diff options
| author | Matthew Harmsen <mharmsen@redhat.com> | 2012-05-23 18:59:06 -0700 |
|---|---|---|
| committer | Matthew Harmsen <mharmsen@redhat.com> | 2012-05-25 14:59:48 -0700 |
| commit | 4a263b8db27208413acd0f038ea67629d5ee27bb (patch) | |
| tree | 8c747215e522100304e9afced96d0720bd49501d /base/deploy | |
| parent | 2408bec41a56378fcf942a68a1ab290464c001d7 (diff) | |
| download | pki-4a263b8db27208413acd0f038ea67629d5ee27bb.tar.gz pki-4a263b8db27208413acd0f038ea67629d5ee27bb.tar.xz pki-4a263b8db27208413acd0f038ea67629d5ee27bb.zip | |
PKI Deployment Scriptlets
* Integration of Tomcat 7
* Addition of centralized 'pki-tomcatd' systemd functionality to the
PKI Deployment strategy
* Removal of 'pki_flavor' attribute
Diffstat (limited to 'base/deploy')
| -rw-r--r-- | base/deploy/CMakeLists.txt | 16 | ||||
| -rw-r--r-- | base/deploy/config/pkideployment.cfg | 5 | ||||
| -rw-r--r-- | base/deploy/config/pkislots.cfg | 3 | ||||
| -rw-r--r-- | base/deploy/scripts/operations | 1155 | ||||
| -rwxr-xr-x | base/deploy/scripts/pkidaemon | 74 | ||||
| -rwxr-xr-x | base/deploy/src/pkidestroy | 22 | ||||
| -rwxr-xr-x | base/deploy/src/pkispawn | 22 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/configuration.py | 19 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/finalization.py | 10 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/infrastructure_layout.py | 6 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/instance_layout.py | 12 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkiconfig.py | 12 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkiparser.py | 236 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/slot_substitution.py | 20 |
14 files changed, 1491 insertions, 121 deletions
diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt index 44705818c..c7c4bd19b 100644 --- a/base/deploy/CMakeLists.txt +++ b/base/deploy/CMakeLists.txt @@ -23,6 +23,7 @@ set(APACHE_SUBSYSTEMS install( FILES + scripts/pkidaemon src/pkispawn src/pkidestroy DESTINATION @@ -35,6 +36,17 @@ install( install( FILES + scripts/operations + DESTINATION + ${DATA_INSTALL_DIR}/scripts/ + PERMISSIONS + OWNER_EXECUTE OWNER_WRITE OWNER_READ + GROUP_EXECUTE GROUP_READ + WORLD_EXECUTE WORLD_READ +) + +install( + FILES config/pkideployment.cfg config/pkislots.cfg DESTINATION @@ -97,8 +109,8 @@ install( ) # install empty directories -#install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/lock/pki)") -#install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/run/pki)") +install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/lock/pki)") +install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/run/pki)") # install subsystem directories for pkispawn and pkidestroy foreach(PKI_SUBSYSTEM ${PKI_SUBSYSTEMS}) diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg index c9c356043..dd688ed09 100644 --- a/base/deploy/config/pkideployment.cfg +++ b/base/deploy/config/pkideployment.cfg @@ -15,23 +15,20 @@ pki_ajp_port=8009 pki_proxy_http_port=80 pki_proxy_https_port=443 pki_security_manager=true +pki_tomcat_server_port=8005 [CA] pki_subsystem=CA pki_war_name=ca.war -pki_tomcat_server_port=9701 [KRA] pki_subsystem=KRA pki_war_name=kra.war -pki_tomcat_server_port=10701 [OCSP] pki_subsystem=OCSP pki_war_name=ocsp.war -pki_tomcat_server_port=11701 [RA] pki_subsystem=RA [TKS] pki_subsystem=TKS pki_war_name=tks.war -pki_tomcat_server_port=13701 [TPS] pki_subsystem=TPS diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg index b04b8efa0..b6c40ebe3 100644 --- a/base/deploy/config/pkislots.cfg +++ b/base/deploy/config/pkislots.cfg @@ -15,6 +15,7 @@ PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT] PKI_LOCKDIR_SLOT=[PKI_LOCKDIR] PKI_PIDDIR_SLOT=[PKI_PIDDIR] PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE] +PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE] PORT_SLOT=[PORT] PROCESS_ID_SLOT=[PROCESS_ID] REQUIRE_CFG_PL_SLOT=[REQUIRE_CFG_PL] @@ -48,7 +49,6 @@ PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_UI] PKI_EE_SECURE_PORT_SLOT=[PKI_EE_SECURE_PORT] PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_PORT_CONNECTOR_NAME] PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_PORT_SERVER_COMMENT] -PKI_FLAVOR_SLOT=[PKI_FLAVOR] PKI_GROUP_SLOT=[PKI_GROUP] PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID] PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT] @@ -76,6 +76,7 @@ PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT] PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME] PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT] PKI_USER_SLOT=[PKI_USER] +PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE] PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME] TOMCAT_CFG_SLOT=[TOMCAT_CFG] TOMCAT_INSTANCE_COMMON_LIB_SLOT=[TOMCAT_INSTANCE_COMMON_LIB] diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations new file mode 100644 index 000000000..ea7527f31 --- /dev/null +++ b/base/deploy/scripts/operations @@ -0,0 +1,1155 @@ +#!/bin/bash -X + +# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": +# +# Status Exit Codes +# +# 0 program is running or service is OK +# 1 program is dead and /var/run pid file exists +# 2 program is dead and /var/lock lock file exists +# 3 program is not running +# 4 program or service status is unknown +# 5-99 reserved for future LSB use +# 100-149 reserved for distribution use +# 150-199 reserved for application use +# 200-254 reserved +# +# Non-Status Exit Codes +# +# 0 action was successful +# 1 generic or unspecified error (current practice) +# 2 invalid or excess argument(s) +# 3 unimplemented feature (for example, "reload") +# 4 user had insufficient privilege +# 5 program is not installed +# 6 program is not configured +# 7 program is not running +# 8-99 reserved for future LSB use +# 100-149 reserved for distribution use +# 150-199 reserved for application use +# 200-254 reserved +# + +# PKI subsystem-level directory and file values for locks +lockfile="/var/lock/subsys/${SERVICE_NAME}" + +default_error=0 + +case $command in + start|stop|restart|condrestart|force-restart|try-restart) + # 1 generic or unspecified error (current practice) + default_error=1 + ;; + reload) + default_error=3 + ;; + status) + # 4 program or service status is unknown + default_error=4 + ;; + *) + # 2 invalid argument(s) + default_error=2 + ;; +esac + +# Enable nullglob, if set then shell pattern globs which do not match any +# file returns the empty string rather than the unmodified glob pattern. +shopt -s nullglob + +OS=`uname -s` +ARCHITECTURE=`uname -i` + +# Check to insure that this script's original invocation directory +# has not been deleted! +CWD=`/bin/pwd > /dev/null 2>&1` +if [ $? -ne 0 ] ; then + echo "Cannot invoke '$PROG_NAME' from non-existent directory!" + exit ${default_error} +fi + +# Check to insure that this script's associated PKI +# subsystem currently resides on this system. +PKI_CA_PATH="/usr/share/pki/ca" +PKI_KRA_PATH="/usr/share/pki/kra" +PKI_OCSP_PATH="/usr/share/pki/ocsp" +PKI_RA_PATH="/usr/share/pki/ra" +PKI_TKS_PATH="/usr/share/pki/tks" +PKI_TPS_PATH="/usr/share/pki/tps" +if [ '${PKI_TYPE}' == "apache" ] ; then + if [ ! -d ${PKI_RA_PATH} ] && + [ ! -d ${PKI_TPS_PATH} ] ; then + echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!" + if [ "${command}" != "status" ]; then + # 5 program is not installed + exit 5 + else + exit ${default_error} + fi + fi +elif [ '${PKI_TYPE}' == "tomcat" ] ; then + if [ ! -d ${PKI_CA_PATH} ] && + [ ! -d ${PKI_KRA_PATH} ] && + [ ! -d ${PKI_OCSP_PATH} ] && + [ ! -d ${PKI_TKS_PATH} ] ; then + echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!" + if [ "${command}" != "status" ]; then + # 5 program is not installed + exit 5 + else + exit ${default_error} + fi + fi +fi + +# This script must be run as root! +RV=0 +if [ `id -u` -ne 0 ] ; then + echo "Must be 'root' to execute '$PROG_NAME'!" + if [ "${command}" != "status" ]; then + # 4 user had insufficient privilege + exit 4 + else + # 4 program or service status is unknown + exit 4 + fi +fi + +PKI_REGISTRY_ENTRIES="" +TOTAL_PKI_REGISTRY_ENTRIES=0 +TOTAL_UNCONFIGURED_PKI_ENTRIES=0 + +# Gather ALL registered instances of this PKI web server type +for INSTANCE in ${PKI_REGISTRY}/*; do + if [ -d "$INSTANCE" ] ; then + for REGISTRY in ${INSTANCE}/*; do + if [ -f "$REGISTRY" ] ; then + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $REGISTRY" + TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` + fi + done + fi +done + +# Execute the specified registered instance of this PKI web server type +if [ -n "${pki_instance_id}" ]; then + for INSTANCE in ${PKI_REGISTRY_ENTRIES}; do + if [ "${PKI_REGISTRY}/${pki_instance_id}" = "$INSTANCE" ]; then + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance_id}" + TOTAL_PKI_REGISTRY_ENTRIES=1 + break + fi + done +fi + +usage() +{ + echo -n "Usage: ${SERVICE_PROG} ${SERVICE_NAME}" + echo -n "{start" + echo -n "|stop" + echo -n "|restart" + echo -n "|condrestart" + echo -n "|force-restart" + echo -n "|try-restart" + echo -n "|reload" + echo -n "|status} " + echo -n "[instance-name]" + echo + echo +} + +usage_systemd() +{ + echo -n "Usage: /usr/bin/pkidaemon " + echo -n "{start" + echo -n "|stop" + echo -n "|restart" + echo -n "|condrestart" + echo -n "|force-restart" + echo -n "|try-restart" + echo -n "|reload" + echo -n "|status} " + echo -n "subsystem-type " + echo -n "[instance-name]" + echo + echo +} + + +list_instances() +{ + echo + for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do + instance_name=`basename $PKI_REGISTRY_ENTRY` + echo " $instance_name" + done + echo +} + +# Check arguments +if [ $SYSTEMD ]; then + if [ $# -lt 2 ] ; then + # [insufficient arguments] + echo "$PROG_NAME: Insufficient arguments!" + echo + usage_systemd + echo "where valid instance names include:" + list_instances + exit 3 + elif [ ${default_error} -eq 2 ] ; then + # 2 invalid argument + echo "$PROG_NAME: Invalid arguments!" + echo + usage_systemd + echo "where valid instance names include:" + list_instances + exit 2 + elif [ $# -gt 3 ] ; then + echo "$PROG_NAME: Excess arguments!" + echo + usage_systemd + echo "where valid instance names include:" + list_instances + if [ "${command}" != "status" ]; then + # 2 excess arguments + exit 2 + else + # 4 program or service status is unknown + exit 4 + fi + fi +else + if [ $# -lt 1 ] ; then + # 3 unimplemented feature (for example, "reload") + # [insufficient arguments] + echo "$PROG_NAME: Insufficient arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 3 + elif [ ${default_error} -eq 2 ] ; then + # 2 invalid argument + echo "$PROG_NAME: Invalid arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 2 + elif [ $# -gt 2 ] ; then + echo "$PROG_NAME: Excess arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + if [ "${command}" != "status" ]; then + # 2 excess arguments + exit 2 + else + # 4 program or service status is unknown + exit 4 + fi + fi +fi + +# If an "instance" was supplied, check that it is a "valid" instance +if [ -n "${pki_instance_id}" ]; then + valid=0 + for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do + instance_name=`basename $PKI_REGISTRY_ENTRY` + if [ "${pki_instance_id}" == "${instance_name}" ]; then + valid=1 + break + fi + done + if [ $valid -eq 0 ]; then + echo -n "${pki_instance_id} is an invalid '${PKI_TYPE}' instance" + if [ ! $SYSTEMD ]; then + echo_failure + fi + echo + + if [ "${command}" != "status" ]; then + # 5 program is not installed + exit 5 + else + # 4 program or service status is unknown + exit 4 + fi + fi +fi + +check_pki_configuration_status() +{ + rv=0 + + case ${PKI_WEB_SERVER_TYPE} in + tomcat) + for SUBSYSTEM in ca kra ocsp tks; do + if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then + rv=`grep -c ^preop ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg` + rv=`expr ${rv} + 0` + fi + done + ;; + apache) + # TBD + ;; + *) + echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" + exit ${default_error} + ;; + esac + + if [ $rv -ne 0 ] ; then + echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" + echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" + if [ "${command}" != "status" ]; then + # 6 program is not configured + rv=6 + else + # 4 program or service status is unknown + rv=4 + fi + TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` + elif [ -f ${RESTART_SERVER} ] ; then + echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " + echo -n "it must still be RESTARTED!" + echo + if [ "${command}" != "status" ]; then + # 1 generic or unspecified error (current practice) + rv=1 + else + # 4 program or service status is unknown + rv=4 + fi + fi + + return $rv +} + +get_pki_status_definitions() +{ + case $PKI_WEB_SERVER_TYPE in + tomcat) + get_pki_status_definitions_tomcat + return $? + ;; + ra) + get_pki_status_definitions_ra + return $? + ;; + tps) + get_pki_status_definitions_tps + return $? + ;; + *) + echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" + exit ${default_error} + ;; + esac +} + +get_pki_status_definitions_ra() +{ + # establish well-known strings + total_ports=0 + UNSECURE_PORT="" + CLIENTAUTH_PORT="" + NON_CLIENTAUTH_PORT="" + + # check to see that an instance-specific "httpd.conf" file exists + if [ ! -f ${PKI_HTTPD_CONF} ] ; then + echo "File '${PKI_HTTPD_CONF}' does not exist!" + exit ${default_error} + fi + + # check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" + exit ${default_error} + fi + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 0 ]; then + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + else + echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 1 ]; then + CLIENTAUTH_PORT=$port + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}" + fi + if [ $total_ports -eq 2 ]; then + NON_CLIENTAUTH_PORT=$port + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + return 0; +} + +get_pki_status_definitions_tps() +{ + # establish well-known strings + total_ports=0 + UNSECURE_PORT="" + CLIENTAUTH_PORT="" + NON_CLIENTAUTH_PORT="" + + # check to see that an instance-specific "httpd.conf" file exists + if [ ! -f ${PKI_HTTPD_CONF} ] ; then + echo "File '${PKI_HTTPD_CONF}' does not exist!" + exit ${default_error} + fi + + # check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" + exit ${default_error} + fi + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 0 ]; then + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi" + echo " (ESC Security Officer Enrollment)" + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi" + echo " (ESC Phone Home)" + else + echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 1 ]; then + CLIENTAUTH_PORT=$port + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi" + echo " (ESC Security Officer Workstation)" + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus" + echo " (TPS Roles - Operator/Administrator/Agent)" + fi + if [ $total_ports -eq 2 ]; then + NON_CLIENTAUTH_PORT=$port + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi" + echo " (ESC Security Officer Enrollment)" + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi" + echo " (ESC Phone Home)" + fi + total_ports=`expr ${total_ports} + 1` + + done + + return 0; +} + +get_pki_status_definitions_tomcat() +{ + # establish well-known strings + begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->" + end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->" + total_ports=0 + unsecure_port_statement="Unsecure