freeipa/ipaplatform
Florence Blanc-Renaud ed001c97ee ipa config: add --enable-sid option
Add new options to ipa config-mod, allowing to enable
SID generation on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME

The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.

--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows to specify the NetBIOS Name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.

This command can be run multiple times.

Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
..
base ipa config: add --enable-sid option 2021-11-02 10:11:28 +01:00
debian BIND: Setup logging 2021-05-25 10:45:49 +03:00
fedora Always define the path DNSSEC_OPENSSL_CONF 2020-11-30 15:52:19 +01:00
fedora_container BIND: Setup logging 2021-05-25 10:45:49 +03:00
redhat On redhat-based platforms rely on authselect to enable sudo 2021-10-28 16:24:06 -04:00
rhel rhel platform: add a named crypto-policy support 2021-07-16 15:38:53 +02:00
rhel_container BIND: Setup logging 2021-05-25 10:45:49 +03:00
suse BIND: Setup logging 2021-05-25 10:45:49 +03:00
__init__.py Make ipaplatform a regular top-level package 2020-05-05 11:47:16 +02:00
_importhook.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
constants.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
Makefile.am Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
osinfo.py Allow to override ipaplatform with env var 2020-07-30 11:38:25 +02:00
override.py.in Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
paths.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
README.md Don't configure authselect in containers 2020-08-06 14:20:54 +02:00
services.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Add ipaplatform for Fedora and RHEL container 2020-07-30 11:38:25 +02:00
tasks.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00

IPA platform abstraction

The ipaplatform package provides an abstraction layer for supported Linux distributions and flavors. The package contains constants, paths to commands and config files, services, and tasks.

  • base abstract base platform
  • debian Debian- and Ubuntu-like
  • redhat abstract base for Red Hat platforms
  • fedora Fedora
  • fedora_container freeipa-container on Fedora
  • rhel RHEL and CentOS
  • rhel_container freeipa-container on RHEL and CentOS
  • suse OpenSUSE and SLES
[base]
  ├─ debian
  ├─[redhat]
  │   ├─ fedora
  │   │   └─ fedora_container
  │   └─ rhel
  │       └─ rhel_container
  └─ suse

(Note: Debian and SUSE use some definitions from Red Hat namespace.)

freeipa-container platform

The fedora_container and rhel_container platforms are flavors of the fedora and rhel platforms. These platform definitions are specifically designed for freeipa-container. The FreeIPA server container implements a read-only container. Paths like /etc, /usr, and /var are mounted read-only and cannot be modified. The image uses symlinks to store all variable data like config files and LDAP database in /data.

  • Some commands don't write through dangling symlinks. The IPA platforms for containers prefix some paths with /data.
  • ipa-server-upgrade verifies that the platform does not change between versions. To allow upgrades of old containers, sysupgrade maps $distro_container to $distro platform.
  • The container images come with authselect pre-configured with sssd with-sudo option. The tasks modify_nsswitch_pam_stack and migrate_auth_configuration are no-ops. ipa-restore does not restore authselect settings. ipa-backup still stores authselect settings in backup data.
  • The --mkhomedir option is not supported.