diff options
| author | Petr Viktorin <pviktori@redhat.com> | 2012-06-08 09:36:38 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-06-17 21:47:06 -0400 |
| commit | 3e0116491f701222bd3941d0ad58feb7fe670ac4 (patch) | |
| tree | 4cc283e562e1213d8c0b7319601124d06aa8454b /ipa-client/ipa-install/ipa-client-install | |
| parent | e94733f04d35a1cab167f2bc4280b22d414f0470 (diff) | |
| download | freeipa-3e0116491f701222bd3941d0ad58feb7fe670ac4.tar.gz freeipa-3e0116491f701222bd3941d0ad58feb7fe670ac4.tar.xz freeipa-3e0116491f701222bd3941d0ad58feb7fe670ac4.zip | |
Improve ipa-client-install debug output
The client does a fair bit of work when trying to validate the hostnames,
do discovery and verify that the server it gets back is an IPA server.
The debug logging around this was horrid with very little state information,
duplicate log messages or just nothing at all.
In many cases errors were printed only to stderr/stdout.
This patch makes the logging and output go through the IPA log manager.
It sets up logging so that INFO, WARNING, and ERROR messages show up on the
console. If -d is given, DEBUG messages are also printed.
All messages also go to the log file.
The only exception is user input: prompts are only printed to the console,
but if the user provides any information it is echoed in a DEBUG-level
message.
https://fedorahosted.org/freeipa/ticket/2553
Diffstat (limited to 'ipa-client/ipa-install/ipa-client-install')
| -rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 473 |
1 files changed, 276 insertions, 197 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index af3d7312c..8dfe1db68 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -141,13 +141,17 @@ def parse_options(): def logging_setup(options): log_file = "/var/log/ipaclient-install.log" + if options.uninstall: log_file = "/var/log/ipaclient-uninstall.log" - standard_logging_setup(log_file, debug=options.debug) + standard_logging_setup( + filename=log_file, verbose=True, debug=options.debug, + console_format='%(message)s') + def log_service_error(name, action, error): - root_logger.error("%s failed to %s: %s" % (name, action, str(error))) + root_logger.error("%s failed to %s: %s", name, action, str(error)) def nickname_exists(nickname): (sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname], raiseonerr=False) @@ -178,21 +182,17 @@ def nssldap_exists(): return (retval, files_found) -def emit_quiet(quiet, message): - if not quiet: - print message - root_logger.debug(message) - -def uninstall(options, env, quiet=False): +def uninstall(options, env): if not fstore.has_files(): - print "IPA client is not configured on this system." + root_logger.error("IPA client is not configured on this system.") return CLIENT_NOT_CONFIGURED server_fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') if server_fstore.has_files() and not options.on_master: - print "IPA client is configured as a part of IPA server on this system." - print "Refer to ipa-server-install for uninstallation." + root_logger.error( + "IPA client is configured as a part of IPA server on this system.") + root_logger.info("Refer to ipa-server-install for uninstallation.") return CLIENT_NOT_CONFIGURED hostname = None @@ -233,7 +233,8 @@ def uninstall(options, env, quiet=False): try: run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"]) except Exception, e: - emit_quiet(quiet, "Failed to remove IPA CA from /etc/pki/nssdb: %s" % str(e)) + root_logger.error( + "Failed to remove IPA CA from /etc/pki/nssdb: %s", str(e)) # Always start certmonger. We can't untrack something if it isn't # running @@ -252,13 +253,15 @@ def uninstall(options, env, quiet=False): try: certmonger.stop_tracking('/etc/pki/nssdb', nickname=client_nss_nickname) except (CalledProcessError, RuntimeError), e: - root_logger.error("%s failed to stop tracking certificate: %s" % (cmonger.service_name, str(e))) + root_logger.error("%s failed to stop tracking certificate: %s", + cmonger.service_name, str(e)) if nickname_exists(client_nss_nickname): try: run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname]) except Exception, e: - emit_quiet(quiet, "Failed to remove %s from /etc/pki/nssdb: %s" % (client_nss_nickname, str(e))) + root_logger.error("Failed to remove %s from /etc/pki/nssdb: %s", + client_nss_nickname, str(e)) try: cmonger.stop() @@ -271,21 +274,23 @@ def uninstall(options, env, quiet=False): try: cmonger.disable() except Exception, e: - emit_quiet(quiet, "Failed to disable automatic startup of the %s service" % (cmonger.service_name)) - root_logger.error("Failed to disable automatic startup of the %s service: %s" % (cmonger.service_name, str(e))) + root_logger.error( + "Failed to disable automatic startup of the %s service: %s", + cmonger.service_name, str(e)) if not options.on_master and os.path.exists('/etc/ipa/default.conf'): - emit_quiet(quiet, "Unenrolling client from IPA server") + root_logger.info("Unenrolling client from IPA server") join_args = ["/usr/sbin/ipa-join", "--unenroll", "-h", hostname] if options.debug: join_args.append("-d") env['XMLRPC_TRACE_CURL'] = 'yes' (stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env) if returncode != 0: - emit_quiet(quiet, "Unenrolling host failed: %s" % stderr) + root_logger.error("Unenrolling host failed: %s", stderr) if os.path.exists('/etc/ipa/default.conf'): - emit_quiet(quiet, "Removing Kerberos service principals from /etc/krb5.keytab") + root_logger.info( + "Removing Kerberos service principals from /etc/krb5.keytab") try: parser = RawConfigParser() fp = open('/etc/ipa/default.conf', 'r') @@ -294,10 +299,10 @@ def uninstall(options, env, quiet=False): realm = parser.get('global', 'realm') run(["/usr/sbin/ipa-rmkeytab", "-k", "/etc/krb5.keytab", "-r", realm]) except Exception, e: - emit_quiet(quiet, "Failed to clean up /etc/krb5.keytab") - root_logger.debug("Failed to remove Kerberos service principals: %s" % str(e)) + root_logger.error( + "Failed to remove Kerberos service principals: %s", str(e)) - emit_quiet(quiet, "Disabling client Kerberos and LDAP configurations") + root_logger.info("Disabling client Kerberos and LDAP configurations") was_sssd_installed = False was_sshd_configured = False if fstore.has_files(): @@ -329,49 +334,60 @@ def uninstall(options, env, quiet=False): auth_config.add_option("update") auth_config.execute() except Exception, e: - emit_quiet(quiet, "Failed to remove krb5/LDAP configuration. " +str(e)) + root_logger.error( + "Failed to remove krb5/LDAP configuration: %s", str(e)) return CLIENT_INSTALL_ERROR if fstore.has_files(): - emit_quiet(quiet, "Restoring client configuration files") + root_logger.info("Restoring client configuration files") fstore.restore_all_files() - old_hostname = statestore.restore_state('network','hostname') + old_hostname = statestore.restore_state('network', 'hostname') if old_hostname is not None and old_hostname != hostname: try: ipautil.run(['/bin/hostname', old_hostname]) except CalledProcessError, e: - print >>sys.stderr, "Failed to set this machine hostname to %s (%s)." % (old_hostname, str(e)) + root_logger.error( + "Failed to set this machine's hostname to %s (%s).", + old_hostname, str(e)) nscd = ipaservices.knownservices.nscd if nscd.is_installed(): try: nscd.restart() except: - emit_quiet(quiet, "Failed to restart the %s daemon" % (nscd.service_name)) + root_logger.warning( + "Failed to restart the %s daemon", nscd.service_name) try: nscd.enable() except: - emit_quiet(quiet, "Failed to configure automatic startup of the %s daemon" % (nscd.service_name)) + root_logger.warning( + "Failed to configure automatic startup of the %s daemon", + nscd.service_name) else: # this is optional service, just log - root_logger.info("%s daemon is not installed, skip configuration" % (nscd.service_name)) + root_logger.info("%s daemon is not installed, skip configuration", + nscd.service_name) nslcd = ipaservices.knownservices.nslcd if nslcd.is_installed(): try: nslcd.stop() except: - emit_quiet(quiet, "Failed to stop the %s daemon" % (nslcd.service_name)) + root_logger.warning( + "Failed to stop the %s daemon", nslcd.service_name) try: nslcd.disable() except: - emit_quiet(quiet, "Failed to disable automatic startup of the %s daemon" % (nslcd.service_name)) + root_logger.warning( + "Failed to disable automatic startup of the %s daemon", + nslcd.service_name) else: # this is optional service, just log - root_logger.info("%s daemon is not installed, skip configuration" % (nslcd.service_name)) + root_logger.info("%s daemon is not installed, skip configuration", + nslcd.service_name) ntp_configured = statestore.has_state('ntp') if ntp_configured: @@ -403,20 +419,27 @@ def uninstall(options, env, quiet=False): if was_sssd_installed and was_sssd_configured: # SSSD was installed before our installation, config now is restored, restart it - emit_quiet(quiet, "The original configuration of SSSD included other domains than IPA-based one.") - emit_quiet(quiet, "Original configuration file is restored, restarting SSSD service.") + root_logger.info( + "The original configuration of SSSD included other domains than " + + "the IPA-based one.") + root_logger.info( + "Original configuration file was restored, restarting SSSD " + + "service.") sssd = ipaservices.service('sssd') sssd.restart() if not options.unattended: - emit_quiet(quiet, "The original nsswitch.conf configuration has been restored.") - emit_quiet(quiet, "You may need to restart services or reboot the machine.") + root_logger.info( + "The original nsswitch.conf configuration has been restored.") + root_logger.info( + "You may need to restart services or reboot the machine.") if not options.on_master: if user_input("Do you want to reboot the machine?", False): try: run(["/sbin/reboot"]) except Exception, e: - emit_quiet(quiet, "Reboot command failed to exceute. " + str(e)) + root_logger.error( + "Reboot command failed to exceute: %s", str(e)) return CLIENT_UNINSTALL_ERROR # Remove the IPA configuration file @@ -425,6 +448,8 @@ def uninstall(options, env, quiet=False): except: pass + root_logger.info("Client uninstall complete.") + return 0 def configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server): @@ -483,8 +508,6 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d opts.append({'name':'empty', 'type':'empty'}) - ret = (0, None, None) - # Depending on the release and distribution this may exist in any # number of different file names, update what we find for filename in files: @@ -492,12 +515,13 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d fstore.backup_file(filename) ldapconf.newConf(filename, opts) except Exception, e: - print "Creation of %s: %s" % (filename, str(e)) + root_logger.error("Creation of %s failed: %s", filename, str(e)) return (1, 'LDAP', filename) if files: return (0, 'LDAP', ', '.join(files)) - return ret + + return 0, None, None def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, files): nslcdconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") @@ -528,7 +552,7 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, fstore.backup_file(filename) nslcdconf.newConf(filename, opts) except