Introduce ipa control script that reads configuration off ldap

This replace the former ipactl script, as well as replace the current way ipa components are started. Instead of enabling each service in the system init scripts, enable only the ipa script, and then let it start all components based on the configuration read from the LDAP tree. resolves: https://fedorahosted.org/freeipa/ticket/294
2025-02-25 18:55:28 -06:00 · 2010-12-04 15:42:14 -05:00 · 2010-12-04 15:42:14 -05:00 · 2efc08a6fc
commit 2efc08a6fc
parent ded15c72ff
10 changed files with 332 additions and 121 deletions
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -842,6 +842,10 @@ def main():
    except Exception, e:
        sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))
    #Everything installed properly, activate ipa service.
    service.chkconfig_on('ipa')
    print "=============================================================================="
    print "Setup complete"
    print ""
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@ -1,6 +1,7 @@
-#!/bin/sh
+#!/usr/bin/env python
 # Authors: Simo Sorce <ssorce@redhat.com>
 #
-# Copyright (C) 2008  Red Hat
+# Copyright (C) 2008-2010  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or
@ -16,108 +17,207 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
 #
 # IPA control to start/stop the various services required for IPA in the
 # proper order
 # 
-# Set IFS so we can do space-embedded lists of services
+import sys
-IFS=";"
+try:
    from ipaserver.install import service
    from ipapython import config
    from ipalib import api, errors
    import logging
    import ldap
    import socket
    import syslog
 except ImportError:
    print >> sys.stderr, """\
 There was a problem importing one of the required Python modules. The
 error was:
-# start and stop are basically a reverse of each other
+    %s
-services_stop="ipa_kpasswd;httpd;krb5kdc;dirsrv;ntpd;named;pki-cad pki-ca"
+""" % sys.exc_value
-services_start="dirsrv;ntpd;krb5kdc;named;ipa_kpasswd;httpd;pki-cad pki-ca"
+    sys.exit(1)
-function is_running() {
+def parse_options():
-    # $1 = service to check on
+    usage = "%prog start|stop|restart|status\n"
-    # $2 = optional instance to check on, for dirsrv and pki-cad
+    parser = config.IPAOptionParser(usage=usage,
                                    formatter=config.IPAFormatter())
-    # Returns
+    parser.add_option("-d", "--debug", action="store_true", dest="debug",
-    #  0 - running
+                      help="Display debugging information")
    #  1 - pid but dead service
    #  2 - dead but locked subsys
    #  3 - stopped
    #  4 - no such service
    if [ "$#" = 2 ] ; then
        /sbin/service $1 status $2 > /dev/null 2>&1
    else
        out=`/sbin/service $1 status 2>&1`
    fi
    case "$?" in
        0)
            return 0;;
        1)
            x=`echo $out | grep -c exists`
            if [ $x -eq 1 ] ; then
                return 1
            else
                return 4
            fi
            ;;
        2)
            return 2;;
        3)
            return 3;;
    esac
 }
-function start() {
+    options, args = parser.parse_args()
-    for service in $services_start ; do
+    safe_options = parser.get_safe_opts(options)
        is_running $service
        case "$?" in
            0)  # running
                ;;
            4)  # no such service
                ;;
            *)  # otherwise not running
                /sbin/service $service start
                ;;
        esac
    done
 }
-function stop() {
+    return safe_options, options, args
    for service in $services_stop ; do
        is_running $service
        case "$?" in
            0)  # running
                /sbin/service $service stop
                ;;
            *)  # otherwise not running or doesn't exist
                ;;
        esac
    done
 }
-function status() {
+def emit_err(err):
-    for service in $services_start ; do
+    syslog.syslog(syslog.LOG_ERR, err)
-        is_running $service
+    print err
        case "$?" in
            4)
                ;;
            *)
                /sbin/service $service status
                ;;
        esac
    done
 }
-case "$1" in
+def get_config():
-restart)
+    base = "cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (socket.gethostname(),
-    stop
+                                                  api.env.basedn)
-    start
+    srcfilter = '(ipaConfigString=enabledService)'
-    ;;
+    attrs = ['cn', 'ipaConfigString']
-start)
+
-    start
+    try:
-    ;;
+        con = ldap.initialize(api.env.ldap_uri)
-stop)
+        con.simple_bind()
-    stop
+        res = con.search_st(base,
-    ;;
+                            ldap.SCOPE_SUBTREE,
-status)
+                            filterstr=srcfilter,
-    status
+                            attrlist=attrs,
-    ;;
+                            timeout=10)
-*)
+    except e:
-    echo "Usage: ipactl {start|stop|restart|status}"
+        print "Error retrieving list of services %s" % e
-    exit 1
+        print "Is IPA installed ?"
