ipaplatform: Move all filesystem paths to ipaplatform.paths module

https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>

install/migration/migration.py

@@ -30,6 +30,7 @@ from ipapython.ipautil import get_ipa_basedn
 from ipapython.dn import DN
 from ipapython.ipaldap import IPAdmin
 from ipalib import errors
+from ipaplatform.paths import paths
 
 
 def wsgi_redirect(start_response, loc):
@@ -89,7 +90,7 @@ def application(environ, start_response):
     if not form_data.has_key('username') or not form_data.has_key('password'):
         return wsgi_redirect(start_response, 'invalid.html')
 
-    slapd_sockets = glob.glob('/var/run/slapd-*.socket')
+    slapd_sockets = glob.glob(paths.ALL_SLAPD_INSTANCE_SOCKETS)
     if slapd_sockets:
         ldap_uri = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')
     else:

install/wsgi/plugins.py

@@ -22,9 +22,10 @@ Plugin index generation script
 """
 
 import os
+from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
 
-PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
+PLUGINS_DIR = paths.IPA_JS_PLUGINS_DIR
 
 def get_plugin_index():
 

ipa-client/ipaclient/ipadiscovery.py

@@ -26,6 +26,7 @@ from dns import resolver, rdatatype
 from dns.exception import DNSException
 from ipalib import errors
 from ipapython import ipaldap
+from ipaplatform.paths import paths
 from ipapython.ipautil import valid_ip, get_ipa_basedn, realm_to_suffix
 from ipapython.dn import DN
 
@@ -75,7 +76,7 @@ class IPADiscovery(object):
         domains = []
         domain = None
         try:
-            fp = open('/etc/resolv.conf', 'r')
+            fp = open(paths.RESOLV_CONF, 'r')
             lines = fp.readlines()
             fp.close()
 

ipa-client/ipaclient/ntpconf.py

@@ -22,6 +22,7 @@ import shutil
 import os
 from ipaplatform.tasks import tasks
 from ipaplatform import services
+from ipaplatform.paths import paths
 
 ntp_conf = """# Permit time synchronization with our time source, but do not
 # permit the source to query or modify the service on this system.
@@ -96,9 +97,9 @@ def __write_config(path, content):
     fd.close()
 
 def config_ntp(server_fqdn, fstore = None, sysstore = None):
-    path_step_tickers = "/etc/ntp/step-tickers"
+    path_step_tickers = paths.NTP_STEP_TICKERS
-    path_ntp_conf = "/etc/ntp.conf"
+    path_ntp_conf = paths.NTP_CONF
-    path_ntp_sysconfig = "/etc/sysconfig/ntpd"
+    path_ntp_sysconfig = paths.SYSCONFIG_NTPD
     sub_dict = { }
     sub_dict["SERVER"] = server_fqdn
 
@@ -142,7 +143,7 @@ def synconce_ntp(server_fqdn):
 
     Returns True if sync was successful
     """
-    ntpd = '/usr/sbin/ntpd'
+    ntpd = paths.NTPD
     if not os.path.exists(ntpd):
         return False
 

ipalib/constants.py

@@ -22,6 +22,7 @@
 All constants centralised in one file.
 """
 import socket
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.version import VERSION, API_VERSION
 
@@ -34,7 +35,7 @@ except:
         FQDN = None
 
 # Path to CA certificate bundle
-CACERT = '/etc/ipa/ca.crt'
+CACERT = paths.IPA_CA_CRT
 
 # regular expression NameSpace member names must match:
 NAME_REGEX = r'^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'

ipalib/errors.py

@@ -105,6 +105,7 @@ current block assignments:
 from ipalib.text import ngettext as ungettext
 
 import messages
+from ipaplatform.paths import paths
 
 
 class PrivateError(StandardError):
@@ -142,7 +143,7 @@ class SubprocessError(PrivateError):
     The exit code of the sub-process is available via the ``returncode``
     instance attribute.  For example:
 
-    >>> e = SubprocessError(returncode=1, argv=('/bin/false',))
+    >>> e = SubprocessError(returncode=1, argv=(paths.BIN_FALSE,))
     >>> e.returncode
     1
     >>> e.argv  # argv is also available

ipalib/plugins/migration.py

@@ -33,6 +33,7 @@ from ipalib import _
 from ipapython.dn import DN
 from ipapython.ipautil import write_tmp_file
 import datetime
+from ipaplatform.paths import paths
 
 __doc__ = _("""
 Migration to IPA
@@ -185,13 +186,13 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
     # fill in required attributes by IPA
     entry_attrs['ipauniqueid'] = 'autogenerate'
     if 'homedirectory' not in entry_attrs:
-        homes_root = config.get('ipahomesrootdir', ('/home', ))[0]
+        homes_root = config.get('ipahomesrootdir', (paths.HOME_DIR, ))[0]
         home_dir = '%s/%s' % (homes_root, pkey)
         home_dir = home_dir.replace('//', '/').rstrip('/')
         entry_attrs['homedirectory'] = home_dir
 
     if 'loginshell' not in entry_attrs:
-        default_shell = config.get('ipadefaultloginshell', ['/bin/sh'])[0]
+        default_shell = config.get('ipadefaultloginshell', [paths.SH])[0]
         entry_attrs.setdefault('loginshell', default_shell)
 
     # do not migrate all attributes

ipalib/plugins/user.py

@@ -31,6 +31,7 @@ from ipalib.plugins import baseldap
 from ipalib.request import context
 from ipalib import _, ngettext
 from ipalib import output
+from ipaplatform.paths import paths
 from ipapython.ipautil import ipa_generate_password
 from ipapython.ipavalidate import Email
 from ipalib.capabilities import client_has_capability
@@ -729,14 +730,14 @@ class user_add(LDAPCreate):
                         len = int(config.get('ipamaxusernamelength')[0])
                     )
                 )
-        default_shell = config.get('ipadefaultloginshell', ['/bin/sh'])[0]
+        default_shell = config.get('ipadefaultloginshell', [paths.SH])[0]
         entry_attrs.setdefault('loginshell', default_shell)
         # hack so we can request separate first and last name in CLI
         full_name = '%s %s' % (entry_attrs['givenname'], entry_attrs['sn'])
         entry_attrs.setdefault('cn', full_name)
         if 'homedirectory' not in entry_attrs:
             # get home's root directory from config
-            homes_root = config.get('ipahomesrootdir', ['/home'])[0]
+            homes_root = config.get('ipahomesrootdir', [paths.HOME_DIR])[0]
             # build user's home directory based on his uid
             entry_attrs['homedirectory'] = posixpath.join(homes_root, keys[-1])
         entry_attrs.setdefault('krbprincipalname', '%s@%s' % (entry_attrs['uid'], api.env.realm))

ipalib/rpc.py

@@ -59,6 +59,7 @@ from ipalib.util import get_current_principal
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
 from ipapython import kernel_keyring
+from ipaplatform.paths import paths
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
@@ -482,7 +483,7 @@ class SSLTransport(LanguageAwareTransport):
             if self._connection and host == self._connection[0]:
                 return self._connection[1]
 
-        dbdir = '/etc/pki/nssdb'
+        dbdir = paths.NSS_DB_DIR
         no_init = self.__nss_initialized(dbdir)
         if sys.version_info < (2, 7):
             conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)

ipalib/session.py

@@ -27,6 +27,7 @@ from text import _
 from ipapython.ipa_log_manager import *
 from ipalib import api, errors
 from ipalib import Command
+from ipaplatform.paths import paths
 from ipalib.krb_utils import *
 from ipapython.cookie import Cookie
 
@@ -795,7 +796,7 @@ class MemcacheSessionManager(SessionManager):
     session data (see `load_session_data()`)
     '''
 
-    memcached_socket_path = '/var/run/ipa_memcached/ipa_memcached'
+    memcached_socket_path = paths.VAR_RUN_IPA_MEMCACHED
     session_cookie_name = 'ipa_session'
     mc_server_stat_name_re = re.compile(r'(.+)\s+\((\d+)\)')
 
@@ -1208,7 +1209,7 @@ class MemcacheSessionManager(SessionManager):
 
 
 #-------------------------------------------------------------------------------
-krbccache_dir ='/var/run/ipa_memcached'
+krbccache_dir =paths.IPA_MEMCACHED_DIR
 krbccache_prefix = 'krbcc_'
 
 def _get_krbccache_pathname():

ipalib/x509.py

@@ -42,6 +42,7 @@ from ipalib import api
 from ipalib import _
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 
 PEM = 0
@@ -99,7 +100,7 @@ def load_certificate(data, datatype=PEM, dbdir=None):
                 if api.env.in_tree:
                     dbdir = api.env.dot_ipa + os.sep + 'alias'
                 else:
-                    dbdir = "/etc/httpd/alias"
+                    dbdir = paths.HTTPD_ALIAS_DIR
                 nss.nss_init(dbdir)
             else:
                 nss.nss_init_nodb()

ipaplatform/base/paths.py

@@ -21,5 +21,229 @@
 This base platform module exports default filesystem paths.
 '''
 
-SVC_LIST_FILE = "/var/run/ipa/services.list"
+class BasePathNamespace(object):
-SYSTEMWIDE_CA_STORE = "/etc/pki/ca-trust/source/anchors/"
+    BASH = "/bin/bash"
+    BIN_FALSE = "/bin/false"
+    BIN_HOSTNAME = "/bin/hostname"
+    LS = "/bin/ls"
+    PKICREATE = "/bin/pkicreate"
+    PKISILENT = "/bin/pkisilent"
+    SH = "/bin/sh"
+    SYSTEMCTL = "/bin/systemctl"
+    TAR = "/bin/tar"
+    BIN_TRUE = "/bin/true"
+    DEV_NULL = "/dev/null"
+    DEV_STDIN = "/dev/stdin"
+    ETC_DIRSRV = "/etc/dirsrv"
+    DS_KEYTAB = "/etc/dirsrv/ds.keytab"
+    ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE = "/etc/dirsrv/slapd-%s"
+    ETC_SLAPD_PKI_IPA_DIR = "/etc/dirsrv/slapd-PKI-IPA"
+    ETC_FEDORA_RELEASE = "/etc/fedora-release"
+    GROUP = "/etc/group"
+    ETC_HOSTNAME = "/etc/hostname"
+    HOSTS = "/etc/hosts"
+    ETC_HTTPD_DIR = "/etc/httpd"
+    HTTPD_ALIAS_DIR = "/etc/httpd/alias"
+    ALIAS_PWDFILE_TXT = "/etc/httpd/alias/pwdfile.txt"
+    HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/"
+    HTTPD_IPA_PKI_PROXY_CONF = "/etc/httpd/conf.d/ipa-pki-proxy.conf"
+    HTTPD_IPA_REWRITE_CONF = "/etc/httpd/conf.d/ipa-rewrite.conf"
+    HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
+    HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
+    HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
+    IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
+    HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
+    ETC_IPA = "/etc/ipa"
+    IPA_CA_CRT = "/etc/ipa/ca.crt"
+    IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
+    IPA_SMARTPROXY_CONF = "/etc/ipa/ipa-smartproxy.conf"
+    KRB5_CONF = "/etc/krb5.conf"
+    KRB5_KEYTAB = "/etc/krb5.keytab"
+    NAMED_CONF = "/etc/named.conf"
+    NAMED_KEYTAB = "/etc/named.keytab"
+    NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"
+    NSSWITCH_CONF = "/etc/nsswitch.conf"
+    NTP_CONF = "/etc/ntp.conf"
+    NTP_STEP_TICKERS = "/etc/ntp/step-tickers"
+    OPENLDAP_LDAP_CONF = "/etc/openldap/ldap.conf"
+    PASSWD = "/etc/passwd"
+    ETC_PKI_CA_DIR = "/etc/pki-ca"
+    SYSTEMWIDE_CA_STORE = "/etc/pki/ca-trust/source/anchors/"
+    NSS_DB_DIR = "/etc/pki/nssdb"
+    NSSDB_CERT8_DB = "/etc/pki/nssdb/cert8.db"
+    NSSDB_KEY3_DB = "/etc/pki/nssdb/key3.db"
+    NSSDB_SECMOD_DB = "/etc/pki/nssdb/secmod.db"
+    PKI_TOMCAT = "/etc/pki/pki-tomcat"
+    PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
+    PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
+    ETC_REDHAT_RELEASE = "/etc/redhat-release"
+    RESOLV_CONF = "/etc/resolv.conf"
+    SAMBA_KEYTAB = "/etc/samba/samba.keytab"
+    SMB_CONF = "/etc/samba/smb.conf"
+    LIMITS_CONF = "/etc/security/limits.conf"
+    SSH_CONFIG = "/etc/ssh/ssh_config"
+    SSHD_CONFIG = "/etc/ssh/sshd_config"
+    SSSD_CONF = "/etc/sssd/sssd.conf"
+    ETC_SYSCONFIG_AUTHCONFIG = "/etc/sysconfig/authconfig"
+    SYSCONFIG_DIRSRV = "/etc/sysconfig/dirsrv"
+    SYSCONFIG_DIRSRV_INSTANCE = "/etc/sysconfig/dirsrv-%s"
+    SYSCONFIG_DIRSRV_PKI_IPA_DIR = "/etc/sysconfig/dirsrv-PKI-IPA"
+    SYSCONFIG_KRB5KDC_DIR = "/etc/sysconfig/krb5kdc"
+    SYSCONFIG_NTPD = "/etc/sysconfig/ntpd"
+    SYSCONFIG_PKI = "/etc/sysconfig/pki"
+    SYSCONFIG_PKI_CA_DIR = "/etc/sysconfig/pki-ca"
+    SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
+    SYSCONFIG_PKI_CA_PKI_CA_DIR = "/etc/sysconfig/pki/ca/pki-ca"
+    SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
+    SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
+    SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
+    SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
+    SYSTEMD_PKI_TOMCAT_SERVICE = "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service"
+    HOME_DIR = "/home"
+    ROOT_PKI = "/root/.pki"
+    CA_AGENT_P12 = "/root/ca-agent.p12"
+    CACERT_P12 = "/root/cacert.p12"
+    ROOT_TMP_CA_P12 = "/root/tmp-ca.p12"
+    IP = "/sbin/ip"
+    NOLOGIN = "/sbin/nologin"
+    SBIN_SERVICE = "/sbin/service"
+    TMP = "/tmp"
+    TMP_CA_P12 = "/tmp/ca.p12"
+    TMP_KRB5CC = "/tmp/krb5cc_%d"
+    USR_DIR = "/usr"
+    CERTMONGER_COMMAND_TEMPLATE = "/usr/%s/ipa/certmonger/%s"
+    PKCS12EXPORT = "/usr/bin/PKCS12Export"
+    CERTUTIL = "/usr/bin/certutil"
+    CHROMIUM_BROWSER = "/usr/bin/chromium-browser"
+    DS_NEWINST_PL = "/usr/bin/ds_newinst.pl"
+    FIREFOX = "/usr/bin/firefox"
+    GETCERT = "/usr/bin/getcert"
+    GPG = "/usr/bin/gpg"
+    GPG_AGENT = "/usr/bin/gpg-agent"
+    IPA_GETCERT = "/usr/bin/ipa-getcert"
+    KDESTROY = "/usr/bin/kdestroy"
+    KINIT = "/usr/bin/kinit"
+    LDAPMODIFY = "/usr/bin/ldapmodify"
+    LDAPPASSWD = "/usr/bin/ldappasswd"
+    NET = "/usr/bin/net"
+    OPENSSL = "/usr/bin/openssl"
+    PERL = "/usr/bin/perl"
+    PK12UTIL = "/usr/bin/pk12util"
+    PKICREATE = "/usr/bin/pkicreate"
+    PKIREMOVE = "/usr/bin/pkiremove"
+    PKISILENT = "/usr/bin/pkisilent"
+    SETPASSWD = "/usr/bin/setpasswd"
+    SIGNTOOL = "/usr/bin/signtool"
+    SSLGET = "/usr/bin/sslget"
+    ZIP = "/usr/bin/zip"
+    BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
+    USR_LIB_DIRSRV = "/usr/lib/dirsrv"
+    USR_LIB_SLAPD_INSTANCE_TEMPLATE = "/usr/lib/dirsrv/slapd-%s"
+    USR_LIB_SLAPD_PKI_IPA_DIR = "/usr/lib/dirsrv/slapd-PKI-IPA"
+    LIB_FIREFOX = "/usr/lib/firefox"
+    BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so"
+    USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv"
+    USR_LIB_DIRSRV_SLAPD_INSTANCE_DIR_TEMPLATE = "/usr/lib64/dirsrv/slapd-%s"
+    SLAPD_PKI_IPA = "/usr/lib64/dirsrv/slapd-PKI-IPA"
+    LIB64_FIREFOX = "/usr/lib64/firefox"
+    DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit"
+    GETSEBOOL = "/usr/sbin/getsebool"
+    GROUPADD = "/usr/sbin/groupadd"
+    HTTPD = "/usr/sbin/httpd"
+    IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
+    NTPD = "/usr/sbin/ntpd"
+    PKIDESTROY = "/usr/sbin/pkidestroy"
+    PKISPAWN = "/usr/sbin/pkispawn"
+    RESTORECON = "/usr/sbin/restorecon"
+    SELINUXENABLED = "/usr/sbin/selinuxenabled"
+    SETSEBOOL = "/usr/sbin/setsebool"
+    SETUP_DS_PL = "/usr/sbin/setup-ds.pl"
+    SMBD = "/usr/sbin/smbd"
+    USERADD = "/usr/sbin/useradd"
+    USR_SHARE_IPA_DIR = "/usr/share/ipa/"
+    FFEXTENSION = "/usr/share/ipa/ffextension"
+    IPA_HTML_DIR = "/usr/share/ipa/html"
+    CA_CRT = "/usr/share/ipa/html/ca.crt"
+    CONFIGURE_JAR = "/usr/share/ipa/html/configure.jar"
+    KERBEROSAUTH_XPI = "/usr/share/ipa/html/kerberosauth.xpi"
+    KRB_CON = "/usr/share/ipa/html/krb.con"
+    KRB_JS = "/usr/share/ipa/html/krb.js"
+    HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini"
+    HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
+    PREFERENCES_HTML = "/usr/share/ipa/html/preferences.html"
+    IPA_PLUGINS = "/usr/share/ipa/plugins"
+    SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
+    IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
+    UPDATES_DIR = "/usr/share/ipa/updates/"
+    PKI_CONF_SERVER_XML = "/usr/share/pki/ca/conf/server.xml"
+    VAR_KRB5KDC_K5_REALM = "/var/kerberos/krb5kdc/.k5."
+    CACERT_PEM = "/var/kerberos/krb5kdc/cacert.pem"
+    KRB5KDC_KDC_CONF = "/var/kerberos/krb5kdc/kdc.conf"
+    KDC_PEM = "/var/kerberos/krb5kdc/kdc.pem"
+    VAR_LIB = "/var/lib"
+    AUTHCONFIG_LAST = "/var/lib/authconfig/last"
+    VAR_LIB_CERTMONGER_DIR = "/var/lib/certmonger"
+    CERTMONGER_CAS_DIR = "/var/lib/certmonger/cas/"
+    CERTMONGER_REQUESTS_DIR = "/var/lib/certmonger/requests/"
+    VAR_LIB_DIRSRV = "/var/lib/dirsrv"
+    DIRSRV_BOOT_LDIF = "/var/lib/dirsrv/boot.ldif"
+    VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE = "/var/lib/dirsrv/scripts-%s"
+    VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s"
+    SLAPD_INSTANCE_BACKUP_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/bak/%s"
+    IPACA_DIRSRV_INSTANCE_DB_TEMPLATE = "/var/lib/dirsrv/slapd-%s/db/ipaca"
+    SLAPD_INSTANCE_LDIF_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/ldif"
+    VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-PKI-IPA"
+    VAR_LIB_IPA = "/var/lib/ipa"
+    IPA_CLIENT_SYSRESTORE = "/var/lib/ipa-client/sysrestore"
+    IPA_BACKUP_DIR = "/var/lib/ipa/backup"
+    PKI_CA_PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"
+    REPLICA_INFO_TEMPLATE = "/var/lib/ipa/replica-info-%s"
+    REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg"
+    SYSRESTORE = "/var/lib/ipa/sysrestore"
+    STATEFILE_DIR = "/var/lib/ipa/sysupgrade"
+    VAR_LIB_PKI_DIR = "/var/lib/pki"
+    VAR_LIB_PKI_CA_DIR = "/var/lib/pki-ca"
+    PKI_ALIAS_CA_P12 = "/var/lib/pki-ca/alias/ca.p12"
+    VAR_LIB_PKI_TOMCAT_DIR = "/var/lib/pki/pki-tomcat"
+    CA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12"
+    SAMBA_DIR = "/var/lib/samba/"
+    SSSD_MC_GROUP = "/var/lib/sss/mc/group"
+    SSSD_MC_PASSWD = "/var/lib/sss/mc/passwd"
+    SSS_KRB5_INCLUDE_D = "/var/lib/sss/pubconf/krb5.include.d"
+    DIRSRV_LOCK_DIR = "/var/lock/dirsrv"
+    SLAPD_INSTANCE_LOCK_TEMPLATE = "/var/lock/dirsrv/slapd-%s"
+    VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s"
+    SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access"
+    SLAPD_INSTANCE_ERROR_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/errors"
+    VAR_LOG_SLAPD_PKI_IPA_DIR = "/var/log/dirsrv/slapd-PKI-IPA"
+    VAR_LOG_HTTPD_DIR = "/var/log/httpd"
+    IPABACKUP_LOG = "/var/log/ipabackup.log"
+    IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log"
+    IPACLIENT_UNINSTALL_LOG = "/var/log/ipaclient-uninstall.log"
+    IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log"
+    IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log"
+    IPARESTORE_LOG = "/var/log/iparestore.log"
+    IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
+    IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
+    IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
+    KADMIND_LOG = "/var/log/kadmind.log"
+    MESSAGES = "/var/log/messages"
+    PKI_CA_LOG_DIR = "/var/log/pki-ca"
+    PKI_CA_INSTALL_LOG = "/var/log/pki-ca-install.log"
+    PKI_CA_UNINSTALL_LOG = "/var/log/pki-ca-uninstall.log"
+    VAR_LOG_PKI_DIR = "/var/log/pki/"
+    TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
+    TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"
+    TOMCAT_CA_ARCHIVE_DIR = "/var/log/pki/pki-tomcat/ca/archive"
+    TOMCAT_SIGNEDAUDIT_DIR = "/var/log/pki/pki-tomcat/ca/signedAudit"
+    LOG_SECURE = "/var/log/secure"
+    NAMED_RUN = "/var/named/data/named.run"
+    VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
+    SVC_LIST_FILE = "/var/run/ipa/services.list"
+    IPA_MEMCACHED_DIR = "/var/run/ipa_memcached"
+    VAR_RUN_IPA_MEMCACHED = "/var/run/ipa_memcached/ipa_memcached"
+    KRB5CC_SAMBA = "/var/run/samba/krb5cc_samba"
+    SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
+    ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
+
+path_namespace = BasePathNamespace

