Use single Custodia instance in installers

Installers now pass a single CustodiaInstance object around, instead of
creating new instances on demand. In case of replica promotion with CA,
the instance gets all secrets from a master that has a CA. Before, an
installer created multiple instances and may have requested CA key
material from a different machine than the one that supplied the DM
password hash.

In case of Domain Level 1 and replica promotion, the CustodiaInstance no
longer adds the keys to the local instance and waits for replication to
other replica. Instead the installer directly uploads the new public
keys to the remote 389-DS instance.

Without promotion, new Custodia public keys are still added to local
389-DS over LDAPI.

Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Christian Heimes
2018-04-26 12:06:36 +02:00
parent 84e60e5f99
commit 994f71ac8a
8 changed files with 155 additions and 74 deletions


@@ -740,6 +740,7 @@ def install(installer):
host_name = options.host_name
ip_addresses = options.ip_addresses
setup_ca = options.setup_ca
options.promote = False # first master, no promotion
# Installation has started. No IPA sysrestore items are restored in case of
# failure to enable root cause investigation
@@ -821,6 +822,10 @@ def install(installer):
setup_pkinit=not options.no_pkinit,
subject_base=options.subject_base)
custodia = custodiainstance.get_custodia_instance(
options, custodiainstance.CustodiaModes.MASTER_PEER)
custodia.create_instance()
if setup_ca:
if not options.external_cert_files and options.external_ca:
# stage 1 of external CA installation
@@ -835,7 +840,7 @@ def install(installer):
if n in options.__dict__}
write_cache(cache_vars)
ca.install_step_0(False, None, options)
ca.install_step_0(False, None, options, custodia=custodia)
else:
# Put the CA cert where other instances expect it
x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
@@ -855,15 +860,12 @@ def install(installer):
ds.enable_ssl()
if setup_ca:
ca.install_step_1(False, None, options)
ca.install_step_1(False, None, options, custodia=custodia)
otpd = otpdinstance.OtpdInstance()
otpd.create_instance('OTPD', host_name,
ipautil.realm_to_suffix(realm_name))
custodia = custodiainstance.CustodiaInstance(host_name, realm_name)
custodia.create_instance()
# Create a HTTP instance
http = httpinstance.HTTPInstance(fstore)
if options.http_cert_files:
@@ -895,7 +897,7 @@ def install(installer):
krb.restart()
if options.setup_kra:
kra.install(api, None, options)
kra.install(api, None, options, custodia=custodia)
if options.setup_dns:
dns.install(False, False, options)
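Review bot: The `options.promote = False` assignment added at the top of install() is a hidden contract: nothing in that hunk reads it, and the apparent consumer is `custodiainstance.get_custodia_instance(options, ...)` in the following hunk, whose implementation is not on this page, so the coupling is easy to break in a later refactor. A comment naming the consumer would make it explicit, e.g. `options.promote = False  # first master; read by custodiainstance.get_custodia_instance()`. The single `custodia` object is now created before `ca.install_step_0` and later handed to the CA and KRA installers, so the CA key material is guaranteed to be handled by the same instance that holds the other secrets; a one-line comment at the `custodia.create_instance()` call stating that on a first master the public keys go to the local 389-DS over LDAPI (as the commit message says) would help the reader, since that is what allows it to run before the CA exists. The enclosing install() starts and ends outside the hunks shown.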


@@ -1361,6 +1361,7 @@ def install(installer):
fstore = installer._fstore
sstore = installer._sstore
config = installer._config
config.promote = installer.promote
promote = installer.promote
cafile = installer._ca_file
dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info
@@ -1480,19 +1481,19 @@ def install(installer):
otpd.create_instance('OTPD', config.host_name,
ipautil.realm_to_suffix(config.realm_name))
custodia = custodiainstance.CustodiaInstance(config.host_name,
config.realm_name)
if promote:
custodia.create_replica(config.master_host_name)
if ca_enabled:
mode = custodiainstance.CustodiaModes.CA_PEER
else:
custodia.create_instance()
mode = custodiainstance.CustodiaModes.MASTER_PEER
custodia = custodiainstance.get_custodia_instance(config, mode)
custodia.create_instance()
if ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name
options.dm_password = config.dirman_password
ca.install(False, config, options)
ca.install(False, config, options, custodia=custodia)
# configure PKINIT now that all required services are in place
krb.enable_ssl()
@@ -1502,7 +1503,7 @@ def install(installer):
ds.apply_updates()
if kra_enabled:
kra.install(api, config, options)
kra.install(api, config, options, custodia=custodia)
service.print_msg("Restarting the KDC")
krb.restart()
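Review bot: Replacing the explicit `custodia.create_replica(config.master_host_name)` with `get_custodia_instance(config, mode)` moves the choice of which master the new replica pulls its secrets from (and, per the commit message, pushes its new Custodia public keys to over LDAP) out of view of the call site; a reader can no longer see that `config.master_host_name` and the freshly assigned `config.promote` drive that decision, or that `CA_PEER` presumably selects a CA-bearing master rather than the one given on the command line. Because this is the point where CA key material is fetched and a remote 389-DS is written to, suggest a comment above the `if ca_enabled:` mode selection, e.g. `# CA_PEER: peer must be a master with a CA so CA secrets and the DM hash come from one host; MASTER_PEER: any master. Reads config.promote and config.master_host_name (see custodiainstance).` The exact peer-selection and connection semantics live in custodiainstance, which is not in this diff, so the wording should be confirmed against it. The enclosing install() starts and ends outside the hunks shown.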