Make dogtag an optional (and default un-) installed component in a replica.

A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
2025-02-25 18:55:28 -06:00 · 2011-06-17 16:47:39 -04:00
parent cbffe1d65d
commit 8a32bb3746
12 changed files with 437 additions and 133 deletions
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -20,6 +20,7 @@
 import time, logging

 import os
+import sys
 import ldap
 from ipaserver import ipaldap
 from ipaserver.install.service import restart
@@ -27,6 +28,7 @@ import installutils
 from ldap import modlist
 from ipalib import util
 from ipalib import errors
+from ipapython import ipautil

 DIRMAN_CN = "cn=directory manager"
 CACERT = "/etc/ipa/ca.crt"
@@ -40,6 +42,37 @@ TIMEOUT = 120
 IPA_REPLICA = 1
 WINSYNC = 2

+def replica_conn_check(master_host, host_name, realm, check_ca,
+                       admin_password=None):
+    """
+    Check the ports used by the replica both locally and remotely to be sure
+    that replication will work.
+
+    Does not return a value, will sys.exit() on failure.
+    """
+    print "Run connection check to master"
+    args = ["/usr/sbin/ipa-replica-conncheck", "--master", master_host,
+            "--auto-master-check", "--realm", realm,
+            "--principal", "admin",
+            "--hostname", host_name]
+
+    if admin_password:
+        args.extend(["--password", admin_password])
+
+    if check_ca:
+        args.append('--check-ca')
+    logging.debug("Running ipa-replica-conncheck with following arguments: %s" %
+            " ".join(args))
+    (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False, capture_output=False)
+
+    if returncode != 0:
+        sys.exit("Connection check failed!" +
+                 "\nPlease fix your network settings according to error messages above." +
+                 "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.")
+    else:
+        print "Connection check OK"
+
+
 def check_replication_plugin():
    """
    Confirm that the 389-ds replication is installed.