URL: https://github.com/freeipa/freeipa/pull/5003 Author: tiran Title: #5003: [Backport][ipa-4-8] Don't configure authselect in containers Action: opened
PR body: """ This PR was opened automatically because PR #4999 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5003/head:pr5003 git checkout pr5003
From b9f758945591f193480d3a641d8c8c6050f493a0 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Thu, 6 Aug 2020 12:44:32 +0200 Subject: [PATCH] Don't configure authselect in containers freeipa-container images come with authselect pre-configured. There is no need to configure, migrate, or restore authselect. The --mkhomedir option is not supported, too. Related: https://pagure.io/freeipa/issue/8401 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaclient/install/client.py | 8 ++++ ipaplatform/README.md | 50 ++++++++++++++++++++++++ ipaplatform/base/tasks.py | 5 +++ ipaplatform/fedora_container/__init__.py | 2 +- ipaplatform/fedora_container/tasks.py | 23 ++++++++++- ipaplatform/rhel_container/__init__.py | 2 +- ipaplatform/rhel_container/tasks.py | 23 ++++++++++- 7 files changed, 109 insertions(+), 4 deletions(-) create mode 100644 ipaplatform/README.md diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index ad03c81fd1..3df2cf9dcd 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2160,6 +2160,14 @@ def install_check(options): "authentication resources", rval=CLIENT_INSTALL_ERROR) + # --mkhomedir is not supported by fedora_container and rhel_container + if not tasks.is_mkhomedir_supported() and options.mkhomedir: + raise ScriptError( + "Option '--mkhomedir' is incompatible with the 'authselect' tool " + "provided by this distribution for configuring system " + "authentication resources", + rval=CLIENT_INSTALL_ERROR) + # when installing with '--no-sssd' option, check whether nss-ldap is # installed if not options.sssd: diff --git a/ipaplatform/README.md b/ipaplatform/README.md new file mode 100644 index 0000000000..a1aff58069 --- /dev/null +++ b/ipaplatform/README.md @@ -0,0 +1,50 @@ +# IPA platform abstraction + +The ``ipaplatform`` package provides an abstraction layer for +supported Linux distributions and flavors. The package contains +constants, paths to commands and config files, services, and tasks. + +* **base** abstract base platform +* **debian** Debian- and Ubuntu-like +* **redhat** abstract base for Red Hat platforms +* **fedora** Fedora +* **fedora_container** freeipa-container on Fedora +* **rhel** RHEL and CentOS +* **rhel_container** freeipa-container on RHEL and CentOS +* **suse** OpenSUSE and SLES + +``` +[base] + ├─ debian + ├─[redhat] + │ ├─ fedora + │ │ └─ fedora_container + │ └─ rhel + │ └─ rhel_container + └─ suse +``` +(Note: Debian and SUSE use some definitions from Red Hat namespace.) + + +## freeipa-container platform + +The **fedora_container** and **rhel_container** platforms are flavors +of the **fedora** and **rhel** platforms. These platform definitions +are specifically designed for +[freeipa-container](https://github.com/freeipa/freeipa-container). +The FreeIPA server container implements a read-only container. Paths +like ``/etc``, ``/usr``, and ``/var`` are mounted read-only and cannot +be modified. The image uses symlinks to store all variable data like +config files and LDAP database in ``/data``. + +* Some commands don't write through dangling symlinks. The IPA + platforms for containers prefix some paths with ``/data``. +* ``ipa-server-upgrade`` verifies that the platform does not change + between versions. To allow upgrades of old containers, sysupgrade + maps ``$distro_container`` to ``$distro`` platform. +* The container images come with authselect pre-configured with + ``sssd with-sudo`` option. The tasks ``modify_nsswitch_pam_stack`` + and ``migrate_auth_configuration`` are no-ops. ``ipa-restore`` + does not restore authselect settings. ``ipa-backup`` still stores + authselect settings in backup data. +* The ``--mkhomedir`` option is not supported. diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 2e35dfd424..ad1e90d398 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -208,7 +208,12 @@ def is_nosssd_supported(self): """ Check if the flag --no-sssd is supported for client install. """ + return True + def is_mkhomedir_supported(self): + """ + Check if the flag --mkhomedir is supported for client install. + """ return True def backup_auth_configuration(self, path): diff --git a/ipaplatform/fedora_container/__init__.py b/ipaplatform/fedora_container/__init__.py index 62f648841f..1f00322490 100644 --- a/ipaplatform/fedora_container/__init__.py +++ b/ipaplatform/fedora_container/__init__.py @@ -4,4 +4,4 @@ """ This module contains Fedora Container specific platform files. """ -NAME = 'fedora_container' +NAME = "fedora_container" diff --git a/ipaplatform/fedora_container/tasks.py b/ipaplatform/fedora_container/tasks.py index 946e581e01..a2b4da3ba8 100644 --- a/ipaplatform/fedora_container/tasks.py +++ b/ipaplatform/fedora_container/tasks.py @@ -3,11 +3,32 @@ # """Fedora container tasks """ +import logging + from ipaplatform.fedora.tasks import FedoraTaskNamespace +logger = logging.getLogger(__name__) + + class FedoraContainerTaskNamespace(FedoraTaskNamespace): - pass + def modify_nsswitch_pam_stack( + self, sssd, mkhomedir, statestore, sudo=True + ): + # freeipa-container images are preconfigured + # authselect select sssd with-sudo --force + logger.debug("Authselect is pre-configured in container images.") + + def is_mkhomedir_supported(self): + # authselect is not pre-configured with mkhomedir + return False + + def restore_auth_configuration(self, path): + # backup is supported but restore is a no-op + logger.debug("Authselect is pre-configured in container images.") + + def migrate_auth_configuration(self, statestore): + logger.debug("Authselect is pre-configured in container images.") tasks = FedoraContainerTaskNamespace() diff --git a/ipaplatform/rhel_container/__init__.py b/ipaplatform/rhel_container/__init__.py index 8bd13a42e9..b84643fb8c 100644 --- a/ipaplatform/rhel_container/__init__.py +++ b/ipaplatform/rhel_container/__init__.py @@ -4,4 +4,4 @@ """ This module contains RHEL Container specific platform files. """ -NAME = 'rhel_container' +NAME = "rhel_container" diff --git a/ipaplatform/rhel_container/tasks.py b/ipaplatform/rhel_container/tasks.py index 0b7fdcf7c2..5673fc65cb 100644 --- a/ipaplatform/rhel_container/tasks.py +++ b/ipaplatform/rhel_container/tasks.py @@ -3,11 +3,32 @@ # """RHEL container tasks """ +import logging + from ipaplatform.rhel.tasks import RHELTaskNamespace +logger = logging.getLogger(__name__) + + class RHELContainerTaskNamespace(RHELTaskNamespace): - pass + def modify_nsswitch_pam_stack( + self, sssd, mkhomedir, statestore, sudo=True + ): + # freeipa-container images are preconfigured + # authselect select sssd with-sudo --force + logger.debug("Authselect is pre-configured in container images.") + + def is_mkhomedir_supported(self): + # authselect is not pre-configured with mkhomedir + return False + + def restore_auth_configuration(self, path): + # backup is supported but restore is a no-op + logger.debug("Authselect is pre-configured in container images.") + + def migrate_auth_configuration(self, statestore): + logger.debug("Authselect is pre-configured in container images.") tasks = RHELContainerTaskNamespace()
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org