authorJan Cholasta <jcholast@redhat.com>2015-06-10 08:22:30 +0000
committerJan Cholasta <jcholast@redhat.com>2015-06-10 16:17:34 +0000
commitcbcd86b5001039db468b46aefd83926a2b721eb5 (patch)
treedd2c5cbee19700eeb3cb7b41e42cc244a53bf684 /ipaserver/install/server
parent81729e22d35c5313e85081b6b3e8658b3d542af1 (diff)
install: Initialize API early in server and replica install
https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaserver/install/server')
-rw-r--r--ipaserver/install/server/install.py90
-rw-r--r--ipaserver/install/server/replicainstall.py278
2 files changed, 191 insertions, 177 deletions
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 59a9d1e5e..89473dc02 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -301,6 +301,8 @@ def install_check(installer):
external_ca_file = installer._external_ca_file
http_ca_cert = installer._ca_cert
+ dogtag_constants = dogtag.install_constants
+
tasks.check_selinux_status()
if options.master_password:
@@ -550,6 +552,51 @@ def install_check(installer):
else:
admin_password = options.admin_password
+ # Configuration for ipalib, we will bootstrap and finalize later, after
+ # we are sure we have the configuration file ready.
+ cfg = dict(
+ context='installer',
+ in_server=True,
+ )
+
+ # Create the management framework config file and finalize api
+ target_fname = paths.IPA_DEFAULT_CONF
+ fd = open(target_fname, "w")
+ fd.write("[global]\n")
+ fd.write("host=%s\n" % host_name)
+ fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name))
+ fd.write("realm=%s\n" % realm_name)
+ fd.write("domain=%s\n" % domain_name)
+ fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name))
+ fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
+ installutils.realm_to_serverid(realm_name))
+ if setup_ca:
+ fd.write("enable_ra=True\n")
+ fd.write("ra_plugin=dogtag\n")
+ fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
+ else:
+ fd.write("enable_ra=False\n")
+ fd.write("ra_plugin=none\n")
+ fd.write("mode=production\n")
+ fd.close()
+
+ # Must be readable for everyone
+ os.chmod(target_fname, 0644)
+
+ system_hostname = get_fqdn()
+ if host_name != system_hostname:
+ root_logger.debug("Chosen hostname (%s) differs from system hostname "
+ "(%s) - change it" % (host_name, system_hostname))
+ # update `api.env.ca_host` to correct hostname
+ # https://fedorahosted.org/freeipa/ticket/4936
+ api.env.ca_host = host_name
+
+ api.bootstrap(**cfg)
+ if setup_ca:
+ # ensure profile backend is available
+ import ipaserver.plugins.dogtag
+ api.finalize()
+
if setup_ca:
ca.install_check(False, None, options)
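Review bot: The config writer moved into install_check no longer emits the `enable_kra=%s` line that the removed block in install() wrote (old line `fd.write("enable_kra=%s\n" % setup_kra)`), so /etc/ipa/default.conf written by a fresh server install stops recording the KRA setting while the replica writer in this same commit still does; unless that is deliberate, add `fd.write("enable_kra=%s\n" % setup_kra)` after the `ra_plugin` branch, assuming `setup_kra` is in scope in install_check as it was in install(). The file is created under the process umask and only chmod'ed to 0644 afterwards, and `fd` is not closed if a write raises — `with open(target_fname, "w") as fd:` would close it on every path, and the replica version's explicit `os.umask(022)` inside a try/finally handles the permission race the same way. Since install_check is the pre-flight phase, it now overwrites the live config file before any later check has passed; a comment at the top of the block stating that this is intentional so `api.bootstrap()` can read the file would help the next reader. install_check continues outside the hunk.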
@@ -656,38 +703,6 @@ def install(installer):
# failure to enable root cause investigation
installer._installation_cleanup = False
- # Configuration for ipalib, we will bootstrap and finalize later, after
- # we are sure we have the configuration file ready.
- cfg = dict(
- context='installer',
- in_server=True,
- )
-
- # Create the management framework config file and finalize api
- target_fname = paths.IPA_DEFAULT_CONF
- fd = open(target_fname, "w")
- fd.write("[global]\n")
- fd.write("host=%s\n" % host_name)
- fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name))
- fd.write("realm=%s\n" % realm_name)
- fd.write("domain=%s\n" % domain_name)
- fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name))
- fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
- installutils.realm_to_serverid(realm_name))
- if setup_ca:
- fd.write("enable_ra=True\n")
- fd.write("ra_plugin=dogtag\n")
- fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
- else:
- fd.write("enable_ra=False\n")
- fd.write("ra_plugin=none\n")
- fd.write("enable_kra=%s\n" % setup_kra)
- fd.write("mode=production\n")
- fd.close()
-
- # Must be readable for everyone
- os.chmod(target_fname, 0644)
-
if installer.interactive:
print ""
print "The following operations may take some minutes to complete."
@@ -696,19 +711,8 @@ def install(installer):
system_hostname = get_fqdn()
if host_name != system_hostname:
- root_logger.debug("Chosen hostname (%s) differs from system hostname "
- "(%s) - change it" % (host_name, system_hostname))
# configure /etc/sysconfig/network to contain the custom hostname
tasks.backup_and_replace_hostname(fstore, sstore, host_name)
- # update `api.env.ca_host` to correct hostname
- # https://fedorahosted.org/freeipa/ticket/4936
- api.env.ca_host = host_name
-
- api.bootstrap(**cfg)
- if setup_ca:
- # ensure profile backend is available
- import ipaserver.plugins.dogtag
- api.finalize()
# Create DS user/group if it doesn't exist yet
dsinstance.create_ds_user()
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 945511709..0429a4057 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -355,6 +355,143 @@ def install_check(installer):
config.setup_ca = options.setup_ca
config.setup_kra = options.setup_kra
+ # Create the management framework config file
+ # Note: We must do this before bootstraping and finalizing ipalib.api
+ old_umask = os.umask(022) # must be readable for httpd
+ try:
+ fd = open(paths.IPA_DEFAULT_CONF, "w")
+ fd.write("[global]\n")
+ fd.write("host=%s\n" % config.host_name)
+ fd.write("basedn=%s\n" %
+ str(ipautil.realm_to_suffix(config.realm_name)))
+ fd.write("realm=%s\n" % config.realm_name)
+ fd.write("domain=%s\n" % config.domain_name)
+ fd.write("xmlrpc_uri=https://%s/ipa/xml\n" %
+ ipautil.format_netloc(config.host_name))
+ fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
+ installutils.realm_to_serverid(config.realm_name))
+ if ipautil.file_exists(config.dir + "/cacert.p12"):
+ fd.write("enable_ra=True\n")
+ fd.write("ra_plugin=dogtag\n")
+ fd.write("dogtag_version=%s\n" %
+ dogtag.install_constants.DOGTAG_VERSION)
+ else:
+ fd.write("enable_ra=False\n")
+ fd.write("ra_plugin=none\n")
+
+ fd.write("enable_kra=%s\n" % config.setup_kra)
+
+ fd.write("mode=production\n")
+ fd.close()
+ finally:
+ os.umask(old_umask)
+
+ api.bootstrap(in_server=True, context='installer')
+ api.finalize()
+
+ installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
+
+ cafile = config.dir + "/ca.crt"
+
+ ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
+ remote_api = create_api(mode=None)
+ remote_api.bootstrap(in_server=True, context='installer',
+ ldap_uri=ldapuri)
+ remote_api.finalize()
+ conn = remote_api.Backend.ldap2
+ replman = None
+ try:
+ # Try out the password
+ conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
+ tls_cacertfile=cafile)
+ replman = ReplicationManager(config.realm_name,
+ config.master_host_name,
+ config.dirman_password)
+
+ # Check that we don't already have a replication agreement
+ try:
+ (agreement_cn, agreement_dn) = replman.agreement_dn(
+ config.host_name)
+ entry = conn.get_entry(agreement_dn, ['*'])
+ except errors.NotFound:
+ pass
+ else:
+ root_logger.info('Error: A replication agreement for this '
+ 'host already exists.')
+ print('A replication agreement for this host already exists. '
+ 'It needs to be removed.')
+ print "Run this on the master that generated the info file:"
+ print(" %% ipa-replica-manage del %s --force" %
+ config.host_name)
+ sys.exit(3)
+
+ # Detect the current domain level
+ try:
+ current = remote_api.Command['domainlevel_get']()['result']
+ except errors.NotFound:
+ # If we're joining an older master, domain entry is not
+ # available
+ current = 0
+
+ # Detect if current level is out of supported range
+ # for this IPA version
+ under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
+ above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
+
+ if under_lower_bound or above_upper_bound:
+ message = ("This version of FreeIPA does not support "
+ "the Domain Level which is currently set for "
+ "this domain. The Domain Level needs to be "
+ "raised before installing a replica with "
+ "this version is allowed to be installed "
+ "within this domain.")
+ root_logger.error(message)
+ print(message)
+ sys.exit(3)
+
+ # Check pre-existing host entry
+ try:
+ entry = conn.find_entries(u'fqdn=%s' % config.host_name,
+ ['fqdn'], DN(api.env.container_host,
+ api.env.basedn))
+ except errors.NotFound:
+ pass
+ else:
+ root_logger.info('Error: Host %s already exists on the master '
+ 'server.' % config.host_name)
+ print('The host %s already exists on the master server.' %
+ config.host_name)
+ print "You should remove it before proceeding:"
+ print " %% ipa host-del %s" % config.host_name
+ sys.exit(3)
+
+ dns_masters = remote_api.Object['dnsrecord'].get_dns_masters()
+ if dns_masters:
+ if not options.no_host_dns:
+ master = config.master_host_name
+ root_logger.debug('Check forward/reverse DNS resolution')
+ resolution_ok = (
+ check_dns_resolution(master, dns_masters) and
+ check_dns_resolution(config.host_name, dns_masters))
+ if not resolution_ok and installer.interactive:
+ if not ipautil.user_input("Continue?", False):
+ sys.exit(0)
+ else:
+ root_logger.debug('No IPA DNS servers, '
+ 'skipping forward/reverse resolution check')
+
+ except errors.ACIError:
+ sys.exit("\nThe password provided is incorrect for LDAP server "
+ "%s" % config.master_host_name)
+ except errors.LDAPError:
+ sys.exit("\nUnable to connect to LDAP server %s" %
+ config.master_host_name)
+ finally:
+ if replman and replman.conn:
+ replman.conn.unbind()
+ if conn.isconnected():
+ conn.disconnect()
+
if options.setup_ca:
options.realm_name = config.realm_name
options.host_name = config.host_name
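Review bot: `conn.connect(bind_dn=DIRMAN_DN, ..., tls_cacertfile=cafile)` uses `cafile` before the `if not ipautil.file_exists(cafile)` guard, which this commit leaves further down in install_check (the third hunk of this file, where only the `cafile =` assignment is removed); a missing ca.crt therefore surfaces as the generic "Unable to connect to LDAP server" exit from the `errors.LDAPError` handler instead of the explicit "CA cert file is not available" RuntimeError. Moving the existence check up next to `cafile = config.dir + "/ca.crt"` keeps the TLS-verified Directory Manager bind from ever being attempted without the expected CA file. Separately, `remote_api.bootstrap(in_server=True, context='installer', ldap_uri=ldapuri)` drops the `basedn=DN()` that the removed install() version passed (fourth hunk); if that override was needed there, the commit should say why it is no longer needed now that default.conf is written first. The `entry = ...` results of the agreement and host-entry probes are never read and can be plain calls.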
@@ -369,8 +506,6 @@ def install_check(installer):
print str(e)
sys.exit(1)
- installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
-
if options.setup_dns:
dns.install_check(False, True, options, config.host_name)
else:
@@ -384,11 +519,11 @@ def install_check(installer):
config.master_host_name, config.host_name, config.realm_name,
options.setup_ca, config.ca_ds_port, options.admin_password)
- cafile = config.dir + "/ca.crt"
if not ipautil.file_exists(cafile):
raise RuntimeError("CA cert file is not available. Please run "
"ipa-replica-prepare to create a new replica file.")
+ installer._remote_api = remote_api
installer._fstore = fstore
installer._sstore = sstore
installer._config = config
@@ -403,144 +538,19 @@ def install(installer):
dogtag_constants = dogtag.install_constants
- # Create the management framework config file
- # Note: We must do this before bootstraping and finalizing ipalib.api
- old_umask = os.umask(022) # must be readable for httpd
- try:
- fd = open(paths.IPA_DEFAULT_CONF, "w")
- fd.write("[global]\n")
- fd.write("host=%s\n" % config.host_name)
- fd.write("basedn=%s\n" %
- str(ipautil.realm_to_suffix(config.realm_name)))
- fd.write("realm=%s\n" % config.realm_name)
- fd.write("domain=%s\n" % config.domain_name)
- fd.write("xmlrpc_uri=https://%s/ipa/xml\n" %
- ipautil.format_netloc(config.host_name))
- fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
- installutils.realm_to_serverid(config.realm_name))
- if ipautil.file_exists(config.dir + "/cacert.p12"):
- fd.write("enable_ra=True\n")
- fd.write("ra_plugin=dogtag\n")
- fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
- else:
- fd.write("enable_ra=False\n")
- fd.write("ra_plugin=none\n")
-
- fd.write("enable_kra=%s\n" % config.setup_kra)
-
- fd.write("mode=production\n")
- fd.close()
- finally:
- os.umask(old_umask)
-
- api.bootstrap(in_server=True, context='installer')
- api.finalize()
-
# Create DS user/group if it doesn't exist yet
dsinstance.create_ds_user()
cafile = config.dir + "/ca.crt"
- ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
- remote_api = create_api(mode=None)
- remote_api.bootstrap(in_server=True, context='installer',
- ldap_uri=ldapuri, basedn=DN())
- remote_api.finalize()
+ remote_api = installer._remote_api
conn = remote_api.Backend.ldap2
- replman = None
try:
- try:
- # Try out the password
- conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
- tls_cacertfile=cafile)
- replman = ReplicationManager(config.realm_name,
- config.master_host_name,
- config.dirman_password)
-
- # Check that we don't already have a replication agreement
- try:
- (agreement_cn, agreement_dn) = replman.agreement_dn(
- config.host_name)
- entry = conn.get_entry(agreement_dn, ['*'])
- except errors.NotFound:
- pass
- else:
- root_logger.info('Error: A replication agreement for this '
- 'host already exists.')
- print('A replication agreement for this host already exists. '
- 'It needs to be removed.')
- print "Run this on the master that generated the info file:"
- print(" %% ipa-replica-manage del %s --force" %
- config.host_name)
- sys.exit(3)
-
- # Detect the current domain level
- try:
- current = remote_api.Command['domainlevel_get']()['result']
- except errors.NotFound:
- # If we're joining an older master, domain entry is not
- # available
- current = 0
-
- # Detect if current level is out of supported range
- # for this IPA version
- under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
- above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
-
- if under_lower_bound or above_upper_bound:
- message = ("This version of FreeIPA does not support "
- "the Domain Level which is currently set for "
- "this domain. The Domain Level needs to be "
- "raised before installing a replica with "
- "this version is allowed to be installed "
- "within this domain.")
- root_logger.error(message)
- print(message)
- sys.exit(3)
-
- # Check pre-existing host entry
- try:
- entry = conn.find_entries(u'fqdn=%s' % config.host_name,
- ['fqdn'], DN(api.env.container_host,
- api.env.basedn))
- except errors.NotFound:
- pass
- else:
- root_logger.info('Error: Host %s already exists on the master '
- 'server.' % config.host_name)
- print('The host %s already exists on the master server.' %
- config.host_name)
- print "You should remove it before proceeding:"
- print " %% ipa host-del %s" % config.host_name
- sys.exit(3)
-
- # Install CA cert so that we can do SSL connections with ldap
- install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
-
- dns_masters = remote_api.Object['dnsrecord'].get_dns_masters()
- if dns_masters:
- if not options.no_host_dns:
- master = config.master_host_name
- root_logger.debug('Check forward/reverse DNS resolution')
- resolution_ok = (
- check_dns_resolution(master, dns_masters) and
- check_dns_resolution(config.host_name, dns_masters))
- if not resolution_ok and installer.interactive:
- if not ipautil.user_input("Continue?", False):
- sys.exit(0)
- else:
- root_logger.debug('No IPA DNS servers, '
- 'skipping forward/reverse resolution check')
-
- except errors.ACIError:
- sys.exit("\nThe password provided is incorrect for LDAP server "
- "%s" % config.master_host_name)
- except errors.LDAPError:
- sys.exit("\nUnable to connect to LDAP server %s" %
- config.master_host_name)
- finally:
- if replman and replman.conn:
- replman.conn.unbind()
+ conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
+ tls_cacertfile=cafile)
+
+ # Install CA cert so that we can do SSL connections with ldap
+ install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
# Configure ntpd
if not options.no_ntp:
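Review bot: `dogtag_constants = dogtag.install_constants` at the top of the hunk loses its only visible use (the removed `dogtag_version=` write); if nothing later in install() reads it, the assignment should be removed too — install() continues past the hunk, so this needs confirming. The re-bind `conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password, tls_cacertfile=cafile)` now sits in a `try:` whose `errors.ACIError` and `errors.LDAPError` handlers this commit deleted, so a bind that fails between install_check and install (master unreachable, password changed) would surface as a traceback rather than the former clear `sys.exit` messages unless a handler outside the hunk still covers it. A one-line comment such as `# credentials were validated in install_check; a failure here means the master changed state` would make the reduced handling intentional rather than accidental.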