Exception, e: - print "Creation of %s: %s" % (filename, str(e)) + root_logger.error("Creation of %s failed: %s", filename, str(e)) return (1, None, None) nslcd = ipaservices.knownservices.nslcd @@ -541,10 +565,12 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, try: nslcd.enable() except Exception, e: - print "Failed to configure automatic startup of the %s daemon" % (nslcd.service_name) - root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (nslcd.service_name, str(e))) + root_logger.error( + "Failed to enable automatic startup of the %s daemon: %s", + nslcd.service_name, str(e)) else: - root_logger.debug("%s daemon is not installed, skip configuration" % (nslcd.service_name)) + root_logger.debug("%s daemon is not installed, skip configuration", + nslcd.service_name) return (0, None, None) return (0, 'NSLCD', ', '.join(files)) @@ -581,7 +607,8 @@ def hardcode_ldap_server(cli_server): # Errors raised by this should be caught by the caller ldapconf.changeConf("/etc/ldap.conf", opts) - print "Changed configuration of /etc/ldap.conf to use hardcoded server name: " +cli_server + root_logger.info("Changed configuration of /etc/ldap.conf to use " + + "hardcoded server name: %s", cli_server) return @@ -637,8 +664,8 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c opts.append({'name':'domain_realm', 'type':'section', 'value':dropts}) opts.append({'name':'empty', 'type':'empty'}) - root_logger.debug("Writing Kerberos configuration to %s:\n%s" - % (filename, krbconf.dump(opts))) + root_logger.debug("Writing Kerberos configuration to %s:", filename) + root_logger.debug("%s", krbconf.dump(opts)) krbconf.newConf(filename, opts) os.chmod(filename, 0644) @@ -676,17 +703,19 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options): try: cmonger.restart() except Exception, e: - print "Failed to start the %s daemon" % (cmonger.service_name) - print "Automatic certificate management will not be available" log_service_error(cmonger.service_name, 'restart', e) + root_logger.warning( + "Automatic certificate management will not be available") started = False try: cmonger.enable() except Exception, e: - print "Failed to configure automatic startup of the %s daemon" % (cmonger.service_name) - print "Automatic certificate management will not be available" - root_logger.error("Failed to disable automatic startup of the %s daemon: %s" % (cmonger.service_name, str(e))) + root_logger.error( + "Failed to configure automatic startup of the %s daemon: %s", + cmonger.service_name, str(e)) + root_logger.warning( + "Automatic certificate management will not be available") # Request our host cert if started: @@ -695,7 +724,8 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options): try: run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname, "-N", subject, "-K", principal]) except: - print "%s request for host certificate failed" % (cmonger.service_name) + root_logger.error( + "%s request for host certificate failed", cmonger.service_name) def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname): try: @@ -706,9 +736,12 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie # SSSD config is in place but we are unable to read it # In addition, we are instructed to preserve it # This all means we can't use it and have to bail out - print "SSSD config exists but cannot be parsed: %s" % (str(e)) - print "Correct errors in /etc/sssd/sssd.conf and re-run installation" - root_logger.error("Failed to parse SSSD configuration and was instructed to preserve existing SSSD config: %s" % (str(e))) + root_logger.error( + "SSSD config exists but cannot be parsed: %s", str(e)) + root_logger.error( + "Was instructed to preserve existing SSSD config") + root_logger.info("Correct errors in /etc/sssd/sssd.conf and " + + "re-run installation") return 1 # SSSD configuration does not exist or we are not asked to preserve it, create new one @@ -717,25 +750,26 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie # error from older version which cannot be upgraded anymore, leaving sssdconfig # instance practically unusable # Note that we already backed up sssd.conf before going into this routine - if type(e) is IOError: - print "New SSSD config will be created." + if isinstance(e, IOError): + pass else: # It was not IOError so it must have been parsing error - print "Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one." - print "The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall." - root_logger.error("Unable to parse existing SSSD config and --preserve-sssd was not specified: %s" % (str(e))) + root_logger.error("Unable to parse existing SSSD config. " + + "As option --preserve-sssd was not specified, new config " + + "will override the old one.") + root_logger.info("The old /etc/sssd/sssd.conf is backed up and " + + "will be restored during uninstall.") root_logger.info("New SSSD config will be created") - del sssdconfig sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.new_config() try: domain = sssdconfig.new_domain(cli_domain) except SSSDConfig.DomainAlreadyExistsError: - print "Domain %s is already configured in existing SSSD config, creating a new one." % cli_domain - print "The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall." - root_logger.debug("Domain %s is already configured in existing SSSD config, creating a new one." % cli_domain) - del sssdconfig + root_logger.info("Domain %s is already configured in existing SSSD " + + "config, creating a new one.", cli_domain) + root_logger.info("The