ipapython/certmonger.py

@@ -27,9 +27,10 @@ import re
 import time
 from ipapython import ipautil
 from ipapython import dogtag
+from ipaplatform.paths import paths
 
-REQUEST_DIR='/var/lib/certmonger/requests/'
+REQUEST_DIR=paths.CERTMONGER_REQUESTS_DIR
-CA_DIR='/var/lib/certmonger/cas/'
+CA_DIR=paths.CERTMONGER_CAS_DIR
 
 # Normalizer types for critera in get_request_id()
 NPATH = 1
@@ -176,7 +177,7 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
     """
     Execute certmonger to request a server certificate
     """
-    args = ['/usr/bin/ipa-getcert',
+    args = [paths.IPA_GETCERT,
             'request',
             '-d', nssdb,
             '-n', nickname,
@@ -202,7 +203,7 @@ def cert_exists(nickname, secdir):
     a database that doesn't exist and a nickname that doesn't exist within
     the database.
     """
-    args = ["/usr/bin/certutil", "-L",
+    args = [paths.CERTUTIL, "-L",
            "-d", os.path.abspath(secdir),
            "-n", nickname
           ]
@@ -227,7 +228,7 @@ def start_tracking(nickname, secdir, password_file=None, command=None):
     """
     if not cert_exists(nickname, os.path.abspath(secdir)):
         raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database "%s"' % (nickname, secdir))
-    args = ["/usr/bin/ipa-getcert", "start-tracking",
+    args = [paths.IPA_GETCERT, "start-tracking",
             "-d", os.path.abspath(secdir),
             "-n", nickname]
     if password_file:
@@ -261,7 +262,7 @@ def stop_tracking(secdir, request_id=None, nickname=None):
             # Fall back to trying to stop tracking using nickname
             pass
 
-    args = ['/usr/bin/getcert',
+    args = [paths.GETCERT,
             'stop-tracking',
     ]
     if request_id:
@@ -390,7 +391,7 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
     if not cert_exists(nickname, os.path.abspath(secdir)):
         raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database "%s"' % (nickname, secdir))
 
-    args = ["/usr/bin/getcert", "start-tracking",
+    args = [paths.GETCERT, "start-tracking",
             "-d", os.path.abspath(secdir),
             "-n", nickname,
             "-c", ca,
@@ -402,7 +403,7 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
                 libpath = 'lib64'
             else:
                 libpath = 'lib'
-            pre_command = '/usr/%s/ipa/certmonger/%s' % (libpath, pre_command)
+            pre_command = paths.CERTMONGER_COMMAND_TEMPLATE % (libpath, pre_command)
         args.append("-B")
         args.append(pre_command)
 
@@ -412,7 +413,7 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
                 libpath = 'lib64'
             else:
                 libpath = 'lib'
-            post_command = '/usr/%s/ipa/certmonger/%s' % (libpath, post_command)
+            post_command = paths.CERTMONGER_COMMAND_TEMPLATE % (libpath, post_command)
         args.append("-C")
         args.append(post_command)
 
@@ -446,7 +447,7 @@ def check_state(dirs):
     return reqids
 
 if __name__ == '__main__':
-    request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com@EXAMPLE.COM")
+    request_id = request_cert(paths.HTTPD_ALIAS_DIR, "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com@EXAMPLE.COM")
     csr = get_request_value(request_id, 'csr')
     print csr
     stop_tracking(request_id)

ipapython/config.py

@@ -23,6 +23,7 @@ from copy import copy
 from dns import resolver, rdatatype
 from dns.exception import DNSException
 from ipapython.dn import DN
+from ipaplatform.paths import paths
 import dns.name
 
 import socket
@@ -152,7 +153,7 @@ config = IPAConfig()
 
 def __parse_config(discover_server = True):
     p = ConfigParser.SafeConfigParser()
-    p.read("/etc/ipa/default.conf")
+    p.read(paths.IPA_DEFAULT_CONF)
 
     try:
         if not config.default_realm:

ipapython/dogtag.py

@@ -30,6 +30,7 @@ from ipalib import api, errors
 from ipalib.errors import NetworkError, CertificateOperationError
 from ipalib.text import _
 from ipapython import nsslib, ipautil
+from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import *
 
 # IPA can use either Dogtag version 9 or 10.
@@ -50,17 +51,17 @@ class Dogtag10Constants(object):
     DS_PORT = 389
     DS_SECURE_PORT = 636
 
-    SPAWN_BINARY = '/usr/sbin/pkispawn'
+    SPAWN_BINARY = paths.PKISPAWN
-    DESTROY_BINARY = '/usr/sbin/pkidestroy'
+    DESTROY_BINARY = paths.PKIDESTROY
 
-    SERVER_ROOT = '/var/lib/pki'
+    SERVER_ROOT = paths.VAR_LIB_PKI_DIR
     PKI_INSTANCE_NAME = 'pki-tomcat'
     PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
-    CRL_PUBLISH_PATH = '/var/lib/ipa/pki-ca/publish'
+    CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR
     CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
     PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
     SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
-    ALIAS_DIR = '/etc/pki/pki-tomcat/alias'
+    ALIAS_DIR = paths.PKI_TOMCAT_ALIAS_DIR.rstrip('/')
 
     SERVICE_NAME = 'pki_tomcatd'
 
@@ -82,13 +83,13 @@ class Dogtag9Constants(object):
     DS_PORT = 7389
     DS_SECURE_PORT = 7636
 
-    SPAWN_BINARY = '/bin/pkicreate'
+    SPAWN_BINARY = paths.PKICREATE
-    DESTROY_BINARY = '/bin/pkisilent'
+    DESTROY_BINARY = paths.PKISILENT
 
-    SERVER_ROOT = '/var/lib'
+    SERVER_ROOT = paths.VAR_LIB
     PKI_INSTANCE_NAME = 'pki-ca'
     PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
-    CRL_PUBLISH_PATH = '/var/lib/ipa/pki-ca/publish'
+    CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR
     CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
     PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
     SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
@@ -108,7 +109,7 @@ class Dogtag9Constants(object):
     DS_USER = "pkisrv"
     DS_NAME = "PKI-IPA"
 
-if os.path.exists('/usr/sbin/pkispawn'):
+if os.path.exists(paths.PKISPAWN):
     install_constants = Dogtag10Constants
 else:
     install_constants = Dogtag9Constants
@@ -124,7 +125,7 @@ def _get_configured_version(api):
         return int(api.env.dogtag_version)
     else:
         p = ConfigParser.SafeConfigParser()
-        p.read("/etc/ipa/default.conf")
+        p.read(paths.IPA_DEFAULT_CONF)
         try:
             version = p.get('global', 'dogtag_version')
         except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):

ipapython/ipautil.py

@@ -17,13 +17,6 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-SHARE_DIR = "/usr/share/ipa/"
-PLUGINS_SHARE_DIR = "/usr/share/ipa/plugins"
-
-GEN_PWD_LEN = 12
-
-IPA_BASEDN_INFO = 'ipa v2.0'
-
 import string
 import tempfile
 import subprocess
@@ -49,8 +42,16 @@ from dns.exception import DNSException
 from ipapython.ipa_log_manager import *
 from ipapython import ipavalidate
 from ipapython import config
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 
+SHARE_DIR = paths.USR_SHARE_IPA_DIR
+PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
+
+GEN_PWD_LEN = 12
+
+IPA_BASEDN_INFO = 'ipa v2.0'
+
 try:
     from subprocess import CalledProcessError
 except ImportError:
@@ -143,7 +144,7 @@ class CheckedIPAddress(netaddr.IPAddress):
             elif addr.version == 6:
                 family = 'inet6'
 
-            ipresult = run(['/sbin/ip', '-family', family, '-oneline', 'address', 'show'])
+            ipresult = run([paths.IP, '-family', family, '-oneline', 'address', 'show'])
             lines = ipresult[0].split('\n')
             for line in lines:
                 fields = line.split()
@@ -261,7 +262,7 @@ def run(args, stdin=None, raiseonerr=True,
 
         Example:
         We have a command
-            ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
+            [paths.SETPASSWD, '--password', 'Secret123', 'someuser']
         and we don't want to log the password so nolog would be set to:
         ('Secret123',)
         The resulting log output would be:
@@ -296,7 +297,7 @@ def run(args, stdin=None, raiseonerr=True,
     if stdin:
         p_in = subprocess.PIPE
     if skip_output:
-        p_out = p_err = open('/dev/null', 'w')
+        p_out = p_err = open(paths.DEV_NULL, 'w')
     elif capture_output:
         p_out = subprocess.PIPE
         p_err = subprocess.PIPE
@@ -411,7 +412,7 @@ def encrypt_file(source, dest, password, workdir = None):
             #give gpg a fake dir so that we can leater remove all
             #the cruft when we clean up the tempdir
             os.mkdir(gpgdir)
-            args = ['/usr/bin/gpg-agent', '--batch', '--homedir', gpgdir, '--daemon', '/usr/bin/gpg', '--batch', '--homedir', gpgdir, '--passphrase-fd', '0', '--yes', '--no-tty', '-o', dest, '-c', source]
+            args = [paths.GPG_AGENT, '--batch', '--homedir', gpgdir, '--daemon', paths.GPG, '--batch', '--homedir', gpgdir, '--passphrase-fd', '0', '--yes', '--no-tty', '-o', dest, '-c', source]
             run(args, password, skip_output=True)
         except:
             raise
@@ -441,7 +442,7 @@ def decrypt_file(source, dest, password, workdir = None):
             #give gpg a fake dir so that we can leater remove all
             #the cruft when we clean up the tempdir
             os.mkdir(gpgdir)
-            args = ['/usr/bin/gpg-agent', '--batch', '--homedir', gpgdir, '--daemon', '/usr/bin/gpg', '--batch', '--homedir', gpgdir, '--passphrase-fd', '0', '--yes', '--no-tty', '-o', dest, '-d', source]
+            args = [paths.GPG_AGENT, '--batch', '--homedir', gpgdir, '--daemon', paths.GPG, '--batch', '--homedir', gpgdir, '--passphrase-fd', '0', '--yes', '--no-tty', '-o', dest, '-d', source]
             run(args, password, skip_output=True)
         except:
             raise
@@ -1234,6 +1235,6 @@ def restore_hostname(statestore):
     system_hostname = socket.gethostname()
     if old_hostname is not None and old_hostname != system_hostname:
         try:
-            run(['/bin/hostname', old_hostname])
+            run([paths.BIN_HOSTNAME, old_hostname])
         except CalledProcessError, e:
             print >>sys.stderr, "Failed to set this machine hostname back to %s: %s" % (old_hostname, str(e))

ipapython/nsslib.py

@@ -29,6 +29,7 @@ import nss.io as io
 import nss.nss as nss
 import nss.ssl as ssl
 import nss.error as error
+from ipaplatform.paths import paths
 
 def auth_certificate_callback(sock, check_sig, is_server, certdb):
     cert_is_valid = False
@@ -309,7 +310,7 @@ if __name__ == "__main__":
     root_logger.info("Start")
 
     if False:
-        conn = NSSConnection("www.verisign.com", 443, dbdir="/etc/pki/nssdb")
+        conn = NSSConnection("www.verisign.com", 443, dbdir=paths.NSS_DB_DIR)
         conn.set_debuglevel(1)
         conn.connect()
         conn.request("GET", "/")
@@ -322,7 +323,7 @@ if __name__ == "__main__":
         conn.close()
 
     if True:
-        h = NSSHTTPS("www.verisign.com", 443, dbdir="/etc/pki/nssdb")
+        h = NSSHTTPS("www.verisign.com", 443, dbdir=paths.NSS_DB_DIR)
         h.connect()
         h.putrequest('GET', '/')
         h.endheaders()

ipapython/platform/base/__init__.py

@@ -1,4 +1,5 @@
 # Authors: Alexander Bokovoy <abokovoy@redhat.com>
+from ipaplatform.paths import paths
 #
 # Copyright (C) 2011  Red Hat
 # see file 'COPYING' for use and warranty information
@@ -17,8 +18,8 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # Firefox paths
-FIREFOX_EXEC = "/usr/bin/firefox"
+FIREFOX_EXEC = paths.FIREFOX
-FIREFOX_INSTALL_DIRS = ["/usr/lib64/firefox", "/usr/lib/firefox"]
+FIREFOX_INSTALL_DIRS = [paths.LIB64_FIREFOX, paths.LIB_FIREFOX]
 # /firefox/install/dir/FIREFOX_PREFERENCES_REL_PATH
 FIREFOX_PREFERENCES_REL_PATH = "browser/defaults/preferences"
 

ipapython/platform/fedora16/selinux.py

@@ -1,4 +1,5 @@
 # Author: Alexander Bokovoy <abokovoy@redhat.com>
+from ipaplatform.paths import paths
 #
 # Copyright (C) 2011   Red Hat
 # see file 'COPYING' for use and warranty information
@@ -19,8 +20,8 @@
 
 from ipapython.platform import redhat
 
-def restore_context(filepath, restorecon='/usr/sbin/restorecon'):
+def restore_context(filepath, restorecon=paths.RESTORECON):
     return redhat.restore_context(filepath, restorecon)
 
-def check_selinux_status(restorecon='/usr/sbin/restorecon'):
+def check_selinux_status(restorecon=paths.RESTORECON):
     return redhat.check_selinux_status(restorecon)

ipapython/sysrestore.py

@@ -33,8 +33,9 @@ import string
 
 from ipapython import ipautil
 from ipaplatform.tasks import tasks
+from ipaplatform.paths import paths
 
-SYSRESTORE_PATH = "/tmp"
+SYSRESTORE_PATH = paths.TMP
 SYSRESTORE_INDEXFILE = "sysrestore.index"
 SYSRESTORE_STATEFILE = "sysrestore.state"
 

ipaserver/dcerpc.py

@@ -55,6 +55,7 @@ from dns import resolver, rdatatype
 from dns.exception import DNSException
 import pysss_nss_idmap
 import pysss
+from ipaplatform.paths import paths
 
 __doc__ = _("""
 Classes to manage trust joins using DCE-RPC calls
@@ -474,13 +475,13 @@ class DomainValidator(object):
         realm = api.env.realm
         hostname = api.env.host
         principal = 'HTTP/%s@%s' % (hostname, realm)
-        keytab = '/etc/httpd/conf/ipa.keytab'
+        keytab = paths.IPA_KEYTAB
 
         # Destroy the contents of the ccache
         root_logger.debug('Destroying the contents of the separate ccache')
 
         (stdout, stderr, returncode) = ipautil.run(
-            ['/usr/bin/kdestroy', '-A', '-c', ccache_path],
+            [paths.KDESTROY, '-A', '-c', ccache_path],
             env={'KRB5CCNAME': ccache_path},
             raiseonerr=False)
 
@@ -489,7 +490,7 @@ class DomainValidator(object):
                           'service principal with MS-PAC attached.')
 
