summaryrefslogtreecommitdiffstats
path: root/ipaplatform/fedora/tasks.py
diff options
context:
space:
mode:
authorTomas Babej <tbabej@redhat.com>2014-06-03 16:17:16 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-16 19:48:21 +0200
commit8a5e2a816667587bf767990dc2715d6996975d44 (patch)
tree88f6c3f3cf05d721c923e43930156951d6936ba2 /ipaplatform/fedora/tasks.py
parentf0d0640a46647baa9e32c6e6dace7767b5c5b836 (diff)
downloadfreeipa-8a5e2a816667587bf767990dc2715d6996975d44.tar.gz
freeipa-8a5e2a816667587bf767990dc2715d6996975d44.tar.xz
freeipa-8a5e2a816667587bf767990dc2715d6996975d44.zip
ipaplatform: Contain all the tasks in the TaskNamespace
https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaplatform/fedora/tasks.py')
-rw-r--r--ipaplatform/fedora/tasks.py416
1 files changed, 205 insertions, 211 deletions
diff --git a/ipaplatform/fedora/tasks.py b/ipaplatform/fedora/tasks.py
index 8c49ab3a2..525e550ce 100644
--- a/ipaplatform/fedora/tasks.py
+++ b/ipaplatform/fedora/tasks.py
@@ -39,225 +39,219 @@ from ipaplatform.fedora.authconfig import FedoraAuthConfig
from ipaplatform.base.tasks import *
-def restore_context(filepath, restorecon='/sbin/restorecon'):
- """
- restore security context on the file path
- SELinux equivalent is /path/to/restorecon <filepath>
-
- restorecon's return values are not reliable so we have to
- ignore them (BZ #739604).
-
- ipautil.run() will do the logging.
- """
- try:
- if os.path.exists('/usr/sbin/selinuxenabled'):
- ipautil.run(["/usr/sbin/selinuxenabled"])
- else:
- # No selinuxenabled, no SELinux
- return
- except ipautil.CalledProcessError:
- # selinuxenabled returns 1 if not enabled
- return
-
- if (os.path.exists(restorecon)):
- ipautil.run([restorecon, filepath], raiseonerr=False)
-
-
-def check_selinux_status(restorecon=paths.RESTORECON):
- """
- We don't have a specific package requirement for policycoreutils
- which provides restorecon. This is because we don't require
- SELinux on client installs. However if SELinux is enabled then
- this package is required.
-
- This function returns nothing but may raise a Runtime exception
- if SELinux is enabled but restorecon is not available.
- """
- try:
- if os.path.exists('/usr/sbin/selinuxenabled'):
- ipautil.run(["/usr/sbin/selinuxenabled"])
- else:
- # No selinuxenabled, no SELinux
+class FedoraTaskNamespace(BaseTaskNamespace):
+
+ def restore_context(self, filepath, restorecon='/sbin/restorecon'):
+ """
+ restore security context on the file path
+ SELinux equivalent is /path/to/restorecon <filepath>
+ restorecon's return values are not reliable so we have to
+ ignore them (BZ #739604).
+
+ ipautil.run() will do the logging.
+ """
+ try:
+ if os.path.exists(paths.SELINUXENABLED):
+ ipautil.run([paths.SELINUXENABLED])
+ else:
+ # No selinuxenabled, no SELinux
+ return
+ except ipautil.CalledProcessError:
+ # selinuxenabled returns 1 if not enabled
return
- except ipautil.CalledProcessError:
- # selinuxenabled returns 1 if not enabled
- return
-
- if not os.path.exists(restorecon):
- raise RuntimeError('SELinux is enabled but %s does not exist.\n'
- 'Install the policycoreutils package and start the '
- 'installation again.' % restorecon)
-
-
-def restore_pre_ipa_client_configuration(fstore, statestore,
- was_sssd_installed,
- was_sssd_configured):
-
- auth_config = FedoraAuthConfig()
- if statestore.has_state('authconfig'):
- # disable only those configurations that we enabled during install
- for conf in ('ldap', 'krb5', 'sssd', 'sssdauth', 'mkhomedir'):
- cnf = statestore.restore_state('authconfig', conf)
- # Do not disable sssd, as this can cause issues with its later
- # uses. Remove it from statestore however, so that it becomes
- # empty at the end of uninstall process.