-    ;;
+        return
-esac
+
    svc_list = []
    for entry in res:
        name = entry[1]['cn'][0]
        for p in entry[1]['ipaConfigString']:
            if p.startswith('startOrder '):
                order = p.split()[1]
        svc_list.append((order, name))
    return svc_list
 def ipa_start():
    try:
        print "Starting Directory Service"
        service.start('dirsrv')
    except:
        emit_err("Failed to start Directory Service")
        return
    svc_list = get_config()
    for (order, svc) in sorted(svc_list):
        svc_name = service.SERVICE_LIST[svc][0]
        try:
            print "Starting %s Service" % svc
            service.start(svc_name)
        except:
            emit_err("Failed to start %s Service" % svc)
            emit_err("Shutting down")
            for (order, svc) in sorted(svc_list):
                svc_name = service.SERVICE_LIST[svc][0]
                try:
                    service.stop(svc_name)
                except:
                    pass
            try:
                service.stop('dirsrv')
            except:
                pass
            return
 def ipa_stop():
    svc_list = get_config()
    for (order, svc) in sorted(svc_list, reverse=True):
        svc_name = service.SERVICE_LIST[svc][0]
        try:
            print "Stopping %s Service" % svc
            service.stop(svc_name)
        except:
            emit_err("Failed to stop %s Service" % svc)
    try:
        print "Stopping Directory Service"
        service.stop('dirsrv')
    except:
        emit_err("Failed to stop Directory Service")
        return
 def ipa_restart():
    try:
        print "Restarting Directory Service"
        service.restart('dirsrv')
    except:
        emit_err("Failed to restart Directory Service")
        return
    svc_list = get_config()
    for (order, svc) in sorted(svc_list):
        svc_name = service.SERVICE_LIST[svc][0]
        try:
            print "Restarting %s Service" % svc
            service.restart(svc_name)
        except:
            emit_err("Failed to restart %s Service" % svc)
            emit_err("Shutting down")
            for (order, svc) in sorted(svc_list):
                svc_name = service.SERVICE_LIST[svc][0]
                try:
                    service.stop(svc_name)
                except:
                    pass
            try:
                service.stop('dirsrv')
            except:
                pass
            return
 def ipa_status():
    try:
        if service.is_running('dirsrv'):
            print "Directory Service: RUNNING"
        else:
            print "Directory Service: STOPPED"
    except:
        print "Failed to get Directory Service status"
        return
    svc_list = get_config()
    for (order, svc) in sorted(svc_list):
        svc_name = service.SERVICE_LIST[svc][0]
        try:
            if service.is_running(svc_name):
                print "%s Service: RUNNING" % svc
            else:
                print "%s Service: STOPPED" % svc
        except:
            print "Failed to get %s Service status" % svc
 def main():
    safe_options, options, args = parse_options()
    if len(args) != 1:
        sys.exit("You must specify one action")
    elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
        sys.exit("Unrecognized action [" + args[0] + "]")
    api.bootstrap(context='cli', debug=options.debug)
    api.finalize()
    syslog.openlog('ipa', syslog.LOG_NDELAY, syslog.LOG_DAEMON)
    if args[0].lower() == "start":
        ipa_start()
    elif args[0].lower() == "stop":
        ipa_stop()
    elif args[0].lower() == "restart":
        ipa_restart()
    elif args[0].lower() == "status":
        ipa_status()
    syslog.closelog()
 try:
    if __name__ == "__main__":
        sys.exit(main())
 except RuntimeError, e:
    print "%s" % e
    sys.exit(1)
 except SystemExit, e:
    sys.exit(e)
 except KeyboardInterrupt, e:
    sys.exit(1)
