Commit Graph

2381 Commits

Author SHA1 Message Date
Rob Crittenden
71047f68b5 Remove the option stop_certmonger from stop_tracking_*
This option was inconsistent between invocations and there is
no need to stop certmonger after stopping tracking. It was also
apparently causing dbus timeout errors, probably due to the amount
of work that certmonger does at startup.

https://pagure.io/freeipa/issue/8506
https://pagure.io/freeipa/issue/8533

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 17:13:53 +02:00
Rob Crittenden
3d2d06719f Add some logging around initial ACME deployment
From the upgrade log it was not possible to see the current
state of ACME which makes troubleshooting difficult.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

Related: https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-02-15 09:57:07 +02:00
Rob Crittenden
b1e72cb12e Add versions to the ACME config templates and update on upgrade
Put the ACME config files under normal IPA versioning so we
can more seamlessly do updates to them.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://pagure.io/freeipa/issue/8712

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-02-15 09:57:07 +02:00
Antonio Torres
5d8cb1dd1f ipa-cacert-manage: add prune option
Add prune option to ipa-cacert-manage, allowing
to remove all expired certificates from the certificate store.

Related: https://pagure.io/freeipa/issue/7404
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-12 14:08:11 -05:00
Rob Crittenden
1870c93354 Ensure IPA is running (ideally) before uninstalling the KRA
The KRA attempts to unregister itself from the security domain
which requires that IPA be running for this to succeed.

1. Move the KRA uninstall call prior to stopping all IPA
   services
2. Try to start IPA if it isn't running and a KRA is configured

It isn't mandatory that IPA be running for the KRA uninstall to
succeed but it will suppress a pretty scary backtrace and error
message.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Rob Crittenden
928ab51be6 ipactl: support script status 3, program is not running
Return status 3 if ipactl status can't start 389-ds or if
any of the expected services is not running.

https://pagure.io/freeipa/issue/8588

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Rob Crittenden
daf2ca3ead Use the new API introduced in PKI 10.8
https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Rob Crittenden
62521edcd1 Change CA profile migration message from info to debug
This is an informational message and clutters the installation
screen with no end-user benefit. Logging it as debug is
sufficient to know what is going on.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Rob Crittenden
75c1b7ed34 Provide more detailed logging around memory detection
This should make it easier to troubleshoot low memory installation
failures from the logs.

https://pagure.io/freeipa/issue/8404

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-02-01 10:35:16 -05:00
Christian Heimes
24a5d4d06b Ensure that KDC cert has SAN DNS entry
The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.

* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs

Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-29 13:36:41 -05:00
Rob Crittenden
43222cb855 Ignore database errors when trying to extract ipaCert on upgrade
If NSSDatabase() throws a ValueError it means we can't open it
to look for an existing ipaCert to migrate. Chances are there is
no certificate to migrate at this point in Fedora so don't let
it blow up the entire installation/upgrade. Warn the user and let
them figure it out.

We have no real path forward on this and by proceeding it could
lead to more errors (like no RA) but it is extremely unlikely and
would require a user to upgrade from very old Fedora to very
new Fedora in one step.

https://pagure.io/freeipa/issue/8675

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2021-01-28 09:19:32 +01:00
Rob Crittenden
6518a600b4 Change FreeIPA references to IPA and Identity Management
In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00
Rob Crittenden
176fe83a01 Add support for cgroup v2 to the installer memory checker
Support both the case where there is a limit imposed on the
container and when there isn't.

https://pagure.io/freeipa/issue/8635

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-20 15:59:27 +01:00
Rob Crittenden
85d4f2d9c6 Revert "Remove test for minimum ACME support and rely on package deps"
This reverts commit 81c97bb992.

This is to make IPA installable again with older versions of dogtag
so it will install on CentOS 8 Stream.

ACME will not be deployed but on upgrade, if pki 10.10.x is available
then it will be.

https://pagure.io/freeipa/issue/8634

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-15 10:07:33 +01:00
Florence Blanc-Renaud
1a988ba96d ipa-cert-fix: do not fail when CSR is missing from CS.cfg
When the CSR for an expired cert is not found in
/etc/pki/pki-tomcat/{ca|kra}/CS.cfg, ipa-cert-fix fails to
renew the certificate and repair the installation.

The CSR can be found using certmonger as it is stored in
/var/lib/certmonger/requests/<ID> in the "csr" attribute.
Prior to calling pki-server cert-fix, make sure that the
CSR is present in CS.cfg, or update CS.cfg with the content
found using certmonger.