         (stdout, stderr, returncode) = ipautil.run(
-            ['/usr/bin/kinit', '-kt', keytab, principal],
+            [paths.KINIT, '-kt', keytab, principal],
             env={'KRB5CCNAME': ccache_path},
             raiseonerr=False)
 

ipaserver/install/adtrustinstance.py

@@ -40,6 +40,7 @@ from ipapython.ipa_log_manager import *
 
 import ipaclient.ipachangeconf
 from ipaplatform import services
+from ipaplatform.paths import paths
 
 
 ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits
@@ -60,7 +61,7 @@ and re-run ipa-adtrust-instal again afterwards.
 """
 
 def check_inst():
-    for smbfile in ['/usr/sbin/smbd', '/usr/bin/net']:
+    for smbfile in [paths.SMBD, paths.NET]:
         if not os.path.exists(smbfile):
             print "%s was not found on this system" % smbfile
             print "Please install the 'samba' packages and " \
@@ -73,7 +74,7 @@ def check_inst():
 
 def ipa_smb_conf_exists():
     try:
-        conf_fd = open('/etc/samba/smb.conf', 'r')
+        conf_fd = open(paths.SMB_CONF, 'r')
     except IOError, err:
         if err.errno == errno.ENOENT:
             return False
@@ -134,7 +135,7 @@ class ADTRUSTInstance(service.Service):
         if fstore:
             self.fstore = fstore
         else:
-            self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+            self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
         self.__setup_default_attributes()
 
@@ -145,8 +146,8 @@ class ADTRUSTInstance(service.Service):
         """
 
         # Constants
-        self.smb_conf = "/etc/samba/smb.conf"
+        self.smb_conf = paths.SMB_CONF
-        self.samba_keytab = "/etc/samba/samba.keytab"
+        self.samba_keytab = paths.SAMBA_KEYTAB
         self.selinux_booleans = ["samba_portmapper"]
         self.cifs_hosts = []
 
@@ -485,7 +486,7 @@ class ADTRUSTInstance(service.Service):
         os.write(tmp_fd, conf)
         os.close(tmp_fd)
 
-        args = ["/usr/bin/net", "conf", "import", tmp_name]
+        args = [paths.NET, "conf", "import", tmp_name]
 
         try:
             ipautil.run(args)
@@ -608,8 +609,8 @@ class ADTRUSTInstance(service.Service):
     def __configure_selinux_for_smbd(self):
         selinux = False
         try:
-            if (os.path.exists('/usr/sbin/selinuxenabled')):
+            if (os.path.exists(paths.SELINUXENABLED)):
-                ipautil.run(["/usr/sbin/selinuxenabled"])
+                ipautil.run([paths.SELINUXENABLED])
                 selinux = True
         except ipautil.CalledProcessError:
             # selinuxenabled returns 1 if not enabled
@@ -620,7 +621,7 @@ class ADTRUSTInstance(service.Service):
             sebools = []
             for var in self.selinux_booleans:
                 try:
-                    (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", var])
+                    (stdout, stderr, returncode) = ipautil.run([paths.GETSEBOOL, var])
                     if stdout and not stderr and returncode == 0:
                         self.backup_state(var, stdout.split()[2])
                         sebools.append(var)
@@ -629,7 +630,7 @@ class ADTRUSTInstance(service.Service):
 
             if sebools:
                 bools = [var + "=true" for var in sebools]
-                args = ["/usr/sbin/setsebool", "-P"]
+                args = [paths.SETSEBOOL, "-P"]
                 args.extend(bools);
                 try:
                     ipautil.run(args)
@@ -665,7 +666,7 @@ class ADTRUSTInstance(service.Service):
                 {'name':'realms', 'type':'section', 'action':'set',
                  'value':ropts}]
 
-        krbconf.changeConf("/etc/krb5.conf", opts)
+        krbconf.changeConf(paths.KRB5_CONF, opts)
 
     def __update_krb5_conf(self):
         """
@@ -673,7 +674,7 @@ class ADTRUSTInstance(service.Service):
         """
 
         try:
-            krb5conf = open("/etc/krb5.conf", 'r')
+            krb5conf = open(paths.KRB5_CONF, 'r')
         except IOError, e:
             self.print_msg("Cannot open /etc/krb5.conf (%s)\n" % str(e))
             return
@@ -908,20 +909,20 @@ class ADTRUSTInstance(service.Service):
             sebool_state = self.restore_state(var)
             if not sebool_state is None:
                 try:
-                    ipautil.run(["/usr/sbin/setsebool",
+                    ipautil.run([paths.SETSEBOOL,
                                  "-P", var, sebool_state])
                 except Exception:
                     self.print_msg(SELINUX_WARNING % dict(var=var))
 
         # Remove samba's credentials cache
-        krb5cc_samba = '/var/run/samba/krb5cc_samba'
+        krb5cc_samba = paths.KRB5CC_SAMBA
         installutils.remove_file(krb5cc_samba)
 
         # Remove samba's configuration file
         installutils.remove_file(self.smb_conf)
 
         # Remove samba's persistent and temporary tdb files
-        tdb_files = [tdb_file for tdb_file in os.listdir("/var/lib/samba/")
+        tdb_files = [tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR)
                                            if tdb_file.endswith(".tdb")]
         for tdb_file in tdb_files:
             installutils.remove_file(tdb_file)

ipaserver/install/bindinstance.py

@@ -35,13 +35,14 @@ from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
 import ipalib
 from ipalib import api, errors
+from ipaplatform.paths import paths
 from ipalib.util import (validate_zonemgr_str, normalize_zonemgr,
         get_dns_forward_zone_update_policy, get_dns_reverse_zone_update_policy,
         normalize_zone, get_reverse_zone_default, zone_is_reverse)
 from ipalib.constants import CACERT
 
-NAMED_CONF = '/etc/named.conf'
+NAMED_CONF = paths.NAMED_CONF
-RESOLV_CONF = '/etc/resolv.conf'
+RESOLV_CONF = paths.RESOLV_CONF
 
 named_conf_section_ipa_start_re = re.compile('\s*dynamic-db\s+"ipa"\s+{')
 named_conf_section_options_start_re = re.compile('\s*options\s+{')
@@ -55,14 +56,14 @@ def check_inst(unattended):
     has_bind = True
     # So far this file is always present in both RHEL5 and Fedora if all the necessary
     # bind packages are installed (RHEL5 requires also the pkg: caching-nameserver)
-    if not os.path.exists('/etc/named.rfc1912.zones'):
+    if not os.path.exists(paths.NAMED_RFC1912_ZONES):
         print "BIND was not found on this system"
         print "Please install the 'bind' package and start the installation again"
         has_bind = False
 
     # Also check for the LDAP BIND plug-in
-    if not os.path.exists('/usr/lib/bind/ldap.so') and \
+    if not os.path.exists(paths.BIND_LDAP_SO) and \
-       not os.path.exists('/usr/lib64/bind/ldap.so'):
+       not os.path.exists(paths.BIND_LDAP_SO_64):
         print "The BIND LDAP plug-in was not found on this system"
         print "Please install the 'bind-dyndb-ldap' package and start the installation again"
         has_bind = False
@@ -458,7 +459,7 @@ class BindInstance(service.Service):
         if fstore:
             self.fstore = fstore
         else:
-            self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+            self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
     suffix = ipautil.dn_attribute_property('_suffix')
 
@@ -758,8 +759,8 @@ class BindInstance(service.Service):
         installutils.kadmin_addprinc(dns_principal)
 
         # Store the keytab on disk
-        self.fstore.backup_file("/etc/named.keytab")
+        self.fstore.backup_file(paths.NAMED_KEYTAB)
-        installutils.create_keytab("/etc/named.keytab", dns_principal)
+        installutils.create_keytab(paths.NAMED_KEYTAB, dns_principal)
         p = self.move_service(dns_principal)
         if p is None:
             # the service has already been moved, perhaps we're doing a DNS reinstall
@@ -770,8 +771,8 @@ class BindInstance(service.Service):
 
         # Make sure access is strictly reserved to the named user
         pent = pwd.getpwnam(self.named_user)
-        os.chown("/etc/named.keytab", pent.pw_uid, pent.pw_gid)
+        os.chown(paths.NAMED_KEYTAB, pent.pw_uid, pent.pw_gid)
-        os.chmod("/etc/named.keytab", 0400)
+        os.chmod(paths.NAMED_KEYTAB, 0400)
 
         # modify the principal so that it is marked as an ipa service so that
         # it can host the memberof attribute, then also add it to the

ipaserver/install/cainstance.py

@@ -59,8 +59,9 @@ from ipaserver.install.installutils import stopped_service
 from ipaserver.plugins import ldap2
 from ipapython.ipa_log_manager import *
 from ipaplatform import services
+from ipaplatform.paths import paths
 
-HTTPD_CONFD = "/etc/httpd/conf.d/"
+HTTPD_CONFD = paths.HTTPD_CONF_D_DIR
 DEFAULT_DSPORT = dogtag.install_constants.DS_PORT
 
 PKI_USER = "pkiuser"
@@ -99,7 +100,7 @@ def check_inst():
         return False
 
     # This is the template tomcat file for a CA
-    if not os.path.exists('/usr/share/pki/ca/conf/server.xml'):
+    if not os.path.exists(paths.PKI_CONF_SERVER_XML):
         return False
 
     return True
@@ -132,7 +133,7 @@ def get_preop_pin(instance_root, instance_name):
 
 def import_pkcs12(input_file, input_passwd, cert_database,
                   cert_passwd):
-    ipautil.run(["/usr/bin/pk12util", "-d", cert_database,
+    ipautil.run([paths.PK12UTIL, "-d", cert_database,
                  "-i", input_file,
                  "-k", cert_passwd,
                  "-w", input_passwd])
@@ -322,7 +323,7 @@ def stop_tracking_certificates(dogtag_constants):
                 "certmonger failed to stop tracking certificate: %s" % str(e))
 
     try:
-        certmonger.stop_tracking('/etc/httpd/alias', nickname='ipaCert')
+        certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname='ipaCert')
     except (ipautil.CalledProcessError, RuntimeError), e:
         root_logger.error(
             "certmonger failed to stop tracking certificate: %s" % str(e))
@@ -444,7 +445,7 @@ class CAInstance(service.Service):
         if self.dogtag_constants.DOGTAG_VERSION >= 10:
             self.step("configuring certificate server instance", self.__spawn_instance)
         else:
-            if not ipautil.dir_exists("/var/lib/pki-ca"):
+            if not ipautil.dir_exists(paths.VAR_LIB_PKI_CA_DIR):
                 self.step("creating pki-ca instance", self.create_instance)
             self.step("configuring certificate server instance", self.__configure_instance)
         self.step("stopping certificate server instance to update CS.cfg", self.__stop)
@@ -526,7 +527,7 @@ class CAInstance(service.Service):
         config.set("CA", "pki_admin_nickname", "ipa-ca-agent")
         config.set("CA", "pki_admin_subject_dn",
             str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
-        config.set("CA", "pki_client_admin_cert_p12", "/root/ca-agent.p12")
+        config.set("CA", "pki_client_admin_cert_p12", paths.CA_AGENT_P12)
 
         # Directory server
         config.set("CA", "pki_ds_ldap_port", str(self.ds_port))
@@ -555,9 +556,9 @@ class CAInstance(service.Service):
 
         if (self.clone):
             cafile = self.pkcs12_info[0]
-            shutil.copy(cafile, "/tmp/ca.p12")
+            shutil.copy(cafile, paths.TMP_CA_P12)
             pent = pwd.getpwnam(PKI_USER)
-            os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid)
+            os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid)
 
             # Security domain registration
             config.set("CA", "pki_security_domain_hostname", self.master_host)
@@ -567,7 +568,7 @@ class CAInstance(service.Service):
 
             # Clone
             config.set("CA", "pki_clone", "True")
-            config.set("CA", "pki_clone_pkcs12_path", "/tmp/ca.p12")
+            config.set("CA", "pki_clone_pkcs12_path", paths.TMP_CA_P12)
             config.set("CA", "pki_clone_pkcs12_password", self.dm_password)
             config.set("CA", "pki_clone_replication_security", "TLS")
             config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port))
@@ -593,7 +594,7 @@ class CAInstance(service.Service):
         # Define the things we don't want logged
         nolog = (self.admin_password, self.dm_password,)
 
-        args = ["/usr/sbin/pkispawn", "-s", "CA", "-f", cfg_file ]
+        args = [paths.PKISPAWN, "-s", "CA", "-f", cfg_file ]
 
         with open(cfg_file) as f:
             root_logger.debug(
@@ -613,8 +614,8 @@ class CAInstance(service.Service):
             print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
             sys.exit(0)
         else:
-            shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
+            shutil.move(paths.CA_BACKUP_KEYS_P12, \
-                        "/root/cacert.p12")
+                        paths.CACERT_P12)
 
         root_logger.debug("completed creating ca instance")
 
@@ -624,8 +625,8 @@ class CAInstance(service.Service):
         """
         # Only used for Dogtag 9
 
-        args = ['/usr/bin/pkicreate',
+        args = [paths.PKICREATE,
-                '-pki_instance_root', '/var/lib',
+                '-pki_instance_root', paths.VAR_LIB,
                 '-pki_instance_name',
                         self.dogtag_constants.PKI_INSTANCE_NAME,
                 '-subsystem_type', 'ca',
@@ -660,9 +661,9 @@ class CAInstance(service.Service):
             root_logger.debug("ca user %s exists" % PKI_USER)
         except KeyError:
             root_logger.debug("adding ca user %s" % PKI_USER)
-            args = ["/usr/sbin/useradd", "-c", "CA System User",
+            args = [paths.USERADD, "-c", "CA System User",
-                                         "-d", "/var/lib",
+                                         "-d", paths.VAR_LIB,
-                                         "-s", "/sbin/nologin",
+                                         "-s", paths.NOLOGIN,
                                          "-M", "-r", PKI_USER]
             try:
                 ipautil.run(args)
@@ -676,7 +677,7 @@ class CAInstance(service.Service):
             self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME)
 
         try:
-            args = ["/usr/bin/perl", "/usr/bin/pkisilent",  "ConfigureCA",
+            args = [paths.PERL, paths.PKISILENT,  "ConfigureCA",
                     "-cs_hostname", self.fqdn,
                     "-cs_port", str(self.dogtag_constants.ADMIN_SECURE_PORT),
                     "-client_certdb_dir", self.ca_agent_db,
@@ -731,9 +732,9 @@ class CAInstance(service.Service):
                 """
                 # The install wizard expects the file to be here.
                 cafile = self.pkcs12_info[0]
-                shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12")
+                shutil.copy(cafile, paths.PKI_ALIAS_CA_P12)
                 pent = pwd.getpwnam(PKI_USER)
-                os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid )
+                os.chown(paths.PKI_ALIAS_CA_P12, pent.pw_uid, pent.pw_gid )
                 args.append("-clone")
                 args.append("true")
                 args.append("-clone_p12_file")
@@ -773,8 +774,8 @@ class CAInstance(service.Service):
 
         # pkisilent makes a copy of the CA PKCS#12 file for us but gives
         # it a lousy name.
-        if ipautil.file_exists("/root/tmp-ca.p12"):
+        if ipautil.file_exists(paths.ROOT_TMP_CA_P12):
-            shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
+            shutil.move(paths.ROOT_TMP_CA_P12, paths.CACERT_P12)
 
         root_logger.debug("completed creating ca instance")
 
@@ -805,7 +806,7 @@ class CAInstance(service.Service):
 
         # Look thru the cert chain to get all the certs we need to add
         # trust for
-        p = subprocess.Popen(["/usr/bin/certutil", "-d", self.ca_agent_db,
+        p = subprocess.Popen([paths.CERTUTIL, "-d", self.ca_agent_db,
                               "-O", "-n", "ipa-ca-agent"], stdout=subprocess.PIPE)
 
         chain = p.stdout.read()
@@ -836,7 +837,7 @@ class CAInstance(service.Service):
         # to use the final RA agent database when issuing certs for DS and
         # mod_nss.
         args = [
-            '/usr/bin/sslget',
+            paths.SSLGET,
             '-v',
             '-n', 'ipa-ca-agent',
             '-p', self.admin_password,
@@ -857,7 +858,7 @@ class CAInstance(service.Service):
 
         # Now issue the RA certificate.
         args = [
-            '/usr/bin/sslget',
+            paths.SSLGET,
             '-v',
             '-n', 'ipa-ca-agent',
             '-p', self.admin_password,
@@ -951,7 +952,7 @@ class CAInstance(service.Service):
             database = self.ra_agent_db
         if not pwd_file:
             pwd_file = self.ra_agent_pwd
-        new_args = ["/usr/bin/certutil", "-d", database, "-f", pwd_file]
+        new_args = [paths.CERTUTIL, "-d", database, "-f", pwd_file]
         new_args = new_args + args
         return ipautil.run(new_args, stdin, nolog=(pwd_file,))
 
@@ -987,9 +988,9 @@ class CAInstance(service.Service):
         os.write(pwd_fd, self.admin_password)
         os.close(pwd_fd)
         try:
-            ipautil.run(["/usr/bin/pk12util",
+            ipautil.run([paths.PK12UTIL,
                          "-n", "ipa-ca-agent",
-                         "-o", "/root/ca-agent.p12",
+                         "-o", paths.CA_AGENT_P12,
                          "-d", self.ca_agent_db,
                          "-k", pwd_name,
                          "-w", pwd_name])
@@ -1008,7 +1009,7 @@ class CAInstance(service.Service):
         # makes openssl throw up.
         data = base64.b64decode(chain)
 