--- a/ipa.init
+++ b/ipa.init
@ -0,0 +1,45 @@
 #!/bin/sh
 #
 # ipa    This starts and stops ipa
 #
 # chkconfig:   - 21 79
 # description: IPA Server
 # processname: /usr/sbin/ns-slapd
 # configdir:   /etc/ipa/
 # piddir:      /var/run/dirsrv
 #
 # Source function library.
 if [ -f /etc/rc.d/init.d/functions ] ; then
 . /etc/rc.d/init.d/functions
 fi
 # Source networking configuration.
 if [ -f /etc/sysconfig/network ] ; then
 . /etc/sysconfig/network
 fi
 # Check that networking is up.
 if [ "${NETWORKING}" = "no" ]
 then
    echo "Networking is down"
    exit 0
 fi
 # Lockfile
 if [ -d "/var/lock/subsys" ] ; then
    lockfile="/var/lock/subsys/dirsrv"
 else
    lockfile="/var/lock/dirsrv/lock"
 fi
 case "$1" in
    start|stop|restart|status)
        /usr/sbin/ipactl $1
        ;;
    condrestart)
        [ ! -f $lockfile ] || /usr/sbin/ipactl restart
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|condrestart}"
        exit 2
 esac
--- a/ipa.spec.in
+++ b/ipa.spec.in
@ -94,6 +94,8 @@ Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.15
 Requires: pki-ca >= 1.3.6
 Requires: pki-silent >= 1.3.4
 Requires(preun):  python initscripts chkconfig
 Requires(postun): python initscripts chkconfig
 %description server
 IPA is an integrated solution to provide centrally managed Identity (machine,
@ -280,7 +282,9 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/
 /bin/touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/ipa.conf
 /bin/touch $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 install -m755 ipa.init $RPM_BUILD_ROOT%{_initrddir}/ipa
 %endif
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/ipa/
 /bin/touch $RPM_BUILD_ROOT%{_sysconfdir}/ipa/default.conf
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
@ -296,6 +300,7 @@ rm -rf %{buildroot}
 %if ! %{ONLY_CLIENT}
 %post server
 if [ $1 = 1 ]; then
    /sbin/chkconfig --add ipa
    /sbin/chkconfig --add ipa_kpasswd
 fi
 if [ -e /usr/share/ipa/serial ]; then
@ -305,15 +310,14 @@ fi
 %preun server
 if [ $1 = 0 ]; then
    /sbin/chkconfig --del ipa
    /sbin/chkconfig --del ipa_kpasswd
-    /sbin/service ipa_kpasswd stop >/dev/null 2>&1 || :
+    /sbin/service ipa stop >/dev/null 2>&1 || :
 fi
 %postun server
 if [ "$1" -ge "1" ]; then
-    /sbin/service ipa_kpasswd condrestart >/dev/null 2>&1 || :
+    /sbin/service ipa condrestart >/dev/null 2>&1 || :
    /sbin/service httpd condrestart >/dev/null 2>&1 || :
    /sbin/service dirsrv condrestart >/dev/null 2>&1 || :
 fi
 %pre server-selinux
@ -373,6 +377,7 @@ fi
 %{_sbindir}/ipa_kpasswd
 %{_sbindir}/ipactl
 %{_sbindir}/ipa-upgradeconfig
 %attr(755,root,root) %{_initrddir}/ipa
 %attr(755,root,root) %{_initrddir}/ipa_kpasswd
 %{python_sitelib}/ipaserver/*
 %dir %{_usr}/share/ipa
@ -503,6 +508,9 @@ fi
 %endif
 %changelog
 * Tue Dec  7 2010 Simo Sorce <ssorce@redhat.com> - 1.99-33
 - Add ipa init script
 * Fri Nov 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-32
 - Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@ -275,7 +275,10 @@ class BindInstance(service.Service):
    def __enable(self):
        self.backup_state("enabled", self.is_running())
-        self.chkconfig_on()
+        # We do not let the system start IPA components on its own,
        # Instead we reply on the IPA init script to start only enabled
        # components as found in our LDAP configuration tree
        self.ldap_enable('DNS', self.fqdn, self.dm_password, self.suffix)
    def __setup_sub_dict(self):
        if self.forwarders:
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -242,7 +242,6 @@ class CADSInstance(service.Service):
        self.step("creating directory server user", self.__create_ds_user)
        self.step("creating directory server instance", self.__create_instance)
        self.step("configuring directory to start on boot", self.__enable)
        self.step("restarting directory server", self.__restart_instance)
        self.start_creation("Configuring directory server for the CA", 30)
@ -255,13 +254,6 @@ class CADSInstance(service.Service):
                             SERVER_ROOT=server_root, DOMAIN=self.domain,
                             TIME=int(time.time()), DSPORT=self.ds_port)
    def __enable(self):
        name = self.service_name
        self.service_name="dirsrv"
        self.backup_state("enabled", self.is_enabled())
        self.chkconfig_on()
        self.service_name = name
    def __create_ds_user(self):
        user_exists = True
        try:
@ -483,7 +475,11 @@ class CAInstance(service.Service):
    def __enable(self):
        self.backup_state("enabled", self.is_enabled())
-        self.chkconfig_on()
+        # We do not let the system start IPA components on its own,
        # Instead we reply on the IPA init script to start only enabled
        # components as found in our LDAP configuration tree
        suffix = util.realm_to_suffix(self.realm)
        self.ldap_enable('CA', self.fqdn, self.dm_password, suffix)
