summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/installutils.py
Commit message (Collapse)AuthorAgeFilesLines
* Fix internal errors in host-add and other commands caused by DNS resolutionPetr Spacek2016-07-011-10/+3
| | | | | | | | | | | | | | | | | | Previously resolver was returning CheckedIPAddress objects. This internal server error in cases where DNS actually returned reserved IP addresses. Now the resolver is returning UnsafeIPAddress objects which do syntactic checks but do not filter IP addresses. From now on we can decide if some IP address should be accepted as-is or if it needs to be contrained to some subset of IP addresses using CheckedIPAddress class. This regression was caused by changes for https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use NSS for name->resolution in IPA installerPetr Spacek2016-06-291-2/+41
| | | | | | | | | | | | This fixes scenarios where IPA server is not able to resolve own name and option --ip-address was not specified by the user. This partially reverts changes from commit dc405005f537cf278fd6ddfe6b87060bd13d9a67 https://fedorahosted.org/freeipa/ticket/5962 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Report missing certificate in external trust chainFlorence Blanc-Renaud2016-06-231-2/+3
| | | | | | | | | | | | | When ipa-server-install is called with an external CA, but the cert chain is incomplete, the command exits with the following error: ERROR CA certificate chain in <list of --external-cert-file> is incomplete The fix adds in the log the name of the missing certificate: ERROR CA certificate chain in <list of --external-cert-file> is incomplete: missing certificate with subject '<dn of the missing certificate>' https://fedorahosted.org/freeipa/ticket/5792 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replica install: use remote server API to create service entriesJan Cholasta2016-06-091-19/+4
| | | | | | | | | | | Use the existing remote server API to create service entries instead of a client API. This fixes a crash during replica promotion due to unavailable schema. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* Move IP address resolution from ipaserver.install.installutils to ↵Petr Spacek2016-05-301-21/+5
| | | | | | | | | | | ipapython.dnsutil This is to make it reusable from other modules and to avoid future code duplication. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* pylint: remove bare exceptMartin Basti2016-03-221-2/+2
| | | | | | | Bare except should not be used. Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* pylint: supress false positive no-member errorsMartin Basti2016-03-021-2/+7
| | | | | | | | | pylint 1.5 prints many false positive no-member errors which are supressed by this commit. https://fedorahosted.org/freeipa/ticket/5615 Reviewed-By: David Kupka <dkupka@redhat.com>
* Make PTR records check optional for IPA installationMartin Basti2016-02-291-8/+9
| | | | | | | | | PTR records are not mandratory for IPA, result fo checks should be only warning not hard error. https://fedorahosted.org/freeipa/ticket/5686 Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* Remove unused importsMartin Basti2015-12-231-4/+1
| | | | | | | This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replica install: add remote connection check over APIJan Cholasta2015-12-111-12/+0
| | | | | | | | | | Add server_conncheck command which calls ipa-replica-conncheck --replica over oddjob. https://fedorahosted.org/freeipa/ticket/5497 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-dns-install offer IP addresses from resolv.conf as default forwardersPetr Spacek2015-12-011-0/+7
| | | | | | | | | In non-interactive more option --auto-forwarders can be used to do the same. --forward option can be used to supply additional IP addresses. https://fedorahosted.org/freeipa/ticket/5438 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: drop support for Dogtag 9Jan Cholasta2015-11-251-4/+4
| | | | | | | | | | | Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
* Install: Force service add during replica promotionMartin Basti2015-11-241-1/+2
| | | | | | | | | Replica does not need to have A/AAAA records during install, so we cannot enforce it and service must be added with --force option. https://fedorahosted.org/freeipa/ticket/5420 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* remove Kerberos authenticators when installing/uninstalling service instanceMartin Babinsky2015-11-111-0/+37
| | | | | | | | | | each service possessing Kerberos keytab/ccache will now perform their removal before service principal creation and during service uninstall https://fedorahosted.org/freeipa/ticket/5243 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Remove dead code in ipaserver/install/installutils: read_ip_address()Petr Spacek2015-11-101-14/+0
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add method to read changes from LDIFMartin Basti2015-10-151-0/+40