Fixes: https://pagure.io/freeipa/issue/8618

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-07 16:21:16 +01:00
Alexander Bokovoy
4c4f16fc9c odsexporterinstance: use late binding for UID/GID resolution
Move actual resolution of UID/GID values for 'ods' entities to the code
that needs them. This prevents failures when uninstalling IPA server set
up without DNS feature. In particular, 'ods' user and group are created
when 'opendnssec' package is installed and if 'opendnssec' package is
not installed, uninstall fails in OpenDNSSEC Exporter instance
constructor.

We use common pattern of checking the service during uninstall:

 svc = SVCClass()
 if svc.is_configured():
    svc.uninstall()

Thus, service class constructor must not do UID/GID resolution

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-12-22 14:05:13 +02:00
Alexander Bokovoy
b6a645338c dnskeysyncinstance: use late binding for UID/GID resolution
Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.

We use common pattern for all services during uninstall:

 svc = SVCClass(..)
 if svc.is_configured()
     svc.uninstall()

This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-12-22 14:05:13 +02:00
Alexander Bokovoy
8e16a1d169 opendnssecinstance: use late binding for UID/GID resolution
Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.

We use common pattern for all services during uninstall:

 svc = SVCClass(..)
 if svc.is_configured()
     svc.uninstall()

This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-12-22 14:05:13 +02:00
Christian Heimes
a297097bc2 Change mkdir logic in DNSSEC
- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-18 20:40:36 +02:00
Alexander Bokovoy
f841ccb352 upgrade: ensure service state is synchronized with the server state
Convert configuredService to either enabledService or hiddenService
depending on the state of the server role.  This is to fix situations
when deployment has happened before introduction of hidden replicas
as those services will stay as configuredService and will not get
started after upgrade, rendering the system non-functioning.

Fixes: https://pagure.io/freeipa/issue/8623

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-12-18 13:33:44 +02:00
Alexander Bokovoy
fccceaa2d9 upgrade: do not overshadow service module in upgrade_configuration
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-12-18 13:33:44 +02:00
Alexander Bokovoy
b7c00f2a1f service: handle empty list of services to update their state
When there are no services in LDAP that have specified states, we don't
need to update their state.

Fixes: https://pagure.io/freeipa/issue/8623

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-12-18 13:33:44 +02:00
Alexander Bokovoy
38a86e3367 systemd: enforce en_US.UTF-8 locale in systemd units
Python code does detection of the system encoding based on the locale
settings. On RHEL 8.4 development images we somehow get LANG=en_US which
defaults to iso8859-1 _inside_ the systemd-started service, even though
the whole environment defaults to LANG=en_US.UTF-8.

When instrumented with ExecStartPre=/usr/bin/locale, the following
output can be seen:

locale[45481]: LANG=en_US
locale[45481]: LC_CTYPE="en_US"
locale[45481]: LC_NUMERIC="en_US"
locale[45481]: LC_TIME="en_US"
locale[45481]: LC_COLLATE="en_US"
locale[45481]: LC_MONETARY="en_US"
locale[45481]: LC_MESSAGES="en_US"
locale[45481]: LC_PAPER="en_US"
locale[45481]: LC_NAME="en_US"
locale[45481]: LC_ADDRESS="en_US"
locale[45481]: LC_TELEPHONE="en_US"
locale[45481]: LC_MEASUREMENT="en_US"
locale[45481]: LC_IDENTIFICATION="en_US"
locale[45481]: LC_ALL=
ipactl[45483]: Unexpected error
ipactl[45483]: SystemEncodingError: System encoding must be UTF-8, 'iso8859-1' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE

Set the environment to explicit LC_ALL=C.UTF-8 to please the Python
code. FreeIPA server side only cares about actual encoding, not the
language itself. We already use LC_ALL=C.UTF-8 in httpd service snippet.

Fixes: https://pagure.io/freeipa/issue/8617
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2020-12-10 14:38:05 +02:00
Alexander Bokovoy
07fa32a0a5 upgrade: provide DOMAIN to the server upgrade dictionary
Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
in the dictionary. Regression was introduced with
e731b2725a.

Fixes: https://pagure.io/freeipa/issue/8615
Related: https://pagure.io/freeipa/issue/8595

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-12-10 13:47:16 +02:00
Florence Blanc-Renaud
930453b65e Improve PKI subsystem detection
The dogtaginstance.is_installed() method currently relies on
the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra},
even if it is empty.
An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA
is installed and crashing when trying to upgrade a not-installed
component.

