On 12/01/2015 08:19 AM, Jan Cholasta wrote: > On 30.11.2015 19:17, Simo Sorce wrote: >> On Mon, 2015-11-30 at 12:25 +0100, Tomas Babej wrote: >>> + # Perform only if we have the necessary options >>> + if not any([installer.admin_password, installer.keytab]): >>> + sys.exit("IPA client is not configured on this system.\n" >>> + "You must use a replica file or join the system " >>> + "either by using by running 'ipa-client-install'. " >>> + "Alternatively, you may specify enrollment related >>> options " >>> + "directly, see man ipa-replica-install.") >>> + >> >> There is a typo "either by using by " >> >> Also this seem to be run in promote_check, so you should not mention >> replica files, as promotion can only be run at domain level 1 where >> replica files cannot be used. > > One more thing from me: admin password should be passed to > ipa-client-install through stdin. Apply the following changes (tested > and working) to make it so: > > args.extend(["--hostname", installer.host_name]) > > if installer.admin_password: > - args.extend(["--password", installer.admin_password]) > args.extend(["--principal", installer.principal or "admin"]) > if installer.keytab: > args.extend(["--keytab", installer.keytab]) > @@ -792,7 +791,13 @@ def ensure_enrolled(installer): > args.append("--no-sshd") > if installer.mkhomedir: > args.append("--mkhomedir") > - ipautil.run(args) > + > + if installer.admin_password: > + stdin = installer.admin_password > + else: > + stdin = None > + > + ipautil.run(args, stdin=stdin) > except Exception as e: > sys.exit("Configuration of client side components failed!\n" > "ipa-client-install returned: " + str(e)) >
Both Simo's and Jan's suggestions make sense, thanks. Updated patch attached. Tomas
From a454af101534fa0593c002f97a9bf137058af9d3 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 23 Nov 2015 12:46:15 +0100
Subject: [PATCH] replicainstall: Add possiblity to install client in one command
https://fedorahosted.org/freeipa/ticket/5310
---
 ipaserver/install/server/common.py | 2 +-
 ipaserver/install/server/replicainstall.py | 94 +++++++++++++++++++++++++++---
 2 files changed, 86 insertions(+), 10 deletions(-)
diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py
index 82c2c9eac253f82baeffbebfa388718dcc30d14a..376c39dfa11847525244d41a27262dbe9849bcdb 100644
--- a/ipaserver/install/server/common.py
+++ b/ipaserver/install/server/common.py
@@ -280,7 +280,7 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
 host_name = Knob(
 str, None,
- description="fully qualified name of server",
+ description="fully qualified name of this host",
 cli_name='hostname',
 )
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index eac42dab2a3f94c4e9c4f0f2d0d1b84d4a1f0847..74069f0fbb82b2696091c9d0468942aa8c862f31 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -4,6 +4,7 @@
 from __future__ import print_function
+import collections
 import dns.exception as dnsexception
 import dns.name as dnsname
 import dns.resolver as dnsresolver
@@ -751,6 +752,53 @@ def install(installer):
 remove_replica_info_dir(installer)
+def ensure_enrolled(installer):
+ config = installer._config
+
+ # Perform only if we have the necessary options
+ if not any([installer.admin_password, installer.keytab]):
+ sys.exit("IPA client is not configured on this system.\n"
+ "You must join the system by running 'ipa-client-install' "
+ "first. Alternatively, you may specify enrollment related "
+ "options directly, see man ipa-replica-install.")
+
+ # Call client install script
+ service.print_msg("Configuring client side components")
+ try:
+ args = [paths.IPA_CLIENT_INSTALL, "--unattended"]
+ if installer.domain_name:
+ args.extend(["--domain", installer.domain_name])
+ if installer.server:
+ args.extend(["--server", installer.server])
+ if installer.realm_name:
+ args.extend(["--realm", installer.realm_name])
+ if installer.host_name:
+ args.extend(["--hostname", installer.host_name])
+
+ if installer.admin_password:
+ # Always set principal if password was set explicitly,
+ # the password itself gets passed directly via stdin
+ args.extend(["--principal", installer.principal or "admin"])
+ if installer.keytab:
+ args.extend(["--keytab", installer.keytab])
+
+ if installer.no_dns_sshfp:
+ args.append("--no-dns-sshfp")
+ if installer.ssh_trust_dns:
+ args.append("--ssh-trust-dns")
+ if installer.no_ssh:
+ args.append("--no-ssh")
+ if installer.no_sshd:
+ args.append("--no-sshd")
+ if installer.mkhomedir:
+ args.append("--mkhomedir")
+
+ ipautil.run(args, stdin=installer.admin_password or None)
+
+ except Exception as e:
+ sys.exit("Configuration of client side components failed!\n"
+ "ipa-client-install returned: " + str(e))
+
 @common_cleanup
 def promote_check(installer):
 options = installer
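Review bot: When both `admin_password` and `keytab` are set, `ensure_enrolled` puts `--principal` and `--keytab` on the command line and also feeds the password on stdin, so which credential ipa-client-install ends up using is left to that tool. Making the second test `elif installer.keytab:` (or rejecting the combination before the call) would make the choice explicit. `config = installer._config` is assigned but never read in the function as shown and can be dropped. A short docstring would also help, for example `"""Enroll this host by running ipa-client-install; the admin password is sent on stdin so it is not part of the argument list."""`.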
@@ -761,9 +809,7 @@ def promote_check(installer):
 client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
 if not client_fstore.has_files():
- sys.exit("IPA client is not configured on this system.\n"
- "You must use a replica file or join the system "
- "using 'ipa-client-install'.")
+ ensure_enrolled(installer)
 sstore = sysrestore.StateFile(paths.SYSRESTORE)
@@ -1108,9 +1154,6 @@ class Replica(BaseServer):
 description="a file generated by ipa-replica-prepare",
 )
- realm_name = None
- domain_name = None
-
 setup_ca = Knob(BaseServer.setup_ca)
 setup_kra = Knob(BaseServer.setup_kra)
 setup_dns = Knob(BaseServer.setup_dns)
@@ -1130,12 +1173,16 @@ class Replica(BaseServer):
 admin_password = Knob(
 BaseServer.admin_password,
- description="Admin user Kerberos password used for connection check",
+ description="Kerberos password for the specified admin principal",
 cli_short_name='w',
 )
+ server = Knob(
+ str, None,
+ description="fully qualified name of IPA server to enroll to",
+ )
+
 mkhomedir = Knob(BaseServer.mkhomedir)
- host_name = None
 no_host_dns = Knob(BaseServer.no_host_dns)
 no_ntp = Knob(BaseServer.no_ntp)
 no_pkinit = Knob(BaseServer.no_pkinit)
@@ -1153,10 +1200,17 @@ class Replica(BaseServer):
 principal = Knob(
 str, None,
 sensitive=True,
- description="User Principal allowed to promote replicas",
+ description="User Principal allowed to promote replicas "
+ "and join IPA realm",
 cli_short_name='P',
 )
+ keytab = Knob(
+ str, None,
+ description="path to backed up keytab from previous enrollment",
+ cli_short_name='k',
+ )
+
 promote = False
 # ca
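Review bot: `promote_check` now changes system state: on a host with no client files, the call to `ensure_enrolled(installer)` enrolls the machine before the remaining checks have run. If a later check in this function fails, the host is presumably left joined to the domain with nothing visible here to undo it; the rest of `promote_check` and the behaviour of `@common_cleanup` are outside this hunk, so that needs confirming. Consider running the enrollment after the checks that do not depend on it, or recording that this run performed the enrollment so the failure path can unenroll. At minimum a comment at the call, such as `# enrolls the host as a side effect; not undone if a later check fails`, would make this visible.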
@@ -1197,6 +1251,28 @@ class Replica(BaseServer):
 raise RuntimeError("Replica file %s does not exist" % self.replica_file)
+ CLIKnob = collections.namedtuple('CLIKnob', ('value', 'name'))
+
+ conflicting_knobs = (
+ CLIKnob(self.realm_name, '--realm'),
+ CLIKnob(self.domain_name, '--domain'),
+ CLIKnob(self.host_name, '--hostname'),
+ CLIKnob(self.server, '--server'),
+ CLIKnob(self.admin_password, '--admin-password'),
+ CLIKnob(self.principal, '--principal'),
+ )
+
+ if any([k.value is not None for k in conflicting_knobs]):
+ conflicting_knob_names = [
+ knob.name for knob in conflicting_knobs
+ if knob.value is not None
+ ]
+
+ raise RuntimeError(
+ "You cannot specify '{0}' option(s) with replica file."
+ .format(", ".join(conflicting_knob_names))
+ )
+
 if self.setup_dns:
 #pylint: disable=no-member
 if (not self.dns.forwarders and not self.dns.no_forwarders
--
2.5.0
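Review bot: Listing `--admin-password` in `conflicting_knobs` looks like it rejects a combination that used to be meaningful: the description this patch replaces said the admin password was used for the connection check, so if that check also runs for replica-file installs, passing the password there would now raise `RuntimeError`. At the same time the new `keytab` knob is an enrollment-only option but is missing from the tuple, so `--keytab` given together with a replica file is accepted without complaint; adding `CLIKnob(self.keytab, '--keytab'),` would cover it. The names list can be built once and tested with `if conflicting_knob_names:` instead of a separate `any([...])` pass over the same tuple. The enclosing method starts outside the hunk, so the assumption that this block runs only on the replica-file branch is inferred from the error text.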