-rw-r--r-- | ipaplatform/base/paths.py | 3 | ||||
-rw-r--r-- | ipaplatform/fedora/tasks.py | 124 | ||||
-rw-r--r-- | ipapython/platform/fedora18/__init__.py | 57 | ||||
-rw-r--r-- | ipapython/platform/fedora19/__init__.py | 48 |
4 files changed, 124 insertions, 108 deletions
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 1f865b6ea..7a3ff4042 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -21,4 +21,5 @@ This base platform module exports default filesystem paths. ''' -SVC_LIST_FILE = "/var/run/ipa/services.list"
\ No newline at end of file +SVC_LIST_FILE = "/var/run/ipa/services.list" +SYSTEMWIDE_CA_STORE = "/etc/pki/ca-trust/source/anchors/" diff --git a/ipaplatform/fedora/tasks.py b/ipaplatform/fedora/tasks.py index 46fc08d70..8c49ab3a2 100644 --- a/ipaplatform/fedora/tasks.py +++ b/ipaplatform/fedora/tasks.py @@ -1,5 +1,6 @@ # Authors: Simo Sorce <ssorce@redhat.com> # Alexander Bokovoy <abokovoy@redhat.com> +# Martin Kosek <mkosek@redhat.com> # Tomas Babej <tbabej@redhat.com> # # Copyright (C) 2007-2014 Red Hat @@ -23,8 +24,17 @@ This module contains default Fedora-specific implementations of system tasks. ''' import os -import ipautil +import shutil +import stat +import socket +import sys +from subprocess import CalledProcessError + +from ipapython.ipa_log_manager import root_logger +from ipapython import ipautil + +from ipaplatform.paths import paths from ipaplatform.fedora.authconfig import FedoraAuthConfig from ipaplatform.base.tasks import * @@ -53,7 +63,7 @@ def restore_context(filepath, restorecon='/sbin/restorecon'): ipautil.run([restorecon, filepath], raiseonerr=False) -def check_selinux_status(restorecon='/sbin/restorecon'): +def check_selinux_status(restorecon=paths.RESTORECON): """ We don't have a specific package requirement for policycoreutils which provides restorecon. This is because we don't require 
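Review bot: `paths.RESTORECON`, the new default in `check_selinux_status`, is not defined by anything visible in this commit; the `ipaplatform/base/paths.py` hunk adds only `SYSTEMWIDE_CA_STORE`. A default argument is evaluated when the module is imported, so a missing attribute would break every import of `tasks.py`, not just this call. If the constant is not defined elsewhere, add it next to `SYSTEMWIDE_CA_STORE`, e.g. `RESTORECON = "/sbin/restorecon"`. The context line above still hard-codes `restorecon='/sbin/restorecon'` in `restore_context`, so the two helpers now resolve the binary differently; `def restore_context(filepath, restorecon=paths.RESTORECON):` would keep them aligned. Both function bodies continue outside the hunk.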
@@ -141,3 +151,113 @@ def modify_pam_to_use_krb5(statestore):
 auth_config.enable("krb5")
 auth_config.add_option("nostart")
 auth_config.execute()
+
+
+def insert_ca_cert_into_systemwide_ca_store(cacert_path):
+ # Add the 'ipa-' prefix to cert name to avoid name collisions
+ cacert_name = os.path.basename(cacert_path)
+ new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE,
+ 'ipa-%s' % cacert_name)
+
+ # Add the CA to the systemwide CA trust database
+ try:
+ shutil.copy(cacert_path, new_cacert_path)
+ ipautil.run(['/usr/bin/update-ca-trust'])
+ except OSError, e:
+ root_logger.info("Failed to copy %s to %s", cacert_path,
+ new_cacert_path)
+ except CalledProcessError, e:
+ root_logger.info("Failed to add CA to the systemwide "
+ "CA trust database: %s", e)
+ else:
+ root_logger.info('Added the CA to the systemwide CA trust database.')
+ return True
+
+ return False
+
+
+def remove_ca_cert_from_systemwide_ca_store(cacert_path):
+ # Derive the certificate name in the store
+ cacert_name = os.path.basename(cacert_path)
+ new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE,
+ 'ipa-%s' % cacert_name)
+
+ # Remove CA cert from systemwide store
+ if os.path.exists(new_cacert_path):
+ try:
+ os.remove(new_cacert_path)
+ ipautil.run(['/usr/bin/update-ca-trust'])
+ except OSError, e:
+ root_logger.error('Could not remove: %s, %s', new_cacert_path, e)
+ return False
+ except CalledProcessError, e:
+ root_logger.error('Could not update systemwide CA trust '
+ 'database: %s', e)
+ return False
+ else:
+ root_logger.info('Systemwide CA database updated.')
+
+ return True
+
+
+def backup_and_replace_hostname(fstore, statestore, hostname):
+ old_hostname = socket.gethostname()
+ try:
+ ipautil.run(['/bin/hostname', hostname])
+ except ipautil.CalledProcessError, e:
+ error_message = ("Failed to set this machine hostname to %s (%s)."
+ % (hostname, e))
+ root_logger.error(error_message)
+ print >>sys.stderr, error_message
+
+ filepath = '/etc/hostname'
+ if os.path.exists(filepath):
+ # read old hostname
+ with open(filepath, 'r') as f:
+ for line in f:
+ line = line.strip()
+ if not line or line.startswith('#'):
+ # skip comment or empty line
+ continue
+ old_hostname = line
+ break
+ fstore.backup_file(filepath)
+
+ with open(filepath, 'w') as f:
+ f.write("%s\n" % hostname)
+ os.chmod(filepath,
+ stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+ os.chown(filepath, 0, 0)
+ restore_context(filepath)
+
+ # store old hostname
+ statestore.backup_state('network', 'hostname', old_hostname)
+
+
+def restore_network_configuration(fstore, statestore):
+ old_filepath = '/etc/sysconfig/network'
+ old_hostname = statestore.get_state('network', 'hostname')
+ hostname_was_configured = False
+
+ if fstore.has_file(old_filepath):
+ # This is Fedora >=18 instance that was upgraded from previous
+ # Fedora version which held network configuration
+ # in /etc/sysconfig/network
+ old_filepath_restore = '/etc/sysconfig/network.ipabkp'
+ fstore.restore_file(old_filepath, old_filepath_restore)
+ print "Deprecated configuration file '%s' was restored to '%s'" \
+ % (old_filepath, old_filepath_restore)
+ hostname_was_configured = True
+
+ filepath = '/etc/hostname'
+ if fstore.has_file(filepath):
+ fstore.restore_file(filepath)
+ hostname_was_configured = True
+
+ if not hostname_was_configured and old_hostname:
+ # hostname was not configured before but was set by IPA. Delete
+ # /etc/hostname to restore previous configuration
+ try:
+ os.remove(filepath)
+ except OSError:
+ pass
diff --git a/ipapython/platform/fedora18/__init__.py b/ipapython/platform/fedora18/__init__.py
index b7963c78e..f68c08390 100644
--- a/ipapython/platform/fedora18/__init__.py
+++ b/ipapython/platform/fedora18/__init__.py
@@ -50,63 +50,6 @@ __all__ = ['authconfig', 'service', 'knownservices', # Just copy a referential list of timedate services timedate_services = list(base.timedate_services) -def backup_and_replace_hostname(fstore, statestore, hostname): - old_hostname = socket.gethostname() - try: - ipautil.run(['/bin/hostname', hostname]) - except ipautil.CalledProcessError, e: - print >>sys.stderr, "Failed to set this machine hostname to %s (%s)." % (hostname, str(e)) - - filepath = '/etc/hostname' - if os.path.exists(filepath): - # read old hostname - with open(filepath, 'r') as f: - for line in f.readlines(): - line = line.strip() - if not line or line.startswith('#'): - # skip comment or empty line - continue - old_hostname = line - break - fstore.backup_file(filepath) - - with open(filepath, 'w') as f: - f.write("%s\n" % hostname) - os.chmod(filepath, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) - os.chown(filepath, 0, 0) - restore_context(filepath) - - # store old hostname - statestore.backup_state('network', 'hostname', old_hostname) - -def restore_network_configuration(fstore, statestore): - old_filepath = '/etc/sysconfig/network' - old_hostname = statestore.get_state('network', 'hostname') - hostname_was_configured = False - - if fstore.has_file(old_filepath): - # This is Fedora >=18 instance that was upgraded from previous - # Fedora version which held network configuration - # in /etc/sysconfig/network - old_filepath_restore = '/etc/sysconfig/network.ipabkp' - fstore.restore_file(old_filepath, old_filepath_restore) - print "Deprecated configuration file '%s' was restored to '%s'" \ - % (old_filepath, old_filepath_restore) - hostname_was_configured = True - - filepath = '/etc/hostname' - if fstore.has_file(filepath): - fstore.restore_file(filepath) - hostname_was_configured = True - - if not hostname_was_configured and old_hostname: - # hostname was not configured before but was set by IPA. 
Delete - # /etc/hostname to restore previous configuration - try: - os.remove(filepath) - except OSError: - pass - authconfig = fedora16.authconfig service = fedora16.service knownservices = fedora16.knownservices diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py index 9b931625b..0981f4ff4 100644 --- a/ipapython/platform/fedora19/__init__.py +++ b/ipapython/platform/fedora19/__init__.py 
@@ -70,51 +70,3 @@ service = fedora18.service knownservices = fedora18.knownservices restore_context = fedora18.restore_context check_selinux_status = fedora18.check_selinux_status - -systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/' - - -def insert_ca_cert_into_systemwide_ca_store(cacert_path): - # Add the 'ipa-' prefix to cert name to avoid name collisions - cacert_name = os.path.basename(cacert_path) - new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name) - - # Add the CA to the systemwide CA trust database - try: - shutil.copy(cacert_path, new_cacert_path) - run(['/usr/bin/update-ca-trust']) - except OSError, e: - root_logger.info("Failed to copy %s to %s" % (cacert_path, - new_cacert_path)) - except CalledProcessError, e: - root_logger.info("Failed to add CA to the systemwide " - "CA trust database: %s" % str(e)) - else: - root_logger.info('Added the CA to the systemwide CA trust database.') - return True - - return False - - -def remove_ca_cert_from_systemwide_ca_store(cacert_path): - # Derive the certificate name in the store - cacert_name = os.path.basename(cacert_path) - new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name) - - # Remove CA cert from systemwide store - if os.path.exists(new_cacert_path): - try: - os.remove(new_cacert_path) - run(['/usr/bin/update-ca-trust']) - except OSError, e: - root_logger.error('Could not remove: %s, %s' - % (new_cacert_path, str(e))) - return False - except CalledProcessError, e: - root_logger.error('Could not update systemwide CA trust ' - 'database: %s' % str(e)) - return False - else: - root_logger.info('Systemwide CA database updated.') - - return True |