Backup ipa-custodia conf and keys

https://pagure.io/freeipa/issue/7247 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-01-26 16:16:31 -06:00 · 2017-11-08 15:15:30 +01:00 · 2017-11-08 15:15:30 +01:00 · 8bbeedc93f
commit 8bbeedc93f
parent 49c77d7781
6 changed files with 43 additions and 12 deletions
--- a/install/share/custodia.conf.template
+++ b/install/share/custodia.conf.template
@ -16,7 +16,7 @@ header = GSS_NAME
 handler = ipaserver.secrets.kem.IPAKEMKeys
 paths = /keys
 store = ipa
-server_keys = $IPA_CUSTODIA_CONF_DIR/server.keys
+server_keys = $IPA_CUSTODIA_KEYS

 [store:ipa]
 handler = ipaserver.secrets.store.IPASecStore
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@ -347,6 +347,7 @@ class BasePathNamespace(object):
    NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
    IPA_CUSTODIA_CONF_DIR = '/etc/ipa/custodia'
    IPA_CUSTODIA_CONF = '/etc/ipa/custodia/custodia.conf'
+    IPA_CUSTODIA_KEYS = '/etc/ipa/custodia/server.keys'
    IPA_CUSTODIA_SOCKET = '/run/httpd/ipa-custodia.sock'
    IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
    IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@ -326,6 +326,25 @@ def write_tmp_file(txt):

    return fd

+
+def flush_sync(f):
+    """Flush and fsync file to disk
+
+    :param f: a file object with fileno and name
+    """
+    # flush file buffer to file descriptor
+    f.flush()
+    # flush Kernel buffer to disk
+    os.fsync(f.fileno())
+    # sync metadata in directory
+    dirname = os.path.dirname(os.path.abspath(f.name))
+    dirfd = os.open(dirname, os.O_RDONLY | os.O_DIRECTORY)
+    try:
+        os.fsync(dirfd)
+    finally:
+        os.close(dirfd)
+
+
 def shell_quote(string):
    if isinstance(string, str):
        return "'" + string.replace("'", "'\\''") + "'"
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@ -30,8 +30,7 @@ class CustodiaInstance(SimpleServiceInstance):
    def __init__(self, host_name=None, realm=None):
        super(CustodiaInstance, self).__init__("ipa-custodia")
        self.config_file = paths.IPA_CUSTODIA_CONF
-        self.server_keys = os.path.join(paths.IPA_CUSTODIA_CONF_DIR,
-                                        'server.keys')
+        self.server_keys = paths.IPA_CUSTODIA_KEYS
        self.ldap_uri = None
        self.fqdn = host_name
        self.realm = realm
@ -40,16 +39,19 @@ class CustodiaInstance(SimpleServiceInstance):
        template_file = os.path.basename(self.config_file) + '.template'
        template = os.path.join(paths.USR_SHARE_IPA_DIR, template_file)
        httpd_info = pwd.getpwnam(constants.HTTPD_USER)
-        sub_dict = dict(IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
-                        IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
-                        IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
-                        LDAP_URI=installutils.realm_to_ldapi_uri(self.realm),
-                        UID=httpd_info.pw_uid, GID=httpd_info.pw_gid)
+        sub_dict = dict(
+            IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
+            IPA_CUSTODIA_KEYS=paths.IPA_CUSTODIA_KEYS,
+            IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
+            IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
+            LDAP_URI=installutils.realm_to_ldapi_uri(self.realm),
+            UID=httpd_info.pw_uid,
+            GID=httpd_info.pw_gid
+        )
        conf = ipautil.template_file(template, sub_dict)
-        fd = open(self.config_file, "w+")
-        fd.write(conf)
-        fd.flush()
-        fd.close()
+        with open(self.config_file, "w") as f:
+            f.write(conf)
+            ipautil.flush_sync(f)

    def create_instance(self):
        suffix = ipautil.realm_to_suffix(self.realm)
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@ -189,6 +189,8 @@ class Backup(admintool.AdminTool):
        paths.DNSSEC_SOFTHSM_PIN_SO,
        paths.IPA_ODS_EXPORTER_KEYTAB,
        paths.IPA_DNSKEYSYNCD_KEYTAB,
+        paths.IPA_CUSTODIA_KEYS,
+        paths.IPA_CUSTODIA_CONF,
        paths.HOSTS,
    ) + tuple(
        os.path.join(paths.IPA_NSSDB_DIR, file)
--- a/ipatests/test_ipapython/test_ipautil.py
+++ b/ipatests/test_ipapython/test_ipautil.py
@ -25,6 +25,7 @@ Test the `ipapython/ipautil.py` module.
 import nose
 import pytest
 import six
+import tempfile

 from ipapython import ipautil

@ -470,3 +471,9 @@ def test_backcompat():
    assert rc is result.returncode
    assert out is result.output
    assert err is result.error_output
+
+
+def test_flush_sync():
+    with tempfile.NamedTemporaryFile('wb+') as f:
+        f.write(b'data')
+        ipautil.flush_sync(f)