-        (certlist, stderr, returncode) = ipautil.run(["/usr/bin/openssl",
+        (certlist, stderr, returncode) = ipautil.run([paths.OPENSSL,
              "pkcs7",
              "-inform",
              "DER",
@@ -1318,11 +1319,11 @@ class CAInstance(service.Service):
 
         try:
             if self.dogtag_constants.DOGTAG_VERSION >= 10:
-                ipautil.run(["/usr/sbin/pkidestroy", "-i",
+                ipautil.run([paths.PKIDESTROY, "-i",
                                 self.dogtag_constants.PKI_INSTANCE_NAME,
                              "-s", "CA"])
             else:
-                ipautil.run(["/usr/bin/pkiremove",
+                ipautil.run([paths.PKIREMOVE,
                              "-pki_instance_root=/var/lib",
                              "-pki_instance_name=%s" %
                                 self.dogtag_constants.PKI_INSTANCE_NAME,
@@ -1401,7 +1402,7 @@ class CAInstance(service.Service):
         if not path:
             iface.add_known_ca(
                 'dogtag-ipa-ca-renew-agent',
-                '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit', [])
+                paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, [])
 
     def configure_agent_renewal(self):
         try:
@@ -1409,8 +1410,8 @@ class CAInstance(service.Service):
                 ca='dogtag-ipa-ca-renew-agent',
                 nickname='ipaCert',
                 pin=None,
-                pinfile='/etc/httpd/alias/pwdfile.txt',
+                pinfile=paths.ALIAS_PWDFILE_TXT,
-                secdir='/etc/httpd/alias',
+                secdir=paths.HTTPD_ALIAS_DIR,
                 pre_command=None,
                 post_command='renew_ra_cert')
         except (ipautil.CalledProcessError, RuntimeError), e:
@@ -1802,5 +1803,5 @@ if __name__ == "__main__":
     standard_logging_setup("install.log")
     ds = dsinstance.DsInstance()
 
-    ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
+    ca = CAInstance("EXAMPLE.COM", paths.HTTPD_ALIAS_DIR)
     ca.configure_instance("catest.example.com", "example.com", "password", "password")

ipaserver/install/certs.py

@@ -42,10 +42,11 @@ from ipalib import pkcs10, x509, api
 from ipalib.errors import CertificateOperationError
 from ipalib.text import _
 from ipaplatform import services
+from ipaplatform.paths import paths
 
 # Apache needs access to this database so we need to create it
 # where apache can reach
-NSS_DIR = "/etc/httpd/alias"
+NSS_DIR = paths.HTTPD_ALIAS_DIR
 
 def find_cert_from_txt(cert, start=0):
     """
@@ -114,7 +115,7 @@ class NSSDatabase(object):
         self.close()
 
     def run_certutil(self, args, stdin=None):
-        new_args = ["/usr/bin/certutil", "-d", self.secdir]
+        new_args = [paths.CERTUTIL, "-d", self.secdir]
         new_args = new_args + args
         return ipautil.run(new_args, stdin)
 
@@ -177,12 +178,12 @@ class NSSDatabase(object):
 
     def import_pkcs12(self, pkcs12_filename, db_password_filename,
                       pkcs12_passwd=None):
-        args = ["/usr/bin/pk12util", "-d", self.secdir,
+        args = [paths.PK12UTIL, "-d", self.secdir,
                 "-i", pkcs12_filename,
                 "-k", db_password_filename, '-v']
         if pkcs12_passwd is not None:
             pkcs12_passwd = pkcs12_passwd + '\n'
-            args = args + ["-w", "/dev/stdin"]
+            args = args + ["-w", paths.DEV_STDIN]
         try:
             ipautil.run(args, stdin=pkcs12_passwd)
         except ipautil.CalledProcessError, e:
@@ -298,7 +299,7 @@ class CertDB(object):
         self.cacert_fname = self.secdir + "/cacert.asc"
         self.pk12_fname = self.secdir + "/cacert.p12"
         self.pin_fname = self.secdir + "/pin.txt"
-        self.pwd_conf = "/etc/httpd/conf/password.conf"
+        self.pwd_conf = paths.HTTPD_PASSWORD_CONF
         self.reqdir = None
         self.certreq_fname = None
         self.certder_fname = None
@@ -328,7 +329,7 @@ class CertDB(object):
         if fstore:
             self.fstore = fstore
         else:
-            self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+            self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
     subject_base = ipautil.dn_attribute_property('_subject_base')
 
@@ -351,7 +352,7 @@ class CertDB(object):
         if self.reqdir is not None:
             return
 
-        self.reqdir = tempfile.mkdtemp('', 'ipa-', '/var/lib/ipa')
+        self.reqdir = tempfile.mkdtemp('', 'ipa-', paths.VAR_LIB_IPA)
         self.certreq_fname = self.reqdir + "/tmpcertreq"
         self.certder_fname = self.reqdir + "/tmpcert.der"
 
@@ -379,7 +380,7 @@ class CertDB(object):
     def run_signtool(self, args, stdin=None):
         with open(self.passwd_fname, "r") as f:
             password = f.readline()
-        new_args = ["/usr/bin/signtool", "-d", self.secdir, "-p", password]
+        new_args = [paths.SIGNTOOL, "-d", self.secdir, "-p", password]
 
         new_args = new_args + args
         ipautil.run(new_args, stdin)
@@ -446,7 +447,7 @@ class CertDB(object):
         os.chmod(self.cacert_fname, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
         if create_pkcs12:
             ipautil.backup_file(self.pk12_fname)
-            ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
+            ipautil.run([paths.PK12UTIL, "-d", self.secdir,
                          "-o", self.pk12_fname,
                          "-n", self.cacert_name,
                          "-w", self.passwd_fname,
@@ -508,7 +509,7 @@ class CertDB(object):
                 libpath = 'lib64'
             else:
                 libpath = 'lib'
-            command = '/usr/%s/ipa/certmonger/%s' % (libpath, command)
+            command = paths.CERTMONGER_COMMAND_TEMPLATE % (libpath, command)
         cmonger = services.knownservices.certmonger
         cmonger.enable()
         services.knownservices.messagebus.start()
@@ -779,7 +780,7 @@ class CertDB(object):
         if nickname is None:
             nickname = get_ca_nickname(api.env.realm)
 
-        ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
+        ipautil.run([paths.PK12UTIL, "-d", self.secdir,
                      "-o", pkcs12_fname,
                      "-n", nickname,
                      "-k", self.passwd_fname,
@@ -787,7 +788,7 @@ class CertDB(object):
 
     def export_pem_p12(self, pkcs12_fname, pkcs12_pwd_fname,
                        nickname, pem_fname):
-        ipautil.run(["/usr/bin/openssl", "pkcs12",
+        ipautil.run([paths.OPENSSL, "pkcs12",
                      "-export", "-name", nickname,
                      "-in", pem_fname, "-out", pkcs12_fname,
                      "-passout", "file:" + pkcs12_pwd_fname])
@@ -857,7 +858,7 @@ class CertDB(object):
 
     def install_pem_from_p12(self, p12_fname, p12_passwd, pem_fname):
         pwd = ipautil.write_tmp_file(p12_passwd)
-        ipautil.run(["/usr/bin/openssl", "pkcs12", "-nodes",
+        ipautil.run([paths.OPENSSL, "pkcs12", "-nodes",
                      "-in", p12_fname, "-out", pem_fname,
                      "-passin", "file:" + pwd.name])
 

ipaserver/install/dsinstance.py

@@ -43,9 +43,10 @@ from ipaplatform.tasks import tasks
 from ipalib.constants import CACERT
 from ipapython.dn import DN
 from ipaplatform import services
+from ipaplatform.paths import paths
 
-SERVER_ROOT_64 = "/usr/lib64/dirsrv"
+SERVER_ROOT_64 = paths.USR_LIB_DIRSRV_64
-SERVER_ROOT_32 = "/usr/lib/dirsrv"
+SERVER_ROOT_32 = paths.USR_LIB_DIRSRV
 
 DS_USER = 'dirsrv'
 DS_GROUP = 'dirsrv'
@@ -75,32 +76,32 @@ def realm_to_serverid(realm_name):
     return "-".join(realm_name.split("."))
 
 def config_dirname(serverid):
-    return "/etc/dirsrv/slapd-" + serverid + "/"
+    return (paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % serverid) + "/"
 
 def schema_dirname(serverid):
     return config_dirname(serverid) + "/schema/"
 
 def erase_ds_instance_data(serverid):
-    installutils.rmtree("/etc/dirsrv/slapd-%s" % serverid)
+    installutils.rmtree(paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % serverid)
 
-    installutils.rmtree("/usr/lib/dirsrv/slapd-%s" % serverid)
+    installutils.rmtree(paths.USR_LIB_SLAPD_INSTANCE_TEMPLATE % serverid)
 
-    installutils.rmtree("/usr/lib64/dirsrv/slapd-%s" % serverid)
+    installutils.rmtree(paths.USR_LIB_DIRSRV_SLAPD_INSTANCE_DIR_TEMPLATE % serverid)
 
-    installutils.rmtree("/var/lib/dirsrv/slapd-%s" % serverid)
+    installutils.rmtree(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % serverid)
 
-    installutils.rmtree("/var/lock/dirsrv/slapd-%s" % serverid)
+    installutils.rmtree(paths.SLAPD_INSTANCE_LOCK_TEMPLATE % serverid)
 
-    installutils.remove_file("/var/run/slapd-%s.socket" % serverid)
+    installutils.remove_file(paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % serverid)
 
-    installutils.rmtree("/var/lib/dirsrv/scripts-%s" % serverid)
+    installutils.rmtree(paths.VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE % serverid)
 
-    installutils.remove_file("/etc/dirsrv/ds.keytab")
+    installutils.remove_file(paths.DS_KEYTAB)
 
-    installutils.remove_file("/etc/sysconfig/dirsrv-%s" % serverid)
+    installutils.remove_file(paths.SYSCONFIG_DIRSRV_INSTANCE % serverid)
 
 #    try:
-#        shutil.rmtree("/var/log/dirsrv/slapd-%s" % serverid)
+#        shutil.rmtree(paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % serverid)
 #    except:
 #        pass
 
@@ -112,7 +113,7 @@ def get_ds_instances():
     matches 389ds behavior.
     '''
 
-    dirsrv_instance_dir='/etc/dirsrv'
+    dirsrv_instance_dir=paths.ETC_DIRSRV
     instance_prefix = 'slapd-'
 
     instances = []
@@ -158,11 +159,11 @@ def create_ds_user():
     except KeyError:
         root_logger.debug('Adding DS user %s', DS_USER)
         args = [
-            '/usr/sbin/useradd',
+            paths.USERADD,
             '-g', DS_GROUP,
             '-c', 'DS System User',
-            '-d', '/var/lib/dirsrv',
+            '-d', paths.VAR_LIB_DIRSRV,
-            '-s', '/sbin/nologin',
+            '-s', paths.NOLOGIN,
             '-M', '-r', DS_USER
         ]
         try:
@@ -184,7 +185,7 @@ def create_ds_group():
     except KeyError:
         group_exists = False
         root_logger.debug('Adding DS group %s', DS_GROUP)
-        args = ['/usr/sbin/groupadd', '-r', DS_GROUP]
+        args = [paths.GROUPADD, '-r', DS_GROUP]
         try:
             ipautil.run(args)
             root_logger.debug('Done adding DS group')
@@ -251,7 +252,7 @@ class DsInstance(service.Service):
         if fstore:
             self.fstore = fstore
         else:
-            self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+            self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
 
     subject_base = ipautil.dn_attribute_property('_subject_base')
@@ -433,13 +434,13 @@ class DsInstance(service.Service):
         pent = pwd.getpwnam(DS_USER)
 
         self.backup_state("serverid", self.serverid)
-        self.fstore.backup_file("/etc/sysconfig/dirsrv")
+        self.fstore.backup_file(paths.SYSCONFIG_DIRSRV)
 
         self.sub_dict['BASEDC'] = self.realm.split('.')[0].lower()
         base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
         root_logger.debug(base_txt)
 
-        target_fname = '/var/lib/dirsrv/boot.ldif'
+        target_fname = paths.DIRSRV_BOOT_LDIF
         base_fd = open(target_fname, "w")
         base_fd.write(base_txt)
         base_fd.close()
@@ -453,11 +454,11 @@ class DsInstance(service.Service):
         inf_fd = ipautil.write_tmp_file(inf_txt)
         inf_txt = re.sub(r"RootDNPwd=.*\n", "", inf_txt)
         root_logger.debug(inf_txt)
-        if ipautil.file_exists("/usr/sbin/setup-ds.pl"):
+        if ipautil.file_exists(paths.SETUP_DS_PL):
-            args = ["/usr/sbin/setup-ds.pl", "--silent", "--logfile", "-", "-f", inf_fd.name]
+            args = [paths.SETUP_DS_PL, "--silent", "--logfile", "-", "-f", inf_fd.name]
             root_logger.debug("calling setup-ds.pl")
         else:
-            args = ["/usr/bin/ds_newinst.pl", inf_fd.name]
+            args = [paths.DS_NEWINST_PL, inf_fd.name]
             root_logger.debug("calling ds_newinst.pl")
         try:
             ipautil.run(args)
@@ -476,7 +477,7 @@ class DsInstance(service.Service):
             print "failed to restart ds instance", e
             root_logger.debug("failed to restart ds instance %s" % e)
         inf_fd.close()
-        os.remove("/var/lib/dirsrv/boot.ldif")
+        os.remove(paths.DIRSRV_BOOT_LDIF)
 
     def __add_default_schemas(self):
         pent = pwd.getpwnam(DS_USER)
@@ -560,7 +561,7 @@ class DsInstance(service.Service):
 
     def __enable_compat_plugin(self):
         ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict)
-        rv = ld.update(['/usr/share/ipa/schema_compat.uldif'])
+        rv = ld.update([paths.SCHEMA_COMPAT_ULDIF])
         if not rv:
             raise RuntimeError("Enabling compatibility plugin failed")
 
@@ -591,8 +592,8 @@ class DsInstance(service.Service):
 
     def configure_dirsrv_ccache(self):
         pent = pwd.getpwnam("dirsrv")
-        ccache = '/tmp/krb5cc_%d' % pent.pw_uid
+        ccache = paths.TMP_KRB5CC % pent.pw_uid
-        filepath = '/etc/sysconfig/dirsrv'
+        filepath = paths.SYSCONFIG_DIRSRV
         if not os.path.exists(filepath):
             # file doesn't exist; create it with correct ownership & mode
             open(filepath, 'a').close()
@@ -753,15 +754,15 @@ class DsInstance(service.Service):
         admpwdfile = ""
 
         try:
-            (dmpwdfd, dmpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
+            (dmpwdfd, dmpwdfile) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA)
             os.write(dmpwdfd, self.dm_password)
             os.close(dmpwdfd)
 
-            (admpwdfd, admpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
+            (admpwdfd, admpwdfile) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA)
             os.write(admpwdfd, password)
             os.close(admpwdfd)
 
-            args = ["/usr/bin/ldappasswd", "-h", self.fqdn,
+            args = [paths.LDAPPASSWD, "-h", self.fqdn,
                     "-ZZ", "-x", "-D", str(DN(('cn', 'Directory Manager'))),
                     "-y", dmpwdfile, "-T", admpwdfile,
                     str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))]
@@ -790,8 +791,8 @@ class DsInstance(service.Service):
         running = self.restore_state("running")
 
         try:
-            self.fstore.restore_file("/etc/security/limits.conf")
+            self.fstore.restore_file(paths.LIMITS_CONF)
-            self.fstore.restore_file("/etc/sysconfig/dirsrv")
+            self.fstore.restore_file(paths.SYSCONFIG_DIRSRV)
         except ValueError, error:
             root_logger.debug(error)
             pass

ipaserver/install/httpinstance.py

@@ -35,19 +35,9 @@ from ipapython.ipa_log_manager import *
 from ipaserver.install import sysupgrade
 from ipalib import api
 from ipaplatform.tasks import tasks
+from ipaplatform.paths import paths
 from ipalib.constants import CACERT
 
-HTTPD_DIR = "/etc/httpd"
-SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
-NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
-
-selinux_warning = """
-WARNING: could not set selinux boolean(s) %(var)s to true.  The web
-interface may not function correctly until this boolean is successfully
-change with the command:
-   /usr/sbin/setsebool -P %(var)s true
-Try updating the policycoreutils and selinux-policy packages.
-"""
 
 def httpd_443_configured():
     """
@@ -58,7 +48,7 @@ def httpd_443_configured():
     False otherwise.
     """
     try:
-        (stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D', 'DUMP_VHOSTS'])
+        (stdout, stderr, rc) = ipautil.run([paths.HTTPD, '-t', '-D', 'DUMP_VHOSTS'])
     except ipautil.CalledProcessError, e:
         service.print_msg("WARNING: cannot check if port 443 is already configured")
         service.print_msg("httpd returned error when checking: %s" % e)
@@ -84,7 +74,7 @@ class HTTPInstance(service.Service):
         if fstore:
             self.fstore = fstore
         else:
-            self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+            self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
         self.cert_nickname = cert_nickname
 
@@ -151,15 +141,15 @@ class HTTPInstance(service.Service):
             else:
                 updates = ["%s=%s" % update for update in changes.iteritems()]
 
-            args = ["/usr/sbin/setsebool", "-P"]
+            args = [paths.SETSEBOOL, "-P"]
             args.extend(updates)
 
             return args
 
         selinux = False
         try:
-            if (os.path.exists('/usr/sbin/selinuxenabled')):
+            if (os.path.exists(paths.SELINUXENABLED)):
-                ipautil.run(["/usr/sbin/selinuxenabled"])
+                ipautil.run([paths.SELINUXENABLED])
                 selinux = True
         except ipautil.CalledProcessError:
             # selinuxenabled returns 1 if not enabled
@@ -173,7 +163,7 @@ class HTTPInstance(service.Service):
                                  ("httpd_manage_ipa", "on"))
             for setting, state in required_settings:
                 try:
-                    (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", setting])
+                    (stdout, stderr, returncode) = ipautil.run([paths.GETSEBOOL, setting])
                     original_state = stdout.split()[2]
                     self.backup_state(setting, original_state)
 
@@ -208,12 +198,12 @@ class HTTPInstance(service.Service):
 
     def __create_http_keytab(self):
         installutils.kadmin_addprinc(self.principal)
-        installutils.create_keytab("/etc/httpd/conf/ipa.keytab", self.principal)
+        installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
         self.move_service(self.principal)
         self.add_cert_to_service()
 
         pent = pwd.getpwnam("apache")
-        os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
+        os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
 
     def remove_httpd_ccache(self):
         # Clean up existing ccache
@@ -222,17 +212,17 @@ class HTTPInstance(service.Service):
         ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
 
     def __configure_http(self):
-        target_fname = '/etc/httpd/conf.d/ipa.conf'
+        target_fname = paths.HTTPD_IPA_CONF
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
-        self.fstore.backup_file("/etc/httpd/conf.d/ipa.conf")
+        self.fstore.backup_file(paths.HTTPD_IPA_CONF)
         http_fd = open(target_fname, "w")
         http_fd.write(http_txt)
         http_fd.close()
         os.chmod(target_fname, 0644)
 
