IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

install: Migrate ipa-replica-install to the install framework

Browse Source 
https://fedorahosted.org/freeipa/ticket/4468

Reviewed-By: David Kupka <dkupka@redhat.com>
This commit is contained in:
Jan Cholasta 2015-06-09 11:42:50 +00:00
parent 6f1ae05d8d
commit 46cbe26b51
3 changed files with 275 additions and 201 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

151
install/tools/ipa-replica-install
View File

@ -18,148 +18,19 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
from optparse import OptionGroup
from ipapython import ipautil
from ipaserver.install import installutils
from ipaserver.install import server
from ipapython import version
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import root_logger, standard_logging_setup
from ipapython.dn import DN
from ipapython.install import cli
from ipaplatform.paths import paths
log_file_name = paths.IPAREPLICA_INSTALL_LOG
DIRMAN_DN = DN(('cn', 'directory manager'))
REPLICA_INFO_TOP_DIR = None
from ipaserver.install.server import Replica
def parse_options():
usage = "%prog [options] REPLICA_FILE"
parser = IPAOptionParser(usage=usage, version=version.VERSION)
basic_group = OptionGroup(parser, "basic options")
basic_group.add_option("--setup-ca", dest="setup_ca", action="store_true",
default=False, help="configure a dogtag CA")
basic_group.add_option("--setup-kra", dest="setup_kra", action="store_true",
default=False, help="configure a dogtag KRA")
basic_group.add_option("--ip-address", dest="ip_addresses",
type="ip", ip_local=True, action="append", default=[],
help="Replica server IP Address. This option can be used multiple times", metavar="IP_ADDRESS")
basic_group.add_option("-p", "--password", dest="password", sensitive=True,
help="Directory Manager (existing master) password")
basic_group.add_option("-w", "--admin-password", dest="admin_password", sensitive=True,
help="Admin user Kerberos password used for connection check")
basic_group.add_option("--mkhomedir",
dest="mkhomedir",
action="store_true",
default=False,
help="create home directories for users "
"on their first login")
basic_group.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
help="do not configure ntp", default=True)
basic_group.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false",
default=True, help="Do not automatically redirect to the Web UI")
basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
help="configure OpenSSH client to trust DNS SSHFP records")
basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false",
help="do not configure OpenSSH client")
basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
help="do not configure OpenSSH server")
basic_group.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true",
default=False, help="skip connection check to remote master")
basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="gather extra debugging information")
basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
parser.add_option_group(basic_group)
cert_group = OptionGroup(parser, "certificate system options")
cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
default=True, help="disables pkinit setup steps")
cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
default=False, help="skip check for updated CA DS schema on the remote master")
parser.add_option_group(cert_group)
dns_group = OptionGroup(parser, "DNS options")
dns_group.add_option("--setup-dns", dest="setup_dns", action="store_true",
default=False, help="configure bind with our zone")
dns_group.add_option("--forwarder", dest="forwarders", action="append",
type="ip", help="Add a DNS forwarder. This option can be used multiple times")
dns_group.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
default=False, help="Do not add any DNS forwarders, use root servers instead")
dns_group.add_option("--reverse-zone", dest="reverse_zones", default=[],
action="append", help="The reverse DNS zone to use. This option can be used multiple times",
metavar="REVERSE_ZONE")
dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
default=False, help="Do not create new reverse DNS zone")
dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
default=False, help="Disable DNSSEC validation")
dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
dns_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
help="do not automatically create DNS SSHFP records")
parser.add_option_group(dns_group)
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if len(args) != 1:
parser.error("you must provide a file generated by ipa-replica-prepare")
if not options.setup_dns:
if options.forwarders:
parser.error("You cannot specify a --forwarder option without the --setup-dns option")
if options.no_forwarders:
parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
if options.reverse_zones:
parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
if options.no_reverse:
parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
if options.no_dnssec_validation:
parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option")
elif options.forwarders and options.no_forwarders:
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
elif not options.forwarders and not options.no_forwarders:
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
elif options.reverse_zones and options.no_reverse:
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
options.external_ca = None
options.external_cert_files = None
options.zonemgr = None
options.dnssec_master = False
return safe_options, options, args[0]
ReplicaInstall = cli.install_tool(
Replica,
command_name='ipa-replica-install',
positional_arguments='replica_file',
usage='%prog [options] REPLICA_FILE',
log_file_name=paths.IPAREPLICA_INSTALL_LOG,
debug_option=True,
)
def main():
safe_options, options, filename = parse_options()
if os.geteuid() != 0:
sys.exit("\nYou must be root to run this script.\n")
standard_logging_setup(log_file_name, debug=options.debug)
root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
if not ipautil.file_exists(filename):
sys.exit("Replica file %s does not exist" % filename)
server.replica_install_check(filename, options)
server.replica_install(filename, options)
fail_message = '''
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
'''
if __name__ == '__main__':
installutils.run_script(main, log_file_name=log_file_name,
operation_name='ipa-replica-install',
fail_message=fail_message)
ReplicaInstall.run_cli()