- if cnf and conf != 'sssd':
- auth_config.disable(conf)
- else:
- # There was no authconfig status store
- # It means the code was upgraded after original install
- # Fall back to old logic
- auth_config.disable("ldap")
- auth_config.disable("krb5")
- if not(was_sssd_installed and was_sssd_configured):
- # Only disable sssdauth. Disabling sssd would cause issues
- # with its later uses.
- auth_config.disable("sssdauth")
- auth_config.disable("mkhomedir")
-
- auth_config.execute()
-
-
-def set_nisdomain(nisdomain):
- # Let authconfig setup the permanent configuration
- auth_config = FedoraAuthConfig()
- auth_config.add_parameter("nisdomain", nisdomain)
- auth_config.execute()
-
-
-def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore):
- auth_config = FedoraAuthConfig()
-
- if sssd:
- statestore.backup_state('authconfig', 'sssd', True)
- statestore.backup_state('authconfig', 'sssdauth', True)
- auth_config.enable("sssd")
- auth_config.enable("sssdauth")
- else:
- statestore.backup_state('authconfig', 'ldap', True)
- auth_config.enable("ldap")
- auth_config.enable("forcelegacy")
-
- if mkhomedir:
- statestore.backup_state('authconfig', 'mkhomedir', True)
- auth_config.enable("mkhomedir")
-
- auth_config.execute()
-
-
-def modify_pam_to_use_krb5(statestore):
- auth_config = FedoraAuthConfig()
- statestore.backup_state('authconfig', 'krb5', True)
- auth_config.enable("krb5")
- auth_config.add_option("nostart")
- auth_config.execute()
-
-
-def insert_ca_cert_into_systemwide_ca_store(cacert_path):
- # Add the 'ipa-' prefix to cert name to avoid name collisions
- cacert_name = os.path.basename(cacert_path)
- new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE,
- 'ipa-%s' % cacert_name)
-
- # Add the CA to the systemwide CA trust database
- try:
- shutil.copy(cacert_path, new_cacert_path)
- ipautil.run(['/usr/bin/update-ca-trust'])
- except OSError, e:
- root_logger.info("Failed to copy %s to %s", cacert_path,
- new_cacert_path)
- except CalledProcessError, e:
- root_logger.info("Failed to add CA to the systemwide "
- "CA trust database: %s", e)
- else:
- root_logger.info('Added the CA to the systemwide CA trust database.')
- return True
- return False
+ if (os.path.exists(restorecon)):
+ ipautil.run([restorecon, filepath], raiseonerr=False)
+ def check_selinux_status(self, restorecon=paths.RESTORECON):
+ """
+ We don't have a specific package requirement for policycoreutils
+ which provides restorecon. This is because we don't require
+ SELinux on client installs. However if SELinux is enabled then
+ this package is required.
-def remove_ca_cert_from_systemwide_ca_store(cacert_path):
- # Derive the certificate name in the store
- cacert_name = os.path.basename(cacert_path)
- new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE,
- 'ipa-%s' % cacert_name)
+ This function returns nothing but may raise a Runtime exception
+ if SELinux is enabled but restorecon is not available.
+ """
+ try:
+ if os.path.exists(paths.SELINUXENABLED):
+ ipautil.run([paths.SELINUXENABLED])
+ else:
+ # No selinuxenabled, no SELinux
+ return
+ except ipautil.CalledProcessError:
+ # selinuxenabled returns 1 if not enabled
+ return
- # Remove CA cert from systemwide store
- if os.path.exists(new_cacert_path):
+ if not os.path.exists(restorecon):
+ raise RuntimeError('SELinux is enabled but %s does not exist.\n'
+ 'Install the policycoreutils package and start '
+ 'the installation again.' % restorecon)
+
+ def restore_pre_ipa_client_configuration(self, fstore, statestore,
+ was_sssd_installed,
+ was_sssd_configured):
+
+ auth_config = FedoraAuthConfig()
+ if statestore.has_state('authconfig'):
+ # disable only those configurations that we enabled during install
+ for conf in ('ldap', 'krb5', 'sssd', 'sssdauth', 'mkhomedir'):
+ cnf = statestore.restore_state('authconfig', conf)
+ # Do not disable sssd, as this can cause issues with its later
+ # uses. Remove it from statestore however, so that it becomes
+ # empty at the end of uninstall process.
