Set explicit confdir option for global contexts

Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

18 files changed, 47 insertions, 27 deletions

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 7389a5e0f..2e137ad44 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -494,7 +494,7 @@ def main():
         'ipaCACertRenewal':     renew_ca_cert,
     }
 
-    api.bootstrap(in_server=True, context='renew')
+    api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
     api.finalize()
     api.Backend.ldap2.connect()
 
diff --git a/install/migration/migration.py b/install/migration/migration.py
index 4743279be..73e47776b 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -24,6 +24,7 @@ import cgi
 import errno
 from wsgiref.util import request_uri
 
+from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 from ipapython import ipaldap
@@ -72,7 +73,7 @@ def application(environ, start_response):
 
     # API object only for configuration, finalize() not needed
     api = create_api(mode=None)
-    api.bootstrap(context='server', in_server=True)
+    api.bootstrap(context='server', confdir=paths.ETC_IPA, in_server=True)
     try:
         bind(api.env.ldap_uri, api.env.basedn,
              form_data['username'].value, form_data['password'].value)
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index a0d8a3165..e5c2e8ce5 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -8,6 +8,7 @@ from ipapython.dn import DN
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
 from ipaplatform.constants import constants
+from ipaplatform.paths import paths
 import sys
 import os
 import pwd
@@ -95,7 +96,8 @@ env._bootstrap(debug=options.debug, log=None)
 env._finalize_core(**dict(DEFAULT_CONFIG))
 
 # Initialize the API with the proper debug level
-api.bootstrap(in_server=True, debug=env.debug, log=None, context='server')
+api.bootstrap(in_server=True, debug=env.debug, log=None,
+              context='server', confdir=paths.ETC_IPA)
 api.finalize()
 
 # Only import trust plugin after api is initialized or internal imports
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 46e4242a4..bbeae1ae1 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -40,7 +40,7 @@ from ipaplatform.paths import paths
 def _main():
     nickname = sys.argv[1]
 
-    api.bootstrap(in_server=True, context='restart')
+    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
     api.finalize()
     api.Backend.ldap2.connect()
 
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index eb11c81a8..d978f946c 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -36,7 +36,7 @@ from ipaplatform.paths import paths
 def _main():
     nickname = 'ipaCert'
 
-    api.bootstrap(in_server=True, context='restart')
+    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
     api.finalize()
     api.Backend.ldap2.connect()
 
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index 72d3c544b..b4c9490c1 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -24,6 +24,7 @@ import syslog
 import traceback
 from ipalib import api
 from ipaplatform import services
+from ipaplatform.paths import paths
 from ipaserver.install import certs
 
 
@@ -33,7 +34,7 @@ def _main():
     except IndexError:
         instance = ""
 
-    api.bootstrap(in_server=True, context='restart')
+    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
     api.finalize()
 
     syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad
index ae07dcd58..133a4ef8f 100644
--- a/install/restart_scripts/stop_pkicad
+++ b/install/restart_scripts/stop_pkicad
@@ -23,11 +23,12 @@ import syslog
 import traceback
 from ipalib import api
 from ipaplatform import services
+from ipaplatform.paths import paths
 from ipaserver.install import certs
 
 
 def main():
-    api.bootstrap(in_server=True, context='restart')
+    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
     api.finalize()
 
     dogtag_service = services.knownservices['pki_tomcatd']
diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
index 658204bc1..4daed6f51 100755
--- a/install/share/copy-schema-to-ca.py
+++ b/install/share/copy-schema-to-ca.py
@@ -114,7 +114,7 @@ def main():
     standard_logging_setup(verbose=True)
 
     # In 3.0, restarting needs access to api.env
-    api.bootstrap_with_global_options(context='server')
+    api.bootstrap_with_global_options(context='server', confdir=paths.ETC_IPA)
 
     add_ca_schema()
     restart_pki_ds()
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index ee9311e4e..ca97d1e23 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -23,6 +23,7 @@
 """
 WSGI appliction for IPA server.
 """
+from ipaplatform.paths import paths
 from ipalib import api
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
@@ -31,11 +32,12 @@ from ipalib.constants import DEFAULT_CONFIG
 # by reading in the configuration file(s). The server always reads
 # default.conf and will also read in `context'.conf.
 env = Env()
-env._bootstrap(context='server', log=None)
+env._bootstrap(context='server', log=None, confdir=paths.ETC_IPA)
 env._finalize_core(**dict(DEFAULT_CONFIG))
 
 # Initialize the API with the proper debug level
-api.bootstrap(context='server', debug=env.debug, log=None)
+api.bootstrap(context='server', confdir=paths.ETC_IPA,
+              debug=env.debug, log=None)
 try:
     api.finalize()
 except Exception as e:
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 918b23850..8d927f10e 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -263,11 +263,12 @@ def main():
         sys.exit("Aborting installation.")
 
