
|
|
|
|
|
|
def install_clients(servers, clients):
|
|
|
|
"""Install IPA clients, distributing them among the given servers"""
|
|
|
|
for server, client in itertools.izip(itertools.cycle(servers), clients):
|
|
|
|
log.info('Installing client %s on %s' % (server, client))
|
|
|
|
install_client(server, client)
|
2013-07-17 07:28:05 -05:00
|
|
|
|
|
|
|
|
|
|
|
def _entries_to_ldif(entries):
|
|
|
|
"""Format LDAP entries as LDIF"""
|
|
|
|
lines = []
|
2015-09-14 07:52:48 -05:00
|
|
|
io = StringIO()
|
2013-07-17 07:28:05 -05:00
|
|
|
writer = LDIFWriter(io)
|
|
|
|
for entry in entries:
|
2013-11-01 09:17:46 -05:00
|
|
|
writer.unparse(str(entry.dn), dict(entry))
|
2013-07-17 07:28:05 -05:00
|
|
|
return io.getvalue()
|
|
|
|
|
|
|
|
|
|
|
|
def wait_for_replication(ldap, timeout=30):
|
|
|
|
"""Wait until updates on all replication agreements are done (or failed)
|
|
|
|
|
|
|
|
:param ldap: LDAP client
|
|
|
|
autenticated with necessary rights to read the mapping tree
|
|
|
|
:param timeout: Maximum time to wait, in seconds
|
|
|
|
|
|
|
|
Note that this waits for updates originating on this host, not those
|
|
|
|
coming from other hosts.
|
|
|
|
"""
|
|
|
|
log.debug('Waiting for replication to finish')
|
|
|
|
for i in range(timeout):
|
|
|
|
time.sleep(1)
|
|
|
|
status_attr = 'nsds5replicaLastUpdateStatus'
|
|
|
|
progress_attr = 'nsds5replicaUpdateInProgress'
|
|
|
|
entries = ldap.get_entries(
|
|
|
|
DN(('cn', 'mapping tree'), ('cn', 'config')),
|
|
|
|
filter='(objectclass=nsds5replicationagreement)',
|
|
|
|
attrs_list=[status_attr, progress_attr])
|
|
|
|
log.debug('Replication agreements: \n%s', _entries_to_ldif(entries))
|
2013-09-10 05:20:24 -05:00
|
|
|
if any(not e.single_value[status_attr].startswith('0 ')
|
2013-07-17 07:28:05 -05:00
|
|
|
for e in entries):
|
|
|
|
log.error('Replication error')
|
2013-09-04 06:44:57 -05:00
|
|
|
continue
|
2013-09-10 05:20:24 -05:00
|
|
|
if any(e.single_value[progress_attr] == 'TRUE' for e in entries):
|
2013-07-17 07:28:05 -05:00
|
|
|
log.debug('Replication in progress (waited %s/%ss)',
|
|
|
|
i, timeout)
|
|
|
|
else:
|
|
|
|
log.debug('Replication finished')
|
|
|
|
break
|
|
|
|
else:
|
|
|
|
log.error('Giving up wait for replication to finish')
|
2014-01-22 06:33:41 -06:00
|
|
|
|
|
|
|
|
|
|
|
def add_a_records_for_hosts_in_master_domain(master):
|
|
|
|
for host in master.domain.hosts:
|
|
|
|
# We don't need to take care of the zone creation since it is master
|
|
|
|
# domain
|
2016-01-06 09:18:17 -06:00
|
|
|
try:
|
|
|
|
verify_host_resolvable(host.hostname, log)
|
|
|
|
log.debug("The host (%s) is resolvable." % host.domain.name)
|
|
|
|
except errors.DNSNotARecordError:
|
|
|
|
log.debug("Hostname (%s) does not have A/AAAA record. Adding new one.",
|
|
|
|
master.hostname)
|
|
|
|
add_a_record(master, host)
|
2014-01-22 06:33:41 -06:00
|
|
|
|
|
|
|
|
|
|
|
def add_a_record(master, host):
|
|
|
|
# Find out if the record is already there
|
|
|
|
cmd = master.run_command(['ipa',
|
2015-11-02 09:02:35 -06:00
|
|
|
'dnsrecord-show',
|
2014-01-22 06:33:41 -06:00
|
|
|
master.domain.name,
|
2015-11-02 09:02:35 -06:00
|
|
|
host.hostname + "."],
|
2014-01-22 06:33:41 -06:00
|
|
|
raiseonerr=False)
|
|
