diff options
| author | Tomas Babej <tbabej@redhat.com> | 2014-06-03 16:17:16 +0200 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2014-06-16 19:48:21 +0200 |
| commit | 8a5e2a816667587bf767990dc2715d6996975d44 (patch) | |
| tree | 88f6c3f3cf05d721c923e43930156951d6936ba2 /ipaplatform | |
| parent | f0d0640a46647baa9e32c6e6dace7767b5c5b836 (diff) | |
| download | freeipa-8a5e2a816667587bf767990dc2715d6996975d44.tar.gz freeipa-8a5e2a816667587bf767990dc2715d6996975d44.tar.xz freeipa-8a5e2a816667587bf767990dc2715d6996975d44.zip | |
ipaplatform: Contain all the tasks in the TaskNamespace
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaplatform')
| -rw-r--r-- | ipaplatform/base/tasks.py | 73 | ||||
| -rw-r--r-- | ipaplatform/fedora/tasks.py | 416 |
2 files changed, 236 insertions, 253 deletions
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 7d776deb5..f4bfbb6db 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -25,56 +25,45 @@ This module contains default platform-specific implementations of system tasks. from ipaplatform.paths import paths -# restore context default implementation that does nothing -def restore_context(filepath): - return +class BaseTaskNamespace(object): + # restore context default implementation that does nothing + def restore_context(self, filepath): + return + # Default implementation of backup and replace hostname that does nothing + def backup_and_replace_hostname(self, fstore, statestore, hostname): + return -# Default implementation of backup and replace hostname that does nothing -def backup_and_replace_hostname(fstore, statestore, hostname): - return + def insert_ca_cert_into_systemwide_ca_store(self, path): + return True + def remove_ca_cert_from_systemwide_ca_store(self, path): + return True -def insert_ca_cert_into_systemwide_ca_store(path): - return True + def get_svc_list_file(self): + return paths.SVC_LIST_FILE + # See if SELinux is enabled and /usr/sbin/restorecon is installed. + # Default to a no-op. Those platforms that support SELinux should + # implement this function. + def check_selinux_status(self): + return -def remove_ca_cert_from_systemwide_ca_store(path): - return True + def restore_network_configuration(self, fstore, statestore): + return + def restore_pre_ipa_client_configuration(self, fstore, statestore, + was_sssd_installed, + was_sssd_configured): + return -def get_svc_list_file(): - return paths.SVC_LIST_FILE + def set_nisdomain(self, nisdomain): + return + def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore): + return -# See if SELinux is enabled and /usr/sbin/restorecon is installed. -# Default to a no-op. Those platforms that support SELinux should -# implement this function. -def check_selinux_status(): - return + def modify_pam_to_use_krb5(statestore): + return - -def restore_network_configuration(fstore, statestore): - return - - -def backup_and_replace_hostname(fstore, statestore, hostname): - return - - -def restore_pre_ipa_client_configuration(fstore, statestore, - was_sssd_installed, - was_sssd_configured): - return - - -def set_nisdomain(nisdomain): - return - - -def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore): - return - - -def modify_pam_to_use_krb5(statestore): - return +task_namespace = BaseTaskNamespace() diff --git a/ipaplatform/fedora/tasks.py b/ipaplatform/fedora/tasks.py index 8c49ab3a2..525e550ce 100644 --- a/ipaplatform/fedora/tasks.py +++ b/ipaplatform/fedora/tasks.py @@ -39,225 +39,219 @@ from ipaplatform.fedora.authconfig import FedoraAuthConfig from ipaplatform.base.tasks import * -def restore_context(filepath, restorecon='/sbin/restorecon'): - """ - restore security context on the file path - SELinux equivalent is /path/to/restorecon <filepath> - - restorecon's return values are not reliable so we have to - ignore them (BZ #739604). - - ipautil.run() will do the logging. - """ - try: - if os.path.exists('/usr/sbin/selinuxenabled'): - ipautil.run(["/usr/sbin/selinuxenabled"]) - else: - # No selinuxenabled, no SELinux - return - except ipautil.CalledProcessError: - # selinuxenabled returns 1 if not enabled - return - - if (os.path.exists(restorecon)): - ipautil.run([restorecon, filepath], raiseonerr=False) - - -def check_selinux_status(restorecon=paths.RESTORECON): - """ - We don't have a specific package requirement for