author | Jan Cholasta <jcholast@redhat.com> | 2015-06-10 08:22:30 +0000 |
committer | Jan Cholasta <jcholast@redhat.com> | 2015-06-10 16:17:34 +0000 |
commit | cbcd86b5001039db468b46aefd83926a2b721eb5 (patch) | |
tree | dd2c5cbee19700eeb3cb7b41e42cc244a53bf684 /ipaserver | |
parent | 81729e22d35c5313e85081b6b3e8658b3d542af1 (diff) | |
install: Initialize API early in server and replica install
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/server/install.py | 90 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 278 |
2 files changed, 191 insertions, 177 deletions
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 59a9d1e5e..89473dc02 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -301,6 +301,8 @@ def install_check(installer): external_ca_file = installer._external_ca_file http_ca_cert = installer._ca_cert + dogtag_constants = dogtag.install_constants + tasks.check_selinux_status() if options.master_password: 
@@ -550,6 +552,51 @@ def install_check(installer): else: admin_password = options.admin_password + # Configuration for ipalib, we will bootstrap and finalize later, after + # we are sure we have the configuration file ready. + cfg = dict( + context='installer', + in_server=True, + ) + + # Create the management framework config file and finalize api + target_fname = paths.IPA_DEFAULT_CONF + fd = open(target_fname, "w") + fd.write("[global]\n") + fd.write("host=%s\n" % host_name) + fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name)) + fd.write("realm=%s\n" % realm_name) + fd.write("domain=%s\n" % domain_name) + fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name)) + fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % + installutils.realm_to_serverid(realm_name)) + if setup_ca: + fd.write("enable_ra=True\n") + fd.write("ra_plugin=dogtag\n") + fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION) + else: + fd.write("enable_ra=False\n") + fd.write("ra_plugin=none\n") + fd.write("mode=production\n") + fd.close() + + # Must be readable for everyone + os.chmod(target_fname, 0644) + + system_hostname = get_fqdn() + if host_name != system_hostname: + root_logger.debug("Chosen hostname (%s) differs from system hostname " + "(%s) - change it" % (host_name, system_hostname)) + # update `api.env.ca_host` to correct hostname + # https://fedorahosted.org/freeipa/ticket/4936 + api.env.ca_host = host_name + + api.bootstrap(**cfg) + if setup_ca: + # ensure profile backend is available + import ipaserver.plugins.dogtag + api.finalize() + if setup_ca: ca.install_check(False, None, options) 
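Review bot: The config block re-added to install_check here no longer writes the `enable_kra` line that the block removed from install() (hunk `@@ -656,38 +703,6 @@`) still emitted, so after this commit the server's default.conf silently loses `enable_kra=…`; unless that is intentional, restore `fd.write("enable_kra=%s\n" % setup_kra)` next to `fd.write("mode=production\n")` (whether setup_kra is in scope in install_check is not visible in the hunk). The file is also handled as a bare `open()`/`close()` pair, so a failed write leaves the descriptor open and skips the `os.chmod`; a `with open(target_fname, "w") as fd:` block closes it on every path. Note too that the check phase now creates and chmods paths.IPA_DEFAULT_CONF before the installation has been confirmed, so an aborted check leaves that file behind — worth a comment, or removal on the error path. install_check continues past the end of the hunk.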
@@ -656,38 +703,6 @@ def install(installer): # failure to enable root cause investigation installer._installation_cleanup = False - # Configuration for ipalib, we will bootstrap and finalize later, after - # we are sure we have the configuration file ready. - cfg = dict( - context='installer', - in_server=True, - ) - - # Create the management framework config file and finalize api - target_fname = paths.IPA_DEFAULT_CONF - fd = open(target_fname, "w") - fd.write("[global]\n") - fd.write("host=%s\n" % host_name) - fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name)) - fd.write("realm=%s\n" % realm_name) - fd.write("domain=%s\n" % domain_name) - fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name)) - fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % - installutils.realm_to_serverid(realm_name)) - if setup_ca: - fd.write("enable_ra=True\n") - fd.write("ra_plugin=dogtag\n") - fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION) - else: - fd.write("enable_ra=False\n") - fd.write("ra_plugin=none\n") - fd.write("enable_kra=%s\n" % setup_kra) - fd.write("mode=production\n") - fd.close() - - # Must be readable for everyone - os.chmod(target_fname, 0644) - if installer.interactive: print "" print "The following operations may take some minutes to complete." 
@@ -696,19 +711,8 @@ def install(installer): system_hostname = get_fqdn() if host_name != system_hostname: - root_logger.debug("Chosen hostname (%s) differs from system hostname " - "(%s) - change it" % (host_name, system_hostname)) # configure /etc/sysconfig/network to contain the custom hostname tasks.backup_and_replace_hostname(fstore, sstore, host_name) - # update `api.env.ca_host` to correct hostname - # https://fedorahosted.org/freeipa/ticket/4936 - api.env.ca_host = host_name - - api.bootstrap(**cfg) - if setup_ca: - # ensure profile backend is available - import ipaserver.plugins.dogtag - api.finalize() # Create DS user/group if it doesn't exist yet dsinstance.create_ds_user()
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 945511709..0429a4057 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py 
@@ -355,6 +355,143 @@ def install_check(installer): config.setup_ca = options.setup_ca config.setup_kra = options.setup_kra + # Create the management framework config file + # Note: We must do this before bootstraping and finalizing ipalib.api + old_umask = os.umask(022) # must be readable for httpd + try: + fd = open(paths.IPA_DEFAULT_CONF, "w") + fd.write("[global]\n") + fd.write("host=%s\n" % config.host_name) + fd.write("basedn=%s\n" % + str(ipautil.realm_to_suffix(config.realm_name))) + fd.write("realm=%s\n" % config.realm_name) + fd.write("domain=%s\n" % config.domain_name) + fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % + ipautil.format_netloc(config.host_name)) + fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % + installutils.realm_to_serverid(config.realm_name)) + if ipautil.file_exists(config.dir + "/cacert.p12"): + fd.write("enable_ra=True\n") + fd.write("ra_plugin=dogtag\n") + fd.write("dogtag_version=%s\n" % + dogtag.install_constants.DOGTAG_VERSION) + else: + fd.write("enable_ra=False\n") + fd.write("ra_plugin=none\n") + + fd.write("enable_kra=%s\n" % config.setup_kra) + + fd.write("mode=production\n") + fd.close() + finally: + os.umask(old_umask) + + api.bootstrap(in_server=True, context='installer') + api.finalize() + + installutils.verify_fqdn(config.master_host_name, options.no_host_dns) + + cafile = config.dir + "/ca.crt" + + ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name) + remote_api = create_api(mode=None) + remote_api.bootstrap(in_server=True, context='installer', + ldap_uri=ldapuri) + remote_api.finalize() + conn = remote_api.Backend.ldap2 + replman = None + try: + # Try out the password + conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password, + tls_cacertfile=cafile) + replman = ReplicationManager(config.realm_name, + config.master_host_name, + config.dirman_password) + + # Check that we don't already have a replication agreement + try: + (agreement_cn, agreement_dn) = replman.agreement_dn( + 
config.host_name) + entry = conn.get_entry(agreement_dn, ['*']) + except errors.NotFound: + pass + else: + root_logger.info('Error: A replication agreement for this ' + 'host already exists.') + print('A replication agreement for this host already exists. ' + 'It needs to be removed.') + print "Run this on the master that generated the info file:" + print(" %% ipa-replica-manage del %s --force" % + config.host_name) + sys.exit(3) + + # Detect the current domain level + try: + current = remote_api.Command['domainlevel_get']()['result'] + except errors.NotFound: + # If we're joining an older master, domain entry is not + # available + current = 0 + + # Detect if current level is out of supported range + # for this IPA version + under_lower_bound = current < constants.MIN_DOMAIN_LEVEL + above_upper_bound = current > constants.MAX_DOMAIN_LEVEL + + if under_lower_bound or above_upper_bound: + message = ("This version of FreeIPA does not support " + "the Domain Level which is currently set for " + "this domain. The Domain Level needs to be " + "raised before installing a replica with " + "this version is allowed to be installed " + "within this domain.") + root_logger.error(message) + print(message) + sys.exit(3) + + # Check pre-existing host entry + try: + entry = conn.find_entries(u'fqdn=%s' % config.host_name, + ['fqdn'], DN(api.env.container_host, + api.env.basedn)) + except errors.NotFound: + pass + else: + root_logger.info('Error: Host %s already exists on the master ' + 'server.' % config.host_name) + print('The host %s already exists on the master server.' 
% + config.host_name) + print "You should remove it before proceeding:" + print " %% ipa host-del %s" % config.host_name + sys.exit(3) + + dns_masters = remote_api.Object['dnsrecord'].get_dns_masters() + if dns_masters: + if not options.no_host_dns: + master = config.master_host_name + root_logger.debug('Check forward/reverse DNS resolution') + resolution_ok = ( + check_dns_resolution(master, dns_masters) and + check_dns_resolution(config.host_name, dns_masters)) + if not resolution_ok and installer.interactive: + if not ipautil.user_input("Continue?", False): + sys.exit(0) + else: + root_logger.debug('No IPA DNS servers, ' + 'skipping forward/reverse resolution check') + + except errors.ACIError: + sys.exit("\nThe password provided is incorrect for LDAP server " + "%s" % config.master_host_name) + except errors.LDAPError: + sys.exit("\nUnable to connect to LDAP server %s" % + config.master_host_name) + finally: + if replman and replman.conn: + replman.conn.unbind() + if conn.isconnected(): + conn.disconnect() + if options.setup_ca: options.realm_name = config.realm_name options.host_name = config.host_name
@@ -369,8 +506,6 @@ def install_check(installer): print str(e) sys.exit(1) - installutils.verify_fqdn(config.master_host_name, options.no_host_dns) - if options.setup_dns: dns.install_check(False, True, options, config.host_name) else:
@@ -384,11 +519,11 @@ def install_check(installer): config.master_host_name, config.host_name, config.realm_name, options.setup_ca, config.ca_ds_port, options.admin_password) - cafile = config.dir + "/ca.crt" if not ipautil.file_exists(cafile): raise RuntimeError("CA cert file is not available. Please run " "ipa-replica-prepare to create a new replica file.") + installer._remote_api = remote_api installer._fstore = fstore installer._sstore = sstore installer._config = config 
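Review bot: The ldaps connect added to install_check (`conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password, tls_cacertfile=cafile)`) now runs before the `if not ipautil.file_exists(cafile)` guard that hunk `@@ -384,11 +519,11 @@` leaves further down the same function, so a missing ca.crt is reported as the generic "Unable to connect to LDAP server" exit — or, should the backend tolerate an absent CA file, results in a connection made without the intended trust anchor — instead of the RuntimeError that names the real cause; move that existence check up to directly after `cafile = config.dir + "/ca.crt"`. The new `remote_api.bootstrap(...)` call also no longer passes `basedn=DN()` as the removed install() code did, so remote_api.env.basedn is presumably now taken from the default.conf written just above; if that is deliberate it deserves a one-line comment, since it changes the environment the remote commands run against. install_check continues past the end of the hunk.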
@@ -403,144 +538,19 @@ def install(installer): dogtag_constants = dogtag.install_constants - # Create the management framework config file - # Note: We must do this before bootstraping and finalizing ipalib.api - old_umask = os.umask(022) # must be readable for httpd - try: - fd = open(paths.IPA_DEFAULT_CONF, "w") - fd.write("[global]\n") - fd.write("host=%s\n" % config.host_name) - fd.write("basedn=%s\n" % - str(ipautil.realm_to_suffix(config.realm_name))) - fd.write("realm=%s\n" % config.realm_name) - fd.write("domain=%s\n" % config.domain_name) - fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % - ipautil.format_netloc(config.host_name)) - fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % - installutils.realm_to_serverid(config.realm_name)) - if ipautil.file_exists(config.dir + "/cacert.p12"): - fd.write("enable_ra=True\n") - fd.write("ra_plugin=dogtag\n") - fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION) - else: - fd.write("enable_ra=False\n") - fd.write("ra_plugin=none\n") - - fd.write("enable_kra=%s\n" % config.setup_kra) - - fd.write("mode=production\n") - fd.close() - finally: - os.umask(old_umask) - - api.bootstrap(in_server=True, context='installer') - api.finalize() - # Create DS user/group if it doesn't exist yet dsinstance.create_ds_user() cafile = config.dir + "/ca.crt" - ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name) - remote_api = create_api(mode=None) - remote_api.bootstrap(in_server=True, context='installer', - ldap_uri=ldapuri, basedn=DN()) - remote_api.finalize() + remote_api = installer._remote_api conn = remote_api.Backend.ldap2 - replman = None try: - try: - # Try out the password - conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password, - tls_cacertfile=cafile) - replman = ReplicationManager(config.realm_name, - config.master_host_name, - config.dirman_password) - - # Check that we don't already have a replication agreement - try: - (agreement_cn, agreement_dn) = 
replman.agreement_dn( - config.host_name) - entry = conn.get_entry(agreement_dn, ['*']) - except errors.NotFound: - pass - else: - root_logger.info('Error: A replication agreement for this ' - 'host already exists.') - print('A replication agreement for this host already exists. ' - 'It needs to be removed.') - print "Run this on the master that generated the info file:" - print(" %% ipa-replica-manage del %s --force" % - config.host_name) - sys.exit(3) - - # Detect the current domain level - try: - current = remote_api.Command['domainlevel_get']()['result'] - except errors.NotFound: - # If we're joining an older master, domain entry is not - # available - current = 0 - - # Detect if current level is out of supported range - # for this IPA version - under_lower_bound = current < constants.MIN_DOMAIN_LEVEL - above_upper_bound = current > constants.MAX_DOMAIN_LEVEL - - if under_lower_bound or above_upper_bound: - message = ("This version of FreeIPA does not support " - "the Domain Level which is currently set for " - "this domain. The Domain Level needs to be " - "raised before installing a replica with " - "this version is allowed to be installed " - "within this domain.") - root_logger.error(message) - print(message) - sys.exit(3) - - # Check pre-existing host entry - try: - entry = conn.find_entries(u'fqdn=%s' % config.host_name, - ['fqdn'], DN(api.env.container_host, - api.env.basedn)) - except errors.NotFound: - pass - else: - root_logger.info('Error: Host %s already exists on the master ' - 'server.' % config.host_name) - print('The host %s already exists on the master server.' 
% - config.host_name) - print "You should remove it before proceeding:" - print " %% ipa host-del %s" % config.host_name - sys.exit(3) - - # Install CA cert so that we can do SSL connections with ldap - install_ca_cert(conn, api.env.basedn, api.env.realm, cafile) - - dns_masters = remote_api.Object['dnsrecord'].get_dns_masters() - if dns_masters: - if not options.no_host_dns: - master = config.master_host_name - root_logger.debug('Check forward/reverse DNS resolution') - resolution_ok = ( - check_dns_resolution(master, dns_masters) and - check_dns_resolution(config.host_name, dns_masters)) - if not resolution_ok and installer.interactive: - if not ipautil.user_input("Continue?", False): - sys.exit(0) - else: - root_logger.debug('No IPA DNS servers, ' - 'skipping forward/reverse resolution check') - - except errors.ACIError: - sys.exit("\nThe password provided is incorrect for LDAP server " - "%s" % config.master_host_name) - except errors.LDAPError: - sys.exit("\nUnable to connect to LDAP server %s" % - config.master_host_name) - finally: - if replman and replman.conn: - replman.conn.unbind() + conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password, + tls_cacertfile=cafile) + + # Install CA cert so that we can do SSL connections with ldap + install_ca_cert(conn, api.env.basedn, api.env.realm, cafile) # Configure ntpd if not options.no_ntp: |
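Review bot: The `conn.connect(...)` and `install_ca_cert(...)` added to install() sit inside the surviving outer `try:`, but the `except errors.ACIError` / `except errors.LDAPError` handlers that turned a wrong password or unreachable master into a clean `sys.exit` message were deleted together with the inner try; the outer try's `except`/`finally` clauses are outside the hunk, so confirm they still report a connect failure at this point (the password was only verified in install_check, and the connection is re-established from scratch here). If they do not, re-add the two narrow handlers around this connect rather than letting an LDAP exception surface as a traceback mid-install. install() continues past the end of the hunk.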