author | Karl MacMillan <kmacmill@redhat.com> | 2007-11-05 14:42:11 -0500 |
---|---|---|
committer | Karl MacMillan <kmacmill@redhat.com> | 2007-11-05 14:42:11 -0500 |
commit | 8e48393c61397e80f7d8d29d5b48d97988aa6c84 (patch) | |
tree | 06f0868a03db8d2554acf926a61e4d3555c029a2 /ipa-server/ipaserver/httpinstance.py | |
parent | 957a70e560c2109d9cd788327fa18918294c29d7 (diff) | |
Introduce service base class and clean up ipa-server-install
1) Add a base class for all of the instance objects.
2) Normalize usage of logging.
3) General cleanups of ipa-server-install.
4) Make better use of httpinstance.
5) Add webguiinstance.
6) Improve progress reporting during installation.
Works Here (TM), but it would be nice to get someone else
to test since this moves code around a bit.
Diffstat (limited to 'ipa-server/ipaserver/httpinstance.py')
-rw-r--r-- | ipa-server/ipaserver/httpinstance.py | 102 |
1 files changed, 83 insertions, 19 deletions
diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py index 818682785..0433025b2 100644 --- a/ipa-server/ipaserver/httpinstance.py +++ b/ipa-server/ipaserver/httpinstance.py @@ -20,17 +20,26 @@ import subprocess import string import tempfile -import shutil import logging import pwd -from ipa.ipautil import * import fileinput import sys +import time + +import service +from ipa.ipautil import * HTTPD_DIR = "/etc/httpd" SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf" NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf" +selinux_warning = """WARNING: could not set selinux boolean httpd_can_network_connect to true. +The web interface may not function correctly until this boolean is +successfully change with the command: + /usr/sbin/setsebool -P httpd_can_network_connect true +Try updating the policycoreutils and selinux-policy packages. +""" + def update_file(filename, orig, subst): if os.path.exists(filename): pattern = "%s" % re.escape(orig) 
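Review bot: The wildcard `from ipa.ipautil import *` that this import block keeps (it is only moved below `import service`) hides where the helpers used to run commands and write files come from. `run`, `file_exists`, `template_file` and `SHARE_DIR`, all used in the next hunk, presumably arrive through it, but that cannot be confirmed from this file. Naming them, e.g. `from ipa.ipautil import run, file_exists, template_file, SHARE_DIR`, shows a reviewer which code ends up invoking `/usr/sbin/setsebool` and keeps a later addition to ipautil from silently shadowing a name here. Separately, the new `selinux_warning` text says "successfully change" where "successfully changed" is meant.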
@@ -42,35 +51,90 @@ def update_file(filename, orig, subst): sys.stdout.write(p.sub(subst, line)) fileinput.close() -class HTTPInstance: +class HTTPInstance(service.Service): def __init__(self): - pass + service.Service.__init__(self, "httpd") - def create_instance(self): + def create_instance(self, realm, fqdn): + self.sub_dict = { "REALM" : realm } + self.fqdn = fqdn + self.realm = realm + + self.start_creation(6, "Configuring the web interface") + self.__disable_mod_ssl() self.__set_mod_nss_port() + self.__configure_http() + self.__create_http_keytab() + + self.step("restarting httpd") + self.restart() + + self.step("configuring httpd to start on boot") + self.chkconfig_on() + + self.done_creation() + + def __selinux_config(self): + self.step("configuring SELinux for httpd") + selinux=0 try: - self.restart() - except: - # TODO: roll back here? - print "Failed to restart httpd" + if (os.path.exists('/usr/sbin/selinuxenabled')): + run(["/usr/sbin/selinuxenabled"]) + selinux=1 + except subprocess.CalledProcessError: + # selinuxenabled returns 1 if not enabled + pass + + if selinux: + # Allow apache to connect to the turbogears web gui + # This can still fail even if selinux is enabled + try: + run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"]) + except: + self.print_msg(selinux_warning) + + def __create_http_keytab(self): + self.step("creating a keytab for httpd") + try: + if file_exists("/etc/httpd/conf/ipa.keytab"): + os.remove("/etc/httpd/conf/ipa.keytab") + except os.error: + print "Failed to remove /etc/httpd/conf/ipa.keytab." 
+ (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") + kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n") + kwrite.flush() + kwrite.write("ktadd -k /etc/httpd/conf/ipa.keytab HTTP/"+self.fqdn+"@"+self.realm+"\n") + kwrite.flush() + kwrite.close() + kread.close() + kerr.close() + + # give kadmin time to actually write the file before we go on + retry = 0 + while not file_exists("/etc/httpd/conf/ipa.keytab"): + time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + sys.exit(1) - def stop(self): - run(["/sbin/service", "httpd", "stop"]) + pent = pwd.getpwnam("apache") + os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) - def start(self): - run(["/sbin/service", "httpd", "start"]) + def __configure_http(self): + self.step("configuring httpd") + http_txt = template_file(SHARE_DIR + "ipa.conf", self.sub_dict) + http_fd = open("/etc/httpd/conf.d/ipa.conf", "w") + http_fd.write(http_txt) + http_fd.close() - def restart(self): - run(["/sbin/service", "httpd", "restart"]) def __disable_mod_ssl(self): - logging.debug("disabling mod_ssl in httpd") + self.step("disabling mod_ssl in httpd") if os.path.exists(SSL_CONF): os.rename(SSL_CONF, "%s.moved_by_ipa" % SSL_CONF) - logging.debug("done disabling mod_ssl") def __set_mod_nss_port(self): - logging.debug("Setting mod_nss port to 443") + self.step("Setting mod_nss port to 443") update_file(NSS_CONF, '8443', '443') - logging.debug("done setting mod_nss port") |