policycoreutils - which provides restorecon. This is because we don't require - SELinux on client installs. However if SELinux is enabled then - this package is required. - - This function returns nothing but may raise a Runtime exception - if SELinux is enabled but restorecon is not available. - """ - try: - if os.path.exists('/usr/sbin/selinuxenabled'): - ipautil.run(["/usr/sbin/selinuxenabled"]) - else: - # No selinuxenabled, no SELinux +class FedoraTaskNamespace(BaseTaskNamespace): + + def restore_context(self, filepath, restorecon='/sbin/restorecon'): + """ + restore security context on the file path + SELinux equivalent is /path/to/restorecon <filepath> + restorecon's return values are not reliable so we have to + ignore them (BZ #739604). + + ipautil.run() will do the logging. + """ + try: + if os.path.exists(paths.SELINUXENABLED): + ipautil.run([paths.SELINUXENABLED]) + else: + # No selinuxenabled, no SELinux + return + except ipautil.CalledProcessError: + # selinuxenabled returns 1 if not enabled return - except ipautil.CalledProcessError: - # selinuxenabled returns 1 if not enabled - return - - if not os.path.exists(restorecon): - raise RuntimeError('SELinux is enabled but %s does not exist.\n' - 'Install the policycoreutils package and start the ' - 'installation again.' % restorecon) - - -def restore_pre_ipa_client_configuration(fstore, statestore, - was_sssd_installed, - was_sssd_configured): - - auth_config = FedoraAuthConfig() - if statestore.has_state('authconfig'): - # disable only those configurations that we enabled during install - for conf in ('ldap', 'krb5', 'sssd', 'sssdauth', 'mkhomedir'): - cnf = statestore.restore_state('authconfig', conf) - # Do not disable sssd, as this can cause issues with its later - # uses. Remove it from statestore however, so that it becomes - # empty at the end of uninstall process. - if cnf and conf != 'sssd': - auth_config.disable(conf) - else: - # There was no authconfig status store - # It means the code was upgraded after original install - # Fall back to old logic - auth_config.disable("ldap") - auth_config.disable("krb5") - if not(was_sssd_installed and was_sssd_configured): - # Only disable sssdauth. Disabling sssd would cause issues - # with its later uses. - auth_config.disable("sssdauth") - auth_config.disable("mkhomedir") - - auth_config.execute() - - -def set_nisdomain(nisdomain): - # Let authconfig setup the permanent configuration - auth_config = FedoraAuthConfig() - auth_config.add_parameter("nisdomain", nisdomain) - auth_config.execute() - - -def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore): - auth_config = FedoraAuthConfig() - - if sssd: - statestore.backup_state('authconfig', 'sssd', True) - statestore.backup_state('authconfig', 'sssdauth', True) - auth_config.enable("sssd") - auth_config.enable("sssdauth") - else: - statestore.backup_state('authconfig', 'ldap', True) - auth_config.enable("ldap") - auth_config.enable("forcelegacy") - - if mkhomedir: - statestore.backup_state('authconfig', 'mkhomedir', True) - auth_config.enable("mkhomedir") - - auth_config.execute() - - -def modify_pam_to_use_krb5(statestore): - auth_config = FedoraAuthConfig() - statestore.backup_state('authconfig', 'krb5', True) - auth_config.enable("krb5") - auth_config.add_option("nostart") - auth_config.execute() - - -def insert_ca_cert_into_systemwide_ca_store(cacert_path): - # Add the 'ipa-' prefix to cert name to avoid name collisions - cacert_name = os.path.basename(cacert_path) - new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, - 'ipa-%s' % cacert_name) - - # Add the CA to the systemwide CA trust database - try: - shutil.copy(cacert_path, new_cacert_path) - ipautil.run(['/usr/bin/update-ca-trust']) - except OSError, e: - root_logger.info("Failed to copy %s to %s", cacert_path, - new_cacert_path) - except CalledProcessError, e: - root_logger.info("Failed to add CA to the systemwide " - "CA trust database: %s", e) - else: - root_logger.info('Added the CA to the systemwide CA trust database.') - return True - return False + if (os.path.exists(restorecon)): + ipautil.run([restorecon, filepath], raiseonerr=False) + def check_selinux_status(self, restorecon=paths.RESTORECON): + """ + We don't have a specific package requirement for policycoreutils + which provides restorecon. This