old /etc/sssd/sssd.conf is backed up and will " + + "be restored during uninstall.") sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.new_config() domain = sssdconfig.new_domain(cli_domain) @@ -743,10 +777,11 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie try: sssdconfig.activate_service('ssh') except SSSDConfig.NoServiceError: - print "Unable to activate the SSH service in SSSD config." - print "Please make sure you have SSSD built with SSH support installed." - print "Configure SSH support manually in /etc/sssd/sssd.conf." - root_logger.debug("Unable to activate the SSH service in SSSD config.") + root_logger.error("Unable to activate the SSH service in SSSD config.") + root_logger.info( + "Please make sure you have SSSD built with SSH support installed.") + root_logger.info( + "Configure SSH support manually in /etc/sssd/sssd.conf.") domain.add_provider('ipa', 'id') @@ -804,7 +839,7 @@ def change_ssh_config(filename, changes, sections): try: f = open(filename, 'r') except IOError, e: - root_logger.error("Failed to open '%s': %s" % (filename, str(e))) + root_logger.error("Failed to open '%s': %s", filename, str(e)) return False lines = [] @@ -845,7 +880,7 @@ def change_ssh_config(filename, changes, sections): try: f = open(filename, 'w') except IOError, e: - root_logger.error("Failed to open '%s': %s" % (filename, str(e))) + root_logger.error("Failed to open '%s': %s", filename, str(e)) return False f.write(''.join(lines)) @@ -873,14 +908,15 @@ def configure_ssh(fstore, ssh_dir, options): changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts' change_ssh_config(ssh_config, changes, ['Host']) - print 'Configured', ssh_config + root_logger.info('Configured %s', ssh_config) if not options.conf_sshd: return sshd = ipaservices.knownservices.sshd if not sshd.is_installed(): - root_logger.debug("%s daemon is not installed, skip configuration" % (sshd.service_name)) + root_logger.info("%s daemon is not installed, skip configuration", + sshd.service_name) return fstore.backup_file(sshd_config) @@ -903,12 +939,13 @@ def configure_ssh(fstore, ssh_dir, options): changes['PubKeyAgent'] = '/usr/bin/sss_ssh_authorizedkeys %u' changes['PubkeyAgentRunAs'] = None else: - print "Warning: Installed OpenSSH server does not support dynamically loading" - print " authorized user keys. Public key authentication of IPA users" - print " will not be available." + root_logger.warning("Installed OpenSSH server does not " + + "support dynamically loading authorized user keys. " + + "Public key authentication of IPA users will not be " + + "available.") change_ssh_config(sshd_config, changes, ['Match']) - print 'Configured', sshd_config + root_logger.info('Configured %s', sshd_config) if sshd.is_running(): try: @@ -934,8 +971,8 @@ def resolve_ipaddress(server): return addr def do_nsupdate(update_txt): - root_logger.debug("Writing nsupdate commands to %s:\n%s" - % (UPDATE_FILE, update_txt)) + root_logger.debug("Writing nsupdate commands to %s:", UPDATE_FILE) + root_logger.debug("%s", update_txt) update_fd = file(UPDATE_FILE, "w") update_fd.write(update_txt) @@ -947,7 +984,7 @@ def do_nsupdate(update_txt): ipautil.run(['/usr/bin/nsupdate', '-g', UPDATE_FILE]) result = True except CalledProcessError, e: - root_logger.debug('nsupdate failed: %s' % str(e)) + root_logger.debug('nsupdate failed: %s', str(e)) try: os.remove(UPDATE_FILE) @@ -985,30 +1022,28 @@ def update_dns(server, hostname): ZONE='.'.join(hostname.split('.')[1:]) ) - template = None if len(ip.split('.')) == 4: template = UPDATE_TEMPLATE_A - elif len(ip.split(':')) > 1: + elif ':' in ip: template = UPDATE_TEMPLATE_AAAA - - if template is None: - print >>sys.stderr, "Failed to determine machine's ip address." - print >>sys.stderr, "Failed to update DNS A record." + else: + root_logger.info("Failed to determine this machine's ip address.") + root_logger.warning("Failed to update DNS A record.") return update_txt = ipautil.template_str(template, sub_dict) if do_nsupdate(update_txt): - print "DNS server record set to: %s -> %s" % (hostname, ip) + root_logger.info("DNS server record set to: %s -> %s", hostname, ip) else: - print >>sys.stderr, "Failed to update DNS records." + root_logger.error("Failed to update DNS records.") def client_dns(server, hostname, dns_updates=False): dns_ok = ipautil.is_host_resolvable(hostname) if not dns_ok: - print "Warning: Hostname (%s) not found in DNS" % hostname + root_logger.warning("Hostname (%s) not found in DNS", hostname) if dns_updates or not dns_ok: update_dns(server, hostname) @@ -1023,7 +1058,7 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): try: f = open(filename, 'r') except IOError, e: - root_logger.warning("Failed to open '%s': %s" % (filename, str(e))) + root_logger.warning("Failed to open '%s': %s", filename, str(e)) continue for line in f: @@ -1043,7 +1078,7 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): continue if parts[0] != algo: continue - root_logger.debug("Adding SSH public key from %s" % filename) + root_logger.info("Adding SSH public key from %s", filename) pubkeys.append(unicode(parts[1])) f.close() @@ -1053,9 +1088,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): except errors.EmptyModlist: pass except StandardError, e: - root_logger.warning("host_mod: %s" % str(e)) - print >>sys.stderr, "Failed to upload host SSH public keys." - root_logger.debug('Failed to upload host SSH public keys.') + root_logger.info("host_mod: %s", str(e)) + root_logger.warning("Failed to upload host SSH public