Port" + secure_agent_port_statement="Secure Agent Port" + secure_ee_port_statement="Secure EE Port" + secure_ee_client_auth_port_statement="EE Client Auth Port" + secure_admin_port_statement="Secure Admin Port" + pki_console_port_statement="PKI Console Port" + tomcat_port_statement="Tomcat Port" + + # initialize looping variables + pki_status_comment_found=0 + + # first check to see that an instance-specific "server.xml" file exists + if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then + echo "File '${PKI_SERVER_XML_CONF}' does not exist!" + exit ${default_error} + fi + + # read this instance-specific "server.xml" file line-by-line + # to obtain the current PKI Status Definitions + exec < ${PKI_SERVER_XML_CONF} + while read line; do + # first look for the well-known end PKI Status comment + # (to turn off processing) + if [ "$line" == "$end_pki_status_comment" ] ; then + pki_status_comment_found=0 + break; + fi + + # then look for the well-known begin PKI Status comment + # (to turn on processing) + if [ "$line" == "$begin_pki_status_comment" ] ; then + pki_status_comment_found=1 + fi + + # once the well-known begin PKI Status comment has been found, + # begin processing to obtain all of the PKI Status Definitions + if [ $pki_status_comment_found -eq 1 ] ; then + # look for a PKI Status Definition and print it + head=`echo "$line" | sed -e 's/^\([^=]*\)[ \t]*= .*$/\1/' -e 's/[ \t]*$//'` + if [ "$head" == "$unsecure_port_statement" ] || + [ "$head" == "$secure_agent_port_statement" ] || + [ "$head" == "$secure_ee_port_statement" ] || + [ "$head" == "$secure_ee_client_auth_port_statement" ] || + [ "$head" == "$secure_admin_port_statement" ] || + [ "$head" == "$pki_console_port_statement" ] || + [ "$head" == "$tomcat_port_statement" ] ; then + echo " $line" + total_ports=`expr ${total_ports} + 1` + fi + fi + done + + return 0; +} + +get_pki_configuration_definitions() +{ + # Obtain the PKI Subsystem Type + line=`grep -e '^[ \t]*cs.type[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + pki_subsystem=`echo "${line}" | sed -e 's/^[^=]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${line}" != "" ] ; then + if [ "${pki_subsystem}" != "CA" ] && + [ "${pki_subsystem}" != "KRA" ] && + [ "${pki_subsystem}" != "OCSP" ] && + [ "${pki_subsystem}" != "TKS" ] && + [ "${pki_subsystem}" != "RA" ] && + [ "${pki_subsystem}" != "TPS" ] + then + return ${default_error} + fi + if [ "${pki_subsystem}" == "KRA" ] ; then + # Rename "KRA" to "DRM" + pki_subsystem="DRM" + fi + else + return ${default_error} + fi + + # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, + # check to see if "${pki_subsystem}" is a "Clone" + pki_clone="" + if [ "${pki_subsystem}" == "CA" ] || + [ "${pki_subsystem}" == "DRM" ] || + [ "${pki_subsystem}" == "OCSP" ] || + [ "${pki_subsystem}" == "TKS" ] + then + line=`grep -e '^[ \t]*subsystem.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_clone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${pki_clone}" != "Clone" ] ; then + # Reset "${pki_clone}" to be empty + pki_clone="" + fi + else + return ${default_error} + fi + fi + + # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to + # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA + pki_hierarchy="" + if [ "${pki_subsystem}" == "CA" ] && + [ "${pki_clone}" != "Clone" ] + then + line=`grep -e '^[ \t]*hierarchy.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_hierarchy=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + fi + + # If ${pki_subsystem} is a CA, check to + # see if it is also a Security Domain + pki_security_domain="" + if [ "${pki_subsystem}" == "CA" ] ; then + line=`grep -e '^[ \t]*securitydomain.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${pki_security_domain}" == "new" ] ; then + # Set a fixed value for "${pki_security_domain}" + pki_security_domain="(Security Domain)" + else + # Reset "${pki_security_domain}" to be empty + pki_security_domain="" + fi + else + return ${default_error} + fi + fi + + # Always obtain this PKI instance's "registered" + # security domain information + pki_security_domain_name="" + pki_security_domain_hostname="" + pki_security_domain_https_admin_port="" + + line=`grep -e '^[ \t]*securitydomain.name[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_name=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + line=`grep -e '^[ \t]*securitydomain.host[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_hostname=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + line=`grep -e '^[ \t]*securitydomain.httpsadminport[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_https_admin_port=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + # Compose the "PKI Instance Name" Status Line + pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" + + # Compose the "PKI Subsystem Type" Status Line + header="PKI Subsystem Type: " + if [ "${pki_clone}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "CA Clone (Security Domain)" + # + data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" + else + # Possible Values: + # + # "CA Clone" + # "DRM Clone" + # "OCSP Clone" + # "TKS Clone" + # + data="${pki_subsystem} ${pki_clone}" + fi + elif [ "${pki_hierarchy}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "Root CA (Security Domain)" + # "Subordinate CA (Security Domain)" + # + data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" + else + # Possible Values: + # + # "Root CA" + # "Subordinate CA" + # + data="${pki_hierarchy} ${pki_subsystem}" + fi + else + # Possible Values: + # + # "DRM" + # "OCSP" + # "RA" + # "TKS" + # "TPS" + # + data="${pki_subsystem}" + fi + pki_subsystem_type="${header} ${data}" + + # Compose the "Registered PKI Security Domain Information" Status Line + header="Name: " + registered_pki_security_domain_name="${header} ${pki_security_domain_name}" + + header="URL: " + if [ "${pki_security_domain_hostname}" != "" ] && + [ "${pki_security_domain_https_admin_port}" != "" ] + then + data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" + else + return ${default_error} + fi + registered_pki_security_domain_url="${header} ${data}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_instance_name}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_subsystem_type}" + + # Print the "Registered PKI Security Domain Information" Status Line + echo + echo " Registered PKI Security Domain Information:" + echo " ==========================================================================" + echo " ${registered_pki_security_domain_name}" + echo " ${registered_pki_security_domain_url}" + echo " ==========================================================================" + + return 0 +} + +display_configuration_information() +{ + result=0 + check_pki_configuration_status + rv=$? + if [ $rv -eq 0 ] ; then + get_pki_status_definitions + rv=$? + if [ $rv -ne 0 ] ; then + result=$rv + echo + echo "${PKI_INSTANCE_ID} Status Definitions not found" + else + get_pki_configuration_definitions + rv=$? + if [ $rv -ne 0 ] ; then + result=$rv + echo + echo "${PKI_INSTANCE_ID} Configuration Definitions not found" + fi + fi + fi + return $result +} + +display_instance_status_systemd() +{ + echo -n "Status for ${PKI_INSTANCE_ID}: " + systemctl status "$PKI_SYSTEMD_TARGET@$PKI_INSTANCE_ID.service" > /dev/null 2>&1 + rv=$? + + if [ $rv -eq 0 ] ; then + echo "$PKI_INSTANCE_ID is running .." + display_configuration_information + else + echo "$PKI_INSTANCE_ID is stopped" + fi + + return $rv +} + +display_instance_status() +{ + # Verify there is an initscript for this instance + if [ ! -f $PKI_INSTANCE_INITSCRIPT ]; then + # 4 program or service status is unknown + return 4 + fi + + # Invoke the initscript for this instance + $PKI_INSTANCE_INITSCRIPT status + rv=$? + + if [ $rv -eq 0 ] ; then + display_configuration_information + fi + + return $rv +} + +start_instance() +{ + rv=0 + + if [ -f ${RESTART_SERVER} ] ; then + rm -f ${RESTART_SERVER} + fi + + # Invoke the initscript for this instance + case $PKI_WEB_SERVER_TYPE in + tomcat) + + # We must export the service name so that the systemd version + # of the tomcat init script knows which instance specific + # configuration file to source. + export SERVICE_NAME=$PKI_INSTANCE_ID + + if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then + # HACKS: + # (1) MUST eventually replace hard-coded 'pki_ca_script_t' + # with programmatic replacement of either + # 'pki_tomcat_script_t' or 'pki_apache_script_t', AND + # (2) MUST currently be run with SELinux in 'Permissive' mode! + /usr/bin/runcon -t pki_ca_script_t \ + $PKI_INSTANCE_INITSCRIPT start + rv=$? + else + $PKI_INSTANCE_INITSCRIPT start + rv=$? + fi + ;; + apache) + $PKI_INSTANCE_INITSCRIPT start + rv=$? + ;; + esac + + if [ $rv -ne 0 ] ; then + return $rv + fi + + # On Tomcat subsystems, make certain that the service has started + case $PKI_WEB_SERVER_TYPE in + tomcat) + count=0 + tries=30 + port=${PKI_UNSECURE_PORT} + while [ $count -lt $tries ] + do + netstat -antl | grep ${port} > /dev/null + netrv=$? + if [ $netrv -eq 0 ] ; then + break; + fi + sleep 1 + let count=$count+1; + done + if [ $netrv -ne 0 ] ; then + return 1 + fi + ;; + esac + + if [ $rv -eq 0 ] ; then + # From the PKI point of view a returned error code of 6 implies + # that the program is not "configured". An error code of 1 implies + # that the program was "configured" but must still be restarted. + # + # If the return code is 6 return this value unchanged to the + # calling routine so that the total number of configuration errors + # may be counted. Other return codes are ignored. + # + check_pki_configuration_status + rv=$? + if [ $rv -eq 6 ]; then + # 6 program is not configured + return 6 + else + # 0 success + + # Tomcat instances automatically place pid files under + # '/var/run' and lock files under '/var/lock/subsys'. + # + # However, since PKI subsystem instances can have any name, + # in order to identify the PKI subsystem type of a particular + # PKI instance, we create a separate "pki subsystem identity" + # symlink to the PKI instance pid file and place it under + # '/var/run/pki/<pki subsystem>', and a separate + # "pki subsystem identity" symlink to the PKI instance + # lock file and place it under '/var/lock/pki/<pki subsystem>'. + # + case $PKI_WEB_SERVER_TYPE in + tomcat) + if [ -h ${PKI_PIDFILE} ]; then + rm -f ${PKI_PIDFILE} + fi + if [ -f ${TOMCAT_PIDFILE} ]; then + ln -s ${TOMCAT_PIDFILE} ${PKI_PIDFILE} + chown -h ${TOMCAT_USER}:${TOMCAT_GROUP} ${PKI_PIDFILE} + fi + if [ -h ${PKI_LOCKFILE} ]; then + rm -f ${PKI_LOCKFILE} + fi + if [ -f ${TOMCAT_LOCKFILE} ]; then + ln -s ${TOMCAT_LOCKFILE} ${PKI_LOCKFILE} + fi + ;; + esac + + return 0 + fi + fi + return $rv +} + +stop_instance() +{ + rv=0 + + export SERVICE_NAME=$PKI_INSTANCE_ID + # Invoke the initscript for this instance + $PKI_INSTANCE_INITSCRIPT stop + rv=$? + + # On Tomcat subsystems, always remove the "pki subsystem identity" symlinks + # that were previously associated with the Tomcat 'pid' and 'lock' files. + case $PKI_WEB_SERVER_TYPE in + tomcat) + if [ -h ${PKI_PIDFILE} ]; then + rm -f ${PKI_PIDFILE} + fi + if [ -h ${PKI_LOCKFILE} ]; then + rm -f ${PKI_LOCKFILE} + fi + ;; + esac + + return $rv +} + +start() +{ + error_rv=0 + rv=0 + config_errors=0 + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + # 5 program is not installed + return 5 + fi + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ]; then + echo "BEGIN STARTING '${PKI_TYPE}' INSTANCES:" + fi + + # Start every PKI instance of this type that isn't already running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + start_instance + rv=$? + if [ $rv = 6 ] ; then + # Since at least ONE configuration error exists, then there + # is at least ONE unconfigured instance from the PKI point + # of view. + # + # However, it must still be considered that the + # instance is "running" from the point of view of other + # OS programs such as 'chkconfig'. + # + # Therefore, ignore non-zero return codes resulting + # from configuration errors. + # + + config_errors=`expr $config_errors + 1` + rv=0 + elif [ $rv != 0 ] ; then + errors=`expr $errors + 1` + error_rv=$rv + fi + done + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then + touch ${lockfile} + chmod 00600 ${lockfile} + fi + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + # NOTE: "bad" return code(s) OVERRIDE configuration errors! + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances failed to start!" + echo + fi + + if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " + echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances MUST be configured!" + echo + fi + + echo + echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)." + fi + + return $rv +} + +stop() +{ + error_rv=0 + rv=0 + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + # 5 program is not installed + return 5 + fi + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):" + fi + + # Shutdown every PKI instance of this type that is running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + stop_instance + rv=$? + if [ $rv != 0 ] ; then + errors=`expr $errors + 1` + error_rv=$rv + fi + done + + if [ ${errors} -eq 0 ] ; then + rm -f ${lockfile} + fi + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances were " + echo -n "unsuccessfully stopped!" + echo + fi + + echo + echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)." + fi + + return $rv +} + +restart() +{ + stop + sleep 2 + start + + return $? +} + +registry_status() +{ + error_rv=0 + rv=0 + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + # 4 program or service status is unknown + return 4 + fi + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):" + fi + + # Obtain status of every PKI instance of this type + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + case $PKI_WEB_SERVER_TYPE in + tomcat) + if [ $SYSTEMD ]; then + display_instance_status_systemd + else + display_instance_status + fi + rv=$? + ;; + apache) + display_instance_status + rv=$? + ;; + esac + if [ $rv -ne 0 ] ; then + errors=`expr $errors + 1` + error_rv=$rv + fi + done + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "4 - program or service status is unknown" + rv=4 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances reported status failures!" + echo + fi + + if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " + echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances MUST be configured!" + echo + fi + + echo + echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)." + fi + + return $rv +} + diff --git a/base/deploy/scripts/pkidaemon b/base/deploy/scripts/pkidaemon new file mode 100755 index 000000000..7be30c9d3 --- /dev/null +++ b/base/deploy/scripts/pkidaemon @@ -0,0 +1,74 @@ +#!