Commit Graph

26 Commits

Author SHA1 Message Date
Timo Aaltonen
ed84963927 convert the base platform modules into packages 2013-01-14 14:39:54 +01:00
Martin Kosek
211f6c9046 Stop and disable conflicting time&date services
Fedora 16 introduced chrony as default client time&date synchronization
service:
http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
Thus, there may be people already using chrony as their time and date
synchronization service before installing IPA.

However, installing IPA server or client on such machine may lead to
unexpected behavior, as the IPA installer would configure ntpd and leave
the machine with both ntpd and chronyd enabled. However, since the OS
does not allow both chronyd and ntpd to be running concurrently and chronyd
has the precedence, ntpd would not be run on that system at all.

Make sure that the user is warned when trying to install IPA on such a
system and is given the possibility either not to let IPA configure
ntpd at all or to let the installer stop and disable chronyd.

https://fedorahosted.org/freeipa/ticket/2974
2012-12-07 13:07:36 -05:00
Rob Crittenden
62e7053a12 Only update the list of running services in the installer or ipactl.
The file is only present in the case of a server installation.

It should only be touched by the server installer and ipactl.

https://fedorahosted.org/freeipa/ticket/3277
2012-12-05 10:44:44 -05:00
Martin Kosek
3896bf370a Change network configuration file
Fedora+systemd deprecated /etc/sysconfig/network, which was
used by IPA to store static hostname for the IPA machine. See
https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details.

Change Fedora platform files to store the hostname to /etc/hostname
instead.

https://fedorahosted.org/freeipa/ticket/3279
2012-12-05 13:30:31 +01:00
Simo Sorce
5713279712 Save service name on service startup/shutdown
This is done as a default action of the ancestor class so that no matter what
platform is currently used this code is always the same and the name is the
well-known service name.
This information will be used by ipactl to stop only and all the services that
have been started by any ipa tool/install script.
2012-11-01 14:24:41 -04:00
Simo Sorce
895b2e2b43 Revert "Save service name on service startup"
This reverts commit 1ef651e7f9.

This was an old version of the patch, the next commit will put in the acked
version.
2012-11-01 14:23:38 -04:00
Simo Sorce
1ef651e7f9 Save service name on service startup
This is done as a default action of the ancestor class so that no matter what
platform is currently used this code is always the same and the name is the
well-known service name.
This information will be used by ipactl to stop only and all the services that
have been started by any ipa tool/install script.
2012-11-01 10:58:19 -04:00
Simo Sorce
09dbc1f36b Preserve original service_name in services
This is needed to be able to reference stuff always with the same name.
The platform specific private name must be kept in a platform specific
variable.
In the case of systemd we store it in systemd_name.
For the redhat platform well-known names and service names are the same so
currently no special name is needed.
2012-11-01 10:58:19 -04:00
Petr Viktorin
d6fbbd530e Make sure the CA is running when starting services
- Provide a function for determining the CA status using Dogtag 10's new
  getStatus endpoint.
  This must be done over HTTPS, but since our client certificate may not be set
  up yet, we need HTTPS without client authentication.
  Rather than copying from the existing http_request and https_request
  function, shared code is factored out to a common helper.
- Call the new function when restarting the CA service. Since our Service
  can only be extended in platform-specific code, do this for Fedora only.
  Also, the status is only checked with Dogtag 10+.
- When a restart call in cainstance failed, users were referred to the
  installation log, but no info was actually logged. Log the exception.

https://fedorahosted.org/freeipa/ticket/3084
2012-10-23 22:02:21 -04:00
Martin Kosek
9126b18d8b Add fallback for httpd restarts on sysV platforms
The httpd init script on sysV-based platforms cannot guarantee that two
consecutive httpd service restarts succeed when run within a short
time of each other.

Add a fallback procedure that adds additional waiting time after such a
failed restart attempt, and then tries to stop and start the service
again.

https://fedorahosted.org/freeipa/ticket/2965
2012-10-18 20:53:42 -04:00
Petr Viktorin
9c0426c3ed Wait for secure Dogtag ports when starting the pki services
Dogtag opens not only the insecure port (8080 or 9180, for d10 and
d9 respectively), but also secure ports (8443 or 9443&9444).
Wait for them when starting.

Part of the fix for https://fedorahosted.org/freeipa/ticket/3084
2012-10-03 17:38:42 +02:00
Petr Viktorin
4f76c143d2 Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:59 -04:00
Ade Lee
3dd31a8756 Modifications to install scripts for dogtag 10
Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:36 -04:00
Petr Viktorin
c8abd24ebe Create /etc/sysconfig/network if it doesn't exist
When the --hostname option is given to ipa-client-install, we
write HOSTNAME to /etc/sysconfig/network. When that file didn't exist,
the installer crashed.

