author | Jan Cholasta <jcholast@redhat.com> | 2015-12-09 08:18:21 +0100 |
committer | Tomas Babej <tbabej@redhat.com> | 2015-12-11 18:44:13 +0100 |
commit | 8d7f67e08c8320712321501451e4a444b89a4423 (patch) | |
tree | ced31cce2bf2c83a8d1e3106d6b72f8b5c9bff80 /install | |
parent | 00f591d4e93cfe1f6f020a1c708a3d90b5b34288 (diff) | |
replica install: add remote connection check over API
Add server_conncheck command which calls ipa-replica-conncheck --replica
over oddjob.
https://fedorahosted.org/freeipa/ticket/5497
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Diffstat (limited to 'install')
-rw-r--r-- | install/oddjob/Makefile.am | 3 | ||||
-rw-r--r-- | install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf | 21 | ||||
-rw-r--r-- | install/oddjob/etc/oddjobd.conf.d/ipa-server.conf | 20 | ||||
-rwxr-xr-x | install/oddjob/org.freeipa.server.conncheck | 2 | ||||
-rwxr-xr-x | install/tools/ipa-ca-install | 6 | ||||
-rwxr-xr-x | install/tools/ipa-replica-conncheck | 131 | ||||
-rw-r--r-- | install/updates/90-post_upgrade_plugins.update | 1 |
7 files changed, 166 insertions, 18 deletions
diff --git a/install/oddjob/Makefile.am b/install/oddjob/Makefile.am
index 5cdaf2b29..fb64f6cf4 100644
--- a/install/oddjob/Makefile.am
+++ b/install/oddjob/Makefile.am
@@ -6,14 +6,17 @@ dbusconfdir = $(sysconfdir)/dbus-1/system.d oddjob_SCRIPTS = \ com.redhat.idm.trust-fetch-domains \ + org.freeipa.server.conncheck \ $(NULL) dbusconf_DATA = \ etc/dbus-1/system.d/oddjob-ipa-trust.conf \ + etc/dbus-1/system.d/org.freeipa.server.conf \ $(NULL) oddjobconf_DATA = \ etc/oddjobd.conf.d/oddjobd-ipa-trust.conf \ + etc/oddjobd.conf.d/ipa-server.conf \ $(NULL)
diff --git a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
new file mode 100644
index 000000000..b2cbf746f
--- /dev/null
+++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
@@ -0,0 +1,21 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+
+ <policy user="root">
+ <allow own="org.freeipa.server"/>
+
+ <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
+ </policy>
+
+ <policy user="apache">
+ <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
+ </policy>
+
+ <policy context="default">
+ <allow send_destination="org.freeipa.server" send_interface="org.freedesktop.DBus.Introspectable"/>
+ </policy>
+
+</busconfig>
diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
new file mode 100644
index 000000000..3f806966b
--- /dev/null
+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
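Review bot: The `<policy user="apache">` block lets the web server user call every method on the org.freeipa.server interface, and nothing in the file says why that account needs root-run helpers; add a comment above it, e.g. `<!-- apache: the IPA API's server_conncheck command runs as the web server user and must be able to trigger the conncheck helper, which oddjobd runs as root -->`. The `context="default"` policy admits only org.freedesktop.DBus.Introspectable, so as far as this file goes no other unprivileged user can reach the method, which is worth stating in the same comment. The account name "apache" is hard-coded, so presumably the file needs adjusting on platforms whose httpd runs under a different user.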
@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<oddjobconfig>
+ <service name="org.freeipa.server">
+ <allow user="root"/>
+ <allow user="apache"/>
+ <object name="/">
+ <interface name="org.freeipa.server">
+ <method name="conncheck">
+ <helper exec="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck"
+ arguments="1"
+ prepend_user_name="no"
+ argument_passing_method="cmdline"/>
+ </method>
+ </interface>
+ <interface name="org.freedesktop.DBus.Introspectable">
+ <allow min_uid="0" max_uid="0"/>
+ </interface>
+ </object>
+ </service>
+</oddjobconfig>
diff --git a/install/oddjob/org.freeipa.server.conncheck b/install/oddjob/org.freeipa.server.conncheck
new file mode 100755
index 000000000..ab7a46a86
--- /dev/null
+++ b/install/oddjob/org.freeipa.server.conncheck
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/sbin/ipa-replica-conncheck --replica "$1" 2>&1
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index b1d58f750..0b8f28cb7 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -149,8 +149,10 @@ def install_replica(safe_options, options, filename): config.ca_ds_port = 389 config.top_dir = tempfile.mkdtemp("ipa") config.dir = config.top_dir + cafile = paths.IPA_CA_CRT else: config = create_replica_config(dirman_password, filename, options) + cafile = config.dir + '/ca.crt' global REPLICA_INFO_TOP_DIR REPLICA_INFO_TOP_DIR = config.top_dir
@@ -176,6 +178,10 @@ def install_replica(safe_options, options, filename): options.dm_password = config.dirman_password options.host_name = config.host_name options.subject = config.subject_base + if os.path.exists(cafile): + options.ca_cert_file = cafile + else: + options.ca_cert_file = None ca.install_check(True, config, options) if options.promote:
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index a67837c54..10e3437bd 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
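Review bot: The `conncheck` method hands its single D-Bus argument straight to a root-privileged process (`exec /usr/sbin/ipa-replica-conncheck --replica "$1" 2>&1` in the helper script on the same line), and neither the conf nor the helper records that the value is caller-supplied and not validated at this layer. Since `<allow user="apache"/>` admits the web server user, this is where the trust boundary is crossed; the server_conncheck command that invokes it is outside this diff, so I cannot confirm what host-name validation it performs. Add a comment on the `<method name="conncheck">` element, e.g. `<!-- argument 1: replica host name; passed verbatim to ipa-replica-conncheck --replica, which oddjobd runs as root, so the D-Bus caller must supply an already validated name -->`, and a matching comment line in the helper script. The quoting of `"$1"` together with `arguments="1"` does keep the value from being split into extra arguments, which is worth noting in the helper as well.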
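Review bot: `cafile = config.dir + '/ca.crt'` in the first hunk builds a path by string concatenation although the same change already uses `os.path`; prefer `cafile = os.path.join(config.dir, 'ca.crt')`. In the second hunk the four-line if/else reduces to `options.ca_cert_file = cafile if os.path.exists(cafile) else None`, which also makes it visible that only existence is checked and an unreadable or non-regular file is still handed to `ca.install_check`. install_replica starts and ends outside both hunks.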
@@ -22,11 +22,12 @@ from __future__ import print_function from ipapython.config import IPAOptionParser from ipapython import version -from ipapython import ipautil +from ipapython import ipautil, certdb from ipapython.ipautil import CalledProcessError +from ipalib import api, errors, x509 from ipaserver.install import installutils import ipaclient.ipachangeconf -from optparse import OptionGroup +from optparse import OptionGroup, OptionValueError from ipapython.ipa_log_manager import * import sys import os @@ -40,6 +41,7 @@ from socket import SOCK_STREAM, SOCK_DGRAM import distutils.spawn from ipaplatform.paths import paths import gssapi +from nss import nss CONNECT_TIMEOUT = 5 RESPONDERS = [ ] @@ -106,6 +108,30 @@ def print_info(msg): print(msg) def parse_options(): + def ca_cert_file_callback(option, opt, value, parser): + if not os.path.exists(value): + raise OptionValueError( + "%s option '%s' does not exist" % (opt, value)) + if not os.path.isfile(value): + raise OptionValueError( + "%s option '%s' is not a file" % (opt, value)) + if not os.path.isabs(value): + raise OptionValueError( + "%s option '%s' is not an absolute file path" % (opt, value)) + + initialized = nss.nss_is_initialized() + try: + x509.load_certificate_list_from_file(value) + except Exception: + raise OptionValueError( + "%s option '%s' is not a valid certificate file" % + (opt, value)) + finally: + if not initialized: + nss.nss_shutdown() + + parser.values.ca_cert_file = value + parser = IPAOptionParser(version=version.VERSION) replica_group = OptionGroup(parser, "on-replica options") 
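Review bot: `except Exception:` in `ca_cert_file_callback` discards the reason the certificate file failed to parse, so the user only sees "is not a valid certificate file"; bind the exception and include it, `except Exception as e:` with `"%s option '%s' is not a valid certificate file: %s" % (opt, value, e)`. The callback also deserves a docstring stating that it validates the path (exists, regular file, absolute), test-loads the certificates through NSS while restoring the previous NSS initialization state, and stores the path in `parser.values.ca_cert_file`. The `nss.nss_is_initialized()` / `nss.nss_shutdown()` pairing in the `finally` is the non-obvious part and merits a one-line why-comment, e.g. `# loading certificates initializes NSS as a side effect; only shut it down if we were the ones to start it`. parse_options continues outside the hunk.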
@@ -123,6 +149,10 @@ def parse_options(): default=None, help="Principal to use to log in to remote master") replica_group.add_option("-w", "--password", dest="password", sensitive=True, help="Password for the principal"), + replica_group.add_option("--ca-cert-file", dest="ca_cert_file", + type="string", action="callback", + callback=ca_cert_file_callback, + help="load the CA certificate from this file") parser.add_option_group(replica_group) 
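Review bot: The new option's help text `help="load the CA certificate from this file"` starts lowercase while the neighbouring options in the same group use sentence case ("Principal to use to log in to remote master", "Password for the principal"); change it to `help="Load the CA certificate from this file"`. parse_options continues outside the hunk.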
@@ -418,22 +448,89 @@ def main(): if returncode != 0: raise RuntimeError("Could not get ticket for master server: %s" % stderr) - user = principal.partition('@')[0] - ssh = SshExec(user, options.master) + try: + print_info("Check RPC connection to remote master") + + xmlrpc_uri = ('https://%s/ipa/xml' % + ipautil.format_netloc(options.master)) + api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri) + api.finalize() - print_info("Check SSH connection to remote master") - stdout, stderr, returncode = ssh('echo OK', verbose=True) - if returncode != 0: - print('Could not SSH into remote host. Error output:') - for line in stderr.splitlines(): - print(' %s' % line) - raise RuntimeError('Could not SSH to remote host.') - - print_info("Execute check on remote master") - stdout, stderr, returncode = ssh( - "/usr/sbin/ipa-replica-conncheck " + - " ".join(remote_check_opts)) - print_info(stdout) + if options.ca_cert_file: + nss_dir = None + else: + nss_dir = paths.IPA_NSSDB_DIR + + with certdb.NSSDatabase(nss_dir) as nss_db: + if options.ca_cert_file: + nss_dir = nss_db.secdir + + password = ipautil.ipa_generate_password() + password_file = ipautil.write_tmp_file(password) + nss_db.create_db(password_file.name) + + ca_certs = x509.load_certificate_list_from_file( + options.ca_cert_file, dbdir=nss_db.secdir) + for ca_cert in ca_certs: + nss_db.add_cert( + ca_cert.der_data, str(ca_cert.subject), 'C,,') + del ca_cert + del ca_certs + else: + nss_dir = None + + try: + api.Backend.rpcclient.connect(nss_dir=nss_dir) + api.Command.ping() + except Exception as e: + print_info( + "Could not connect to the remote host: %s" % e) + raise + + print_info("Execute check on remote master") + try: + result = api.Backend.rpcclient.forward( + 'server_conncheck', + ipautil.fsdecode(options.master), + ipautil.fsdecode(options.hostname), + version=u'2.162', + ) + except (errors.CommandError, errors.NetworkError) as e: + print_info( + "Remote master does not support check over RPC: " + "%s" % e) 
+ raise + except errors.PublicError as e: + returncode = 1 + stderr = e + else: + for message in result['messages']: + print_info(message['message']) + returncode = int(not result['result']) + stderr = ("ipa-replica-conncheck returned non-zero " + "exit code") + finally: + if api.Backend.rpcclient.isconnected(): + api.Backend.rpcclient.disconnect() + except Exception: + print_info("Retrying using SSH...") + + user = principal.partition('@')[0] + ssh = SshExec(user, options.master) + + print_info("Check SSH connection to remote master") + stdout, stderr, returncode = ssh('echo OK', verbose=True) + if returncode != 0: + print('Could not SSH into remote host. Error output:') + for line in stderr.splitlines(): + print(' %s' % line) + raise RuntimeError('Could not SSH to remote host.') + + print_info("Execute check on remote master") + stdout, stderr, returncode = ssh( + "/usr/sbin/ipa-replica-conncheck " + + " ".join(remote_check_opts)) + print_info(stdout) if returncode != 0: raise RuntimeError("Remote master check failed with following error message(s):\n%s" % stderr) else: diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index 2089b3320..626255af7 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update @@ -19,4 +19,3 @@ plugin: update_managed_post plugin: update_managed_permissions plugin: update_idrange_baserid plugin: update_passync_privilege_update -plugin: update_oddjobd_for_adtrust |