/bin/bash +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# + +PROG_NAME=`basename $0` +SERVICE_NAME="pkidaemon" +SERVICE_PROG="/bin/systemctl" + +command="$1" +pki_instance_type="$2" +pki_instance_id="$3" + +PKI_REGISTRY="/etc/sysconfig/pki/${pki_instance_type}" +PKI_TYPE="${pki_instance_type}" +PKI_SYSTEMD_TARGET="pki-${pki_instance_type}d" +SYSTEMD=1 + +# Source the PKI function library +. /usr/share/pki/scripts/operations + +# See how we were called. +case $command in + status) + # registry_status + echo "The 'status' action is TBD." + exit $? + ;; + start) + start + exit $? + ;; + restart) + restart + exit $? + ;; + stop) + stop + exit $? + ;; + condrestart|force-restart|try-restart) + [ ! -f ${lockfile} ] || restart + echo "The '${command}' action is TBD." + exit $? + ;; + reload) + echo "The 'reload' action is an unimplemented feature." + exit ${default_error} + ;; + *) + echo "unknown action ($command)" + usage + echo "where valid instance names include:" + list_instances + exit ${default_error} + ;; +esac + diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy index 2d0b5d285..6a2db56b8 100755 --- a/base/deploy/src/pkidestroy +++ b/base/deploy/src/pkidestroy @@ -125,21 +125,21 @@ def main(argv): extra=config.PKI_INDENTATION_LEVEL_0) # Override PKI configuration file values with 'custom' command-line values. - if not config.pki_admin_domain_name is None: + if not config.custom_pki_admin_domain_name is None: config.pki_common_dict['pki_admin_domain_name'] =\ - config.pki_admin_domain_name - if not config.pki_instance_name is None: - config.pki_common_dict['pki_instance_name'] =\ - config.pki_instance_name - if not config.pki_http_port is None: + config.custom_pki_admin_domain_name + if not config.custom_pki_instance_name is None: + config.pki_web_server_dict['pki_instance_name'] =\ + config.custom_pki_instance_name + if not config.custom_pki_http_port is None: config.pki_web_server_dict['pki_http_port'] =\ - config.pki_http_port - if not config.pki_https_port is None: + config.custom_pki_http_port + if not config.custom_pki_https_port is None: config.pki_web_server_dict['pki_https_port'] =\ - config.pki_https_port - if not config.pki_ajp_port is None: + config.custom_pki_https_port + if not config.custom_pki_ajp_port is None: config.pki_web_server_dict['pki_ajp_port'] =\ - config.pki_ajp_port + config.custom_pki_ajp_port config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pp.pformat(config.pki_common_dict), diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn index d665f3c9f..66152a334 100755 --- a/base/deploy/src/pkispawn +++ b/base/deploy/src/pkispawn @@ -154,21 +154,21 @@ def main(argv): extra=config.PKI_INDENTATION_LEVEL_0) # Override PKI configuration file values with 'custom' command-line values. - if not config.pki_admin_domain_name is None: + if not config.custom_pki_admin_domain_name is None: config.pki_common_dict['pki_admin_domain_name'] =\ - config.pki_admin_domain_name - if not config.pki_instance_name is None: - config.pki_common_dict['pki_instance_name'] =\ - config.pki_instance_name - if not config.pki_http_port is None: + config.custom_pki_admin_domain_name + if not config.custom_pki_instance_name is None: + config.pki_web_server_dict['pki_instance_name'] =\ + config.custom_pki_instance_name + if not config.custom_pki_http_port is None: config.pki_web_server_dict['pki_http_port'] =\ - config.pki_http_port - if not config.pki_https_port is None: + config.custom_pki_http_port + if not config.custom_pki_https_port is None: config.pki_web_server_dict['pki_https_port'] =\ - config.pki_https_port - if not config.pki_ajp_port is None: + config.custom_pki_https_port + if not config.custom_pki_ajp_port is None: config.pki_web_server_dict['pki_ajp_port'] =\ - config.pki_ajp_port + config.custom_pki_ajp_port config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pp.pformat(config.pki_common_dict), diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py index 1155e9002..f40573940 100644 --- a/base/deploy/src/scriptlets/configuration.py +++ b/base/deploy/src/scriptlets/configuration.py @@ -47,6 +47,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_client_key_database'], master['pki_client_secmod_database'], password_file=master['pki_client_password_conf']) + util.symlink.create( + config.pki_master_dict['pki_systemd_service'], + config.pki_master_dict['pki_systemd_service_link']) else: util.password.create_password_conf( master['pki_client_password_conf'], @@ -71,17 +74,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_1) if not config.pki_dry_run_flag: if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instances() == 0: + util.instance.apache_instances() == 1: util.directory.delete(master['pki_client_path']) + util.symlink.delete( + config.pki_master_dict['pki_systemd_service_link']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instances() == 0: + util.instance.tomcat_instances() == 1: util.directory.delete(master['pki_client_path']) + util.symlink.delete( + config.pki_master_dict['pki_systemd_service_link']) else: # ALWAYS display correct information (even during dry_run) if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instances() == 1: + util.instance.apache_instances() == 0: util.directory.delete(master['pki_client_path']) + util.symlink.delete( + config.pki_master_dict['pki_systemd_service_link']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instances() == 1: + util.instance.tomcat_instances() == 0: util.directory.delete(master['pki_client_path']) + util.symlink.delete( + config.pki_master_dict['pki_systemd_service_link']) return self.rv diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py index acf51391a..02c5065cb 100644 --- a/base/deploy/src/scriptlets/finalization.py +++ b/base/deploy/src/scriptlets/finalization.py @@ -41,10 +41,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_subsystem_registry_path'] +\ "/" + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE) # Save a timestamped copy of the installation manifest file - filename = master['pki_root_prefix'] +\ - config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ - master['pki_instance_id'] + "/" +\ - master['pki_subsystem'].lower() +"/" +\ + filename = master['pki_subsystem_registry_path'] + "/" +\ "spawn" + "_" + "manifest" + "." +\ master['pki_timestamp'] + "." + "csv" config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, filename, @@ -74,10 +71,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): "/" + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE, overwrite_flag=True) # Save a timestamped copy of the updated manifest file - filename = master['pki_root_prefix'] +\ - config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ - master['pki_instance_id'] + "/" +\ - master['pki_subsystem'].lower() +"/" +\ + filename = master['pki_subsystem_registry_path'] + "/" +\ "respawn" + "_" + "manifest" + "." +\ master['pki_timestamp'] + "." + "csv" config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, filename, diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py index fd94de512..471739700 100644 --- a/base/deploy/src/scriptlets/infrastructure_layout.py +++ b/base/deploy/src/scriptlets/infrastructure_layout.py @@ -80,7 +80,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove top-level infrastructure registry util.directory.delete(master['pki_registry_path']) if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - util.file.delete(master['pki_target_tomcat_conf']) + util.file.delete( + master['pki_target_tomcat_conf_instance_id']) else: # ALWAYS display correct information (even during dry_run) @@ -98,5 +99,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove top-level infrastructure registry util.directory.delete(master['pki_registry_path']) if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - util.file.delete(master['pki_target_tomcat_conf']) + util.file.delete( + master['pki_target_tomcat_conf_instance_id']) return self.rv diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py index 60e94d1a1..8a645f029 100644 --- a/base/deploy/src/scriptlets/instance_layout.py +++ b/base/deploy/src/scriptlets/instance_layout.py @@ -41,6 +41,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # establish instance configuration util.directory.create(master['pki_instance_configuration_path']) # establish instance registry + util.directory.create(master['pki_instance_type_registry_path']) util.directory.create(master['pki_instance_registry_path']) # establish Apache/Tomcat specific instance if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: @@ -59,6 +60,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.directory.create(master['pki_tomcat_webapps_webinf_lib_path']) # establish Tomcat instance logs # establish Tomcat instance configuration + util.directory.copy(master['pki_source_shared_path'], + master['pki_instance_configuration_path'], + overwrite_flag=True) # establish Tomcat instance registry # establish Tomcat instance convenience # symbolic links @@ -89,6 +93,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # update instance configuration util.directory.modify(master['pki_instance_configuration_path']) # update instance registry + util.directory.modify(master['pki_instance_type_registry_path']) util.directory.modify(master['pki_instance_registry_path']) # update Apache/Tomcat specific instance if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: @@ -116,6 +121,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # update instance convenience symbolic links util.symlink.modify(master['pki_instance_database_link']) util.symlink.modify(master['pki_instance_conf_link']) + util.directory.copy(master['pki_source_shared_path'], + master['pki_instance_configuration_path'], + overwrite_flag=True) util.symlink.modify(master['pki_instance_logs_link']) return self.rv @@ -133,6 +141,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove Apache instance configuration util.directory.delete(master['pki_instance_configuration_path']) # remove Apache instance registry + util.directory.delete(master['pki_instance_type_registry_path']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ util.instance.tomcat_instances() == 0: # remove Tomcat instance base @@ -143,6 +152,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove Tomcat instance configuration util.directory.delete(master['pki_instance_configuration_path']) # remove Tomcat instance registry + util.directory.delete(master['pki_instance_type_registry_path']) else: # ALWAYS display correct information (even during dry_run) if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ @@ -155,6 +165,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove Apache instance configuration util.directory.delete(master['pki_instance_configuration_path']) # remove Apache instance registry + util.directory.delete(master['pki_instance_type_registry_path']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ util.instance.tomcat_instances() == 1: # remove Tomcat instance base @@ -165,4 +176,5 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove Tomcat instance configuration util.directory.delete(master['pki_instance_configuration_path']) # remove Tomcat instance registry + util.directory.delete(master['pki_instance_type_registry_path']) return self.rv diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 76d54ad15..2acd37d36 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -40,6 +40,8 @@ PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '} PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '} PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki" +PKI_DEPLOYMENT_SYSTEMD_ROOT = "/lib/systemd/system" +PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT = "/etc/systemd/system" PKI_DEPLOYMENT_TOMCAT_ROOT = "/usr/share/tomcat" PKI_DEPLOYMENT_TOMCAT_SYSTEMD = "/usr/sbin/tomcat-sysd" PKI_DEPLOYMENT_BASE_ROOT = "/var/lib/pki" @@ -92,11 +94,11 @@ pki_root_prefix = None pki_update_flag = False # PKI Deployment "Custom" Command-Line Variables -pki_admin_domain_name = None -pki_instance_name = None -pki_http_port = None -pki_https_port = None -pki_ajp_port = None +custom_pki_admin_domain_name = None +custom_pki_instance_name = None +custom_pki_http_port = None +custom_pki_https_port = None +custom_pki_ajp_port = None # PKI Deployment Logger Variables diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index a9a53dd76..0add192f7 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -79,23 +79,23 @@ def process_command_line_arguments(argv): custom = parser.add_argument_group('custom arguments ' '(OVERRIDES configuration file values)') custom.add_argument('-d', - dest='pki_admin_domain_name', action='store', + dest='custom_pki_admin_domain_name', action='store', nargs=1, metavar='<admin_domain>', help='PKI admin domain name (instance name prefix)') custom.add_argument('-i', - dest='pki_instance_name', action='store', + dest='custom_pki_instance_name', action='store', nargs=1, metavar='<instance>', help='PKI instance name (MUST specify REQUIRED ports)') custom.add_argument('--http_port', - dest='pki_http_port', action='store', + dest='custom_pki_http_port', action='store', nargs=1, metavar='<port>', help='HTTP port (CA, KRA, OCSP, RA, TKS, TPS)') custom.add_argument('--https_port', - dest='pki_https_port', action='store', + dest='custom_pki_https_port', action='store', nargs=1, metavar='<port>', help='HTTPS port (CA, KRA, OCSP, RA, TKS, TPS)') custom.add_argument('--ajp_port', - dest='pki_ajp_port', action='store', + dest='custom_pki_ajp_port', action='store', nargs=1, metavar='<port>', help='AJP port (CA, KRA, OCSP, TKS)') args = parser.parse_args() @@ -141,19 +141,22 @@ def process_command_line_arguments(argv): config.pki_jython_log_level = config.PKI_JYTHON_WARNING_LOG_LEVEL config.pki_console_log_level = logging.WARNING config.pki_log_level = logging.INFO - if not args.pki_admin_domain_name is None: - config.pki_admin_domain_name =\ - str(args.pki_admin_domain_name).strip('[\']') - if not args.pki_instance_name is None: - config.pki_instance_name =\ - str(args.pki_instance_name).strip('[\']') - if not args.pki_http_port is None: - config.pki_http_port = str(args.pki_http_port).strip('[\']') - if not args.pki_https_port is None: - config.pki_https_port = str(args.pki_https_port).strip('[\']') - if not args.pki_ajp_port is None: + if not args.custom_pki_admin_domain_name is None: + config.custom_pki_admin_domain_name =\ + str(args.custom_pki_admin_domain_name).strip('[\']') + if not args.custom_pki_instance_name is None: + config.custom_pki_instance_name =\ + str(args.custom_pki_instance_name).strip('[\']') + if not args.custom_pki_http_port is None: + config.custom_pki_http_port =\ + str(args.custom_pki_http_port).strip('[\']') + if not args.custom_pki_https_port is None: + config.custom_pki_https_port =\ + str(args.custom_pki_https_port).strip('[\']') + if not args.custom_pki_ajp_port is None: if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_ajp_port = str(args.pki_ajp_port).strip('[\']') + config.custom_pki_ajp_port =\ + str(args.custom_pki_ajp_port).strip('[\']') else: print "ERROR: " +\ log.PKI_CUSTOM_TOMCAT_AJP_PORT_1 %\ @@ -161,24 +164,24 @@ def process_command_line_arguments(argv): print parser.print_help() parser.exit(-1); - if not args.pki_instance_name is None or\ - not args.pki_http_port is None or\ - not args.pki_https_port is None or\ - not args.pki_ajp_port is None: + if not args.custom_pki_instance_name is None or\ + not args.custom_pki_http_port is None or\ + not args.custom_pki_https_port is None or\ + not args.custom_pki_ajp_port is None: if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: - if args.pki_instance_name is None or\ - args.pki_http_port is None or\ - args.pki_https_port is None: + if args.custom_pki_instance_name is None or\ + args.custom_pki_http_port is None or\ + args.custom_pki_https_port is None: print "ERROR: " + log.PKI_CUSTOM_APACHE_INSTANCE_1 %\ config.pki_subsystem print parser.print_help() parser.exit(-1); elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - if args.pki_instance_name is None or\ - args.pki_http_port is None or\ - args.pki_https_port is None or\ - args.pki_ajp_port is None: + if args.custom_pki_instance_name is None or\ + args.custom_pki_http_port is None or\ + args.custom_pki_https_port is None or\ + args.custom_pki_ajp_port is None: print "ERROR: " + log.PKI_CUSTOM_TOMCAT_INSTANCE_1 %\ config.pki_subsystem print @@ -191,16 +194,51 @@ def process_command_line_arguments(argv): # explicitly specified if it does not use the default location # and/or default configuration file name. if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: - default_pki_instance_name =\ - config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME + if not config.custom_pki_instance_name is None: + default_pki_instance_name = config.custom_pki_instance_name + else: + default_pki_instance_name =\ + config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME + if not config.custom_pki_admin_domain_name is None: + config.pkideployment_cfg =\ + config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ + config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME + "/" +\ + config.custom_pki_admin_domain_name + "-" +\ + default_pki_instance_name +"/" +\ + config.pki_subsystem.lower() +"/" +\ + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE + else: + config.pkideployment_cfg =\ + config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ + config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME + "/" +\ + default_pki_instance_name +"/" +\ + config.pki_subsystem.lower() +"/" +\ + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - default_pki_instance_name =\ - config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME - config.pkideployment_cfg = config.pki_root_prefix +\ - config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ - default_pki_instance_name +"/" +\ - config.pki_subsystem.lower() +"/" +\ - config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE + if not config.custom_pki_instance_name is None: + default_pki_instance_name = config.custom_pki_instance_name + else: + default_pki_instance_name =\ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME + if not config.custom_pki_admin_domain_name is None: + config.pkideployment_cfg =\ + config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME + "/" +\ + config.custom_pki_admin_domain_name + "-" +\ + default_pki_instance_name +"/" +\ + config.pki_subsystem.lower() +"/" +\ + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE + else: + config.pkideployment_cfg =\ + config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME + "/" +\ + default_pki_instance_name +"/" +\ + config.pki_subsystem.lower() +"/" +\ + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE if not os.path.exists(config.pkideployment_cfg) or\ not os.path.isfile(config.pkideployment_cfg): print "ERROR: " +\ @@ -334,16 +372,47 @@ def compose_pki_master_dictionary(): "conf") config.pki_master_dict['pki_source_setup_path'] =\ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, - config.pki_master_dict['pki_subsystem'].lower(), "setup") + config.pki_master_dict['pki_source_shared_path'] =\ + os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, + "shared", + "conf") config.pki_master_dict['pki_source_cs_cfg'] =\ os.path.join(config.pki_master_dict['pki_source_conf_path'], "CS.cfg") config.pki_master_dict['pki_source_registry'] =\ os.path.join(config.pki_master_dict['pki_source_setup_path'], - "registry_instance") + "pkidaemon_registry") if config.pki_master_dict['pki_subsystem'] in\ - config.PKI_TOMCAT_SUBSYSTEMS: + config.PKI_APACHE_SUBSYSTEMS: + config.pki_master_dict['pki_systemd_service'] =\ + config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\ + "pki-apached" + "@" + ".service" + config.pki_master_dict['pki_systemd_target'] =\ + config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\ + "pki-apached.target" + config.pki_master_dict['pki_systemd_target_wants'] =\ + config.PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT + "/" +\ + "pki-apached.target.wants" + config.pki_master_dict['pki_systemd_service_link'] =\ + config.pki_master_dict['pki_systemd_target_wants'] + "/" +\ + "pki-apached" + "@" +\ + config.pki_master_dict['pki_instance_id'] + ".service" + elif config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_systemd_service'] =\ + config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\ + "pki-tomcatd" + "@" + ".service" + config.pki_master_dict['pki_systemd_target'] =\ + config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\ + "pki-tomcatd.target" + config.pki_master_dict['pki_systemd_target_wants'] =\ + config.PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT + "/" +\ + "pki-tomcatd.target.wants" + config.pki_master_dict['pki_systemd_service_link'] =\ + config.pki_master_dict['pki_systemd_target_wants'] + "/" +\ + "pki-tomcatd" + "@" +\ + config.pki_master_dict['pki_instance_id'] + ".service" config.pki_master_dict['pki_tomcat_bin_path'] =\ os.path.join(config.PKI_DEPLOYMENT_TOMCAT_ROOT, "bin") @@ -364,16 +433,16 @@ def compose_pki_master_dictionary(): os.path.join(config.pki_master_dict['pki_war_path'], config.pki_master_dict['pki_war_name']) config.pki_master_dict['pki_source_catalina_properties'] =\ - os.path.join(config.pki_master_dict['pki_source_conf_path'], + os.path.join(config.pki_master_dict['pki_source_shared_path'], "catalina.properties") config.pki_master_dict['pki_source_servercertnick_conf'] =\ - os.path.join(config.pki_master_dict['pki_source_conf_path'], + os.path.join(config.pki_master_dict['pki_source_shared_path'], "serverCertNick.conf") config.pki_master_dict['pki_source_server_xml'] =\ - os.path.join(config.pki_master_dict['pki_source_conf_path'], + os.path.join(config.pki_master_dict['pki_source_shared_path'], "server.xml") config.pki_master_dict['pki_source_tomcat_conf'] =\ - os.path.join(config.pki_master_dict['pki_source_conf_path'], + os.path.join(config.pki_master_dict['pki_source_shared_path'], "tomcat.conf") config.pki_master_dict['pki_source_index_jsp'] =\ os.path.join(config.pki_master_dict['pki_source_webapps_path'], @@ -425,12 +494,24 @@ def compose_pki_master_dictionary(): os.path.join(config.pki_master_dict['pki_configuration_path'], config.pki_master_dict['pki_instance_id']) # Apache/Tomcat instance registry name/value pairs - config.pki_master_dict['pki_instance_registry_path'] =\ - os.path.join(config.pki_master_dict['pki_registry_path'], - config.pki_master_dict['pki_instance_id']) - # Tomcat-specific instance name/value pairs + # Apache-specific instance name/value pairs if config.pki_master_dict['pki_subsystem'] in\ - config.PKI_TOMCAT_SUBSYSTEMS: + config.PKI_APACHE_SUBSYSTEMS: + # Apache instance base name/value pairs + # Apache instance log name/value pairs + # Apache instance configuration name/value pairs + # Apache instance registry name/value pairs + config.pki_master_dict['pki_instance_type_registry_path'] =\ + os.path.join(config.pki_master_dict['pki_registry_path'], + "apache") + config.pki_master_dict['pki_instance_registry_path'] =\ + os.path.join( + config.pki_master_dict['pki_instance_type_registry_path'], + config.pki_master_dict['pki_instance_id']) + # Apache instance convenience symbolic links + # Tomcat-specific instance name/value pairs + elif config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: # Tomcat instance base name/value pairs config.pki_master_dict['pki_tomcat_common_path'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], @@ -467,6 +548,13 @@ def compose_pki_master_dictionary(): # Tomcat instance log name/value pairs # Tomcat instance configuration name/value pairs # Tomcat instance registry name/value pairs + config.pki_master_dict['pki_instance_type_registry_path'] =\ + os.path.join(config.pki_master_dict['pki_registry_path'], + "tomcat") + config.pki_master_dict['pki_instance_registry_path'] =\ + os.path.join( + config.pki_master_dict['pki_instance_type_registry_path'], + config.pki_master_dict['pki_instance_id']) # Tomcat instance convenience symbolic links config.pki_master_dict['pki_tomcat_bin_link'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], @@ -572,26 +660,30 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_subsystem_configuration_path'], "CS.cfg") config.pki_master_dict['pki_target_registry'] =\ - os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + os.path.join(config.pki_master_dict['pki_instance_registry_path'], config.pki_master_dict['pki_instance_id']) if config.pki_master_dict['pki_subsystem'] in\ config.PKI_TOMCAT_SUBSYSTEMS: config.pki_master_dict['pki_target_catalina_properties'] =\ os.path.join( - config.pki_master_dict['pki_subsystem_configuration_path'], + config.pki_master_dict['pki_instance_configuration_path'], "catalina.properties") config.pki_master_dict['pki_target_servercertnick_conf'] =\ os.path.join( - config.pki_master_dict['pki_subsystem_configuration_path'], + config.pki_master_dict['pki_instance_configuration_path'], "serverCertNick.conf") config.pki_master_dict['pki_target_server_xml'] =\ os.path.join( - config.pki_master_dict['pki_subsystem_configuration_path'], + config.pki_master_dict['pki_instance_configuration_path'], "server.xml") - config.pki_master_dict['pki_target_tomcat_conf'] =\ + config.pki_master_dict['pki_target_tomcat_conf_instance_id'] =\ config.pki_master_dict['pki_root_prefix'] +\ "/etc/sysconfig/" +\ config.pki_master_dict['pki_instance_id'] + config.pki_master_dict['pki_target_tomcat_conf'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "tomcat.conf") config.pki_master_dict['pki_target_index_jsp'] =\ os.path.join( config.pki_master_dict['pki_tomcat_webapps_root_path'], @@ -626,14 +718,8 @@ def compose_pki_master_dictionary(): config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\ config.pki_master_dict['pki_instance_id'] config.pki_master_dict['PKI_INSTANCE_INITSCRIPT_SLOT'] =\ - os.path.join(config.pki_master_dict['pki_subsystem_path'], + os.path.join(config.pki_master_dict['pki_instance_path'], config.pki_master_dict['pki_instance_id']) - config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ - os.path.join("/var/lock/pki", - config.pki_master_dict['pki_subsystem'].lower()) - config.pki_master_dict['PKI_PIDDIR_SLOT'] =\ - os.path.join("/var/run/pki", - config.pki_master_dict['pki_subsystem'].lower()) config.pki_master_dict['PKI_REGISTRY_FILE_SLOT'] =\ os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], config.pki_master_dict['pki_instance_id']) @@ -650,6 +736,13 @@ def compose_pki_master_dictionary(): config.pki_master_dict['NON_CLIENTAUTH_SECURE_PORT_SLOT'] = None config.pki_master_dict['NSS_CONF_SLOT'] = None config.pki_master_dict['OBJ_EXT_SLOT'] = None + config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ + os.path.join("/var/lock/pki", + "apache") + config.pki_master_dict['PKI_PIDDIR_SLOT'] =\ + os.path.join("/var/run/pki", + "apache") + config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] = "apache" config.pki_master_dict['PORT_SLOT'] = None config.pki_master_dict['PROCESS_ID_SLOT'] = None config.pki_master_dict['REQUIRE_CFG_PL_SLOT'] = None @@ -711,14 +804,15 @@ def compose_pki_master_dictionary(): "Unused" config.pki_master_dict['PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ "" - config.pki_master_dict['PKI_FLAVOR_SLOT'] =\ - "pki" config.pki_master_dict['PKI_GROUP_SLOT'] =\ config.pki_master_dict['pki_group'] config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\ - config.pki_master_dict['pki_subsystem_path'] - config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\ config.pki_master_dict['pki_instance_path'] + config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\ + config.pki_master_dict['pki_path'] + config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ + os.path.join("/var/lock/pki", + "tomcat") config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\ config.pki_master_dict['pki_hostname'] config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\ @@ -731,6 +825,9 @@ def compose_pki_master_dictionary(): config.pki_master_dict\ ['PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\ "<!--" + config.pki_master_dict['PKI_PIDDIR_SLOT'] =\ + os.path.join("/var/run/pki", + "tomcat") config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\ config.pki_master_dict['pki_proxy_https_port'] config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\ @@ -752,9 +849,8 @@ def compose_pki_master_dictionary(): config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\ config.pki_master_dict['pki_subsystem'].lower() config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\ - "pki-" + config.pki_master_dict['pki_subsystem'].lower() +\ - "d" + "@" + "pki-" +\ - config.pki_master_dict['pki_subsystem'].lower() + ".service" + "pki-tomcatd" + "@" +\ + config.pki_master_dict['pki_instance_id'] + ".service" config.pki_master_dict['PKI_UNSECURE_PORT_SLOT'] =\ config.pki_master_dict['pki_http_port'] config.pki_master_dict['PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT'] =\ @@ -763,6 +859,8 @@ def compose_pki_master_dictionary(): "<!-- Shared Ports: Unsecure Port Connector -->" config.pki_master_dict['PKI_USER_SLOT'] =\ config.pki_master_dict['pki_user'] + config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] =\ + "tomcat" config.pki_master_dict['PKI_WEBAPPS_NAME_SLOT'] =\ "webapps" config.pki_master_dict['TOMCAT_CFG_SLOT'] =\ @@ -772,7 +870,7 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_tomcat_common_lib_path'], "*.jar") config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\ - config.pki_master_dict['pki_subsystem_log_path'] + config.pki_master_dict['pki_instance_log_path'] config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\ "/var/run/" + config.pki_master_dict['pki_instance_id'] + ".pid" config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\ diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py index 2e2d94545..93b0ae750 100644 --- a/base/deploy/src/scriptlets/slot_substitution.py +++ b/base/deploy/src/scriptlets/slot_substitution.py @@ -38,17 +38,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'], master['pki_target_cs_cfg']) util.file.copy_with_slot_substitution(master['pki_source_registry'], - master['pki_target_registry']) + master['pki_target_registry'], + overwrite_flag=True) if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: util.file.copy_with_slot_substitution( master['pki_source_catalina_properties'], - master['pki_target_catalina_properties']) + master['pki_target_catalina_properties'], + overwrite_flag=True) util.file.copy_with_slot_substitution( master['pki_source_servercertnick_conf'], - master['pki_target_servercertnick_conf']) + master['pki_target_servercertnick_conf'], + overwrite_flag=True) util.file.copy_with_slot_substitution( master['pki_source_server_xml'], - master['pki_target_server_xml']) + master['pki_target_server_xml'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_tomcat_conf'], + master['pki_target_tomcat_conf_instance_id'], + overwrite_flag=True) util.file.copy_with_slot_substitution( master['pki_source_tomcat_conf'], master['pki_target_tomcat_conf'], @@ -93,6 +101,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): overwrite_flag=True) util.file.copy_with_slot_substitution( master['pki_source_tomcat_conf'], + master['pki_target_tomcat_conf_instance_id'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_tomcat_conf'], master['pki_target_tomcat_conf'], overwrite_flag=True) util.file.copy_with_slot_substitution( |