The fix relies on the command "pki-server subsystem-show {ca|kra}" to
detect if a subsystem is installed. The command does not require PKI
to be running (hence can be called anytime) and is delivered by
the pki-server package which is already required by ipa server pkg.

Fixes: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-09 09:54:58 +01:00
Rob Crittenden
ba9b9502e4 Move where the restore state is marked during IPA server upgrade
There is still some exposure to killing in a bad place. This was
reproduced by killing the process in the parser.parse() call within
__restore_config (line 230) so the values were restored from the
backup but the new dse.ldif never written or copied. But the values
had already been restored from the state file.

I'm not sure this can ever be 100% bullet-proof since it can be
externally killed but if rather than calling restore_state() on the
values in __restore_config we use get_state() which will peek at the
values in the state file without removing them. Then the last step
is to pop upgrade-in-progress and then the rest.

If the values have been restored and the new ldif written and copied
then it's only upgrade-in-progress that really matters. The rest will
be overwritten.

https://pagure.io/freeipa/issue/7534

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-02 14:08:51 +02:00
Rob Crittenden
2068c7c472 Reorder when ACME is enabled to fix failure on upgrade
On upgrading a server without ACME to one with ACME
the RA Agent DN needs to be added as a member of the
ACME Enterprise Users group. This was previously
done as part of the creation of that entry.

So on upgrade the RA Agent wouldn't be a member so
ipa-acme-manage didn't have access to operate against
the CA REST API.

In order to add the RA Agent to this group during installation
the ACME provisioning has to come after that step so it is
moved from the middle of an installation to the end and
the group addition moved into the setup_acme() method.

https://pagure.io/freeipa/issue/8603

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-12-02 14:07:39 +02:00
Rob Crittenden
81c97bb992 Remove test for minimum ACME support and rely on package deps
This method was added temporarily while the required packages
were still under development and not available in stable
repositories.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-12-02 14:07:39 +02:00
Rob Crittenden
b691850cc9 Change KRA profiles in certmonger tracking so they can renew
Internal profiles were assigned which prevented rewewals.

dogtag is providing a new profile for the audit signing cert,
caAuditSigningCert.

There are existing profiles for the transport (caTransportCert)
and storage (caStorageCert) certificates.

https://pagure.io/freeipa/issue/8545

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-12-01 12:56:03 +01:00
Mark Reynolds
daddcf6ec6 Accept 389-ds JSON replication status messages
389-ds now stores a replication agreement status message in a JSON
string in a new attribute:

                  replicaLastInitStatusJSON
                  replicaLastUpdateStatusJSON

The original status attributes' values are not changing at this time,
but there are plans to do so eventually as the old status format is
confusing.

http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html

Fixes: https://pagure.io/freeipa/issue/7975

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-12-01 08:45:07 +01:00
Florence Blanc-Renaud
3b007b7bba Always define the path DNSSEC_OPENSSL_CONF
The variable was None by default and set to /etc/ipa/dnssec/openssl.cnf
for fedora only because the code is specific to the support of pkcs11
engine for bind. As a consequence ipa-backup had a "None" value in the
list of files to backup and failed on Exception.

ipa-backup code is able to handle missing files, and the code using
the pkcs11 engine is called only when NAMED_OPENSSL_ENGINE is set
(only in fedora so far). It is safe to always define a value for
DNSSEC_OPENSSL_CONF even on os where it does not exist.

The fix also improves the method used to verify that a path exists.

Fixes: https://pagure.io/freeipa/issue/8597
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-11-30 15:52:19 +01:00
Alexander Bokovoy
935a461582 ipa-acme-manage: user a cookie created for the communication with dogtag REST endpoints
The cookie in ACME processing was supposed to be passed as a part of the
REST request but we did not pass those additional headers. Pylint on
Rawhide noticed that headers objects were left unused.

2020-11-13T11:26:46.1038078Z Please wait ...
2020-11-13T11:26:46.1038385Z
2020-11-13T11:28:02.8563776Z ************* Module ipaserver.install.ipa_acme_manage
2020-11-13T11:28:02.8565974Z ipaserver/install/ipa_acme_manage.py:50: [W0612(unused-variable), acme_state.__exit__] Unused variable 'headers')
2020-11-13T11:28:02.8567071Z ipaserver/install/ipa_acme_manage.py:57: [W0612(unused-variable), acme_state.enable] Unused variable 'headers')
2020-11-13T11:28:02.8568031Z ipaserver/install/ipa_acme_manage.py:63: [W0612(unused-variable), acme_state.disable] Unused variable 'headers')

Fixes: https://pagure.io/freeipa/issue/8584
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Rob Crittenden
69b42f0c80 Catch EmptyResult exception in update_idranges
If no results are returned then find_entries will raise
EmptyResult and not NotFound. NotFound is returned if
the search base doesn't exist.

