Commit Graph

36 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
3b007b7bba Always define the path DNSSEC_OPENSSL_CONF
The variable was None by default and set to /etc/ipa/dnssec/openssl.cnf
for fedora only because the code is specific to the support of pkcs11
engine for bind. As a consequence ipa-backup had a "None" value in the
list of files to backup and failed on Exception.

ipa-backup code is able to handle missing files, and the code using
the pkcs11 engine is called only when NAMED_OPENSSL_ENGINE is set
(only in fedora so far). It is safe to always define a value for
DNSSEC_OPENSSL_CONF even on os where it does not exist.

The fix also improves the method used to verify that a path exists.

Fixes: https://pagure.io/freeipa/issue/8597
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-11-30 15:52:19 +01:00
Christian Heimes
bc128cae47 Add User and Group to all ipaplatform.constants
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:23:18 -04:00
Stanislav Levin
721435cf7f named: Make use of 'pkcs11' OpenSSL engine for BIND on Fedora31
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Christian Heimes
0451db9d3f Enable TLS 1.3 support on the server
urllib3 now supports post-handshake authentication with TLS 1.3. Enable
TLS 1.3 support for Apache HTTPd.

The update depends on bug fixes for TLS 1.3 PHA support in urllib3 and
Apache HTTPd. New builds are available in freeipa-master COPR and in
F30/F31.

Overwrite crypto-policy on Fedora only. Fedora 31 and earlier have TLS
1.0 and 1.1 still enabled by default.

Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-12-02 16:48:07 +01:00
Christian Heimes
d2c929270c Use nis-domainname.service on all RH platforms
RHEL 8 and Fedora >= 29 use "nis-domainname.service" as service name for
domainname service. Remove special code in ipaplatform.rhel and for Fedora
< 28. Only Fedora 29+ is supported by IPA 4.8.

Fixes: https://pagure.io/freeipa/issue/8004
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-04 10:43:51 +02:00
Christian Heimes
b553448884 Use system-wide crypto policy for TLS ciphers
IPA now uses the system-wide crypto policy for TLS ciphers on RHEL. It's
also now possible to keep the default policy by setting TLS_HIGH_CIPHERS
to None.

Fixes: https://pagure.io/freeipa/issue/7998
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-02 16:38:00 +02:00
François Cami
c69875c8af ipa-client-automount: handle NFS configuration file changes
nfs-utils in Fedora 30 and later switched its configuration
file from /etc/sysconfig/nfs to /etc/nfs.conf, providing a
conversion service (nfs-convert.service) for upgrades.
However, for new installs the original configuration file
is missing. This change:
* adds a tuple-based osinfo.version_number method to handle
  more kinds of OS versioning schemes
* detects RHEL and Fedora versions with the the new nfs-utils
  behavior
* avoids backing up the new NFS configuration file as we do
  not have to modify it.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1676981

Fixes: https://pagure.io/freeipa/issue/7868
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-27 21:42:39 +01:00
Christian Heimes
1c03181e78
Don't check for systemd service
ipaplatform no longer checks for the presence of a systemd service file
to detect the name of the domainname service. Instead it uses osinfo's
version to use the old name on Fedora 28 and the new name on Fedora 29.

This fixes a SELinux violation that prevented httpd from listing systemd
service files.

Fixes: https://pagure.io/freeipa/issue/7661
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-08-30 11:37:21 +02:00
Christian Heimes
f1c7d3c278
Start to deprecate Python 2 and 3.5
Python 2 will reach EOL in 18 months. Start to issue deprecation
warnings on Python 2.

No longer claim support for Python 3.5. Python 3.5 is untested.

NOTE: At first I tried to raise the deprecation warning from
ipalib.__init__. This caused some unforseen side-effects with
ipaplatform namespace package on Python 2. Eventually it was easier to
raise the deprecation warning in ipaplatform. RHEL and Debian platforms
don't raise the deprecation warning yet, because they use Python 2.

Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-06-19 14:37:53 +02:00
Christian Heimes
907e164958 Fedora 29 renamed fedora-domainname.service
In Fedora 29, the fedora-domainname.service has been renamed to
nis-domainname.service like on RHEL. The ipaplatform service module for
Fedora now only renames the service, when it detects the presence of
fedora-domainname.service.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1588192
Fixes: https://pagure.io/freeipa/issue/7582
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-15 08:30:55 +02:00
Florence Blanc-Renaud
e442464509 Revert commit d705320ec1
Commit d705320 was temporarily disabling authconfig backup and restore
because of issue 7478.
With the migration to authselect this is not needed any more

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-27 14:01:33 +02:00
Stanislav Laznicka
b5bdd07bc5
Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-20 09:43:37 +02:00
Christian Heimes
d705320ec1 Temporarily disable authconfig backup and restore
The authconfig command from authselect-compat-0.3.2-1 does not support
backup and restore at all. Temporarily disable backup and restore of
auth config to fix broken ipa-backup.

