This patch is required for the installer ref@#$%&ing work
(https://fedorahosted.org/freeipa/ticket/4468).
It required quite a bit of hacking to get it to work as expected, but I
hope that it's not so bad.
Requires PATCH 0035 "do not check for directory manager password during
KRA uninstall" to apply.
--
Martin^3 Babinsky
From 9d6fceb2c869d2939edf714eda02f90de0cf88f7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 15 May 2015 19:02:22 +0200
Subject: [PATCH] merge KRA installation machinery to a single module
This is a prerequisite to further refactoring of KRA install/uninstall
functionality in all IPA install scripts.
https://fedorahosted.org/freeipa/ticket/4468
---
install/tools/ipa-replica-install | 21 +++----
install/tools/ipa-server-install | 26 +++-----
ipaserver/install/ipa_kra_install.py | 118 ++++++++---------------------------
ipaserver/install/kra.py | 116 ++++++++++++++++++++++++++++++++++
4 files changed, 158 insertions(+), 123 deletions(-)
create mode 100644 ipaserver/install/kra.py
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index f68cc8cf4722264ecea2f1f50de3aa245be24ef9..d0c4a28fcf0bf0a2693ffef10626a8f99a69c8bc 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -37,10 +37,10 @@ from ipaserver.install import memcacheinstance, dnskeysyncinstance
from ipaserver.install import otpdinstance
from ipaserver.install.replication import replica_conn_check, ReplicationManager
from ipaserver.install.installutils import (
- create_replica_config, read_replica_info_kra_enabled, private_ccache)
+ create_replica_config, private_ccache)
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import cainstance
-from ipaserver.install import krainstance
+from ipaserver.install import kra
from ipaserver.install import dns as dns_installer
from ipalib import api, create_api, errors, util, certstore, x509
from ipalib.constants import CACERT
@@ -473,12 +473,12 @@ def main():
config.setup_kra = options.setup_kra
if config.setup_kra:
- if not config.setup_ca:
- print "CA must be installed with the KRA"
- sys.exit(1)
- if not read_replica_info_kra_enabled(config.dir):
- print "KRA is not installed on the master system"
- sys.exit(1)
+ try:
+ kra.check_install(options, dirman_password,
+ config.setup_ca, filename)
+ except RuntimeError as e:
+ print str(e)
+ exit(1)
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
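Review bot: The new error branch calls `exit(1)`, the interactive helper that the `site` module injects into builtins, where the removed lines used `sys.exit(1)`; a script should not depend on `site` having run, so this should read `sys.exit(1)`. Also note that `kra` is now a module name imported at file level: if any assignment to a local named `kra` survives elsewhere in `main()` (the function starts and ends outside this hunk), the `kra.check_install` call here would raise `UnboundLocalError`, so it is worth grepping the script for remaining `kra = ...` lines.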
@@ -660,10 +660,7 @@ def main():
ds.apply_updates()
if options.setup_kra:
- kra = krainstance.install_replica_kra(config)
- service.print_msg("Restarting the directory server")
- ds.restart()
- kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+ kra.install(options, dirman_password, replica_file=filename)
else:
service.print_msg("Restarting the directory server")
ds.restart()
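Review bot: The replica bundle is now processed three times on this path: `config` (built earlier from the replica file, as `config.dir` in the previous hunk shows) is no longer used for the KRA step, and both `kra.check_install` in the previous hunk and `kra.install` here call `create_replica_config(dirman_password, filename, options)` afresh (see the kra.py hunk). If `create_replica_config` decrypts and unpacks the bundle into a temporary directory, as its `.dir` attribute suggests, that means two additional decrypted copies of the replica material on disk and extra work per run. Accepting an already-built config, e.g. `kra.install(options, dirman_password, replica_config=config)`, would let this caller reuse what it already has. `main()` continues outside this hunk.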
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cb6e1abe2016c0f8cefc35b1d685373f05b3ef89..f4ef71d84d30d79f70f164c30f274d8769b3e319 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -53,13 +53,13 @@ from ipaserver.install import httpinstance
from ipaserver.install import ntpinstance
from ipaserver.install import certs
from ipaserver.install import cainstance
-from ipaserver.install import krainstance
from ipaserver.install import memcacheinstance
from ipaserver.install import otpdinstance
from ipaserver.install import sysupgrade
from ipaserver.install import replication
from ipaserver.install import dns as dns_installer
from ipaserver.install import service, installutils
+from ipaserver.install import kra
from ipapython import version
from ipapython import certmonger
from ipapython import ipaldap
@@ -577,11 +577,12 @@ def uninstall():
if cads_instance.is_configured():
cads_instance.uninstall()
- kra_instance = krainstance.KRAInstance(
- api.env.realm, dogtag_constants=dogtag_constants)
- kra_instance.stop_tracking_certificates()
- if kra_instance.is_installed():
- kra_instance.uninstall()
+ try:
+ kra.check_uninstall()
+ except RuntimeError:
+ pass
+ else:
+ kra.uninstall()
ca_instance = cainstance.CAInstance(
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
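Review bot: The new uninstall path skips KRA cleanup entirely whenever `kra.check_uninstall()` raises, but that check reads only the `enable_kra` flag in `api.env` (kra.py hunk), whereas the removed lines decided by `kra_instance.is_installed()` and always called `stop_tracking_certificates()`. `kra.install` records `enable_kra = True` in default.conf only as its last step, so an install that fails after `configure_instance` leaves a configured KRA instance with the flag unset, and this uninstall will then silently leave that instance and its certificate tracking (presumably certmonger) in place. Consider having `kra.uninstall()` or `kra.check_uninstall()` also consult `KRAInstance.is_installed()`, or at least log why the KRA step was skipped instead of `pass`. The same flag-only gating is used by `KRAUninstaller.validate_options` in the ipa_kra_install.py hunk.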
@@ -1290,18 +1291,7 @@ def main():
http.restart()
if setup_kra:
- kra = krainstance.KRAInstance(realm_name,
- dogtag_constants=dogtag.install_constants)
- kra.configure_instance(host_name, domain_name, dm_password,
- dm_password, subject_base=options.subject)
-
- # This is done within stopped_service context, which restarts KRA
- service.print_msg("Restarting the directory server")
- ds.restart()
-
- service.print_msg("Enabling KRA to authenticate with the database "
- "using client certificates")
- kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+ kra.install(options, dm_password)
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
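Review bot: `kra.install` restarts httpd itself (`services.knownservices.httpd.restart` in the kra.py hunk), so calling it directly after the `http.restart()` on the first line of this hunk presumably restarts apache twice in a row during server install. If that is the case, either drop one of the two restarts or add a comment explaining why both are needed. `main()` continues outside this hunk.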
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index 08b4331f4d1741b6970c676283401abf0d861673..8d7f82f6c062277e4cb0d4e23fe8ffd2924cafe7 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -18,22 +18,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-from ConfigParser import RawConfigParser
from textwrap import dedent
from ipalib import api
-from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import admintool
-from ipapython import dogtag
from ipapython import ipautil
-from ipaserver.install import cainstance
-from ipaserver.install import dogtaginstance
-from ipaserver.install import krainstance
-from ipaserver.install import dsinstance
from ipaserver.install import installutils
-from ipaserver.install import service
-from ipaserver.install.installutils import (
- read_replica_info_kra_enabled, create_replica_config)
+from ipaserver.install import dogtaginstance
+import kra
class KRAInstall(admintool.AdminTool):
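Review bot: `import kra` at the end of the import block is a Python 2 implicit relative import, while every other module here is imported absolutely (`from ipaserver.install import dogtaginstance` on the line above); it stops working under `from __future__ import absolute_import` or Python 3 and should be `from ipaserver.install import kra`, as the other two callers in this patch do. With the deleted code gone, `from ipalib import api` and `from ipaplatform.paths import paths` may no longer have any use in this file — their visible uses were all in removed lines — so the rest of the module is worth checking before keeping them.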
@@ -93,29 +85,14 @@ class KRAUninstaller(KRAInstall):
if self.args:
self.option_parser.error("Too many parameters provided.")
-
- if not api.env.enable_kra:
- self.option_parser.error(
- "Cannot uninstall. There is no KRA installed on this system."
- )
+ try:
+ kra.check_uninstall()
+ except RuntimeError as e:
+ self.option_parser.error(str(e))
def run(self):
super(KRAUninstaller, self).run()
- dogtag_constants = dogtag.configured_constants()
-
- kra_instance = krainstance.KRAInstance(
- api.env.realm, dogtag_constants=dogtag_constants)
- kra_instance.stop_tracking_certificates()
- if kra_instance.is_installed():
- kra_instance.uninstall()
-
- # Update config file
- parser = RawConfigParser()
- parser.read(paths.IPA_DEFAULT_CONF)
- parser.set('global', 'enable_kra', 'False')
-
- with open(paths.IPA_DEFAULT_CONF, 'w') as f:
- parser.write(f)
+ kra.uninstall()
class KRAInstaller(KRAInstall):
@@ -136,31 +113,14 @@ class KRAInstaller(KRAInstall):
super(KRAInstaller, self).validate_options(needs_root=True)
if self.options.unattended and self.options.password is None:
- self.option_parser.error(
- "Directory Manager password must be specified using -p"
- " in unattended mode"
- )
-
- dogtag_version = int(api.env.dogtag_version)
- enable_kra = api.env.enable_kra
-
- if enable_kra:
- self.option_parser.error("KRA is already installed.")
-
- ca_installed = cainstance.is_ca_installed_locally()
-
- if ca_installed:
- if dogtag_version >= 10:
- # correct dogtag version of CA installed
- pass
- else:
- self.option_parser.error(
- "Dogtag must be version 10.2 or above to install KRA")
- else:
- self.option_parser.error(
- "Dogtag CA is not installed. Please install the CA first")
+ self.option_parser.error(
+ "Directory Manager password must be specified using -p"
+ " in unattended mode"
+ )
self.installing_replica = dogtaginstance.is_installing_replica("KRA")
+ self.replica_file = None
+
if self.installing_replica:
if not self.args:
self.option_parser.error("A replica file is required.")
@@ -177,7 +137,7 @@ class KRAInstaller(KRAInstall):
"No replica file is required.")
def ask_for_options(self):
- super(KRAInstall, self).ask_for_options()
+ super(KRAInstaller, self).ask_for_options()
if not self.options.unattended and self.options.password is None:
self.options.password = installutils.read_password(
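Review bot: Changing `super(KRAInstall, self)` to `super(KRAInstaller, self)` fixes a real bug — with the old argument the MRO lookup started after `KRAInstall`, so any `ask_for_options` defined on `KRAInstall` was skipped — but it is unrelated to merging the KRA machinery into one module and the commit message does not mention it. Either note it in the message or split it into its own commit so it can be backported independently.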
@@ -188,48 +148,20 @@ class KRAInstaller(KRAInstall):
"Directory Manager password required")
def _run(self):
+ # installation check has to be done after validating options and asking
+ # for missing ones, because we need dirman password for
+ # `read_replica_info_kra_enabled`
+ try:
+ kra.check_install(self.options, self.options.password, False,
+ self.replica_file)
+ except RuntimeError as e:
+ self.option_parser.error(str(e))
+
super(KRAInstaller, self).run()
print dedent(self.INSTALLER_START_MESSAGE)
- subject = dsinstance.DsInstance().find_subject_base()
- if not self.installing_replica:
- kra = krainstance.KRAInstance(
- api.env.realm,
- dogtag_constants=dogtag.install_constants)
-
- kra.configure_instance(
- api.env.host, api.env.domain, self.options.password,
- self.options.password, subject_base=subject)
- else:
- replica_config = create_replica_config(
- self.options.password,
- self.replica_file,
- self.options)
-
- if not read_replica_info_kra_enabled(replica_config.dir):
- raise admintool.ScriptError(
- "Either KRA is not installed on the master system or "
- "your replica file is out of date"
- )
-
- kra = krainstance.install_replica_kra(replica_config)
- service.print_msg("Restarting the directory server")
-
- ds = dsinstance.DsInstance()
- ds.restart()
-
- kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
-
- # Restart apache for new proxy config file
- services.knownservices.httpd.restart(capture_output=True)
-
- # Update config file
- parser = RawConfigParser()
- parser.read(paths.IPA_DEFAULT_CONF)
- parser.set('global', 'enable_kra', 'True')
-
- with open(paths.IPA_DEFAULT_CONF, 'w') as f:
- parser.write(f)
+ kra.install(self.options, self.options.password,
+ self.replica_file)
def run(self):
try:
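Review bot: `kra.check_install(self.options, self.options.password, False, self.replica_file)` passes two positional arguments whose meaning is invisible at the call site; kra.py declares them as `setup_ca=False, replica_file=None`, so `kra.check_install(self.options, self.options.password, setup_ca=False, replica_file=self.replica_file)` and likewise `kra.install(self.options, self.options.password, replica_file=self.replica_file)` read better and match the keyword form used in ipa-replica-install. `run` begins on the last lines of this hunk and continues outside it.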
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
new file mode 100644
index 0000000000000000000000000000000000000000..c98b989a8a19e0d8858119935bd257f271ad33aa
--- /dev/null
+++ b/ipaserver/install/kra.py
@@ -0,0 +1,116 @@
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
+
+import os
+from ConfigParser import RawConfigParser
+from ipalib import api
+from ipaplatform import services
+from ipaplatform.paths import paths
+from ipapython import dogtag
+from ipaserver.install import cainstance
+from ipaserver.install import krainstance
+from ipaserver.install import dsinstance
+from ipaserver.install import service
+from ipaserver.install.installutils import (
+ read_replica_info_kra_enabled, create_replica_config)
+
+
+def install(options, dm_password, replica_file=None):
+ subject = dsinstance.DsInstance().find_subject_base()
+ if replica_file is None:
+ kra = krainstance.KRAInstance(
+ api.env.realm,
+ dogtag_constants=dogtag.install_constants)
+
+ kra.configure_instance(
+ api.env.host, api.env.domain, dm_password,
+ dm_password, subject_base=subject)
+ else:
+ replica_config = create_replica_config(
+ dm_password,
+ replica_file,
+ options)
+
+ kra = krainstance.install_replica_kra(replica_config)
+ service.print_msg("Restarting the directory server")
+
+ ds = dsinstance.DsInstance()
+ ds.restart()
+
+ kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+
+ # Restart apache for new proxy config file
+ services.knownservices.httpd.restart(capture_output=True)
+
+ # Update config file
+ if os.path.exists(paths.IPA_DEFAULT_CONF):
+ parser = RawConfigParser()
+ parser.read(paths.IPA_DEFAULT_CONF)
+ parser.set('global', 'enable_kra', 'True')
+
+ with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+ parser.write(f)
+
+
+def uninstall():
+ dogtag_constants = dogtag.configured_constants()
+
+ kra_instance = krainstance.KRAInstance(
+ api.env.realm, dogtag_constants=dogtag_constants)
+ kra_instance.stop_tracking_certificates()
+ if kra_instance.is_installed():
+ kra_instance.uninstall()
+
+ # Update config file
+ if os.path.exists(paths.IPA_DEFAULT_CONF):
+ parser = RawConfigParser()
+ parser.read(paths.IPA_DEFAULT_CONF)
+ parser.set('global', 'enable_kra', 'False')
+
+ with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+ parser.write(f)
+
+
+def check_install(options, dm_password, setup_ca=False, replica_file=None):
+ enable_kra = False
+ dogtag_version = dogtag.install_constants.DOGTAG_VERSION
+
+ if hasattr(api.env, 'enable_kra'):
+ enable_kra = api.env.enable_kra
+ if hasattr(api.env, 'dogtag_version'):
+ dogtag_version = int(api.env.dogtag_version)
+
+ if enable_kra:
+ raise RuntimeError("KRA is already installed.")
+
+ if not setup_ca:
+ if cainstance.is_ca_installed_locally():
+ if dogtag_version >= 10:
+ # correct dogtag version of CA installed
+ pass
+ else:
+ raise RuntimeError(
+ "Dogtag must be version 10.2 or above to install KRA")
+ else:
+ raise RuntimeError(
+ "Dogtag CA is not installed. Please install the CA first")
+
+ if replica_file is not None:
+ replica_config = create_replica_config(
+ dm_password,
+ replica_file,
+ options)
+
+ if not read_replica_info_kra_enabled(replica_config.dir):
+ raise RuntimeError(
+ "Either KRA is not installed on the master system or "
+ "your replica file is out of date"
+ )
+
+
+def check_uninstall():
+ if hasattr(api.env, 'enable_kra') and not api.env.enable_kra:
+ raise RuntimeError(
+ "Cannot uninstall. There is no KRA installed on this system."
+ )
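Review bot: None of the four new public functions carries a docstring, and the contract the three callers rely on — `check_install` and `check_uninstall` signal a refused operation by raising `RuntimeError`, which the installers turn into a user-facing error — is stated nowhere in the module. Each function should get a short docstring naming its parameters (`options` is the installer's parsed option object passed through to `create_replica_config`, `dm_password` the Directory Manager password, `replica_file` the replica bundle path whose presence selects the replica path) and a `Raises: RuntimeError` line on the two check functions. The `os.path.exists(paths.IPA_DEFAULT_CONF)` guard in `install` and `uninstall` also deserves a comment: when the file is absent the `enable_kra` flag is silently not recorded, and since `check_install` treats a missing `api.env.enable_kra` as "not installed", a later run would attempt a second install; a comment explaining when the file is expected to be absent, or a log message in an `else` branch, would make the intent explicit.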
--
2.1.0