From 4d2ef43f287aa96df3d65b97977fc7a824b6b33c Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Thu, 29 May 2014 14:47:17 +0200 Subject: ipaplatform: Move all filesystem paths to ipaplatform.paths module https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin --- ipaserver/dcerpc.py | 7 +- ipaserver/install/adtrustinstance.py | 31 +++-- ipaserver/install/bindinstance.py | 21 +-- ipaserver/install/cainstance.py | 71 +++++----- ipaserver/install/certs.py | 27 ++-- ipaserver/install/dsinstance.py | 67 ++++----- ipaserver/install/httpinstance.py | 82 +++++------ ipaserver/install/installutils.py | 13 +- ipaserver/install/ipa_backup.py | 183 +++++++++++++------------ ipaserver/install/ipa_ldap_updater.py | 7 +- ipaserver/install/ipa_replica_prepare.py | 23 ++-- ipaserver/install/ipa_restore.py | 27 ++-- ipaserver/install/ipa_server_certinstall.py | 5 +- ipaserver/install/krbinstance.py | 41 +++--- ipaserver/install/ldapupdate.py | 5 +- ipaserver/install/ntpinstance.py | 21 +-- ipaserver/install/plugins/ca_renewal_master.py | 3 +- ipaserver/install/plugins/updateclient.py | 3 +- ipaserver/install/replication.py | 3 +- ipaserver/install/service.py | 5 +- ipaserver/install/sysupgrade.py | 3 +- ipaserver/install/upgradeinstance.py | 7 +- ipaserver/plugins/dogtag.py | 5 +- ipaserver/plugins/rabase.py | 5 +- ipaserver/rpcserver.py | 9 +- 25 files changed, 344 insertions(+), 330 deletions(-) (limited to 'ipaserver') diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 312761662..ec6a26d5a 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -55,6 +55,7 @@ from dns import resolver, rdatatype from dns.exception import DNSException import pysss_nss_idmap import pysss +from ipaplatform.paths import paths __doc__ = _(""" Classes to manage trust joins using DCE-RPC calls 
@@ -474,13 +475,13 @@ class DomainValidator(object): realm = api.env.realm hostname = api.env.host principal = 'HTTP/%s@%s' % (hostname, realm) - keytab = '/etc/httpd/conf/ipa.keytab' + keytab = paths.IPA_KEYTAB # Destroy the contents of the ccache root_logger.debug('Destroying the contents of the separate ccache') (stdout, stderr, returncode) = ipautil.run( - ['/usr/bin/kdestroy', '-A', '-c', ccache_path], + [paths.KDESTROY, '-A', '-c', ccache_path], env={'KRB5CCNAME': ccache_path}, raiseonerr=False) @@ -489,7 +490,7 @@ class DomainValidator(object): 'service principal with MS-PAC attached.') (stdout, stderr, returncode) = ipautil.run( - ['/usr/bin/kinit', '-kt', keytab, principal], + [paths.KINIT, '-kt', keytab, principal], env={'KRB5CCNAME': ccache_path}, raiseonerr=False) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 59a383e2e..362965e96 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -40,6 +40,7 @@ from ipapython.ipa_log_manager import * import ipaclient.ipachangeconf from ipaplatform import services +from ipaplatform.paths import paths ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits @@ -60,7 +61,7 @@ and re-run ipa-adtrust-instal again afterwards. """ def check_inst(): - for smbfile in ['/usr/sbin/smbd', '/usr/bin/net']: + for smbfile in [paths.SMBD, paths.NET]: if not os.path.exists(smbfile): print "%s was not found on this system" % smbfile print "Please install the 'samba' packages and " \ @@ -73,7 +74,7 @@ def check_inst(): def ipa_smb_conf_exists(): try: - conf_fd = open('/etc/samba/smb.conf', 'r') + conf_fd = open(paths.SMB_CONF, 'r') except IOError, err: if err.errno == errno.ENOENT: return False @@ -134,7 +135,7 @@ class ADTRUSTInstance(service.Service): if fstore: self.fstore = fstore else: - self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + self.fstore = sysrestore.FileStore(paths.SYSRESTORE) self.__setup_default_attributes() 
@@ -145,8 +146,8 @@ class ADTRUSTInstance(service.Service): """ # Constants - self.smb_conf = "/etc/samba/smb.conf" - self.samba_keytab = "/etc/samba/samba.keytab" + self.smb_conf = paths.SMB_CONF + self.samba_keytab = paths.SAMBA_KEYTAB self.selinux_booleans = ["samba_portmapper"] self.cifs_hosts = [] @@ -485,7 +486,7 @@ class ADTRUSTInstance(service.Service): os.write(tmp_fd, conf) os.close(tmp_fd) - args = ["/usr/bin/net", "conf", "import", tmp_name] + args = [paths.NET, "conf", "import", tmp_name] try: ipautil.run(args) @@ -608,8 +609,8 @@ class ADTRUSTInstance(service.Service): def __configure_selinux_for_smbd(self): selinux = False try: - if (os.path.exists('/usr/sbin/selinuxenabled')): - ipautil.run(["/usr/sbin/selinuxenabled"]) + if (os.path.exists(paths.SELINUXENABLED)): + ipautil.run([paths.SELINUXENABLED]) selinux = True except ipautil.CalledProcessError: # selinuxenabled returns 1 if not enabled @@ -620,7 +621,7 @@ class ADTRUSTInstance(service.Service): sebools = [] for var in self.selinux_booleans: try: - (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", var]) + (stdout, stderr, returncode) = ipautil.run([paths.GETSEBOOL, var]) if stdout and not stderr and returncode == 0: self.backup_state(var, stdout.split()[2]) sebools.append(var) @@ -629,7 +630,7 @@ class ADTRUSTInstance(service.Service): if sebools: bools = [var + "=true" for var in sebools] - args = ["/usr/sbin/setsebool", "-P"] + args = [paths.SETSEBOOL, "-P"] args.extend(bools); try: ipautil.run(args) @@ -665,7 +666,7 @@ class ADTRUSTInstance(service.Service): {'name':'realms', 'type':'section', 'action':'set', 'value':ropts}] - krbconf.changeConf("/etc/krb5.conf", opts) + krbconf.changeConf(paths.KRB5_CONF, opts) def __update_krb5_conf(self): """ 
@@ -673,7 +674,7 @@ class ADTRUSTInstance(service.Service): """ try: - krb5conf = open("/etc/krb5.conf", 'r') + krb5conf = open(paths.KRB5_CONF, 'r') except IOError, e: self.print_msg("Cannot open /etc/krb5.conf (%s)\n" % str(e)) return @@ -908,20 +909,20 @@ class ADTRUSTInstance(service.Service): sebool_state = self.restore_state(var) if not sebool_state is None: try: - ipautil.run(["/usr/sbin/setsebool", + ipautil.run([paths.SETSEBOOL, "-P", var, sebool_state]) except Exception: self.print_msg(SELINUX_WARNING % dict(var=var)) # Remove samba's credentials cache - krb5cc_samba = '/var/run/samba/krb5cc_samba' + krb5cc_samba = paths.KRB5CC_SAMBA installutils.remove_file(krb5cc_samba) # Remove samba's configuration file installutils.remove_file(self.smb_conf) # Remove samba's persistent and temporary tdb files - tdb_files = [tdb_file for tdb_file in os.listdir("/var/lib/samba/") + tdb_files = [tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR) if tdb_file.endswith(".tdb")] for tdb_file in tdb_files: installutils.remove_file(tdb_file) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index af9ddbc9c..78810297a 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -35,13 +35,14 @@ from ipapython.ipa_log_manager import * from ipapython.dn import DN import ipalib from ipalib import api, errors +from ipaplatform.paths import paths from ipalib.util import (validate_zonemgr_str, normalize_zonemgr, get_dns_forward_zone_update_policy, get_dns_reverse_zone_update_policy, normalize_zone, get_reverse_zone_default, zone_is_reverse) from ipalib.constants import CACERT -NAMED_CONF = '/etc/named.conf' -RESOLV_CONF = '/etc/resolv.conf' +NAMED_CONF = paths.NAMED_CONF +RESOLV_CONF = paths.RESOLV_CONF named_conf_section_ipa_start_re = re.compile('\s*dynamic-db\s+"ipa"\s+{') named_conf_section_options_start_re = re.compile('\s*options\s+{') 
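Review bot: The error message two lines below the changed `open(paths.KRB5_CONF, 'r')` still hardcodes the path the open call just stopped hardcoding, so on a platform where paths.KRB5_CONF differs the message names a file that was never opened. Derive it from the same constant: `self.print_msg("Cannot open %s (%s)\n" % (paths.KRB5_CONF, str(e)))`. __update_krb5_conf continues outside the hunk.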
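Review bot: In the tdb cleanup at the end of the hunk at -908, `os.listdir(paths.SAMBA_DIR)` yields bare file names, but `installutils.remove_file(tdb_file)` is then called with that bare name, so it presumably resolves relative to the current working directory and the samba tdb files are left in place (or a same-named file in the cwd is removed instead). Join the directory in the comprehension: `tdb_files = [os.path.join(paths.SAMBA_DIR, tdb_file) for tdb_file in os.listdir(paths.SAMBA_DIR) if tdb_file.endswith(".tdb")]`. The commit only swapped the literal for paths.SAMBA_DIR, but it is the line being touched. The enclosing uninstall method starts outside the hunk.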
@@ -55,14 +56,14 @@ def check_inst(unattended): has_bind = True # So far this file is always present in both RHEL5 and Fedora if all the necessary # bind packages are installed (RHEL5 requires also the pkg: caching-nameserver) - if not os.path.exists('/etc/named.rfc1912.zones'): + if not os.path.exists(paths.NAMED_RFC1912_ZONES): print "BIND was not found on this system" print "Please install the 'bind' package and start the installation again" has_bind = False # Also check for the LDAP BIND plug-in - if not os.path.exists('/usr/lib/bind/ldap.so') and \ - not os.path.exists('/usr/lib64/bind/ldap.so'): + if not os.path.exists(paths.BIND_LDAP_SO) and \ + not os.path.exists(paths.BIND_LDAP_SO_64): print "The BIND LDAP plug-in was not found on this system" print "Please install the 'bind-dyndb-ldap' package and start the installation again" has_bind = False @@ -458,7 +459,7 @@ class BindInstance(service.Service): if fstore: self.fstore = fstore else: - self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + self.fstore = sysrestore.FileStore(paths.SYSRESTORE) suffix = ipautil.dn_attribute_property('_suffix') @@ -758,8 +759,8 @@ class BindInstance(service.Service): installutils.kadmin_addprinc(dns_principal) # Store the keytab on disk - self.fstore.backup_file("/etc/named.keytab") - installutils.create_keytab("/etc/named.keytab", dns_principal) + self.fstore.backup_file(paths.NAMED_KEYTAB) + installutils.create_keytab(paths.NAMED_KEYTAB, dns_principal) p = self.move_service(dns_principal) if p is None: # the service has already been moved, perhaps we're doing a DNS reinstall 
@@ -770,8 +771,8 @@ class BindInstance(service.Service): # Make sure access is strictly reserved to the named user pent = pwd.getpwnam(self.named_user) - os.chown("/etc/named.keytab", pent.pw_uid, pent.pw_gid) - os.chmod("/etc/named.keytab", 0400) + os.chown(paths.NAMED_KEYTAB, pent.pw_uid, pent.pw_gid) + os.chmod(paths.NAMED_KEYTAB, 0400) # modify the principal so that it is marked as an ipa service so that # it can host the memberof attribute, then also add it to the diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index b9c786be9..b5c6cdcde 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -59,8 +59,9 @@ from ipaserver.install.installutils import stopped_service from ipaserver.plugins import ldap2 from ipapython.ipa_log_manager import * from ipaplatform import services +from ipaplatform.paths import paths -HTTPD_CONFD = "/etc/httpd/conf.d/" +HTTPD_CONFD = paths.HTTPD_CONF_D_DIR DEFAULT_DSPORT = dogtag.install_constants.DS_PORT PKI_USER = "pkiuser" @@ -99,7 +100,7 @@ def check_inst(): return False # This is the template tomcat file for a CA - if not os.path.exists('/usr/share/pki/ca/conf/server.xml'): + if not os.path.exists(paths.PKI_CONF_SERVER_XML): return False return True @@ -132,7 +133,7 @@ def get_preop_pin(instance_root, instance_name): def import_pkcs12(input_file, input_passwd, cert_database, cert_passwd): - ipautil.run(["/usr/bin/pk12util", "-d", cert_database, + ipautil.run([paths.PK12UTIL, "-d", cert_database, "-i", input_file, "-k", cert_passwd, "-w", input_passwd]) @@ -322,7 +323,7 @@ def stop_tracking_certificates(dogtag_constants): "certmonger failed to stop tracking certificate: %s" % str(e)) try: - certmonger.stop_tracking('/etc/httpd/alias', nickname='ipaCert') + certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname='ipaCert') except (ipautil.CalledProcessError, RuntimeError), e: root_logger.error( "certmonger failed to stop tracking certificate: %s" % str(e)) 
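Review bot: In the cainstance hunk at -59, `HTTPD_CONFD = paths.HTTPD_CONF_D_DIR` replaces a literal that ended in a trailing slash (`"/etc/httpd/conf.d/"`); if the new constant is defined without one, any `HTTPD_CONFD + name` concatenation elsewhere in cainstance silently yields `conf.dname`. Either confirm the constant keeps the slash, or have the users of HTTPD_CONFD build the path with `os.path.join(HTTPD_CONFD, name)`, which is insensitive to it. The uses of HTTPD_CONFD are outside this hunk.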
@@ -444,7 +445,7 @@ class CAInstance(service.Service): if self.dogtag_constants.DOGTAG_VERSION >= 10: self.step("configuring certificate server instance", self.__spawn_instance) else: - if not ipautil.dir_exists("/var/lib/pki-ca"): + if not ipautil.dir_exists(paths.VAR_LIB_PKI_CA_DIR): self.step("creating pki-ca instance", self.create_instance) self.step("configuring certificate server instance", self.__configure_instance) self.step("stopping certificate server instance to update CS.cfg", self.__stop) @@ -526,7 +527,7 @@ class CAInstance(service.Service): config.set("CA", "pki_admin_nickname", "ipa-ca-agent") config.set("CA", "pki_admin_subject_dn", str(DN(('cn', 'ipa-ca-agent'), self.subject_base))) - config.set("CA", "pki_client_admin_cert_p12", "/root/ca-agent.p12") + config.set("CA", "pki_client_admin_cert_p12", paths.CA_AGENT_P12) # Directory server config.set("CA", "pki_ds_ldap_port", str(self.ds_port)) @@ -555,9 +556,9 @@ class CAInstance(service.Service): if (self.clone): cafile = self.pkcs12_info[0] - shutil.copy(cafile, "/tmp/ca.p12") + shutil.copy(cafile, paths.TMP_CA_P12) pent = pwd.getpwnam(PKI_USER) - os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid) + os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid) # Security domain registration config.set("CA", "pki_security_domain_hostname", self.master_host) @@ -567,7 +568,7 @@ class CAInstance(service.Service): # Clone config.set("CA", "pki_clone", "True") - config.set("CA", "pki_clone_pkcs12_path", "/tmp/ca.p12") + config.set("CA", "pki_clone_pkcs12_path", paths.TMP_CA_P12) config.set("CA", "pki_clone_pkcs12_password", self.dm_password) config.set("CA", "pki_clone_replication_security", "TLS") config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port)) 
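Review bot: In the hunk at -555 the clone's CA PKCS#12, which carries CA private key material protected by dm_password, is copied to the fixed name paths.TMP_CA_P12 (formerly `/tmp/ca.p12`) in a shared temporary directory, and ownership is adjusted only after the copy. `shutil.copy` follows a pre-existing symlink or overwrites a pre-existing file at that name, and the copy's mode comes from the source and the umask rather than being set explicitly. The commit only centralises the literal, but now that the path is a constant a safer layout would be a directory from `tempfile.mkdtemp()` with the resulting path written into `pki_clone_pkcs12_path` in the hunk at -567; at minimum add `os.chmod(paths.TMP_CA_P12, 0600)` next to the `os.chown` call. The spawn method starts and ends outside the hunk.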
@@ -593,7 +594,7 @@ class CAInstance(service.Service): # Define the things we don't want logged nolog = (self.admin_password, self.dm_password,) - args = ["/usr/sbin/pkispawn", "-s", "CA", "-f", cfg_file ] + args = [paths.PKISPAWN, "-s", "CA", "-f", cfg_file ] with open(cfg_file) as f: root_logger.debug( @@ -613,8 +614,8 @@ class CAInstance(service.Service): print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate" sys.exit(0) else: - shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \ - "/root/cacert.p12") + shutil.move(paths.CA_BACKUP_KEYS_P12, \ + paths.CACERT_P12) root_logger.debug("completed creating ca instance") @@ -624,8 +625,8 @@ class CAInstance(service.Service): """ # Only used for Dogtag 9 - args = ['/usr/bin/pkicreate', - '-pki_instance_root', '/var/lib', + args = [paths.PKICREATE, + '-pki_instance_root', paths.VAR_LIB, '-pki_instance_name', self.dogtag_constants.PKI_INSTANCE_NAME, '-subsystem_type', 'ca', @@ -660,9 +661,9 @@ class CAInstance(service.Service): root_logger.debug("ca user %s exists" % PKI_USER) except KeyError: root_logger.debug("adding ca user %s" % PKI_USER) - args = ["/usr/sbin/useradd", "-c", "CA System User", - "-d", "/var/lib", - "-s", "/sbin/nologin", + args = [paths.USERADD, "-c", "CA System User", + "-d", paths.VAR_LIB, + "-s", paths.NOLOGIN, "-M", "-r", PKI_USER] try: ipautil.run(args) @@ -676,7 +677,7 @@ class CAInstance(service.Service): self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME) try: - args = ["/usr/bin/perl", "/usr/bin/pkisilent", "ConfigureCA", + args = [paths.PERL, paths.PKISILENT, "ConfigureCA", "-cs_hostname", self.fqdn, "-cs_port", str(self.dogtag_constants.ADMIN_SECURE_PORT), "-client_certdb_dir", self.ca_agent_db, 
@@ -731,9 +732,9 @@ class CAInstance(service.Service): """ # The install wizard expects the file to be here. cafile = self.pkcs12_info[0] - shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12") + shutil.copy(cafile, paths.PKI_ALIAS_CA_P12) pent = pwd.getpwnam(PKI_USER) - os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid ) + os.chown(paths.PKI_ALIAS_CA_P12, pent.pw_uid, pent.pw_gid ) args.append("-clone") args.append("true") args.append("-clone_p12_file") @@ -773,8 +774,8 @@ class CAInstance(service.Service): # pkisilent makes a copy of the CA PKCS#12 file for us but gives # it a lousy name. - if ipautil.file_exists("/root/tmp-ca.p12"): - shutil.move("/root/tmp-ca.p12", "/root/cacert.p12") + if ipautil.file_exists(paths.ROOT_TMP_CA_P12): + shutil.move(paths.ROOT_TMP_CA_P12, paths.CACERT_P12) root_logger.debug("completed creating ca instance") @@ -805,7 +806,7 @@ class CAInstance(service.Service): # Look thru the cert chain to get all the certs we need to add # trust for - p = subprocess.Popen(["/usr/bin/certutil", "-d", self.ca_agent_db, + p = subprocess.Popen([paths.CERTUTIL, "-d", self.ca_agent_db, "-O", "-n", "ipa-ca-agent"], stdout=subprocess.PIPE) chain = p.stdout.read() @@ -836,7 +837,7 @@ class CAInstance(service.Service): # to use the final RA agent database when issuing certs for DS and # mod_nss. args = [ - '/usr/bin/sslget', + paths.SSLGET, '-v', '-n', 'ipa-ca-agent', '-p', self.admin_password, @@ -857,7 +858,7 @@ class CAInstance(service.Service): # Now issue the RA certificate. args = [ - '/usr/bin/sslget', + paths.SSLGET, '-v', '-n', 'ipa-ca-agent', '-p', self.admin_password, @@ -951,7 +952,7 @@ class CAInstance(service.Service): database = self.ra_agent_db if not pwd_file: pwd_file = self.ra_agent_pwd - new_args = ["/usr/bin/certutil", "-d", database, "-f", pwd_file] + new_args = [paths.CERTUTIL, "-d", database, "-f", pwd_file] new_args = new_args + args return ipautil.run(new_args, stdin, nolog=(pwd_file,)) 
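Review bot: In the sslget argument lists of the hunks at -836 and -857, `self.admin_password` is still placed directly in argv as the value of `-p`, so it is visible to every local user through the process table for the duration of the call. The commit only swaps the binary path, so this is inherited, but the `ipautil.run` call that consumes these args is outside the hunk; if it does not pass `nolog=(self.admin_password,)` the way the pkispawn call in this file does, the password also ends up in the install log. If sslget accepts a file- or stdin-based password option, prefer it; otherwise a comment on the list, `# NOTE: admin password is exposed in argv for the lifetime of sslget`, at least records the exposure for whoever touches it next.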
@@ -987,9 +988,9 @@ class CAInstance(service.Service): os.write(pwd_fd, self.admin_password) os.close(pwd_fd) try: - ipautil.run(["/usr/bin/pk12util", + ipautil.run([paths.PK12UTIL, "-n", "ipa-ca-agent", - "-o", "/root/ca-agent.p12", + "-o", paths.CA_AGENT_P12, "-d", self.ca_agent_db, "-k", pwd_name, "-w", pwd_name]) @@ -1008,7 +1009,7 @@ class CAInstance(service.Service): # makes openssl throw up. data = base64.b64decode(chain) - (certlist, stderr, returncode) = ipautil.run(["/usr/bin/openssl", + (certlist, stderr, returncode) = ipautil.run([paths.OPENSSL, "pkcs7", "-inform", "DER", @@ -1318,11 +1319,11 @@ class CAInstance(service.Service): try: if self.dogtag_constants.DOGTAG_VERSION >= 10: - ipautil.run(["/usr/sbin/pkidestroy", "-i", + ipautil.run([paths.PKIDESTROY, "-i", self.dogtag_constants.PKI_INSTANCE_NAME, "-s", "CA"]) else: - ipautil.run(["/usr/bin/pkiremove", + ipautil.run([paths.PKIREMOVE, "-pki_instance_root=/var/lib", "-pki_instance_name=%s" % self.dogtag_constants.PKI_INSTANCE_NAME, @@ -1401,7 +1402,7 @@ class CAInstance(service.Service): if not path: iface.add_known_ca( 'dogtag-ipa-ca-renew-agent', - '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit', []) + paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, []) def configure_agent_renewal(self): try: @@ -1409,8 +1410,8 @@ class CAInstance(service.Service): ca='dogtag-ipa-ca-renew-agent', nickname='ipaCert', pin=None, - pinfile='/etc/httpd/alias/pwdfile.txt', - secdir='/etc/httpd/alias', + pinfile=paths.ALIAS_PWDFILE_TXT, + secdir=paths.HTTPD_ALIAS_DIR, pre_command=None, post_command='renew_ra_cert') except (ipautil.CalledProcessError, RuntimeError), e: @@ -1802,5 +1803,5 @@ if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() - ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias") + ca = CAInstance("EXAMPLE.COM", paths.HTTPD_ALIAS_DIR) ca.configure_instance("catest.example.com", "example.com", "password", "password") 
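Review bot: In the hunk at -1318, `"-pki_instance_root=/var/lib"` in the pkiremove argument list keeps a hardcoded path, while `paths.VAR_LIB` is used for the same value in the pkicreate and useradd calls of this file, so a platform that overrides the constant would create the instance under one root and try to remove it from another. Use `"-pki_instance_root=%s" % paths.VAR_LIB`. The try block around the call continues outside the hunk.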
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index a005fb9f7..6e01efb9c 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -42,10 +42,11 @@ from ipalib import pkcs10, x509, api from ipalib.errors import CertificateOperationError from ipalib.text import _ from ipaplatform import services +from ipaplatform.paths import paths # Apache needs access to this database so we need to create it # where apache can reach -NSS_DIR = "/etc/httpd/alias" +NSS_DIR = paths.HTTPD_ALIAS_DIR def find_cert_from_txt(cert, start=0): """ @@ -114,7 +115,7 @@ class NSSDatabase(object): self.close() def run_certutil(self, args, stdin=None): - new_args = ["/usr/bin/certutil", "-d", self.secdir] + new_args = [paths.CERTUTIL, "-d", self.secdir] new_args = new_args + args return ipautil.run(new_args, stdin) @@ -177,12 +178,12 @@ class NSSDatabase(object): def import_pkcs12(self, pkcs12_filename, db_password_filename, pkcs12_passwd=None): - args = ["/usr/bin/pk12util", "-d", self.secdir, + args = [paths.PK12UTIL, "-d", self.secdir, "-i", pkcs12_filename, "-k", db_password_filename, '-v'] if pkcs12_passwd is not None: pkcs12_passwd = pkcs12_passwd + '\n' - args = args + ["-w", "/dev/stdin"] + args = args + ["-w", paths.DEV_STDIN] try: ipautil.run(args, stdin=pkcs12_passwd) except ipautil.CalledProcessError, e: @@ -298,7 +299,7 @@ class CertDB(object): self.cacert_fname = self.secdir + "/cacert.asc" self.pk12_fname = self.secdir + "/cacert.p12" self.pin_fname = self.secdir + "/pin.txt" - self.pwd_conf = "/etc/httpd/conf/password.conf" + self.pwd_conf = paths.HTTPD_PASSWORD_CONF self.reqdir = None self.certreq_fname = None self.certder_fname = None @@ -328,7 +329,7 @@ class CertDB(object): if fstore: self.fstore = fstore else: - self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + self.fstore = sysrestore.FileStore(paths.SYSRESTORE) subject_base = ipautil.dn_attribute_property('_subject_base') 
@@ -351,7 +352,7 @@ class CertDB(object): if self.reqdir is not None: return - self.reqdir = tempfile.mkdtemp('', 'ipa-', '/var/lib/ipa') + self.reqdir = tempfile.mkdtemp('', 'ipa-', paths.VAR_LIB_IPA) self.certreq_fname = self.reqdir + "/tmpcertreq" self.certder_fname = self.reqdir + "/tmpcert.der" @@ -379,7 +380,7 @@ class CertDB(object): def run_signtool(self, args, stdin=None): with open(self.passwd_fname, "r") as f: password = f.readline() - new_args = ["/usr/bin/signtool", "-d", self.secdir, "-p", password] + new_args = [paths.SIGNTOOL, "-d", self.secdir, "-p", password] new_args = new_args + args ipautil.run(new_args, stdin) @@ -446,7 +447,7 @@ class CertDB(object): os.chmod(self.cacert_fname, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH) if create_pkcs12: ipautil.backup_file(self.pk12_fname) - ipautil.run(["/usr/bin/pk12util", "-d", self.secdir, + ipautil.run([paths.PK12UTIL, "-d", self.secdir, "-o", self.pk12_fname, "-n", self.cacert_name, "-w", self.passwd_fname, @@ -508,7 +509,7 @@ class CertDB(object): libpath = 'lib64' else: libpath = 'lib' - command = '/usr/%s/ipa/certmonger/%s' % (libpath, command) + command = paths.CERTMONGER_COMMAND_TEMPLATE % (libpath, command) cmonger = services.knownservices.certmonger cmonger.enable() services.knownservices.messagebus.start() @@ -779,7 +780,7 @@ class CertDB(object): if nickname is None: nickname = get_ca_nickname(api.env.realm) - ipautil.run(["/usr/bin/pk12util", "-d", self.secdir, + ipautil.run([paths.PK12UTIL, "-d", self.secdir, "-o", pkcs12_fname, "-n", nickname, "-k", self.passwd_fname, @@ -787,7 +788,7 @@ class CertDB(object): def export_pem_p12(self, pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname): - ipautil.run(["/usr/bin/openssl", "pkcs12", + ipautil.run([paths.OPENSSL, "pkcs12", "-export", "-name", nickname, "-in", pem_fname, "-out", pkcs12_fname, "-passout", "file:" + pkcs12_pwd_fname]) 
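Review bot: In the hunk at -379, `run_signtool` puts the NSS database password read from passwd_fname into argv (`"-p", password`) and then calls `ipautil.run(new_args, stdin)` with no `nolog`, whereas the certutil wrapper in cainstance passes `nolog=(pwd_file,)` and the pkispawn call passes the passwords themselves; if ipautil.run logs its argument list, the password is written to the install log. Pass it through: `ipautil.run(new_args, stdin, nolog=(password,))`. Separately, `f.readline()` keeps a trailing newline if the file has one, which would then be handed to signtool as part of the password; `f.readline().rstrip("\n")` is the usual guard, if signtool does not already tolerate it.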
@@ -857,7 +858,7 @@ class CertDB(object): def install_pem_from_p12(self, p12_fname, p12_passwd, pem_fname): pwd = ipautil.write_tmp_file(p12_passwd) - ipautil.run(["/usr/bin/openssl", "pkcs12", "-nodes", + ipautil.run([paths.OPENSSL, "pkcs12", "-nodes", "-in", p12_fname, "-out", pem_fname, "-passin", "file:" + pwd.name]) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index c1b2ba62a..2a9f3b618 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -43,9 +43,10 @@ from ipaplatform.tasks import tasks from ipalib.constants import CACERT from ipapython.dn import DN from ipaplatform import services +from ipaplatform.paths import paths -SERVER_ROOT_64 = "/usr/lib64/dirsrv" -SERVER_ROOT_32 = "/usr/lib/dirsrv" +SERVER_ROOT_64 = paths.USR_LIB_DIRSRV_64 +SERVER_ROOT_32 = paths.USR_LIB_DIRSRV DS_USER = 'dirsrv' DS_GROUP = 'dirsrv' 
@@ -75,32 +76,32 @@ def realm_to_serverid(realm_name): return "-".join(realm_name.split(".")) def config_dirname(serverid): - return "/etc/dirsrv/slapd-" + serverid + "/" + return (paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % serverid) + "/" def schema_dirname(serverid): return config_dirname(serverid) + "/schema/" def erase_ds_instance_data(serverid): - installutils.rmtree("/etc/dirsrv/slapd-%s" % serverid) + installutils.rmtree(paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % serverid) - installutils.rmtree("/usr/lib/dirsrv/slapd-%s" % serverid) + installutils.rmtree(paths.USR_LIB_SLAPD_INSTANCE_TEMPLATE % serverid) - installutils.rmtree("/usr/lib64/dirsrv/slapd-%s" % serverid) + installutils.rmtree(paths.USR_LIB_DIRSRV_SLAPD_INSTANCE_DIR_TEMPLATE % serverid) - installutils.rmtree("/var/lib/dirsrv/slapd-%s" % serverid) + installutils.rmtree(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % serverid) - installutils.rmtree("/var/lock/dirsrv/slapd-%s" % serverid) + installutils.rmtree(paths.SLAPD_INSTANCE_LOCK_TEMPLATE % serverid) - installutils.remove_file("/var/run/slapd-%s.socket" % serverid) + installutils.remove_file(paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % serverid) - installutils.rmtree("/var/lib/dirsrv/scripts-%s" % serverid) + installutils.rmtree(paths.VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE % serverid) - installutils.remove_file("/etc/dirsrv/ds.keytab") + installutils.remove_file(paths.DS_KEYTAB) - installutils.remove_file("/etc/sysconfig/dirsrv-%s" % serverid) + installutils.remove_file(paths.SYSCONFIG_DIRSRV_INSTANCE % serverid) # try: -# shutil.rmtree("/var/log/dirsrv/slapd-%s" % serverid) +# shutil.rmtree(paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % serverid) # except: # pass @@ -112,7 +113,7 @@ def get_ds_instances(): matches 389ds behavior. ''' - dirsrv_instance_dir='/etc/dirsrv' + dirsrv_instance_dir=paths.ETC_DIRSRV instance_prefix = 'slapd-' instances = [] 
@@ -158,11 +159,11 @@ def create_ds_user(): except KeyError: root_logger.debug('Adding DS user %s', DS_USER) args = [ - '/usr/sbin/useradd', + paths.USERADD, '-g', DS_GROUP, '-c', 'DS System User', - '-d', '/var/lib/dirsrv', - '-s', '/sbin/nologin', + '-d', paths.VAR_LIB_DIRSRV, + '-s', paths.NOLOGIN, '-M', '-r', DS_USER ] try: @@ -184,7 +185,7 @@ def create_ds_group(): except KeyError: group_exists = False root_logger.debug('Adding DS group %s', DS_GROUP) - args = ['/usr/sbin/groupadd', '-r', DS_GROUP] + args = [paths.GROUPADD, '-r', DS_GROUP] try: ipautil.run(args) root_logger.debug('Done adding DS group') @@ -251,7 +252,7 @@ class DsInstance(service.Service): if fstore: self.fstore = fstore else: - self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + self.fstore = sysrestore.FileStore(paths.SYSRESTORE) subject_base = ipautil.dn_attribute_property('_subject_base') @@ -433,13 +434,13 @@ class DsInstance(service.Service): pent = pwd.getpwnam(DS_USER) self.backup_state("serverid", self.serverid) - self.fstore.backup_file("/etc/sysconfig/dirsrv") + self.fstore.backup_file(paths.SYSCONFIG_DIRSRV) self.sub_dict['BASEDC'] = self.realm.split('.')[0].lower() base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict) root_logger.debug(base_txt) - target_fname = '/var/lib/dirsrv/boot.ldif' + target_fname = paths.DIRSRV_BOOT_LDIF base_fd = open(target_fname, "w") base_fd.write(base_txt) base_fd.close() 
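Review bot: In the hunk at -433, `base_fd = open(target_fname, "w")` followed by a write and an explicit close is a bare acquire/release pair; if the write raises, the descriptor stays open until garbage collection. A `with open(target_fname, "w") as base_fd: base_fd.write(base_txt)` block preserves behaviour and closes on error as well, and the file already relies on the with statement elsewhere in this series (certs.py, cainstance.py). The method continues outside the hunk.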
@@ -453,11 +454,11 @@ class DsInstance(service.Service): inf_fd = ipautil.write_tmp_file(inf_txt) inf_txt = re.sub(r"RootDNPwd=.*\n", "", inf_txt) root_logger.debug(inf_txt) - if ipautil.file_exists("/usr/sbin/setup-ds.pl"): - args = ["/usr/sbin/setup-ds.pl", "--silent", "--logfile", "-", "-f", inf_fd.name] + if ipautil.file_exists(paths.SETUP_DS_PL): + args = [paths.SETUP_DS_PL, "--silent", "--logfile", "-", "-f", inf_fd.name] root_logger.debug("calling setup-ds.pl") else: - args = ["/usr/bin/ds_newinst.pl", inf_fd.name] + args = [paths.DS_NEWINST_PL, inf_fd.name] root_logger.debug("calling ds_newinst.pl") try: ipautil.run(args) @@ -476,7 +477,7 @@ class DsInstance(service.Service): print "failed to restart ds instance", e root_logger.debug("failed to restart ds instance %s" % e) inf_fd.close() - os.remove("/var/lib/dirsrv/boot.ldif") + os.remove(paths.DIRSRV_BOOT_LDIF) def __add_default_schemas(self): pent = pwd.getpwnam(DS_USER) @@ -560,7 +561,7 @@ class DsInstance(service.Service): def __enable_compat_plugin(self): ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict) - rv = ld.update(['/usr/share/ipa/schema_compat.uldif']) + rv = ld.update([paths.SCHEMA_COMPAT_ULDIF]) if not rv: raise RuntimeError("Enabling compatibility plugin failed") @@ -591,8 +592,8 @@ class DsInstance(service.Service): def configure_dirsrv_ccache(self): pent = pwd.getpwnam("dirsrv") - ccache = '/tmp/krb5cc_%d' % pent.pw_uid - filepath = '/etc/sysconfig/dirsrv' + ccache = paths.TMP_KRB5CC % pent.pw_uid + filepath = paths.SYSCONFIG_DIRSRV if not os.path.exists(filepath): # file doesn't exist; create it with correct ownership & mode open(filepath, 'a').close() 
@@ -753,15 +754,15 @@ class DsInstance(service.Service): admpwdfile = "" try: - (dmpwdfd, dmpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa') + (dmpwdfd, dmpwdfile) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA) os.write(dmpwdfd, self.dm_password) os.close(dmpwdfd) - (admpwdfd, admpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa') + (admpwdfd, admpwdfile) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA) os.write(admpwdfd, password) os.close(admpwdfd) - args = ["/usr/bin/ldappasswd", "-h", self.fqdn, + args = [paths.LDAPPASSWD, "-h", self.fqdn, "-ZZ", "-x", "-D", str(DN(('cn', 'Directory Manager'))), "-y", dmpwdfile, "-T", admpwdfile, str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))] @@ -790,8 +791,8 @@ class DsInstance(service.Service): running = self.restore_state("running") try: - self.fstore.restore_file("/etc/security/limits.conf") - self.fstore.restore_file("/etc/sysconfig/dirsrv") + self.fstore.restore_file(paths.LIMITS_CONF) + self.fstore.restore_file(paths.SYSCONFIG_DIRSRV) except ValueError, error: root_logger.debug(error) pass diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 2709356be..3ca3bf77f 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -35,19 +35,9 @@ from ipapython.ipa_log_manager import * from ipaserver.install import sysupgrade from ipalib import api from ipaplatform.tasks import tasks +from ipaplatform.paths import paths from ipalib.constants import CACERT -HTTPD_DIR = "/etc/httpd" -SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf" -NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf" - -selinux_warning = """ -WARNING: could not set selinux boolean(s) %(var)s to true. The web -interface may not function correctly until this boolean is successfully -change with the command: - /usr/sbin/setsebool -P %(var)s true -Try updating the policycoreutils and selinux-policy packages. -""" def httpd_443_configured(): """ 
@@ -58,7 +48,7 @@ def httpd_443_configured(): False otherwise. """ try: - (stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D', 'DUMP_VHOSTS']) + (stdout, stderr, rc) = ipautil.run([paths.HTTPD, '-t', '-D', 'DUMP_VHOSTS']) except ipautil.CalledProcessError, e: service.print_msg("WARNING: cannot check if port 443 is already configured") service.print_msg("httpd returned error when checking: %s" % e) @@ -84,7 +74,7 @@ class HTTPInstance(service.Service): if fstore: self.fstore = fstore else: - self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + self.fstore = sysrestore.FileStore(paths.SYSRESTORE) self.cert_nickname = cert_nickname @@ -151,15 +141,15 @@ class HTTPInstance(service.Service): else: updates = ["%s=%s" % update for update in changes.iteritems()] - args = ["/usr/sbin/setsebool", "-P"] + args = [paths.SETSEBOOL, "-P"] args.extend(updates) return args selinux = False try: - if (os.path.exists('/usr/sbin/selinuxenabled')): - ipautil.run(["/usr/sbin/selinuxenabled"]) + if (os.path.exists(paths.SELINUXENABLED)): + ipautil.run([paths.SELINUXENABLED]) selinux = True except ipautil.CalledProcessError: # selinuxenabled returns 1 if not enabled @@ -173,7 +163,7 @@ class HTTPInstance(service.Service): ("httpd_manage_ipa", "on")) for setting, state in required_settings: try: - (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", setting]) + (stdout, stderr, returncode) = ipautil.run([paths.GETSEBOOL, setting]) original_state = stdout.split()[2] self.backup_state(setting, original_state) 
@@ -208,12 +198,12 @@ class HTTPInstance(service.Service): def __create_http_keytab(self): installutils.kadmin_addprinc(self.principal) - installutils.create_keytab("/etc/httpd/conf/ipa.keytab", self.principal) + installutils.create_keytab(paths.IPA_KEYTAB, self.principal) self.move_service(self.principal) self.add_cert_to_service() pent = pwd.getpwnam("apache") - os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) + os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid) def remove_httpd_ccache(self): # Clean up existing ccache @@ -222,17 +212,17 @@ class HTTPInstance(service.Service): ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={}) def __configure_http(self): - target_fname = '/etc/httpd/conf.d/ipa.conf' + target_fname = paths.HTTPD_IPA_CONF http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict) - self.fstore.backup_file("/etc/httpd/conf.d/ipa.conf") + self.fstore.backup_file(paths.HTTPD_IPA_CONF) http_fd = open(target_fname, "w") http_fd.write(http_txt) http_fd.close() os.chmod(target_fname, 0644) - target_fname = '/etc/httpd/conf.d/ipa-rewrite.conf' + target_fname = paths.HTTPD_IPA_REWRITE_CONF http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict) - self.fstore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf") + self.fstore.backup_file(paths.HTTPD_IPA_REWRITE_CONF) http_fd = open(target_fname, "w") http_fd.write(http_txt) http_fd.close() 
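Review bot: `__create_http_keytab` chowns `paths.IPA_KEYTAB` to apache but, unlike the bindinstance hunk in this same commit which follows `os.chown(paths.NAMED_KEYTAB, ...)` with `os.chmod(paths.NAMED_KEYTAB, 0400)`, never tightens the mode, so the keytab keeps whatever mode `installutils.create_keytab` left (not visible here). Unless create_keytab is known to create the file 0600 or stricter, add `os.chmod(paths.IPA_KEYTAB, 0400)` after the chown so the HTTP service key is readable only by the apache user, matching the named keytab handling.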
@@ -249,28 +239,28 @@ class HTTPInstance(service.Service): # # Remove the workaround. if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): - installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False) + installutils.set_directive(paths.HTTPD_NSS_CONF, 'Listen', '443', quotes=False) sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False) def __set_mod_nss_port(self): - self.fstore.backup_file(NSS_CONF) - if installutils.update_file(NSS_CONF, '8443', '443') != 0: - print "Updating port in %s failed." % NSS_CONF + self.fstore.backup_file(paths.HTTPD_NSS_CONF) + if installutils.update_file(paths.HTTPD_NSS_CONF, '8443', '443') != 0: + print "Updating port in %s failed." % paths.HTTPD_NSS_CONF def __set_mod_nss_nickname(self, nickname): - installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) + installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname) def enable_mod_nss_renegotiate(self): - installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on', False) - installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) + installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) + installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) def __set_mod_nss_passwordfile(self): - installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf') + installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf') def __add_include(self): """This should run after __set_mod_nss_port so is already backed up""" - if installutils.update_file(NSS_CONF, '', 'Include conf.d/ipa-rewrite.conf\n') != 0: - print "Adding Include conf.d/ipa-rewrite to %s failed." % NSS_CONF + if installutils.update_file(paths.HTTPD_NSS_CONF, '', 'Include conf.d/ipa-rewrite.conf\n') != 0: + print "Adding Include conf.d/ipa-rewrite to %s failed." 
% paths.HTTPD_NSS_CONF def __setup_ssl(self): fqdn = self.fqdn @@ -321,7 +311,7 @@ class HTTPInstance(service.Service): tasks.restore_context(certs.NSS_DIR + "/key3.db") def __setup_autoconfig(self): - target_fname = '/usr/share/ipa/html/preferences.html' + target_fname = paths.PREFERENCES_HTML ipautil.copy_template_file( ipautil.SHARE_DIR + "preferences.html.template", target_fname, self.sub_dict) @@ -335,8 +325,8 @@ class HTTPInstance(service.Service): # Setup configure.jar if db.has_nickname('Signing-Cert'): tmpdir = tempfile.mkdtemp(prefix="tmp-") - target_fname = '/usr/share/ipa/html/configure.jar' - shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir) + target_fname = paths.CONFIGURE_JAR + shutil.copy(paths.PREFERENCES_HTML, tmpdir) db.run_signtool(["-k", "Signing-Cert", "-Z", target_fname, "-e", ".html", "-p", pwd, @@ -356,7 +346,7 @@ class HTTPInstance(service.Service): ``force`` is true. """ - target_fname = '/usr/share/ipa/html/krb.js' + target_fname = paths.KRB_JS if os.path.exists(target_fname) and not force: root_logger.info( '%s exists, skipping install of Firefox extension', @@ -375,8 +365,8 @@ class HTTPInstance(service.Service): # Setup extension tmpdir = tempfile.mkdtemp(prefix="tmp-") extdir = tmpdir + "/ext" - target_fname = "/usr/share/ipa/html/kerberosauth.xpi" - shutil.copytree("/usr/share/ipa/ffextension", extdir) + target_fname = paths.KERBEROSAUTH_XPI + shutil.copytree(paths.FFEXTENSION, extdir) if db.has_nickname('Signing-Cert'): db.run_signtool(["-k", "Signing-Cert", "-p", pwd, 
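Review bot: __set_mod_nss_passwordfile still writes the literal `'file:/etc/httpd/conf/password.conf'` into nss.conf, so the NSSPassPhraseDialog directive keeps a hard-coded path while every other path in this hunk moved to the paths module; on a platform where paths.HTTPD_PASSWORD_CONF differs, mod_nss would point at a password file that ipa-backup (which this commit switches to paths.HTTPD_PASSWORD_CONF) does not save. `installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:' + paths.HTTPD_PASSWORD_CONF)` keeps the two in step.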
@@ -386,14 +376,14 @@ class HTTPInstance(service.Service): root_logger.warning('Object-signing certificate was not found. ' 'Creating unsigned Firefox configuration extension.') filenames = os.listdir(extdir) - ipautil.run(['/usr/bin/zip', '-r', target_fname] + filenames, + ipautil.run([paths.ZIP, '-r', target_fname] + filenames, cwd=extdir) shutil.rmtree(tmpdir) os.chmod(target_fname, 0644) def __publish_ca_cert(self): ca_db = certs.CertDB(self.realm) - ca_db.publish_ca_cert("/usr/share/ipa/html/ca.crt") + ca_db.publish_ca_cert(paths.CA_CRT) def uninstall(self): if self.is_configured(): @@ -409,7 +399,7 @@ class HTTPInstance(service.Service): if not enabled is None and not enabled: self.disable() - for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]: + for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF]: try: self.fstore.restore_file(f) except ValueError, error: @@ -417,15 +407,15 @@ class HTTPInstance(service.Service): pass # Remove the configuration files we create - installutils.remove_file("/etc/httpd/conf.d/ipa-rewrite.conf") - installutils.remove_file("/etc/httpd/conf.d/ipa.conf") - installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf") + installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF) + installutils.remove_file(paths.HTTPD_IPA_CONF) + installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF) for var in ["httpd_can_network_connect", "httpd_manage_ipa"]: sebool_state = self.restore_state(var) if not sebool_state is None: try: - ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state]) + ipautil.run([paths.SETSEBOOL, "-P", var, sebool_state]) except ipautil.CalledProcessError, e: self.print_msg("Cannot restore SELinux boolean '%s' back to '%s': %s" \ % (var, sebool_state, e)) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 48c347e04..2c7479795 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -43,6 +43,7 @@ from ipalib import errors from ipapython.dn import DN from ipaserver.install import certs, service from ipaplatform import services +from ipaplatform.paths import paths # Used to determine install status IPA_MODULES = [ @@ -172,7 +173,7 @@ def verify_fqdn(host_name, no_host_dns=False, local_hostname=True): raise HostReverseLookupError("The host name %s does not match the reverse lookup %s" % (host_name, revname)) verified.add(address) -def record_in_hosts(ip, host_name=None, file="/etc/hosts"): +def record_in_hosts(ip, host_name=None, file=paths.HOSTS): """ Search record in /etc/hosts - static table lookup for hostnames @@ -209,7 +210,7 @@ def record_in_hosts(ip, host_name=None, file="/etc/hosts"): return None -def add_record_to_hosts(ip, host_name, file="/etc/hosts"): +def add_record_to_hosts(ip, host_name, file=paths.HOSTS): hosts_fd = open(file, 'r+') hosts_fd.seek(0, 2) hosts_fd.write(ip+'\t'+host_name+' '+host_name.split('.')[0]+'\n') @@ -488,7 +489,7 @@ def get_server_ip_address(host_name, fstore, unattended, options): if hosts_record is None: if ip_add_to_hosts: print "Adding ["+ip_address+" "+host_name+"] to your /etc/hosts file" - fstore.backup_file("/etc/hosts") + fstore.backup_file(paths.HOSTS) add_record_to_hosts(ip_address, host_name) else: primary_host = hosts_record[1][0] @@ -566,7 +567,7 @@ def check_server_configuration(): Most convenient use case for the function is in install tools that require configured IPA for its function. """ - server_fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + server_fstore = sysrestore.FileStore(paths.SYSRESTORE) if not server_fstore.has_files(): raise RuntimeError("IPA is not configured on this system.") 
@@ -597,8 +598,8 @@ def is_ipa_configured(): """ installed = False - sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore') - fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + sstore = sysrestore.StateFile(paths.SYSRESTORE) + fstore = sysrestore.FileStore(paths.SYSRESTORE) for module in IPA_MODULES: if sstore.has_state(module): diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index e704c1cb8..91330dfa3 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -25,6 +25,7 @@ import time import pwd from optparse import OptionGroup from ConfigParser import SafeConfigParser +from ipaplatform.paths import paths from ipaplatform import services from ipalib import api, errors @@ -62,14 +63,14 @@ EOF --keyring /root/backup.pub --list-secret-keys """ -BACKUP_DIR = '/var/lib/ipa/backup' +BACKUP_DIR = paths.IPA_BACKUP_DIR def encrypt_file(filename, keyring, remove_original=True): source = filename dest = filename + '.gpg' - args = ['/usr/bin/gpg', + args = [paths.GPG, '--batch', '--default-recipient-self', '-o', dest] 
@@ -96,91 +97,91 @@ def encrypt_file(filename, keyring, remove_original=True): class Backup(admintool.AdminTool): command_name = 'ipa-backup' - log_file_name = '/var/log/ipabackup.log' + log_file_name = paths.IPABACKUP_LOG usage = "%prog [options]" description = "Back up IPA files and databases." - dirs = ('/usr/share/ipa/html', - '/root/.pki', - '/etc/pki-ca', - '/etc/pki/pki-tomcat', - '/etc/sysconfig/pki', - '/etc/httpd/alias', - '/var/lib/pki', - '/var/lib/pki-ca', - '/var/lib/ipa/sysrestore', - '/var/lib/ipa-client/sysrestore', - '/var/lib/sss/pubconf/krb5.include.d', - '/var/lib/authconfig/last', - '/var/lib/certmonger', - '/var/lib/ipa', - '/var/run/dirsrv', - '/var/lock/dirsrv', + dirs = (paths.IPA_HTML_DIR, + paths.ROOT_PKI, + paths.ETC_PKI_CA_DIR, + paths.PKI_TOMCAT, + paths.SYSCONFIG_PKI, + paths.HTTPD_ALIAS_DIR, + paths.VAR_LIB_PKI_DIR, + paths.VAR_LIB_PKI_CA_DIR, + paths.SYSRESTORE, + paths.IPA_CLIENT_SYSRESTORE, + paths.SSS_KRB5_INCLUDE_D, + paths.AUTHCONFIG_LAST, + paths.VAR_LIB_CERTMONGER_DIR, + paths.VAR_LIB_IPA, + paths.VAR_RUN_DIRSRV_DIR, + paths.DIRSRV_LOCK_DIR, ) files = ( - '/etc/named.conf', - '/etc/named.keytab', - '/etc/resolv.conf', - '/etc/sysconfig/pki-ca', - '/etc/sysconfig/pki-tomcat', - '/etc/sysconfig/dirsrv', - '/etc/sysconfig/ntpd', - '/etc/sysconfig/krb5kdc', - '/etc/sysconfig/pki/ca/pki-ca', - '/etc/sysconfig/authconfig', - '/etc/pki/nssdb/cert8.db', - '/etc/pki/nssdb/key3.db', - '/etc/pki/nssdb/secmod.db', - '/etc/nsswitch.conf', - '/etc/krb5.keytab', - '/etc/sssd/sssd.conf', - '/etc/openldap/ldap.conf', - '/etc/security/limits.conf', - '/etc/httpd/conf/password.conf', - '/etc/httpd/conf/ipa.keytab', - '/etc/httpd/conf.d/ipa-pki-proxy.conf', - '/etc/httpd/conf.d/ipa-rewrite.conf', - '/etc/httpd/conf.d/nss.conf', - '/etc/httpd/conf.d/ipa.conf', - '/etc/ssh/sshd_config', - '/etc/ssh/ssh_config', - '/etc/krb5.conf', - '/etc/group', - '/etc/passwd', + paths.NAMED_CONF, + paths.NAMED_KEYTAB, + paths.RESOLV_CONF, + 
paths.SYSCONFIG_PKI_CA_DIR, + paths.SYSCONFIG_PKI_TOMCAT, + paths.SYSCONFIG_DIRSRV, + paths.SYSCONFIG_NTPD, + paths.SYSCONFIG_KRB5KDC_DIR, + paths.SYSCONFIG_PKI_CA_PKI_CA_DIR, + paths.ETC_SYSCONFIG_AUTHCONFIG, + paths.NSSDB_CERT8_DB, + paths.NSSDB_KEY3_DB, + paths.NSSDB_SECMOD_DB, + paths.NSSWITCH_CONF, + paths.KRB5_KEYTAB, + paths.SSSD_CONF, + paths.OPENLDAP_LDAP_CONF, + paths.LIMITS_CONF, + paths.HTTPD_PASSWORD_CONF, + paths.IPA_KEYTAB, + paths.HTTPD_IPA_PKI_PROXY_CONF, + paths.HTTPD_IPA_REWRITE_CONF, + paths.HTTPD_NSS_CONF, + paths.HTTPD_IPA_CONF, + paths.SSHD_CONFIG, + paths.SSH_CONFIG, + paths.KRB5_CONF, + paths.GROUP, + paths.PASSWD, CACERT, - '/etc/ipa/default.conf', - '/etc/dirsrv/ds.keytab', - '/etc/ntp.conf', - '/etc/samba/smb.conf', - '/etc/samba/samba.keytab', - '/root/ca-agent.p12', - '/root/cacert.p12', - '/var/kerberos/krb5kdc/kdc.conf', - '/etc/systemd/system/multi-user.target.wants/ipa.service', - '/etc/systemd/system/multi-user.target.wants/sssd.service', - '/etc/systemd/system/multi-user.target.wants/certmonger.service', - '/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service', - '/var/run/ipa/services.list', + paths.IPA_DEFAULT_CONF, + paths.DS_KEYTAB, + paths.NTP_CONF, + paths.SMB_CONF, + paths.SAMBA_KEYTAB, + paths.CA_AGENT_P12, + paths.CACERT_P12, + paths.KRB5KDC_KDC_CONF, + paths.SYSTEMD_IPA_SERVICE, + paths.SYSTEMD_SSSD_SERVICE, + paths.SYSTEMD_CERTMONGER_SERVICE, + paths.SYSTEMD_PKI_TOMCAT_SERVICE, + paths.SVC_LIST_FILE, ) logs=( - '/var/log/pki-ca', - '/var/log/pki/', - '/var/log/dirsrv/slapd-PKI-IPA', - '/var/log/httpd', - '/var/log/ipaserver-install.log', - '/var/log/kadmind.log', - '/var/log/pki-ca-install.log', - '/var/log/messages', - '/var/log/ipaclient-install.log', - '/var/log/secure', - '/var/log/ipaserver-uninstall.log', - '/var/log/pki-ca-uninstall.log', - '/var/log/ipaclient-uninstall.log', - '/var/named/data/named.run', + paths.PKI_CA_LOG_DIR, + paths.VAR_LOG_PKI_DIR, + paths.VAR_LOG_SLAPD_PKI_IPA_DIR, 
+ paths.VAR_LOG_HTTPD_DIR, + paths.IPASERVER_INSTALL_LOG, + paths.KADMIND_LOG, + paths.PKI_CA_INSTALL_LOG, + paths.MESSAGES, + paths.IPACLIENT_INSTALL_LOG, + paths.LOG_SECURE, + paths.IPASERVER_UNINSTALL_LOG, + paths.PKI_CA_UNINSTALL_LOG, + paths.IPACLIENT_UNINSTALL_LOG, + paths.NAMED_RUN, ) def __init__(self, options, args): @@ -277,8 +278,8 @@ class Backup(admintool.AdminTool): run(['ipactl', 'stop']) for instance in [realm_to_serverid(api.env.realm), 'PKI-IPA']: - if os.path.exists('/var/lib/dirsrv/slapd-%s' % instance): - if os.path.exists('/var/lib/dirsrv/slapd-%s/db/ipaca' % instance): + if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % instance): + if os.path.exists(paths.IPACA_DIRSRV_INSTANCE_DB_TEMPLATE % instance): self.db2ldif(instance, 'ipaca', online=options.online) self.db2ldif(instance, 'userRoot', online=options.online) self.db2bak(instance, online=options.online) 
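Review bot: Several of the new constants in the files tuple carry a `_DIR` suffix but replace regular files: `paths.SYSCONFIG_PKI_CA_DIR` stands for /etc/sysconfig/pki-ca, `paths.SYSCONFIG_KRB5KDC_DIR` for /etc/sysconfig/krb5kdc and `paths.SYSCONFIG_PKI_CA_PKI_CA_DIR` for /etc/sysconfig/pki/ca/pki-ca, and the krbinstance hunk hands the same KRB5KDC constant to backup_config_and_replace_variables and restore_context as a file. Naming them without the suffix (SYSCONFIG_PKI_CA, SYSCONFIG_KRB5KDC, SYSCONFIG_PKI_CA_PKI_CA) would stop the next reader from treating them as directories in os.path.join or os.listdir calls. If `paths.VAR_LOG_PKI_DIR` preserves the trailing slash of '/var/log/pki/', that is worth a comment as well, since it is the only entry in logs that had one. The Backup class continues outside the hunk.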
@@ -310,26 +311,26 @@ class Backup(admintool.AdminTool): instance. ''' for dir in [ - '/etc/dirsrv/slapd-%s' % realm_to_serverid(api.env.realm), - '/var/lib/dirsrv/scripts-%s' % realm_to_serverid(api.env.realm), - '/var/lib/dirsrv/slapd-%s' % realm_to_serverid(api.env.realm), - '/usr/lib64/dirsrv/slapd-PKI-IPA', - '/usr/lib/dirsrv/slapd-PKI-IPA', - '/etc/dirsrv/slapd-PKI-IPA', - '/var/lib/dirsrv/slapd-PKI-IPA', + paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % realm_to_serverid(api.env.realm), + paths.VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE % realm_to_serverid(api.env.realm), + paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % realm_to_serverid(api.env.realm), + paths.VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE, + paths.USR_LIB_SLAPD_PKI_IPA_DIR, + paths.ETC_SLAPD_PKI_IPA_DIR, + paths.VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE, self.__find_scripts_dir('PKI-IPA'), ]: if os.path.exists(dir): self.dirs.append(dir) for file in [ - '/etc/sysconfig/dirsrv-%s' % realm_to_serverid(api.env.realm), - '/etc/sysconfig/dirsrv-PKI-IPA']: + paths.SYSCONFIG_DIRSRV_INSTANCE % realm_to_serverid(api.env.realm), + paths.SYSCONFIG_DIRSRV_PKI_IPA_DIR]: if os.path.exists(file): self.files.append(file) for log in [ - '/var/log/dirsrv/slapd-%s' % realm_to_serverid(api.env.realm),]: + paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % realm_to_serverid(api.env.realm),]: self.logs.append(log) @@ -372,7 +373,7 @@ class Backup(admintool.AdminTool): ldifname = '%s-%s.ldif' % (instance, backend) ldiffile = os.path.join( - '/var/lib/dirsrv/slapd-%s/ldif' % instance, + paths.SLAPD_INSTANCE_LDIF_DIR_TEMPLATE % instance, ldifname) if online: @@ -421,7 +422,7 @@ class Backup(admintool.AdminTool): cn = time.strftime('backup_%Y_%m_%d_%H_%M_%S') dn = DN(('cn', cn), ('cn', 'backup'), ('cn', 'tasks'), ('cn', 'config')) - bakdir = os.path.join('/var/lib/dirsrv/slapd-%s/bak/%s' % (instance, instance)) + bakdir = os.path.join(paths.SLAPD_INSTANCE_BACKUP_DIR_TEMPLATE % (instance, instance)) if online: conn = self.get_connection() 
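Review bot: In the dirs list `paths.VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE` appears twice, replacing both '/usr/lib64/dirsrv/slapd-PKI-IPA' and '/var/lib/dirsrv/slapd-PKI-IPA', so whichever of the two the constant does not expand to is silently dropped from the backup set, and a name ending in _TEMPLATE is used without a `%` substitution unlike the other templates in this hunk. The lib64 location is probably still covered by `self.__find_scripts_dir('PKI-IPA')` at the end of the list, but that should be stated rather than relied on: either restore the entry with a constant of its own or remove the duplicate together with a comment pointing at __find_scripts_dir. In the files loop `paths.SYSCONFIG_DIRSRV_PKI_IPA_DIR` likewise names a file, not a directory.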
@@ -560,10 +561,10 @@ class Backup(admintool.AdminTool): does so we need to probe for it. """ if instance != 'PKI-IPA': - return os.path.join('/var/lib/dirsrv', 'scripts-%s' % instance) + return os.path.join(paths.VAR_LIB_DIRSRV, 'scripts-%s' % instance) else: if sys.maxsize > 2**32L: libpath = 'lib64' else: libpath = 'lib' - return os.path.join('/usr', libpath, 'dirsrv', 'slapd-PKI-IPA') + return os.path.join(paths.USR_DIR, libpath, 'dirsrv', 'slapd-PKI-IPA') diff --git a/ipaserver/install/ipa_ldap_updater.py b/ipaserver/install/ipa_ldap_updater.py index d894b3024..e8ef2b576 100644 --- a/ipaserver/install/ipa_ldap_updater.py +++ b/ipaserver/install/ipa_ldap_updater.py @@ -30,6 +30,7 @@ import krbV from ipalib import api from ipapython import ipautil, admintool +from ipaplatform.paths import paths from ipaserver.install import installutils, dsinstance, schemaupdate from ipaserver.install.ldapupdate import LDAPUpdate, UPDATES_DIR from ipaserver.install.upgradeinstance import IPAUpgrade @@ -94,7 +95,7 @@ class LDAPUpdater(admintool.AdminTool): except RuntimeError, e: print unicode(e) sys.exit(1) - elif not os.path.exists('/etc/ipa/default.conf'): + elif not os.path.exists(paths.IPA_DEFAULT_CONF): print "IPA is not configured on this system." sys.exit(1) @@ -124,7 +125,7 @@ class LDAPUpdater(admintool.AdminTool): class LDAPUpdater_Upgrade(LDAPUpdater): - log_file_name = '/var/log/ipaupgrade.log' + log_file_name = paths.IPAUPGRADE_LOG def validate_options(self): if os.getegid() != 0: @@ -154,7 +155,7 @@ class LDAPUpdater_Upgrade(LDAPUpdater): class LDAPUpdater_NonUpgrade(LDAPUpdater): - log_file_name = '/var/log/ipaupgrade.log' + log_file_name = paths.IPAUPGRADE_LOG def validate_options(self): super(LDAPUpdater_NonUpgrade, self).validate_options() diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index e71dd22e4..81b54211f 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py 
@@ -34,6 +34,7 @@ from ipapython.dn import DN from ipapython import version from ipalib import api from ipalib import errors +from ipaplatform.paths import paths from ipalib.constants import CACERT @@ -60,7 +61,7 @@ class ReplicaPrepare(admintool.AdminTool): parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false", default=True, help="disables pkinit setup steps") - parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12", + parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12, metavar="FILE", help="location of CA PKCS#12 file, default /root/cacert.p12") @@ -358,16 +359,16 @@ class ReplicaPrepare(admintool.AdminTool): self.log.info("Copying additional files") self.copy_info_file(CACERT, "ca.crt") - preferences_filename = "/usr/share/ipa/html/preferences.html" + preferences_filename = paths.PREFERENCES_HTML if ipautil.file_exists(preferences_filename): self.copy_info_file(preferences_filename, "preferences.html") - self.copy_info_file("/usr/share/ipa/html/krb.js", "krb.js") + self.copy_info_file(paths.KRB_JS, "krb.js") self.copy_info_file( - "/usr/share/ipa/html/kerberosauth.xpi", "kerberosauth.xpi") - jar_filename = "/usr/share/ipa/html/configure.jar" + paths.KERBEROSAUTH_XPI, "kerberosauth.xpi") + jar_filename = paths.CONFIGURE_JAR if ipautil.file_exists(jar_filename): self.copy_info_file(jar_filename, "configure.jar") - cacert_filename = "/var/kerberos/krb5kdc/cacert.pem" + cacert_filename = paths.CACERT_PEM if ipautil.file_exists(cacert_filename): self.copy_info_file(cacert_filename, "cacert.pem") 
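Review bot: The --ca option now defaults to `paths.CACERT_P12` but its help string still says `default /root/cacert.p12`, so on any platform where the constant differs the help text is wrong. optparse expands `%default` in help strings, so `help="location of CA PKCS#12 file, default %default"` keeps the two in sync without a second reference to the constant. The option-parser setup continues outside the hunk.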
@@ -387,12 +388,12 @@ class ReplicaPrepare(admintool.AdminTool): config.write(fd) def package_replica_file(self): - replicafile = "/var/lib/ipa/replica-info-%s" % self.replica_fqdn + replicafile = paths.REPLICA_INFO_TEMPLATE % self.replica_fqdn encfile = "%s.gpg" % replicafile self.log.info("Packaging replica information into %s", encfile) ipautil.run( - ["/bin/tar", "cf", replicafile, "-C", self.top_dir, "realm_info"]) + [paths.TAR, "cf", replicafile, "-C", self.top_dir, "realm_info"]) ipautil.encrypt_file( replicafile, encfile, self.dirman_password, self.top_dir) @@ -546,7 +547,7 @@ class ReplicaPrepare(admintool.AdminTool): dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password) keydb_pwd = '' - with open('/etc/pki/pki-tomcat/password.conf') as f: + with open(paths.PKI_TOMCAT_PASSWORD_CONF) as f: for line in f.readlines(): key, value = line.strip().split('=') if key == 'internal': @@ -556,8 +557,8 @@ class ReplicaPrepare(admintool.AdminTool): keydb_pwd_fd = ipautil.write_tmp_file(keydb_pwd) ipautil.run([ - '/usr/bin/PKCS12Export', - '-d', '/etc/pki/pki-tomcat/alias/', + paths.PKCS12EXPORT, + '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-p', keydb_pwd_fd.name, '-w', dm_pwd_fd.name, '-o', ca_file diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index bf9b95a84..948d0be32 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -40,6 +40,7 @@ from ipapython import ipaldap from ipaplatform.tasks import tasks from ipaserver.install.ipa_backup import BACKUP_DIR from ipaplatform import services +from ipaplatform.paths import paths def recursive_chown(path, uid, gid): @@ -65,7 +66,7 @@ def decrypt_file(tmpdir, filename, keyring): dest = os.path.basename(dest) dest = os.path.join(tmpdir, dest) - args = ['/usr/bin/gpg', + args = [paths.GPG, '--batch', '-o', dest] 
@@ -88,7 +89,7 @@ def decrypt_file(tmpdir, filename, keyring): class Restore(admintool.AdminTool): command_name = 'ipa-restore' - log_file_name = '/var/log/iparestore.log' + log_file_name = paths.IPARESTORE_LOG usage = "%prog [options] backup" @@ -180,7 +181,7 @@ class Restore(admintool.AdminTool): if not options.instance: instances = [] for instance in [realm_to_serverid(api.env.realm), 'PKI-IPA']: - if os.path.exists('/var/lib/dirsrv/slapd-%s' % instance): + if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % instance): instances.append(instance) else: instances = [options.instance] @@ -277,10 +278,10 @@ class Restore(admintool.AdminTool): # have a unified instance we need to restore both userRoot and # ipaca. for instance in instances: - if os.path.exists('/var/lib/dirsrv/slapd-%s' % instance): + if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % instance): if options.backend is None: self.ldif2db(instance, 'userRoot', online=options.online) - if os.path.exists('/var/lib/dirsrv/slapd-%s/db/ipaca' % instance): + if os.path.exists(paths.IPACA_DIRSRV_INSTANCE_DB_TEMPLATE % instance): self.ldif2db(instance, 'ipaca', online=options.online) else: self.ldif2db(instance, options.backend, online=options.online) @@ -589,13 +590,13 @@ class Restore(admintool.AdminTool): does so we need to probe for it. """ if instance != 'PKI-IPA': - return os.path.join('/var/lib/dirsrv', 'scripts-%s' % instance) + return os.path.join(paths.VAR_LIB_DIRSRV, 'scripts-%s' % instance) else: if sys.maxsize > 2**32L: libpath = 'lib64' else: libpath = 'lib' - return os.path.join('/usr', libpath, 'dirsrv', 'slapd-PKI-IPA') + return os.path.join(paths.USR_DIR, libpath, 'dirsrv', 'slapd-PKI-IPA') def __create_dogtag_log_dirs(self): """ 
@@ -606,16 +607,16 @@ class Restore(admintool.AdminTool): or a d10-based installation. We can tell based on whether there is a PKI-IPA 389-ds instance. """ - if os.path.exists('/etc/dirsrv/slapd-PKI-IPA'): # dogtag 9 - topdir = '/var/log/pki-ca' + if os.path.exists(paths.ETC_SLAPD_PKI_IPA_DIR): # dogtag 9 + topdir = paths.PKI_CA_LOG_DIR dirs = [topdir, '/var/log/pki-ca/signedAudit,'] else: # dogtag 10 - topdir = '/var/log/pki/pki-tomcat' + topdir = paths.TOMCAT_TOPLEVEL_DIR dirs = [topdir, - '/var/log/pki/pki-tomcat/ca', - '/var/log/pki/pki-tomcat/ca/archive', - '/var/log/pki/pki-tomcat/ca/signedAudit',] + paths.TOMCAT_CA_DIR, + paths.TOMCAT_CA_ARCHIVE_DIR, + paths.TOMCAT_SIGNEDAUDIT_DIR,] if os.path.exists(topdir): return diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py index a1c7c8e91..af5d21a2a 100644 --- a/ipaserver/install/ipa_server_certinstall.py +++ b/ipaserver/install/ipa_server_certinstall.py @@ -24,6 +24,7 @@ import os.path import pwd import optparse +from ipaplatform.paths import paths from ipapython import admintool from ipapython.dn import DN from ipapython.ipautil import user_input, write_tmp_file @@ -132,14 +133,14 @@ class ServerCertInstall(admintool.AdminTool): def install_http_cert(self): dirname = certs.NSS_DIR - old_cert = installutils.get_directive(httpinstance.NSS_CONF, + old_cert = installutils.get_directive(paths.HTTPD_NSS_CONF, 'NSSNickname') server_cert = self.import_cert(dirname, self.options.pin, old_cert, 'HTTP/%s' % api.env.host, 'restart_httpd') - installutils.set_directive(httpinstance.NSS_CONF, + installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', server_cert) # Fix the database permissions diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index cbb54236e..81ed10581 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py 
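Review bot: The dogtag 9 branch still builds `dirs = [topdir, '/var/log/pki-ca/signedAudit,']`, leaving a literal path in the one place this hunk was meant to clean up, and the literal carries a stray comma inside the string, so the directory created later (presumably from this list, outside the hunk) would be named `signedAudit,` rather than `signedAudit`. `dirs = [topdir, os.path.join(paths.PKI_CA_LOG_DIR, 'signedAudit')]` fixes both at once and matches how the dogtag 10 branch now derives its entries. __create_dogtag_log_dirs continues outside the hunk.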
@@ -45,6 +45,7 @@ import struct import certs from distutils import version from ipaplatform.tasks import tasks +from ipaplatform.paths import paths def update_key_val_in_file(filename, key, val): if os.path.exists(filename): @@ -88,7 +89,7 @@ class KrbInstance(service.Service): if fstore: self.fstore = fstore else: - self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + self.fstore = sysrestore.FileStore(paths.SYSRESTORE) suffix = ipautil.dn_attribute_property('_suffix') subject_base = ipautil.dn_attribute_property('_subject_base') @@ -345,11 +346,11 @@ class KrbInstance(service.Service): print "Failed to initialize the realm container" def __configure_instance(self): - self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=None) - self.__template_file("/etc/krb5.conf") - self.__template_file("/usr/share/ipa/html/krb5.ini") - self.__template_file("/usr/share/ipa/html/krb.con") - self.__template_file("/usr/share/ipa/html/krbrealm.con") + self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None) + self.__template_file(paths.KRB5_CONF) + self.__template_file(paths.HTML_KRB5_INI) + self.__template_file(paths.KRB_CON) + self.__template_file(paths.HTML_KRBREALM_CON) MIN_KRB5KDC_WITH_WORKERS = "1.9" cpus = os.sysconf('SC_NPROCESSORS_ONLN') @@ -367,10 +368,10 @@ class KrbInstance(service.Service): appendvars = {} if workers and cpus > 1: appendvars = {'KRB5KDC_ARGS': "'-w %s'" % str(cpus)} - ipautil.backup_config_and_replace_variables(self.fstore, "/etc/sysconfig/krb5kdc", + ipautil.backup_config_and_replace_variables(self.fstore, paths.SYSCONFIG_KRB5KDC_DIR, replacevars=replacevars, appendvars=appendvars) - tasks.restore_context("/etc/sysconfig/krb5kdc") + tasks.restore_context(paths.SYSCONFIG_KRB5KDC_DIR) def __write_stash_from_ds(self): try: 
@@ -390,7 +391,7 @@ class KrbInstance(service.Service): format = '=hi%ss' % len(keydata) s = struct.pack(format, keytype, len(keydata), keydata) try: - fd = open("/var/kerberos/krb5kdc/.k5."+self.realm, "w") + fd = open(paths.VAR_KRB5KDC_K5_REALM+self.realm, "w") fd.write(s) fd.close() except os.error, e: @@ -406,23 +407,23 @@ class KrbInstance(service.Service): installutils.kadmin_addprinc(ldap_principal) self.move_service(ldap_principal) - self.fstore.backup_file("/etc/dirsrv/ds.keytab") - installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal) + self.fstore.backup_file(paths.DS_KEYTAB) + installutils.create_keytab(paths.DS_KEYTAB, ldap_principal) - update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab") + update_key_val_in_file(paths.SYSCONFIG_DIRSRV, "KRB5_KTNAME", paths.DS_KEYTAB) pent = pwd.getpwnam(dsinstance.DS_USER) - os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid) + os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid) def __create_host_keytab(self): host_principal = "host/" + self.fqdn + "@" + self.realm installutils.kadmin_addprinc(host_principal) - self.fstore.backup_file("/etc/krb5.keytab") - installutils.create_keytab("/etc/krb5.keytab", host_principal) + self.fstore.backup_file(paths.KRB5_KEYTAB) + installutils.create_keytab(paths.KRB5_KEYTAB, host_principal) # Make sure access is strictly reserved to root only for now - os.chown("/etc/krb5.keytab", 0, 0) - os.chmod("/etc/krb5.keytab", 0600) + os.chown(paths.KRB5_KEYTAB, 0, 0) + os.chmod(paths.KRB5_KEYTAB, 0600) self.move_service_to_host(host_principal) 
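Review bot: `open(paths.VAR_KRB5KDC_K5_REALM+self.realm, "w")` relies on the constant being a filename prefix ending in '.k5.', which its name does not convey and which departs from the `_TEMPLATE % value` convention the rest of this commit uses; a template constant used as `paths.<STASH_TEMPLATE> % self.realm` (name to be chosen) would make the intent visible. Independently, this file is the KDC master-key stash and the open() creates it with umask-derived permissions; unless the mode is restricted outside the hunk, the `os.chown(..., 0, 0)` / `os.chmod(..., 0600)` treatment the host keytab gets further down in this file belongs here too. __write_stash_from_ds continues outside the hunk.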
@@ -433,13 +434,13 @@ class KrbInstance(service.Service): if self.pkcs12_info: ca_db.install_pem_from_p12(self.pkcs12_info[0], self.pkcs12_info[1], - "/var/kerberos/krb5kdc/kdc.pem") + paths.KDC_PEM) else: raise RuntimeError("PKI not supported yet\n") # Finally copy the cacert in the krb directory so we don't # have any selinux issues with the file context - shutil.copyfile(CACERT, "/var/kerberos/krb5kdc/cacert.pem") + shutil.copyfile(CACERT, paths.CACERT_PEM) def __add_anonymous_pkinit_principal(self): princ = "WELLKNOWN/ANONYMOUS" @@ -472,7 +473,7 @@ class KrbInstance(service.Service): except: pass - for f in ["/var/kerberos/krb5kdc/kdc.conf", "/etc/krb5.conf"]: + for f in [paths.KRB5KDC_KDC_CONF, paths.KRB5_CONF]: try: self.fstore.restore_file(f) except ValueError, error: diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index a9167aeee..ecdf8e6e1 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py @@ -22,8 +22,6 @@ # TODO # save undo files? -UPDATES_DIR="/usr/share/ipa/updates/" - import sys import uuid import platform @@ -41,11 +39,14 @@ from ipaserver.install import installutils from ipapython import ipautil, ipaldap from ipalib import errors from ipalib import api +from ipaplatform.paths import paths from ipapython.dn import DN from ipapython.ipa_log_manager import * from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE from ipaserver.plugins import ldap2 +UPDATES_DIR=paths.UPDATES_DIR + def connect(ldapi=False, realm=None, fqdn=None, dm_password=None, pw_name=None): """Create a connection for updates""" diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py index f2e8ffe36..c653525d3 100644 --- a/ipaserver/install/ntpinstance.py +++ b/ipaserver/install/ntpinstance.py 
@@ -21,6 +21,7 @@ import service from ipapython import sysrestore from ipapython import ipautil +from ipaplatform.paths import paths from ipapython.ipa_log_manager import * class NTPInstance(service.Service): @@ -30,20 +31,20 @@ class NTPInstance(service.Service): if fstore: self.fstore = fstore else: - self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + self.fstore = sysrestore.FileStore(paths.SYSRESTORE) def __write_config(self): - self.fstore.backup_file("/etc/ntp.conf") - self.fstore.backup_file("/etc/sysconfig/ntpd") + self.fstore.backup_file(paths.NTP_CONF) + self.fstore.backup_file(paths.SYSCONFIG_NTPD) # We use the OS variable to point it towards either the rhel # or fedora pools. Other distros should be added in the future # or we can get our own pool. os = "" - if ipautil.file_exists("/etc/fedora-release"): + if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): os = "fedora" - elif ipautil.file_exists("/etc/redhat-release"): + elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): os = "rhel" srv_vals = [] @@ -57,7 +58,7 @@ class NTPInstance(service.Service): file_changed = False fudge_present = False ntpconf = [] - fd = open("/etc/ntp.conf", "r") + fd = open(paths.NTP_CONF, "r") for line in fd: opt = line.split() if len(opt) < 1: @@ -85,7 +86,7 @@ class NTPInstance(service.Service): ntpconf.append(line) if file_changed or len(srv_vals) != 0 or not fudge_present: - fd = open("/etc/ntp.conf", "w") + fd = open(paths.NTP_CONF, "w") for line in ntpconf: fd.write(line) fd.write("\n### Added by IPA Installer ###\n") @@ -99,7 +100,7 @@ class NTPInstance(service.Service): #read in memory, find OPTIONS, check/change it, then overwrite file needopts = [ {'val':'-x', 'need':True}, {'val':'-g', 'need':True} ] - fd = open("/etc/sysconfig/ntpd", "r") + fd = open(paths.SYSCONFIG_NTPD, "r") lines = fd.readlines() fd.close() for line in lines: 
@@ -118,7 +119,7 @@ class NTPInstance(service.Service): done = False if newopts: - fd = open("/etc/sysconfig/ntpd", "w") + fd = open(paths.SYSCONFIG_NTPD, "w") for line in lines: if not done: sline = line.strip() @@ -167,7 +168,7 @@ class NTPInstance(service.Service): self.stop() try: - self.fstore.restore_file("/etc/ntp.conf") + self.fstore.restore_file(paths.NTP_CONF) except ValueError, error: root_logger.debug(error) pass diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py index b2a7ba7cc..37b5487fe 100644 --- a/ipaserver/install/plugins/ca_renewal_master.py +++ b/ipaserver/install/plugins/ca_renewal_master.py @@ -22,6 +22,7 @@ from ipaserver.install import installutils, certs, cainstance from ipalib import errors from ipalib.plugable import Registry from ipapython import certmonger, dogtag +from ipaplatform.paths import paths from ipapython.dn import DN register = Registry() @@ -52,7 +53,7 @@ class update_ca_renewal_master(PostUpdate): return (False, False, []) criteria = ( - ('cert_storage_location', '/etc/httpd/alias', certmonger.NPATH), + ('cert_storage_location', paths.HTTPD_ALIAS_DIR, certmonger.NPATH), ('cert_nickname', 'ipaCert', None), ) request_id = certmonger.get_request_id(criteria) diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py index a4bc79238..7566b6cd8 100644 --- a/ipaserver/install/plugins/updateclient.py +++ b/ipaserver/install/plugins/updateclient.py @@ -22,6 +22,7 @@ from ipaserver.install.ldapupdate import LDAPUpdate from ipapython.ipautil import wait_for_open_socket from ipalib import api from ipalib import backend +from ipaplatform.paths import paths from ipapython.dn import DN class updateclient(backend.Executioner): 
@@ -143,7 +144,7 @@ class updateclient(backend.Executioner): def restart(self, dm_password, live_run): dsrestart = DSRestart() - socket_name = '/var/run/slapd-%s.socket' % \ + socket_name = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % \ api.env.realm.replace('.','-') if live_run: self.destroy_context() diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index dd12c0d1d..2805624af 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -30,6 +30,7 @@ from ipapython.ipa_log_manager import * from ipapython import ipautil, dogtag, ipaldap from ipapython.dn import DN from ipaplatform import services +from ipaplatform.paths import paths # the default container used by AD for user entries WIN_USER_CONTAINER = DN(('cn', 'Users')) @@ -68,7 +69,7 @@ def replica_conn_check(master_host, host_name, realm, check_ca, Does not return a value, will sys.exit() on failure. """ print "Run connection check to master" - args = ["/usr/sbin/ipa-replica-conncheck", "--master", master_host, + args = [paths.IPA_REPLICA_CONNCHECK, "--master", master_host, "--auto-master-check", "--realm", realm, "--principal", "admin", "--hostname", host_name] diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 6108a2b2a..9e4ea3700 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -29,6 +29,7 @@ from ipapython.dn import DN from ipapython.ipa_log_manager import * from ipalib import errors from ipaplatform import services +from ipaplatform.paths import paths # Autobind modes AUTO = 1 @@ -88,7 +89,7 @@ class Service(object): if sstore: self.sstore = sstore else: - self.sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore') + self.sstore = sysrestore.StateFile(paths.SYSRESTORE) self.realm = None self.suffix = DN() 
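Review bot: In the updateclient `-143` hunk the new `paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % api.env.realm.replace('.','-')` keeps an inline realm-to-instance transform, while the upgradeinstance hunk further down feeds the same kind of template with `dsinstance.realm_to_serverid(realm_name)`. If both are meant to name the same 389-ds instance, `socket_name = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % dsinstance.realm_to_serverid(api.env.realm)` keeps a single definition of the mapping, assuming dsinstance can be imported here without a cycle. The surrounding restart() body continues outside the hunk.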
@@ -155,7 +156,7 @@ class Service(object): if 'RANDOM_PASSWORD' in sub_dict: nologlist.append(sub_dict['RANDOM_PASSWORD']) - args = ["/usr/bin/ldapmodify", "-v", "-f", path] + args = [paths.LDAPMODIFY, "-v", "-f", path] # As we always connect to the local host, # use URI of admin connection diff --git a/ipaserver/install/sysupgrade.py b/ipaserver/install/sysupgrade.py index c508d2bbd..d11d0a979 100644 --- a/ipaserver/install/sysupgrade.py +++ b/ipaserver/install/sysupgrade.py @@ -21,9 +21,10 @@ import os import os.path from ipapython import sysrestore +from ipaplatform.paths import paths from ipapython.ipa_log_manager import * -STATEFILE_DIR = '/var/lib/ipa/sysupgrade' +STATEFILE_DIR = paths.STATEFILE_DIR STATEFILE_FILE = 'sysupgrade.state' _sstore = sysrestore.StateFile(STATEFILE_DIR, STATEFILE_FILE) diff --git a/ipaserver/install/upgradeinstance.py b/ipaserver/install/upgradeinstance.py index 85c39b554..66eafa8cc 100644 --- a/ipaserver/install/upgradeinstance.py +++ b/ipaserver/install/upgradeinstance.py @@ -22,6 +22,7 @@ import sys import shutil import random import traceback +from ipaplatform.paths import paths from ipapython.ipa_log_manager import * from ipaserver.install import installutils @@ -30,7 +31,7 @@ from ipaserver.install import schemaupdate from ipaserver.install import ldapupdate from ipaserver.install import service -DSBASE = '/etc/dirsrv/slapd-' +DSBASE = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE DSE = 'dse.ldif' class IPAUpgrade(service.Service): @@ -53,8 +54,8 @@ class IPAUpgrade(service.Service): ext += h service.Service.__init__(self, "dirsrv") serverid = dsinstance.realm_to_serverid(realm_name) - self.filename = '%s%s/%s' % (DSBASE, serverid, DSE) - self.savefilename = '%s%s/%s.ipa.%s' % (DSBASE, serverid, DSE, ext) + self.filename = '%s/%s' % (DSBASE % serverid, DSE) + self.savefilename = '%s/%s.ipa.%s' % (DSBASE % serverid, DSE, ext) self.live_run = live_run self.files = files self.modified = False 
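Review bot: In the upgradeinstance `-30` hunk `DSBASE` changes meaning from a path prefix to a `%`-template but keeps its name, so a reader of the module, or any use of DSBASE outside the `-53` hunk that I cannot see, has no cue that the old `'%s%s' % (DSBASE, serverid)` form would now produce a literal `%s` in the path. Either rename it to `DSBASE_TEMPLATE` or annotate the constant with `# %-template: DSBASE % serverid is the instance's config directory`. The `-53` hunk's `DSBASE % serverid` is correct as written; the class body continues outside the hunk.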
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 123c2d54a..0b95ece79 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1212,6 +1212,7 @@ from ipalib.constants import TYPE_ERROR from ipalib.util import cachedproperty from ipapython import dogtag from ipalib import _ +from ipaplatform.paths import paths class ra(rabase.rabase): """ @@ -1222,8 +1223,8 @@ class ra(rabase.rabase): self.sec_dir = api.env.dot_ipa + os.sep + 'alias' self.pwd_file = self.sec_dir + os.sep + '.pwd' else: - self.sec_dir = "/etc/httpd/alias" - self.pwd_file = "/etc/httpd/alias/pwdfile.txt" + self.sec_dir = paths.HTTPD_ALIAS_DIR + self.pwd_file = paths.ALIAS_PWDFILE_TXT self.noise_file = self.sec_dir + os.sep + '.noise' self.ipa_key_size = "2048" self.ipa_certificate_nickname = "ipaCert" diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index aa379be60..e14969970 100644 --- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -35,6 +35,7 @@ from ipalib import Backend from ipalib import errors from ipaserver.install import certs import os +from ipaplatform.paths import paths class rabase(Backend): """ @@ -45,8 +46,8 @@ class rabase(Backend): self.sec_dir = api.env.dot_ipa + os.sep + 'alias' self.pwd_file = self.sec_dir + os.sep + '.pwd' else: - self.sec_dir = "/etc/httpd/alias" - self.pwd_file = "/etc/httpd/alias/pwdfile.txt" + self.sec_dir = paths.HTTPD_ALIAS_DIR + self.pwd_file = paths.ALIAS_PWDFILE_TXT super(rabase, self).__init__() diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index edce23654..ff1b7fe65 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -51,6 +51,7 @@ from ipalib.krb_utils import ( KRB5_CCache, krb_ticket_expiration_threshold, krb5_format_principal_name, krb5_format_service_principal_name) from ipapython import ipautil +from ipaplatform.paths import paths from ipapython.version import VERSION from ipalib.text import _ 
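Review bot: In the dogtag `-1222` hunk, and identically in the rabase `-45` hunk, `self.sec_dir` and `self.pwd_file` now come from two unrelated constants, `paths.HTTPD_ALIAS_DIR` and `paths.ALIAS_PWDFILE_TXT`, whereas the in-tree branch just above derives the password file from `sec_dir`; nothing here ties the NSS database directory to the file holding its password, so a platform that overrides one constant but not the other gets a silently mismatched pair. Deriving it as `self.pwd_file = os.path.join(self.sec_dir, 'pwdfile.txt')` mirrors the in-tree branch, or at least a comment `# must live inside sec_dir; keep ALIAS_PWDFILE_TXT and HTTPD_ALIAS_DIR in step in ipaplatform` records the invariant. ra extends rabase and repeats the same branch, so if ra chains to rabase.__init__ the fix belongs there once; both __init__ bodies continue outside the hunks.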
@@ -977,7 +978,7 @@ class login_password(Backend, KerberosSession, HTTP_Status): # get http service ccache as an armor for FAST to enable OTP authentication armor_principal = krb5_format_service_principal_name( 'HTTP', self.api.env.host, realm) - keytab = '/etc/httpd/conf/ipa.keytab' + keytab = paths.IPA_KEYTAB armor_name = "%sA_%s" % (krbccache_prefix, user) armor_path = os.path.join(krbccache_dir, armor_name) @@ -985,7 +986,7 @@ class login_password(Backend, KerberosSession, HTTP_Status): armor_principal, keytab, armor_path) (stdout, stderr, returncode) = ipautil.run( - ['/usr/bin/kinit', '-kt', keytab, armor_principal], + [paths.KINIT, '-kt', keytab, armor_principal], env={'KRB5CCNAME': armor_path}, raiseonerr=False) if returncode != 0: @@ -995,7 +996,7 @@ class login_password(Backend, KerberosSession, HTTP_Status): principal = krb5_format_principal_name(user, realm) (stdout, stderr, returncode) = ipautil.run( - ['/usr/bin/kinit', principal, '-T', armor_path], + [paths.KINIT, principal, '-T', armor_path], env={'KRB5CCNAME': ccache_name}, stdin=password, raiseonerr=False) self.debug('kinit: principal=%s returncode=%s, stderr="%s"', @@ -1003,7 +1004,7 @@ class login_password(Backend, KerberosSession, HTTP_Status): self.debug('Cleanup the armor ccache') ipautil.run( - ['/usr/bin/kdestroy', '-A', '-c', armor_path], + [paths.KDESTROY, '-A', '-c', armor_path], env={'KRB5CCNAME': armor_path}, raiseonerr=False) -- cgit
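Review bot: In the `-995` hunk the user kinit that now runs `[paths.KINIT, principal, '-T', armor_path]` is not guarded, and the kdestroy of the armor ccache in the `-1003` hunk runs only on the straight-line path; `raiseonerr=False` suppresses a non-zero exit but not an exception raised by ipautil.run itself (an OSError if the binary is missing, for instance), and such an exception skips the cleanup and leaves the armor credential cache on disk under `krbccache_dir`. Wrapping the user kinit in `try:` and moving the `ipautil.run([paths.KDESTROY, '-A', '-c', armor_path], ...)` call into a `finally:` block makes the cleanup unconditional. login_password's body starts and ends outside these hunks, so an outer handler may already cover this.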