3
ipaserver/install/server/__init__.py
View File

@ -3,7 +3,6 @@
#
from .install import Server
from .replicainstall import Replica
from .replicainstall import install_check as replica_install_check
from .replicainstall import install as replica_install
from .upgrade import upgrade_check, upgrade

322
ipaserver/install/server/replicainstall.py
View File

@ -14,6 +14,9 @@ import tempfile
from ipapython import dogtag, ipautil, sysrestore
from ipapython.dn import DN
from ipapython.install import common, core
from ipapython.install.common import step
from ipapython.install.core import Knob
from ipapython.ipa_log_manager import root_logger
from ipaplatform import services
from ipaplatform.tasks import tasks
@ -28,7 +31,6 @@ from ipaserver.install.replication import (
ReplicationManager, replica_conn_check)
DIRMAN_DN = DN(('cn', 'directory manager'))
REPLICA_INFO_TOP_DIR = None
def get_dirman_password():
@ -162,7 +164,7 @@ def install_dns_records(config, options, remote_api):
config.realm_name,
config.domain_name,
reverse_zone,
options.conf_ntp,
not options.no_ntp,
options.setup_ca)
except errors.NotFound, e:
root_logger.debug('Replica DNS records could not be added '
@ -276,60 +278,38 @@ def check_dns_resolution(host_name, dns_servers):
return no_errors
def remove_replica_info_dir():
def remove_replica_info_dir(installer):
# always try to remove decrypted replica file
try:
if REPLICA_INFO_TOP_DIR:
shutil.rmtree(REPLICA_INFO_TOP_DIR)
if installer._top_dir is not None:
shutil.rmtree(installer._top_dir)
except OSError:
pass
def init_private_ccache():
global original_ccache
global temp_ccache
(desc, temp_ccache) = tempfile.mkstemp(prefix='krbcc')
os.close(desc)
original_ccache = os.environ.get('KRB5CCNAME')
os.environ['KRB5CCNAME'] = temp_ccache
def destroy_private_ccache():
global original_ccache
global temp_ccache
if original_ccache is not None:
os.environ['KRB5CCNAME'] = original_ccache
else:
os.environ.pop('KRB5CCNAME', None)
if os.path.exists(temp_ccache):
os.remove(temp_ccache)
def common_cleanup(func):
def decorated(*args, **kwargs):
def decorated(installer):
try:
try:
func(*args, **kwargs)
func(installer)
except BaseException:
destroy_private_ccache()
remove_replica_info_dir()
remove_replica_info_dir(installer)
raise
except KeyboardInterrupt:
sys.exit(1)
except Exception:
print(
"Your system may be partly configured.\n"
"Run /usr/sbin/ipa-server-install --uninstall to clean up.\n")
raise
return decorated
@common_cleanup
def install_check(filename, options):
global config
init_private_ccache()
def install_check(installer):
options = installer
filename = installer.replica_file
tasks.check_selinux_status()
@ -339,10 +319,8 @@ def install_check(filename, options):
"Please uninstall it first before configuring the replica, "
"using 'ipa-client-install --uninstall'.")
global sstore
sstore = sysrestore.StateFile(paths.SYSRESTORE)
global fstore
fstore = sysrestore.FileStore(paths.SYSRESTORE)
# Check to see if httpd is already configured to listen on 443
@ -351,7 +329,7 @@ def install_check(filename, options):
check_dirsrv()
if options.conf_ntp:
if not options.no_ntp:
try:
ipaclient.ntpconf.check_timedate_services()
except ipaclient.ntpconf.NTPConflictingService, e:
@ -373,8 +351,7 @@ def install_check(filename, options):
sys.exit("Directory Manager password required")
config = create_replica_config(dirman_password, filename, options)
global REPLICA_INFO_TOP_DIR
REPLICA_INFO_TOP_DIR = config.top_dir
installer._top_dir = config.top_dir
config.setup_ca = options.setup_ca
config.setup_kra = options.setup_kra
@ -398,7 +375,7 @@ def install_check(filename, options):
dns.install_check(False, True, options, config.host_name)
else:
installutils.get_server_ip_address(config.host_name, fstore,
options.unattended, False,
not installer.interactive, False,
options.ip_addresses)