is because we don't require + SELinux on client installs. However if SELinux is enabled then + this package is required. -def remove_ca_cert_from_systemwide_ca_store(cacert_path): - # Derive the certificate name in the store - cacert_name = os.path.basename(cacert_path) - new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, - 'ipa-%s' % cacert_name) + This function returns nothing but may raise a Runtime exception + if SELinux is enabled but restorecon is not available. + """ + try: + if os.path.exists(paths.SELINUXENABLED): + ipautil.run([paths.SELINUXENABLED]) + else: + # No selinuxenabled, no SELinux + return + except ipautil.CalledProcessError: + # selinuxenabled returns 1 if not enabled + return - # Remove CA cert from systemwide store - if os.path.exists(new_cacert_path): + if not os.path.exists(restorecon): + raise RuntimeError('SELinux is enabled but %s does not exist.\n' + 'Install the policycoreutils package and start ' + 'the installation again.' % restorecon) + + def restore_pre_ipa_client_configuration(self, fstore, statestore, + was_sssd_installed, + was_sssd_configured): + + auth_config = FedoraAuthConfig() + if statestore.has_state('authconfig'): + # disable only those configurations that we enabled during install + for conf in ('ldap', 'krb5', 'sssd', 'sssdauth', 'mkhomedir'): + cnf = statestore.restore_state('authconfig', conf) + # Do not disable sssd, as this can cause issues with its later + # uses. Remove it from statestore however, so that it becomes + # empty at the end of uninstall process. + if cnf and conf != 'sssd': + auth_config.disable(conf) + else: + # There was no authconfig status store + # It means the code was upgraded after original install + # Fall back to old logic + auth_config.disable("ldap") + auth_config.disable("krb5") + if not(was_sssd_installed and was_sssd_configured): + # Only disable sssdauth. Disabling sssd would cause issues + # with its later uses. + auth_config.disable("sssdauth") + auth_config.disable("mkhomedir") + + auth_config.execute() + + def set_nisdomain(self, nisdomain): + # Let authconfig setup the permanent configuration + auth_config = FedoraAuthConfig() + auth_config.add_parameter("nisdomain", nisdomain) + auth_config.execute() + + def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore): + auth_config = FedoraAuthConfig() + + if sssd: + statestore.backup_state('authconfig', 'sssd', True) + statestore.backup_state('authconfig', 'sssdauth', True) + auth_config.enable("sssd") + auth_config.enable("sssdauth") + else: + statestore.backup_state('authconfig', 'ldap', True) + auth_config.enable("ldap") + auth_config.enable("forcelegacy") + + if mkhomedir: + statestore.backup_state('authconfig', 'mkhomedir', True) + auth_config.enable("mkhomedir") + + auth_config.execute() + + def modify_pam_to_use_krb5(statestore): + auth_config = FedoraAuthConfig() + statestore.backup_state('authconfig', 'krb5', True) + auth_config.enable("krb5") + auth_config.add_option("nostart") + auth_config.execute() + + def insert_ca_cert_into_systemwide_ca_store(self, cacert_path): + # Add the 'ipa-' prefix to cert name to avoid name collisions + cacert_name = os.path.basename(cacert_path) + new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, + 'ipa-%s' % cacert_name) + + # Add the CA to the systemwide CA trust database try: - os.remove(new_cacert_path) + shutil.copy(cacert_path, new_cacert_path) ipautil.run(['/usr/bin/update-ca-trust']) except OSError, e: - root_logger.error('Could not remove: %s, %s', new_cacert_path, e) - return False + root_logger.info("Failed to copy %s to %s" % (cacert_path, + new_cacert_path)) except CalledProcessError, e: - root_logger.error('Could not update systemwide CA trust ' - 'database: %s', e) - return False + root_logger.info("Failed to add CA to the systemwide " + "CA trust database: %s" % str(e)) else: - root_logger.info('Systemwide CA database updated.') - - return True - - -def backup_and_replace_hostname(fstore, statestore, hostname): - old_hostname = socket.gethostname() - try: - ipautil.run(['/bin/hostname', hostname]) - except ipautil.CalledProcessError, e: - error_message = ("Failed to set this machine hostname to %s (%s)." - % (hostname, e)) - root_logger.error(error_message) - print >>sys.stderr, error_message - - filepath = '/etc/hostname' - if