-        target_fname = '/etc/httpd/conf.d/ipa-rewrite.conf'
+        target_fname = paths.HTTPD_IPA_REWRITE_CONF
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict)
-        self.fstore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf")
+        self.fstore.backup_file(paths.HTTPD_IPA_REWRITE_CONF)
         http_fd = open(target_fname, "w")
         http_fd.write(http_txt)
         http_fd.close()
@@ -249,28 +239,28 @@ class HTTPInstance(service.Service):
         #
         # Remove the workaround.
         if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
-            installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False)
+            installutils.set_directive(paths.HTTPD_NSS_CONF, 'Listen', '443', quotes=False)
             sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
 
     def __set_mod_nss_port(self):
-        self.fstore.backup_file(NSS_CONF)
+        self.fstore.backup_file(paths.HTTPD_NSS_CONF)
-        if installutils.update_file(NSS_CONF, '8443', '443') != 0:
+        if installutils.update_file(paths.HTTPD_NSS_CONF, '8443', '443') != 0:
-            print "Updating port in %s failed." % NSS_CONF
+            print "Updating port in %s failed." % paths.HTTPD_NSS_CONF
 
     def __set_mod_nss_nickname(self, nickname):
-        installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
+        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname)
 
     def enable_mod_nss_renegotiate(self):
-        installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on', False)
+        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
-        installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
+        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
     def __set_mod_nss_passwordfile(self):
-        installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
+        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
 
     def __add_include(self):
         """This should run after __set_mod_nss_port so is already backed up"""
-        if installutils.update_file(NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
+        if installutils.update_file(paths.HTTPD_NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
-            print "Adding Include conf.d/ipa-rewrite to %s failed." % NSS_CONF
+            print "Adding Include conf.d/ipa-rewrite to %s failed." % paths.HTTPD_NSS_CONF
 
     def __setup_ssl(self):
         fqdn = self.fqdn
@@ -321,7 +311,7 @@ class HTTPInstance(service.Service):
         tasks.restore_context(certs.NSS_DIR + "/key3.db")
 
     def __setup_autoconfig(self):
-        target_fname = '/usr/share/ipa/html/preferences.html'
+        target_fname = paths.PREFERENCES_HTML
         ipautil.copy_template_file(
             ipautil.SHARE_DIR + "preferences.html.template",
             target_fname, self.sub_dict)
@@ -335,8 +325,8 @@ class HTTPInstance(service.Service):
         # Setup configure.jar
         if db.has_nickname('Signing-Cert'):
             tmpdir = tempfile.mkdtemp(prefix="tmp-")
-            target_fname = '/usr/share/ipa/html/configure.jar'
+            target_fname = paths.CONFIGURE_JAR
-            shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
+            shutil.copy(paths.PREFERENCES_HTML, tmpdir)
             db.run_signtool(["-k", "Signing-Cert",
                             "-Z", target_fname,
                             "-e", ".html", "-p", pwd,
@@ -356,7 +346,7 @@ class HTTPInstance(service.Service):
         ``force`` is true.
         """
 
-        target_fname = '/usr/share/ipa/html/krb.js'
+        target_fname = paths.KRB_JS
         if os.path.exists(target_fname) and not force:
             root_logger.info(
                 '%s exists, skipping install of Firefox extension',
@@ -375,8 +365,8 @@ class HTTPInstance(service.Service):
         # Setup extension
         tmpdir = tempfile.mkdtemp(prefix="tmp-")
         extdir = tmpdir + "/ext"
-        target_fname = "/usr/share/ipa/html/kerberosauth.xpi"
+        target_fname = paths.KERBEROSAUTH_XPI
-        shutil.copytree("/usr/share/ipa/ffextension", extdir)
+        shutil.copytree(paths.FFEXTENSION, extdir)
         if db.has_nickname('Signing-Cert'):
             db.run_signtool(["-k", "Signing-Cert",
                                 "-p", pwd,
@@ -386,14 +376,14 @@ class HTTPInstance(service.Service):
             root_logger.warning('Object-signing certificate was not found. '
                 'Creating unsigned Firefox configuration extension.')
             filenames = os.listdir(extdir)
-            ipautil.run(['/usr/bin/zip', '-r', target_fname] + filenames,
+            ipautil.run([paths.ZIP, '-r', target_fname] + filenames,
                 cwd=extdir)
         shutil.rmtree(tmpdir)
         os.chmod(target_fname, 0644)
 
     def __publish_ca_cert(self):
         ca_db = certs.CertDB(self.realm)
-        ca_db.publish_ca_cert("/usr/share/ipa/html/ca.crt")
+        ca_db.publish_ca_cert(paths.CA_CRT)
 
     def uninstall(self):
         if self.is_configured():
@@ -409,7 +399,7 @@ class HTTPInstance(service.Service):
         if not enabled is None and not enabled:
             self.disable()
 
-        for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]:
+        for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF]:
             try:
                 self.fstore.restore_file(f)
             except ValueError, error:
@@ -417,15 +407,15 @@ class HTTPInstance(service.Service):
                 pass
 
         # Remove the configuration files we create
-        installutils.remove_file("/etc/httpd/conf.d/ipa-rewrite.conf")
+        installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
-        installutils.remove_file("/etc/httpd/conf.d/ipa.conf")
+        installutils.remove_file(paths.HTTPD_IPA_CONF)
-        installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf")
+        installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
 
         for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
             sebool_state = self.restore_state(var)
             if not sebool_state is None:
                 try:
-                    ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state])
+                    ipautil.run([paths.SETSEBOOL, "-P", var, sebool_state])
                 except ipautil.CalledProcessError, e:
                     self.print_msg("Cannot restore SELinux boolean '%s' back to '%s': %s" \
                             % (var, sebool_state, e))

ipaserver/install/installutils.py

@@ -43,6 +43,7 @@ from ipalib import errors
 from ipapython.dn import DN
 from ipaserver.install import certs, service
 from ipaplatform import services
+from ipaplatform.paths import paths
 
 # Used to determine install status
 IPA_MODULES = [
@@ -172,7 +173,7 @@ def verify_fqdn(host_name, no_host_dns=False, local_hostname=True):
             raise HostReverseLookupError("The host name %s does not match the reverse lookup %s" % (host_name, revname))
         verified.add(address)
 
-def record_in_hosts(ip, host_name=None, file="/etc/hosts"):
+def record_in_hosts(ip, host_name=None, file=paths.HOSTS):
     """
     Search record in /etc/hosts - static table lookup for hostnames
 
@@ -209,7 +210,7 @@ def record_in_hosts(ip, host_name=None, file="/etc/hosts"):
 
     return None
 
-def add_record_to_hosts(ip, host_name, file="/etc/hosts"):
+def add_record_to_hosts(ip, host_name, file=paths.HOSTS):
     hosts_fd = open(file, 'r+')
     hosts_fd.seek(0, 2)
     hosts_fd.write(ip+'\t'+host_name+' '+host_name.split('.')[0]+'\n')
@@ -488,7 +489,7 @@ def get_server_ip_address(host_name, fstore, unattended, options):
     if hosts_record is None:
         if ip_add_to_hosts:
             print "Adding ["+ip_address+" "+host_name+"] to your /etc/hosts file"
-            fstore.backup_file("/etc/hosts")
+            fstore.backup_file(paths.HOSTS)
             add_record_to_hosts(ip_address, host_name)
     else:
         primary_host = hosts_record[1][0]
@@ -566,7 +567,7 @@ def check_server_configuration():
     Most convenient use case for the function is in install tools that require
     configured IPA for its function.
     """
-    server_fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+    server_fstore = sysrestore.FileStore(paths.SYSRESTORE)
     if not server_fstore.has_files():
         raise RuntimeError("IPA is not configured on this system.")
 
@@ -597,8 +598,8 @@ def is_ipa_configured():
     """
     installed = False
 
-    sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
+    sstore = sysrestore.StateFile(paths.SYSRESTORE)
-    fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+    fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
     for module in IPA_MODULES:
         if sstore.has_state(module):

ipaserver/install/ipa_backup.py

@@ -25,6 +25,7 @@ import time
 import pwd
 from optparse import OptionGroup
 from ConfigParser import SafeConfigParser
+from ipaplatform.paths import paths
 from ipaplatform import services
 
 from ipalib import api, errors
@@ -62,14 +63,14 @@ EOF
       --keyring /root/backup.pub --list-secret-keys
 """
 
-BACKUP_DIR = '/var/lib/ipa/backup'
+BACKUP_DIR = paths.IPA_BACKUP_DIR
 
 
 def encrypt_file(filename, keyring, remove_original=True):
     source = filename
     dest = filename + '.gpg'
 
-    args = ['/usr/bin/gpg',
+    args = [paths.GPG,
             '--batch',
             '--default-recipient-self',
             '-o', dest]
@@ -96,91 +97,91 @@ def encrypt_file(filename, keyring, remove_original=True):
 
 class Backup(admintool.AdminTool):
     command_name = 'ipa-backup'
-    log_file_name = '/var/log/ipabackup.log'
+    log_file_name = paths.IPABACKUP_LOG
 
     usage = "%prog [options]"
 
     description = "Back up IPA files and databases."
 
-    dirs = ('/usr/share/ipa/html',
+    dirs = (paths.IPA_HTML_DIR,
-        '/root/.pki',
+        paths.ROOT_PKI,
-        '/etc/pki-ca',
+        paths.ETC_PKI_CA_DIR,
-        '/etc/pki/pki-tomcat',
+        paths.PKI_TOMCAT,
-        '/etc/sysconfig/pki',
+        paths.SYSCONFIG_PKI,
-        '/etc/httpd/alias',
+        paths.HTTPD_ALIAS_DIR,
-        '/var/lib/pki',
+        paths.VAR_LIB_PKI_DIR,
-        '/var/lib/pki-ca',
+        paths.VAR_LIB_PKI_CA_DIR,
-        '/var/lib/ipa/sysrestore',
+        paths.SYSRESTORE,
-        '/var/lib/ipa-client/sysrestore',
+        paths.IPA_CLIENT_SYSRESTORE,
-        '/var/lib/sss/pubconf/krb5.include.d',
+        paths.SSS_KRB5_INCLUDE_D,
-        '/var/lib/authconfig/last',
+        paths.AUTHCONFIG_LAST,
-        '/var/lib/certmonger',
+        paths.VAR_LIB_CERTMONGER_DIR,
-        '/var/lib/ipa',
+        paths.VAR_LIB_IPA,
-        '/var/run/dirsrv',
+        paths.VAR_RUN_DIRSRV_DIR,
-        '/var/lock/dirsrv',
+        paths.DIRSRV_LOCK_DIR,
     )
 
     files = (
-        '/etc/named.conf',
+        paths.NAMED_CONF,
-        '/etc/named.keytab',
+        paths.NAMED_KEYTAB,
-        '/etc/resolv.conf',
+        paths.RESOLV_CONF,
-        '/etc/sysconfig/pki-ca',
+        paths.SYSCONFIG_PKI_CA_DIR,
-        '/etc/sysconfig/pki-tomcat',
+        paths.SYSCONFIG_PKI_TOMCAT,
-        '/etc/sysconfig/dirsrv',
+        paths.SYSCONFIG_DIRSRV,
-        '/etc/sysconfig/ntpd',
+        paths.SYSCONFIG_NTPD,
-        '/etc/sysconfig/krb5kdc',
+        paths.SYSCONFIG_KRB5KDC_DIR,
-        '/etc/sysconfig/pki/ca/pki-ca',
+        paths.SYSCONFIG_PKI_CA_PKI_CA_DIR,
-        '/etc/sysconfig/authconfig',
+        paths.ETC_SYSCONFIG_AUTHCONFIG,
-        '/etc/pki/nssdb/cert8.db',
+        paths.NSSDB_CERT8_DB,
-        '/etc/pki/nssdb/key3.db',
+        paths.NSSDB_KEY3_DB,
-        '/etc/pki/nssdb/secmod.db',
+        paths.NSSDB_SECMOD_DB,
-        '/etc/nsswitch.conf',
+        paths.NSSWITCH_CONF,
-        '/etc/krb5.keytab',
+        paths.KRB5_KEYTAB,
-        '/etc/sssd/sssd.conf',
+        paths.SSSD_CONF,
-        '/etc/openldap/ldap.conf',
+        paths.OPENLDAP_LDAP_CONF,
-        '/etc/security/limits.conf',
+        paths.LIMITS_CONF,
-        '/etc/httpd/conf/password.conf',
+        paths.HTTPD_PASSWORD_CONF,
-        '/etc/httpd/conf/ipa.keytab',
+        paths.IPA_KEYTAB,
-        '/etc/httpd/conf.d/ipa-pki-proxy.conf',
+        paths.HTTPD_IPA_PKI_PROXY_CONF,
-        '/etc/httpd/conf.d/ipa-rewrite.conf',
+        paths.HTTPD_IPA_REWRITE_CONF,
-        '/etc/httpd/conf.d/nss.conf',
+        paths.HTTPD_NSS_CONF,
-        '/etc/httpd/conf.d/ipa.conf',
+        paths.HTTPD_IPA_CONF,
-        '/etc/ssh/sshd_config',
+        paths.SSHD_CONFIG,
-        '/etc/ssh/ssh_config',
+        paths.SSH_CONFIG,
-        '/etc/krb5.conf',
+        paths.KRB5_CONF,
-        '/etc/group',
+        paths.GROUP,
-        '/etc/passwd',
+        paths.PASSWD,
         CACERT,
-        '/etc/ipa/default.conf',
+        paths.IPA_DEFAULT_CONF,
-        '/etc/dirsrv/ds.keytab',
+        paths.DS_KEYTAB,
-        '/etc/ntp.conf',
+        paths.NTP_CONF,
-        '/etc/samba/smb.conf',
+        paths.SMB_CONF,
-        '/etc/samba/samba.keytab',
+        paths.SAMBA_KEYTAB,
-        '/root/ca-agent.p12',
+        paths.CA_AGENT_P12,
-        '/root/cacert.p12',
+        paths.CACERT_P12,
-        '/var/kerberos/krb5kdc/kdc.conf',
+        paths.KRB5KDC_KDC_CONF,
-        '/etc/systemd/system/multi-user.target.wants/ipa.service',
+        paths.SYSTEMD_IPA_SERVICE,
-        '/etc/systemd/system/multi-user.target.wants/sssd.service',
+        paths.SYSTEMD_SSSD_SERVICE,
-        '/etc/systemd/system/multi-user.target.wants/certmonger.service',
+        paths.SYSTEMD_CERTMONGER_SERVICE,
-        '/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service',
+        paths.SYSTEMD_PKI_TOMCAT_SERVICE,
-        '/var/run/ipa/services.list',
+        paths.SVC_LIST_FILE,
     )
 
     logs=(
-      '/var/log/pki-ca',
+      paths.PKI_CA_LOG_DIR,
-      '/var/log/pki/',
+      paths.VAR_LOG_PKI_DIR,
-      '/var/log/dirsrv/slapd-PKI-IPA',
+      paths.VAR_LOG_SLAPD_PKI_IPA_DIR,
-      '/var/log/httpd',
+      paths.VAR_LOG_HTTPD_DIR,
-      '/var/log/ipaserver-install.log',
+      paths.IPASERVER_INSTALL_LOG,
-      '/var/log/kadmind.log',
+      paths.KADMIND_LOG,
-      '/var/log/pki-ca-install.log',
+      paths.PKI_CA_INSTALL_LOG,
-      '/var/log/messages',
+      paths.MESSAGES,
-      '/var/log/ipaclient-install.log',
+      paths.IPACLIENT_INSTALL_LOG,
-      '/var/log/secure',
+      paths.LOG_SECURE,
-      '/var/log/ipaserver-uninstall.log',
+      paths.IPASERVER_UNINSTALL_LOG,
-      '/var/log/pki-ca-uninstall.log',
+      paths.PKI_CA_UNINSTALL_LOG,
-      '/var/log/ipaclient-uninstall.log',
+      paths.IPACLIENT_UNINSTALL_LOG,
-      '/var/named/data/named.run',
+      paths.NAMED_RUN,
     )
 
     def __init__(self, options, args):
@@ -277,8 +278,8 @@ class Backup(admintool.AdminTool):
                 run(['ipactl', 'stop'])
 
             for instance in [realm_to_serverid(api.env.realm), 'PKI-IPA']:
-                if os.path.exists('/var/lib/dirsrv/slapd-%s' % instance):
+                if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % instance):
-                    if os.path.exists('/var/lib/dirsrv/slapd-%s/db/ipaca' % instance):
+                    if os.path.exists(paths.IPACA_DIRSRV_INSTANCE_DB_TEMPLATE % instance):
                         self.db2ldif(instance, 'ipaca', online=options.online)
                     self.db2ldif(instance, 'userRoot', online=options.online)
                     self.db2bak(instance, online=options.online)
@@ -310,26 +311,26 @@ class Backup(admintool.AdminTool):
               instance.
         '''
         for dir in [
-                '/etc/dirsrv/slapd-%s' % realm_to_serverid(api.env.realm),
+                paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % realm_to_serverid(api.env.realm),
-                '/var/lib/dirsrv/scripts-%s' % realm_to_serverid(api.env.realm),
+                paths.VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE % realm_to_serverid(api.env.realm),
-                '/var/lib/dirsrv/slapd-%s' % realm_to_serverid(api.env.realm),
+                paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % realm_to_serverid(api.env.realm),
-                '/usr/lib64/dirsrv/slapd-PKI-IPA',
+                paths.VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE,
-                '/usr/lib/dirsrv/slapd-PKI-IPA',
+                paths.USR_LIB_SLAPD_PKI_IPA_DIR,
-                '/etc/dirsrv/slapd-PKI-IPA',
+                paths.ETC_SLAPD_PKI_IPA_DIR,
-                '/var/lib/dirsrv/slapd-PKI-IPA',
+                paths.VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE,
                 self.__find_scripts_dir('PKI-IPA'),
             ]:
             if os.path.exists(dir):
                 self.dirs.append(dir)
 
         for file in [
-                '/etc/sysconfig/dirsrv-%s' % realm_to_serverid(api.env.realm),
+                paths.SYSCONFIG_DIRSRV_INSTANCE % realm_to_serverid(api.env.realm),
-                '/etc/sysconfig/dirsrv-PKI-IPA']:
+                paths.SYSCONFIG_DIRSRV_PKI_IPA_DIR]:
             if os.path.exists(file):
                 self.files.append(file)
 
         for log in [
-              '/var/log/dirsrv/slapd-%s' % realm_to_serverid(api.env.realm),]:
+              paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % realm_to_serverid(api.env.realm),]:
             self.logs.append(log)
 
