From e5e42fc83ae74f0e0c68e68417a39fe6f2f2ae63 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 17 Jun 2014 11:45:43 +0200 Subject: ipaplatform: Move paths from installers to paths module Part of: https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin --- .../certmonger/dogtag-ipa-ca-renew-agent-submit | 7 +- install/tools/ipa-adtrust-install | 7 +- install/tools/ipa-ca-install | 7 +- install/tools/ipa-compat-manage | 3 +- install/tools/ipa-dns-install | 5 +- install/tools/ipa-nis-manage | 3 +- install/tools/ipa-replica-conncheck | 9 +- install/tools/ipa-replica-install | 21 ++-- install/tools/ipa-replica-manage | 3 +- install/tools/ipa-server-install | 29 ++--- install/tools/ipa-upgradeconfig | 47 ++++---- ipa-client/ipa-install/ipa-client-automount | 25 ++-- ipa-client/ipa-install/ipa-client-install | 132 ++++++++++----------- ipaplatform/base/paths.py | 47 +++++++- ipaserver/install/ipa_backup.py | 2 +- 15 files changed, 199 insertions(+), 148 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 57eb4e584..2777c24de 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -35,6 +35,7 @@ import contextlib from ipapython import ipautil from ipapython.dn import DN from ipalib import api, errors, pkcs10, x509 +from ipaplatform.paths import paths from ipaserver.plugins.ldap2 import ldap2 from ipaserver.install import cainstance, certs @@ -58,7 +59,7 @@ def ldap_connect(): tmpdir = tempfile.mkdtemp(prefix="tmp-") try: principal = str('host/%s@%s' % (api.env.host, api.env.realm)) - ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, + ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal) conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri) 
@@ -77,7 +78,7 @@ def request_cert(): syslog.syslog(syslog.LOG_NOTICE, "Forwarding request to dogtag-ipa-renew-agent") - path = '/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit' + path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT args = [path] + sys.argv[1:] stdout, stderr, rc = ipautil.run(args, raiseonerr=False, env=os.environ) sys.stderr.write(stderr) @@ -261,7 +262,7 @@ def export_csr(): if not cert: return (REJECTED, "New certificate requests not supported") - csr_file = '/var/lib/ipa/ca.csr' + csr_file = paths.IPA_CA_CSR try: with open(csr_file, 'wb') as f: f.write(csr) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 9b54abdaa..7b616c1b6 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -29,10 +29,11 @@ from ipapython import ipautil, sysrestore from ipalib import api, errors, util from ipapython.config import IPAOptionParser import krbV +from ipaplatform.paths import paths from ipapython.ipa_log_manager import * from ipapython.dn import DN -log_file_name = "/var/log/ipaserver-install.log" +log_file_name = paths.IPASERVER_INSTALL_LOG def parse_options(): parser = IPAOptionParser(version=version.VERSION) @@ -222,7 +223,7 @@ def main(): check_server_configuration() global fstore - fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + fstore = sysrestore.FileStore(paths.SYSRESTORE) print "==============================================================================" print "This program will setup components needed to establish trust to AD domains for" @@ -276,7 +277,7 @@ def main(): allow_empty = False): sys.exit("Aborting installation.") - elif os.path.exists('/etc/samba/smb.conf'): + elif os.path.exists(paths.SMB_CONF): print("WARNING: The smb.conf already exists. Running " "ipa-adtrust-install will break your existing samba " "configuration.\n\n") diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 01f7b790e..3c9307edf 100755 
--- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -40,8 +40,9 @@ from ipapython import sysrestore from ipapython import dogtag from ipapython.ipa_log_manager import * from ipaplatform import services +from ipaplatform.paths import paths -log_file_name = "/var/log/ipareplica-ca-install.log" +log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG REPLICA_INFO_TOP_DIR = None def parse_options(): @@ -105,7 +106,7 @@ def main(): sys.exit("Replica file %s does not exist" % filename) global sstore - sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore') + sstore = sysrestore.StateFile(paths.SYSRESTORE) if not dsinstance.DsInstance().is_configured(): sys.exit("IPA server is not configured on this system.\n") @@ -194,7 +195,7 @@ def main(): #update dogtag version in config file try: - fd = open("/etc/ipa/default.conf", "a") + fd = open(paths.IPA_DEFAULT_CONF, "a") fd.write( "dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION) fd.close() diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage index 3cd75e22d..23b528f83 100755 --- a/install/tools/ipa-compat-manage +++ b/install/tools/ipa-compat-manage @@ -20,6 +20,7 @@ # import sys +from ipaplatform.paths import paths try: from optparse import OptionParser from ipapython import ipautil, config @@ -80,7 +81,7 @@ def get_entry(dn, conn): def main(): retval = 0 - files = ['/usr/share/ipa/schema_compat.uldif'] + files = [paths.SCHEMA_COMPAT_ULDIF] options, args = parse_options() diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 78acc2d9b..5e191974b 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install 
@@ -29,10 +29,11 @@ from ipaserver.install import installutils from ipapython import version from ipapython import ipautil, sysrestore from ipalib import api, errors, util +from ipaplatform.paths import paths from ipapython.config import IPAOptionParser from ipapython.ipa_log_manager import standard_logging_setup, root_logger -log_file_name = "/var/log/ipaserver-install.log" +log_file_name = paths.IPASERVER_INSTALL_LOG def parse_options(): parser = IPAOptionParser(version=version.VERSION) @@ -85,7 +86,7 @@ def main(): installutils.check_server_configuration() global fstore - fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + fstore = sysrestore.FileStore(paths.SYSRESTORE) print "==============================================================================" print "This program will setup DNS for the FreeIPA Server." diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage index ad2cd6d0d..b412bb0f5 100755 --- a/install/tools/ipa-nis-manage +++ b/install/tools/ipa-nis-manage @@ -21,6 +21,7 @@ import sys import os +from ipaplatform.paths import paths try: from optparse import OptionParser from ipapython import ipautil, config @@ -82,7 +83,7 @@ def get_entry(dn, conn): def main(): retval = 0 - files = ['/usr/share/ipa/nis.uldif'] + files = [paths.NIS_ULDIF] servicemsg = "" if os.getegid() != 0: diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index eafd37256..88e42bafb 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -37,11 +37,12 @@ import threading import errno from socket import SOCK_STREAM, SOCK_DGRAM import distutils.spawn +from ipaplatform.paths import paths CONNECT_TIMEOUT = 5 RESPONDERS = [ ] QUIET = False -CCACHE_FILE = "/etc/ipa/.conncheck_ccache" +CCACHE_FILE = paths.CONNCHECK_CCACHE KRB5_CONFIG = None class SshExec(object): 
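Review bot: `CCACHE_FILE` in ipa-replica-conncheck still names one fixed credential-cache file, and the assignment has no comment saying what ends up in it. The later hunks in this file pass it as `KRB5CCNAME` to the `kinit` run for `principal`, so it holds a live TGT; I would add `# Kerberos ccache used by main(); holds a TGT, keep it root-only and remove it on exit` above the assignment. Whether the file is removed on every exit path is not visible in these hunks and is worth confirming while the path is being centralised.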
@@ -168,7 +169,7 @@ def logging_setup(options): log_file = None if os.getegid() == 0: - log_file = "/var/log/ipareplica-conncheck.log" + log_file = paths.IPAREPLICA_CONNCHECK_LOG standard_logging_setup(log_file, debug=options.debug) @@ -372,7 +373,7 @@ def main(): stderr='' - (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', principal], + (stdout, stderr, returncode) = ipautil.run([paths.KINIT, principal], env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE}, stdin=password, raiseonerr=False) if returncode != 0: @@ -380,7 +381,7 @@ def main(): # Verify kinit was actually successful stderr='' - (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kvno', + (stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO, 'host/%s' % options.master], env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE}, raiseonerr=False) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 7658dfa66..5bfd61ee6 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -52,8 +52,9 @@ from ipapython.dn import DN import ipaclient.ntpconf from ipaplatform.tasks import tasks from ipaplatform import services +from ipaplatform.paths import paths -log_file_name = "/var/log/ipareplica-install.log" +log_file_name = paths.IPAREPLICA_INSTALL_LOG REPLICA_INFO_TOP_DIR = None DIRMAN_DN = DN(('cn', 'directory manager')) 
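Review bot: The two binaries run in main() get differently shaped names, `paths.KINIT` for /usr/bin/kinit and `paths.BIN_KVNO` for /usr/bin/kvno, in adjacent calls. The same split appears in the ipa-client-install uninstall() hunk, where `paths.SBIN_IPA_JOIN` sits next to `paths.IPA_RMKEYTAB` although both replace /usr/sbin literals. Picking one scheme (always or never encoding the directory in the name) would make it easier to audit that every executable handed to `ipautil.run` is an absolute path. main() starts and ends outside these hunks.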
@@ -236,15 +237,15 @@ def install_http(config, auto_redirect): try: if ipautil.file_exists(config.dir + "/preferences.html"): shutil.copy(config.dir + "/preferences.html", - "/usr/share/ipa/html/preferences.html") + paths.PREFERENCES_HTML) if ipautil.file_exists(config.dir + "/configure.jar"): shutil.copy(config.dir + "/configure.jar", - "/usr/share/ipa/html/configure.jar") + paths.CONFIGURE_JAR) if ipautil.file_exists(config.dir + "/krb.js"): shutil.copy(config.dir + "/krb.js", - "/usr/share/ipa/html/krb.js") + paths.KRB_JS) shutil.copy(config.dir + "/kerberosauth.xpi", - "/usr/share/ipa/html/kerberosauth.xpi") + paths.KERBEROSAUTH_XPI) except Exception, e: print "error copying files: " + str(e) sys.exit(1) @@ -461,17 +462,17 @@ def main(): if not ipautil.file_exists(filename): sys.exit("Replica file %s does not exist" % filename) - client_fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore') + client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) if client_fstore.has_files(): sys.exit("IPA client is already configured on this system.\n" + "Please uninstall it first before configuring the replica, " + "using 'ipa-client-install --uninstall'.") global sstore - sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore') + sstore = sysrestore.StateFile(paths.SYSRESTORE) global fstore - fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + fstore = sysrestore.FileStore(paths.SYSRESTORE) # check the bind is installed if options.setup_dns: @@ -559,7 +560,7 @@ def main(): # Note: We must do this before bootstraping and finalizing ipalib.api old_umask = os.umask(022) # must be readable for httpd try: - fd = open("/etc/ipa/default.conf", "w") + fd = open(paths.IPA_DEFAULT_CONF, "w") fd.write("[global]\n") fd.write("host=%s\n" % config.host_name) fd.write("basedn=%s\n" % str(ipautil.realm_to_suffix(config.realm_name))) 
@@ -728,7 +729,7 @@ def main(): # Call client install script try: - args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name] + args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name] if not options.create_sshfp: args.append("--no-dns-sshfp") if options.trust_sshfp: diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index ee7aef881..d468850e5 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -38,6 +38,7 @@ from ipapython.dn import DN from ipapython.config import IPAOptionParser from ipaclient import ipadiscovery from xmlrpclib import MAXINT +from ipaplatform.paths import paths # dict of command name and tuples of min/max num of args needed commands = { @@ -1144,7 +1145,7 @@ def set_DNA_range(hostname, range, realm, dirman_passwd, next_range=False, def main(): if os.getegid() == 0: installutils.check_server_configuration() - elif not os.path.exists('/etc/ipa/default.conf'): + elif not os.path.exists(paths.IPA_DEFAULT_CONF): sys.exit("IPA is not configured on this system.") options, args = parse_options() diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index e3b7d5555..671a226d6 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -79,6 +79,7 @@ from ipapython.dn import DN import ipaclient.ntpconf from ipaplatform.tasks import tasks from ipaplatform import services +from ipaplatform.paths import paths uninstalling = False installation_cleanup = True 
@@ -91,7 +92,7 @@ VALID_SUBJECT_ATTRS = ['st', 'o', 'ou', 'dnqualifier', 'c', 'incorporationlocality', 'incorporationstate', 'incorporationcountry', 'businesscategory'] -SYSRESTORE_DIR_PATH = '/var/lib/ipa/sysrestore' +SYSRESTORE_DIR_PATH = paths.SYSRESTORE def subject_callback(option, opt_str, value, parser): """ @@ -335,7 +336,7 @@ def signal_handler(signum, frame): dsinstance.erase_ds_instance_data (ds.serverid) sys.exit(1) -ANSWER_CACHE = "/root/.ipa_cache" +ANSWER_CACHE = paths.ROOT_IPA_CACHE def read_cache(dm_password): """ @@ -469,7 +470,7 @@ def uninstall(): print "Shutting down all IPA services" try: - (stdout, stderr, rc) = run(["/usr/sbin/ipactl", "stop"], raiseonerr=False) + (stdout, stderr, rc) = run([paths.IPACTL, "stop"], raiseonerr=False) except Exception, e: pass @@ -478,7 +479,7 @@ def uninstall(): print "Removing IPA client configuration" try: - (stdout, stderr, rc) = run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"], raiseonerr=False) + (stdout, stderr, rc) = run([paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--uninstall"], raiseonerr=False) if rc not in [0,2]: root_logger.debug("ipa-client-install returned %d" % rc) raise RuntimeError(stdout) @@ -588,10 +589,10 @@ def main(): if options.uninstall: uninstalling = True - standard_logging_setup("/var/log/ipaserver-uninstall.log", debug=options.debug) + standard_logging_setup(paths.IPASERVER_UNINSTALL_LOG, debug=options.debug) installation_cleanup = False else: - standard_logging_setup("/var/log/ipaserver-install.log", debug=options.debug) + standard_logging_setup(paths.IPASERVER_INSTALL_LOG, debug=options.debug) print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" if not options.external_ca and not options.external_cert_file and is_ipa_configured(): installation_cleanup = False 
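Review bot: The message printed right after the converted `standard_logging_setup` call in main() still contains the literal /var/log/ipaserver-install.log, so it names the wrong file on any platform that overrides `paths.IPASERVER_INSTALL_LOG`. It should be built from the constant: `print "\nThe log file for this installation can be found in %s" % paths.IPASERVER_INSTALL_LOG`. The same leftover is in the ipa-client-install uninstall() hunks, where the messages naming /etc/pki/nssdb, /etc/krb5.keytab, /etc/sssd/sssd.conf and /etc/ipa/default.conf sit next to calls that now use `paths.NSS_DB_DIR`, `paths.KRB5_KEYTAB`, `paths.SSSD_CONF` and `paths.IPA_DEFAULT_CONF`. Log lines that name a different file than the one acted on make install and uninstall failures harder to trace.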
@@ -599,7 +600,7 @@ def main(): "If you want to reinstall the IPA server, please uninstall " + "it first using 'ipa-server-install --uninstall'.") - client_fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore') + client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) if client_fstore.has_files(): installation_cleanup = False sys.exit("IPA client is already configured on this system.\n" + @@ -1001,7 +1002,7 @@ def main(): installation_cleanup = False # Create the management framework config file and finalize api - target_fname = '/etc/ipa/default.conf' + target_fname = paths.IPA_DEFAULT_CONF fd = open(target_fname, "w") fd.write("[global]\n") fd.write("host=%s\n" % host_name) @@ -1093,7 +1094,7 @@ def main(): options.reverse_zone = reverse_zone write_cache(vars(options)) ca.configure_instance(host_name, domain_name, dm_password, - dm_password, csr_file="/root/ipa.csr", + dm_password, csr_file=paths.ROOT_IPA_CSR, subject_base=options.subject) else: # stage 2 of external CA installation @@ -1157,7 +1158,7 @@ def main(): http.create_instance( realm_name, host_name, domain_name, dm_password, subject_base=options.subject, auto_redirect=options.ui_redirect) - tasks.restore_context("/var/cache/ipa/sessions") + tasks.restore_context(paths.CACHE_IPA_SESSIONS) set_subject_in_config(realm_name, dm_password, ipautil.realm_to_suffix(realm_name), options.subject) @@ -1201,7 +1202,7 @@ def main(): # Call client install script try: - args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name] + args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name] if not options.create_sshfp: args.append("--no-dns-sshfp") if options.trust_sshfp: 
@@ -1267,9 +1268,9 @@ if __name__ == '__main__': # out from all install scripts safe_options, options = parse_options() if options.uninstall: - log_file_name = "/var/log/ipaserver-uninstall.log" + log_file_name = paths.IPASERVER_UNINSTALL_LOG else: - log_file_name = "/var/log/ipaserver-install.log" + log_file_name = paths.IPASERVER_INSTALL_LOG # Use private ccache with private_ccache(): @@ -1282,6 +1283,6 @@ if __name__ == '__main__': # Do a cautious clean up as we don't know what failed and what is # the state of the environment try: - fstore.restore_file('/etc/hosts') + fstore.restore_file(paths.HOSTS) except: pass diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 688e17872..622c92d75 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -42,6 +42,7 @@ from ipapython.config import IPAOptionParser from ipapython.ipa_log_manager import * from ipapython import certmonger from ipapython import dogtag +from ipaplatform.paths import paths from ipaserver.install import installutils from ipaserver.install import dsinstance from ipaserver.install import httpinstance @@ -114,7 +115,7 @@ def update_conf(sub_dict, filename, template_filename): def find_hostname(): """Find the hostname currently configured in ipa-rewrite.conf""" - filename="/etc/httpd/conf.d/ipa-rewrite.conf" + filename=paths.HTTPD_IPA_REWRITE_CONF if not ipautil.file_exists(filename): return None @@ -137,7 +138,7 @@ def find_autoredirect(fqdn): Returns True if autoredirect is enabled, False otherwise """ - filename = '/etc/httpd/conf.d/ipa-rewrite.conf' + filename = paths.HTTPD_IPA_REWRITE_CONF if os.path.exists(filename): pattern = "^RewriteRule \^/\$ https://%s/ipa/ui \[L,NC,R=301\]" % fqdn p = re.compile(pattern) 
@@ -200,12 +201,12 @@ def upgrade(sub_dict, filename, template, add=False): def check_certs(): """Check ca.crt is in the right place, and try to fix if not""" root_logger.info('[Verifying that root certificate is published]') - if not os.path.exists("/usr/share/ipa/html/ca.crt"): - ca_file = "/etc/httpd/alias/cacert.asc" + if not os.path.exists(paths.CA_CRT): + ca_file = paths.ALIAS_CACERT_ASC if os.path.exists(ca_file): old_umask = os.umask(022) # make sure its readable by httpd try: - shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt") + shutil.copyfile(ca_file, paths.CA_CRT) finally: os.umask(old_umask) else: @@ -231,14 +232,14 @@ def upgrade_pki(ca, fstore): http.enable_mod_nss_renegotiate() if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \ - os.path.exists('/usr/bin/pki-setup-proxy'): - ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib' + os.path.exists(paths.PKI_SETUP_PROXY): + ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' ,'-pki_instance_name=pki-ca','-subsystem_type=ca']) root_logger.debug('Proxy configuration updated') else: root_logger.debug('Proxy configuration up-to-date') -def update_dbmodules(realm, filename="/etc/krb5.conf"): +def update_dbmodules(realm, filename=paths.KRB5_CONF): newfile = [] found_dbrealm = False found_realm = False @@ -287,7 +288,7 @@ def cleanup_kdc(fstore): """ root_logger.info('[Checking for deprecated KDC configuration files]') for file in ['kpasswd.keytab', 'ldappwd']: - filename = '/var/kerberos/krb5kdc/%s' % file + filename = os.path.join(paths.VAR_KERBEROS_KRB5KDC_DIR, file) installutils.remove_file(filename) if fstore.has_file(filename): fstore.untrack_file(filename) 
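Review bot: In upgrade_pki() the argument `'-pki_instance_root=/var/lib'` keeps a hard-coded directory while the executable beside it moves to `paths.PKI_SETUP_PROXY`. If the aim is that a platform module can relocate these trees, the argument should be formatted from a paths constant as well (whichever one paths.py defines for that directory; the file is not visible here). In the same hunk, the default `filename=paths.KRB5_CONF` of update_dbmodules() is bound once at import time, which is fine only as long as `paths` is never replaced after the module is loaded.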
@@ -301,7 +302,7 @@ def cleanup_adtrust(fstore): root_logger.info('[Checking for deprecated backups of Samba ' 'configuration files]') - for backed_up_file in ['/etc/samba/smb.conf']: + for backed_up_file in [paths.SMB_CONF]: if fstore.has_file(backed_up_file): fstore.untrack_file(backed_up_file) root_logger.debug('Removing %s from backup', backed_up_file) @@ -540,7 +541,7 @@ def named_update_gssapi_configuration(): bindinstance.NAMED_SECTION_OPTIONS) bindinstance.named_conf_set_directive('tkey-domain', None, bindinstance.NAMED_SECTION_OPTIONS) - bindinstance.named_conf_set_directive('tkey-gssapi-keytab', '/etc/named.keytab', + bindinstance.named_conf_set_directive('tkey-gssapi-keytab', paths.NAMED_KEYTAB, bindinstance.NAMED_SECTION_OPTIONS) except IOError, e: root_logger.error('Cannot update GSSAPI configuration in %s: %s', @@ -581,7 +582,7 @@ def named_update_pid_file(): return False try: - bindinstance.named_conf_set_directive('pid-file', '/run/named/named.pid', + bindinstance.named_conf_set_directive('pid-file', paths.NAMED_PID, bindinstance.NAMED_SECTION_OPTIONS) except IOError, e: root_logger.error('Cannot update pid-file configuration in %s: %s', @@ -625,7 +626,7 @@ def certificate_renewal_update(ca): 'renew_ca_cert', ), ( - '/etc/httpd/alias', + paths.HTTPD_ALIAS_DIR, 'ipaCert', 'dogtag-ipa-ca-renew-agent', None, @@ -686,7 +687,7 @@ def certificate_renewal_update(ca): if not sysupgrade.get_upgrade_state('dogtag', 'certificate_renewal_update_1'): - filename = '/var/lib/certmonger/cas/ca_renewal' + filename = paths.CERTMONGER_CAS_CA_RENEWAL if os.path.exists(filename): with installutils.stopped_service('certmonger'): root_logger.info("Removing %s" % filename) 
@@ -916,10 +917,10 @@ def uninstall_selfsign(ds, http): root_logger.warning( 'Removing self-signed CA. Certificates will need to managed manually.') p = ConfigParser.SafeConfigParser() - p.read('/etc/ipa/default.conf') + p.read(paths.IPA_DEFAULT_CONF) p.set('global', 'enable_ra', 'False') p.set('global', 'ra_plugin', 'none') - with open('/etc/ipa/default.conf', 'w') as f: + with open(paths.IPA_DEFAULT_CONF, 'w') as f: p.write(f) ds.stop_tracking_certificates() @@ -994,7 +995,7 @@ def set_sssd_domain_option(option, value): domain = sssdconfig.get_domain(str(api.env.domain)) domain.set_option(option, value) sssdconfig.save_domain(domain) - sssdconfig.write("/etc/sssd/sssd.conf") + sssdconfig.write(paths.SSSD_CONF) def main(): @@ -1018,12 +1019,12 @@ def main(): else: console_format = '%(message)s' - standard_logging_setup('/var/log/ipaupgrade.log', debug=options.debug, + standard_logging_setup(paths.IPAUPGRADE_LOG, debug=options.debug, verbose=verbose, console_format=console_format, filemode='a') root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) root_logger.debug('IPA version %s' % version.VENDOR_VERSION) - fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + fstore = sysrestore.FileStore(paths.SYSRESTORE) api.bootstrap(context='restart', in_server=True) api.finalize() 
@@ -1066,9 +1067,9 @@ def main(): certmap_dir = dsinstance.config_dirname( dsinstance.realm_to_serverid(api.env.realm)) - upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf") - upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf") - upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) + upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf") + upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf") + upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) if subject_base: upgrade( sub_dict, @@ -1079,7 +1080,7 @@ def main(): update_dbmodules(api.env.realm) uninstall_ipa_kpasswd() - removed_sysconfig_file = '/etc/sysconfig/httpd' + removed_sysconfig_file = paths.SYSCONFIG_HTTPD if fstore.has_file(removed_sysconfig_file): root_logger.info('Restoring %s as it is no longer required', removed_sysconfig_file) diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount index 4d0a025ee..110e0ba13 100755 --- a/ipa-client/ipa-install/ipa-client-automount +++ b/ipa-client/ipa-install/ipa-client-automount @@ -39,12 +39,13 @@ from ipapython.ipa_log_manager import * from ipapython.dn import DN from ipaplatform.tasks import tasks from ipaplatform import services +from ipaplatform.paths import paths -AUTOFS_CONF = '/etc/sysconfig/autofs' -NSSWITCH_CONF = '/etc/nsswitch.conf' -AUTOFS_LDAP_AUTH = '/etc/autofs_ldap_auth.conf' -NFS_CONF = '/etc/sysconfig/nfs' -IDMAPD_CONF = '/etc/idmapd.conf' +AUTOFS_CONF = paths.SYSCONFIG_AUTOFS +NSSWITCH_CONF = paths.NSSWITCH_CONF +AUTOFS_LDAP_AUTH = paths.AUTOFS_LDAP_AUTH_CONF +NFS_CONF = paths.SYSCONFIG_NFS +IDMAPD_CONF = paths.IDMAPD_CONF def parse_options(): usage = "%prog [options]\n" 
@@ -189,7 +190,7 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options): sys.exit('SSSD is not configured.') sssdconfig.save_domain(domain) - sssdconfig.write("/etc/sssd/sssd.conf") + sssdconfig.write(paths.SSSD_CONF) statestore.backup_state('autofs', 'sssd', True) sssd = services.service('sssd') @@ -279,7 +280,7 @@ def uninstall(fstore, statestore): domain.remove_provider('autofs') break sssdconfig.save_domain(domain) - sssdconfig.write("/etc/sssd/sssd.conf") + sssdconfig.write(paths.SSSD_CONF) sssd = services.service('sssd') sssd.restart() wait_for_sssd() @@ -357,15 +358,15 @@ def configure_nfs(fstore, statestore): def main(): - fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore') - statestore = sysrestore.StateFile('/var/lib/ipa-client/sysrestore') - if not fstore.has_files() and not os.path.exists('/etc/ipa/default.conf'): + fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) + statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) + if not fstore.has_files() and not os.path.exists(paths.IPA_DEFAULT_CONF): sys.exit('IPA client is not configured on this system.\n') options, args = parse_options() standard_logging_setup( - '/var/log/ipaclient-install.log', verbose=False, debug=options.debug, + paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug, filemode='a', console_format='%(message)s') cfg = dict( @@ -430,7 +431,7 @@ def main(): try: try: os.environ['KRB5CCNAME'] = ccache_name - ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s@%s' % (api.env.host, api.env.realm)]) + ipautil.run([paths.KINIT, '-k', '-t', paths.KRB5_KEYTAB, 'host/%s@%s' % (api.env.host, api.env.realm)]) except ipautil.CalledProcessError, e: sys.exit("Failed to obtain host TGT.") # Now we have a TGT, connect to IPA diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index c20ad1a09..4e2519bce 100755 --- a/ipa-client/ipa-install/ipa-client-install 
+++ b/ipa-client/ipa-install/ipa-client-install @@ -69,14 +69,12 @@ CLIENT_NOT_CONFIGURED = 2 CLIENT_ALREADY_CONFIGURED = 3 CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state -SSH_AUTHORIZEDKEYSCOMMAND = '/usr/bin/sss_ssh_authorizedkeys' -SSH_PROXYCOMMAND = '/usr/bin/sss_ssh_knownhostsproxy' -SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts' +SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS +SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY +SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS client_nss_nickname_format = 'IPA Machine Certificate - %s' -NSSWITCH_CONF = '/etc/nsswitch.conf' - def parse_options(): def validate_ca_cert_file_option(option, opt, value, parser): if not os.path.exists(value): @@ -214,10 +212,10 @@ def parse_options(): return safe_opts, options def logging_setup(options): - log_file = "/var/log/ipaclient-install.log" + log_file = paths.IPACLIENT_INSTALL_LOG if options.uninstall: - log_file = "/var/log/ipaclient-uninstall.log" + log_file = paths.IPACLIENT_UNINSTALL_LOG standard_logging_setup( filename=log_file, verbose=True, debug=options.debug, @@ -228,7 +226,7 @@ def log_service_error(name, action, error): root_logger.error("%s failed to %s: %s", name, action, str(error)) def nickname_exists(nickname): - (sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname], raiseonerr=False) + (sout, serr, returncode) = run([paths.CERTUTIL, "-L", "-d", paths.NSS_DB_DIR, "-n", nickname], raiseonerr=False) if returncode == 0: return True 
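Review bot: The first ipa-client-install hunk starts at line 69 on both sides (`@@ -69,14 +69,12 @@`), so this commit adds nothing above it, unlike the other tools, which each gain `from ipaplatform.paths import paths`. Unless the file already imports `paths` from an earlier change, `SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS` raises NameError as soon as the installer starts; please confirm and add the import if it is missing. The hunk also deletes the module-level `NSSWITCH_CONF`, so any use outside the hunks shown here has to be switched to `paths.NSSWITCH_CONF` too.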
@@ -297,8 +295,8 @@ def restore_state(service): # Checks whether nss_ldap or nss-pam-ldapd is installed. If anyone of mandatory files was found returns True and list of all files found. def nssldap_exists(): - files_to_check = [{'function':'configure_ldap_conf', 'mandatory':['/etc/ldap.conf','/etc/nss_ldap.conf','/etc/libnss-ldap.conf'], 'optional':['/etc/pam_ldap.conf']}, - {'function':'configure_nslcd_conf', 'mandatory':['/etc/nslcd.conf']}] + files_to_check = [{'function':'configure_ldap_conf', 'mandatory':[paths.LDAP_CONF,paths.NSS_LDAP_CONF,paths.LIBNSS_LDAP_CONF], 'optional':[paths.PAM_LDAP_CONF]}, + {'function':'configure_nslcd_conf', 'mandatory':[paths.NSLCD_CONF]}] files_found = {} retval = False @@ -356,7 +354,7 @@ def is_ipa_client_installed(on_master=False): """ installed = fstore.has_files() or \ - (not on_master and os.path.exists('/etc/ipa/default.conf')) + (not on_master and os.path.exists(paths.IPA_DEFAULT_CONF)) return installed @@ -380,15 +378,15 @@ def configure_nsswitch_database(fstore, database, services, preserve=True, """ # Backup the original version of nsswitch.conf, we're going to edit it now - if not fstore.has_file(NSSWITCH_CONF): - fstore.backup_file(NSSWITCH_CONF) + if not fstore.has_file(paths.NSSWITCH_CONF): + fstore.backup_file(paths.NSSWITCH_CONF) conf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") conf.setOptionAssignment(':') if preserve: # Read the existing configuration - with open('/etc/nsswitch.conf', 'r') as f: + with open(paths.NSSWITCH_CONF, 'r') as f: opts = conf.parse(f) raw_database_entry = conf.findOpts(opts, 'option', database)[1] @@ -419,8 +417,8 @@ def configure_nsswitch_database(fstore, database, services, preserve=True, 'type':'empty' }] - conf.changeConf(NSSWITCH_CONF, opts) - root_logger.info("Configured %s in %s" % (database, NSSWITCH_CONF)) + conf.changeConf(paths.NSSWITCH_CONF, opts) + root_logger.info("Configured %s in %s" % (database, paths.NSSWITCH_CONF)) def uninstall(options, env): 
@@ -429,7 +427,7 @@ def uninstall(options, env): root_logger.error("IPA client is not configured on this system.") return CLIENT_NOT_CONFIGURED - server_fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + server_fstore = sysrestore.FileStore(paths.SYSRESTORE) if server_fstore.has_files() and not options.on_master: root_logger.error( "IPA client is configured as a part of IPA server on this system.") @@ -487,7 +485,7 @@ def uninstall(options, env): # Remove our host cert and CA cert if nickname_exists("IPA CA"): try: - run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"]) + run([paths.CERTUTIL, "-D", "-d", paths.NSS_DB_DIR, "-n", "IPA CA"]) except Exception, e: root_logger.error( "Failed to remove IPA CA from /etc/pki/nssdb: %s", str(e)) @@ -507,14 +505,14 @@ def uninstall(options, env): log_service_error(cmonger.service_name, 'start', e) try: - certmonger.stop_tracking('/etc/pki/nssdb', nickname=client_nss_nickname) + certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname) except (CalledProcessError, RuntimeError), e: root_logger.error("%s failed to stop tracking certificate: %s", cmonger.service_name, str(e)) if nickname_exists(client_nss_nickname): try: - run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname]) + run([paths.CERTUTIL, "-D", "-d", paths.NSS_DB_DIR, "-n", client_nss_nickname]) except Exception, e: root_logger.error("Failed to remove %s from /etc/pki/nssdb: %s", client_nss_nickname, str(e)) 
@@ -534,9 +532,9 @@ def uninstall(options, env): "Failed to disable automatic startup of the %s service: %s", cmonger.service_name, str(e)) - if not options.on_master and os.path.exists('/etc/ipa/default.conf'): + if not options.on_master and os.path.exists(paths.IPA_DEFAULT_CONF): root_logger.info("Unenrolling client from IPA server") - join_args = ["/usr/sbin/ipa-join", "--unenroll", "-h", hostname] + join_args = [paths.SBIN_IPA_JOIN, "--unenroll", "-h", hostname] if options.debug: join_args.append("-d") env['XMLRPC_TRACE_CURL'] = 'yes' @@ -544,16 +542,16 @@ def uninstall(options, env): if returncode != 0: root_logger.error("Unenrolling host failed: %s", stderr) - if os.path.exists('/etc/ipa/default.conf'): + if os.path.exists(paths.IPA_DEFAULT_CONF): root_logger.info( "Removing Kerberos service principals from /etc/krb5.keytab") try: parser = RawConfigParser() - fp = open('/etc/ipa/default.conf', 'r') + fp = open(paths.IPA_DEFAULT_CONF, 'r') parser.readfp(fp) fp.close() realm = parser.get('global', 'realm') - run(["/usr/sbin/ipa-rmkeytab", "-k", "/etc/krb5.keytab", "-r", realm]) + run([paths.IPA_RMKEYTAB, "-k", paths.KRB5_KEYTAB, "-r", realm]) except Exception, e: root_logger.error( "Failed to remove Kerberos service principals: %s", str(e)) @@ -562,7 +560,7 @@ def uninstall(options, env): was_sssd_installed = False was_sshd_configured = False if fstore.has_files(): - was_sssd_installed = fstore.has_file("/etc/sssd/sssd.conf") + was_sssd_installed = fstore.has_file(paths.SSSD_CONF) sshd_config = os.path.join(services.knownservices.sshd.get_config_dir(), "sshd_config") was_sshd_configured = fstore.has_file(sshd_config) @@ -595,7 +593,7 @@ def uninstall(options, env): restored = False try: - restored = fstore.restore_file("/etc/sssd/sssd.conf","/etc/sssd/sssd.conf.bkp") + restored = fstore.restore_file(paths.SSSD_CONF,paths.SSSD_CONF_BKP) except OSError: root_logger.debug("Error while restoring pre-IPA /etc/sssd/sssd.conf.") 
@@ -628,10 +626,10 @@ def uninstall(options, env): # than IPA are configured in sssd.conf - make sure config file is removed elif not was_sssd_installed and not was_sssd_configured: try: - os.rename("/etc/sssd/sssd.conf","/etc/sssd/sssd.conf.deleted") + os.rename(paths.SSSD_CONF,paths.SSSD_CONF_DELETED) except OSError: - root_logger.debug("Error while moving /etc/sssd/sssd.conf to " - "/etc/sssd/sssd.conf.deleted") + root_logger.debug("Error while moving /etc/sssd/sssd.conf to %s" % + paths.SSSD_CONF_DELETED) root_logger.info("Redundant SSSD configuration file " + "/etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted") @@ -680,10 +678,10 @@ def uninstall(options, env): # the reason for it might be that freeipa-client was updated # to this version but not unenrolled/enrolled again # In such case it is OK to fail - restored = fstore.restore_file("/etc/ntp.conf") - restored |= fstore.restore_file("/etc/sysconfig/ntpd") + restored = fstore.restore_file(paths.NTP_CONF) + restored |= fstore.restore_file(paths.SYSCONFIG_NTPD) if ntp_step_tickers: - restored |= fstore.restore_file("/etc/ntp/step-tickers") + restored |= fstore.restore_file(paths.NTP_STEP_TICKERS) except Exception: pass @@ -714,8 +712,8 @@ def uninstall(options, env): rv = 0 if fstore.has_files(): - root_logger.error('Some files have not been restored, see ' - '/var/lib/ipa-client/sysrestore/sysrestore.index') + root_logger.error('Some files have not been restored, see %s' % + paths.SYSRESTORE_INDEX) has_state = False for module in statestore.modules.keys(): root_logger.error('Some installation state for %s has not been ' @@ -734,7 +732,7 @@ def uninstall(options, env): # Remove the IPA configuration file try: - os.remove("/etc/ipa/default.conf") + os.remove(paths.IPA_DEFAULT_CONF) except OSError, e: root_logger.warning('/etc/ipa/default.conf could not be removed: %s', str(e)) 
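Review bot: The two messages this commit rewrites with `%` build the string before the logger is called, unlike the neighbouring calls, which hand their arguments to the logger. They are the debug call after `os.rename` here and the `Some files have not been restored` error in `@@ -714,8 +712,8 @@`. The debug call also keeps the source path as a literal while the target comes from `paths`. Suggested forms: `root_logger.debug("Error while moving %s to %s", paths.SSSD_CONF, paths.SSSD_CONF_DELETED)` and `root_logger.error('Some files have not been restored, see %s', paths.SYSRESTORE_INDEX)`.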
@@ -766,7 +764,7 @@ def uninstall(options, env): if not options.on_master: if user_input("Do you want to reboot the machine?", False): try: - run(["/sbin/reboot"]) + run([paths.SBIN_REBOOT]) except Exception, e: root_logger.error( "Reboot command failed to exceute: %s", str(e)) @@ -795,7 +793,7 @@ def configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server): opts.append({'name':'global', 'type':'section', 'value':defopts}) opts.append({'name':'empty', 'type':'empty'}) - target_fname = '/etc/ipa/default.conf' + target_fname = paths.IPA_DEFAULT_CONF fstore.backup_file(target_fname) ipaconf.newConf(target_fname, opts) os.chmod(target_fname, 0644) @@ -809,9 +807,9 @@ def disable_ra(): Note that api.env will retain the old value (it is readonly). """ parser = RawConfigParser() - parser.read('/etc/ipa/default.conf') + parser.read(paths.IPA_DEFAULT_CONF) parser.set('global', 'enable_ra', 'False') - fp = open('/etc/ipa/default.conf', 'w') + fp = open(paths.IPA_DEFAULT_CONF, 'w') parser.write(fp) fp.close() @@ -948,7 +946,7 @@ def configure_openldap_conf(fstore, cli_basedn, cli_server): {'action':'addifnotset', 'name':'TLS_CACERT', 'type':'option', 'value':CACERT},] - target_fname = '/etc/openldap/ldap.conf' + target_fname = paths.OPENLDAP_LDAP_CONF fstore.backup_file(target_fname) error_msg = "Configuring {path} failed with: {err}" @@ -975,7 +973,7 @@ def hardcode_ldap_server(cli_server): DNS Discovery didn't return a valid IPA server, hardcode a value into the file instead. """ - if not file_exists('/etc/ldap.conf'): + if not file_exists(paths.LDAP_CONF): return ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") 
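Review bot: In disable_ra (`@@ -809,9 +807,9 @@`) the rewrite of `paths.IPA_DEFAULT_CONF` opens the file with `'w'` and closes it by hand, so an exception from `parser.write(fp)` leaves the handle open. A `with` block closes it on every path: `with open(paths.IPA_DEFAULT_CONF, 'w') as fp:` followed by `parser.write(fp)`. Because `'w'` truncates before anything is written, a failed write also leaves the client configuration empty or partial. Writing to a temporary file in the same directory and renaming it over the target would keep the old file intact. The function's `def` line lies above the hunk.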
@@ -985,7 +983,7 @@ def hardcode_ldap_server(cli_server): {'name':'empty', 'type':'empty'}] # Errors raised by this should be caught by the caller - ldapconf.changeConf("/etc/ldap.conf", opts) + ldapconf.changeConf(paths.LDAP_CONF, opts) root_logger.info("Changed configuration of /etc/ldap.conf to use " + "hardcoded server name: %s", cli_server[0]) @@ -1005,7 +1003,7 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok, # SSSD include dir if options.sssd: - opts.append({'name':'includedir', 'type':'option', 'value':'/var/lib/sss/pubconf/krb5.include.d/', 'delim':' '}) + opts.append({'name':'includedir', 'type':'option', 'value':paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, 'delim':' '}) opts.append({'name':'empty', 'type':'empty'}) #[libdefaults] @@ -1116,7 +1114,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, client_nss_nickname = client_nss_nickname_format % hostname subject = DN(('CN', hostname), subject_base) try: - run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb", + run(["ipa-getcert", "request", "-d", paths.NSS_DB_DIR, "-n", client_nss_nickname, "-N", str(subject), "-K", principal]) except Exception: @@ -1132,7 +1130,7 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() except Exception, e: - if os.path.exists("/etc/sssd/sssd.conf") and options.preserve_sssd: + if os.path.exists(paths.SSSD_CONF) and options.preserve_sssd: # SSSD config is in place but we are unable to read it # In addition, we are instructed to preserve it # This all means we can't use it and have to bail out @@ -1254,7 +1252,7 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie domain.set_active(True) sssdconfig.save_domain(domain) - sssdconfig.write("/etc/sssd/sssd.conf") + sssdconfig.write(paths.SSSD_CONF) return 0 
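Review bot: In configure_certmonger (`@@ -1116,7 +1114,7 @@`) the helper is still started as the bare name `"ipa-getcert"`, so it is resolved through the PATH of whoever runs the installer, while the rest of the commit moves privileged commands to absolute paths. The paths module already defines `IPA_GETCERT = "/usr/bin/ipa-getcert"` (a context line in the paths.py hunk), so the call can read `run([paths.IPA_GETCERT, "request", "-d", paths.NSS_DB_DIR,`. The `['sshd', '-t', '-f', paths.DEV_NULL]` call in `@@ -1376,7 +1374,7 @@` has the same bare-name lookup, though no constant for sshd is visible in this diff. Both functions extend beyond their hunks.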
@@ -1376,7 +1374,7 @@ def configure_sshd_config(fstore, options): ) for candidate in candidates: - args = ['sshd', '-t', '-f', '/dev/null'] + args = ['sshd', '-t', '-f', paths.DEV_NULL] for item in candidate.iteritems(): args.append('-o') args.append('%s=%s' % item) @@ -1432,9 +1430,9 @@ def configure_nisdomain(options, domain): nis_domain_name = '' # First backup the old NIS domain name - if os.path.exists('/usr/bin/nisdomainname'): + if os.path.exists(paths.BIN_NISDOMAINNAME): try: - nis_domain_name, _, _ = ipautil.run(['/usr/bin/nisdomainname']) + nis_domain_name, _, _ = ipautil.run([paths.BIN_NISDOMAINNAME]) except CalledProcessError, e: pass @@ -1515,7 +1513,7 @@ def do_nsupdate(update_txt): result = False try: - ipautil.run(['/usr/bin/nsupdate', '-g', UPDATE_FILE]) + ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE]) result = True except CalledProcessError, e: root_logger.debug('nsupdate failed: %s', str(e)) @@ -1549,8 +1547,8 @@ show send """ -UPDATE_FILE = "/etc/ipa/.dns_update.txt" -CCACHE_FILE = "/etc/ipa/.dns_ccache" +UPDATE_FILE = paths.IPA_DNS_UPDATE_TXT +CCACHE_FILE = paths.IPA_DNS_CCACHE def update_dns(server, hostname): @@ -1723,7 +1721,7 @@ def get_ca_cert_from_http(url, ca_file, warn=True): root_logger.debug("trying to retrieve CA cert via HTTP from %s", url) try: - run(["/usr/bin/wget", "-O", ca_file, url]) + run([paths.BIN_WGET, "-O", ca_file, url]) except CalledProcessError, e: raise errors.NoCertificateError(entry=url) @@ -2306,8 +2304,8 @@ def install(options, env, fstore, statestore): if not options.on_master: # Try removing old principals from the keytab try: - ipautil.run(['/usr/sbin/ipa-rmkeytab', - '-k', '/etc/krb5.keytab', '-r', cli_realm]) + ipautil.run([paths.IPA_RMKEYTAB, + '-k', paths.KRB5_KEYTAB, '-r', cli_realm]) except CalledProcessError, e: if e.returncode not in (3, 5): # 3 - Unable to open keytab 
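Review bot: In get_ca_cert_from_http (`@@ -1723,7 +1721,7 @@`) the certificate written to `ca_file` arrives over plain HTTP, and nothing in the hunk authenticates it before it can serve as a trust anchor. A comment above the `run([paths.BIN_WGET, "-O", ca_file, url])` call should say so, for example `# Unauthenticated download: the result must be verified before it is trusted`. The `except` branch also drops `e`, so the reason wget failed never reaches the log; `root_logger.debug("wget failed: %s", str(e))` before the `raise` would keep it. The function continues outside the hunk, so verification may already happen further down or in the caller, as the `warn` parameter hints.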
@@ -2316,7 +2314,7 @@ def install(options, env, fstore, statestore): "/usr/sbin/ipa-rmkeytab returned %s" % e.returncode) else: root_logger.info("Removed old keys for realm %s from %s" % ( - cli_realm, '/etc/krb5.keytab')) + cli_realm, paths.KRB5_KEYTAB)) if options.hostname and not options.on_master: # configure /etc/sysconfig/network to contain the hostname we set. @@ -2372,7 +2370,7 @@ def install(options, env, fstore, statestore): (ccache_fd, ccache_name) = tempfile.mkstemp() os.close(ccache_fd) env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name - join_args = ["/usr/sbin/ipa-join", + join_args = [paths.SBIN_IPA_JOIN, "-s", cli_server[0], "-b", str(realm_to_suffix(cli_realm)), "-h", hostname] @@ -2422,7 +2420,7 @@ def install(options, env, fstore, statestore): join_args.append("-f") if os.path.exists(options.keytab): (stderr, stdout, returncode) = run( - ['/usr/bin/kinit','-k', '-t', options.keytab, + [paths.KINIT,'-k', '-t', options.keytab, 'host/%s@%s' % (hostname, cli_realm)], env=env, raiseonerr=False) @@ -2502,7 +2500,7 @@ def install(options, env, fstore, statestore): # Once we have the TGT, it's usable on any server. env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE try: - run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', + run([paths.KINIT, '-k', '-t', paths.KRB5_KEYTAB, 'host/%s@%s' % (hostname, cli_realm)], env=env) except CalledProcessError, e: root_logger.error("Failed to obtain host TGT.") @@ -2536,7 +2534,7 @@ def install(options, env, fstore, statestore): return CLIENT_INSTALL_ERROR # Always back up sssd.conf. It gets updated by authconfig --enablekrb5. - fstore.backup_file("/etc/sssd/sssd.conf") + fstore.backup_file(paths.SSSD_CONF) if options.sssd: if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, hostname): return CLIENT_INSTALL_ERROR 
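Review bot: The tuple that receives the kinit result in `@@ -2422,7 +2420,7 @@` is written `(stderr, stdout, returncode) = run(`, with the first two names swapped. The renew-agent script in this same commit unpacks `stdout, stderr, rc = ipautil.run(...)`. Assuming `run` here is that same function, any later code that reports `stderr` on failure would print kinit's standard output instead of its error text. The line should read `(stdout, stderr, returncode) = run(`. The code that consumes these names lies outside the hunk, so check it when making the swap.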
@@ -2549,7 +2547,7 @@ def install(options, env, fstore, statestore): try: root_logger.debug("Attempting to add CA directly to the " "default NSS database.") - run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", + run([paths.CERTUTIL, "-A", "-d", paths.NSS_DB_DIR, "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT]) except CalledProcessError, e: root_logger.info("Failed to add CA to the default NSS database.") @@ -2563,14 +2561,14 @@ def install(options, env, fstore, statestore): # Get the host TGT. os.environ['KRB5CCNAME'] = CCACHE_FILE try: - run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', + run([paths.KINIT, '-k', '-t', paths.KRB5_KEYTAB, host_principal]) except CalledProcessError, e: root_logger.error("Failed to obtain host TGT.") return CLIENT_INSTALL_ERROR else: # Configure krb5.conf - fstore.backup_file("/etc/krb5.conf") + fstore.backup_file(paths.KRB5_CONF) if configure_krb5_conf( cli_realm=cli_realm, cli_domain=cli_domain, @@ -2578,7 +2576,7 @@ def install(options, env, fstore, statestore): cli_kdc=cli_kdc, dnsok=dnsok, options=options, - filename="/etc/krb5.conf", + filename=paths.KRB5_CONF, client_domain=client_domain): return CLIENT_INSTALL_ERROR @@ -2816,10 +2814,10 @@ def main(): env={"PATH":"/bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin"} global fstore - fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore') + fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) global statestore - statestore = sysrestore.StateFile('/var/lib/ipa-client/sysrestore') + statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) if options.uninstall: return uninstall(options, env) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index ed7150ed8..12721b8c5 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -21,6 +21,7 @@ This base platform module exports default filesystem paths. ''' + class BasePathNamespace(object): BASH = "/bin/bash" BIN_FALSE = "/bin/false" 
@@ -34,6 +35,7 @@ class BasePathNamespace(object): BIN_TRUE = "/bin/true" DEV_NULL = "/dev/null" DEV_STDIN = "/dev/stdin" + AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf" ETC_DIRSRV = "/etc/dirsrv" DS_KEYTAB = "/etc/dirsrv/ds.keytab" ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE = "/etc/dirsrv/slapd-%s" @@ -44,6 +46,7 @@ class BasePathNamespace(object): HOSTS = "/etc/hosts" ETC_HTTPD_DIR = "/etc/httpd" HTTPD_ALIAS_DIR = "/etc/httpd/alias" + ALIAS_CACERT_ASC = "/etc/httpd/alias/cacert.asc" ALIAS_PWDFILE_TXT = "/etc/httpd/alias/pwdfile.txt" HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/" HTTPD_IPA_PKI_PROXY_CONF = "/etc/httpd/conf.d/ipa-pki-proxy.conf" @@ -53,19 +56,28 @@ class BasePathNamespace(object): HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf" IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab" HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf" + IDMAPD_CONF = "/etc/idmapd.conf" ETC_IPA = "/etc/ipa" + CONNCHECK_CCACHE = "/etc/ipa/.conncheck_ccache" + IPA_DNS_CCACHE = "/etc/ipa/.dns_ccache" + IPA_DNS_UPDATE_TXT = "/etc/ipa/.dns_update.txt" IPA_CA_CRT = "/etc/ipa/ca.crt" IPA_DEFAULT_CONF = "/etc/ipa/default.conf" IPA_SMARTPROXY_CONF = "/etc/ipa/ipa-smartproxy.conf" KRB5_CONF = "/etc/krb5.conf" KRB5_KEYTAB = "/etc/krb5.keytab" + LDAP_CONF = "/etc/ldap.conf" + LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf" NAMED_CONF = "/etc/named.conf" NAMED_KEYTAB = "/etc/named.keytab" NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones" + NSLCD_CONF = "/etc/nslcd.conf" + NSS_LDAP_CONF = "/etc/nss_ldap.conf" NSSWITCH_CONF = "/etc/nsswitch.conf" NTP_CONF = "/etc/ntp.conf" NTP_STEP_TICKERS = "/etc/ntp/step-tickers" OPENLDAP_LDAP_CONF = "/etc/openldap/ldap.conf" + PAM_LDAP_CONF = "/etc/pam_ldap.conf" PASSWD = "/etc/passwd" ETC_PKI_CA_DIR = "/etc/pki-ca" SYSTEMWIDE_CA_STORE = "/etc/pki/ca-trust/source/anchors/" 
@@ -84,14 +96,19 @@ class BasePathNamespace(object): SSH_CONFIG = "/etc/ssh/ssh_config" SSHD_CONFIG = "/etc/ssh/sshd_config" SSSD_CONF = "/etc/sssd/sssd.conf" + SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp" + SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted" ETC_SYSCONFIG_AUTHCONFIG = "/etc/sysconfig/authconfig" + SYSCONFIG_AUTOFS = "/etc/sysconfig/autofs" SYSCONFIG_DIRSRV = "/etc/sysconfig/dirsrv" - SYSCONFIG_DIRSRV_SYSTEMD = "/etc/sysconfig/dirsrv.systemd" SYSCONFIG_DIRSRV_INSTANCE = "/etc/sysconfig/dirsrv-%s" SYSCONFIG_DIRSRV_PKI_IPA_DIR = "/etc/sysconfig/dirsrv-PKI-IPA" + SYSCONFIG_DIRSRV_SYSTEMD = "/etc/sysconfig/dirsrv.systemd" + SYSCONFIG_HTTPD = "/etc/sysconfig/httpd" SYSCONFIG_KRB5KDC_DIR = "/etc/sysconfig/krb5kdc" SYSCONFIG_NETWORK = "/etc/sysconfig/network" SYSCONFIG_NETWORK_IPABKP = "/etc/sysconfig/network.ipabkp" + SYSCONFIG_NFS = "/etc/sysconfig/nfs" SYSCONFIG_NTPD = "/etc/sysconfig/ntpd" SYSCONFIG_PKI = "/etc/sysconfig/pki" SYSCONFIG_PKI_CA_DIR = "/etc/sysconfig/pki-ca" @@ -104,12 +121,16 @@ class BasePathNamespace(object): SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service" SYSTEMD_PKI_TOMCAT_SERVICE = "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service" HOME_DIR = "/home" + ROOT_IPA_CACHE = "/root/.ipa_cache" ROOT_PKI = "/root/.pki" CA_AGENT_P12 = "/root/ca-agent.p12" CACERT_P12 = "/root/cacert.p12" + ROOT_IPA_CSR = "/root/ipa.csr" ROOT_TMP_CA_P12 = "/root/tmp-ca.p12" + NAMED_PID = "/run/named/named.pid" IP = "/sbin/ip" NOLOGIN = "/sbin/nologin" + SBIN_REBOOT = "/sbin/reboot" SBIN_RESTORECON = "/sbin/restorecon" SBIN_SERVICE = "/sbin/service" TMP = "/tmp" 
@@ -128,36 +149,48 @@ class BasePathNamespace(object): IPA_GETCERT = "/usr/bin/ipa-getcert" KDESTROY = "/usr/bin/kdestroy" KINIT = "/usr/bin/kinit" + BIN_KVNO = "/usr/bin/kvno" LDAPMODIFY = "/usr/bin/ldapmodify" LDAPPASSWD = "/usr/bin/ldappasswd" NET = "/usr/bin/net" + BIN_NISDOMAINNAME = "/usr/bin/nisdomainname" + NSUPDATE = "/usr/bin/nsupdate" OPENSSL = "/usr/bin/openssl" PERL = "/usr/bin/perl" PK12UTIL = "/usr/bin/pk12util" + PKI_SETUP_PROXY = "/usr/bin/pki-setup-proxy" PKICREATE = "/usr/bin/pkicreate" PKIREMOVE = "/usr/bin/pkiremove" PKISILENT = "/usr/bin/pkisilent" SETPASSWD = "/usr/bin/setpasswd" SIGNTOOL = "/usr/bin/signtool" SSLGET = "/usr/bin/sslget" + SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys" + SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy" UPDATE_CA_TRUST = "/usr/bin/update-ca-trust" + BIN_WGET = "/usr/bin/wget" ZIP = "/usr/bin/zip" BIND_LDAP_SO = "/usr/lib/bind/ldap.so" USR_LIB_DIRSRV = "/usr/lib/dirsrv" USR_LIB_SLAPD_INSTANCE_TEMPLATE = "/usr/lib/dirsrv/slapd-%s" USR_LIB_SLAPD_PKI_IPA_DIR = "/usr/lib/dirsrv/slapd-PKI-IPA" LIB_FIREFOX = "/usr/lib/firefox" + LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/" BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so" USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv" USR_LIB_DIRSRV_SLAPD_INSTANCE_DIR_TEMPLATE = "/usr/lib64/dirsrv/slapd-%s" - LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/" SLAPD_PKI_IPA = "/usr/lib64/dirsrv/slapd-PKI-IPA" LIB64_FIREFOX = "/usr/lib64/firefox" DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit" + DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit" GETSEBOOL = "/usr/sbin/getsebool" GROUPADD = "/usr/sbin/groupadd" HTTPD = "/usr/sbin/httpd" + IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install" + SBIN_IPA_JOIN = "/usr/sbin/ipa-join" IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck" + IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab" + IPACTL = "/usr/sbin/ipactl" NTPD = "/usr/sbin/ntpd" 
PKIDESTROY = "/usr/sbin/pkidestroy" PKISPAWN = "/usr/sbin/pkispawn" @@ -178,11 +211,14 @@ class BasePathNamespace(object): HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini" HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con" PREFERENCES_HTML = "/usr/share/ipa/html/preferences.html" + NIS_ULDIF = "/usr/share/ipa/nis.uldif" IPA_PLUGINS = "/usr/share/ipa/plugins" SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif" IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins" UPDATES_DIR = "/usr/share/ipa/updates/" PKI_CONF_SERVER_XML = "/usr/share/pki/ca/conf/server.xml" + CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions" + VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/" VAR_KRB5KDC_K5_REALM = "/var/kerberos/krb5kdc/.k5." CACERT_PEM = "/var/kerberos/krb5kdc/cacert.pem" KRB5KDC_KDC_CONF = "/var/kerberos/krb5kdc/kdc.conf" @@ -191,6 +227,7 @@ class BasePathNamespace(object): AUTHCONFIG_LAST = "/var/lib/authconfig/last" VAR_LIB_CERTMONGER_DIR = "/var/lib/certmonger" CERTMONGER_CAS_DIR = "/var/lib/certmonger/cas/" + CERTMONGER_CAS_CA_RENEWAL = "/var/lib/certmonger/cas/ca_renewal" CERTMONGER_REQUESTS_DIR = "/var/lib/certmonger/requests/" VAR_LIB_DIRSRV = "/var/lib/dirsrv" DIRSRV_BOOT_LDIF = "/var/lib/dirsrv/boot.ldif" @@ -202,7 +239,9 @@ class BasePathNamespace(object): VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-PKI-IPA" VAR_LIB_IPA = "/var/lib/ipa" IPA_CLIENT_SYSRESTORE = "/var/lib/ipa-client/sysrestore" + SYSRESTORE_INDEX = "/var/lib/ipa-client/sysrestore/sysrestore.index" IPA_BACKUP_DIR = "/var/lib/ipa/backup" + IPA_CA_CSR = "/var/lib/ipa/ca.csr" PKI_CA_PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish" REPLICA_INFO_TEMPLATE = "/var/lib/ipa/replica-info-%s" REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg" 
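Review bot: `SYSRESTORE_INDEX` in `@@ -202,7 +239,9 @@` points inside the client store (`/var/lib/ipa-client/sysrestore/...`), but its name reads as if it belonged to `SYSRESTORE`, which the uninstall hunk uses for the server store. It also repeats the `IPA_CLIENT_SYSRESTORE` directory as a literal, so a platform namespace that overrides the directory would presumably leave the index path stale. Naming it `IPA_CLIENT_SYSRESTORE_INDEX` and adding a comment such as `# must stay under IPA_CLIENT_SYSRESTORE` would make the dependency visible.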
@@ -216,7 +255,8 @@ class BasePathNamespace(object): SAMBA_DIR = "/var/lib/samba/" SSSD_MC_GROUP = "/var/lib/sss/mc/group" SSSD_MC_PASSWD = "/var/lib/sss/mc/passwd" - SSS_KRB5_INCLUDE_D = "/var/lib/sss/pubconf/krb5.include.d" + SSSD_PUBCONF_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts" + SSSD_PUBCONF_KRB5_INCLUDE_D_DIR = "/var/lib/sss/pubconf/krb5.include.d/" DIRSRV_LOCK_DIR = "/var/lock/dirsrv" SLAPD_INSTANCE_LOCK_TEMPLATE = "/var/lock/dirsrv/slapd-%s" VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s" @@ -227,6 +267,7 @@ class BasePathNamespace(object): IPABACKUP_LOG = "/var/log/ipabackup.log" IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log" IPACLIENT_UNINSTALL_LOG = "/var/log/ipaclient-uninstall.log" + IPAREPLICA_CA_INSTALL_LOG = "/var/log/ipareplica-ca-install.log" IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log" IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log" IPARESTORE_LOG = "/var/log/iparestore.log" diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index 91330dfa3..8f27e8a60 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -113,7 +113,7 @@ class Backup(admintool.AdminTool): paths.VAR_LIB_PKI_CA_DIR, paths.SYSRESTORE, paths.IPA_CLIENT_SYSRESTORE, - paths.SSS_KRB5_INCLUDE_D, + paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, paths.AUTHCONFIG_LAST, paths.VAR_LIB_CERTMONGER_DIR, paths.VAR_LIB_IPA, -- cgit
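Review bot: Replacing `SSS_KRB5_INCLUDE_D` with `SSSD_PUBCONF_KRB5_INCLUDE_D_DIR` changes the value as well as the name: the new constant ends in a trailing slash. The ipa_backup.py hunk passes it in a list whose other directory constants visible in this diff, such as `VAR_LIB_CERTMONGER_DIR` and `VAR_LIB_IPA`, have none. Whether the backup code tolerates the slash is not visible here. The slash matches the literal that configure_krb5_conf previously wrote as the `includedir` value, so a comment on the constant would record the intent, for example `# trailing slash kept: written verbatim as the krb5.conf includedir value`. Any user of the old name outside this diff would now raise an AttributeError, so a search of the tree for `SSS_KRB5_INCLUDE_D` is worth doing before merging.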