# check connection
@ -407,18 +384,22 @@ def install_check(filename, options):
config.master_host_name, config.host_name, config.realm_name,
options.setup_ca, config.ca_ds_port, options.admin_password)
# Automatically disable pkinit w/ dogtag until that is supported
options.setup_pkinit = False
cafile = config.dir + "/ca.crt"
if not ipautil.file_exists(cafile):
raise RuntimeError("CA cert file is not available. Please run "
"ipa-replica-prepare to create a new replica file.")
installer._fstore = fstore
installer._sstore = sstore
installer._config = config
@common_cleanup
def install(filename, options):
global config
def install(installer):
options = installer
fstore = installer._fstore
sstore = installer._sstore
config = installer._config
dogtag_constants = dogtag.install_constants
@ -544,7 +525,7 @@ def install(filename, options):
resolution_ok = (
check_dns_resolution(master, dns_masters) and
check_dns_resolution(config.host_name, dns_masters))
if not resolution_ok and not options.unattended:
if not resolution_ok and installer.interactive:
if not ipautil.user_input("Continue?", False):
sys.exit(0)
else:
@ -562,7 +543,7 @@ def install(filename, options):
replman.conn.unbind()
# Configure ntpd
if options.conf_ntp:
if not options.no_ntp:
ipaclient.ntpconf.force_ntpd(sstore)
ntp = ntpinstance.NTPInstance()
ntp.create_instance()
@ -584,8 +565,8 @@ def install(filename, options):
ca.install(False, config, options)
krb = install_krb(config, setup_pkinit=options.setup_pkinit)
http = install_http(config, auto_redirect=options.ui_redirect)
krb = install_krb(config, setup_pkinit=not options.no_pkinit)
http = install_http(config, auto_redirect=not options.no_ui_redirect)
otpd = otpdinstance.OtpdInstance()
otpd.create_instance('OTPD', config.host_name, config.dirman_password,
@ -625,13 +606,13 @@ def install(filename, options):
args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended",
"--domain", config.domain_name, "--server", config.host_name,
"--realm", config.realm_name]
if not options.create_sshfp:
if options.no_dns_sshfp:
args.append("--no-dns-sshfp")
if options.trust_sshfp:
if options.ssh_trust_dns:
args.append("--ssh-trust-dns")
if not options.conf_ssh:
if options.no_ssh:
args.append("--no-ssh")
if not options.conf_sshd:
if options.no_sshd:
args.append("--no-sshd")
if options.mkhomedir:
args.append("--mkhomedir")
@ -646,5 +627,228 @@ def install(filename, options):
# Everything installed properly, activate ipa service.
services.knownservices.ipa.enable()
destroy_private_ccache()
remove_replica_info_dir()
remove_replica_info_dir(installer)
class ReplicaCA(common.Installable, core.Group, core.Composite):
description = "certificate system"
no_pkinit = Knob(
bool, False,
description="disables pkinit setup steps",
)
skip_schema_check = Knob(
bool, False,
description="skip check for updated CA DS schema on the remote master",
)
class ReplicaDNS(common.Installable, core.Group, core.Composite):
description = "DNS"
setup_dns = Knob(
bool, False,
description="configure bind with our zone",
)
forwarders = Knob(
(list, 'ip'), None,
description=("Add a DNS forwarder. This option can be used multiple "
"times"),
cli_name='forwarder',
)
no_forwarders = Knob(
bool, False,
description="Do not add any DNS forwarders, use root servers instead",
)
reverse_zones = Knob(
(list, str), [],
description=("The reverse DNS zone to use. This option can be used "
"multiple times"),
cli_name='reverse-zone',
)
no_reverse = Knob(
bool, False,
description="Do not create new reverse DNS zone",
)
no_dnssec_validation = Knob(
bool, False,
description="Disable DNSSEC validation",
)
no_host_dns = Knob(
bool, False,
description="Do not use DNS for hostname lookup during installation",
)
no_dns_sshfp = Knob(
bool, False,
description="do not automatically create DNS SSHFP records",
)
