summaryrefslogtreecommitdiffstats
path: root/ipapython/platform
Commit message (Collapse)AuthorAgeFilesLines
* Manage ipa-otpd.socket by IPATomas Babej2013-06-061-0/+1
| | | | | | | | Adds a new simple service called OtpdInstance, that manages ipa-otpd.socket service. Added to server/replica installer and ipa-upgradeconfig script. https://fedorahosted.org/freeipa/ticket/3680
* Remove code to install Dogtag 9Petr Viktorin2013-05-311-4/+0
| | | | | | | | | Since we depend on Dogtag 10 now, there is no need to keep code that installs a Dogtag 9 CA. Support for upgraded Dogtag-9-style instances is left in. https://fedorahosted.org/freeipa/ticket/3529
* Process exceptions when talking to DogtagAlexander Bokovoy2013-03-211-1/+4
| | | | | | | | | | The problem is the ca_status() uses an HTTP GET operation to check Dogtag's status. Under some circumstances Dogtag may take a long time to respond, so the HTTP GET may time out much earlier than 2 minutes. And since the above code doesn't catch the exception, the whole loop fails immediately, so it doesn't wait for a full 2 minutes as expected. https://fedorahosted.org/freeipa/ticket/3492
* convert the base platform modules into packagesTimo Aaltonen2013-01-149-177/+267
|
* Stop and disable conflicting time&date servicesMartin Kosek2012-12-074-5/+18
| | | | | | | | | | | | | | | | | | | | Fedora 16 introduced chrony as default client time&date synchronization service: http://fedoraproject.org/wiki/Features/ChronyDefaultNTP Thus, there may be people already using chrony as their time and date synchronization service before installing IPA. However, installing IPA server or client on such machine may lead to unexpected behavior, as the IPA installer would configure ntpd and leave the machine with both ntpd and chronyd enabled. However, since the OS does not allow both chronyd and ntpd to be running concurrently and chronyd has the precedence, ntpd would not be run on that system at all. Make sure, that user is warned when trying to install IPA on such system and is given a possibility to either not to let IPA configure ntpd at all or to let the installer stop and disable chronyd. https://fedorahosted.org/freeipa/ticket/2974
* Only update the list of running services in the installer or ipactl.Rob Crittenden2012-12-052-4/+17
| | | | | | | | The file is only present in the case of a server installation. It should only be touched by the server installer and ipactl. https://fedorahosted.org/freeipa/ticket/3277
* Change network configuration fileMartin Kosek2012-12-053-2/+126
| | | | | | | | | | | Fedora+systemd changed deprecated /etc/sysconfig/network which was used by IPA to store static hostname for the IPA machine. See https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. Change Fedora platform files to store the hostname to /etc/hostname instead. https://fedorahosted.org/freeipa/ticket/3279
* Save service name on service startup/shutdownSimo Sorce2012-11-013-0/+46
| | | | | | | | This is done as a default action of the ancestor class so that no matter what platform is currently used this code is always the same and the name is the wellknown service name. This information will be used by ipactl to stop only and all the services that have been started by any ipa tool/install script
* Revert "Save service name on service startup"Simo Sorce2012-11-013-25/+0
| | | | | | | This reverts commit 1ef651e7f9f5f940051dc470385aa08eefcd60af. This was an olde version of the patch, next commit will put in the acked version.
* Save service name on service startupSimo Sorce2012-11-013-0/+25
| | | | | | | | This is done as a default action of the ancestor class so that no matter what platform is currently used this code is always the same and the name is the wellknown service name. This information will be used by ipacl to stop only and all the services that have been started by any ipa tool/install script
* Preserve original service_name in servicesSimo Sorce2012-11-012-15/+16
| | | | | | | | | This is needed to be able to reference stuff always wth the same name. The platform specific private name must be kept in a platform specific variable. In the case of systemd we store it in systemd_name For the redhat platform wellknown names and service name are the same so currently no special name is needed.
* Make sure the CA is running when starting servicesPetr Viktorin2012-10-231-2/+49
| | | | | | | | | | | | | | | | - Provide a function for determinig the CA status using Dogtag 10's new getStatus endpoint. This must be done over HTTPS, but since our client certificate may not be set up yet, we need HTTPS without client authentication. Rather than copying from the existing http_request and https_request function, shared code is factored out to a common helper. - Call the new function when restarting the CA service. Since our Service can only be extended in platform-specific code, do this for Fedora only. Also, the status is only checked with Dogtag 10+. - When a restart call in cainstance failed, users were refered to the installation log, but no info was actually logged. Log the exception. https://fedorahosted.org/freeipa/ticket/3084
* Add fallback for httpd restarts on sysV platformsMartin Kosek2012-10-181-0/+17
| | | | | | | | | | | | httpd init script on sysV based platforms cannot guarantee that two consecutive httpd service restarts succeed when run in a small time distance. Add fallback procedure that adds additional waiting time after such failed restart attempt, and then try to stop and start the service again. https://fedorahosted.org/freeipa/ticket/2965
* Wait for secure Dogtag ports when starting the pki servicesPetr Viktorin2012-10-031-4/+4
| | | | | | | | Dogtag opens not only the insecure port (8080 or 9180, for d10 and d9 respectively), but also secure ports (8443 or 9443&9444). Wait for them when starting. Part of the fix for https://fedorahosted.org/freeipa/ticket/3084
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-171-1/+1
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Modifications to install scripts for dogtag 10Ade Lee2012-09-173-6/+12
| | | | | | | Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846
* Create /etc/sysconfig/network if it doesn't existPetr Viktorin2012-08-031-3/+13
| | | | | | | | | | When the --hostname option is given to ipa-client-install, we write HOSTNAME to /etc/sysconfig/network. When that file didn't exist, the installer crashed. Create the file if it doesn't exist and we need to write to it. https://fedorahosted.org/freeipa/ticket/2840