+ if cnf and conf != 'sssd':
+ auth_config.disable(conf)
+ else:
+ # There was no authconfig status store
+ # It means the code was upgraded after original install
+ # Fall back to old logic
+ auth_config.disable("ldap")
+ auth_config.disable("krb5")
+ if not(was_sssd_installed and was_sssd_configured):
+ # Only disable sssdauth. Disabling sssd would cause issues
+ # with its later uses.
+ auth_config.disable("sssdauth")
+ auth_config.disable("mkhomedir")
+
+ auth_config.execute()
+
+ def set_nisdomain(self, nisdomain):
+ # Let authconfig setup the permanent configuration
+ auth_config = FedoraAuthConfig()
+ auth_config.add_parameter("nisdomain", nisdomain)
+ auth_config.execute()
+
+ def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore):
+ auth_config = FedoraAuthConfig()
+
+ if sssd:
+ statestore.backup_state('authconfig', 'sssd', True)
+ statestore.backup_state('authconfig', 'sssdauth', True)
+ auth_config.enable("sssd")
+ auth_config.enable("sssdauth")
+ else:
+ statestore.backup_state('authconfig', 'ldap', True)
+ auth_config.enable("ldap")
+ auth_config.enable("forcelegacy")
+
+ if mkhomedir:
+ statestore.backup_state('authconfig', 'mkhomedir', True)
+ auth_config.enable("mkhomedir")
+
+ auth_config.execute()
+
+ def modify_pam_to_use_krb5(statestore):
+ auth_config = FedoraAuthConfig()
+ statestore.backup_state('authconfig', 'krb5', True)
+ auth_config.enable("krb5")
+ auth_config.add_option("nostart")
+ auth_config.execute()
+
+ def insert_ca_cert_into_systemwide_ca_store(self, cacert_path):
+ # Add the 'ipa-' prefix to cert name to avoid name collisions
+ cacert_name = os.path.basename(cacert_path)
+ new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE,
+ 'ipa-%s' % cacert_name)
+
+ # Add the CA to the systemwide CA trust database
try:
- os.remove(new_cacert_path)
+ shutil.copy(cacert_path, new_cacert_path)
ipautil.run(['/usr/bin/update-ca-trust'])
except OSError, e:
- root_logger.error('Could not remove: %s, %s', new_cacert_path, e)
- return False
+ root_logger.info("Failed to copy %s to %s" % (cacert_path,
+ new_cacert_path))
except CalledProcessError, e:
- root_logger.error('Could not update systemwide CA trust '
- 'database: %s', e)
- return False
+ root_logger.info("Failed to add CA to the systemwide "
+ "CA trust database: %s" % str(e))
else:
- root_logger.info('Systemwide CA database updated.')
-
- return True
-
-
-def backup_and_replace_hostname(fstore, statestore, hostname):
- old_hostname = socket.gethostname()
- try:
- ipautil.run(['/bin/hostname', hostname])
- except ipautil.CalledProcessError, e:
- error_message = ("Failed to set this machine hostname to %s (%s)."