os.path.exists(filepath): - # read old hostname - with open(filepath, 'r') as f: - for line in f: - line = line.strip() - if not line or line.startswith('#'): - # skip comment or empty line - continue - old_hostname = line - break - fstore.backup_file(filepath) - - with open(filepath, 'w') as f: - f.write("%s\n" % hostname) - os.chmod(filepath, - stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) - os.chown(filepath, 0, 0) - restore_context(filepath) - - # store old hostname - statestore.backup_state('network', 'hostname', old_hostname) - - -def restore_network_configuration(fstore, statestore): - old_filepath = '/etc/sysconfig/network' - old_hostname = statestore.get_state('network', 'hostname') - hostname_was_configured = False - - if fstore.has_file(old_filepath): - # This is Fedora >=18 instance that was upgraded from previous - # Fedora version which held network configuration - # in /etc/sysconfig/network - old_filepath_restore = '/etc/sysconfig/network.ipabkp' - fstore.restore_file(old_filepath, old_filepath_restore) - print "Deprecated configuration file '%s' was restored to '%s'" \ - % (old_filepath, old_filepath_restore) - hostname_was_configured = True - - filepath = '/etc/hostname' - if fstore.has_file(filepath): - fstore.restore_file(filepath) - hostname_was_configured = True - - if not hostname_was_configured and old_hostname: - # hostname was not configured before but was set by IPA. Delete - # /etc/hostname to restore previous configuration + root_logger.info('Added the CA to the systemwide CA trust ' + 'database.') + return True + + return False + + def remove_ca_cert_from_systemwide_ca_store(self, cacert_path): + # Derive the certificate name in the store + cacert_name = os.path.basename(cacert_path) + new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, + 'ipa-%s' % cacert_name) + + # Remove CA cert from systemwide store + if os.path.exists(new_cacert_path): + try: + os.remove(new_cacert_path) + ipautil.run(['/usr/bin/update-ca-trust']) + except OSError, e: + root_logger.error('Could not remove: %s, %s' + % (new_cacert_path, str(e))) + return False + except CalledProcessError, e: + root_logger.error('Could not update systemwide CA trust ' + 'database: %s' % str(e)) + return False + else: + root_logger.info('Systemwide CA database updated.') + + return True + + def backup_and_replace_hostname(self, fstore, statestore, hostname): + old_hostname = socket.gethostname() try: - os.remove(filepath) - except OSError: - pass + ipautil.run(['/bin/hostname', hostname]) + except ipautil.CalledProcessError, e: + print >>sys.stderr, ("Failed to set this machine hostname to " + "%s (%s)." % (hostname, str(e))) + + filepath = '/etc/hostname' + if os.path.exists(filepath): + # read old hostname + with open(filepath, 'r') as f: + for line in f.readlines(): + line = line.strip() + if not line or line.startswith('#'): + # skip comment or empty line + continue + old_hostname = line + break + fstore.backup_file(filepath) + + with open(filepath, 'w') as f: + f.write("%s\n" % hostname) + os.chmod(filepath, + stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) + os.chown(filepath, 0, 0) + self.restore_context(filepath) + + # store old hostname + statestore.backup_state('network', 'hostname', old_hostname) + + def restore_network_configuration(self, fstore, statestore): + old_filepath = '/etc/sysconfig/network' + old_hostname = statestore.get_state('network', 'hostname') + hostname_was_configured = False + + if fstore.has_file(old_filepath): + # This is Fedora >=18 instance that was upgraded from previous + # Fedora version which held network configuration + # in /etc/sysconfig/network + old_filepath_restore = '/etc/sysconfig/network.ipabkp' + fstore.restore_file(old_filepath, old_filepath_restore) + print "Deprecated configuration file '%s' was restored to '%s'" \ + % (old_filepath, old_filepath_restore) + hostname_was_configured = True + + filepath = '/etc/hostname' + if fstore.has_file(filepath): + fstore.restore_file(filepath) + hostname_was_configured = True + + if not hostname_was_configured and old_hostname: + # hostname was not configured before but was set by IPA. Delete + # /etc/hostname to restore previous configuration + try: + os.remove(filepath) + except OSError: + pass + +tasks = FedoraTaskNamespace() |