Diffstat (limited to 'ipa-client')
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 27 | ||||
-rw-r--r-- | ipa-client/ipaclient/ntpconf.py | 68 | ||||
-rw-r--r-- | ipa-client/man/ipa-client-install.1 | 3 |
3 files changed, 98 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 9e45589b8..975759169 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -89,6 +89,9 @@ def parse_options(): basic_group.add_option("--ntp-server", dest="ntp_server", help="ntp server to use") basic_group.add_option("-N", "--no-ntp", action="store_false", help="do not configure ntp", default=True, dest="conf_ntp") + basic_group.add_option("", "--force-ntpd", dest="force_ntpd", + action="store_true", default=False, + help="Stop and disable any time&date synchronization services besides ntpd") basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true", help="configure OpenSSH client to trust DNS SSHFP records") basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false", @@ -142,6 +145,9 @@ def parse_options(): if (options.server and not options.domain): parser.error("--server cannot be used without providing --domain") + if options.force_ntpd and not options.conf_ntp: + parser.error("--force-ntpd cannot be used together with --no-ntp") + return safe_opts, options def logging_setup(options): @@ -519,6 +525,8 @@ def uninstall(options, env): if restored: ipaservices.knownservices.ntpd.restart() + ipaclient.ntpconf.restore_forced_ntpd(statestore) + if was_sshd_configured and ipaservices.knownservices.sshd.is_running(): ipaservices.knownservices.sshd.restart() 
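Review bot: In the first `parse_options` hunk, the empty first argument in `basic_group.add_option("", "--force-ntpd", ...)` is dead weight, because optparse discards empty option strings. The neighbouring `--ssh-trust-dns` and `--no-ssh` options are declared without it, so `basic_group.add_option("--force-ntpd", dest="force_ntpd",` would keep the declarations consistent. The help text could also mention that the stopped services are restored on uninstall, which is what the `uninstall` hunk appears to do.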
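Review bot: In the `uninstall` hunk, the new `ipaclient.ntpconf.restore_forced_ntpd(statestore)` call is unguarded, so an exception from re-enabling or starting a previously disabled time service would seemingly abort the uninstall before the sshd restart that follows. Guarding it with `try:` / `except Exception, e: root_logger.warning("Failed to restore time&date services: %s", str(e))` would keep uninstall best-effort. The call also runs after the `ntpd.restart()` above it, so on a host where ntpd stays enabled both services may end up running. The rest of `uninstall` is outside this hunk, so confirm that ntpd's own state is restored before this point.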
@@ -1270,6 +1278,22 @@ def install(options, env, fstore, statestore): cli_domain_source = 'Unknown source' cli_server_source = 'Unknown source' + if options.conf_ntp and not options.on_master and not options.force_ntpd: + try: + ipaclient.ntpconf.check_timedate_services() + except ipaclient.ntpconf.NTPConflictingService, e: + print "WARNING: ntpd time&date synchronization service will not" \ + " be configured as" + print "conflicting service (%s) is enabled" % e.conflicting_service + print "Use --force-ntpd option to disable it and force configuration" \ + " of ntpd" + print "" + + # configuration of ntpd is disabled in this case + options.conf_ntp = False + except ipaclient.ntpconf.NTPConfigurationError: + pass + if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master: root_logger.error("One of password and principal are required.") return CLIENT_INSTALL_ERROR @@ -1884,6 +1908,9 @@ def install(options, env, fstore, statestore): "/etc/ldap.conf failed: %s", str(e)) if options.conf_ntp and not options.on_master: + # disable other time&date services first + if options.force_ntpd: + ipaclient.ntpconf.force_ntpd(statestore) if options.ntp_server: ntp_server = options.ntp_server else: diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py index 6e4173145..eb9afdeee 100644 --- a/ipa-client/ipaclient/ntpconf.py +++ b/ipa-client/ipaclient/ntpconf.py @@ -21,6 +21,7 @@ from ipapython import ipautil from ipapython import services as ipaservices import shutil import os +import sys ntp_conf = """# Permit time synchronization with our time source, but do not # permit the source to query or modify the service on this system. 
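Review bot: The conflict warning added near the top of `install` is emitted with `print` only, so an unattended run leaves nothing in the install log showing that ntpd configuration was skipped. Kerberos authentication depends on the client and KDC clocks agreeing, so this decision should also be logged, e.g. `root_logger.warning("ntpd not configured: conflicting service %s is enabled", e.conflicting_service)`. The `except ipaclient.ntpconf.NTPConfigurationError: pass` branch discards the error silently; nothing visible raises the base class today, but if the branch is kept it should at least log at debug level. Setting `options.conf_ntp = False` here also hides the reason from the later `if options.conf_ntp` block, which starts outside this hunk.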
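Review bot: The `import sys` added at the top of ntpconf.py does not appear to be used by any of the code this commit adds to the file. Unless a use exists outside the visible hunks, drop the import so the module's dependencies reflect what it actually needs.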
@@ -154,3 +155,70 @@ def synconce_ntp(server_fqdn): except: pass return False + +class NTPConfigurationError(Exception): + pass + +class NTPConflictingService(NTPConfigurationError): + def __init__(self, message='', conflicting_service=None): + super(NTPConflictingService, self).__init__(self, message) + self.conflicting_service = conflicting_service + +def check_timedate_services(): + """ + System may contain conflicting services used for time&date synchronization. + As IPA server/client supports only ntpd, make sure that other services are + not enabled to prevent conflicts. For example when both chronyd and ntpd + are enabled, systemd would always start only chronyd to manage system + time&date which would make IPA configuration of ntpd ineffective. + + Reference links: + https://fedorahosted.org/freeipa/ticket/2974 + http://fedoraproject.org/wiki/Features/ChronyDefaultNTP + """ + for service in ipaservices.timedate_services: + if service == 'ntpd': + continue + # Make sure that the service is not enabled + service = ipaservices.service(service) + if service.is_enabled() or service.is_running(): + raise NTPConflictingService(conflicting_service=service.service_name) + +def force_ntpd(statestore): + """ + Force ntpd configuration and disable and stop any other conflicting + time&date service + """ + for service in ipaservices.timedate_services: + if service == 'ntpd': + continue + service = ipaservices.service(service) + enabled = service.is_enabled() + running = service.is_running() + + if enabled or running: + statestore.backup_state(service.service_name, 'enabled', enabled) + statestore.backup_state(service.service_name, 'running', running) + + if running: + service.stop() + + if enabled: + service.disable() + +def restore_forced_ntpd(statestore): + """ + Restore from --force-ntpd installation and enable/start service that were + disabled/stopped during installation + """ + for service in ipaservices.timedate_services: + if service == 'ntpd': + continue + if 
statestore.has_state(service): + service = ipaservices.service(service) + enabled = statestore.restore_state(service.service_name, 'enabled') + running = statestore.restore_state(service.service_name, 'running') + if enabled: + service.enable() + if running: + service.start() diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 382d4872f..abd74666e 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -71,6 +71,9 @@ Configure ntpd to use this NTP server. \fB\-N\fR, \fB\-\-no\-ntp\fR Do not configure or enable NTP. .TP +\fB\-\-force\-ntpd\fR +Stop and disable any time&date synchronization services besides ntpd. +.TP \fB\-\-ssh\-trust\-dns\fR Configure OpenSSH client to trust DNS SSHFP records. .TP |
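Review bot: `NTPConflictingService.__init__` passes `self` twice to the base constructor, so the exception's args become `(self, message)` rather than the message; it should read `super(NTPConflictingService, self).__init__(message)`. In `restore_forced_ntpd`, `statestore.has_state(service)` is queried with the bare name from `ipaservices.timedate_services`, while `force_ntpd` stored the state under `service.service_name`. If those two strings ever differ, a service stopped by `--force-ntpd` is never re-enabled on uninstall, so build the wrapper first and test `statestore.has_state(service.service_name)`. Neither function handles a failing `stop()`, `disable()`, `enable()` or `start()`, which presumably propagates into the installer; a docstring line stating whether that is intended would help callers.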