| author | Ade Lee <alee@redhat.com> | 2014-07-11 20:20:07 +0800 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2014-07-11 22:24:26 +0800 |
| commit | f4dd27171037539fd354981da1092cad0e744926 (patch) | |
| tree | 1eb9570e9246bac095f1914a2c8470d32952e8b8 | |
| parent | 81fc9420ca77238c71474ff50bec959f799598c5 (diff) | |
fix from merge
alee_drm_0711
| -rw-r--r-- | install/restart_scripts/renew_ca_cert | 17 | ||||
| -rw-r--r-- | install/tools/ipa-drm-install | 4 | ||||
| -rw-r--r-- | ipapython/dogtag.py | 14 | ||||
| -rw-r--r-- | ipaserver/install/cainstance.py | 26 | ||||
| -rw-r--r-- | ipaserver/install/dogtaginstance.py | 10 | ||||
| -rw-r--r-- | ipaserver/install/drminstance.py | 8 | ||||
| -rw-r--r-- | ipaserver/install/installutils.py | 25 |
7 files changed, 66 insertions, 38 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 1a3a6a9ab..68ea217fb 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -21,17 +21,14 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import sys
-import os
 import syslog
-import tempfile
-import shutil
 import traceback
-from ipapython import dogtag, certmonger, ipautil
-from ipapython import services
-from ipalib import api, errors, x509, util
-from ipaserver.install import certs, cainstance, installutils
-from ipaserver.plugins.ldap2 import ldap2
+from ipapython import dogtag, ipautil
+from ipaplatform import services
+from ipalib import api
+from ipaserver.install import certs, cainstance
+
 def main():
 nickname = sys.argv[1]
@@ -92,7 +89,9 @@ def main():
 # off the servlet to verify that the CA is actually up and responding so
 # when this returns it should be good-to-go. The CA was stopped in the
 # pre-save state.
- syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
+ syslog.syslog(
+ syslog.LOG_NOTICE,
+ 'Starting %s' % dogtag_service.service_name)
 try:
 dogtag_service.start(dogtag_instance)
 except Exception, e:
diff --git a/install/tools/ipa-drm-install b/install/tools/ipa-drm-install
index 55f0cfc6e..a744e64d2 100644
--- a/install/tools/ipa-drm-install
+++ b/install/tools/ipa-drm-install
@@ -24,11 +24,11 @@ import sys
 from ConfigParser import SafeConfigParser, NoOptionError
 from ipalib import api
+from ipaplatform import services
 from ipapython import version
 from ipapython import certmonger
 from ipapython import dogtag
 from ipapython import ipautil
-from ipapython import services as ipaservices
 from ipapython.config import IPAOptionParser
 from ipapython.ipa_log_manager import *
 from ipaserver.install import dogtaginstance
@@ -209,7 +209,7 @@ def main():
 drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH)
 # Restart apache for new proxy config file
- ipaservices.knownservices.httpd.restart(capture_output=True)
+ services.knownservices.httpd.restart(capture_output=True)
 try:
 with open("/etc/ipa/default.conf", "a") as fd:
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 902acee43..7975416bf 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -24,10 +24,9 @@ import ConfigParser
 from urllib import urlencode
 import nss.nss as nss
-from nss.error import NSPRError
 from ipalib import api, errors
-from ipalib.errors import NetworkError, CertificateOperationError
+from ipalib.errors import NetworkError
 from ipalib.text import _
 from ipapython import nsslib, ipautil
 from ipaplatform.paths import paths
@@ -42,6 +41,7 @@ from ipapython.ipa_log_manager import *
 # The configured_constants() function below provides constants relevant to
 # the configured version.
+
 class Dogtag10Constants(object):
 DOGTAG_VERSION = 10
 UNSECURE_PORT = 8080
@@ -62,7 +62,7 @@ class Dogtag10Constants(object):
 PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
 SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
 ALIAS_DIR = paths.PKI_TOMCAT_ALIAS_DIR.rstrip('/')
- DRM_CS_CFG_PATH = '%s/conf/kra/CS.cfg' % PKI_ROOT
+ DRM_CS_CFG_PATH = '%s/conf/kra/CS.cfg' % PKI_ROOT
 SERVICE_NAME = 'pki_tomcatd'
@@ -164,7 +164,8 @@ def get_ca_certchain(ca_host=None, dogtag_constants=None):
 if dogtag_constants is None:
 dogtag_constants = configured_constants()
 chain = None
- conn = httplib.HTTPConnection(ca_host,
+ conn = httplib.HTTPConnection(
+ ca_host,
 api.env.ca_install_port or dogtag_constants.UNSECURE_PORT)
 conn.request("GET", "/ca/ee/ca/getCertChain")
 res = conn.getresponse()
@@ -243,7 +244,7 @@ def https_request(host, port, url, secdir, password, nickname, **kw):
 body = urlencode(kw)
 return _httplib_request(
- 'https', host, port, url, connection_factory, body)
+ 'https', host, port, url, connection_factory, body)
 def http_request(host, port, url, **kw):
@@ -290,7 +291,8 @@ def _httplib_request(
 root_logger.debug('request body %r', request_body)
 try:
 conn = connection_factory(host, port)
- conn.request('POST', uri,
+ conn.request(
+ 'POST', uri,
 body=request_body,
 headers={'Content-type': 'application/x-www-form-urlencoded'},
 )
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3c7dade13..6e4d50029 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -43,10 +43,13 @@ from ipalib import api
 from ipalib import pkcs10, x509
 from ipalib import errors
+from ipaplatform import services
+from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks
+
 from ipapython import dogtag
 from ipapython import certmonger
 from ipapython import ipautil
-from ipapython import services
 from ipapython import ipaldap
 from ipapython.certdb import get_ca_nickname
 from ipapython.dn import DN
@@ -543,7 +546,7 @@ class CAInstance(DogtagInstance):
 print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
 sys.exit(0)
 else:
- shutil.move(paths.CA_BACKUP_KEYS_P12, \
+ shutil.move(paths.CA_BACKUP_KEYS_P12,
 paths.CACERT_P12)
 root_logger.debug("completed creating ca instance")
@@ -760,7 +763,8 @@ class CAInstance(DogtagInstance):
 '%s' % ipautil.format_netloc(
 self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
 ]
- (stdout, _stderr, _returncode) = ipautil.run(args, nolog=(self.admin_password,))
+ (stdout, _stderr, _returncode) = ipautil.run(
+ args, nolog=(self.admin_password,))
 data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
 params = get_defList(data)
@@ -782,7 +786,8 @@ class CAInstance(DogtagInstance):
 '%s' % ipautil.format_netloc(
 self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
 ]
- (stdout, _stderr, _returncode) = ipautil.run(args, nolog=(self.admin_password,))
+ (stdout, _stderr, _returncode) = ipautil.run(
+ args, nolog=(self.admin_password,))
 data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
 outputList = get_outputList(data)
@@ -861,7 +866,7 @@ class CAInstance(DogtagInstance):
 conn.unbind()
- def __run_certutil(self, args, database=None, pwd_file=None,stdin=None):
+ def __run_certutil(self, args, database=None, pwd_file=None, stdin=None):
 if not database:
 database = self.ra_agent_db
 if not pwd_file:
@@ -887,7 +892,7 @@ class CAInstance(DogtagInstance):
 os.close(f)
 os.chmod(self.ra_agent_pwd, stat.S_IRUSR)
- (_stdout, _stderr, _returncode) = self.__run_certutil(["-N"])
+ (_stdout, _stderr, _returncode) = self.__run_certutil(["-N"])
 def __get_ca_chain(self):
 try:
@@ -923,7 +928,8 @@ class CAInstance(DogtagInstance):
 # makes openssl throw up.
 data = base64.b64decode(chain)
- (certlist, _stderr, _returncode) = ipautil.run([paths.OPENSSL,
+ (certlist, _stderr, _returncode) = ipautil.run(
+ [paths.OPENSSL,
 "pkcs7",
 "-inform",
 "DER",
@@ -1327,8 +1333,8 @@ class CAInstance(DogtagInstance):
 def stop_tracking_agent_certificate(dogtag_constants):
 """Stop tracking agent certificate. Called on uninstall.
 """
- cmonger = ipaservices.knownservices.certmonger
- ipaservices.knownservices.messagebus.start()
+ cmonger = services.knownservices.certmonger
+ services.knownservices.messagebus.start()
 cmonger.start()
 try:
 certmonger.stop_tracking('/etc/httpd/alias', nickname='ipaCert')
@@ -1396,7 +1402,7 @@ class CAInstance(DogtagInstance):
 # this is the default setting from pki-ca/pki-tomcat. Don't touch it
 # if a user has manually modified it.
 if setlist == '1,2,3,4,5,6,7,8,10' or setlist == '1,2,3,4,5,6,7,8,9,10':
- setlist = setlist + ',11'
+ setlist += ',11'
 installutils.set_directive(
 self.dogtag_constants.IPA_SERVICE_PROFILE,
 'policyset.serverCertSet.list',
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 64683f4f8..afe03e2b3 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -26,11 +26,11 @@ import traceback
 from pki.client import PKIConnection
 import pki.system
+from ipaplatform import services
 from ipapython import certmonger
 from ipapython import dogtag
 from ipapython import ipaldap
 from ipapython import ipautil
-from ipapython import services as ipaservices
 from ipapython.dn import DN
 from ipaserver.install import service
 from ipaserver.install import installutils
@@ -298,9 +298,9 @@ class DogtagInstance(service.Service):
 @param nicknames: list of nicknames
 """
- cmonger = ipaservices.knownservices.certmonger
+ cmonger = services.knownservices.certmonger
 cmonger.enable()
- ipaservices.knownservices.messagebus.start()
+ services.knownservices.messagebus.start()
 cmonger.start()
 pin = self.__get_pin()
@@ -326,8 +326,8 @@ class DogtagInstance(service.Service):
 def stop_tracking_certificates(self, dogtag_constants, nicknames=None):
 """Stop tracking our certificates. Called on uninstall.
 """
- cmonger = ipaservices.knownservices.certmonger
- ipaservices.knownservices.messagebus.start()
+ cmonger = services.knownservices.certmonger
+ services.knownservices.messagebus.start()
 cmonger.start()
 if nicknames is None:
diff --git a/ipaserver/install/drminstance.py b/ipaserver/install/drminstance.py
index 6d516853c..3581a7942 100644
--- a/ipaserver/install/drminstance.py
+++ b/ipaserver/install/drminstance.py
@@ -25,10 +25,10 @@ import sys
 import tempfile
 from ipalib import api
+from ipaplatform import services
 from ipapython import dogtag
 from ipapython import ipaldap
 from ipapython import ipautil
-from ipapython import services as ipaservices
 from ipapython.dn import DN
 from ipaserver.install import certs
 from ipaserver.install import cainstance
@@ -62,7 +62,7 @@ class DRMInstance(DogtagInstance):
 DogtagInstance.__init__(self, realm, "KRA", "DRM server", dogtag_constants)
- self.basedn = DN(('o', 'ipadrm'),('o', 'ipaca'))
+ self.basedn = DN(('o', 'ipadrm'), ('o', 'ipaca'))
 self.tracking_nicknames = ['auditSigningCert cert-pki-drm', 'transportCert cert-pki-drm', 'storageCert cert-pki-drm']
@@ -332,7 +332,7 @@ def install_replica_drm(config, postinstall=False):
 # Restart httpd since we changed it's config and added ipa-pki-proxy.conf
 if postinstall:
- ipaservices.knownservices.httpd.restart()
+ services.knownservices.httpd.restart()
 # The dogtag DS instance needs to be restarted after installation.
 # The procedure for this is: stop dogtag, stop DS, start DS, start
@@ -340,7 +340,7 @@ def install_replica_drm(config, postinstall=False):
 service.print_msg("Restarting the directory and DRM servers")
 _drm.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
- ipaservices.knownservices.dirsrv.restart()
+ services.knownservices.dirsrv.restart()
 _drm.start(dogtag.install_constants.PKI_INSTANCE_NAME)
 return _drm
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index faa2c31be..0346e0212 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -34,13 +34,12 @@ from dns import resolver, rdatatype
 from dns.exception import DNSException
 import ldap
-from ipapython import ipautil, sysrestore, admintool, dogtag
+from ipapython import ipautil, sysrestore, admintool, dogtag, version
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import *
 from ipalib.util import validate_hostname
 from ipapython import config
 from ipalib import errors
-from ipapython.dn import DN
 from ipaserver.install import certs, service
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -607,6 +606,7 @@ def create_replica_config(dirman_password, filename, options):
 config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
 return config
+
 def check_server_configuration():
 """
 Check if IPA server is configured on the system.
@@ -623,6 +623,7 @@ def check_server_configuration():
 if not server_fstore.has_files():
 raise RuntimeError("IPA is not configured on this system.")
+
 def remove_file(filename):
 """
 Remove a file and log any exceptions raised.
@@ -633,6 +634,7 @@ def remove_file(filename):
 except Exception, e:
 root_logger.error('Error removing %s: %s' % (filename, str(e)))
+
 def rmtree(path):
 """
 Remove a directory structure and log any exceptions raised.
@@ -643,6 +645,7 @@ def rmtree(path):
 except Exception, e:
 root_logger.error('Error removing %s: %s' % (path, str(e)))
+
 def is_ipa_configured():
 """
 Using the state and index install files determine if IPA is already
@@ -900,3 +903,21 @@ def stopped_service(service, instance_name=""):
 root_logger.debug('Starting %s%s.', service, log_instance_name)
 services.knownservices[service].start(instance_name)
+
+def check_entropy():
+ """
+ Checks if the system has enough entropy, if not, displays warning message
+ """
+ try:
+ with open('/proc/sys/kernel/random/entropy_avail', 'r') as efname:
+ if int(efname.read()) < 200:
+ emsg = 'WARNING: Your system is running out of entropy, ' \
+ 'you may experience long delays'
+ service.print_msg(emsg)
+ root_logger.debug(emsg)
+ except IOError as e:
+ root_logger.debug(
+ "Could not open /proc/sys/kernel/random/entropy_avail: %s" % e)
+ except ValueError as e:
+ root_logger.debug(
+ "Invalid value in /proc/sys/kernel/random/entropy_avail %s" % e) |
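Review bot: The low-entropy condition in `check_entropy` is shown on the console via `service.print_msg(emsg)` but written to the log only at debug level (`root_logger.debug(emsg)`), so an operator reading the install log afterwards will not see that the warning fired; `root_logger.warning(emsg)` keeps the two channels consistent. The threshold `200` is an unexplained magic number in the middle of the comparison; hoist it to a module constant with a comment on its unit, e.g. `ENTROPY_WARNING_THRESHOLD = 200  # bits, as reported by entropy_avail`, and compare against that. The new `def` is also preceded by a single blank line, whereas the other hunks in this file (at -607, -623, -633 and -643) add the second PEP 8 blank line between top-level definitions, so a second `+` blank line before `+def check_entropy():` would match the rest of the commit.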