     # Initialize the ipalib api
-    cfg = dict(
+    api.bootstrap(
         in_server=True,
         debug=options.debug,
+        context='install',
+        confdir=paths.ETC_IPA
     )
-    api.bootstrap(**cfg)
     api.finalize()
 
     # If domain name and realm does not match, IPA server will not be able
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index bf817c7f1..88939f9db 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -261,7 +261,10 @@ def main():
 
     # override ra_plugin setting read from default.conf so that we have
     # functional dogtag backend plugins during CA install
-    api.bootstrap(in_server=True, ra_plugin='dogtag')
+    api.bootstrap(
+        context='install', confdir=paths.ETC_IPA,
+        in_server=True, ra_plugin='dogtag'
+    )
     api.finalize()
     api.Backend.ldap2.connect()
 
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 6a3b8693c..f494380e6 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -408,14 +408,13 @@ def main():
 
     # Just initialize the environment. This is so the installer can have
     # access to the plugin environment
-    api_env = {'in_server' : True,
-               'verbose'   : options.verbose,
-              }
-
+    api_env = {}
     if os.getegid() != 0:
         api_env['log'] = None # turn off logging for non-root
 
-    api.bootstrap(**api_env)
+    api.bootstrap(
+        context='cli', in_server=True, verbose=options.verbose, **api_env
+    )
     api.finalize()
 
     dirman_passwd = None
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 699749d08..5bd0ba6d7 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -132,11 +132,10 @@ def main():
     installutils.check_server_configuration()
 
     # Initialize the ipalib api
-    cfg = dict(
-        in_server=True,
-        debug=options.debug,
+    api.bootstrap(
+        context='install', confdir=paths.ETC_IPA,
+        in_server=True, debug=options.debug,
     )
-    api.bootstrap(**cfg)
     api.finalize()
     api.Backend.ldap2.connect()
 
diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy
index 329565c2b..bb2949be8 100755
--- a/install/tools/ipa-httpd-kdcproxy
+++ b/install/tools/ipa-httpd-kdcproxy
@@ -184,7 +184,8 @@ class KDCProxyConfig(object):
 def main(debug=DEBUG, time_limit=TIME_LIMIT):
     # initialize API without file logging
     if not api.isdone('bootstrap'):
-        api.bootstrap(context='ipa-httpd-kdcproxy', log=None, debug=debug)
+        api.bootstrap(context='server', confdir=paths.ETC_IPA,
+                      log=None, debug=debug)
         standard_logging_setup(verbose=True, debug=debug)
 
     try:
diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage
index 21ff18334..c44b0f9ed 100755
--- a/install/tools/ipa-nis-manage
+++ b/install/tools/ipa-nis-manage
@@ -113,7 +113,9 @@ def main():
     if not dirman_password:
         sys.exit("No password supplied")
 
-    api.bootstrap(context='cli', debug=options.debug, in_server=True)
+    api.bootstrap(
+        context='cli', confdir=paths.ETC_IPA,
+        debug=options.debug, in_server=True)
     api.finalize()
     api.Backend.ldap2.connect(bind_pw=dirman_password)
 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 2413754e5..121f06844 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -554,7 +554,9 @@ def main():
                     else:
                         nss_dir = None
 
-                    api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri,
+                    api.bootstrap(context='client',
+                                  confdir=paths.ETC_IPA,
+                                  xmlrpc_uri=xmlrpc_uri,
                                   nss_dir=nss_db.secdir)
                     api.finalize()
                     try:
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 1ee7301e6..56cb90bea 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -1508,7 +1508,10 @@ def main(options, args):
     if os.getegid() != 0:
         api_env['log'] = None # turn off logging for non-root
 
-    api.bootstrap(**api_env)
+    api.bootstrap(
+        context='cli', confdir=paths.ETC_IPA,
+        in_server=True, verbose=options.verbose
+    )
     api.finalize()
 
     dirman_passwd = None
diff --git a/install/tools/ipactl b/install/tools/ipactl
index ce4fe0254..db8ff6249 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -560,7 +560,10 @@ def main():
         else:
             raise e
 
-    api.bootstrap(in_server=True, context='ipactl', debug=options.debug)
+    api.bootstrap(in_server=True,
+                  context='ipactl',
+                  confdir=paths.ETC_IPA,
+                  debug=options.debug)
     api.finalize()
 
     if '.' not in api.env.host: