Connection check program for replica installation

When connection between a master machine and future replica is not sane, the replica installation may fail unexpectedly with inconvenient error messages. One common problem is misconfigured firewall. This patch adds a program ipa-replica-conncheck which tests the connection using the following procedure: 1) Execute the on-replica check testing the connection to master 2) Open required ports on local machine 3) Ask user to run the on-master part of the check OR run it automatically: a) kinit to master as default admin user with given password b) run the on-master part using ssh 4) When master part is executed, it checks connection back to the replica and prints the check result This program is run by ipa-replica-install as mandatory part. It can, however, be skipped using --skip-conncheck option. ipa-replica-install now requires password for admin user to run the command on remote master. https://fedorahosted.org/freeipa/ticket/1107
2025-02-25 18:55:28 -06:00 · 2011-05-22 19:17:07 +02:00
parent 8077b7ab93
commit 241ee334de
9 changed files with 583 additions and 0 deletions
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -38,6 +38,7 @@ from ipapython.config import IPAOptionParser
 from ipapython import sysrestore

 CACERT="/etc/ipa/ca.crt"
+REPLICA_INFO_TOP_DIR=None

 class ReplicaConfig:
    def __init__(self):
@@ -58,6 +59,8 @@ def parse_options():
                      default=False, help="gather extra debugging information")
    parser.add_option("-p", "--password", dest="password", sensitive=True,
                      help="Directory Manager (existing master) password")
+    parser.add_option("-w", "--admin-password", dest="admin_password", sensitive=True,
+                      help="Admin user Kerberos password used for connection check")
    parser.add_option("--setup-dns", dest="setup_dns", action="store_true",
                      default=False, help="configure bind with our zone")
    parser.add_option("--forwarder", dest="forwarders", action="append",
@@ -71,6 +74,8 @@ def parse_options():
                      help="Do not use DNS for hostname lookup during installation")
    parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
                      default=True, help="disables pkinit setup steps")
+    parser.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true",
+                      default=False, help="skip connection check to remote master")
    parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                      default=False, help="unattended installation never prompts the user")

@@ -388,6 +393,8 @@ def main():

    try:
        top_dir, dir = expand_info(filename, dirman_password)
+        global REPLICA_INFO_TOP_DIR
+        REPLICA_INFO_TOP_DIR = top_dir
    except Exception, e:
        print "ERROR: Failed to decrypt or open the replica file."
        print "Verify you entered the correct Directory Manager password."
@@ -408,6 +415,32 @@ def main():
            sys.exit(0)
    config.dir = dir

+
+    # check connection
+    if not options.skip_conncheck:
+        print "Run connection check to master"
+        args = ["/usr/sbin/ipa-replica-conncheck", "--master", config.master_host_name,
+                "--auto-master-check", "--realm", config.realm_name,
+                "--principal", "admin",
+                "--hostname", config.host_name]
+
+        if options.admin_password:
+            args.extend(["--password", options.admin_password])
+
+        cafile = config.dir + "/cacert.p12"
+        if ipautil.file_exists(cafile): # with CA
+            args.append('--check-ca')
+        logging.debug("Running ipa-replica-conncheck with following arguments: %s" %
+                " ".join(args))
+        (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False, capture_output=False)
+
+        if returncode != 0:
+            sys.exit("Connection check failed!" +
+                     "\nPlease fix your network settings according to error messages above." +
+                     "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.")
+        else:
+            print "Connection check OK"
+
    # Create the management framework config file
    # Note: We must do this before bootstraping and finalizing ipalib.api
    fd = open("/etc/ipa/default.conf", "w")
@@ -555,6 +588,13 @@ except Exception, e:
    logging.debug(message)
 except KeyboardInterrupt:
    print "Installation cancelled." 
+finally:
+    # always try to remove decrypted replica file
+    try:
+        if REPLICA_INFO_TOP_DIR:
+            shutil.rmtree(REPLICA_INFO_TOP_DIR)
+    except OSError:
+        pass

 print ""
 print "Your system may be partly configured."