Diffstat (limited to 'install/tools/ipa-replica-install')
-rwxr-xr-x | install/tools/ipa-replica-install | 151 |
1 files changed, 21 insertions, 130 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 3feb2a93d..7daa0e8e3 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -21,17 +21,19 @@ import sys import socket -import tempfile, os, pwd, traceback, logging, shutil +import os, pwd, traceback, logging, shutil import grp -from ConfigParser import SafeConfigParser from ipapython import ipautil from ipaserver.install import dsinstance, installutils, krbinstance, service from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs -from ipaserver.install.replication import check_replication_plugin +from ipaserver.install.replication import check_replication_plugin, replica_conn_check from ipaserver.install.installutils import HostnameLocalhost, resolve_host +from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info +from ipaserver.install.installutils import get_host_name from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import cainstance from ipapython import version from ipalib import api, errors, util from ipapython.config import IPAOptionParser @@ -40,16 +42,6 @@ from ipapython import sysrestore CACERT="/etc/ipa/ca.crt" REPLICA_INFO_TOP_DIR=None -class ReplicaConfig: - def __init__(self): - self.realm_name = "" - self.domain_name = "" - self.master_host_name = "" - self.dirman_password = "" - self.host_name = "" - self.dir = "" - self.subject_base = "" - def parse_options(): usage = "%prog [options] REPLICA_FILE" parser = IPAOptionParser(usage=usage, version=version.VERSION) 
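Review bot: `cainstance` is now imported unconditionally at module level, whereas the removed install_ca() imported it lazily inside a try/except ImportError and printed a readable message before exiting; if that module, or whatever it pulls in, is missing on a host being set up without `--setup-ca`, the installer now dies with an ImportError traceback before it even parses options. Whether cainstance has such heavy imports is not visible here, but if the lazy import existed for that reason the guard should survive the move: `try: from ipaserver.install import cainstance` / `except ImportError: cainstance = None`, with main() refusing `--setup-ca` (and skipping install_replica_ca) when it is None. Otherwise a short comment at the import noting that cainstance is safe to import without the dogtag packages would settle the question for the next reader.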
@@ -76,6 +68,8 @@ def parse_options(): default=True, help="disables pkinit setup steps") parser.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true", default=False, help="skip connection check to remote master") + parser.add_option("--setup-ca", dest="setup_ca", action="store_true", + default=False, help="configure a dogtag CA") parser.add_option("-U", "--unattended", dest="unattended", action="store_true", default=False, help="unattended installation never prompts the user") 
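Review bot: The help text for the new `--setup-ca` option, `configure a dogtag CA`, does not tell the operator what the option needs or what the replica ends up with when it is omitted; the removed install_ca() only proceeded when the replica file carried `cacert.p12`, so the prerequisite is presumably still a replica file prepared with CA material, and the same flag now also decides whether the connection check covers the CA. Suggest `help="configure a dogtag CA on this replica (requires a replica file prepared with CA material)"` so the dependency is visible from `--help` rather than only from a failed install.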
@@ -102,98 +96,10 @@ def parse_options(): def get_dirman_password(): return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False) -def expand_info(filename, password): - top_dir = tempfile.mkdtemp("ipa") - tarfile = top_dir+"/files.tar" - dir = top_dir + "/realm_info" - ipautil.decrypt_file(filename, tarfile, password, top_dir) - ipautil.run(["tar", "xf", tarfile, "-C", top_dir]) - os.remove(tarfile) - - return top_dir, dir - -def read_info(dir, rconfig): - filename = dir + "/realm_info" - fd = open(filename) - config = SafeConfigParser() - config.readfp(fd) - - rconfig.realm_name = config.get("realm", "realm_name") - rconfig.master_host_name = config.get("realm", "master_host_name") - rconfig.domain_name = config.get("realm", "domain_name") - rconfig.host_name = config.get("realm", "destination_host") - rconfig.subject_base = config.get("realm", "subject_base") - -def get_host_name(no_host_dns): - hostname = installutils.get_fqdn() - try: - installutils.verify_fqdn(hostname, no_host_dns) - except RuntimeError, e: - logging.error(str(e)) - sys.exit(1) - - return hostname - def set_owner(config, dir): pw = pwd.getpwnam(dsinstance.DS_USER) os.chown(dir, pw.pw_uid, pw.pw_gid) -def install_ca(config): - # FIXME, need to pass along the CA plugin to use - cafile = config.dir + "/cacert.p12" - - if not ipautil.file_exists(cafile): - # CA not used on the server, return empty instances - return (None, None) - - try: - from ipaserver.install import cainstance - except ImportError: - print >> sys.stderr, "Import failed: %s" % sys.exc_value - sys.exit(1) - - if not cainstance.check_inst(): - print "A CA was specified but the dogtag certificate server" - print "is not installed on the system" - print "Please install dogtag and restart the setup program" - sys.exit(1) - - pkcs12_info = None - if ipautil.file_exists(config.dir + "/dogtagcert.p12"): - pkcs12_info = (config.dir + "/dogtagcert.p12", - config.dir + "/dirsrv_pin.txt") - cs = 
cainstance.CADSInstance() - cs.create_instance(config.realm_name, config.host_name, - config.domain_name, config.dirman_password, - pkcs12_info) - cs.load_pkcs12() - cs.enable_ssl() - cs.restart_instance() - ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR) - ca.configure_instance(config.host_name, config.dirman_password, - config.dirman_password, pkcs12_info=(cafile,), - master_host=config.master_host_name, - subject_base=config.subject_base) - - # The dogtag DS instance needs to be restarted after installation. - # The procedure for this is: stop dogtag, stop DS, start DS, start - # dogtag - # - # The service_name trickery is due to the service naming we do - # internally. In the case of the dogtag DS the name doesn't match the - # unix service. - - service_name = cs.service_name - service.print_msg("Restarting the directory and certificate servers") - cs.service_name = "dirsrv" - ca.stop() - cs.stop("PKI-IPA") - cs.start("PKI-IPA") - ca.start() - cs.service_name = service_name - - return (ca, cs) - def install_replica_ds(config): dsinstance.check_existing_installation() dsinstance.check_ports() @@ -392,7 +298,7 @@ def main(): sys.exit(0) try: - top_dir, dir = expand_info(filename, dirman_password) + top_dir, dir = expand_replica_info(filename, dirman_password) global REPLICA_INFO_TOP_DIR REPLICA_INFO_TOP_DIR = top_dir except Exception, e: @@ -401,9 +307,13 @@ def main(): sys.exit(1) config = ReplicaConfig() - read_info(dir, config) + read_replica_info(dir, config) config.dirman_password = dirman_password - host = get_host_name(options.no_host_dns) + try: + host = get_host_name(options.no_host_dns) + except RuntimeError, e: + logging.error(str(e)) + sys.exit(1) if config.host_name != host: try: print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host) 
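Review bot: The new handler around `get_host_name()` catches only RuntimeError, while `HostnameLocalhost` is still imported from installutils at the top of this file, which suggests the hostname verification can raise it; unless that class derives from RuntimeError, a hostname that maps to localhost now escapes as a traceback instead of the logged error and clean exit. The removed local get_host_name() had the same limitation, so this is not a regression, but since the handler is being rewritten anyway it is cheap to widen it to `except (RuntimeError, HostnameLocalhost), e:` once the class hierarchy is confirmed. main() begins and ends outside this hunk.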
@@ -414,32 +324,12 @@ def main(): except KeyboardInterrupt: sys.exit(0) config.dir = dir + config.setup_ca = options.setup_ca # check connection if not options.skip_conncheck: - print "Run connection check to master" - args = ["/usr/sbin/ipa-replica-conncheck", "--master", config.master_host_name, - "--auto-master-check", "--realm", config.realm_name, - "--principal", "admin", - "--hostname", config.host_name] - - if options.admin_password: - args.extend(["--password", options.admin_password]) - - cafile = config.dir + "/cacert.p12" - if ipautil.file_exists(cafile): # with CA - args.append('--check-ca') - logging.debug("Running ipa-replica-conncheck with following arguments: %s" % - " ".join(args)) - (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False, capture_output=False) - - if returncode != 0: - sys.exit("Connection check failed!" + - "\nPlease fix your network settings according to error messages above." + - "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.") - else: - print "Connection check OK" + replica_conn_check(config.master_host_name, config.host_name, config.realm_name, options.setup_ca, options.admin_password) # Create the management framework config file # Note: We must do this before bootstraping and finalizing ipalib.api @@ -516,7 +406,7 @@ def main(): ntp.create_instance() # Configure the CA if necessary - (CA, cs) = install_ca(config) + (CA, cs) = cainstance.install_replica_ca(config) # Always try to install DNS records install_dns_records(config, options) @@ -525,7 +415,7 @@ def main(): ds = install_replica_ds(config) # We need to ldap_enable the CA now that DS is up and running - if CA: + if CA and config.setup_ca: CA.ldap_enable('CA', config.host_name, config.dirman_password, util.realm_to_suffix(config.realm_name)) cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name)) 
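Review bot: The CA part of the connection check is now keyed on `options.setup_ca`, whereas the removed code added `--check-ca` whenever the replica file carried `cacert.p12`; the `if CA and config.setup_ca` guard later in this diff and the unconditional `CA.import_ra_cert(dir + "/ra.p12")` in the last hunk suggest a replica installed without `--setup-ca` still talks to the master CA as an RA client, yet no longer has that reachability verified up front. Consider passing `options.setup_ca or ipautil.file_exists(config.dir + "/cacert.p12")` as the check-CA argument, or confirm that replica_conn_check covers the CA ports whenever the master runs one. The removed code also handed `options.admin_password` to ipa-replica-conncheck as a `--password` argv element, visible to every local user through the process list; the new helper receives the password as a plain argument and it is worth confirming it does not forward it the same way. main() continues beyond this hunk.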
@@ -537,8 +427,9 @@ def main(): CA.import_ra_cert(dir + "/ra.p12") CA.fix_ra_perms() service.restart("httpd") - service.print_msg("Setting the certificate subject base") - CA.set_subject_in_config(util.realm_to_suffix(config.realm_name)) + if config.setup_ca: + service.print_msg("Setting the certificate subject base") + CA.set_subject_in_config(util.realm_to_suffix(config.realm_name)) # The DS instance is created before the keytab, add the SSL cert we # generated |
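Review bot: The new `if config.setup_ca:` guard has no comment saying why only a CA replica gets the certificate subject base written, and the reader also has to know that `CA` is non-None at this point, which is established by a condition outside this hunk. A one-line comment above the guard would help: `# Only a replica that runs its own CA has a CA configuration to carry the subject base; a plain replica has just imported the RA certificate above.` — the second clause is inferred from the `import_ra_cert` call and should be confirmed before it is written down. main() begins and ends outside this hunk.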