keys.") return if create_sshfp: @@ -1071,7 +1105,7 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): update_txt += 'send\n' if not do_nsupdate(update_txt): - print "Warning: Could not update DNS SSHFP records." + root_logger.warning("Could not update DNS SSHFP records.") def install(options, env, fstore, statestore): dnsok = False @@ -1083,7 +1117,7 @@ def install(options, env, fstore, statestore): subject_base = None if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: - print "One of password and principal are required." + root_logger.error("One of password and principal are required.") return CLIENT_INSTALL_ERROR if options.hostname: @@ -1091,17 +1125,19 @@ def install(options, env, fstore, statestore): else: hostname = socket.getfqdn() if hostname != hostname.lower(): - print 'Invalid hostname \'%s\', must be lower-case.' % hostname + root_logger.error( + "Invalid hostname '%s', must be lower-case.", hostname) return CLIENT_INSTALL_ERROR if (hostname == 'localhost') or (hostname == 'localhost.localdomain'): - print 'Invalid hostname, \'%s\' must not be used.' % hostname + root_logger.error("Invalid hostname, '%s' must not be used.", hostname) return CLIENT_INSTALL_ERROR # when installing with '--no-sssd' option, check whether nss-ldap is installed if not options.sssd: (nssldap_installed, nosssd_files) = nssldap_exists() if not nssldap_installed: - print "One of these packages must be installed: nss_ldap or nss-pam-ldapd" + root_logger.error("One of these packages must be installed: " + + "nss_ldap or nss-pam-ldapd") return CLIENT_INSTALL_ERROR # Create the discovery instance @@ -1110,11 +1146,11 @@ def install(options, env, fstore, statestore): ret = ds.search(domain=options.domain, server=options.server, hostname=hostname) if ret == ipadiscovery.BAD_HOST_CONFIG: - print >>sys.stderr, "Can't get the fully qualified name of this host" - print >>sys.stderr, "Check that the client is properly configured" + root_logger.error("Can't get the fully qualified name of this host") + root_logger.info("Check that the client is properly configured") return CLIENT_INSTALL_ERROR if ret == ipadiscovery.NOT_FQDN: - print >>sys.stderr, "%s is not a fully-qualified hostname" % hostname + root_logger.error("%s is not a fully-qualified hostname", hostname) return CLIENT_INSTALL_ERROR if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \ or not ds.getDomainName(): @@ -1122,18 +1158,20 @@ def install(options, env, fstore, statestore): if options.domain: cli_domain = options.domain elif options.unattended: - print >>sys.stderr, "Unable to discover domain, not provided on command line" + root_logger.error( + "Unable to discover domain, not provided on command line") return CLIENT_INSTALL_ERROR else: - print "DNS discovery failed to determine your DNS domain" + root_logger.info( + "DNS discovery failed to determine your DNS domain") cli_domain = user_input("Provide the domain name of your IPA server (ex: example.com)", allow_empty = False) - root_logger.debug("will use domain: %s\n", cli_domain) + root_logger.debug("will use domain: %s", cli_domain) ret = ds.search(domain=cli_domain, server=options.server, hostname=hostname) if not cli_domain: if ds.getDomainName(): cli_domain = ds.getDomainName() - root_logger.debug("will use domain: %s\n", cli_domain) + root_logger.debug("will use domain: %s", cli_domain) client_domain = hostname[hostname.find(".")+1:] @@ -1143,71 +1181,77 @@ def install(options, env, fstore, statestore): if options.server: cli_server = options.server elif options.unattended: - print >>sys.stderr, "Unable to find IPA Server to join" + root_logger.error("Unable to find IPA Server to join") return CLIENT_INSTALL_ERROR else: - print "DNS discovery failed to find the IPA Server" + root_logger.debug("DNS discovery failed to find the IPA Server") cli_server = user_input("Provide your IPA server name (ex: ipa.example.com)", allow_empty = False) - root_logger.debug("will use server: %s\n", cli_server) + root_logger.debug("will use server: %s", cli_server) ret = ds.search(domain=cli_domain, server=cli_server, hostname=hostname) else: dnsok = True if not cli_server: if ds.getServerName(): cli_server = ds.getServerName() - root_logger.debug("will use server: %s\n", cli_server) + root_logger.debug("will use server: %s", cli_server) if ret == ipadiscovery.NOT_IPA_SERVER: - print >>sys.stderr, "%s is not an IPA v2 Server." % cli_server + root_logger.error("%s is not an IPA v2 Server.", cli_server) return CLIENT_INSTALL_ERROR if ret == ipadiscovery.NO_ACCESS_TO_LDAP: - print "Warning: Anonymous access to the LDAP server is disabled." - print "Proceeding without strict verification." - print "Note: This is not an error if anonymous access has been explicitly restricted." + root_logger.warning("Anonymous access to the LDAP server is disabled.") + root_logger.info("Proceeding without strict verification.") + root_logger.info("Note: This is not an error if anonymous access " + + "has been explicitly restricted.") ret = 0 if ret != 0: - print >>sys.stderr, "Failed to verify that "+cli_server+" is an IPA Server." - print >>sys.stderr, "This may mean that the remote server is not up or is not reachable" - print >>sys.stderr, "due to network or firewall settings." + root_logger.error("Failed to verify that %s is an IPA Server.", + cli_server) + root_logger.error("This may mean that the remote server is not up " + + "or is not reachable due to network or firewall settings.") return CLIENT_INSTALL_ERROR cli_kdc = ds.getKDCName() if dnsok and not cli_kdc: - print >>sys.stderr, "DNS domain '%s' is not configured for automatic KDC address lookup." % ds.getRealmName().lower() - print >>sys.stderr, "KDC address will be set to fixed value.