 
@@ -372,7 +373,7 @@ class Backup(admintool.AdminTool):
 
         ldifname = '%s-%s.ldif' % (instance, backend)
         ldiffile = os.path.join(
-            '/var/lib/dirsrv/slapd-%s/ldif' % instance,
+            paths.SLAPD_INSTANCE_LDIF_DIR_TEMPLATE % instance,
             ldifname)
 
         if online:
@@ -421,7 +422,7 @@ class Backup(admintool.AdminTool):
         cn = time.strftime('backup_%Y_%m_%d_%H_%M_%S')
         dn = DN(('cn', cn), ('cn', 'backup'), ('cn', 'tasks'), ('cn', 'config'))
 
-        bakdir = os.path.join('/var/lib/dirsrv/slapd-%s/bak/%s' % (instance, instance))
+        bakdir = os.path.join(paths.SLAPD_INSTANCE_BACKUP_DIR_TEMPLATE % (instance, instance))
 
         if online:
             conn = self.get_connection()
@@ -560,10 +561,10 @@ class Backup(admintool.AdminTool):
         does so we need to probe for it.
         """
         if instance != 'PKI-IPA':
-            return os.path.join('/var/lib/dirsrv', 'scripts-%s' % instance)
+            return os.path.join(paths.VAR_LIB_DIRSRV, 'scripts-%s' % instance)
         else:
             if sys.maxsize > 2**32L:
                 libpath = 'lib64'
             else:
                 libpath = 'lib'
-            return os.path.join('/usr', libpath, 'dirsrv', 'slapd-PKI-IPA')
+            return os.path.join(paths.USR_DIR, libpath, 'dirsrv', 'slapd-PKI-IPA')

ipaserver/install/ipa_ldap_updater.py

@@ -30,6 +30,7 @@ import krbV
 
 from ipalib import api
 from ipapython import ipautil, admintool
+from ipaplatform.paths import paths
 from ipaserver.install import installutils, dsinstance, schemaupdate
 from ipaserver.install.ldapupdate import LDAPUpdate, UPDATES_DIR
 from ipaserver.install.upgradeinstance import IPAUpgrade
@@ -94,7 +95,7 @@ class LDAPUpdater(admintool.AdminTool):
             except RuntimeError, e:
                 print unicode(e)
                 sys.exit(1)
-        elif not os.path.exists('/etc/ipa/default.conf'):
+        elif not os.path.exists(paths.IPA_DEFAULT_CONF):
             print "IPA is not configured on this system."
             sys.exit(1)
 
@@ -124,7 +125,7 @@ class LDAPUpdater(admintool.AdminTool):
 
 
 class LDAPUpdater_Upgrade(LDAPUpdater):
-    log_file_name = '/var/log/ipaupgrade.log'
+    log_file_name = paths.IPAUPGRADE_LOG
 
     def validate_options(self):
         if os.getegid() != 0:
@@ -154,7 +155,7 @@ class LDAPUpdater_Upgrade(LDAPUpdater):
 
 
 class LDAPUpdater_NonUpgrade(LDAPUpdater):
-    log_file_name = '/var/log/ipaupgrade.log'
+    log_file_name = paths.IPAUPGRADE_LOG
 
     def validate_options(self):
         super(LDAPUpdater_NonUpgrade, self).validate_options()

ipaserver/install/ipa_replica_prepare.py

@@ -34,6 +34,7 @@ from ipapython.dn import DN
 from ipapython import version
 from ipalib import api
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipalib.constants import CACERT
 
 
@@ -60,7 +61,7 @@ class ReplicaPrepare(admintool.AdminTool):
         parser.add_option("--no-pkinit", dest="setup_pkinit",
             action="store_false", default=True,
             help="disables pkinit setup steps")
-        parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
+        parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
             metavar="FILE",
             help="location of CA PKCS#12 file, default /root/cacert.p12")
 
@@ -358,16 +359,16 @@ class ReplicaPrepare(admintool.AdminTool):
         self.log.info("Copying additional files")
 
         self.copy_info_file(CACERT, "ca.crt")
-        preferences_filename = "/usr/share/ipa/html/preferences.html"
+        preferences_filename = paths.PREFERENCES_HTML
         if ipautil.file_exists(preferences_filename):
             self.copy_info_file(preferences_filename, "preferences.html")
-            self.copy_info_file("/usr/share/ipa/html/krb.js", "krb.js")
+            self.copy_info_file(paths.KRB_JS, "krb.js")
             self.copy_info_file(
-                "/usr/share/ipa/html/kerberosauth.xpi", "kerberosauth.xpi")
+                paths.KERBEROSAUTH_XPI, "kerberosauth.xpi")
-        jar_filename = "/usr/share/ipa/html/configure.jar"
+        jar_filename = paths.CONFIGURE_JAR
         if ipautil.file_exists(jar_filename):
             self.copy_info_file(jar_filename, "configure.jar")
-        cacert_filename = "/var/kerberos/krb5kdc/cacert.pem"
+        cacert_filename = paths.CACERT_PEM
         if ipautil.file_exists(cacert_filename):
             self.copy_info_file(cacert_filename, "cacert.pem")
 
@@ -387,12 +388,12 @@ class ReplicaPrepare(admintool.AdminTool):
             config.write(fd)
 
     def package_replica_file(self):
-        replicafile = "/var/lib/ipa/replica-info-%s" % self.replica_fqdn
+        replicafile = paths.REPLICA_INFO_TEMPLATE % self.replica_fqdn
         encfile = "%s.gpg" % replicafile
 
         self.log.info("Packaging replica information into %s", encfile)
         ipautil.run(
-            ["/bin/tar", "cf", replicafile, "-C", self.top_dir, "realm_info"])
+            [paths.TAR, "cf", replicafile, "-C", self.top_dir, "realm_info"])
         ipautil.encrypt_file(
             replicafile, encfile, self.dirman_password, self.top_dir)
 
@@ -546,7 +547,7 @@ class ReplicaPrepare(admintool.AdminTool):
         dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
 
         keydb_pwd = ''
-        with open('/etc/pki/pki-tomcat/password.conf') as f:
+        with open(paths.PKI_TOMCAT_PASSWORD_CONF) as f:
             for line in f.readlines():
                 key, value = line.strip().split('=')
                 if key == 'internal':
@@ -556,8 +557,8 @@ class ReplicaPrepare(admintool.AdminTool):
         keydb_pwd_fd = ipautil.write_tmp_file(keydb_pwd)
 
         ipautil.run([
-            '/usr/bin/PKCS12Export',
+            paths.PKCS12EXPORT,
-            '-d', '/etc/pki/pki-tomcat/alias/',
+            '-d', paths.PKI_TOMCAT_ALIAS_DIR,
             '-p', keydb_pwd_fd.name,
             '-w', dm_pwd_fd.name,
             '-o', ca_file

ipaserver/install/ipa_restore.py

@@ -40,6 +40,7 @@ from ipapython import ipaldap
 from ipaplatform.tasks import tasks
 from ipaserver.install.ipa_backup import BACKUP_DIR
 from ipaplatform import services
+from ipaplatform.paths import paths
 
 
 def recursive_chown(path, uid, gid):
@@ -65,7 +66,7 @@ def decrypt_file(tmpdir, filename, keyring):
     dest = os.path.basename(dest)
     dest = os.path.join(tmpdir, dest)
 
-    args = ['/usr/bin/gpg',
+    args = [paths.GPG,
             '--batch',
             '-o', dest]
 
@@ -88,7 +89,7 @@ def decrypt_file(tmpdir, filename, keyring):
 
 class Restore(admintool.AdminTool):
     command_name = 'ipa-restore'
-    log_file_name = '/var/log/iparestore.log'
+    log_file_name = paths.IPARESTORE_LOG
 
     usage = "%prog [options] backup"
 
@@ -180,7 +181,7 @@ class Restore(admintool.AdminTool):
         if not options.instance:
             instances = []
             for instance in [realm_to_serverid(api.env.realm), 'PKI-IPA']:
-                if os.path.exists('/var/lib/dirsrv/slapd-%s' % instance):
+                if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % instance):
                     instances.append(instance)
         else:
             instances = [options.instance]
@@ -277,10 +278,10 @@ class Restore(admintool.AdminTool):
             # have a unified instance we need to restore both userRoot and
             # ipaca.
             for instance in instances:
-                if os.path.exists('/var/lib/dirsrv/slapd-%s' % instance):
+                if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % instance):
                     if options.backend is None:
                         self.ldif2db(instance, 'userRoot', online=options.online)
-                        if os.path.exists('/var/lib/dirsrv/slapd-%s/db/ipaca' % instance):
+                        if os.path.exists(paths.IPACA_DIRSRV_INSTANCE_DB_TEMPLATE % instance):
                             self.ldif2db(instance, 'ipaca', online=options.online)
                     else:
                         self.ldif2db(instance, options.backend, online=options.online)
@@ -589,13 +590,13 @@ class Restore(admintool.AdminTool):
         does so we need to probe for it.
         """
         if instance != 'PKI-IPA':
-            return os.path.join('/var/lib/dirsrv', 'scripts-%s' % instance)
+            return os.path.join(paths.VAR_LIB_DIRSRV, 'scripts-%s' % instance)
         else:
             if sys.maxsize > 2**32L:
                 libpath = 'lib64'
             else:
                 libpath = 'lib'
-            return os.path.join('/usr', libpath, 'dirsrv', 'slapd-PKI-IPA')
+            return os.path.join(paths.USR_DIR, libpath, 'dirsrv', 'slapd-PKI-IPA')
 
     def __create_dogtag_log_dirs(self):
         """
@@ -606,16 +607,16 @@ class Restore(admintool.AdminTool):
         or a d10-based installation. We can tell based on whether there is
         a PKI-IPA 389-ds instance.
         """
-        if os.path.exists('/etc/dirsrv/slapd-PKI-IPA'): # dogtag 9
+        if os.path.exists(paths.ETC_SLAPD_PKI_IPA_DIR): # dogtag 9
-            topdir = '/var/log/pki-ca'
+            topdir = paths.PKI_CA_LOG_DIR
             dirs = [topdir,
                     '/var/log/pki-ca/signedAudit,']
         else: # dogtag 10
-            topdir = '/var/log/pki/pki-tomcat'
+            topdir = paths.TOMCAT_TOPLEVEL_DIR
             dirs = [topdir,
-                    '/var/log/pki/pki-tomcat/ca',
+                    paths.TOMCAT_CA_DIR,
-                    '/var/log/pki/pki-tomcat/ca/archive',
+                    paths.TOMCAT_CA_ARCHIVE_DIR,
-                    '/var/log/pki/pki-tomcat/ca/signedAudit',]
+                    paths.TOMCAT_SIGNEDAUDIT_DIR,]
 
         if os.path.exists(topdir):
             return

ipaserver/install/ipa_server_certinstall.py

@@ -24,6 +24,7 @@ import os.path
 import pwd
 import optparse
 
+from ipaplatform.paths import paths
 from ipapython import admintool
 from ipapython.dn import DN
 from ipapython.ipautil import user_input, write_tmp_file
@@ -132,14 +133,14 @@ class ServerCertInstall(admintool.AdminTool):
     def install_http_cert(self):
         dirname = certs.NSS_DIR
 
-        old_cert = installutils.get_directive(httpinstance.NSS_CONF,
+        old_cert = installutils.get_directive(paths.HTTPD_NSS_CONF,
                                               'NSSNickname')
 
         server_cert = self.import_cert(dirname, self.options.pin,
                                        old_cert, 'HTTP/%s' % api.env.host,
                                        'restart_httpd')
 
-        installutils.set_directive(httpinstance.NSS_CONF,
+        installutils.set_directive(paths.HTTPD_NSS_CONF,
                                    'NSSNickname', server_cert)
 
         # Fix the database permissions

ipaserver/install/krbinstance.py

@@ -45,6 +45,7 @@ import struct
 import certs
 from distutils import version
 from ipaplatform.tasks import tasks
+from ipaplatform.paths import paths
 
 def update_key_val_in_file(filename, key, val):
     if os.path.exists(filename):
@@ -88,7 +89,7 @@ class KrbInstance(service.Service):
         if fstore:
             self.fstore = fstore
         else:
-            self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+            self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
     suffix = ipautil.dn_attribute_property('_suffix')
     subject_base = ipautil.dn_attribute_property('_subject_base')
@@ -345,11 +346,11 @@ class KrbInstance(service.Service):
             print "Failed to initialize the realm container"
 
     def __configure_instance(self):
-        self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=None)
+        self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
-        self.__template_file("/etc/krb5.conf")
+        self.__template_file(paths.KRB5_CONF)
-        self.__template_file("/usr/share/ipa/html/krb5.ini")
+        self.__template_file(paths.HTML_KRB5_INI)
-        self.__template_file("/usr/share/ipa/html/krb.con")
+        self.__template_file(paths.KRB_CON)
-        self.__template_file("/usr/share/ipa/html/krbrealm.con")
+        self.__template_file(paths.HTML_KRBREALM_CON)
 
         MIN_KRB5KDC_WITH_WORKERS = "1.9"
         cpus = os.sysconf('SC_NPROCESSORS_ONLN')
@@ -367,10 +368,10 @@ class KrbInstance(service.Service):
         appendvars = {}
         if workers and cpus > 1:
             appendvars = {'KRB5KDC_ARGS': "'-w %s'" % str(cpus)}
-        ipautil.backup_config_and_replace_variables(self.fstore, "/etc/sysconfig/krb5kdc",
+        ipautil.backup_config_and_replace_variables(self.fstore, paths.SYSCONFIG_KRB5KDC_DIR,
                                                     replacevars=replacevars,
                                                     appendvars=appendvars)
-        tasks.restore_context("/etc/sysconfig/krb5kdc")
+        tasks.restore_context(paths.SYSCONFIG_KRB5KDC_DIR)
 
     def __write_stash_from_ds(self):
         try:
@@ -390,7 +391,7 @@ class KrbInstance(service.Service):
         format = '=hi%ss' % len(keydata)
         s = struct.pack(format, keytype, len(keydata), keydata)
         try:
-            fd = open("/var/kerberos/krb5kdc/.k5."+self.realm, "w")
+            fd = open(paths.VAR_KRB5KDC_K5_REALM+self.realm, "w")
             fd.write(s)
             fd.close()
         except os.error, e:
@@ -406,23 +407,23 @@ class KrbInstance(service.Service):
         installutils.kadmin_addprinc(ldap_principal)
         self.move_service(ldap_principal)
 
-        self.fstore.backup_file("/etc/dirsrv/ds.keytab")
+        self.fstore.backup_file(paths.DS_KEYTAB)
-        installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal)
+        installutils.create_keytab(paths.DS_KEYTAB, ldap_principal)
 
-        update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
+        update_key_val_in_file(paths.SYSCONFIG_DIRSRV, "KRB5_KTNAME", paths.DS_KEYTAB)
         pent = pwd.getpwnam(dsinstance.DS_USER)
-        os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid)
+        os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid)
 
     def __create_host_keytab(self):
         host_principal = "host/" + self.fqdn + "@" + self.realm
         installutils.kadmin_addprinc(host_principal)
 
-        self.fstore.backup_file("/etc/krb5.keytab")
+        self.fstore.backup_file(paths.KRB5_KEYTAB)
-        installutils.create_keytab("/etc/krb5.keytab", host_principal)
+        installutils.create_keytab(paths.KRB5_KEYTAB, host_principal)
 
         # Make sure access is strictly reserved to root only for now
-        os.chown("/etc/krb5.keytab", 0, 0)
+        os.chown(paths.KRB5_KEYTAB, 0, 0)
-        os.chmod("/etc/krb5.keytab", 0600)
+        os.chmod(paths.KRB5_KEYTAB, 0600)
 
         self.move_service_to_host(host_principal)
 
@@ -433,13 +434,13 @@ class KrbInstance(service.Service):
         if self.pkcs12_info:
             ca_db.install_pem_from_p12(self.pkcs12_info[0],
                                        self.pkcs12_info[1],
-                                       "/var/kerberos/krb5kdc/kdc.pem")
+                                       paths.KDC_PEM)
         else:
             raise RuntimeError("PKI not supported yet\n")
 
         # Finally copy the cacert in the krb directory so we don't
         # have any selinux issues with the file context
-        shutil.copyfile(CACERT, "/var/kerberos/krb5kdc/cacert.pem")
+        shutil.copyfile(CACERT, paths.CACERT_PEM)
 
     def __add_anonymous_pkinit_principal(self):
         princ = "WELLKNOWN/ANONYMOUS"
@@ -472,7 +473,7 @@ class KrbInstance(service.Service):
         except:
             pass
 
-        for f in ["/var/kerberos/krb5kdc/kdc.conf", "/etc/krb5.conf"]:
+        for f in [paths.KRB5KDC_KDC_CONF, paths.KRB5_CONF]:
             try:
                 self.fstore.restore_file(f)
             except ValueError, error:

ipaserver/install/ldapupdate.py

@@ -22,8 +22,6 @@
 # TODO
 # save undo files?
 