* Use certmonger to renew CA subsystem certificatesRob Crittenden2012-07-302-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Certificate renewal can be done only one one CA as the certificates need to be shared amongst them. certmonger has been trained to communicate directly with dogtag to perform the renewals. The initial CA installation is the defacto certificate renewal master. A copy of the certificate is stored in the IPA LDAP tree in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the certificate, when a certificate is renewed. Only the most current certificate is stored. It is valid to have no certificates there, it means that no renewals have taken place. The clones are configured with a new certmonger CA type that polls this location in the IPA tree looking for an updated certificate. If one is not found then certmonger is put into the CA_WORKING state and will poll every 8 hours until an updated certificate is available. The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case. When this certificate is updated we also need to update its entry in the dogtag tree, adding the updated certificate and telling dogtag which certificate to use. This is the certificate that lets IPA issue certificates. On upgrades we check to see if the certificate tracking is already in place. If not then we need to determine if this is the master that will do the renewals or not. This decision is made based on whether it was the first master installed. It is concievable that this master is no longer available meaning that none are actually tracking renewal. We will need to document this. https://fedorahosted.org/freeipa/ticket/2803
* Centralize timeout for waiting for servers to start.Rob Crittenden2012-07-024-26/+79
| | | | | | | | | | | | | All service start/restart currently go through ipapython/platform so move the "wait for service to start" code there as well. A dictionary of known services and ports to wait on is defined in base.py This is referenced by the platforms by instance name to determine what to wait for. For the case of dirsrv if we get that as a plain name (no specific instance) it is assumed to be the main IPA service. https://fedorahosted.org/freeipa/ticket/2375 https://fedorahosted.org/freeipa/ticket/2610
* Configure automount using autofs or sssd.Rob Crittenden2012-06-252-1/+6
| | | | | | | | | | | This script edits nsswitch.conf to use either ldap (autofs) or sss (sssd) to find automount maps. NFSv4 services are started so Kerberos encryption and/or integrity can be used on the maps. https://fedorahosted.org/freeipa/ticket/1233 https://fedorahosted.org/freeipa/ticket/2193
* If SELinux is enabled ensure we also have restorecon.Rob Crittenden2012-05-312-38/+93
| | | | | | | | | | | | We don't have a specific requires on the policycoreutils package. It gets pulled in as a dependency on the server anyway, but checking there is like a belt and suspenders. On the client we don't require SELinux at all. If SELinux is enabled however we need to set things up properly. This is provided by the policycoreutils package so fail if that isn't available. https://fedorahosted.org/freeipa/ticket/2368
* Don't run restorecon if SELinux is disabled or not present.Rob Crittenden2012-02-271-1/+12
| | | | | | | Also check for the existence of restorecon. This may be overkill but it will prevent a client installation from failing for no good reason. https://fedorahosted.org/freeipa/ticket/2368
* Add SSH service to platform-specific services.Jan Cholasta2012-02-133-4/+23
| | | | | | | | Add method for getting configuration directory path of a service, so that a different SSH configuration directory can be specified on different platforms. https://fedorahosted.org/freeipa/ticket/754
* Handle upgrade issues with systemd in Fedora 16 and aboveAlexander Bokovoy2012-02-082-21/+17
| | | | | | | | | | | | Since 389-ds-base-1.2.10-0.8.a7 Directory Server's systemd settings are configured via /etc/sysconfig/dirsrv.systemd. It means logic change in systemd/fedora16 platform of FreeIPA. Additionally, existing installs need to be handled during upgrade. Fixes: https://fedorahosted.org/freeipa/ticket/2117 https://fedorahosted.org/freeipa/ticket/2300
* Add support for systemd environments and use it to support Fedora 16Alexander Bokovoy2011-10-244-12/+339
| | | | https://fedorahosted.org/freeipa/ticket/1192
* Save the value of hostname even if it doesn't appear in /etc/sysconfig/networkRob Crittenden2011-10-131-1/+4
| | | | https://fedorahosted.org/freeipa/ticket/1871
* Refactor backup_and_replace_hostname() into a flexible config modification toolAlexander Bokovoy2011-10-111-40/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | backup_and_replace_hostname() was doing three things: 1. Given config file in 'key=value' style, replace value for a specified key (HOSTNAME) 2. Backup original file and install a replacement 3. Restore original security context after editing We have several more places where parts of the functionality are needed, thus making two tools in ipapython.ipautil: 1. config_replace_variables(filepath, replacevars=dict(), appendvars=dict()) Replaces or appends values to specified keys, adding new key=value pairs if key was absent 2. backup_config_and_replace_variables(fstore, filepath, replacevars=dict(), appendvars=dict()) Backups config file and calls config_replace_variables() A caller must handle security context after using these two tools. In addition, as before, there is ipapython.services.backup_and_replace_hostname() that uses these common tools and restores security context after editing. The code will be used extensively for systemd integration for Fedora 16. Fixes: https://fedorahosted.org/freeipa/ticket/1871
* The return value of restorecon is not reliable, ignore it.Rob Crittenden2011-09-201-3/+7
| | | | https://fedorahosted.org/freeipa/ticket/1816
* Introduce platform-specific adaptation for services used by FreeIPA.Alexander Bokovoy2011-09-133-0/+349
Refactor FreeIPA code to allow abstracting all calls to external processes and dependencies on modification of system-wide configuration. A platform provider would give its own implementation of those methods and FreeIPA would use it based on what's built in packaging process. https://fedorahosted.org/freeipa/ticket/1605
generated by cgit (git 2.34.1) at 2024-05-26 03:49:53 +0000