| | | | | | | | | | | | | | | | modifications_from_ldif will read LDIF file and changes in LDIF will be cached until parse() is called. After calling parse() method changes will be applied into destination LDIF. Only changetype modify is supported, the default operation is add. https://fedorahosted.org/freeipa/ticket/4949 Also fixes: https://fedorahosted.org/freeipa/ticket/4048 https://fedorahosted.org/freeipa/ticket/1930 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Make offline LDIF modify more robustMartin Basti2015-10-151-0/+98
| | | | | | | | | | | | | | * move code to installutils * add replace_value method * use lists instead of single values for add_value, remove_value methods https://fedorahosted.org/freeipa/ticket/4949 Also fixes: https://fedorahosted.org/freeipa/ticket/4048 https://fedorahosted.org/freeipa/ticket/1930 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Make checks for existing credentials reusableSimo Sorce2015-10-151-0/+73
| | | | | | | move the in installutils so they can be reused by multiple scripts Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Implement replica promotion functionalitySimo Sorce2015-10-151-1/+28
| | | | | | | | | | | | | | | | | | This patch implements a new flag --promote for the ipa-replica-install command that allows an administrative user to 'promote' an already joined client to become a full ipa server. The only credentials used are that of an administrator. This code relies on ipa-custodia being available on the peer master as well as a number of other patches to allow a computer account to request certificates for its services. Therefore this feature is marked to work only with domain level 1 and above servers. Ticket: https://fedorahosted.org/freeipa/ticket/2888 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add ipa-custodia serviceSimo Sorce2015-10-151-0/+8
| | | | | | | | | | Add a customized Custodia daemon and enable it after installation. Generates server keys and loads them in LDAP autonomously on install or update. Provides client code classes too. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use six.moves.configparser instead of ConfigParserPetr Viktorin2015-10-071-1/+1
| | | | | | | | The module name was lowercased in Python 3. Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-171-0/+4
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Installer: do not modify /etc/hosts before user agreementMartin Basti2015-09-031-13/+23
| | | | | | | | | https://fedorahosted.org/freeipa/ticket/4561 As side effect this also fixes: https://fedorahosted.org/freeipa/ticket/5266 Reviewed-By: David Kupka <dkupka@redhat.com>
* Use the print functionPetr Viktorin2015-09-011-39/+40
| | | | | | | | | In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-18/+18
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* adtrustinstance: Enable and start oddjobdTomas Babej2015-07-081-0/+11
| | | | | | | Enable and start the oddjobd service as part of the ipa-adtrust-install for the new IPA installations. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix removal of ipa-kdc-proxy.conf symlinkChristian Heimes2015-06-291-1/+1
| | | | | | | installutils.remove_file() ignored broken symlinks. Now it uses os.path.lexists() to detect and also remove dangling symlinks. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* fix handling of ldap.LDAPError in installerPetr Vobornik2015-06-291-3/+7
| | | | | | | | 'info' is optional component in LDAPError http://www.python-ldap.org/doc/html/ldap.html#exceptions Reviewed-By: Martin Basti <mbasti@redhat.com>
* Improve error messages about reverse address resolution in ipa-replica-preparePetr Spacek2015-06-181-2/+8
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: Fix ipa-kra-installJan Cholasta2015-06-101-16/+0
| | | | | | | | | Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Move private_ccache from ipaserver to ipapythonJan Cholasta2015-06-081-22/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Clarify messages related to adding DNS forwardersPetr Spacek2015-06-051-6/+5
| | | | | | Proposed by Tomas Capek. Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS install: extract DNS installer into one moduleMartin Basti2015-05-191-0/+2
| | | | | | | | | | | | This is required modification to be able move to new installers. DNS subsystem will be installed by functions in this module in each of ipa-server-install, ipa-dns-install, ipa-replica-install install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* move realm_to_serverid to installutils moduleMartin Basti2015-05-051-0/+3
| | | | | | | | | To avoid cyclic imports realm_to_serverid function had to be moved to installutils from dsinstance. Required for: https://fedorahosted.org/freeipa/ticket/4925 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Server Upgrade: Verify version and platformMartin Basti2015-05-041-1/+69
| | | | | | | | | | | | | | | | | | | | | | | | Verify version and platform before upgrade or ipactl start|restart Upgrade: * do not allow upgrade on different platforms * do not allow upgrade data with higher version than build has Start: * do not start services if platform mismatch * do not start services if upgrade is needed * do not start services if data with higher version than build has New ipactl options: --skip-version-check: do not validate IPA version --ignore-service-failures (was --force): ignore if a service start fail and continue with starting other services --force: combine --skip-version-check and --ignore-service-failures https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* fix improper handling of boolean option inMartin Babinsky2015-04-021-1/+1