class Replica(common.Installable, common.Interactive, core.Composite):
replica_file = Knob(
str, None,
description="a file generated by ipa-replica-prepare",
)
setup_ca = Knob(
bool, False,
initializable=False,
description="configure a dogtag CA",
)
setup_kra = Knob(
bool, False,
initializable=False,
description="configure a dogtag KRA",
)
ip_addresses = Knob(
(list, 'ip-local'), None,
description=("Replica server IP Address. This option can be used "
"multiple times"),
cli_name='ip-address',
)
password = Knob(
str, None,
sensitive=True,
description="Directory Manager (existing master) password",
cli_short_name='p',
)
master_password = Knob(
str, None,
sensitive=True,
deprecated=True,
description="kerberos master password (normally autogenerated)",
cli_short_name='P',
)
admin_password = Knob(
str, None,
sensitive=True,
description="Admin user Kerberos password used for connection check",
cli_short_name='w',
)
mkhomedir = Knob(
bool, False,
description="create home directories for users on their first login",
)
no_ntp = Knob(
bool, False,
description="do not configure ntp",
)
no_ui_redirect = Knob(
bool, False,
description="Do not automatically redirect to the Web UI",
)
ssh_trust_dns = Knob(
bool, False,
description="configure OpenSSH client to trust DNS SSHFP records",
)
no_ssh = Knob(
bool, False,
description="do not configure OpenSSH client",
)
no_sshd = Knob(
bool, False,
description="do not configure OpenSSH server",
)
skip_conncheck = Knob(
bool, False,
description="skip connection check to remote master",
)
def __init__(self, **kwargs):
super(Replica, self).__init__(**kwargs)
self._top_dir = None
self._config = None
#pylint: disable=no-member
if self.replica_file is None:
raise RuntimeError(
"you must provide a file generated by ipa-replica-prepare")
if not ipautil.file_exists(self.replica_file):
raise RuntimeError(
"Replica file %s does not exist" % self.replica_file)
if not self.dns.setup_dns:
if self.dns.forwarders:
raise RuntimeError(
"You cannot specify a --forwarder option without the "
"--setup-dns option")
if self.dns.no_forwarders:
raise RuntimeError(
"You cannot specify a --no-forwarders option without the "
"--setup-dns option")
if self.dns.reverse_zones:
raise RuntimeError(
"You cannot specify a --reverse-zone option without the "
"--setup-dns option")
if self.dns.no_reverse:
raise RuntimeError(
"You cannot specify a --no-reverse option without the "
"--setup-dns option")
if self.dns.no_dnssec_validation:
raise RuntimeError(
"You cannot specify a --no-dnssec-validation option "
"without the --setup-dns option")
elif self.dns.forwarders and self.dns.no_forwarders:
raise RuntimeError(
"You cannot specify a --forwarder option together with "
"--no-forwarders")
elif not self.dns.forwarders and not self.dns.no_forwarders:
raise RuntimeError(
"You must specify at least one --forwarder option or "
"--no-forwarders option")
elif self.dns.reverse_zones and self.dns.no_reverse:
raise RuntimeError(
"You cannot specify a --reverse-zone option together with "
"--no-reverse")
# Automatically disable pkinit w/ dogtag until that is supported
self.ca.no_pkinit = True
self.external_ca = False
self.external_cert_files = None
self.no_pkinit = self.ca.no_pkinit
self.skip_schema_check = self.ca.skip_schema_check
self.setup_dns = self.dns.setup_dns
self.forwarders = self.dns.forwarders
self.no_forwarders = self.dns.no_forwarders
self.reverse_zones = self.dns.reverse_zones
self.no_reverse = self.dns.no_reverse
self.no_dnssec_validation = self.dns.no_dnssec_validation
self.dnssec_master = False
self.zonemgr = None
self.no_host_dns = self.dns.no_host_dns
self.no_dns_sshfp = self.dns.no_dns_sshfp
self.unattended = not self.interactive
@step()
def main(self):
install_check(self)
yield
install(self)
ca = core.Component(ReplicaCA)
dns = core.Component(ReplicaDNS)