The test for not entries can be removed as well since this
is the EmptyResult case. In case of a NotFound this will
be handled by the ExecutionError clause.

Found with https://pagure.io/freeipa/issue/8555

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-11-06 16:29:41 -05:00
Rob Crittenden
b60d2d975d Add ipwpwdpolicy objectclass to all policies on upgrade
ipapwdpolicy is the objectclass which defines the libpwquality
attributes. For older sytems it isn't strictly necessary (or
visible) but not having it included will result in policies
not being visible with pwpolicy-find.

https://pagure.io/freeipa/issue/8555

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-11-06 16:29:41 -05:00
Rob Crittenden
e0ff82c884 Change the return codes of ipa-acme-manage
Traditionally in IPA 0 = success, 1 = error and then
specific error messages follow from that. Shift the
ipa-acme-manage return codes for "not installed" and
"not a CA" up by one.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 14:01:05 -05:00
Rob Crittenden
2768b0dbaf Require an ipa-ca SAN on 3rd party certs if ACME is enabled
ACME requires an ipa-ca SAN to have a fixed URL to connect to.
If the Apache certificate is replaced by a 3rd party cert then
it must provide this SAN otherwise it will break ACME.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 14:01:05 -05:00
Mark Reynolds
9c4785f042 Reorder creation of the CA mapping tree and database backend
New validation efforts in 389-ds-base require that the backend entry for
a database be created before the mapping tree entry. This enforces that
the mapping tree entry (the suffix) actually belongs to an existing backend.

For IPA we simply need to reverse the order of the backend vs mapping tree
creation in cainstance.py -> __create_ds_db()

Fixes: https://pagure.io/freeipa/issue/8558
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-02 13:42:37 -05:00
Rob Crittenden
69ae48c8b6 Add a status option to ipa-acme-manage
It's handy in general and good for testing to be able to
detect the current ACME status without having to revert
to using curl.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Rob Crittenden
92c3ea4e29 Don't install ACME if full support is not available
The initial ACME support required that each server individually
enable/disable the service. PKI 10.10.0 stores this state in LDAP
so global enable/disable is available and the IPA code relies on
this.

Parse the VERSION file shipped with PKI to determine the version.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Rob Crittenden
c0d55ce6de Centralize enable/disable of the ACME service
The initial implementation of ACME in dogtag and IPA required
that ACME be manually enabled on each CA.

dogtag added a REST API that can be access directly or through
the `pki acme` CLI tool to enable or disable the service.

It also abstracted the database connection and introduced the
concept of a realm which defines the DIT for ACME users and
groups, the URL and the identity. This is configured in realm.conf.

A new group was created, Enterprise ACME Administrators, that
controls the users allowed to modify ACME configuration.

The IPA RA is added to this group for the ipa-acme-manage tool
to authenticate to the API to enable/disable ACME.

Related dogtag installation documentation:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Database.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Installing_PKI_ACME_Responder.md

ACME REST API:
https://github.com/dogtagpki/pki/wiki/PKI-ACME-Enable-REST-API

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Rob Crittenden
2ef53196c6 Enable importing LDIF files not shipped by IPA
This is to be able to import ACME schema provided by dogtag.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Rob Crittenden
2f8eb73f58 Use a state to determine if a 389-ds upgrade is in progress
When applying update files to 389 the listeners are disabled.
There is a large try/except around this so that if a failure
happens then the configuration should be automatically
restored.

We've seen multiple cases where this doesn't occur. Best guess
is that users are killing or ^C breaking out of the script.

What happens in that case is that when the next upgrade is run
the configuration is backed up again overwriting the original
values. This leaves dirsrv with no listener on 389.

Add a new state, upgrade-in-progress, so that the backup of the
config information can be skipped when the upgrader is executed
again after a failure.

The idea behind using a new state value is that if additional
attributes are ever backed up we don't need to remember to update
the list of possible saved values to check to decide if the
upgrade is in progress.

https://pagure.io/freeipa/issue/7534

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-27 15:50:19 -04:00
Christian Heimes
e28ec76898 Unify access to FQDN
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.

Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.

C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.

Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Rob Crittenden
139d60d747 Don't restart certmonger after stopping tracking in uninstall
certmonger was later restarted to remove the custom CA entries
and the startup delay sometimes caused uninstallation to fail.

certmonger is stopped in cainstance.py::uninstall() so it will
still be stopped post-install.

https://pagure.io/freeipa/issue/8533

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-19 12:56:22 -04:00
Christian Heimes
fa58071221 Reuse main LDAP connection
cainstance and krainstance now reuse the main LDAP connection
api.Backend.ldap2 in all helper functions. Some functions used to create
and tear down their own LDAP connection. This was a remnant of the old
CA LDAP instance in FreeIPA 3.x.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-19 09:53:29 +02:00
Christian Heimes
a9d34c8e66 Speed up cainstance.migrate_profiles_to_ldap
The ra_certprofile API is slow. It takes ~200ms to migrate and enable a
profile even when the profile already available. The migration step
slows down the installer and upgrader by about 12 to 15 seconds.

Skip all profiles that have been imported by Dogtag already.

Related: https://pagure.io/freeipa/issue/8522
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-19 09:53:29 +02:00
Christian Heimes
731c5b2110 Lookup ipa-ca record with NSS
DNS data management now uses NSS's getaddrinfo() instead of direct DNS
queries to resolve the ipa-ca record. This fixes missing ipa-ca records
when the current hostname is not resolvable in DNS but has correct
records in /etc/hosts.

Reduce timeout to 15 seconds and tighten timeout loop.

The changeset can speed up installation by almost 60 seconds.
ipa-server-install without built-in DNS calls into DNS data management
twice with a timeout of 30 seconds for each call.

Fixes: https://pagure.io/freeipa/issue/8529
Related: https://pagure.io/freeipa/issue/8521
Related: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-10 12:54:06 +02:00
Christian Heimes
a3abae825c Simplify update code
resolve_ip_addresses_nss(host) is equivalent to
get_server_ip_address(api.env.host, True, False, []). The function
get_server_ip_address() is designed to perform interactive checks that
should not be triggered in automatic upgrade code.

Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-08 08:32:08 +02:00
Christian Heimes
814328ea3c Don't add 127.0.0.1 to resolv.conf twice
On systems with multiple IP addresses the update code could add
::1 and 127.0.0.1 multiple times.

Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-08 08:32:08 +02:00
Christian Heimes
6860c63760 Use separate install logs for AD and DNS instance
ipa-dns-install and ipa-adtrust-install no longer overwrite
ipaserver-install.log. Instead they use a separate log file.

Add AD-Trust, DNS, KRA, and replica log files to backups.

Fixes: https://pagure.io/freeipa/issue/8528
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-10-06 15:35:35 +02:00
Christian Heimes
942fe07eb5 Spawn PKI: Execute more steps early
Move several steps to an earlier phase of CA spawn. RA and ACME agent
ACLs are now configured while the server is down. This avoids yet
another restart and saves between 11 and 50 seconds per installation.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-05 15:04:43 +02:00
Christian Heimes
8882680ee1 Dogtag: Remove set_audit_renewal step
The step set_audit_renewal modifies Dogtag's caSignedLogCert.cfg to bump
renewal to 2 years. The problem was fixed in Dogtag upstream in 2012 before
Dogtag 10.0 came out, see
f5b8ea5b08

The update step would also no longer work. Profiles have been migrated
to LDAP several FreeIPA releases ago. pkispawn populates LDAP with all
of Dogtag's default profiles. FreeIPA does not overwrite any existing
profiles.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-05 15:04:43 +02:00
Christian Heimes
9eccaf6269 Skip offline dse.ldif patching by default
The installer now stop and patches dse.ldif only when the option
--dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a
new step.

This speeds up installer by 4 or more seconds on a fast system.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-05 15:02:14 +02:00
Christian Heimes
daec804961 Remove magic sleep from create_index_task
11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock
bug in memberOf plugin. Thierry is not aware of any outstanding issues
with memberOf plugin that could lead to a deadlock.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-05 15:02:14 +02:00
Christian Heimes
37a0af6a8c Remove root-autobind configuration
The new lib389-based installer configured 389-DS with LDAPI support and
autobind for root. nsslapd-ldapiautobind is enabled by lib389.

cn=root-autobind,cn=config entry is no longer needed.

nsslapd-ldapimaptoentries is kept enabled for future use.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-05 15:02:14 +02:00
Christian Heimes
e46c3792f3 Use single update LDIF for indices
Index definitions were split across four files. indices.ldif contained
the initial subset of indices. Three update files partly duplicated the
indices and partly added new indices.