|
|
|
|
|
|
# If not, add it
|
|
|
|
if cmd.returncode != 0:
|
|
|
|
master.run_command(['ipa',
|
|
|
|
'dnsrecord-add',
|
|
|
|
master.domain.name,
|
2015-11-02 09:02:35 -06:00
|
|
|
host.hostname + ".",
|
2014-01-22 06:33:41 -06:00
|
|
|
'--a-rec', host.ip])
|
2015-09-08 06:08:31 -05:00
|
|
|
|
|
|
|
|
|
|
|
def resolve_record(nameserver, query, rtype="SOA", retry=True, timeout=100):
|
|
|
|
"""Resolve DNS record
|
|
|
|
:retry: if resolution failed try again until timeout is reached
|
|
|
|
:timeout: max period of time while method will try to resolve query
|
|
|
|
(requires retry=True)
|
|
|
|
"""
|
|
|
|
res = dns.resolver.Resolver()
|
|
|
|
res.nameservers = [nameserver]
|
|
|
|
res.lifetime = 10 # wait max 10 seconds for reply
|
|
|
|
|
|
|
|
wait_until = time.time() + timeout
|
|
|
|
|
|
|
|
while time.time() < wait_until:
|
|
|
|
try:
|
|
|
|
ans = res.query(query, rtype)
|
|
|
|
return ans
|
|
|
|
except dns.exception.DNSException:
|
|
|
|
if not retry:
|
|
|
|
raise
|
|
|
|
time.sleep(1)
|
2015-12-04 10:12:05 -06:00
|
|
|
|
|
|
|
|
2016-01-07 01:50:53 -06:00
|
|
|
def ipa_backup(master):
|
|
|
|
result = master.run_command(["ipa-backup"])
|
|
|
|
path_re = re.compile("^Backed up to (?P<backup>.*)$", re.MULTILINE)
|
|
|
|
matched = path_re.search(result.stdout_text + result.stderr_text)
|
|
|
|
return matched.group("backup")
|
|
|
|
|
|
|
|
|
|
|
|
def ipa_restore(master, backup_path):
|
|
|
|
master.run_command(["ipa-restore", "-U",
|
|
|
|
"-p", master.config.dirman_password,
|
|
|
|
backup_path])
|
|
|
|
|
|
|
|
|
2015-12-04 10:12:05 -06:00
|
|
|
def install_kra(host, domain_level=None, first_instance=False, raiseonerr=True):
|
2016-01-07 01:50:53 -06:00
|
|
|
if domain_level is None:
|
|
|
|
domain_level = domainlevel(host)
|
2016-01-14 03:23:11 -06:00
|
|
|
command = ["ipa-kra-install", "-U", "-p", host.config.dirman_password]
|
2015-12-04 10:12:05 -06:00
|
|
|
if domain_level == DOMAIN_LEVEL_0 and not first_instance:
|
|
|
|
replica_file = get_replica_filename(host)
|
|
|
|
command.append(replica_file)
|
|
|
|
return host.run_command(command, raiseonerr=raiseonerr)
|
|
|
|
|
|
|
|
|
|
|
|
def install_ca(host, domain_level=None, first_instance=False, raiseonerr=True):
|
2016-01-07 01:50:53 -06:00
|
|
|
if domain_level is None:
|
|
|
|
domain_level = domainlevel(host)
|
2015-12-04 10:12:05 -06:00
|
|
|
command = ["ipa-ca-install", "-U", "-p", host.config.dirman_password,
|
|
|
|
"-P", 'admin', "-w", host.config.admin_password]
|
|
|
|
if domain_level == DOMAIN_LEVEL_0 and not first_instance:
|
|
|
|
replica_file = get_replica_filename(host)
|
|
|
|
command.append(replica_file)
|
|
|
|
return host.run_command(command, raiseonerr=raiseonerr)
|
|
|
|
|
|
|
|
|
|
|
|
def install_dns(host, raiseonerr=True):
|
|
|
|
args = [
|
|
|
|
"ipa-dns-install",
|
|
|
|
"--forwarder", host.config.dns_forwarder,
|
|
|
|
"-U",
|
|
|
|
]
|
|
|
|
return host.run_command(args, raiseonerr=raiseonerr)
|
2016-01-07 01:50:53 -06:00
|
|
|
|
|
|
|
|
|
|
|
def uninstall_replica(master, replica):
|
|
|
|
master.run_command(["ipa-replica-manage", "del", "--force",
|
|
|
|
"-p", master.config.dirman_password,
|
|
|
|
replica.hostname], raiseonerr=False)
|
|
|
|
uninstall_master(replica)
|