-UPDATES_DIR="/usr/share/ipa/updates/"
-
 import sys
 import uuid
 import platform
@@ -41,11 +39,14 @@ from ipaserver.install import installutils
 from ipapython import ipautil, ipaldap
 from ipalib import errors
 from ipalib import api
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import *
 from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE
 from ipaserver.plugins import ldap2
 
+UPDATES_DIR=paths.UPDATES_DIR
+
 
 def connect(ldapi=False, realm=None, fqdn=None, dm_password=None, pw_name=None):
     """Create a connection for updates"""

ipaserver/install/ntpinstance.py

@@ -21,6 +21,7 @@
 import service
 from ipapython import sysrestore
 from ipapython import ipautil
+from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import *
 
 class NTPInstance(service.Service):
@@ -30,20 +31,20 @@ class NTPInstance(service.Service):
         if fstore:
             self.fstore = fstore
         else:
-            self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+            self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
     def __write_config(self):
 
-        self.fstore.backup_file("/etc/ntp.conf")
+        self.fstore.backup_file(paths.NTP_CONF)
-        self.fstore.backup_file("/etc/sysconfig/ntpd")
+        self.fstore.backup_file(paths.SYSCONFIG_NTPD)
 
         # We use the OS variable to point it towards either the rhel
         # or fedora pools. Other distros should be added in the future
         # or we can get our own pool.
         os = ""
-        if ipautil.file_exists("/etc/fedora-release"):
+        if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
             os = "fedora"
-        elif ipautil.file_exists("/etc/redhat-release"):
+        elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
             os = "rhel"
 
         srv_vals = []
@@ -57,7 +58,7 @@ class NTPInstance(service.Service):
         file_changed = False
         fudge_present = False
         ntpconf = []
-        fd = open("/etc/ntp.conf", "r")
+        fd = open(paths.NTP_CONF, "r")
         for line in fd:
             opt = line.split()
             if len(opt) < 1:
@@ -85,7 +86,7 @@ class NTPInstance(service.Service):
             ntpconf.append(line)
 
         if file_changed or len(srv_vals) != 0 or not fudge_present:
-            fd = open("/etc/ntp.conf", "w")
+            fd = open(paths.NTP_CONF, "w")
             for line in ntpconf:
                 fd.write(line)
             fd.write("\n### Added by IPA Installer ###\n")
@@ -99,7 +100,7 @@ class NTPInstance(service.Service):
         #read in memory, find OPTIONS, check/change it, then overwrite file
         needopts = [ {'val':'-x', 'need':True},
                      {'val':'-g', 'need':True} ]
-        fd = open("/etc/sysconfig/ntpd", "r")
+        fd = open(paths.SYSCONFIG_NTPD, "r")
         lines = fd.readlines()
         fd.close()
         for line in lines:
@@ -118,7 +119,7 @@ class NTPInstance(service.Service):
 
         done = False
         if newopts:
-            fd = open("/etc/sysconfig/ntpd", "w")
+            fd = open(paths.SYSCONFIG_NTPD, "w")
             for line in lines:
                 if not done:
                     sline = line.strip()
@@ -167,7 +168,7 @@ class NTPInstance(service.Service):
             self.stop()
 
         try:
-            self.fstore.restore_file("/etc/ntp.conf")
+            self.fstore.restore_file(paths.NTP_CONF)
         except ValueError, error:
             root_logger.debug(error)
             pass

ipaserver/install/plugins/ca_renewal_master.py

@@ -22,6 +22,7 @@ from ipaserver.install import installutils, certs, cainstance
 from ipalib import errors
 from ipalib.plugable import Registry
 from ipapython import certmonger, dogtag
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 
 register = Registry()
@@ -52,7 +53,7 @@ class update_ca_renewal_master(PostUpdate):
             return (False, False, [])
 
         criteria = (
-            ('cert_storage_location', '/etc/httpd/alias', certmonger.NPATH),
+            ('cert_storage_location', paths.HTTPD_ALIAS_DIR, certmonger.NPATH),
             ('cert_nickname', 'ipaCert', None),
         )
         request_id = certmonger.get_request_id(criteria)

ipaserver/install/plugins/updateclient.py

@@ -22,6 +22,7 @@ from ipaserver.install.ldapupdate import LDAPUpdate
 from ipapython.ipautil import wait_for_open_socket
 from ipalib import api
 from ipalib import backend
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 
 class updateclient(backend.Executioner):
@@ -143,7 +144,7 @@ class updateclient(backend.Executioner):
 
     def restart(self, dm_password, live_run):
         dsrestart = DSRestart()
-        socket_name = '/var/run/slapd-%s.socket' % \
+        socket_name = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % \
             api.env.realm.replace('.','-')
         if live_run:
             self.destroy_context()

ipaserver/install/replication.py

@@ -30,6 +30,7 @@ from ipapython.ipa_log_manager import *
 from ipapython import ipautil, dogtag, ipaldap
 from ipapython.dn import DN
 from ipaplatform import services
+from ipaplatform.paths import paths
 
 # the default container used by AD for user entries
 WIN_USER_CONTAINER = DN(('cn', 'Users'))
@@ -68,7 +69,7 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
     Does not return a value, will sys.exit() on failure.
     """
     print "Run connection check to master"
-    args = ["/usr/sbin/ipa-replica-conncheck", "--master", master_host,
+    args = [paths.IPA_REPLICA_CONNCHECK, "--master", master_host,
             "--auto-master-check", "--realm", realm,
             "--principal", "admin",
             "--hostname", host_name]

ipaserver/install/service.py

@@ -29,6 +29,7 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import *
 from ipalib import errors
 from ipaplatform import services
+from ipaplatform.paths import paths
 
 # Autobind modes
 AUTO = 1
@@ -88,7 +89,7 @@ class Service(object):
         if sstore:
             self.sstore = sstore
         else:
-            self.sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
+            self.sstore = sysrestore.StateFile(paths.SYSRESTORE)
 
         self.realm = None
         self.suffix = DN()
@@ -155,7 +156,7 @@ class Service(object):
             if 'RANDOM_PASSWORD' in sub_dict:
                 nologlist.append(sub_dict['RANDOM_PASSWORD'])
 
-        args = ["/usr/bin/ldapmodify", "-v", "-f", path]
+        args = [paths.LDAPMODIFY, "-v", "-f", path]
 
         # As we always connect to the local host,
         # use URI of admin connection

ipaserver/install/sysupgrade.py

@@ -21,9 +21,10 @@ import os
 import os.path
 
 from ipapython import sysrestore
+from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import *
 
-STATEFILE_DIR = '/var/lib/ipa/sysupgrade'
+STATEFILE_DIR = paths.STATEFILE_DIR
 STATEFILE_FILE = 'sysupgrade.state'
 
 _sstore = sysrestore.StateFile(STATEFILE_DIR, STATEFILE_FILE)

ipaserver/install/upgradeinstance.py

@@ -22,6 +22,7 @@ import sys
 import shutil
 import random
 import traceback
+from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import *
 
 from ipaserver.install import installutils
@@ -30,7 +31,7 @@ from ipaserver.install import schemaupdate
 from ipaserver.install import ldapupdate
 from ipaserver.install import service
 
-DSBASE = '/etc/dirsrv/slapd-'
+DSBASE = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE
 DSE = 'dse.ldif'
 
 class IPAUpgrade(service.Service):
@@ -53,8 +54,8 @@ class IPAUpgrade(service.Service):
             ext += h
         service.Service.__init__(self, "dirsrv")
         serverid = dsinstance.realm_to_serverid(realm_name)
-        self.filename = '%s%s/%s' % (DSBASE, serverid, DSE)
+        self.filename = '%s/%s' % (DSBASE % serverid, DSE)
-        self.savefilename = '%s%s/%s.ipa.%s' % (DSBASE, serverid, DSE, ext)
+        self.savefilename = '%s/%s.ipa.%s' % (DSBASE % serverid, DSE, ext)
         self.live_run = live_run
         self.files = files
         self.modified = False

ipaserver/plugins/dogtag.py

@@ -1212,6 +1212,7 @@ from ipalib.constants import TYPE_ERROR
 from ipalib.util import cachedproperty
 from ipapython import dogtag
 from ipalib import _
+from ipaplatform.paths import paths
 
 class ra(rabase.rabase):
     """
@@ -1222,8 +1223,8 @@ class ra(rabase.rabase):
             self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
             self.pwd_file = self.sec_dir + os.sep + '.pwd'
         else:
-            self.sec_dir = "/etc/httpd/alias"
+            self.sec_dir = paths.HTTPD_ALIAS_DIR
-            self.pwd_file = "/etc/httpd/alias/pwdfile.txt"
+            self.pwd_file = paths.ALIAS_PWDFILE_TXT
         self.noise_file = self.sec_dir + os.sep + '.noise'
         self.ipa_key_size = "2048"
         self.ipa_certificate_nickname = "ipaCert"

ipaserver/plugins/rabase.py

@@ -35,6 +35,7 @@ from ipalib import Backend
 from ipalib import errors
 from ipaserver.install import certs
 import os
+from ipaplatform.paths import paths
 
 class rabase(Backend):
     """
@@ -45,8 +46,8 @@ class rabase(Backend):
             self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
             self.pwd_file = self.sec_dir + os.sep + '.pwd'
         else:
-            self.sec_dir = "/etc/httpd/alias"
+            self.sec_dir = paths.HTTPD_ALIAS_DIR
-            self.pwd_file = "/etc/httpd/alias/pwdfile.txt"
+            self.pwd_file = paths.ALIAS_PWDFILE_TXT
         super(rabase, self).__init__()
 
 

ipaserver/rpcserver.py

@@ -51,6 +51,7 @@ from ipalib.krb_utils import (
     KRB5_CCache, krb_ticket_expiration_threshold, krb5_format_principal_name,
     krb5_format_service_principal_name)
 from ipapython import ipautil
+from ipaplatform.paths import paths
 from ipapython.version import VERSION
 from ipalib.text import _
 
@@ -977,7 +978,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
         # get http service ccache as an armor for FAST to enable OTP authentication
         armor_principal = krb5_format_service_principal_name(
             'HTTP', self.api.env.host, realm)
-        keytab = '/etc/httpd/conf/ipa.keytab'
+        keytab = paths.IPA_KEYTAB
         armor_name = "%sA_%s" % (krbccache_prefix, user)
         armor_path = os.path.join(krbccache_dir, armor_name)
 
@@ -985,7 +986,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
                    armor_principal, keytab, armor_path)
 
         (stdout, stderr, returncode) = ipautil.run(
-            ['/usr/bin/kinit', '-kt', keytab, armor_principal],
+            [paths.KINIT, '-kt', keytab, armor_principal],
             env={'KRB5CCNAME': armor_path}, raiseonerr=False)
 
         if returncode != 0:
@@ -995,7 +996,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
         principal = krb5_format_principal_name(user, realm)
 
         (stdout, stderr, returncode) = ipautil.run(
-            ['/usr/bin/kinit', principal, '-T', armor_path],
+            [paths.KINIT, principal, '-T', armor_path],
             env={'KRB5CCNAME': ccache_name}, stdin=password, raiseonerr=False)
 
         self.debug('kinit: principal=%s returncode=%s, stderr="%s"',
@@ -1003,7 +1004,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
 
         self.debug('Cleanup the armor ccache')
         ipautil.run(
-            ['/usr/bin/kdestroy', '-A', '-c', armor_path],
+            [paths.KDESTROY, '-A', '-c', armor_path],
             env={'KRB5CCNAME': armor_path},
             raiseonerr=False)
 

ipatests/beakerlib_plugin.py

@@ -31,6 +31,7 @@ import nose
 from nose.plugins import Plugin
 
 from ipapython import ipautil
+from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import log_mgr
 
 LINK_RE = re.compile(r'https?://[^\s]+')
@@ -63,8 +64,8 @@ class BeakerLibProcess(object):
         # Set up the Bash process
         self.bash = subprocess.Popen(['bash'],
                                      stdin=subprocess.PIPE,
-                                     stdout=open('/dev/null', 'w'),
+                                     stdout=open(paths.DEV_NULL, 'w'),
-                                     stderr=open('/dev/null', 'w'))
+                                     stderr=open(paths.DEV_NULL, 'w'))
         source_path = os.path.join(self.env['BEAKERLIB'], 'beakerlib.sh')
         self.run_beakerlib_command(['.', source_path])
 

ipatests/test_cmdline/cmdline.py

@@ -28,6 +28,7 @@ import os
 
 from ipalib import api
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
 from ipaserver.plugins.ldap2 import ldap2
 
@@ -49,7 +50,7 @@ class cmdline_test(XMLRPC_test):
     Base class for all command-line tests
     """
     # some reasonable default command
-    command = '/bin/ls'
+    command = paths.LS
 
     def setUp(self):
         # Find the executable in $PATH

ipatests/test_install/test_updates.py

@@ -30,6 +30,7 @@ from ipalib import errors
 from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
 from ipaserver.install import installutils
 from ipapython import ipautil, ipaldap
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 
 """
@@ -123,7 +124,7 @@ class test_update(unittest.TestCase):
         for item in ('top', 'person', 'posixaccount', 'krbprincipalaux', 'inetuser'):
             self.assertTrue(item in objectclasses)
 
-        self.assertEqual(entry.single_value['loginshell'], '/bin/bash')
+        self.assertEqual(entry.single_value['loginshell'], paths.BASH)
         self.assertEqual(entry.single_value['sn'], 'User')
         self.assertEqual(entry.single_value['uid'], 'tuser')
         self.assertEqual(entry.single_value['cn'], 'Test User')
@@ -307,7 +308,7 @@ class test_update(unittest.TestCase):
         for item in ('top', 'person', 'posixaccount', 'krbprincipalaux', 'inetuser'):
             self.assertTrue(item in objectclasses)
 
-        self.assertEqual(entry.single_value['loginshell'], '/bin/bash')
+        self.assertEqual(entry.single_value['loginshell'], paths.BASH)
         self.assertEqual(entry.single_value['sn'], 'User')
         self.assertEqual(entry.single_value['uid'], 'tuser')
         self.assertEqual(entry.single_value['cn'], 'Test User')

ipatests/test_integration/tasks.py

@@ -30,6 +30,7 @@ import StringIO
 from ldif import LDIFWriter
 
 from ipapython import ipautil
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import log_mgr
 from ipatests.test_integration import util
@@ -75,8 +76,8 @@ def backup_file(host, filename):
 
 
 def fix_etc_hosts(host):
-    backup_file(host, '/etc/hosts')
+    backup_file(host, paths.HOSTS)
-    contents = host.get_file_contents('/etc/hosts')
+    contents = host.get_file_contents(paths.HOSTS)
     # Remove existing mentions of the host's FQDN, short name, and IP
     contents = re.sub('\s%s(\s|$)' % re.escape(host.hostname), ' ', contents,
                       flags=re.MULTILINE)
@@ -87,12 +88,12 @@ def fix_etc_hosts(host):
     # Add the host's info again
     contents += '\n%s %s %s\n' % (host.ip, host.hostname, host.shortname)
     log.debug('Writing the following to /etc/hosts:\n%s', contents)
-    host.put_file_contents('/etc/hosts', contents)
+    host.put_file_contents(paths.HOSTS, contents)
 
 
 def fix_hostname(host):
-    backup_file(host, '/etc/hostname')
+    backup_file(host, paths.ETC_HOSTNAME)
-    host.put_file_contents('/etc/hostname', host.hostname + '\n')
+    host.put_file_contents(paths.ETC_HOSTNAME, host.hostname + '\n')
     host.run_command(['hostname', host.hostname])
 
     backupname = os.path.join(host.config.test_dir, 'backup_hostname')
@@ -100,24 +101,24 @@ def fix_hostname(host):
 
 
 def fix_resolv_conf(host):
-    backup_file(host, '/etc/resolv.conf')
+    backup_file(host, paths.RESOLV_CONF)
-    lines = host.get_file_contents('/etc/resolv.conf').splitlines()
+    lines = host.get_file_contents(paths.RESOLV_CONF).splitlines()
     lines = ['#' + l if l.startswith('nameserver') else l for l in lines]
     for other_host in host.domain.hosts:
         if other_host.role in ('master', 'replica'):
             lines.append('nameserver %s' % other_host.ip)
     contents = '\n'.join(lines)
     log.debug('Writing the following to /etc/resolv.conf:\n%s', contents)
-    host.put_file_contents('/etc/resolv.conf', contents)
+    host.put_file_contents(paths.RESOLV_CONF, contents)
 
 
 def fix_apache_semaphores(master):
-    systemd_available = master.transport.file_exists('/bin/systemctl')
+    systemd_available = master.transport.file_exists(paths.SYSTEMCTL)
 
     if systemd_available:
         master.run_command(['systemctl', 'stop', 'httpd'], raiseonerr=False)
     else:
-        master.run_command(['/sbin/service', 'httpd', 'stop'], raiseonerr=False)
+        master.run_command([paths.SBIN_SERVICE, 'httpd', 'stop'], raiseonerr=False)
 
     master.run_command('for line in `ipcs -s | grep apache | cut -d " " -f 2`; '
                        'do ipcrm -s $line; done', raiseonerr=False)
@@ -184,11 +185,11 @@ def enable_replication_debugging(host):
 
 
 def install_master(host):
-    host.collect_log('/var/log/ipaserver-install.log')
+    host.collect_log(paths.IPASERVER_INSTALL_LOG)
-    host.collect_log('/var/log/ipaclient-install.log')
+    host.collect_log(paths.IPACLIENT_INSTALL_LOG)
     inst = host.domain.realm.replace('.', '-')
-    host.collect_log('/var/log/dirsrv/slapd-%s/errors' % inst)
+    host.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
-    host.collect_log('/var/log/dirsrv/slapd-%s/access' % inst)
+    host.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)
 
     apply_common_fixes(host)
     fix_apache_semaphores(host)
@@ -207,8 +208,8 @@ def install_master(host):
 
 
 def install_replica(master, replica, setup_ca=True):
-    replica.collect_log('/var/log/ipareplica-install.log')
+    replica.collect_log(paths.IPAREPLICA_INSTALL_LOG)
-    replica.collect_log('/var/log/ipareplica-conncheck.log')
+    replica.collect_log(paths.IPAREPLICA_CONNCHECK_LOG)
 
     apply_common_fixes(replica)
     fix_apache_semaphores(replica)
@@ -218,7 +219,7 @@ def install_replica(master, replica, setup_ca=True):
                         '--ip-address', replica.ip,
                         replica.hostname])
     replica_bundle = master.get_file_contents(
-        '/var/lib/ipa/replica-info-%s.gpg' % replica.hostname)
+        paths.REPLICA_INFO_TEMPLATE_GPG % replica.hostname)
     replica_filename = os.path.join(replica.config.test_dir,
                                     'replica-info.gpg')
     replica.put_file_contents(replica_filename, replica_bundle)
@@ -239,7 +240,7 @@ def install_replica(master, replica, setup_ca=True):
 
 
 def install_client(master, client, extra_args=()):
-    client.collect_log('/var/log/ipaclient-install.log')
+    client.collect_log(paths.IPACLIENT_INSTALL_LOG)
 
     apply_common_fixes(client)
 
@@ -262,11 +263,11 @@ def install_adtrust(host):
     """
 
     # ipa-adtrust-install appends to ipaserver-install.log
-    host.collect_log('/var/log/ipaserver-install.log')
+    host.collect_log(paths.IPASERVER_INSTALL_LOG)
 
     inst = host.domain.realm.replace('.', '-')
-    host.collect_log('/var/log/dirsrv/slapd-%s/errors' % inst)
+    host.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
-    host.collect_log('/var/log/dirsrv/slapd-%s/access' % inst)
+    host.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)
 
     kinit_admin(host)
     host.run_command(['ipa-adtrust-install', '-U',
@@ -354,7 +355,7 @@ def establish_trust_with_ad(master, ad, extra_args=()):
     """
 
     # Force KDC to reload MS-PAC info by trying to get TGT for HTTP
-    master.run_command(['kinit', '-kt', '/etc/httpd/conf/ipa.keytab',
+    master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
                         'HTTP/%s' % master.hostname])
     master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
     master.run_command(['kdestroy', '-A'])
@@ -397,7 +398,7 @@ def configure_auth_to_local_rule(master, ad):
              % (ad.domain.realm, ad.domain.realm, ad.domain.name))
     line2 = "  auth_to_local = DEFAULT"
 
-    krb5_conf_content = master.get_file_contents('/etc/krb5.conf')
+    krb5_conf_content = master.get_file_contents(paths.KRB5_CONF)
     krb5_lines = [line.rstrip() for line in krb5_conf_content.split('\n')]
     realm_section_index = krb5_lines.index(section_identifier)
 
@@ -405,7 +406,7 @@ def configure_auth_to_local_rule(master, ad):
     krb5_lines.insert(realm_section_index + 2, line2)
 
     krb5_conf_new_content = '\n'.join(krb5_lines)
-    master.put_file_contents('/etc/krb5.conf', krb5_conf_new_content)
+    master.put_file_contents(paths.KRB5_CONF, krb5_conf_new_content)
 
     master.run_command(['systemctl', 'restart', 'sssd'])
 
@@ -419,13 +420,13 @@ def setup_sssd_debugging(host):
     # First, remove any previous occurences
     host.run_command(['sed', '-i',
                       '/debug_level = 7/d',
-                      '/etc/sssd/sssd.conf'
+                      paths.SSSD_CONF
                      ], raiseonerr=False)
 
     # Add the debug directive to each section
     host.run_command(['sed', '-i',
                       '/\[*\]/ a\debug_level = 7',
-                      '/etc/sssd/sssd.conf'
+                      paths.SSSD_CONF
                      ], raiseonerr=False)
 
 
@@ -440,22 +441,22 @@ def clear_sssd_cache(host):
     Clears SSSD cache by removing the cache files. Restarts SSSD.
     """
 
-    systemd_available = host.transport.file_exists('/bin/systemctl')
+    systemd_available = host.transport.file_exists(paths.SYSTEMCTL)
 
     if systemd_available:
         host.run_command(['systemctl', 'stop', 'sssd'])
     else:
-        host.run_command(['/sbin/service', 'sssd', 'stop'])
+        host.run_command([paths.SBIN_SERVICE, 'sssd', 'stop'])
 
     host.run_command("find /var/lib/sss/db -name '*.ldb' | "
                      "xargs rm -fv")
-    host.run_command(['rm', '-fv', '/var/lib/sss/mc/group'])
+    host.run_command(['rm', '-fv', paths.SSSD_MC_GROUP])
-    host.run_command(['rm', '-fv', '/var/lib/sss/mc/passwd'])
+    host.run_command(['rm', '-fv', paths.SSSD_MC_PASSWD])
 
     if systemd_available:
         host.run_command(['systemctl', 'start', 'sssd'])
     else:
-        host.run_command(['/sbin/service', 'sssd', 'start'])
+        host.run_command([paths.SBIN_SERVICE, 'sssd', 'start'])
 
     # To avoid false negatives due to SSSD not responding yet
     time.sleep(10)
@@ -487,24 +488,24 @@ def kinit_admin(host):
 
 
 def uninstall_master(host):
-    host.collect_log('/var/log/ipaserver-uninstall.log')
+    host.collect_log(paths.IPASERVER_UNINSTALL_LOG)
 
     host.run_command(['ipa-server-install', '--uninstall', '-U'],
                      raiseonerr=False)
     host.run_command(['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'],
                      raiseonerr=False)
     host.run_command(['rm', '-rf',
-                      '/var/log/pki/pki-tomcat',
+                      paths.TOMCAT_TOPLEVEL_DIR,
-                      '/etc/sysconfig/pki-tomcat',
+                      paths.SYSCONFIG_PKI_TOMCAT,
-                      '/etc/sysconfig/pki/tomcat/pki-tomcat',
+                      paths.SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR,
-                      '/var/lib/pki/pki-tomcat',
+                      paths.VAR_LIB_PKI_TOMCAT_DIR,
-                      '/etc/pki/pki-tomcat'],
+                      paths.PKI_TOMCAT],
                       raiseonerr=False)
     unapply_fixes(host)
 
 
 def uninstall_client(host):
-    host.collect_log('/var/log/ipaclient-uninstall.log')
+    host.collect_log(paths.IPACLIENT_UNINSTALL_LOG)
 
     host.run_command(['ipa-client-install', '--uninstall', '-U'],
                      raiseonerr=False)

ipatests/test_integration/test_caless.py

@@ -27,6 +27,7 @@ import nose
 
 from ipalib import x509
 from ipapython import ipautil
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
@@ -113,7 +114,7 @@ class CALessBase(IntegrationTest):
 
         # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
         for host in cls.get_all_hosts():
-            cls.master.run_command(['certutil', '-d', '/etc/pki/nssdb', '-D',
+            cls.master.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
                                     '-n', 'External CA cert'],
                                    raiseonerr=False)
 
@@ -145,11 +146,11 @@ class CALessBase(IntegrationTest):
         for filename in set(files_to_copy):
             cls.copy_cert(host, filename)
 
-        cls.collect_log(host, '/var/log/ipaserver-install.log')
+        cls.collect_log(host, paths.IPASERVER_INSTALL_LOG)
-        cls.collect_log(host, '/var/log/ipaclient-install.log')
+        cls.collect_log(host, paths.IPACLIENT_INSTALL_LOG)
         inst = host.domain.realm.replace('.', '-')
-        cls.collect_log(host, '/var/log/dirsrv/slapd-%s/errors' % inst)
+        cls.collect_log(host, paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
-        cls.collect_log(host, '/var/log/dirsrv/slapd-%s/access' % inst)
+        cls.collect_log(host, paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)
 
         args = [
             'ipa-server-install',
@@ -216,11 +217,11 @@ class CALessBase(IntegrationTest):
                 os.path.join(self.cert_dir, filename),
                 os.path.join(master.config.test_dir, filename))
 
-        self.collect_log(replica, '/var/log/ipareplica-install.log')
+        self.collect_log(replica, paths.IPAREPLICA_INSTALL_LOG)
-        self.collect_log(replica, '/var/log/ipaclient-install.log')
+        self.collect_log(replica, paths.IPACLIENT_INSTALL_LOG)
         inst = replica.domain.realm.replace('.', '-')
-        self.collect_log(replica, '/var/log/dirsrv/slapd-%s/errors' % inst)
+        self.collect_log(replica, paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
-        self.collect_log(replica, '/var/log/dirsrv/slapd-%s/access' % inst)
+        self.collect_log(replica, paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)
 
         args = [
             'ipa-replica-prepare',
@@ -244,7 +245,7 @@ class CALessBase(IntegrationTest):
 
         if result.returncode == 0:
             replica_bundle = master.get_file_contents(
-                '/var/lib/ipa/replica-info-%s.gpg' % replica.hostname)
+                paths.REPLICA_INFO_TEMPLATE_GPG % replica.hostname)
             replica.put_file_contents(self.get_replica_filename(replica),
                                       replica_bundle)
         else:
@@ -327,7 +328,7 @@ class CALessBase(IntegrationTest):
 
         for host in self.get_all_hosts():
             # Check the cert PEM file
-            remote_cacrt = host.get_file_contents('/etc/ipa/ca.crt')
+            remote_cacrt = host.get_file_contents(paths.IPA_CA_CRT)
             self.log.debug('%s:/etc/ipa/ca.crt contents:\n%s',
                            host, remote_cacrt)
             binary_cacrt = base64.b64decode(x509.strip_header(remote_cacrt))
@@ -344,7 +345,7 @@ class TestServerInstall(CALessBase):
 
         # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
         for host in self.get_all_hosts():
-            self.master.run_command(['certutil', '-d', '/etc/pki/nssdb', '-D',
+            self.master.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
                                      '-n', 'External CA cert'],
                                     raiseonerr=False)
 
@@ -768,11 +769,11 @@ class TestReplicaInstall(CALessBase):
         self.master.run_command(['ipa', 'host-del', replica.hostname],
                                 raiseonerr=False)
 
-        replica.run_command(['certutil', '-d', '/etc/pki/nssdb', '-D',
+        replica.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
                              '-n', 'External CA cert'], raiseonerr=False)
 
         self.uninstall_server()
-        self.master.run_command(['certutil', '-d', '/etc/pki/nssdb', '-D',
+        self.master.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
                                  '-n', 'External CA cert'], raiseonerr=False)
 
     def test_no_certs(self):

ipatests/test_integration/test_forced_client_reenrollment.py

@@ -18,11 +18,12 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import os
 import subprocess
+from ipaplatform.paths import paths
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
 
-CLIENT_KEYTAB = '/etc/krb5.keytab'
+CLIENT_KEYTAB = paths.KRB5_KEYTAB
 
 
 class TestForcedClientReenrollment(IntegrationTest):
@@ -274,9 +275,9 @@ class TestForcedClientReenrollment(IntegrationTest):
         """
         Put server's ip address at the top of resolv.conf
         """
-        contents = client.get_file_contents('/etc/resolv.conf')
+        contents = client.get_file_contents(paths.RESOLV_CONF)
         nameserver = 'nameserver %s\n' % server.ip
 
         if not contents.startswith(nameserver):
             contents = nameserver + contents.replace(nameserver, '')
-            client.put_file_contents('/etc/resolv.conf', contents)
+            client.put_file_contents(paths.RESOLV_CONF, contents)

ipatests/test_integration/test_legacy_clients.py

@@ -21,6 +21,7 @@ import os
 import re
 
 import nose
+from ipaplatform.paths import paths
 
 from ipatests.test_integration import tasks
 
@@ -40,7 +41,7 @@ class BaseTestLegacyClient(object):
                     '/etc/openldap/cacerts',
                     '/etc/openldap/ldap.conf',
                     '/etc/nsswitch.conf',
-                    '/etc/sssd/sssd.conf']
+                    paths.SSSD_CONF]
 
     # Actual test classes need to override these attributes to set the expected
     # values on the UID and GID results, since this varies with the usage of the
@@ -88,7 +89,7 @@ class BaseTestLegacyClient(object):
                                                  advice_path])
 
         # Restart SSHD to load new PAM configuration
-        self.legacy_client.run_command(['/sbin/service', 'sshd', 'restart'])
+        self.legacy_client.run_command([paths.SBIN_SERVICE, 'sshd', 'restart'])
 
     def clear_sssd_caches(self):
         tasks.clear_sssd_cache(self.master)

ipatests/test_ipalib/test_config.py

@@ -32,6 +32,7 @@ from ipatests.util import TempDir, TempHome
 from ipalib.constants import TYPE_ERROR, OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib.constants import NAME_REGEX, NAME_ERROR
 from ipalib import config, constants, base
+from ipaplatform.paths import paths
 
 
 # Valid environment variables in (key, raw, value) tuples:
@@ -448,8 +449,8 @@ class test_Env(ClassChecker):
         assert o.dot_ipa == home.join('.ipa')
         assert o.in_tree is False
         assert o.context == 'default'
-        assert o.confdir == '/etc/ipa'
+        assert o.confdir == paths.ETC_IPA
-        assert o.conf == '/etc/ipa/default.conf'
+        assert o.conf == paths.IPA_DEFAULT_CONF
         assert o.conf_default == o.conf
 
         # Test overriding values created by _bootstrap()
@@ -461,11 +462,11 @@ class test_Env(ClassChecker):
         assert o.in_tree is False
         assert o.context == 'default'
         assert o.conf == '/my/wacky/whatever.conf'
-        assert o.conf_default == '/etc/ipa/default.conf'
+        assert o.conf_default == paths.IPA_DEFAULT_CONF
         (o, home) = self.bootstrap(conf_default='/my/wacky/default.conf')
         assert o.in_tree is False
         assert o.context == 'default'
-        assert o.conf == '/etc/ipa/default.conf'
+        assert o.conf == paths.IPA_DEFAULT_CONF
         assert o.conf_default == '/my/wacky/default.conf'
 
         # Test various overrides and types conversion

ipatests/test_ipalib/test_errors.py

@@ -26,6 +26,7 @@ import inspect
 
 from ipatests.util import assert_equal, raises
 from ipalib import errors, text
+from ipaplatform.paths import paths
 from ipalib.constants import TYPE_ERROR
 
 
@@ -102,9 +103,9 @@ class test_SubprocessError(PrivateExceptionTester):
         """
         Test the `ipalib.errors.SubprocessError.__init__` method.
         """
-        inst = self.new(returncode=1, argv=('/bin/false',))
+        inst = self.new(returncode=1, argv=(paths.BIN_FALSE,))
         assert inst.returncode == 1
-        assert inst.argv == ('/bin/false',)
+        assert inst.argv == (paths.BIN_FALSE,)
         assert str(inst) == "return code 1 from ('/bin/false',)"
         assert inst.message == str(inst)
 

ipatests/test_ipalib/test_plugable.py

@@ -26,6 +26,7 @@ from ipatests.util import raises, no_set, no_del, read_only
 from ipatests.util import getitem, setitem, delitem
 from ipatests.util import ClassChecker, create_test_api
 from ipalib import plugable, errors, text
+from ipaplatform.paths import paths
 
 
 class test_SetProxy(ClassChecker):
@@ -277,10 +278,10 @@ class test_Plugin(ClassChecker):
         Test the `ipalib.plugable.Plugin.call` method.
         """
         o = self.cls()
-        o.call('/bin/true') is None
+        o.call(paths.BIN_TRUE) is None
-        e = raises(errors.SubprocessError, o.call, '/bin/false')
+        e = raises(errors.SubprocessError, o.call, paths.BIN_FALSE)
         assert e.returncode == 1
-        assert e.argv == ('/bin/false',)
+        assert e.argv == (paths.BIN_FALSE,)
 
 
 def test_Registrar():

ipatests/test_ipaserver/test_ldap.py

@@ -36,6 +36,7 @@ from ipalib.plugins.service import service, service_show
 from ipalib.plugins.host import host
 from ipalib import api, x509, create_api, errors
 from ipapython import ipautil
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 
 class test_ldap(object):
@@ -46,7 +47,7 @@ class test_ldap(object):
     def setUp(self):
         self.conn = None
         self.ldapuri = 'ldap://%s' % ipautil.format_netloc(api.env.host)
-        self.ccache = '/tmp/krb5cc_%d' % os.getuid()
+        self.ccache = paths.TMP_KRB5CC % os.getuid()
         nss.nss_init_nodb()
         self.dn = DN(('krbprincipalname','ldap/%s@%s' % (api.env.host, api.env.realm)),
                      ('cn','services'),('cn','accounts'),api.env.basedn)

ipatests/test_webui/ui_driver.py

@@ -53,6 +53,7 @@ try:
 except ImportError:
     NO_YAML = True
 from urllib2 import URLError
+from ipaplatform.paths import paths
 
 ENV_MAP = {
     'MASTER': 'ipa_server',
@@ -186,7 +187,7 @@ class UI_driver(object):
 
         if browser == 'chromium':
             options = ChromeOptions()
-            options.binary_location = '/usr/bin/chromium-browser'
+            options.binary_location = paths.CHROMIUM_BROWSER
 
         if driver_type == 'remote':
             if not 'host' in self.config:

ipatests/test_xmlrpc/test_automount_plugin.py

@@ -32,6 +32,7 @@ from ipapython.dn import DN
 
 from nose.tools import raises, assert_raises  # pylint: disable=E0611
 from xmlrpc_test import XMLRPC_test, assert_attr_equal
+from ipaplatform.paths import paths
 from ipatests.util import assert_deepequal
 
 

ipatests/test_xmlrpc/test_cert_plugin.py

@@ -33,6 +33,7 @@ import tempfile
 from ipapython import ipautil
 import nose
 import base64
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 
 # So we can save the cert from issuance and compare it later
@@ -78,7 +79,7 @@ class test_cert(XMLRPC_test):
         is_db_configured()
 
     def run_certutil(self, args, stdin=None):
-        new_args = ["/usr/bin/certutil", "-d", self.reqdir]
+        new_args = [paths.CERTUTIL, "-d", self.reqdir]
         new_args = new_args + args
         return ipautil.run(new_args, stdin)
 
@@ -105,7 +106,7 @@ class test_cert(XMLRPC_test):
     def generateCSR(self, subject):
         self.run_certutil(["-R", "-s", subject,
                            "-o", self.reqfile,
-                           "-z", "/etc/group",
+                           "-z", paths.GROUP,
                            "-f", self.pwname,
                            "-a",
                            ])

ipatests/test_xmlrpc/testcert.py

@@ -31,6 +31,7 @@ import shutil
 from ipalib import api, x509
 from ipaserver.plugins import rabase
 from ipapython import ipautil
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 
 _testcert = None
@@ -52,7 +53,7 @@ def run_certutil(reqdir, args, stdin=None):
     """
     Run an NSS certutil command
     """
-    new_args = ["/usr/bin/certutil", "-d", reqdir]
+    new_args = [paths.CERTUTIL, "-d", reqdir]
     new_args = new_args + args
     return ipautil.run(new_args, stdin)
 
@@ -64,7 +65,7 @@ def generate_csr(reqdir, pwname, subject):
     req_path = os.path.join(reqdir, 'req')
     run_certutil(reqdir, ["-R", "-s", subject,
                           "-o", req_path,
-                          "-z", "/etc/group",
+                          "-z", paths.GROUP,
                           "-f", pwname,
                           "-a"])
     with open(req_path, "r") as fp:

smartproxy/ipa-smartproxy.py

@@ -28,6 +28,7 @@ import traceback as tb_internal
 from cherrypy import response
 from ipalib import api
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipalib.request import context
 from ipalib.rpc import json_encode_binary
 from ipapython.version import VERSION, API_VERSION
@@ -391,8 +392,8 @@ wsgi_config = {'environment': 'embedded',
                'engine.autoreload_on': False
 }
 
-api.bootstrap(context='ipasmartproxy', log='/dev/null')
+api.bootstrap(context='ipasmartproxy', log=paths.DEV_NULL)
 api.finalize()
 
 cherrypy.config.update(wsgi_config)
-start(['/etc/ipa/ipa-smartproxy.conf'])
+start([paths.IPA_SMARTPROXY_CONF])