All indices are now defined in a single update file that is sorted
alphanumerically.

The changeset avoids two additional index tasks and reduces installation
time by 5 to 10 seconds.

Fixes: https://pagure.io/freeipa/issue/8493
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-29 12:05:20 +02:00
Christian Heimes
ced1dcb1d9 Also backup DNS config drop-ins
/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
files were not backed up.

Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-28 14:33:15 +02:00
Alexander Bokovoy
2c393c09e0 Pre-populate IP addresses for the name server upgrades
Setting up resolv.conf in BIND instance expects IP addresses of the
server to be provided. This is done wiht BindInstance.setup() method
call. However, when reusing resolver setup during upgrade BIND instance
has no IP addresses configured and fails with an assert in
tasks.configure_dns_resolver().

Pass through the server's IP addresses during upgrade.

Fixes: https://pagure.io/freeipa/issue/8518

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-09-28 08:47:31 +02:00
Christian Heimes
69ebe41525 Fix nsslapd-db-lock tuning of BDB backend
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.

Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.

Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.

Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-09-24 17:03:00 +02:00
Rob Crittenden
b47ddb0186 Reduce the memory requirement from 1.6 to 1.2 GB
We know from practical experience in PR-CI and Azure that 1.2
is the absolute minimum necessary for a base installation.

https://pagure.io/freeipa/issue/8404

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-09-24 08:20:48 +02:00
Christian Heimes
79b9982b86 Create systemd-resolved configuration on update
Create systemd-resolved drop-in and restart the service when the drop-in
config file is missing and /etc/resolv.conf points to stub resolver
config file.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-23 16:44:26 +02:00
Christian Heimes
528c519cb5 Use new API for auto-forwarders
Auto-forwarders and manual configuration now use the new API to get a
list of DNS servers. Manual installer refuses loopback, too.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-23 16:44:26 +02:00
Christian Heimes
e64f27fdf8 Configure NetworkManager to use systemd-resolved
zzz-ipa.conf now enables NetworkManager's systemd-resolved plugin when
systemd-resolved is detected.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-23 16:44:26 +02:00
Christian Heimes
80fca8d701 Delay import of psutil to avoid AVC
Commit cfad7af35d added a check to ensure a
system has sufficient amount of memory. The feature uses psutil to get
available memory. On import psutil opens files in /proc which can result in
an SELinux violations and Python exception.

     PermissionError: [Errno 13] Permission denied: '/proc/stat'

Fixes: https://pagure.io/freeipa/issue/8512
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-23 14:49:15 +02:00
Rob Crittenden
cc5d9a8c9d Clean up entire /run/ipa/ccaches directory not just files
If there are any sub-directories in the ccaches directory
then cleaning it up will fail.

Instead remove the whole directory and allow systemd-tmpfiles
to re-create it.

https://pagure.io/freeipa/issue/8248

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-09-23 14:48:29 +02:00
Christian Heimes
b19d20e2db Use new classes for run_command and Service
User and Group now return unmodified instance when they are called with
an instance of themselves: User(user) is user.

run_command() and Service class accept either names or User object.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:23:18 -04:00
Christian Heimes
72fb4e60c8 Add user and group wrappers
New classes for user and group names provide a convenient way to access
the uid and primary gid of a user / gid of a group. The classes also
provide chown() and chgrp() methods to simplify common operations.

The wrappers are subclasses of builtin str type and behave like ordinary
strings with additional features. The pwd and grp structs are retrieved
once and then cached.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:23:18 -04:00
Christian Heimes
99a40cbbe9 Simplify LDAPUpdater
- drop unused dm_password and ldapi arguments
- remove online feature that was never implemented
- allow passing of api object that is used to populate substitution
  dictionary
- simplify substitution dictionary updates
- remove unused instances vars

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:21:00 -04:00
Christian Heimes
87cf2a3c78 Add ldap_update() helper to service class
The new _ldap_update() helper methods makes it easier to apply LDAP
update files from a service instance.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:21:00 -04:00
Christian Heimes
3c86baf0ad Don't create DS SSCA and self-signed cert
Instruct lib389 to not create its self-signed CA and temporary
self-signed certificate. FreeIPA uses local connections and Unix socket
for bootstrapping.