    def __create_ca_user(self):
        user_exists = True
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -295,7 +295,10 @@ class DsInstance(service.Service):
    def __enable(self):
        self.backup_state("enabled", self.is_enabled())
-        self.chkconfig_on()
+        # At the end of the installation ipa-server-install will enable the
        # 'ipa' service wich takes care of starting/stopping dirsrv
        # self.chkconfig_on()
        self.chkconfig_off()
    def __setup_sub_dict(self):
        server_root = find_server_root()
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -91,7 +91,10 @@ class HTTPInstance(service.Service):
    def __enable(self):
        self.backup_state("enabled", self.is_running())
-        self.chkconfig_on()
+        # We do not let the system start IPA components on its own,
        # Instead we reply on the IPA init script to start only enabled
        # components as found in our LDAP configuration tree
        self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
    def __selinux_config(self):
        selinux=0
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -203,8 +203,7 @@ class KrbInstance(service.Service):
        self.start_creation("Configuring Kerberos KDC", 30)
        self.kpasswd = KpasswdInstance()
-
+        self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
        self.kpasswd.create_instance()
    def create_replica(self, ds_user, realm_name, host_name,
                       domain_name, admin_password,
@ -233,7 +232,7 @@ class KrbInstance(service.Service):
        self.start_creation("Configuring Kerberos KDC", 30)
        self.kpasswd = KpasswdInstance()
-        self.kpasswd.create_instance()
+        self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
    def __copy_ldap_passwd(self, filename):
        self.fstore.backup_file("/var/kerberos/krb5kdc/ldappwd")
@ -258,7 +257,10 @@ class KrbInstance(service.Service):
    def __enable(self):
        self.backup_state("enabled", self.is_enabled())
-        self.chkconfig_on()
+        # We do not let the system start IPA components on its own,
        # Instead we reply on the IPA init script to start only enabled
        # components as found in our LDAP configuration tree
        self.ldap_enable('KDC', self.fqdn, self.admin_password, self.suffix)
    def __start_instance(self):
        try:
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@ -29,6 +29,13 @@ import base64
 import time
 import datetime
 SERVICE_LIST = {
    'KDC':('krb5kdc', 10),
    'KPASSWD':('ipa_kpasswd', 20),
    'DNS':('named', 30),
    'HTTP':('httpd', 40),
    'CA':('pki_cad', 50)
 }
 def stop(service_name, instance_name=""):
    ipautil.run(["/sbin/service", service_name, "stop", instance_name])
@ -263,8 +270,44 @@ class Service:
        self.steps = []
    def __get_conn(self, dm_password):
        try:
            conn = ipaldap.IPAdmin("127.0.0.1")
            conn.simple_bind_s("cn=directory manager", dm_password)
        except Exception, e:
            logging.critical("Could not connect to the Directory Server on %s: %s" % (self.fqdn, str(e)))
            raise e
        return conn
    def ldap_enable(self, name, fqdn, dm_password, ldap_suffix):
        self.chkconfig_off()
        conn = self.__get_conn(dm_password)
        entry_name = "cn=%s,cn=%s,%s,%s" % (name, fqdn,
                                            "cn=masters,cn=ipa,cn=etc",
                                            ldap_suffix)
        order = SERVICE_LIST[name][1]
        entry = ipaldap.Entry(entry_name)
        entry.setValues("objectclass",
                        "nsContainer", "ipaConfigObject")
        entry.setValues("cn", name)
        entry.setValues("ipaconfigstring",
                        "enabledService", "startOrder " + str(order))
        try:
            conn.add_s(entry)
        except ldap.ALREADY_EXISTS:
            logging.critical("failed to add %s Service startup entry" % name)
            raise e
 class SimpleServiceInstance(Service):
-    def create_instance(self):
+    def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None):
        self.gensvc_name = gensvc_name
        self.fqdn = fqdn
        self.dm_password = dm_password
        self.suffix = ldap_suffix
        self.step("starting %s " % self.service_name, self.__start)
        self.step("configuring %s to start on boot" % self.service_name, self.__enable)
        self.start_creation("Configuring %s" % self.service_name)
@ -276,7 +319,11 @@ class SimpleServiceInstance(Service):
    def __enable(self):
        self.chkconfig_add()
        self.backup_state("enabled", self.is_enabled())
-        self.chkconfig_on()
+        if self.gensvc_name == None:
            self.chkconfig_on()
        else:
            self.ldap_enable(self.gensvc_name, self.fqdn,
                             self.dm_password, self.suffix)
    def uninstall(self):
        if self.is_configured():