\n" + root_logger.error("DNS domain '%s' is not configured for automatic " + + "KDC address lookup.", ds.getRealmName().lower()) + root_logger.error("KDC address will be set to fixed value.") if dnsok: - print "Discovery was successful!" + root_logger.info("Discovery was successful!") elif not options.unattended: - print "\nThe failure to use DNS to find your IPA server indicates that your" - print "resolv.conf file is not properly configured.\n" - print "Autodiscovery of servers for failover cannot work with this configuration.\n" - print "If you proceed with the installation, services will be configured to always" - print "access the discovered server for all operation and will not fail over to" - print "other servers in case of failure.\n" + root_logger.warning("The failure to use DNS to find your IPA server " + + "indicates that your resolv.conf file is not properly configured.") + root_logger.info("Autodiscovery of servers for failover cannot work " + + "with this configuration.") + root_logger.info("If you proceed with the installation, services " + + "will be configured to always access the discovered server for " + + "all operations and will not fail over to other servers in case " + + "of failure.") if not user_input("Proceed with fixed values and no DNS discovery?", False): return CLIENT_INSTALL_ERROR if options.realm_name and options.realm_name != ds.getRealmName(): - if not options.unattended: - print >>sys.stderr, "ERROR: The provided realm name: ["+options.realm_name+"] does not match with the discovered one: ["+ds.getRealmName()+"]\n" + root_logger.error( + "The provided realm name [%s] does not match discovered one [%s]", + options.realm_name, ds.getRealmName()) return CLIENT_INSTALL_ERROR cli_realm = ds.getRealmName() - root_logger.debug("will use cli_realm: %s\n", cli_realm) + root_logger.info("Will use cli_realm: %s", cli_realm) cli_basedn = ds.getBaseDN() - root_logger.debug("will use cli_basedn: %s\n", cli_basedn) + root_logger.info("will use cli_basedn: %s", cli_basedn) subject_base = "O=%s" % ds.getRealmName() - print "Hostname: "+hostname - print "Realm: "+cli_realm - print "DNS Domain: "+cli_domain - print "IPA Server: "+cli_server - print "BaseDN: "+cli_basedn + root_logger.info("Hostname: %s", hostname) + root_logger.info("Realm: %s", cli_realm) + root_logger.info("DNS Domain: %s", cli_domain) + root_logger.info("IPA Server: %s", cli_server) + root_logger.info("BaseDN: %s", cli_basedn) - print "\n" + print if not options.unattended and not user_input("Continue to configure the system with these values?", False): return CLIENT_INSTALL_ERROR @@ -1248,7 +1292,8 @@ def install(options, env, fstore, statestore): try: run(["/usr/bin/wget", "-O", "/etc/ipa/ca.crt", "http://%s/ipa/config/ca.crt" % ipautil.format_netloc(cli_server)]) except CalledProcessError, e: - print 'Retrieving CA from %s failed.\n%s' % (cli_server, str(e)) + root_logger.error( + 'Retrieving CA from %s failed: %s', cli_server, str(e)) return CLIENT_INSTALL_ERROR if not options.on_master: @@ -1258,22 +1303,23 @@ def install(options, env, fstore, statestore): # Attempt to sync time with IPA server. # We assume that NTP servers are discoverable through SRV records in the DNS # If that fails, we try to sync directly with IPA server, assuming it runs NTP - print 'Synchronizing time with KDC...' + root_logger.info('Synchronizing time with KDC...') ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', None, break_on_first=False) synced_ntp = False if ntp_servers: for s in ntp_servers: - synced_ntp = ipaclient.ntpconf.synconce_ntp(s, debug=True) - if synced_ntp: - break + synced_ntp = ipaclient.ntpconf.synconce_ntp(s, debug=True) + if synced_ntp: + break if not synced_ntp: synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server, debug=True) if not synced_ntp: - print "Unable to sync time with IPA NTP server, assuming the time is in sync." + root_logger.warning("Unable to sync time with IPA NTP " + + "server, assuming the time is in sync.") (krb_fd, krb_name) = tempfile.mkstemp() os.close(krb_fd) if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name, client_domain): - print "Test kerberos configuration failed" + root_logger.error("Test kerberos configuration failed") return CLIENT_INSTALL_ERROR env['KRB5_CONFIG'] = krb_name join_args = ["/usr/sbin/ipa-join", "-s", cli_server, "-b", realm_to_suffix(cli_realm)] @@ -1297,20 +1343,24 @@ def install(options, env, fstore, statestore): except EOFError: stdin = None if not stdin: - print "Password must be provided for %s. " % \ - principal + root_logger.error( + "Password must be provided for %s.", principal) return CLIENT_INSTALL_ERROR else: if sys.stdin.isatty(): - print "Password must be provided in non-interactive mode.