- % (hostname, e))
- root_logger.error(error_message)
- print >>sys.stderr, error_message
-
- filepath = '/etc/hostname'
- if os.path.exists(filepath):
- # read old hostname
- with open(filepath, 'r') as f:
- for line in f:
- line = line.strip()
- if not line or line.startswith('#'):
- # skip comment or empty line
- continue
- old_hostname = line
- break
- fstore.backup_file(filepath)
-
- with open(filepath, 'w') as f:
- f.write("%s\n" % hostname)
- os.chmod(filepath,
- stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
- os.chown(filepath, 0, 0)
- restore_context(filepath)
-
- # store old hostname
- statestore.backup_state('network', 'hostname', old_hostname)
-
-
-def restore_network_configuration(fstore, statestore):
- old_filepath = '/etc/sysconfig/network'
- old_hostname = statestore.get_state('network', 'hostname')
- hostname_was_configured = False
-
- if fstore.has_file(old_filepath):
- # This is Fedora >=18 instance that was upgraded from previous
- # Fedora version which held network configuration
- # in /etc/sysconfig/network
- old_filepath_restore = '/etc/sysconfig/network.ipabkp'
- fstore.restore_file(old_filepath, old_filepath_restore)
- print "Deprecated configuration file '%s' was restored to '%s'" \
- % (old_filepath, old_filepath_restore)
- hostname_was_configured = True
-
- filepath = '/etc/hostname'
- if fstore.has_file(filepath):
- fstore.restore_file(filepath)
- hostname_was_configured = True
-
- if not hostname_was_configured and old_hostname:
- # hostname was not configured before but was set by IPA. Delete
- # /etc/hostname to restore previous configuration
+ root_logger.info('Added the CA to the systemwide CA trust '
+ 'database.')
+ return True
+
+ return False
+
+ def remove_ca_cert_from_systemwide_ca_store(self, cacert_path):
+ # Derive the certificate name in the store
+ cacert_name = os.path.basename(cacert_path)
+ new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE,
+ 'ipa-%s' % cacert_name)
+
+ # Remove CA cert from systemwide store
+ if os.path.exists(new_cacert_path):
+ try:
+ os.remove(new_cacert_path)
+ ipautil.run(['/usr/bin/update-ca-trust'])
+ except OSError, e:
+ root_logger.error('Could not remove: %s, %s'
+ % (new_cacert_path, str(e)))
+ return False
+ except CalledProcessError, e:
+ root_logger.error('Could not update systemwide CA trust '
+ 'database: %s' % str(e))
+ return False
+ else:
+ root_logger.info('Systemwide CA database updated.')
+
+ return True
+
+ def backup_and_replace_hostname(self, fstore, statestore, hostname):
+ old_hostname = socket.gethostname()
try:
- os.remove(filepath)
- except OSError:
- pass
+ ipautil.run(['/bin/hostname', hostname])
+ except ipautil.CalledProcessError, e:
+ print >>sys.stderr, ("Failed to set this machine hostname to "
+ "%s (%s)." % (hostname, str(e)))
+
+ filepath = '/etc/hostname'
+ if os.path.exists(filepath):
+ # read old hostname
+ with open(filepath, 'r') as f:
+ for line in f.readlines():
+ line = line.strip()
+ if not line or line.startswith('#'):
+ # skip comment or empty line
+ continue
+ old_hostname = line
+ break
+ fstore.backup_file(filepath)
+
+ with open(filepath, 'w') as f:
+ f.write("%s\n" % hostname)
+ os.chmod(filepath,
+ stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+ os.chown(filepath, 0, 0)
+ self.restore_context(filepath)
+
+ # store old hostname
+ statestore.backup_state('network', 'hostname', old_hostname)
+
+ def restore_network_configuration(self, fstore, statestore):
+ old_filepath = '/etc/sysconfig/network'
+ old_hostname = statestore.get_state('network', 'hostname')
+ hostname_was_configured = False
+
+ if fstore.has_file(old_filepath):
+ # This is Fedora >=18 instance that was upgraded from previous
+ # Fedora version which held network configuration
+ # in /etc/sysconfig/network
+ old_filepath_restore = '/etc/sysconfig/network.ipabkp'
+ fstore.restore_file(old_filepath, old_filepath_restore)
+ print "Deprecated configuration file '%s' was restored to '%s'" \
+ % (old_filepath, old_filepath_restore)
+ hostname_was_configured = True
+
+ filepath = '/etc/hostname'
+ if fstore.has_file(filepath):
+ fstore.restore_file(filepath)
+ hostname_was_configured = True
+
+ if not hostname_was_configured and old_hostname:
+ # hostname was not configured before but was set by IPA. Delete
+ # /etc/hostname to restore previous configuration
+ try:
+ os.remove(filepath)
+ except OSError:
+ pass
+
+tasks = FedoraTaskNamespace()