From 1e6a204b4372bbbfb722a00370a5ce4e34406b9f Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 28 Nov 2016 16:24:33 +0100 Subject: Set explicit confdir option for global contexts Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes Reviewed-By: Jan Cholasta --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- install/migration/migration.py | 3 ++- install/oddjob/com.redhat.idm.trust-fetch-domains | 4 +++- install/restart_scripts/renew_ca_cert | 2 +- install/restart_scripts/renew_ra_cert | 2 +- install/restart_scripts/restart_dirsrv | 3 ++- install/restart_scripts/stop_pkicad | 3 ++- install/share/copy-schema-to-ca.py | 2 +- install/share/wsgi.py | 6 ++++-- install/tools/ipa-adtrust-install | 5 +++-- install/tools/ipa-ca-install | 5 ++++- install/tools/ipa-csreplica-manage | 9 ++++----- install/tools/ipa-dns-install | 7 +++---- install/tools/ipa-httpd-kdcproxy | 3 ++- install/tools/ipa-nis-manage | 4 +++- install/tools/ipa-replica-conncheck | 4 +++- install/tools/ipa-replica-manage | 5 ++++- install/tools/ipactl | 5 ++++- 18 files changed, 47 insertions(+), 27 deletions(-) (limited to 'install') diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 7389a5e0f..2e137ad44 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit 
@@ -494,7 +494,7 @@ def main(): 'ipaCACertRenewal': renew_ca_cert, } - api.bootstrap(in_server=True, context='renew') + api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA) api.finalize() api.Backend.ldap2.connect() diff --git a/install/migration/migration.py b/install/migration/migration.py index 4743279be..73e47776b 100644 --- a/install/migration/migration.py +++ b/install/migration/migration.py @@ -24,6 +24,7 @@ import cgi import errno from wsgiref.util import request_uri +from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipapython import ipaldap @@ -72,7 +73,7 @@ def application(environ, start_response): # API object only for configuration, finalize() not needed api = create_api(mode=None) - api.bootstrap(context='server', in_server=True) + api.bootstrap(context='server', confdir=paths.ETC_IPA, in_server=True) try: bind(api.env.ldap_uri, api.env.basedn, form_data['username'].value, form_data['password'].value) diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index a0d8a3165..e5c2e8ce5 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains @@ -8,6 +8,7 @@ from ipapython.dn import DN from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG from ipaplatform.constants import constants +from ipaplatform.paths import paths import sys import os import pwd @@ -95,7 +96,8 @@ env._bootstrap(debug=options.debug, log=None) env._finalize_core(**dict(DEFAULT_CONFIG)) # Initialize the API with the proper debug level -api.bootstrap(in_server=True, debug=env.debug, log=None, context='server') +api.bootstrap(in_server=True, debug=env.debug, log=None, + context='server', confdir=paths.ETC_IPA) api.finalize() # Only import trust plugin after api is initialized or internal imports 
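Review bot: The new `confdir=paths.ETC_IPA` argument in `main()` of dogtag-ipa-ca-renew-agent-submit depends on `paths` already being imported, and this file's section adds no import (the diffstat lists only the one changed call). The same applies to copy-schema-to-ca.py, ipa-adtrust-install, ipa-ca-install, ipa-dns-install, ipa-httpd-kdcproxy, ipa-nis-manage, ipa-replica-conncheck, ipa-replica-manage and ipactl, whereas migration.py, trust-fetch-domains, restart_dirsrv, stop_pkicad and wsgi.py each gain `from ipaplatform.paths import paths`. The import blocks of the former files are outside the hunks, so please confirm each one already has that import. A missing one would only surface as a NameError when the helper actually runs. main() continues outside the hunk.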
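Review bot: In com.redhat.idm.trust-fetch-domains the `env._bootstrap(debug=options.debug, log=None)` call visible just above the change is not given `confdir`, so the temporary `Env` that supplies `env.debug` may still resolve its configuration directory differently from the `api.bootstrap(...)` call that is now pinned. wsgi.py in this same commit pins both calls. For consistency this helper should do the same, e.g. `env._bootstrap(debug=options.debug, log=None, confdir=paths.ETC_IPA)`. Whether an override can actually reach `Env` depends on code not shown here.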
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 46e4242a4..bbeae1ae1 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -40,7 +40,7 @@ from ipaplatform.paths import paths def _main(): nickname = sys.argv[1] - api.bootstrap(in_server=True, context='restart') + api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) api.finalize() api.Backend.ldap2.connect() diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert index eb11c81a8..d978f946c 100644 --- a/install/restart_scripts/renew_ra_cert +++ b/install/restart_scripts/renew_ra_cert @@ -36,7 +36,7 @@ from ipaplatform.paths import paths def _main(): nickname = 'ipaCert' - api.bootstrap(in_server=True, context='restart') + api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) api.finalize() api.Backend.ldap2.connect() diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv index 72d3c544b..b4c9490c1 100644 --- a/install/restart_scripts/restart_dirsrv +++ b/install/restart_scripts/restart_dirsrv @@ -24,6 +24,7 @@ import syslog import traceback from ipalib import api from ipaplatform import services +from ipaplatform.paths import paths from ipaserver.install import certs @@ -33,7 +34,7 @@ def _main(): except IndexError: instance = "" - api.bootstrap(in_server=True, context='restart') + api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) api.finalize() syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance) diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad index ae07dcd58..133a4ef8f 100644 --- a/install/restart_scripts/stop_pkicad +++ b/install/restart_scripts/stop_pkicad 
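Review bot: `context='restart'` in `_main()` of renew_ca_cert is not among the special contexts listed in the commit description (backup, cli_installer, installer, ipctl, renew, restore, server, updates), and neither is the `context='install'` introduced in ipa-adtrust-install, ipa-ca-install and ipa-dns-install (the list has `installer`). Passing `confdir=paths.ETC_IPA` explicitly still pins these call sites, but if any check elsewhere keys on the listed names, these scripts would fall outside it; that code is not visible here. renew_ra_cert, restart_dirsrv and stop_pkicad use `restart` as well, so either align the context names with the list or extend the list. A short comment at each call, such as `# modifies global state: confdir must stay paths.ETC_IPA`, would record why the argument is there.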
@@ -23,11 +23,12 @@ import syslog import traceback from ipalib import api from ipaplatform import services +from ipaplatform.paths import paths from ipaserver.install import certs def main(): - api.bootstrap(in_server=True, context='restart') + api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) api.finalize() dogtag_service = services.knownservices['pki_tomcatd'] diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py index 658204bc1..4daed6f51 100755 --- a/install/share/copy-schema-to-ca.py +++ b/install/share/copy-schema-to-ca.py @@ -114,7 +114,7 @@ def main(): standard_logging_setup(verbose=True) # In 3.0, restarting needs access to api.env - api.bootstrap_with_global_options(context='server') + api.bootstrap_with_global_options(context='server', confdir=paths.ETC_IPA) add_ca_schema() restart_pki_ds() diff --git a/install/share/wsgi.py b/install/share/wsgi.py index ee9311e4e..ca97d1e23 100644 --- a/install/share/wsgi.py +++ b/install/share/wsgi.py @@ -23,6 +23,7 @@ """ WSGI appliction for IPA server. """ +from ipaplatform.paths import paths from ipalib import api from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG @@ -31,11 +32,12 @@ from ipalib.constants import DEFAULT_CONFIG # by reading in the configuration file(s). The server always reads # default.conf and will also read in `context'.conf. env = Env() -env._bootstrap(context='server', log=None) +env._bootstrap(context='server', log=None, confdir=paths.ETC_IPA) env._finalize_core(**dict(DEFAULT_CONFIG)) # Initialize the API with the proper debug level -api.bootstrap(context='server', debug=env.debug, log=None) +api.bootstrap(context='server', confdir=paths.ETC_IPA, + debug=env.debug, log=None) try: api.finalize() except Exception as e: diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 918b23850..8d927f10e 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install 
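Review bot: In copy-schema-to-ca.py the new argument is passed to `api.bootstrap_with_global_options(context='server', confdir=paths.ETC_IPA)`, the only call in this commit that is not plain `api.bootstrap`, and its signature is not visible here. Please confirm it accepts a `confdir` keyword and forwards it to `bootstrap()`; if it does not, the script would fail with a TypeError at start-up. Because this entry point also parses global command-line options, it is worth checking that none of them can take precedence over the pinned directory. main() continues outside the hunk.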
@@ -263,11 +263,12 @@ def main(): sys.exit("Aborting installation.") # Initialize the ipalib api - cfg = dict( + api.bootstrap( in_server=True, debug=options.debug, + context='install', + confdir=paths.ETC_IPA ) - api.bootstrap(**cfg) api.finalize() # If domain name and realm does not match, IPA server will not be able diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index bf817c7f1..88939f9db 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -261,7 +261,10 @@ def main(): # override ra_plugin setting read from default.conf so that we have # functional dogtag backend plugins during CA install - api.bootstrap(in_server=True, ra_plugin='dogtag') + api.bootstrap( + context='install', confdir=paths.ETC_IPA, + in_server=True, ra_plugin='dogtag' + ) api.finalize() api.Backend.ldap2.connect() diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index 6a3b8693c..f494380e6 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -408,14 +408,13 @@ def main(): # Just initialize the environment. This is so the installer can have # access to the plugin environment - api_env = {'in_server' : True, - 'verbose' : options.verbose, - } - + api_env = {} if os.getegid() != 0: api_env['log'] = None # turn off logging for non-root - api.bootstrap(**api_env) + api.bootstrap( + context='cli', in_server=True, verbose=options.verbose, **api_env + ) api.finalize() dirman_passwd = None diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 699749d08..5bd0ba6d7 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install 
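Review bot: The rewritten call in ipa-csreplica-manage, `api.bootstrap(context='cli', in_server=True, verbose=options.verbose, **api_env)`, is the only `in_server=True` call touched by this commit that does not pass `confdir=paths.ETC_IPA`. ipa-nis-manage and ipa-replica-manage use the same `cli` context and do receive it, so this looks like an omission that leaves this tool's configuration directory unpinned. Suggested argument list: `context='cli', confdir=paths.ETC_IPA, in_server=True, verbose=options.verbose, **api_env`. The file's imports are outside the hunk, so `paths` may need to be imported as well.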
@@ -132,11 +132,10 @@ def main(): installutils.check_server_configuration() # Initialize the ipalib api - cfg = dict( - in_server=True, - debug=options.debug, + api.bootstrap( + context='install', confdir=paths.ETC_IPA, + in_server=True, debug=options.debug, ) - api.bootstrap(**cfg) api.finalize() api.Backend.ldap2.connect() diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy index 329565c2b..bb2949be8 100755 --- a/install/tools/ipa-httpd-kdcproxy +++ b/install/tools/ipa-httpd-kdcproxy @@ -184,7 +184,8 @@ class KDCProxyConfig(object): def main(debug=DEBUG, time_limit=TIME_LIMIT): # initialize API without file logging if not api.isdone('bootstrap'): - api.bootstrap(context='ipa-httpd-kdcproxy', log=None, debug=debug) + api.bootstrap(context='server', confdir=paths.ETC_IPA, + log=None, debug=debug) standard_logging_setup(verbose=True, debug=debug) try: diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage index 21ff18334..c44b0f9ed 100755 --- a/install/tools/ipa-nis-manage +++ b/install/tools/ipa-nis-manage @@ -113,7 +113,9 @@ def main(): if not dirman_password: sys.exit("No password supplied") - api.bootstrap(context='cli', debug=options.debug, in_server=True) + api.bootstrap( + context='cli', confdir=paths.ETC_IPA, + debug=options.debug, in_server=True) api.finalize() api.Backend.ldap2.connect(bind_pw=dirman_password) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 2413754e5..121f06844 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -554,7 +554,9 @@ def main(): else: nss_dir = None - api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri, + api.bootstrap(context='client', + confdir=paths.ETC_IPA, + xmlrpc_uri=xmlrpc_uri, nss_dir=nss_db.secdir) api.finalize() try: diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 1ee7301e6..56cb90bea 100755 --- a/install/tools/ipa-replica-manage 
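Review bot: In ipa-httpd-kdcproxy the pinned `api.bootstrap(context='server', confdir=paths.ETC_IPA, log=None, debug=debug)` sits under `if not api.isdone('bootstrap'):`, so whenever the API has already been bootstrapped the explicit confdir and the corrected context are silently skipped. If that path is reachable, main() would continue with whatever context and configuration directory the earlier bootstrap chose. Consider failing closed after the guard, for instance by comparing `api.env.confdir` and `api.env.context` with the expected values and aborting on a mismatch. main() continues outside the hunk.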
+++ b/install/tools/ipa-replica-manage @@ -1508,7 +1508,10 @@ def main(options, args): if os.getegid() != 0: api_env['log'] = None # turn off logging for non-root - api.bootstrap(**api_env) + api.bootstrap( + context='cli', confdir=paths.ETC_IPA, + in_server=True, verbose=options.verbose + ) api.finalize() dirman_passwd = None diff --git a/install/tools/ipactl b/install/tools/ipactl index ce4fe0254..db8ff6249 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -560,7 +560,10 @@ def main(): else: raise e - api.bootstrap(in_server=True, context='ipactl', debug=options.debug) + api.bootstrap(in_server=True, + context='ipactl', + confdir=paths.ETC_IPA, + debug=options.debug) api.finalize() if '.' not in api.env.host: -- cgit
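Review bot: The new `api.bootstrap(context='cli', confdir=paths.ETC_IPA, in_server=True, verbose=options.verbose)` in ipa-replica-manage no longer unpacks `api_env`, yet the context lines just above still set `api_env['log'] = None # turn off logging for non-root`. That setting is now dropped, so a non-root invocation presumably goes back to default log handling. ipa-csreplica-manage in this same commit keeps `**api_env` for exactly this case. The dict's construction lies outside the hunk and appears unchanged; if it still carries `in_server` and `verbose`, the simplest fix is `api.bootstrap(context='cli', confdir=paths.ETC_IPA, **api_env)`. Otherwise pass `**api_env` alongside the explicit keywords as csreplica does.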