Fixes: https://pagure.io/freeipa/issue/8502
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-21 18:13:51 -04:00
Christian Heimes
b606fa6cca Duplicate CA CRT: ignore expected cert
When search for duplicate CA certs ignore the one expected entry.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-09-18 14:20:08 -04:00
François Cami
be7bf98b3b dogtaginstance.py: add --debug to pkispawn
Since commits:
0102d836f4
de217557a6
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-17 15:59:00 +02:00
Rob Crittenden
cfad7af35d Require at least 1.6Gb of available RAM to install the server
Verify that there is at least 1.6Gb of usable RAM on the system. Swap
is not considered. While swap would allow a user to minimally install
IPA it would not be a great experience.

Using any proc-based method to check for available RAM does not
work in containers unless /proc is re-mounted so use cgroups
instead. This also handles the case if the container has memory
constraints on it (-m).

There are envs which mount 'proc' with enabled hidepid option 1
so don't assume that is readable.

Add a switch to skip this memory test if the user is sure they
know what they are doing.

is_hidepid() contributed by Stanislav Levin <slev@altlinux.org>

https://pagure.io/freeipa/issue/8404

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-09-14 09:17:33 +03:00
Christian Heimes
0a2b6ca6ee Only restart DS when duplicate cacrt was found
The update_fix_duplicate_cacrt_in_ldap plugin no longer restarts DS when
CA is disabled or no duplicate cacrt entry was dedected.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-09-11 13:22:42 -04:00
Rob Crittenden
f249c51bf4 Set the certmonger subject with a string, not an object
ipa-server-certinstall goes through a slightly different code path
if the replacement certificate is issued by IPA. This was setting
the subject using cert.subject which is a Name object and not the
string representation of that object. This was failing in the
dbus call to certmonger.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-09-10 09:21:25 +02:00
Fraser Tweedale
9094dfc294 install: simplify host name verification
Perform a small refactor to the installer code that chooses and
verifies the hostname.  In particular:

- choice of hostname is separate from validation
- read_host_name no longer performs validation
- verify_fqdn is now called from one place
- if/else branches are now "balanced"

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-03 13:58:59 +02:00
Fraser Tweedale
b54d936487 delete unused subroutine get_host_name()
Commit a42a711394, from September
2018, removed the only call site of installutils.get_host_name().
Delete the definition.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-03 13:56:45 +02:00
Stanislav Levin
49e643783d dnspython: Add compatibility shim
`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
e2030b8cad named: Include crypto policy in openssl config
On platforms which have system-wide crypto policy the latter has
to be included in openssl config.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
ecfaf897b9 named: Don't override custom command line options for named
Custom options can be supplied by a vendor via 'OPTIONS' env
variable(platform specific) and IPA installer will override them
in this case. Thus, at least, the base parsing of existing options
is required.

Current named command line options:
NS_MAIN_ARGS "46A:c:C:d:D:E:fFgi:lL:MⓂ️n:N:p:P:sS:t:T:U:u:vVx:X:"

If there are several same options the last passed wins.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
8716881fc4 service: Allow service to clean up its state
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
85ed106d78 upgrade: Handle migration of BIND OpenSSL engine
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
bed09b7f85 DNSKeySyncInstance: Populate named/ods uid/gid on instantiation
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
5c907e34ae named: Allow using of a custom OpenSSL engine for BIND
For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11'
support. Till recently, that was the strict requirement of DNSSEC.
The problem is that this restricts cross-platform features of FreeIPA.

With the help of libp11, which provides `pkcs11` engine plugin for
the OpenSSL library for accessing PKCS11 modules in a semi-
transparent way, FreeIPA could utilize OpenSSL version of BIND.

BIND in turn provides ability to specify the OpenSSL engine on the
command line of `named` and all the BIND `dnssec-*` tools by using
the `-E engine_name`.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Mark Reynolds
c08c7e1156 Increase replication changelog trimming to 30 days
A long time ago the DS team recommended that the changelog trimming interval be set to 7 days.  However, more recently we tend to see more time skews on certain platforms, and issues where it appears changes were trimmed too early (which can break replication).

It would be better to set the trimming interval to 30 days.  This still prevents the changelog from getting too large, and it should help with some of the other issues we are now seeing.

Fixes: https://pagure.io/freeipa/issue/8464

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-08-19 14:02:27 -04:00
Rob Crittenden
2bdb18d56f Use is_ipa_configured from ipalib.facts
A couple of places still used the deprecated installutils version.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-08-18 11:11:26 +02:00
Rob Crittenden
a8d5e6bbfe Fall back to old server installation detection when needed
If there is no installation section the the install pre-dated
this new method of detecting a successful installation, fall back
to that.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-08-18 11:11:26 +02:00
Stanislav Levin
5c1e448300 uninstall: Clean up no longer used flag
The `_server_trust_ad_installed` was added as a flag which
indicates that `freeipa-server-trust-ad` package is installed.
Later, `ipaserver/install/adtrustinstance.py` module was moved out
into `freeipa-server` package and the import became unconditionally
successful.

Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-17 10:46:23 +02:00
Stanislav Levin
89d86dac0a uninstall: Don't fail on missing /var/lib/samba
On some distros freeipa-server package may not depend on
`/var/lib/samba` directory. In this case an uninstallation of
ipaserver fails.

Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-17 10:46:23 +02:00
Mark Reynolds
b9ae7c45b8 Issue 8456 - Add new aci's for the new replication changelog entries
Description:  We need a read and a write aci for the new changelog location,
              which was moved from cn=changelog5,cn=config to
              cn=changelog,cn=BACKEND,cn=ldbm database,cn=plguins,cn=config

              The read aci allows the replica hostgroup entry to find and
              read the changelog confguration, and the write allows the replica
              to update the changelog with a proper trimming settings.

Fixes: https://pagure.io/freeipa/issue/8456

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-17 10:44:03 +02:00
Christian Heimes
e89b400713 Treat container subplatforms like main platform
ipa-server-upgrade does not like platform mismatches. Upgrade from an
old container to recent container fails with error message:

```
  IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
  ("Unable to execute IPA upgrade: platform mismatch (expected 'fedora', current 'fedora_container')", 1)
```

Upgrade state now treats a container subplatform like its main platform.
``fedora_container`` is really a ``fedora`` platform with some paths
redirected to ``/data`` partition.

The patch also enhances debug logging for installer and upgrader.

Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-07 17:54:06 +03:00
Rob Crittenden
5e02713481 Don't use the has_files() to know if client/server is configured
Use the is_ipa_configure() and is_ipa_client_configured() utilities
instead which are much more robust.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Rob Crittenden
d7a4756dac Create a common place to retrieve facts about an IPA installation
This is common to both client and server. Start with whether the
client or server is configured.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Rob Crittenden
0fa8686918 Simplify determining if an IPA server installation is complete
When asking the quesiton "is my IPA server configured?" right now
we look at whether the installation backed up any files and set
any state. This isn't exactly precise.

Instead set a new state, installation, to True as soon as IPA
is restarted at the end of the installer.

On upgrades existing installations will automatically get this
state.

This relies on the fact that get_state returns None if no state
at all is set. This indicates that this "new" option isn't available
and when upgrading an existing installation we can assume the
install at least partly works.

The value is forced to False at the beginning of a fresh install
so if it fails, or is in a transient state like with an external
CA, we know that the installation is not complete.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Rob Crittenden
ec367aa479 Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
It was previously being set to 0444 which triggered a warning
in freeipa-healthcheck.

Even root needs DAC_OVERRIDE capability to write to a 0o444 file
which may not be available in some environments.

https://pagure.io/freeipa/issue/8441

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-06 12:49:51 +02:00
Stanislav Levin
c81cac70ac pylint: Fix warning and error
- fixed W0612(unused-variable)
- added missing dependency on python-yaml

Fixes: https://pagure.io/freeipa/issue/8442
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-08-04 13:47:28 -04:00
Mark Reynolds
44259e8e68 Issue 8407 - Support changelog integration into main database
Description: Add support for both the old and new replication changelogs.
             First try to get and update the new entry, if it's not found
             then we know we need to update the old global changelog entry.

Fixes: https://pagure.io/freeipa/issue/8407

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>

Fix missing self, and missing arg

Fix copy/paste error

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-04 10:54:57 +03:00
Florence Blanc-Renaud
9335bd9299 CAless installation: set the perms on KDC cert file
In CA less installation, the KDC certificate file does not have
the expected 644 permissions. As a consequence, WebUI login
fails.

The fix makes sure that the KDC cert file is saved with 644 perms.

Fixes: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-08-03 18:00:08 -04:00
Peter Keresztes Schmidt
cf8ef6fd2d ipa-backup/restore: remove remaining chdir calls
Closes: https://pagure.io/freeipa/issue/7416
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-31 17:38:39 -04:00
Christian Heimes
64b20aad28 Write state dir to smb.conf
smb.conf now sets state and cache directory, then includes the registry.
This also allows us to write the final smb.conf before importing
remaining settings into the Samba registry.

Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-07-30 11:38:25 +02:00