freeipa/ipaplatform
Florence Blanc-Renaud ce0592bd47 client uninstall: handle uninstall with authconfig
If the client was installed with authconfig, with
automount configured to use ldap (--no-sssd), and later
updated to a version using authselect, the uninstaller
tries to disable the authselect feature with-custom-automount
but fails because there is no authselect profile in use.

(Upgrade of a client does not transform authconfig settings
into authselect settings because we don't have any client
upgrader, as opposed to the ipa-server-upgrade for the
servers).

To avoid uninstallation failure, ignore the error and log a
warning.

The second part of the commit leverages the "complete" state
stored in the statestore, in order to fix issues when
a client installation fails and the installation is reverted
by the ipa-client-install tool itself.
The fix checks if the statestore shows an incomplete
installation. If the install was incomplete and failed before
any attempt to configure authselect, then unconfigure doesn't
need to do anything. In the other cases, unconfigure needs
to revert to the pre-ipa state.

Fixes: https://pagure.io/freeipa/issue/9147
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-05-13 16:15:59 -04:00
base Remove the --no-sssd option from ipa-client-automount 2022-03-18 09:40:37 +01:00
debian Remove the --no-sssd option from ipa-client-automount 2022-03-18 09:40:37 +01:00
fedora freeipa.spec: depend on bind-dnssec-utils 2021-11-25 16:49:00 +01:00
fedora_container allow overriding systemd-tmpfiles program 2022-03-14 13:06:17 -04:00
redhat client uninstall: handle uninstall with authconfig 2022-05-13 16:15:59 -04:00
rhel rhel platform: add a named crypto-policy support 2021-07-16 15:38:53 +02:00
rhel_container allow overriding systemd-tmpfiles program 2022-03-14 13:06:17 -04:00
suse BIND: Setup logging 2021-05-25 10:45:49 +03:00
__init__.py Make ipaplatform a regular top-level package 2020-05-05 11:47:16 +02:00
_importhook.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
constants.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
Makefile.am Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
osinfo.py Allow to override ipaplatform with env var 2020-07-30 11:38:25 +02:00
override.py.in Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
paths.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
README.md Don't configure authselect in containers 2020-08-06 14:20:54 +02:00
services.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Add ipaplatform for Fedora and RHEL container 2020-07-30 11:38:25 +02:00
tasks.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00

IPA platform abstraction

The ipaplatform package provides an abstraction layer for supported Linux distributions and flavors. The package contains constants, paths to commands and config files, services, and tasks.

  • base: abstract base platform
  • debian: Debian- and Ubuntu-like
  • redhat: abstract base for Red Hat platforms
  • fedora: Fedora
  • fedora_container: freeipa-container on Fedora
  • rhel: RHEL and CentOS
  • rhel_container: freeipa-container on RHEL and CentOS
  • suse: OpenSUSE and SLES

[base]
  ├─ debian
  ├─[redhat]
  │   ├─ fedora
  │   │   └─ fedora_container
  │   └─ rhel
  │       └─ rhel_container
  └─ suse

(Note: Debian and SUSE use some definitions from the Red Hat namespace.)

freeipa-container platform

The fedora_container and rhel_container platforms are flavors of the fedora and rhel platforms. These platform definitions are specifically designed for freeipa-container. The FreeIPA server container is implemented as a read-only container: paths like /etc, /usr, and /var are mounted read-only and cannot be modified. The image uses symlinks to store all variable data, such as config files and the LDAP database, in /data.

  • Some commands don't write through dangling symlinks. The IPA platforms for containers therefore prefix some paths with /data.
  • ipa-server-upgrade verifies that the platform does not change between versions. To allow upgrades of old containers, sysupgrade maps the $distro_container platform to the $distro platform.
  • The container images come with authselect pre-configured with sssd and the with-sudo option. The tasks modify_nsswitch_pam_stack and migrate_auth_configuration are no-ops. ipa-restore does not restore authselect settings. ipa-backup still stores authselect settings in backup data.
  • The --mkhomedir option is not supported.
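
Two common ways a writer fails to write through a dangling symlink, and why a path prefixed with /data avoids them, shown as an added example that is not FreeIPA code. The etc/ and data/ directories and app.conf are constructed stand-ins under a temporary directory; the README does not say which commands or mechanisms are involved.

```python
import os
import tempfile


def write_modes(root):
    """Try three write strategies against a dangling symlink etc/app.conf -> data/app.conf."""
    etc, data = os.path.join(root, "etc"), os.path.join(root, "data")
    os.makedirs(etc)
    os.makedirs(data)
    link = os.path.join(etc, "app.conf")      # hypothetical config path
    target = os.path.join(data, "app.conf")   # where the data should land
    out = {}
    def reset():
        for p in (link, target):
            if os.path.lexists(p):
                os.unlink(p)
        os.symlink(target, link)              # dangling: target does not exist yet

    # 1. "Create only if missing": exists() follows the link and reports False,
    #    but O_CREAT|O_EXCL never follows symlinks and refuses to create.
    reset()
    out["exists"] = os.path.exists(link)
    try:
        os.close(os.open(link, os.O_WRONLY | os.O_CREAT | os.O_EXCL))
        out["excl_create"] = "created"
    except FileExistsError:
        out["excl_create"] = "refused"

    # 2. Atomic write (temp file + rename): rename replaces the link itself, so
    #    the file lands in etc/ (EROFS if etc/ is read-only) and data/ stays empty.
    reset()
    tmp = link + ".tmp"
    with open(tmp, "w") as f:
        f.write("x")
    os.replace(tmp, link)
    out["rename_kept_link"] = os.path.islink(link)
    out["rename_reached_data"] = os.path.exists(target)

    # 3. Writing to the data/-prefixed path directly: the link then resolves.
    reset()
    with open(target, "w") as f:
        f.write("x")
    out["prefixed_visible_via_link"] = os.path.exists(link)
    return out


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(write_modes(d))
```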