Create the file if it doesn't exist and we need to write to it.

https://fedorahosted.org/freeipa/ticket/2840
2012-08-03 12:09:56 +02:00
Rob Crittenden
03837bfd6d Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only on one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the de facto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is conceivable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
2012-07-30 13:39:08 +02:00
Rob Crittenden
e5b6260008 Centralize timeout for waiting for servers to start.
All service starts/restarts currently go through ipapython/platform so
move the "wait for service to start" code there as well.

A dictionary of known services and ports to wait on is defined in base.py.
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.

https://fedorahosted.org/freeipa/ticket/2375
https://fedorahosted.org/freeipa/ticket/2610
2012-07-02 17:08:58 -04:00
Rob Crittenden
f4d2f2a65b Configure automount using autofs or sssd.
This script edits nsswitch.conf to use either ldap (autofs) or
sss (sssd) to find automount maps.

NFSv4 services are started so Kerberos encryption and/or integrity can
be used on the maps.

https://fedorahosted.org/freeipa/ticket/1233
https://fedorahosted.org/freeipa/ticket/2193
2012-06-25 17:24:34 -04:00
Rob Crittenden
9e877585e2 If SELinux is enabled ensure we also have restorecon.
We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.

On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.

https://fedorahosted.org/freeipa/ticket/2368
2012-05-31 14:07:05 +02:00
Rob Crittenden
e9ed7f7ca1 Don't run restorecon if SELinux is disabled or not present.
Also check for the existence of restorecon. This may be overkill but
it will prevent a client installation from failing for no good reason.

https://fedorahosted.org/freeipa/ticket/2368
2012-02-27 17:37:08 +01:00
Jan Cholasta
e5c0750806 Add SSH service to platform-specific services.
Add method for getting configuration directory path of a service,
so that a different SSH configuration directory can be specified on
different platforms.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:21:54 -05:00
Alexander Bokovoy
8bba212c80 Handle upgrade issues with systemd in Fedora 16 and above
Since 389-ds-base-1.2.10-0.8.a7 Directory Server's systemd settings are
configured via /etc/sysconfig/dirsrv.systemd. This means a logic change in
the systemd/fedora16 platform of FreeIPA.

Additionally, existing installs need to be handled during upgrade.

Fixes:
    https://fedorahosted.org/freeipa/ticket/2117
    https://fedorahosted.org/freeipa/ticket/2300
2012-02-08 20:11:20 -05:00
Alexander Bokovoy
25d5d7ed93 Add support for systemd environments and use it to support Fedora 16
https://fedorahosted.org/freeipa/ticket/1192
2011-10-24 15:10:11 +02:00
Rob Crittenden
77fdf6f7c7 Save the value of hostname even if it doesn't appear in /etc/sysconfig/network
https://fedorahosted.org/freeipa/ticket/1871
2011-10-13 01:01:44 -04:00
Alexander Bokovoy
8badce286f Refactor backup_and_replace_hostname() into a flexible config modification tool
backup_and_replace_hostname() was doing three things:
    1. Given config file in 'key=value' style, replace value for a
       specified key (HOSTNAME)
    2. Backup original file and install a replacement
    3. Restore original security context after editing

We have several more places where parts of the functionality are needed,
thus making two tools in ipapython.ipautil:

    1. config_replace_variables(filepath, replacevars=dict(),
                                appendvars=dict())
       Replaces or appends values to specified keys, adding new key=value
       pairs if key was absent

    2. backup_config_and_replace_variables(fstore, filepath,
                                           replacevars=dict(),
                                           appendvars=dict())
       Backs up the config file and calls config_replace_variables()

A caller must handle security context after using these two tools.

In addition, as before, there is
ipapython.services.backup_and_replace_hostname() that uses
these common tools and restores security context after editing.

The code will be used extensively for systemd integration for Fedora 16.

Fixes:
    https://fedorahosted.org/freeipa/ticket/1871
2011-10-11 18:21:41 -04:00
Rob Crittenden
1d8a891844 The return value of restorecon is not reliable, ignore it.
https://fedorahosted.org/freeipa/ticket/1816
2011-09-20 08:54:05 +02:00
Alexander Bokovoy
1362202653 Introduce platform-specific adaptation for services used by FreeIPA.
Refactor FreeIPA code to allow abstracting all calls to external processes and
dependencies on modification of system-wide configuration. A platform provider
would give its own implementation of those methods and FreeIPA would use it
based on what's built in packaging process.

https://fedorahosted.org/freeipa/ticket/1605
2011-09-13 11:25:58 +02:00