Fixes: https://pagure.io/freeipa/issue/7478
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-03 08:07:46 +02:00
Christian Heimes
90a75f0d43 Use system-wide crypto-policies on Fedora
HTTPS connections from IPA framework and bind named instance now use
system-wide crypto-policies on Fedora.

For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00
Christian Heimes
1785a3e17b Replace wsgi package conflict with config file
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.

See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-09 08:28:11 +01:00
Christian Heimes
6409abf1a6 Break ipaplatform / ipalib import cycle of hell
Here is an attempt to break the import cycle of hell between ipaplatform
and ipalib. All services now pass an ipalib.api object to
services.service(). RedHatServices.__init__() still needs to do a local
import because it initializes its wellknown service dict with service
instances.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:30:32 +01:00
Christian Heimes
94a9dfb9d7 Don't modify redhat_system_units
ipaplatform.fedora.services used to modify the redhat_system_units dict.
It now creates a proper shallow copy.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-16 14:43:53 +01:00
Petr Spacek
c70a2873f8 Build: replace ipaplatform magic with symlinks generated by configure
The original approach with __path__ implemented
by 8f98fa1bd5 broke Pylint:
We decided to resort back to symlinks as it is easiest solution
which does not break pylint in weird ways.

This commit introduces configure --with-ipaplatform option.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Martin Basti
fba70a0346 Use module variables for timedate_services
Explicitly store timedate services in module variable is safer than
doind just unused import.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:57:55 +01:00
Tomas Babej
a487e42d3f ipaplatform: Add constants submodule
Introduce a ipaplatform/constants.py file to store platform related
constants, which are not paths.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-21 17:29:33 +02:00
Jan Cholasta
308d2dd406 Split off generic Red Hat-like platform code from Fedora platform code
https://fedorahosted.org/freeipa/ticket/4562

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-09 15:37:24 +02:00
Francesco Marella
f5b302be47 Refactor selinuxenabled check
Ticket: https://fedorahosted.org/freeipa/ticket/4571
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-30 19:03:40 +02:00
Jan Cholasta
734afdf936 Remove ipa-ca.crt from systemwide CA store on client uninstall and cert update
The file was used by previous versions of IPA to provide the IPA CA certificate
to p11-kit and has since been obsoleted by ipa.p11-kit, a file which contains
all the CA certificates and associated trust policy from the LDAP certificate
store.

Since p11-kit is hooked into /etc/httpd/alias, ipa-ca.crt must be removed to
prevent certificate import failures in installer code.

Also add ipa.p11-kit to the files owned by the freeipa-python package.

https://fedorahosted.org/freeipa/ticket/3259

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Petr Viktorin
c7d6fea06f Move setting SELinux booleans to platform code
Create a platform task for setting SELinux booleans.

Use an exception for the case when the booleans could not be set
(since this is an error if not handled).
Since ipaplatform should not depend on ipalib, create a new
errors module in ipapython for SetseboolError.

Handle uninstallation with the same task, which means
the booleans are now restored with a single call to
setsebool.

Preparation for: https://fedorahosted.org/freeipa/ticket/4157

Fixes: https://fedorahosted.org/freeipa/ticket/2934
Fixes: https://fedorahosted.org/freeipa/ticket/2519
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-26 12:12:59 +02:00
Jan Cholasta
55d3bab57b Get CA certs for system-wide store from cert store in ipa-client-install.
All of the certificates and associated key policy are now stored in
/etc/pki/ca-trust/source/ipa.p11-kit.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Tomas Babej
2a3c746dca ipaplatform: Drop the base authconfig class
As authconfig is a distro-specific tool there is no incentive for
implying that other platforms should implement any authconfig
implementation of their own.

Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 21:07:07 +02:00
Tomas Babej
e099ad4583 ipaplatform: Document the platform tasks API
Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 21:07:06 +02:00
Petr Viktorin
d868fc5566 Fix self argument in tasks
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
3b4ab8b4f2 ipaplatform: Move hardcoded paths from Fedora platform files to path namespace
Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
8a5e2a8166 ipaplatform: Contain all the tasks in the TaskNamespace
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
6906eed27e ipaplatform: Let fedora path module use PathNamespace class
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
a7c2327a36 ipaplatform: Move Fedora-specific implementations of tasks to fedora base platform file
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
5f31f2d35f ipaplatform: Do not require custom Authconfig implementations from platform modules
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
6a4cd8a4e3 ipaplatform: Move restore_context and check_selinux_status implementations to base fedora platform tasks
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
c465eb842f ipaplatform: Moved Fedora 16 service implementations and refactored them as base Fedora module service implementations
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00
Tomas Babej
c368aae048 ipaplatform: Add base fedora platform module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00