| | | | | | | | read_replica_info_kra_enabled This patch fixes https://fedorahosted.org/freeipa/ticket/4530. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Do not crash on unknown services in installutils.stopped_serviceJan Cholasta2015-01-131-3/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4835 Reviewed-By: David Kupka <dkupka@redhat.com>
* Always add /etc/hosts record when DNS is being configured.David Kupka2014-12-181-1/+1
| | | | | | | | | This was done previosly but accidentally removed when later with patch for ticket #3575. https://fedorahosted.org/freeipa/ticket/4817 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix: read_ip_addresses should return ipaddr objectMartin Basti2014-11-211-1/+1
| | | | | | | | Interactive prompt callback returns list of str instead of CheckedIPAddress instances. Ticket: https://fedorahosted.org/freeipa/ticket/4747 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Respect UID and GID soft static allocation.David Kupka2014-11-051-42/+0
| | | | | | | | https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation https://fedorahosted.org/freeipa/ticket/4585 Reviewed-By: Martin Basti <mbasti@redhat.com>
* CA-less installer options usability fixesJan Cholasta2014-09-301-50/+76
| | | | | | | | | | | | | | | | | | | The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have been replaced by --*-cert-file options which accept multiple files. ipa-server-certinstall now accepts multiple files as well. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. The --root-ca-file option of ipa-server-install has been replaced by --ca-cert-file option which accepts multiple files. The files are accepted in PEM and DER certificate and PKCS#7 certificate chain formats. The --*_pin options of ipa-server-install and ipa-replica-prepare have been renamed to --*-pin. https://fedorahosted.org/freeipa/ticket/4489 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* External CA installer options usability fixesJan Cholasta2014-09-301-42/+67
| | | | | | | | | | | The --external_cert_file and --external_ca_file options of ipa-server-install and ipa-ca-install have been replaced by --external-cert-file option which accepts multiple files. The files are accepted in PEM and DER certificate and PKCS#7 certificate chain formats. https://fedorahosted.org/freeipa/ticket/4480 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Detect and configure all usable IP addresses.David Kupka2014-09-261-61/+63
| | | | | | | | | | | Find, verify and configure all IP addresses that can be used to reach the server FreeIPA is being installed on. Ignore some IP address only if user specifies subset of detected addresses using --ip-address option. This change simplyfies FreeIPA installation on multihomed and dual-stacked servers. https://fedorahosted.org/freeipa/ticket/3575 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaserver.install: Consolidate system user creationPetr Viktorin2014-09-231-1/+43
| | | | | | | | | | | | | | Sytem users and their groups are always created together. Also, users & groups should never be removed once they exist on the system (see comit a5a55ce). Use a single function for generic user creation, and specific funtions in dsinstance and cainstance. Remove code left over from when we used to delete the DS user. Preparation for: https://fedorahosted.org/freeipa/ticket/3866 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Make CA-less ipa-server-install option --root-ca-file optional.Jan Cholasta2014-09-051-21/+25
| | | | | | | | | | | | | The CA cert specified by --root-ca-file option must always be the CA cert of the CA which issued the server certificates in the PKCS#12 files. As the cert is not actually user selectable, use CA cert from the PKCS#12 files by default if it is present. Document --root-ca-file in ipa-server-install man page. https://fedorahosted.org/freeipa/ticket/4457 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add record(s) to /etc/host when IPA is configured as DNS server.David Kupka2014-09-031-1/+1
| | | | | | | | | | This is to avoid chicken-egg problem when directory server fails to start without resolvable hostname and named fails to provide hostname without directory server. https://fedorahosted.org/freeipa/ticket/4220 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add a KRA to IPAAde Lee2014-08-221-21/+86
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add function for writing list of certificates to a PEM file to ipalib.x509.Jan Cholasta2014-07-301-1/+1
| | | | | | | | | | Also rename load_certificate_chain_from_file to load_certificate_list_from_file. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Move external cert validation from ipa-server-install to installutils.Jan Cholasta2014-07-301-1/+49
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-161-6/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
generated by cgit (git 2.34.1) at 2025-08-29 13:23:31 +0000