\nThis can be done via echo password | ipa-client-install ... or\nwith the -w option." + root_logger.error("Password must be provided in " + + "non-interactive mode.") + root_logger.info("This can be done via " + + "echo password | ipa-client-install ... " + + "or with the -w option.") return CLIENT_INSTALL_ERROR else: stdin = sys.stdin.readline() (stderr, stdout, returncode) = run(["kinit", principal], raiseonerr=False, stdin=stdin, env=env) - print "" if returncode != 0: - print stdout + root_logger.error("Kerberos authentication failed") + root_logger.info("%s", stdout) return CLIENT_INSTALL_ERROR elif options.password: nolog = (options.password,) @@ -1318,14 +1368,15 @@ def install(options, env, fstore, statestore): join_args.append(options.password) elif options.prompt_password: if options.unattended: - print "Password must be provided in non-interactive mode" + root_logger.error( + "Password must be provided in non-interactive mode") return CLIENT_INSTALL_ERROR try: password = getpass.getpass("Password: ") except EOFError: password = None if not password: - print "Password must be provided." + root_logger.error("Password must be provided.") return CLIENT_INSTALL_ERROR join_args.append("-w") join_args.append(password) @@ -1335,12 +1386,13 @@ def install(options, env, fstore, statestore): (stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env, nolog=nolog) if returncode != 0: - print >>sys.stderr, "Joining realm failed: %s" % stderr, + root_logger.error("Joining realm failed: %s", stderr) if not options.force: return CLIENT_INSTALL_ERROR - print " Use ipa-getkeytab to obtain a host principal for this server." + root_logger.info("Use ipa-getkeytab to obtain a host " + + "principal for this server.") else: - print "Enrolled in IPA realm %s" % cli_realm + root_logger.info("Enrolled in IPA realm %s", cli_realm) start = stderr.find('Certificate subject base is: ') if start >= 0: @@ -1351,18 +1403,24 @@ def install(options, env, fstore, statestore): finally: if options.principal is not None: (stderr, stdout, returncode) = run(["kdestroy"], raiseonerr=False, env=env) - os.remove(krb_name) - os.remove(krb_name + ".ipabkp") + try: + os.remove(krb_name) + except OSError: + root_logger.error("Could not remove %s", krb_name) + try: + os.remove(krb_name + ".ipabkp") + except OSError: + root_logger.error("Could not remove %s.ipabkp", krb_name) # Configure ipa.conf if not options.on_master: configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server) - print "Created /etc/ipa/default.conf" + root_logger.info("Created /etc/ipa/default.conf") api.bootstrap(context='cli_installer', debug=options.debug) api.finalize() if 'config_loaded' not in api.env: - print >>sys.stderr, "Failed to initialize IPA API." + root_logger.error("Failed to initialize IPA API.") return CLIENT_INSTALL_ERROR # Always back up sssd.conf. It gets updated by authconfig --enablekrb5. @@ -1370,13 +1428,13 @@ def install(options, env, fstore, statestore): if options.sssd: if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, hostname): return CLIENT_INSTALL_ERROR - print "Configured /etc/sssd/sssd.conf" + root_logger.info("Configured /etc/sssd/sssd.conf") # Add the CA to the default NSS database and trust it try: run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"]) except CalledProcessError, e: - print >>sys.stderr, "Failed to add CA to the default NSS database." + root_logger.info("Failed to add CA to the default NSS database.") return CLIENT_INSTALL_ERROR # If on master assume kerberos is already configured properly. @@ -1386,13 +1444,14 @@ def install(options, env, fstore, statestore): if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, "/etc/krb5.conf", client_domain): return CLIENT_INSTALL_ERROR - print "Configured /etc/krb5.conf for IPA realm " + cli_realm + root_logger.info( + "Configured /etc/krb5.conf for IPA realm %s", cli_realm) os.environ['KRB5CCNAME'] = CCACHE_FILE try: ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s@%s' % (hostname, cli_realm)]) except CalledProcessError, e: - print >>sys.stderr, "Failed to obtain host TGT." + root_logger.error("Failed to obtain host TGT.") # fail to obtain ticket makes it impossible to login and bind from sssd to LDAP, # abort installation and rollback changes return CLIENT_INSTALL_ERROR @@ -1401,23 +1460,28 @@ def install(options, env, fstore, statestore): try: api.Backend.xmlclient.connect() except errors.KerberosError, e: - root_logger.debug('Cannot connect to the server due to Kerberos error: %s' % str(e)) - root_logger.debug('Trying with delegate=True') + root_logger.info('Cannot connect to the server due to ' + + 'Kerberos error: %s. Trying with delegate=True', str(e)) try: api.Backend.xmlclient.connect(delegate=True) - root_logger.debug('Connection with delegate=True successful') + root_logger.info('Connection with delegate=True successful') # The remote server is not capable of Kerberos S4U2Proxy delegation # This features is implemented in IPA server version 2.2 and higher - print >>sys.stderr, "Target IPA server has a lower version that the enrolled client" - print >>sys.stderr, "Some capabilities including the ipa command capability may not be available" + root_logger.warning("Target IPA server has a lower version than " + + "the enrolled client") + root_logger.warning("Some capabilities including the ipa " + + "command capability may not be available") except errors.PublicError, e2: - root_logger.debug('Second connect with delegate=True also failed: %s' % str(e2)) - print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e2) + root_logger.warning( + 'Second connect with delegate=True also failed: %s', str(e2)) + root_logger.error( + "Cannot connect to the IPA server XML-RPC interface: %s", + str(e2)) return CLIENT_INSTALL_ERROR except errors.PublicError, e: - root_logger.debug('Cannot connect to the server due to generic error: %s' % str(e)) - print >>sys.stderr, "Cannot connect to the IPA server XML-RPC interface: %s" % str(e) + root_logger.error( + 'Cannot connect to the server due to generic error: %s', str(e)) return CLIENT_INSTALL_ERROR if not options.on_master: @@ -1442,9 +1506,11 @@ def install(options, env, fstore, statestore): nscd_service_action = 'restart' nscd.restart() except: - print >>sys.stderr, "Failed to %s the %s daemon" % (nscd_service_action, nscd.service_name) + root_logger.warning("Failed to %s the %s daemon", + nscd_service_action, nscd.service_name) if not options.sssd: - print >>sys.stderr, "Caching of users/groups will not be available" + root_logger.warning( + "Caching of users/groups will not be available") try: if options.sssd: @@ -1453,15 +1519,21 @@ def install(options, env, fstore, statestore): nscd.enable() except: if not options.sssd: - print >>sys.stderr, "Failed to configure automatic startup of the %s daemon" % (nscd.service_name) - print >>sys.stderr, "Caching of users/groups will not be available after reboot" + root_logger.warning( + "Failed to configure automatic startup of the %s daemon", + nscd.service_name) + root_logger.info("Caching of users/groups will not be " + + "available after reboot") else: - print >>sys.stderr, "Failed to disable %s daemon. Disable it manually." % (nscd.service_name) + root_logger.warning( + "Failed to disable %s daemon. Disable it manually.", + nscd.service_name) else: # this is optional service, just log if not options.sssd: - root_logger.info("%s daemon is not installed, skip configuration" % (nscd.service_name)) + root_logger.info("%s daemon is not installed, skip configuration", + nscd.service_name) retcode, conf, filename = (0, None, None) @@ -1487,7 +1559,7 @@ def install(options, env, fstore, statestore): auth_config.add_option("update") auth_config.execute() - print message + root_logger.info("%s", message) if not options.sssd: #Modify pam to add pam_krb5 only when sssd is not in use @@ -1497,20 +1569,22 @@ def install(options, env, fstore, statestore): add_option("update").\ add_option("nostart") auth_config.execute() - print "Kerberos 5 enabled" + root_logger.info("Kerberos 5 enabled") # Update non-SSSD LDAP configuration after authconfig calls as it would # change its configuration otherways if not options.sssd: for configurer in [configure_ldap_conf, configure_nslcd_conf]: - (retcode, conf, filename) = configurer(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, nosssd_files[configurer.__name__]) + (retcode, conf, filenames) = configurer(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, nosssd_files[configurer.__name__]) if retcode: return CLIENT_INSTALL_ERROR if conf: - print "%s configured using configuration file(s) %s" % (conf, filename) + root_logger.info( + "%s configured using configuration file(s) %s", + conf, filenames) configure_openldap_conf(fstore, cli_basedn, cli_server) - print "Configured /etc/openldap/ldap.conf" + root_logger.info("Configured /etc/openldap/ldap.conf") #Check that nss is working properly if not options.on_master: @@ -1528,16 +1602,19 @@ def install(options, env, fstore, statestore): n = n + 1 if not found: - print "Unable to find 'admin' user with 'getent passwd admin'!" + root_logger.error( + "Unable to find 'admin' user with 'getent passwd admin'!") if conf: - print "Recognized configuration: %s" % (conf) + root_logger.info("Recognized configuration: %s", conf) else: - print "Unable to reliably detect configuration. Check NSS setup manually." + root_logger.error("Unable to reliably detect " + + "configuration. Check NSS setup manually.") try: hardcode_ldap_server(cli_server) except Exception, e: - print "Adding hardcoded server name to /etc/ldap.conf failed: " + str(e) + root_logger.error("Adding hardcoded server name to " + + "/etc/ldap.conf failed: %s", str(e)) if options.conf_ntp and not options.on_master: if options.ntp_server: @@ -1545,12 +1622,11 @@ def install(options, env, fstore, statestore): else: ntp_server = cli_server ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore) - print "NTP enabled" + root_logger.info("NTP enabled") configure_ssh(fstore, ipaservices.knownservices.sshd.get_config_dir(), options) - print "Client configuration complete." - root_logger.debug('Client configuration complete.') + root_logger.info('Client configuration complete.') return 0 @@ -1561,8 +1637,9 @@ def main(): sys.exit("\nYou must be root to run ipa-client-install.\n") ipaservices.check_selinux_status() logging_setup(options) - root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) - root_logger.debug("missing options might be asked for interactively later\n") + root_logger.debug( + '%s was invoked with options: %s', sys.argv[0], safe_options) + root_logger.debug("missing options might be asked for interactively later") env={"PATH":"/bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin"} @@ -1576,18 +1653,20 @@ def main(): return uninstall(options, env) if fstore.has_files(): - print "IPA client is already configured on this system.\n" \ - "If you want to reinstall the IPA client, uninstall it first." + root_logger.error("IPA client is already configured on this system.") + root_logger.info( + "If you want to reinstall the IPA client, uninstall it first.") return CLIENT_ALREADY_CONFIGURED rval = install(options, env, fstore, statestore) if rval == CLIENT_INSTALL_ERROR: if options.force: - print "Installation failed. Force set so not rolling back changes." + root_logger.warning( + "Installation failed. Force set so not rolling back changes.") else: - print "Installation failed. Rolling back changes." + root_logger.error("Installation failed. Rolling back changes.") options.unattended = True - uninstall(options, env, quiet=True) + uninstall(options, env) return rval |