Re: [Freeipa-devel] NTP in FreeIPA
On 30.11.2016 16:09, Rob Crittenden wrote:
> David Kupka wrote:
>> On 29/11/16 18:10, Alexander Bokovoy wrote:
>>> Still, bug reports and users' complaints is the only external measure we have. There are close to nothing in complaints about NTP functionality, other than requests to support chronyd and a better discover of existing NTP setups. I don't think that requires dramatic action like removal of NTP support at all.
>>
>> As Petr already pointed out, since Fedora 16 chronyd is enabled by default and ipa-client-install doesn't configure time synchronization when chronyd is enabled. I believe that majority of users haven't used '--force-ntpd' and since it still worked they haven't filed any ticket. IMO in this case no bug reports means no users rather than no bugs or requests. Unfortunately, this is just my guess and AFAIK we don't have any data from users showing how they use FreeIPA.
>
> For argument's sake, let's say NTP configuration in the client is dropped and managed by the OS or other administrators. What implication does this have for configuring NTP server on masters? Would that be stopped as well? What about existing installs?

I think there should be no implication, the server is a completely different thing. The only thing I would maybe do is to detect if there is an existing NTP server configuration and if there is, do not touch it.

> I don't believe there is a precedence for removing a service from IPA.
>
> rob

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] NTP in FreeIPA
On Wed, 2016-11-30 at 16:57 +0100, David Kupka wrote:
> Upgrades to 4.x will revert configuration if done by FreeIPA.

Why would you revert a perfectly valid configuration? I can understand that you want to stop managing the server, but I do not see why you should un-configure it.

> I think it's actually that simple. The only hard part is reaching the
> agreement.

I still think we need to offer the NTP option even if not on by default, so on upgrade we would have to keep maintaining it.

Keep in mind that NTP is extremely important, still, in virtualized environment and PoC environment where you must assure, with your own means, that clocks are synchronized. Testing environments are often very broken, reason why we also offer a DNS server. And a testing environment generally gives you the first impression, so if it breaks horribly (as it does when clocks are not in sync) then people just stop caring and do not move to production.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

tiran commented:
"""
+1 for my trick

Since I disabled the import warnings for samba bindings in fef6f18aa, pylint is passing under Python 3, too.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-263954366
[Freeipa-devel] [freeipa PR#290][closed] Require python-cryptography >= 1.3.1
URL: https://github.com/freeipa/freeipa/pull/290
Author: tiran
Title: #290: Require python-cryptography >= 1.3.1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/290/head:pr290
git checkout pr290
[Freeipa-devel] [freeipa PR#290][comment] Require python-cryptography >= 1.3.1
URL: https://github.com/freeipa/freeipa/pull/290
Title: #290: Require python-cryptography >= 1.3.1

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/289982e02fa6bef700fe2c1900ddbed864876faa
"""

See the full comment at https://github.com/freeipa/freeipa/pull/290#issuecomment-263922200
[Freeipa-devel] [freeipa PR#290][+ack] Require python-cryptography >= 1.3.1
URL: https://github.com/freeipa/freeipa/pull/290
Title: #290: Require python-cryptography >= 1.3.1
Label: +ack
[Freeipa-devel] [freeipa PR#290][+pushed] Require python-cryptography >= 1.3.1
URL: https://github.com/freeipa/freeipa/pull/290
Title: #290: Require python-cryptography >= 1.3.1
Label: +pushed
[Freeipa-devel] [freeipa PR#289][comment] Require python-gssapi >= 1.2.0
URL: https://github.com/freeipa/freeipa/pull/289
Title: #289: Require python-gssapi >= 1.2.0

frozencemetery commented:
"""
We (the python-gssapi team) do not believe that is correct. This problem with enum34 is fixed in the latest 1.1.z release (1.1.4). We also do have CI that runs on every commit, so every released version should be stable, though 1.2.0 is also a great version.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/289#issuecomment-263917633
[Freeipa-devel] [bind-dyndb-ldap PR#1][comment] Port bind-dyndb-ldap to BIND 9.11
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/1
Title: #1: Port bind-dyndb-ldap to BIND 9.11

pspacek commented:
"""
Pushed to master:
2649ef1da1cbfc1203337665c4e589e1fe75f04b BIND 9.11: Remove #if blocks for older BIND versions.
8178f3cf856829c081a663a2e3f4d77ecc2db6b1 BIND 9.11: Add wrapper for new DB API method nodefullname.
da9bc9b157a5ddc9a70147bf8df94e2bebb05c07 BIND 9.11: Port to new dyndb API.
08da3390cfc0985abdc0f791115f0f595e915df6 BIND 9.11: use new public header isc/errno.h instead of private isc/errno2result.h
4424cc349142dc7501eabaf352cf2ce59c34d7cb Fix error handling in syncrepl_update() to avoid hung mctx.
c3bfe1a62ac4f8a73207bf4e80d64a4a3a58d9e4 Remove obsolete options: cache_ttl, psearch, serial_autoincrement, zone_refresh.
e7cb75353d1b8fec6f063e4edaf5ead5b784e10d Use ISC configuration parser for dyndb section.
7c8d8e553932ad1ce05d6fb8b4e845d4fdf7d6c2 Print configuration grammar when a configuration error is detected.
189c1850582bac964877764e7f0828d083a1d384 Migrate README to Markdown syntax: create README.md
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/1#issuecomment-263915947
[Freeipa-devel] [bind-dyndb-ldap PR#1][closed] Port bind-dyndb-ldap to BIND 9.11
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/1
Author: pspacek
Title: #1: Port bind-dyndb-ldap to BIND 9.11
Action: closed

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/1/head:pr1
git checkout pr1
[Freeipa-devel] [freeipa PR#290][synchronized] Require python-cryptography >= 1.3.1
URL: https://github.com/freeipa/freeipa/pull/290 Author: tiran Title: #290: Require python-cryptography >= 1.3.1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/290/head:pr290 git checkout pr290 From fa40d5247dbc742ac7fe8a4d42b37d8df4004710 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 30 Nov 2016 11:10:36 +0100 Subject: [PATCH] Require python-cryptography >= 1.3.1 python-cryptography versions < 1.3 no longer compile with recent OpenSSL 1.0.2 versions. In order to build wheels, a more recent version of cryptography is required. 1.3.1 is the oldest well tested version (RHEL 7.3) that is known to work with FreeIPA. Bump up in freeipa.spec is not required for technical reasons. The problem only affects PyPI packages. It's policy to keep requirements in sync. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes --- freeipa.spec.in | 12 ++-- ipasetup.py.in | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index bdf510f..15c3e68 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -113,8 +113,8 @@ BuildRequires: python-cffi %if 0%{?with_lint} BuildRequires: samba-python BuildRequires: python-setuptools -# 0.6: serialization.load_pem_private_key, load_pem_public_key -BuildRequires: python-cryptography >= 0.6 +# 1.3: oldest PyPI version that still compiles with recent OpenSSL +BuildRequires: python-cryptography >= 1.3.1 BuildRequires: python-gssapi >= 1.2.0 BuildRequires: pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -510,7 +510,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography >= 0.9 +Requires: python-cryptography >= 1.3.1 Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 
@@ -559,7 +559,7 @@ Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL Requires: python3-nss >= 0.16 -Requires: python3-cryptography +Requires: python3-cryptography >= 1.3.1 Requires: python3-netaddr Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 @@ -633,7 +633,7 @@ Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder Requires: ldns-utils Requires: python-sssdconfig -Requires: python2-cryptography +Requires: python2-cryptography >= 1.3.1 Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -667,7 +667,7 @@ Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder Requires: ldns-utils Requires: python3-sssdconfig -Requires: python3-cryptography +Requires: python3-cryptography >= 1.3.1 %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users, diff --git a/ipasetup.py.in b/ipasetup.py.in index 08c9178..2200e4b 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -52,7 +52,7 @@ class build_py(setuptools_build_py): PACKAGE_VERSION = { -'cryptography': 'cryptography >= 0.9', +'cryptography': 'cryptography >= 1.3.1', 'dnspython': 'dnspython >= 1.13', 'gssapi': 'gssapi > 1.2.0', 'ipaclient': 'ipaclient == @VERSION@', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
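Review bot: In the first freeipa.spec.in hunk the new comment reads "# 1.3: oldest PyPI version that still compiles with recent OpenSSL" while the constraint on the next line is ">= 1.3.1" and the commit message names 1.3.1 as the oldest well tested version; the comment should say 1.3.1 and give that reason, so that nobody later lowers the floor on the strength of the comment. The ipasetup.py.in context also shows 'gssapi > 1.2.0' next to the spec's "python-gssapi >= 1.2.0"; since the commit message says it is policy to keep requirements in sync, that strict inequality is worth checking in the same pass.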
Re: [Freeipa-devel] NTP in FreeIPA
On 30/11/16 16:09, Rob Crittenden wrote:
> David Kupka wrote:
>> On 29/11/16 18:10, Alexander Bokovoy wrote:
>>> Still, bug reports and users' complaints is the only external measure we have. There are close to nothing in complaints about NTP functionality, other than requests to support chronyd and a better discover of existing NTP setups. I don't think that requires dramatic action like removal of NTP support at all.
>>
>> As Petr already pointed out, since Fedora 16 chronyd is enabled by default and ipa-client-install doesn't configure time synchronization when chronyd is enabled. I believe that majority of users haven't used '--force-ntpd' and since it still worked they haven't filed any ticket. IMO in this case no bug reports means no users rather than no bugs or requests. Unfortunately, this is just my guess and AFAIK we don't have any data from users showing how they use FreeIPA.
>
> For argument's sake, let's say NTP configuration in the client is dropped and managed by the OS or other administrators. What implication does this have for configuring NTP server on masters? Would that be stopped as well? What about existing installs?
>
> I don't believe there is a precedence for removing a service from IPA.
>
> rob

Well, everything was done for the first time at some point in history. I would prefer removing it from server too. I imagine it this way:

0. We agree that NTP as FreeIPA service will be dropped in 4.x
1. We add big fat warning to nearest release (currently 4.5) that FreeIPA will stop supporting NTP as its service on server and client and if NTP was configured by FreeIPA (we can tell from sysrestore) upgrade will revert those changes.
2. New installations of 4.x will not configure NTP on server nor client. Upgrades to 4.x will revert configuration if done by FreeIPA.

I think it's actually that simple. The only hard part is reaching the agreement.

While I understand that the value of FreeIPA is entirely in taking care of non-trivial services and orchestrating them in a way most comfortable for the administrator I think configuring NTP is:
* reasonably easy (<5 lines on client, <10 lines on server),
* unnecessary in most cases (distributions defaults or DHCP+NetworkManager just work)
and so not worth keeping in FreeIPA.

--
David Kupka
[Freeipa-devel] [freeipa PR#284][+ack] ipautil: check for open ports on all resolved IPs
URL: https://github.com/freeipa/freeipa/pull/284
Title: #284: ipautil: check for open ports on all resolved IPs
Label: +ack
[Freeipa-devel] [freeipa PR#284][synchronized] ipautil: check for open ports on all resolved IPs
URL: https://github.com/freeipa/freeipa/pull/284 Author: tomaskrizek Title: #284: ipautil: check for open ports on all resolved IPs Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/284/head:pr284 git checkout pr284 From d85861c7b24d7e1bf21ed55d9cb9d7add1580e2f Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Tue, 29 Nov 2016 18:19:07 +0100 Subject: [PATCH] ipautil: check for open ports on all resolved IPs When a hostname is provided to host_port_open, it should check if ports are open for ALL IPs that are resolved from the hostname, instead of checking whether the port is reachable on at least one of the IPs. https://fedorahosted.org/freeipa/ticket/6522 --- install/tools/ipa-replica-conncheck | 5 +++-- ipapython/ipautil.py| 44 - 2 files changed, 37 insertions(+), 12 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 544116e..9a30385 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -315,8 +315,9 @@ def port_check(host, port_list): ports_udp_warning = [] # conncheck could not verify that port is open for port in port_list: try: -port_open = ipautil.host_port_open(host, port.port, -port.port_type, socket_timeout=CONNECT_TIMEOUT) +port_open = ipautil.host_port_open( +host, port.port, port.port_type, +socket_timeout=CONNECT_TIMEOUT, log_errors=True) except socket.gaierror: raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host) if port_open: diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 1c95a81..73056e5 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -55,6 +55,12 @@ GEN_TMP_PWD_LEN = 12 # only for OTP password that is manually retyped by user +PROTOCOL_NAMES = { +socket.SOCK_STREAM: 'tcp', +socket.SOCK_DGRAM: 'udp' +} + + class UnsafeIPAddress(netaddr.IPAddress): """Any valid IP address with or without netmask.""" 
@@ -866,15 +872,21 @@ def user_input(prompt, default = None, allow_empty = True): return ret -def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None): +def host_port_open(host, port, socket_type=socket.SOCK_STREAM, + socket_timeout=None, log_errors=False): +""" +host: either hostname or IP address; + if hostname is provided, port MUST be open on ALL resolved IPs + +returns True is port is open, False otherwise +""" +port_open = True + +# port has to be open on ALL resolved IPs for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type): af, socktype, proto, _canonname, sa = res try: -try: -s = socket.socket(af, socktype, proto) -except socket.error: -s = None -continue +s = socket.socket(af, socktype, proto) if socket_timeout is not None: s.settimeout(socket_timeout) @@ -884,15 +896,27 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=No if socket_type == socket.SOCK_DGRAM: s.send('') s.recv(512) - -return True except socket.error: -pass +port_open = False + +if log_errors: +msg = ('Failed to connect to port %(port)d %(proto)s on ' + '%(addr)s' % dict(port=port, + proto=PROTOCOL_NAMES[socket_type], + addr=sa[0])) + +# Do not log udp failures as errors (to be consistent with +# the rest of the code that checks for open ports) +if socket_type == socket.SOCK_DGRAM: +root_logger.warning(msg) +else: +root_logger.error(msg) finally: if s: s.close() +s = None -return False +return port_open def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=None, responder_data=None): host = None # all available interfaces -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
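Review bot: With the inner try/except around socket.socket() removed in host_port_open, a socket.error raised by socket.socket() for the first resolved address reaches "finally: if s:" before s has ever been assigned, because "s = None" is only set at the end of the finally block, so the check fails with an unbound-variable error instead of returning False; set "s = None" at the top of each loop iteration. The same removal changes behaviour: an address for which no socket could be created used to be skipped with "continue" and now marks the port as closed, which the docstring should state if it is intended. The docstring line "returns True is port is open" should read "if".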
[Freeipa-devel] [freeipa PR#287][+pushed] Wheel bundles fixes
URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes
Label: +pushed
[Freeipa-devel] [freeipa PR#287][closed] Wheel bundles fixes
URL: https://github.com/freeipa/freeipa/pull/287
Author: tiran
Title: #287: Wheel bundles fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/287/head:pr287
git checkout pr287
[Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes
URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

mbasti-rh commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/235f68524767c1eb2e12fb6d1d9f6a520414c583
"""

See the full comment at https://github.com/freeipa/freeipa/pull/287#issuecomment-263907173
[Freeipa-devel] [freeipa PR#285][+pushed] Check the result of cert request in replica installer
URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer
Label: +pushed
[Freeipa-devel] [freeipa PR#263][synchronized] Backwards compatibility with setuptools 0.9.8
URL: https://github.com/freeipa/freeipa/pull/263 Author: tiran Title: #263: Backwards compatibility with setuptools 0.9.8 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/263/head:pr263 git checkout pr263 From 5ed592d08488a50990992616e9728f1b530d391d Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 22 Nov 2016 16:08:46 +0100 Subject: [PATCH] Backwards compatibility with setuptools 0.9.8 Setuptools 0.9.8 does not support PEP 440 version schema with +git suffix and PEP 508 env markers. Signed-off-by: Christian Heimes --- ipasetup.py.in | 31 +-- 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/ipasetup.py.in b/ipasetup.py.in index 08c9178..8e1dc21 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -50,16 +50,27 @@ class build_py(setuptools_build_py): return setuptools_build_py.build_module(self, module, module_file, package) +import setuptools + +VERSION = '@VERSION@' + +SETUPTOOLS_VERSION = tuple(int(v) for v in setuptools.__version__.split(".")) + +# backwards compatibility with setuptools 0.9.8, split off +gitHASH suffix +# PEP 440 was introduced in setuptools 8. +if SETUPTOOLS_VERSION < (8, 0, 0): +VERSION = VERSION.split('+')[0] + PACKAGE_VERSION = { 'cryptography': 'cryptography >= 0.9', 'dnspython': 'dnspython >= 1.13', 'gssapi': 'gssapi > 1.2.0', -'ipaclient': 'ipaclient == @VERSION@', -'ipalib': 'ipalib == @VERSION@', -'ipaplatform': 'ipaplatform == @VERSION@', -'ipapython': 'ipapython == @VERSION@', -'ipaserver': 'ipaserver == @VERSION@', +'ipaclient': 'ipaclient == {}'.format(VERSION), +'ipalib': 'ipalib == {}'.format(VERSION), +'ipaplatform': 'ipaplatform == {}'.format(VERSION), +'ipapython': 'ipapython == {}'.format(VERSION), +'ipaserver': 'ipaserver == {}'.format(VERSION), 'kdcproxy': 'kdcproxy >= 0.3', 'netifaces': 'netifaces >= 0.10.4', 'pyldap': 'pyldap >= 2.4.15', 
@@ -70,7 +81,7 @@ PACKAGE_VERSION = { common_args = dict( -version="@VERSION@", +version=VERSION, license="GPLv3", author="FreeIPA Developers", author_email="freeipa-devel@redhat.com", @@ -126,6 +137,14 @@ def ipasetup(name, doc, **kwargs): cmdclass = setup_kwargs.setdefault('cmdclass', {}) cmdclass['build_py'] = build_py +# Env markers like ":python_version<'3.3'" are not supported by +# setuptools < 18.0. +if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0): +for k in list(setup_kwargs['extras_require']): +if k.startswith(':'): +req = setup_kwargs.setdefault('install_requires', []) +req.extend(setup_kwargs['extras_require'].pop(k)) + os.chdir(local_path) try: # BEFORE importing distutils, remove MANIFEST. distutils doesn't -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
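Review bot: The added line SETUPTOOLS_VERSION = tuple(int(v) for v in setuptools.__version__.split(".")) raises ValueError at import time for any setuptools version string that has a non-numeric component, so the comparisons against (8, 0, 0) and (18, 0, 0) should be made on the leading numeric parts only. In the ipasetup() hunk, popping the keys that start with ':' into install_requires drops the environment marker, so on setuptools < 18.0 those requirements become unconditional for every interpreter; the comment there should say that this is accepted. The "import setuptools" is also added after the build_py class rather than at the top of the module.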
[Freeipa-devel] [freeipa PR#285][closed] Check the result of cert request in replica installer
URL: https://github.com/freeipa/freeipa/pull/285
Author: flo-renaud
Title: #285: Check the result of cert request in replica installer
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/285/head:pr285
git checkout pr285
[Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required
URL: https://github.com/freeipa/freeipa/pull/267 Author: tomaskrizek Title: #267: ipa-replica-conncheck: do not close listening ports until required Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/267/head:pr267 git checkout pr267 From 97d7ba26117cad07ebd7bd56bcf6efb4a479c492 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 23 Nov 2016 13:55:14 +0100 Subject: [PATCH] ipa-replica-conncheck: do not close listening ports until required Previously, a separate thread would be created for each socket used for conncheck. It would also time out after one second, after which it would be closed and reopened again. This caused random failures of conncheck. Now all sockets are handled in a single thread and once the server starts to listen on a port, it does not close that connection until the script finishes. Only IPv6 socket is used for simplicity, since it can handle both IPv6 and IPv4 connections. This requires IPv6 kernel support, which is required by other parts of IPA anyway. https://fedorahosted.org/freeipa/ticket/6487 --- install/tools/ipa-replica-conncheck | 151 +++- ipapython/ipautil.py| 71 - 2 files changed, 113 insertions(+), 109 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 544116e..2413754 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -31,14 +31,16 @@ from ipaserver.install import installutils from optparse import OptionGroup, OptionValueError # pylint: enable=deprecated-module from ipapython.ipa_log_manager import root_logger, standard_logging_setup +import copy import sys import os import signal import tempfile +import select import socket import time import threading -import errno +import traceback from socket import SOCK_STREAM, SOCK_DGRAM import distutils.spawn from ipaplatform.paths import paths 
@@ -46,11 +48,12 @@ import gssapi from cryptography.hazmat.primitives import serialization CONNECT_TIMEOUT = 5 -RESPONDERS = [ ] +RESPONDER = None QUIET = False CCACHE_FILE = None KRB5_CONFIG = None + class SshExec(object): def __init__(self, user, addr): self.user = user @@ -96,6 +99,7 @@ class CheckedPort(object): self.port_type = port_type self.description = description + BASE_PORTS = [ CheckedPort(389, SOCK_STREAM, "Directory Service: Unsecure port"), CheckedPort(636, SOCK_STREAM, "Directory Service: Secure port"), @@ -112,6 +116,7 @@ def print_info(msg): if not QUIET: print(msg) + def parse_options(): def ca_cert_file_callback(option, opt, value, parser): if not os.path.exists(value): @@ -211,6 +216,7 @@ def parse_options(): return safe_options, options + def logging_setup(options): log_file = None @@ -219,16 +225,6 @@ def logging_setup(options): standard_logging_setup(log_file, debug=options.debug) -def clean_responders(responders): -if not responders: -return - -for responder in responders: -responder.stop() - -for responder in responders: -responder.join() -responders.remove(responder) def sigterm_handler(signum, frame): # do what SIGINT does (raise a KeyboardInterrupt) @@ -236,6 +232,7 @@ def sigterm_handler(signum, frame): if callable(sigint_handler): sigint_handler(signum, frame) + def configure_krb5_conf(realm, kdc, filename): krbconf = ipaclient.install.ipachangeconf.IPAChangeConf("IPA Installer") 
@@ -283,32 +280,107 @@ def configure_krb5_conf(realm, kdc, filename): krbconf.newConf(filename, opts) + class PortResponder(threading.Thread): -def __init__(self, port, port_type, socket_timeout=1): +PROTO = {socket.SOCK_STREAM: 'tcp', + socket.SOCK_DGRAM: 'udp'} + +def __init__(self, ports): +""" +ports: a list of CheckedPort +""" super(PortResponder, self).__init__() -self.port = port -self.port_type = port_type -self.socket_timeout = socket_timeout -self._stop_request = False +# copy ports to avoid the need to synchronize it between threads +self.ports = copy.deepcopy(ports) +self._sockets = [] +self._close = False +self._close_lock = threading.Lock() +self.responder_data = 'FreeIPA' +self.ports_open = threading.Condition() def run(self): -while not self._stop_request: +root_logger.debug('Starting listening thread.') + +for port in self.ports: +self._bind_to_port(port.port, port.port_type) +with self.ports_open: +root_logger.debug('Ports opened, notify original thread') +self.ports_open.notify() + +while not self._is_closing(): +ready_socks, _socks1, _s
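Review bot: In PortResponder.run() the listening thread calls self.ports_open.notify() once after binding, and a notify on a threading.Condition that nobody is waiting on yet is lost, so the caller has to hold ports_open before it starts the thread, or the signal should be a flag or threading.Event instead; the waiting side is not in the part of the patch shown here, so this needs checking there. The class-level PROTO mapping repeats the tcp/udp name table that PR#284 adds to ipapython/ipautil.py as PROTOCOL_NAMES, and one shared copy would do. The hunks that only add blank lines between top-level definitions would be easier to review as a separate commit.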
[Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer
URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer

mbasti-rh commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/dbb98765d73519289ee22f3de1a5ccde140f6f5d
"""

See the full comment at https://github.com/freeipa/freeipa/pull/285#issuecomment-263904080
[Freeipa-devel] [freeipa PR#263][comment] Backwards compatibility with setuptools 0.9.8
URL: https://github.com/freeipa/freeipa/pull/263
Title: #263: Backwards compatibility with setuptools 0.9.8

martbab commented:
"""
Please rebase this PR and add ticket to the commit message.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/263#issuecomment-263903379
[Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes
URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

tomaskrizek commented:
"""
I wasn't able to fully test this since there is an issue with building `bdist_wheel`. But since ipaplatform dependency has been removed, it seems to be all right.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/287#issuecomment-263903162
[Freeipa-devel] [freeipa PR#267][comment] ipa-replica-conncheck: do not close listening ports until required
URL: https://github.com/freeipa/freeipa/pull/267
Title: #267: ipa-replica-conncheck: do not close listening ports until required

mbasti-rh commented:
"""
needs rebase
"""

See the full comment at https://github.com/freeipa/freeipa/pull/267#issuecomment-263903284
[Freeipa-devel] [freeipa PR#287][+ack] Wheel bundles fixes
URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes
Label: +ack
[Freeipa-devel] [freeipa PR#289][+pushed] Require python-gssapi >= 1.2.0
URL: https://github.com/freeipa/freeipa/pull/289
Title: #289: Require python-gssapi >= 1.2.0
Label: +pushed
[Freeipa-devel] [freeipa PR#200][+pushed] Test: basic kerberos over http functionality
URL: https://github.com/freeipa/freeipa/pull/200
Title: #200: Test: basic kerberos over http functionality
Label: +pushed
[Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality
URL: https://github.com/freeipa/freeipa/pull/200
Title: #200: Test: basic kerberos over http functionality

mbasti-rh commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/c7fd46e42a9f5b4676415910b800e0340f77dc88
https://fedorahosted.org/freeipa/changeset/503d0929e9265dfc0c6c28ac49146b72a0a7edea
"""

See the full comment at https://github.com/freeipa/freeipa/pull/200#issuecomment-263902720
[Freeipa-devel] [freeipa PR#290][comment] Require python-cryptography >= 1.3.1
URL: https://github.com/freeipa/freeipa/pull/290 Title: #290: Require python-cryptography >= 1.3.1 martbab commented: """ Please rebase the PR so we can do clean merge, it should be simple conflict resolution. """ See the full comment at https://github.com/freeipa/freeipa/pull/290#issuecomment-263902430
Re: [Freeipa-devel] NTP in FreeIPA
On Wed, 30 Nov 2016, Rob Crittenden wrote:
> David Kupka wrote:
>> On 29/11/16 18:10, Alexander Bokovoy wrote:
>>> Still, bug reports and users' complaints is the only external measure we have. There are close to nothing in complaints about NTP functionality, other than requests to support chronyd and a better discover of existing NTP setups. I don't think that requires dramatic action like removal of NTP support at all.
>>
>> As Petr already pointed out, since Fedora 16 chronyd is enabled by default and ipa-client-install doesn't configure time synchronization when chronyd is enabled.
>>
>> I believe that majority of users haven't used '--force-ntpd' and since it still worked they haven't filed any ticket.
>>
>> IMO in this case no bug reports means no users rather than no bugs or requests.
>>
>> Unfortunately, this is just my guess and AFAIK we don't have any data from users showing how they use FreeIPA.
>
> For argument's sake, let's say NTP configuration in the client is dropped and managed by the OS or other administrators. What implication does this have for configuring NTP server on masters? Would that be stopped as well? What about existing installs?

Here is the problem: in Kerberos realm services must have time synchronized with KDC. The patches from StefW which added ability to record a time skew between the Kerberos client and KDC do not apply to Kerberos client - Kerberos service communication. Given that IPA clients can host Kerberos services (at the very least, SSH is such a service), this practically means they need to have a time source that is synchronized with the KDC(s) they are talking to.

To me this means we should not really remove NTP configuration but instead expand ntpd support to cover chronyd as well.

> I don't believe there is a precedence for removing a service from IPA.

Neither do I.

--
/ Alexander Bokovoy
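Added example, not part of the message above and not FreeIPA code: a host-side check of the requirement described there, computing the local clock's offset from a time source with the standard NTP formula and comparing it with the Kerberos clock skew tolerance. The 300-second tolerance (the MIT krb5 default for "clockskew"), the function names and the sample packets are assumptions; the packets are constructed inline so the check runs offline.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)
KRB5_CLOCKSKEW = 300         # seconds; assumed tolerance (MIT krb5 default for "clockskew")


def to_ntp(unix_time):
    """Encode a Unix time as an 8-byte NTP timestamp (32.32 fixed point)."""
    total = unix_time + NTP_UNIX_DELTA
    sec = int(total)
    return struct.pack("!II", sec, int((total - sec) * 2**32))


def from_ntp(raw):
    """Decode an 8-byte NTP timestamp to Unix time."""
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_UNIX_DELTA + frac / 2**32


def parse_reply(packet, sent_ts, t4):
    """Return (offset, delay) in seconds for a server reply.

    sent_ts is the 8-byte transmit timestamp placed in the request and
    t4 is the local Unix time at which the reply arrived.
    """
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    flags, stratum = struct.unpack("!BB", packet[:2])
    leap, mode = flags >> 6, flags & 0x7
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("time source is unsynchronized")
    # The server echoes our transmit timestamp in the origin field; a
    # mismatch means the reply is stale or did not answer our request.
    if packet[24:32] != sent_ts:
        raise ValueError("origin timestamp mismatch")
    t1 = from_ntp(sent_ts)
    t2 = from_ntp(packet[32:40])   # server receive time
    t3 = from_ntp(packet[40:48])   # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def kerberos_time_ok(offset, clockskew=KRB5_CLOCKSKEW):
    """True if the local clock is inside the tolerance a KDC or service accepts."""
    return abs(offset) <= clockskew


def query(server, timeout=2.0):
    """Live measurement against a time source, e.g. the one the KDC uses."""
    sent_ts = to_ntp(time.time())
    request = b"\x23" + b"\0" * 39 + sent_ts   # LI=0, VN=4, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
    return parse_reply(reply, sent_ts, time.time())


def sample_reply(sent_ts, server_ahead, stratum=2, leap=0):
    """Constructed server reply: server clock is server_ahead seconds ahead."""
    t2 = from_ntp(sent_ts) + server_ahead + 0.010   # 10 ms one-way trip
    t3 = t2 + 0.001                                 # 1 ms processing
    header = struct.pack("!BBbbII4s", (leap << 6) | (4 << 3) | 4,
                         stratum, 6, -20, 0, 0, b"\x7f\x00\x00\x01")
    return header + to_ntp(t2) + sent_ts + to_ntp(t2) + to_ntp(t3)


def demo():
    """Run the check over two constructed hosts and return the verdicts."""
    sent = to_ntp(1480521600.0)        # constructed client send time
    arrival = 1480521600.0 + 0.021     # reply seen 21 ms later on the client clock
    verdicts = {}
    for label, ahead in (("in sync", 2.0), ("drifted VM", 420.0)):
        offset, _delay = parse_reply(sample_reply(sent, ahead), sent, arrival)
        verdicts[label] = kerberos_time_ok(offset)
    return verdicts


if __name__ == "__main__":
    for host, ok in demo().items():
        print(host, "within clockskew" if ok else "outside clockskew")
```
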
[Freeipa-devel] [freeipa PR#289][comment] Require python-gssapi >= 1.2.0
URL: https://github.com/freeipa/freeipa/pull/289 Title: #289: Require python-gssapi >= 1.2.0 martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8559791e0d520f4a3503e35d1975ac31448b1390 """ See the full comment at https://github.com/freeipa/freeipa/pull/289#issuecomment-263901279
[Freeipa-devel] [freeipa PR#289][closed] Require python-gssapi >= 1.2.0
URL: https://github.com/freeipa/freeipa/pull/289 Author: tiran Title: #289: Require python-gssapi >= 1.2.0 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/289/head:pr289 git checkout pr289
[Freeipa-devel] [freeipa PR#289][+ack] Require python-gssapi >= 1.2.0
URL: https://github.com/freeipa/freeipa/pull/289 Title: #289: Require python-gssapi >= 1.2.0 Label: +ack
[Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes
URL: https://github.com/freeipa/freeipa/pull/287 Title: #287: Wheel bundles fixes tiran commented: """ @tomaskrizek thanks! I rebased the PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/287#issuecomment-263898074
[Freeipa-devel] [freeipa PR#287][synchronized] Wheel bundles fixes
URL: https://github.com/freeipa/freeipa/pull/287 Author: tiran Title: #287: Wheel bundles fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/287/head:pr287 git checkout pr287 From 34f9b60a625852cf2566a758136aca9e291e2b09 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 30 Nov 2016 10:19:18 +0100 Subject: [PATCH] Wheel bundles fixes * make wheel_bundle no longer bundles ipaplatform * ipaclient and ipalib use a consistent extra tag for the install subpackage. `pip install ipalib[ipalib.install]` looks a bit silly. https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes --- Makefile.am| 4 ++-- ipaclient/setup.py | 2 +- ipalib/setup.py| 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile.am b/Makefile.am index f9922bb..a7c74b0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,7 +1,7 @@ ACLOCAL_AMFLAGS = -I m4 -IPACLIENT_SUBDIRS = ipaclient ipalib ipaplatform ipapython -SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaserver ipatests po +IPACLIENT_SUBDIRS = ipaclient ipalib ipapython +SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ diff --git a/ipaclient/setup.py b/ipaclient/setup.py index 0183aaf..c413fc5 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -54,7 +54,7 @@ "six", ], extras_require={ -"ipaclient.install": ["ipaplatform"], +"install": ["ipaplatform"], "otptoken_yubikey": ["yubico", "usb"] } ) diff --git a/ipalib/setup.py b/ipalib/setup.py index 4be3eb1..36b06fc 100644 --- a/ipalib/setup.py +++ b/ipalib/setup.py 
@@ -48,6 +48,6 @@ "wheel", ], extras_require={ -"ipalib.install": ["ipaplatform"], +"install": ["ipaplatform"], }, ) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
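Review bot: In the Makefile.am hunk, ipaplatform is dropped from IPACLIENT_SUBDIRS and appended to SUBDIRS directly, so every rule that iterates over $(IPACLIENT_SUBDIRS), not only wheel_bundle, now skips ipaplatform. Please check the other users of that variable (none are visible in this hunk); if any of them still need ipaplatform, give the wheel bundle its own list instead of narrowing the shared one.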
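Review bot: In the ipaclient/setup.py and ipalib/setup.py hunks the extras key changes from "ipaclient.install" and "ipalib.install" to "install" without keeping the old names, and pip only warns about an unknown extra, so an existing `pip install ipalib[ipalib.install]` would complete without pulling in ipaplatform. Either keep the old keys as aliases for one release or mention the rename wherever the extras are documented.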
[Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes
URL: https://github.com/freeipa/freeipa/pull/287 Title: #287: Wheel bundles fixes tomaskrizek commented: """ PR needs a rebase to fix `extra_requires` -> `extras_require` typo. """ See the full comment at https://github.com/freeipa/freeipa/pull/287#issuecomment-263896997
Re: [Freeipa-devel] NTP in FreeIPA
David Kupka wrote:
> On 29/11/16 18:10, Alexander Bokovoy wrote:
>> Still, bug reports and users' complaints is the only external measure we
>> have. There are close to nothing in complaints about NTP functionality,
>> other than requests to support chronyd and a better discover of existing
>> NTP setups. I don't think that requires dramatic action like removal of
>> NTP support at all.
>>
>
> As Petr already pointed out, since Fedora 16 chronyd is enabled by
> default and ipa-client-install doesn't configure time synchronization
> when chronyd is enabled.
>
> I believe that majority of users haven't used '--force-ntpd' and since
> it still worked they haven't filed any ticket.
>
> IMO in this case no bug reports means no users rather than no bugs or
> requests.
>
> Unfortunately, this is just my guess and AFAIK we don't have any data
> from users showing how they use FreeIPA.

For argument's sake, let's say NTP configuration in the client is dropped and managed by the OS or other administrators. What implication does this have for configuring NTP server on masters? Would that be stopped as well? What about existing installs?

I don't believe there is a precedence for removing a service from IPA.

rob
[Freeipa-devel] [freeipa PR#267][+ack] ipa-replica-conncheck: do not close listening ports until required
URL: https://github.com/freeipa/freeipa/pull/267 Title: #267: ipa-replica-conncheck: do not close listening ports until required Label: +ack
[Freeipa-devel] [freeipa PR#263][+ack] Backwards compatibility with setuptools 0.9.8
URL: https://github.com/freeipa/freeipa/pull/263 Title: #263: Backwards compatibility with setuptools 0.9.8 Label: +ack
[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts pvoborni commented: """ If I understand Christian right, it is not a disagreement about something which needs to be done, but rather a proposal to address the rest of the scripts later in another pull request, so that we can push this PR to unblock subsequent reviews. Is it correct? If so, can we proceed with checking if the current code is OK and finish the rest in another PR? """ See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263891701
[Freeipa-devel] [freeipa PR#283][closed] [ipa-4-4] Prevent denial of replication updates during CA replica install
URL: https://github.com/freeipa/freeipa/pull/283 Author: martbab Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/283/head:pr283 git checkout pr283
[Freeipa-devel] [freeipa PR#283][+pushed] [ipa-4-4] Prevent denial of replication updates during CA replica install
URL: https://github.com/freeipa/freeipa/pull/283 Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install Label: +pushed
[Freeipa-devel] [freeipa PR#283][comment] [ipa-4-4] Prevent denial of replication updates during CA replica install
URL: https://github.com/freeipa/freeipa/pull/283 Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install martbab commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/8c6a10ceddb4fce9a3dd4a334e6804800b5c89f9 https://fedorahosted.org/freeipa/changeset/9502ee5fb84edf40422bd0bc38949b03e4171f4d """ See the full comment at https://github.com/freeipa/freeipa/pull/283#issuecomment-263890231
[Freeipa-devel] [freeipa PR#283][comment] [ipa-4-4] Prevent denial of replication updates during CA replica install
URL: https://github.com/freeipa/freeipa/pull/283 Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install flo-renaud commented: """ Hi, the patch works as expected. Thanks! """ See the full comment at https://github.com/freeipa/freeipa/pull/283#issuecomment-263888532
[Freeipa-devel] [freeipa PR#283][+ack] [ipa-4-4] Prevent denial of replication updates during CA replica install
URL: https://github.com/freeipa/freeipa/pull/283 Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install Label: +ack
[Freeipa-devel] [freeipa PR#284][synchronized] ipautil: check for open ports on all resolved IPs
URL: https://github.com/freeipa/freeipa/pull/284 Author: tomaskrizek Title: #284: ipautil: check for open ports on all resolved IPs Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/284/head:pr284 git checkout pr284 From b8f099f0c9f8141df8d8aec28e0cf939b8d3a555 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Tue, 29 Nov 2016 18:19:07 +0100 Subject: [PATCH] ipautil: check for open ports on all resolved IPs When a hostname is provided to host_port_open, it should check if ports are open for ALL IPs that are resolved from the hostname, instead of checking whether the port is reachable on at least one of the IPs. https://fedorahosted.org/freeipa/ticket/6522 --- install/tools/ipa-replica-conncheck | 5 +++-- ipapython/ipautil.py| 44 - 2 files changed, 37 insertions(+), 12 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 544116e..9a30385 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -315,8 +315,9 @@ def port_check(host, port_list): ports_udp_warning = [] # conncheck could not verify that port is open for port in port_list: try: -port_open = ipautil.host_port_open(host, port.port, -port.port_type, socket_timeout=CONNECT_TIMEOUT) +port_open = ipautil.host_port_open( +host, port.port, port.port_type, +socket_timeout=CONNECT_TIMEOUT, log_errors=True) except socket.gaierror: raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host) if port_open: diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 1c95a81..24a42e9 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -55,6 +55,12 @@ GEN_TMP_PWD_LEN = 12 # only for OTP password that is manually retyped by user +PROTOCOL_NAMES = { +socket.SOCK_STREAM: 'tcp', +socket.SOCK_DGRAM: 'udp' +} + + class UnsafeIPAddress(netaddr.IPAddress): """Any valid IP address with or without netmask.""" 
@@ -866,15 +872,21 @@ def user_input(prompt, default = None, allow_empty = True): return ret -def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None): +def host_port_open(host, port, socket_type=socket.SOCK_STREAM, + socket_timeout=None, log_errors=False): +""" +host: either hostname or IP address; + if hostname is provided, port MUST be open on ALL resolved IPs + +returns True is port is open, False otherwise +""" +port_open = True + +# port has to be open on ALL resolved IPs for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type): af, socktype, proto, _canonname, sa = res try: -try: -s = socket.socket(af, socktype, proto) -except socket.error: -s = None -continue +s = socket.socket(af, socktype, proto) if socket_timeout is not None: s.settimeout(socket_timeout) @@ -884,15 +896,27 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=No if socket_type == socket.SOCK_DGRAM: s.send('') s.recv(512) - -return True except socket.error: -pass +port_open = False + +if log_errors: +msg = ('Failed to connect to port %(port)d %(proto)s on ' + '%(addr)s' % dict(port=port, + proto=PROTOCOL_NAMES[socket_type], + addr=sa[0])) + +# Do not log udp failures as errors (to be consistent with +# the rest of the code that checks for open ports) +if socket_type == socket.SOCK_DGRAM: +root_logger.debug(msg) +else: +root_logger.error(msg) finally: if s: s.close() +s = None -return False +return port_open def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=None, responder_data=None): host = None # all available interfaces -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
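Review bot: In host_port_open, `s = socket.socket(af, socktype, proto)` now sits directly in the outer try and the old `s = None` fallback is removed; no initialisation of `s` is visible before the loop, so if socket creation fails for the first resolved address the `finally: if s:` test reads an unbound name. Set `s = None` at the top of each iteration. The same change turns an address family the local host cannot open a socket for (previously skipped with `continue`) into `port_open = False`, which fails the check for a dual-stack name on a single-stack machine; if that is intended, say so in the docstring, where "returns True is port is open" should also read "if".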
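Review bot: In the `except socket.error:` branch the logged message names port, protocol and address but drops the exception, so a timeout, a refusal and an unreachable network all produce the same line; catch it as `except socket.error as e:` and append `e` to msg. `PROTOCOL_NAMES[socket_type]` also raises KeyError inside the handler for any socket type other than SOCK_STREAM and SOCK_DGRAM; `PROTOCOL_NAMES.get(socket_type, socket_type)` avoids that.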
[Freeipa-devel] [freeipa PR#285][+ack] Check the result of cert request in replica installer
URL: https://github.com/freeipa/freeipa/pull/285 Title: #285: Check the result of cert request in replica installer Label: +ack
[Freeipa-devel] [freeipa PR#263][synchronized] Backwards compatibility with setuptools 0.9.8
URL: https://github.com/freeipa/freeipa/pull/263 Author: tiran Title: #263: Backwards compatibility with setuptools 0.9.8 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/263/head:pr263 git checkout pr263 From c29798777108b598c3fde58bd3315e13d9036f31 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 22 Nov 2016 16:08:46 +0100 Subject: [PATCH] Backwards compatibility with setuptools 0.9.8 Setuptools 0.9.8 does not support PEP 440 version schema with +git suffix and PEP 508 env markers. Signed-off-by: Christian Heimes --- ipasetup.py.in | 31 +-- 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/ipasetup.py.in b/ipasetup.py.in index 0d11135..629a911 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -50,16 +50,27 @@ class build_py(setuptools_build_py): return setuptools_build_py.build_module(self, module, module_file, package) +import setuptools + +VERSION = '@VERSION@' + +SETUPTOOLS_VERSION = tuple(int(v) for v in setuptools.__version__.split(".")) + +# backwards compatibility with setuptools 0.9.8, split off +gitHASH suffix +# PEP 440 was introduced in setuptools 8. +if SETUPTOOLS_VERSION < (8, 0, 0): +VERSION = VERSION.split('+')[0] + PACKAGE_VERSION = { 'cryptography': 'cryptography >= 0.9', 'dnspython': 'dnspython >= 1.13', 'gssapi': 'gssapi > 1.1.2', -'ipaclient': 'ipaclient == @VERSION@', -'ipalib': 'ipalib == @VERSION@', -'ipaplatform': 'ipaplatform == @VERSION@', -'ipapython': 'ipapython == @VERSION@', -'ipaserver': 'ipaserver == @VERSION@', +'ipaclient': 'ipaclient == {}'.format(VERSION), +'ipalib': 'ipalib == {}'.format(VERSION), +'ipaplatform': 'ipaplatform == {}'.format(VERSION), +'ipapython': 'ipapython == {}'.format(VERSION), +'ipaserver': 'ipaserver == {}'.format(VERSION), 'kdcproxy': 'kdcproxy >= 0.3', 'netifaces': 'netifaces >= 0.10.4', 'pyldap': 'pyldap >= 2.4.15', 
@@ -70,7 +81,7 @@ PACKAGE_VERSION = { common_args = dict( -version="@VERSION@", +version=VERSION, license="GPLv3", author="FreeIPA Developers", author_email="freeipa-devel@redhat.com", @@ -126,6 +137,14 @@ def ipasetup(name, doc, **kwargs): cmdclass = setup_kwargs.setdefault('cmdclass', {}) cmdclass['build_py'] = build_py +# Env markers like ":python_version<'3.3'" are not supported by +# setuptools < 18.0. +if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0): +for k in list(setup_kwargs['extras_require']): +if k.startswith(':'): +req = setup_kwargs.setdefault('install_requires', []) +req.extend(setup_kwargs['extras_require'].pop(k)) + os.chdir(local_path) try: # BEFORE importing distutils, remove MANIFEST. distutils doesn't -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
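Review bot: `SETUPTOOLS_VERSION = tuple(int(v) for v in setuptools.__version__.split("."))` in the first ipasetup.py.in hunk raises ValueError as soon as one version component is not purely numeric (a `.post1` or `b1` style suffix, for example), which would break every setup.py that imports ipasetup. Parse only the leading numeric components and stop at the first one that is not a number; `import setuptools` would also read better next to the module's other imports than after the build_py class.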
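Review bot: In the ipasetup() hunk, the fallback for setuptools < 18.0 moves every extras_require entry whose key starts with ':' into install_requires, which discards the marker: a requirement declared under ":python_version<'3.3'" becomes unconditional on every interpreter. Evaluate the marker against the running interpreter before extending install_requires, or state the limitation in the comment. `req.extend(...)` also mutates the install_requires list the caller passed in.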
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements tiran commented: """ @martbab The wheel bundle and packages need some documentation. I have started some docs but they are not finished.. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263875159
[Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer
URL: https://github.com/freeipa/freeipa/pull/285 Title: #285: Check the result of cert request in replica installer mbasti-rh commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/285#issuecomment-263870742
[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ @mbasti-rh @jcholast @tiran If you want I can replace the `--with-pytlint` option with `--enable-pylint` option (without parameters) and use cheimes's trick with `$(PYTHON) -m pylint` so the Pylint always follows the Python version you used for particular build. Up to you. (Just keep in mind that build needs to be done under Python 2 till samba-python bindings are ported to Python 3.) """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-263868961
[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ Fixed. Now `with_pylint` section contains nested section `with_python3`. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-263868364
[Freeipa-devel] [freeipa PR#291][+pushed] replica install: track the RA agent certificate again
URL: https://github.com/freeipa/freeipa/pull/291 Title: #291: replica install: track the RA agent certificate again Label: +pushed
[Freeipa-devel] [freeipa PR#291][comment] replica install: track the RA agent certificate again
URL: https://github.com/freeipa/freeipa/pull/291 Title: #291: replica install: track the RA agent certificate again jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4221266562778806f02748fee2dfbd814261f2b4 """ See the full comment at https://github.com/freeipa/freeipa/pull/291#issuecomment-263867421
[Freeipa-devel] [freeipa PR#291][closed] replica install: track the RA agent certificate again
URL: https://github.com/freeipa/freeipa/pull/291 Author: jcholast Title: #291: replica install: track the RA agent certificate again Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/291/head:pr291 git checkout pr291
[Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer
URL: https://github.com/freeipa/freeipa/pull/285 Title: #285: Check the result of cert request in replica installer flo-renaud commented: """ Thanks for the suggestion. I added certmonger's request status in the exception message. """ See the full comment at https://github.com/freeipa/freeipa/pull/285#issuecomment-263865840
[Freeipa-devel] [freeipa PR#285][synchronized] Check the result of cert request in replica installer
URL: https://github.com/freeipa/freeipa/pull/285 Author: flo-renaud Title: #285: Check the result of cert request in replica installer Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/285/head:pr285 git checkout pr285 From 8bbca8a93bc713d64d43692689ab827106527019 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 29 Nov 2016 21:15:29 +0100 Subject: [PATCH] Check the result of cert request in replica installer When running ipa-replica-install in domain-level 1, the installer requests the LDAP and HTTP certificates using certmonger but does not check the return code. The installer goes on and fails when restarting dirsrv. Fix: when certmonger was not able to request the certificate, raise an exception and exit from the installer: [28/45]: retrieving DS Certificate [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE) Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERRORCertificate issuance failed (CA_UNREACHABLE) ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERRORThe ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information https://fedorahosted.org/freeipa/ticket/6514 --- ipalib/install/certmonger.py | 3 ++- ipaserver/install/certs.py | 12 +--- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index 6f0948a..3ea900b 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py 
@@ -312,9 +312,10 @@ def request_and_wait_for_cert( state = wait_for_request(reqId, timeout=60) ca_error = get_request_value(reqId, 'ca-error') if state != 'MONITORING' or ca_error: -raise RuntimeError("Certificate issuance failed") +raise RuntimeError("Certificate issuance failed ({})".format(state)) return reqId + def request_cert( nssdb, nickname, subject, principal, passwd_fname=None, dns=None, ca='IPA', profile=None, pre_command=None, post_command=None): diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index ab2379b..45602ba 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -647,13 +647,11 @@ def export_pem_cert(self, nickname, location): def request_service_cert(self, nickname, principal, host, pwdconf=False): if pwdconf: self.create_password_conf() -reqid = certmonger.request_cert(nssdb=self.secdir, -nickname=nickname, -principal=principal, -subject=host, -passwd_fname=self.passwd_fname) -# Now wait for the cert to appear. Check three times then abort -certmonger.wait_for_request(reqid, timeout=60) +certmonger.request_and_wait_for_cert(nssdb=self.secdir, + nickname=nickname, + principal=principal, + subject=host, + passwd_fname=self.passwd_fname) class _CrossProcessLock(object): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
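Review bot: In request_and_wait_for_cert the failure condition is `state != 'MONITORING' or ca_error`, but the new message formats only `state`, so a request that reaches MONITORING with ca-error set would be reported as "Certificate issuance failed (MONITORING)". Put ca_error into the message alongside the state so the installer log shows why issuance failed in both branches of the condition.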
[Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272 Author: pspacek Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/272/head:pr272 git checkout pr272 From f7beaa42acb6ebba8ff71326144510e0fc631606 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Thu, 24 Nov 2016 17:35:24 +0100 Subject: [PATCH 1/2] Build: makerpms.sh generates Python 2 & 3 packages at the same time Petr Viktorin recommended me to copy the whole build directory and run configure twice, with different values for PYTHON variable. After thinking a bit about that, it seems as cleanest approach. Building for two versions of Python at the same time should be temporary state so I decided not to complicate Autotools build system with conditional spagetti for two versions of Python. For proper Python2/3 distiction in the two separate builds, I added find/grep/sed combo which replaces shebangs with system-wide Python interpreter as necessary. This is workaround for the fact that FreeIPA does not use setuptools properly. Honza told me that proper use of setuptools is not trivial so we decided to go with this for now. https://fedorahosted.org/freeipa/ticket/157 --- freeipa.spec.in | 148 +--- 1 file changed, 97 insertions(+), 51 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 6847bed..bf9c788 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -5,7 +5,7 @@ %if 0%{?rhel} %global with_python3 0 %else -%global with_python3 0 +%global with_python3 1 %endif # lint is not executed during rpmbuild 
@@ -267,6 +267,37 @@ and integration with Active Directory based infrastructures (Trusts). If you are installing an IPA server, you need to install this package. +%if 0%{?with_python3} + +%package -n python3-ipaserver +Summary: Python libraries used by IPA server +Group: System Environment/Libraries +BuildArch: noarch +%{?python_provide:%python_provide python3-ipaserver} +Requires: %{name}-server-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-pyldap >= 2.4.15 +Requires: python3-lxml +Requires: python3-gssapi >= 1.1.2 +Requires: python3-sssdconfig +Requires: python3-pyasn1 +Requires: python3-dbus +Requires: python3-dns >= 1.11.1 +Requires: python3-kdcproxy >= 0.3 +Requires: rpm-libs + +%description -n python3-ipaserver +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. + +%endif # with_python3 + + %package server-common Summary: Common files used by IPA server Group: System Environment/Base @@ -684,6 +715,11 @@ This package contains tests that verify IPA functionality under Python 3. %prep %setup -n freeipa-%{version} -q +%if 0%{?with_python3} +# Workaround: We want to build Python things twice. To be sure we do not mess +# up something, do two separate builds in separate directories. +cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 +%endif # with_python3 %build 
@@ -691,10 +727,33 @@ This package contains tests that verify IPA functionality under Python 3. export JAVA_STACK_SIZE="8m" # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 export PATH=/usr/bin:/usr/sbin:$PATH +export PYTHON=%{__python2} +# Workaround: make sure all shebangs are pointing to Python 2 +# This should be solved properly using setuptools +# and this hack should be removed. +find \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \; %configure --with-vendor-suffix=-%{release} # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 %make_build -Onone +%if 0%{?with_python3} +pushd %{_builddir}/freeipa-%{version}-python3 +export PYTHON=%{__python3} +# Workaround: make sure all shebangs are pointing to Python 3 +# This should be solved properly using setuptools +# and this hack should be removed. +find \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \; +%configure --with-vendor-suffix=-%{release} +popd +%endif # with_python3 %check %if ! %{ONLY_CLIENT} @@ -713,16 +772,25 @@ make %{?_smp_mflags} client-check VERBOSE=yes LIBDIR=%{_libdir} # All files and directories created by spec install should be marked as ghost. # (These are typically c
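Review bot: In %build, the shebang-rewriting `find ... -exec grep ... -exec sed ...` command is pasted twice, differing only in `%{__python2}` versus `%{__python3}`, and both copies omit the starting directory, which works only because GNU find falls back to the current directory. Suggest passing an explicit `.` and defining the command once (for example as a spec macro that takes the interpreter) so the Python 2 and Python 3 copies cannot drift apart. In %prep, `cp -r` does not preserve timestamps or modes; `cp -a` would keep the copied tree identical to the original. In the visible lines the Python 3 block stops after `%configure` and `popd`; if the build step for that tree is meant to happen later, a comment saying so would help.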
[Freeipa-devel] [freeipa PR#291][+ack] replica install: track the RA agent certificate again
URL: https://github.com/freeipa/freeipa/pull/291 Title: #291: replica install: track the RA agent certificate again Label: +ack
[Freeipa-devel] [freeipa PR#255][closed] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ed9645b2ac58fd4664810f05970ea258c7948420 """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263862693
[Freeipa-devel] [freeipa PR#255][+pushed] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements Label: +pushed
[Freeipa-devel] [freeipa PR#255][+ack] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements Label: +ack
[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts tiran commented: """
- [X] ```daemons/dnssec/ipa-dnskeysync-replica:124:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file```
- [X] ```daemons/dnssec/ipa-dnskeysyncd:23:api.bootstrap(in_server=True, log=None) # no logging to file```
- [X] ```daemons/dnssec/ipa-ods-exporter:618:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file```
- [ ] ```doc/guide/wsgi.py.txt:9:env._bootstrap(context='server', log=None)```
- [ ] ```doc/guide/wsgi.py.txt:13:api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap)```
- [X] ```install/restart_scripts/renew_ra_cert:39: api.bootstrap(in_server=True, context='restart')```
- [X] ```install/tools/ipa-adtrust-install:269:api.bootstrap(**cfg)```
- [X] ```install/tools/ipa-ca-install:262:api.bootstrap(in_server=True, ra_plugin='dogtag')```
- [ ] ```install/tools/ipa-compat-manage:105:api.bootstrap(context='cli', in_server=True, debug=options.debug)```
- [ ] ```install/tools/ipa-csreplica-manage:418:api.bootstrap(**api_env)```
- [X] ```install/tools/ipa-dns-install:139:api.bootstrap(**cfg)```
- [ ] ```install/tools/ipa-managed-entries:75:api.bootstrap(context='cli', debug=options.debug)```
- [X] ```install/tools/ipa-nis-manage:118:api.bootstrap(context='cli', debug=options.debug, in_server=True)```
- [X] ```install/tools/ipa-replica-manage:1512:api.bootstrap(**api_env)```
- [ ] ```ipaserver/dnssec/ldapkeydb.py:417: ipalib.api.bootstrap(in_server=True, log=None) # no logging to file```
- [ ] ```ipaserver/advise/base.py:238:api.bootstrap(in_server=False, context='cli')```
- [ ] ```ipaserver/advise/base.py:240: advise_api.bootstrap(in_server=False, context='cli')```
- [ ] ```ipaserver/install/ipa_cacert_manage.py:99: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_kra_install.py:80: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_otptoken_import.py:512: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_replica_prepare.py:183: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_server_certinstall.py:102: api.bootstrap(in_server=True)```
- [ ] ```ipatests/test_ipaserver/test_ldap.py:114: myapi.bootstrap(context='cli', in_server=True)```
- [ ] ```ipatests/test_ipaserver/test_serverroles.py:472: test_api.bootstrap(in_server=True, ldap_uri=api.env.ldap_uri)```
- [ ] ```lite-server.py:130:(options, args) = api.bootstrap_with_global_options(parser, context='lite')```
""" See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263861585
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements martbab commented: """ Installing python-wheel worked, thanks. I have discovered some other missing dependencies in minimal Docker container. I will investigate them some more and open a ticket. I think there is no need to add python-wheel to BuildRequires now. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263860989
[Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer
URL: https://github.com/freeipa/freeipa/pull/285 Title: #285: Check the result of cert request in replica installer tomaskrizek commented: """ Functional ACK. If it's possible, it would be nice to have a bit more info in the error msg as @mbasti-rh pointed out. """ See the full comment at https://github.com/freeipa/freeipa/pull/285#issuecomment-263859423
[Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese
URL: https://github.com/freeipa/freeipa/pull/286 Title: #286: fix miss translation in Chinese mbasti-rh commented: """ Thanks """ See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-263859193
[Freeipa-devel] [freeipa PR#288][comment] Fix missing translation string
URL: https://github.com/freeipa/freeipa/pull/288 Title: #288: Fix missing translation string mbasti-rh commented: """ Hello, could you please remove `fix miss translation in Chinese` and `Delete zh_CN.po` from this PR? """ See the full comment at https://github.com/freeipa/freeipa/pull/288#issuecomment-263858753
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements tiran commented: """ The bdist_wheel command requires the Python wheel package installed in the system. Since setup.py no longer contains ```setup_requires=["wheel"]```, the dependency is no longer resolved automatically by setuptools. Does it make sense to include the dependency in freeipa.spec as build requirement? Technically it's not a build requirement for RPMs. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263857749
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements martbab commented: """ Thank you. It seems that 'bdist_wheel' target is broken in your PR:
```
# make bdist_wheel
mkdir -p ./dist/wheels
for dir in ipaclient ipalib ipaplatform ipapython; do \
    make -C ${dir} bdist_wheel || exit 1; \
done
make[1]: Entering directory '/freeipa/ipaclient'
(cd .. && make ipasetup.py)
make[2]: Entering directory '/freeipa'
sed \
    -e 's|@VERSION[@]|4.4.90.dev201611301151+git785f924|g' \
    ipasetup.py.in > ipasetup.py
make[2]: Leaving directory '/freeipa'
rm -rf ../dist/wheels/ipaclient*.whl
/usr/bin/python "./setup.py" bdist_wheel --dist-dir=../dist/wheels
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
   or: setup.py --help [cmd1 cmd2 ...]
   or: setup.py --help-commands
   or: setup.py cmd --help

error: invalid command 'bdist_wheel'
Makefile:586: recipe for target 'bdist_wheel' failed
make[1]: *** [bdist_wheel] Error 1
make[1]: Leaving directory '/freeipa/ipaclient'
Makefile:1172: recipe for target 'bdist_wheel' failed
make: *** [bdist_wheel] Error 1
```
Do I need some of your other pull-requests to build wheels or this is a genuine issue? """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263856069
[Freeipa-devel] [freeipa PR#291][opened] replica install: track the RA agent certificate again
URL: https://github.com/freeipa/freeipa/pull/291 Author: jcholast Title: #291: replica install: track the RA agent certificate again Action: opened PR body: """ During the rebase of commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 on top of commit 808b1436b4158cb6f926ac2b5bd0979df6ea7e9f, the call to track the RA agent certificate with certmonger was accidentally removed from ipa-replica-install. Put the call back so that the certificate is tracked after replica install. https://fedorahosted.org/freeipa/ticket/6392 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/291/head:pr291 git checkout pr291 From 0de63c3588c09bde309a409ba57fd7778663850a Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 30 Nov 2016 12:25:24 +0100 Subject: [PATCH] replica install: track the RA agent certificate again During the rebase of commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 on top of commit 808b1436b4158cb6f926ac2b5bd0979df6ea7e9f, the call to track the RA agent certificate with certmonger was accidentally removed from ipa-replica-install. Put the call back so that the certificate is tracked after replica install. https://fedorahosted.org/freeipa/ticket/6392 --- ipaserver/install/cainstance.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1aa6b8d..6b2b272 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -647,7 +647,7 @@ def enable_pkix(self): 'NSS_ENABLE_PKIX_VERIFY', '1', quotes=False, separator='=') -def import_ra_cert(self, rafile, configure_renewal=True): +def import_ra_cert(self, rafile): """ Cloned RAs will use the same RA agent cert as the master so we need to import from a PKCS#12 file. 
@@ -663,11 +663,15 @@ def import_ra_cert(self, rafile, configure_renewal=True): finally: os.remove(agent_name) +self.configure_agent_renewal() + def __import_ra_key(self): custodia = custodiainstance.CustodiaInstance(host_name=self.fqdn, realm=self.realm) custodia.import_ra_key(self.master_host) +self.configure_agent_renewal() + def __create_ca_agent(self): """ Create CA agent, assign a certificate, and add the user to -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
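Review bot: Dropping the `configure_renewal=True` parameter from `import_ra_cert` makes certmonger tracking unconditional and turns any remaining call that still passes `configure_renewal=` into a TypeError; the diffstat shows only ipaserver/install/cainstance.py changed, so please confirm no caller in another file passes it. `self.configure_agent_renewal()` is also added at the end of both `import_ra_cert` and `__import_ra_key`; a short comment stating that these are alternative install paths (or a guard against requesting tracking twice) would make the intent clear. In `import_ra_cert` the call sits after the `try`/`finally`, so it is skipped when the import raises, which looks right but is worth stating in the docstring.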
[Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Author: gkaihorodova Title: #181: Tests : User Tracker creation of user with minimal values Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/181/head:pr181 git checkout pr181 From 65608285943b7c0a43dfc9e28a81e23ff58bdabc Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Mon, 24 Oct 2016 11:27:01 +0200 Subject: [PATCH] User Tracker: creation of user with minimal values Fix provide possibility to create user-add test with minimal values, where uid is not specified, to provide better coverage. Also provide check for non-empty unicode string for attributes required in init method https://fedorahosted.org/freeipa/ticket/6126 --- ipatests/test_xmlrpc/tracker/user_plugin.py | 40 + 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py index 4485fd9..669b9bb 100644 --- a/ipatests/test_xmlrpc/tracker/user_plugin.py +++ b/ipatests/test_xmlrpc/tracker/user_plugin.py 
@@ -62,22 +62,40 @@ class UserTracker(KerberosAliasMixin, Tracker): primary_keys = {u'uid', u'dn'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): +""" Check for non-empty unicode string for the required attributes + in the init method """ + +if not isinstance(givenname, (str, unicode)) and len(givenname) > 0: +raise ValueError("No name provided: %s" % givenname) +if not isinstance(sn, (str, unicode)) and len(sn) > 0: +raise ValueError("No name provided: %s" % sn) + super(UserTracker, self).__init__(default_version=None) -self.uid = name -self.givenname = givenname -self.sn = sn +self.uid = unicode(name) +self.givenname = unicode(givenname) +self.sn = unicode(sn) self.dn = DN(('uid', self.uid), api.env.container_user, api.env.basedn) self.kwargs = kwargs -def make_create_command(self): -""" Make function that crates a user using user-add """ -return self.make_command( -'user_add', self.uid, -givenname=self.givenname, -sn=self.sn, **self.kwargs -) +def make_create_command(self, force=None): + +""" Make function that creates a user using user-add +with all set of attributes and with minimal values, +where uid is not specified """ + +if self.uid is not None: +return self.make_command( +'user_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'user_add', givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self, no_preserve=True, preserve=False): """ Make function that deletes a user using user-del """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
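Review bot: The validation added to `__init__` is inverted: `not isinstance(givenname, (str, unicode)) and len(givenname) > 0` binds as `(not isinstance(...)) and ...`, so an empty string passes silently and the default `givenname=None` reaches `len(None)` and raises TypeError instead of the intended ValueError. Write it as `if not (isinstance(givenname, (str, unicode)) and len(givenname) > 0):` and do the same for `sn`. Separately, `self.uid = unicode(name)` turns the default `None` into the string u'None', so the `if self.uid is not None` test in `make_create_command` is always true, the branch without a uid never runs, and `self.dn` is built from the uid 'None'; keep `None` as `None` when no name is given. The new `force=None` argument of `make_create_command` is unused in the visible lines.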
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 From 074d38a611ee4d4edc2afa857563cf0e09527115 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 16 Aug 2016 13:16:58 +1000 Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7 Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function. Part of: https://fedorahosted.org/freeipa/ticket/6178 --- ipalib/x509.py | 23 +- ipapython/certdb.py | 9 ++- ipaserver/install/cainstance.py | 52 +++-- 3 files changed, 43 insertions(+), 41 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index e1c3867..caf0ddc 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -48,7 +48,9 @@ from ipalib import api from ipalib import util from ipalib import errors +from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython import ipautil if six.PY3: unicode = str @@ -56,7 +58,9 @@ PEM = 0 DER = 1 -PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL) +PEM_REGEX = re.compile( +r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-', +re.DOTALL) EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1' EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2' 
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename): return load_certificate_list(f.read()) +def pkcs7_to_pems(data, datatype=PEM): +""" +Extract certificates from a PKCS #7 object. + +Return a ``list`` of X.509 PEM strings. + +May throw ``ipautil.CalledProcessError`` on invalid data. + +""" +cmd = [ +paths.OPENSSL, "pkcs7", "-print_certs", +"-inform", "PEM" if datatype == PEM else "DER", +] +result = ipautil.run(cmd, stdin=data, capture_output=True) +return PEM_REGEX.findall(result.output) + + def is_self_signed(certificate, datatype=PEM): cert = load_certificate(certificate, datatype) return cert.issuer == cert.subject diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 5344e37..9b989ef 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -237,13 +237,8 @@ def import_files(self, files, db_password_filename, import_keys=False, continue if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'): -args = [ -OPENSSL, 'pkcs7', -'-print_certs', -] try: -result = ipautil.run( -args, stdin=body, capture_output=True) +certs = x509.pkcs7_to_pems(body) except ipautil.CalledProcessError as e: if label == 'CERTIFICATE': root_logger.warning( @@ -255,7 +250,7 @@ def import_files(self, files, db_password_filename, import_keys=False, filename, line, e) continue else: -extracted_certs += result.output + '\n' +extracted_certs += '\n'.join(certs) + '\n' loaded = True continue diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 505232c..a3751d1 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -745,44 +745,30 @@ def __import_ca_chain(self): # makes openssl throw up. data = base64.b64decode(chain) -result = ipautil.run( -[paths.OPENSSL, - "pkcs7", - "-inform", - "DER", - "-print_certs", - ], stdin=data, capture_output=True) -certlist = result.output +certlist = x509.pkcs7_to_pems(data, x509.DER) # Ok, now we have all the certificates in certs, walk through it # and pull out each certificate and add it to our database -st = 1 -en = 0 -subid = 0 ca_dn = DN(('CN','Certificate Authority'), self.subject_base) -while st > 0: -st = certlist.find('-BEGIN', en) -en = certlist.find('-END', en+1) -if st > 0: -try: -(chain_fd, chain_name) = tempfile.mkstemp() -os.write(chain_fd, certlist[st:en+25]) -os.close(chain_fd) -(_rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
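Review bot: `PEM_REGEX` in ipalib/x509.py is a module-level name and this hunk changes what it matches: the old pattern used lookarounds and returned only the text between the markers, the new one includes the BEGIN/END markers in every match. Any existing user of `PEM_REGEX` that expected just the body now receives the armor lines as well, and the visible hunks do not update such callers; either adjust them in this patch or give the marker-including pattern a new name. In `pkcs7_to_pems`, every `datatype` value other than `PEM` is treated as DER; rejecting unknown values would fail earlier and more clearly than an openssl error.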
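Review bot: The ipapython/certdb.py hunk calls `x509.pkcs7_to_pems(body)`, but no visible hunk for that file adds an import of `x509`; please confirm the module already imports it, and drop the `OPENSSL` import there if the removed `args` list was its last use. The replacement also changes what lands in `extracted_certs`: before it was the full `openssl pkcs7 -print_certs` output, now it is only the PEM blocks joined with newlines, which is the cleaner input but deserves a line in the commit message.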
[Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 From 1a9ff854ae85667fc95cab8fc3a7a1ee6cfd2d94 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Wed, 2 Nov 2016 15:02:30 +0100 Subject: [PATCH 1/2] Tests: Stage User Tracker implementation Fix provide possibility of creation stage user with minimal values, with uid not specified and check for non-empty unicode string for attributes requested in init method https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 36 ++-- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py index 82d7e06..10caff2 100644 --- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py +++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py 
@@ -61,23 +61,43 @@ class StageUserTracker(Tracker): find_keys = retrieve_keys - {u'has_keytab', u'has_password'} find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): +""" Check for non-empty unicode string for the required attributes +in the init method """ + +if not isinstance(givenname, (str, unicode)) and len(givenname) > 0: +raise ValueError("No name provided: %s" % givenname) +if not isinstance(sn, (str, unicode)) and len(sn) > 0: +raise ValueError("No name provided: %s" % givenname) + super(StageUserTracker, self).__init__(default_version=None) -self.uid = name -self.givenname = givenname -self.sn = sn +self.uid = unicode(name) +self.givenname = unicode(givenname) +self.sn = unicode(sn) self.dn = DN( ('uid', self.uid), api.env.container_stageuser, api.env.basedn) self.kwargs = kwargs def make_create_command(self, options=None): -""" Make function that creates a staged user using stageuser-add """ +""" Make function that creates a staged user using stageuser-add +with all set of attributes and with minimal values, +where uid is not specified """ + if options is not None: self.kwargs = options -return self.make_command('stageuser_add', self.uid, - givenname=self.givenname, - sn=self.sn, **self.kwargs) +if self.uid is not None: +return self.make_command( +'stageuser_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'stageuser_add', +givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self): """ Make function that deletes a staged user using stageuser-del """ From f82f208b0030edb7c605a1da3a41adf62bf82323 Mon Sep 17 00:00:00 2001 
From: Ganna Kaihorodova Date: Wed, 30 Nov 2016 11:27:34 +0100 Subject: [PATCH 2/2] Stage User: Test to create stage user with minimal values Test to create stage user with minimal values, where uid is not specified https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/test_stageuser_plugin.py | 11 +++ 1 file changed, 11 insertions(+) diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py index 4a859e8..95cb26a 100644 --- a/ipatests/test_xmlrpc/test_stageuser_plugin.py +++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py @@ -85,6 +85,11 @@ def stageduser(request): return tracker.make_fixture(request) +@pytest.fixture(scope='class') +def stageduser_min(request): +tracker = StageUserTracker(givenname=u'stagedmin', sn=u'usermin') +return tracker.make_fixture(request) + @pytest.fixture(scope='class', params=options_ok, ids=options_ids) def stageduser2(request): tracker = StageUserTracker(u'suser2', u'staged', u'user', **request.param) @@ -191,6 +196,12 @@ def test_activate_nonexistent(self, stageduser): @pytest.mark.tier1 class TestStagedUser(XMLRPC_test): +def test_create_with_min_values(self, stageduser_min): +""" Create user with uid not specified """ +stageduser_min.ensure_missing() +command = stageduser_min.make_create_command() +command() + def test_create_duplicate(self, stageduser): stageduser.ensure_exists() command = stageduser.make_create_command() -- Manage your subscription for the Freeipa-devel mailing list: ht
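Review bot: In `StageUserTracker.__init__` (patch 1/2) the check `not isinstance(givenname, (str, unicode)) and len(givenname) > 0` accepts an empty string and, for the default `None`, raises TypeError from `len(None)` rather than the intended ValueError; it needs to be `not (isinstance(...) and len(...) > 0)`. The `sn` branch also formats `givenname` into its ValueError message, which looks like a copy-paste slip. `self.uid = unicode(name)` turns a missing name into the string u'None', so `if self.uid is not None` in `make_create_command` never takes the `else` branch.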
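Review bot: `test_create_with_min_values` (patch 2/2) calls `command()` and discards the result, so it only shows that stageuser-add did not raise; it never checks that an entry was created with a server-chosen uid. Capture the return value and assert on the returned entry. With the tracker change from patch 1/2, the `stageduser_min` fixture ends up with `uid` set to u'None', so as written the command still sends a uid and the case named in the docstring is not exercised.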
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Title: #255: Adjustments for setup requirements tiran commented: """ I opened PR #289 and #290. """ See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263840863
[Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Author: tiran Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/182/head:pr182 git checkout pr182 From 3805dfba1dc222f3cd6cc6299bfe97c70e3e8bae Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 28 Nov 2016 16:24:33 +0100 Subject: [PATCH 1/2] Set explicit confdir option for global contexts Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes --- client/ipa-client-automount | 1 + install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- install/migration/migration.py | 3 ++- install/oddjob/com.redhat.idm.trust-fetch-domains | 4 +++- install/restart_scripts/renew_ca_cert | 2 +- install/restart_scripts/restart_dirsrv | 3 ++- install/restart_scripts/stop_pkicad | 3 ++- install/share/copy-schema-to-ca.py | 2 +- install/share/wsgi.py | 6 -- install/tools/ipa-httpd-kdcproxy| 3 ++- install/tools/ipa-replica-conncheck | 4 +++- install/tools/ipactl| 5 - ipaclient/install/client.py | 1 + ipaclient/install/ipa_certupdate.py | 2 +- ipaserver/install/ipa_backup.py | 2 +- ipaserver/install/ipa_ldap_updater.py | 2 +- ipaserver/install/ipa_restore.py| 1 + ipaserver/install/ipa_server_upgrade.py | 2 +- ipaserver/install/ipa_winsync_migrate.py| 3 ++- ipaserver/install/ldapupdate.py | 4 +++- ipaserver/install/server/install.py | 2 ++ ipaserver/install/server/replicainstall.py | 19 +-- 22 files changed, 52 insertions(+), 24 deletions(-) 
diff --git a/client/ipa-client-automount b/client/ipa-client-automount index 0dd15b3..18914bd 100755 --- a/client/ipa-client-automount +++ b/client/ipa-client-automount @@ -384,6 +384,7 @@ def main(): cfg = dict( context='cli_installer', +confdir=paths.ETC_IPA, in_server=False, debug=options.debug, verbose=0, diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 7389a5e..2e137ad 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -494,7 +494,7 @@ def main(): 'ipaCACertRenewal': renew_ca_cert, } -api.bootstrap(in_server=True, context='renew') +api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA) api.finalize() api.Backend.ldap2.connect() diff --git a/install/migration/migration.py b/install/migration/migration.py index 4743279..73e4777 100644 --- a/install/migration/migration.py +++ b/install/migration/migration.py @@ -24,6 +24,7 @@ import errno from wsgiref.util import request_uri +from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipapython import ipaldap @@ -72,7 +73,7 @@ def application(environ, start_response): # API object only for configuration, finalize() not needed api = create_api(mode=None) -api.bootstrap(context='server', in_server=True) +api.bootstrap(context='server', confdir=paths.ETC_IPA, in_server=True) try: bind(api.env.ldap_uri, api.env.basedn, form_data['username'].value, form_data['password'].value) diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index a0d8a31..e5c2e8c 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains 
@@ -8,6 +8,7 @@ from ipapython.dn import DN from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG from ipaplatform.constants import constants +from ipaplatform.paths import paths import sys import os import pwd @@ -95,7 +96,8 @@ env._bootstrap(debug=options.debug, log=None) env._finalize_core(**dict(DEFAULT_CONFIG)) # Initialize the API with the proper debug level -api.bootstrap(in_server=True, debug=env.debug, log=None, context='server') +api.bootstrap(in_server=True, debug=env.debug, log=None, + context='server', confdir=paths.ETC_IPA) api.finalize() #
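Review bot: Each hunk enforces the rule from the commit message (these contexts do not support confdir overrides) by adding `confdir=paths.ETC_IPA` at an individual `api.bootstrap()` call, so a call site that is missed or added later keeps honouring an override without any error. Consider enforcing the rule once where the context is evaluated, or adding a test that fails when one of the listed contexts is bootstrapped without an explicit confdir. In the visible hunks for client/ipa-client-automount and install/certmonger/dogtag-ipa-ca-renew-agent-submit, `paths` is used without an import being added, unlike migration.py and com.redhat.idm.trust-fetch-domains; please confirm both scripts already import it.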
[Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255 Author: tiran Title: #255: Adjustments for setup requirements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/255/head:pr255 git checkout pr255 From 785f924cab5eab2473aeef4ea57e0a31f5f0b222 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 17 Nov 2016 16:43:17 +0100 Subject: [PATCH] Adjustments for setup requirements * Fix some typos, missing or surplus dependencies. * Remove setup requirement on wheel since it triggers download. ipatests is now installable. Tests need further changes to be runable. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes --- ipaclient/setup.py | 7 +++ ipalib/setup.py | 1 + ipaplatform/setup.py | 3 --- ipapython/setup.py | 4 +--- ipaserver/setup.py | 2 +- ipasetup.py.in | 4 ++-- ipatests/setup.py| 18 +- 7 files changed, 17 insertions(+), 22 deletions(-) diff --git a/ipaclient/setup.py b/ipaclient/setup.py index fb6ed0d..0183aaf 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -48,13 +48,12 @@ "ipalib", "ipapython", "python-nss", +"python-yubico", +"pyusb", "qrcode", "six", ], -setup_requires=[ -"wheel", -], -extra_requires={ +extras_require={ "ipaclient.install": ["ipaplatform"], "otptoken_yubikey": ["yubico", "usb"] } diff --git a/ipalib/setup.py b/ipalib/setup.py index 85932fc..4be3eb1 100644 --- a/ipalib/setup.py +++ b/ipalib/setup.py @@ -40,6 +40,7 @@ "ipapython", "netaddr", "pyasn1", +"pyasn1-modules", "python-nss", "six", ], diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py index b28ac8c..9c47da7 100644 --- a/ipaplatform/setup.py +++ b/ipaplatform/setup.py @@ -47,7 +47,4 @@ "python-nss", "six", ], -setup_requires=[ -"wheel", -], ) diff --git a/ipapython/setup.py b/ipapython/setup.py index c413ffa..86e4131 100755 --- a/ipapython/setup.py +++ b/ipapython/setup.py 
@@ -51,10 +51,8 @@ "requests", "six", ], -setup_requires=[ -"wheel", -], extras_require={ ":python_version<'3'": ["enum34"], +"install": ["dbus-python"], # for certmonger }, ) diff --git a/ipaserver/setup.py b/ipaserver/setup.py index 3635832..528b901 100755 --- a/ipaserver/setup.py +++ b/ipaserver/setup.py @@ -56,9 +56,9 @@ "ipapython", "lxml", "netaddr", -"memcache", "pyasn1", "pyldap", +"python-memcached", "python-nss", "six", # not available on PyPI diff --git a/ipasetup.py.in b/ipasetup.py.in index 1db4857..0d11135 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -62,10 +62,10 @@ PACKAGE_VERSION = { 'ipaserver': 'ipaserver == @VERSION@', 'kdcproxy': 'kdcproxy >= 0.3', 'netifaces': 'netifaces >= 0.10.4', -'python-nss': 'python-nss >= 0.16', 'pyldap': 'pyldap >= 2.4.15', +'python-nss': 'python-nss >= 0.16', +'python-yubico': 'python-yubico >= 1.2.3', 'qrcode': 'qrcode >= 5.0', -# 'yubico': 'yubico >= 1.2.3', } diff --git a/ipatests/setup.py b/ipatests/setup.py index 26f0124..2b592cd 100644 --- a/ipatests/setup.py +++ b/ipatests/setup.py @@ -59,24 +59,24 @@ }, install_requires=[ "cryptography", -"dbus-python", "dnspython", -"dogtag-pki", +"gssapi", "ipaclient", "ipalib", "ipaplatform", "ipapython", -"ipaserver", "nose", +"polib", "pyldap", "pytest", -"python-gssapi", +"pytest_multihost", "python-nss", -"selenium", "six", -"yaml", -], -setup_requires=[ -"wheel", ], +extras_require={ +"integration": ["dbus-python", "pyyaml", "ipaserver"], +"ipaserver": ["ipaserver"], +"webui": ["selenium", "pyyaml", "ipaserver"], +"xmlrpc": ["ipaserver"], +} ) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
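Review bot: in the ipaclient/setup.py hunk, "python-yubico" and "pyusb" become unconditional install_requires entries while the "otptoken_yubikey" extra is kept and still lists "yubico" and "usb". The extra is now redundant, and its names do not match the 'python-yubico' key this same patch adds to PACKAGE_VERSION in ipasetup.py.in. Either keep the YubiKey dependencies optional by listing "python-yubico" and "pyusb" under the extra only, or drop the extra; each unconditional requirement is one more package fetched from PyPI on every client install.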
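Review bot: in the ipatests/setup.py hunk, the new "ipaserver" and "xmlrpc" extras are identical (both ["ipaserver"]), and nothing in the hunk says which test suite needs which extra. Add a short comment per extra, or collapse the duplicates. "pytest_multihost" is also the only requirement in the list spelled with an underscore; pip normalizes the name, but "pytest-multihost" would match the hyphenated style of the other entries.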
[Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 From 1a9ff854ae85667fc95cab8fc3a7a1ee6cfd2d94 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Wed, 2 Nov 2016 15:02:30 +0100 Subject: [PATCH] Tests: Stage User Tracker implementation Fix provide possibility of creation stage user with minimal values, with uid not specified and check for non-empty unicode string for attributes requested in init method https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 36 ++-- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py index 82d7e06..10caff2 100644 --- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py +++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py 
@@ -61,23 +61,43 @@ class StageUserTracker(Tracker): find_keys = retrieve_keys - {u'has_keytab', u'has_password'} find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): +""" Check for non-empty unicode string for the required attributes +in the init method """ + +if not isinstance(givenname, (str, unicode)) and len(givenname) > 0: +raise ValueError("No name provided: %s" % givenname) +if not isinstance(sn, (str, unicode)) and len(sn) > 0: +raise ValueError("No name provided: %s" % givenname) + super(StageUserTracker, self).__init__(default_version=None) -self.uid = name -self.givenname = givenname -self.sn = sn +self.uid = unicode(name) +self.givenname = unicode(givenname) +self.sn = unicode(sn) self.dn = DN( ('uid', self.uid), api.env.container_stageuser, api.env.basedn) self.kwargs = kwargs def make_create_command(self, options=None): -""" Make function that creates a staged user using stageuser-add """ +""" Make function that creates a staged user using stageuser-add +with all set of attributes and with minimal values, +where uid is not specified """ + if options is not None: self.kwargs = options -return self.make_command('stageuser_add', self.uid, - givenname=self.givenname, - sn=self.sn, **self.kwargs) +if self.uid is not None: +return self.make_command( +'stageuser_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'stageuser_add', +givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self): """ Make function that deletes a staged user using stageuser-del """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
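Review bot: in __init__, the new check `if not isinstance(givenname, (str, unicode)) and len(givenname) > 0` never rejects an empty string, because `not` binds only to the isinstance test, which is true for u''. With the new default givenname=None the same line calls len(None) and raises TypeError rather than the intended ValueError. Write it as `if not (isinstance(givenname, (str, unicode)) and givenname)`, do the same for sn, and format sn in the second message, which currently prints givenname. Separately, `self.uid = unicode(name)` turns name=None into u'None', so `if self.uid is not None` in make_create_command is always true and the uid-less stageuser_add branch is unreachable; convert only when name is not None.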
[Freeipa-devel] [freeipa PR#290][opened] Require python-cryptography >= 1.3.1
URL: https://github.com/freeipa/freeipa/pull/290 Author: tiran Title: #290: Require python-cryptography >= 1.3.1 Action: opened PR body: """ python-cryptography versions < 1.3 no longer compile with recent OpenSSL 1.0.2 versions. In order to build wheels, a more recent version of cryptography is required. 1.3.1 is the oldest well tested version (RHEL 7.3) that is known to work with FreeIPA. Bump up in freeipa.spec is not required for technical reasons. The problem only affects PyPI packages. It's policy to keep requirements in sync. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/290/head:pr290 git checkout pr290 From fb4700e12572d8fbf8ac6019d5c2ac0d0dcdd22c Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 30 Nov 2016 11:10:36 +0100 Subject: [PATCH] Require python-cryptography >= 1.3.1 python-cryptography versions < 1.3 no longer compile with recent OpenSSL 1.0.2 versions. In order to build wheels, a more recent version of cryptography is required. 1.3.1 is the oldest well tested version (RHEL 7.3) that is known to work with FreeIPA. Bump up in freeipa.spec is not required for technical reasons. The problem only affects PyPI packages. It's policy to keep requirements in sync. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes --- freeipa.spec.in | 12 ++-- ipasetup.py.in | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 6847bed..ae08d0c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -113,8 +113,8 @@ BuildRequires: python-cffi %if 0%{?with_lint} BuildRequires: samba-python BuildRequires: python-setuptools -# 0.6: serialization.load_pem_private_key, load_pem_public_key -BuildRequires: python-cryptography >= 0.6 +# 1.3: oldest PyPI version that still compiles with recent OpenSSL +BuildRequires: python-cryptography >= 1.3.1 BuildRequires: python-gssapi BuildRequires: pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 @@ -510,7 +510,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography >= 0.9 +Requires: python-cryptography >= 1.3.1 Requires: python-netaddr Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 @@ -559,7 +559,7 @@ Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL Requires: python3-nss >= 0.16 -Requires: python3-cryptography +Requires: python3-cryptography >= 1.3.1 Requires: python3-netaddr Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 @@ -633,7 +633,7 @@ Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder Requires: ldns-utils Requires: python-sssdconfig -Requires: python2-cryptography +Requires: python2-cryptography >= 1.3.1 Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -667,7 +667,7 @@ Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder Requires: ldns-utils Requires: python3-sssdconfig -Requires: python3-cryptography +Requires: python3-cryptography >= 1.3.1 %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users, diff --git a/ipasetup.py.in b/ipasetup.py.in index 1db4857..2220b97 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in 
@@ -52,7 +52,7 @@ class build_py(setuptools_build_py): PACKAGE_VERSION = { -'cryptography': 'cryptography >= 0.9', +'cryptography': 'cryptography >= 1.3.1', 'dnspython': 'dnspython >= 1.13', 'gssapi': 'gssapi > 1.1.2', 'ipaclient': 'ipaclient == @VERSION@', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
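Review bot: in the first freeipa.spec.in hunk, the replacement comment says "1.3" while the constraint under it is >= 1.3.1, and it drops the old note that the floor existed for serialization.load_pem_private_key and load_pem_public_key. Have the comment name 1.3.1 and state, as the commit message does, that the spec bump is only there to keep the RPM requirements in sync with PACKAGE_VERSION in ipasetup.py.in, so a later reader does not take it for an RPM build constraint.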
[Freeipa-devel] [freeipa PR#289][opened] Require python-gssapi >= 1.2.0
URL: https://github.com/freeipa/freeipa/pull/289 Author: tiran Title: #289: Require python-gssapi >= 1.2.0 Action: opened PR body: """ The PyPI package for python-gssapi 1.1.x has a packaging bug. It depends on enum34 for Python 3 although it is only required for 2.7. 1.2.0 is the oldest version that has been tested at length by QE. It's know to work. Bump up in freeipa.spec is not required for technical reasons. The packaging bug only affects PyPI packages. It's policy to keep requirements in sync. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/289/head:pr289 git checkout pr289 From 28d4a1f245bb53c842d112bf1cf5b574cc1fa2bc Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 30 Nov 2016 11:01:57 +0100 Subject: [PATCH] Require python-gssapi >= 1.2.0 The PyPI package for python-gssapi 1.1.x has a packaging bug. It depends on enum34 for Python 3 although it is only required for 2.7. 1.2.0 is the oldest version that has been tested at length by QE. It's know to work. Bump up in freeipa.spec is not required for technical reasons. The packaging bug only affects PyPI packages. It's policy to keep requirements in sync. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes --- freeipa.spec.in | 12 ++-- ipasetup.py.in | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 6847bed..bdf510f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -115,7 +115,7 @@ BuildRequires: samba-python BuildRequires: python-setuptools # 0.6: serialization.load_pem_private_key, load_pem_public_key BuildRequires: python-cryptography >= 0.6 -BuildRequires: python-gssapi +BuildRequires: python-gssapi >= 1.2.0 BuildRequires: pylint >= 1.0 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 BuildRequires: python2-polib 
@@ -187,7 +187,7 @@ Requires: mod_wsgi Requires: mod_auth_gssapi >= 1.4.0 Requires: mod_nss >= 1.0.8-26 Requires: python-ldap >= 2.4.15 -Requires: python-gssapi >= 1.1.2 +Requires: python-gssapi >= 1.2.0 Requires: acl Requires: memcached Requires: python-memcached @@ -250,7 +250,7 @@ Requires: %{name}-common = %{version}-%{release} Requires: python2-ipaclient = %{version}-%{release} Requires: python-ldap >= 2.4.15 Requires: python-lxml -Requires: python-gssapi >= 1.1.2 +Requires: python-gssapi >= 1.2.0 Requires: python-sssdconfig Requires: python-pyasn1 Requires: dbus-python @@ -374,7 +374,7 @@ Requires: certmonger >= 0.78 Requires: nss-tools Requires: bind-utils Requires: oddjob-mkhomedir -Requires: python-gssapi >= 1.1.2 +Requires: python-gssapi >= 1.2.0 Requires: libsss_autofs Requires: autofs Requires: libnfsidmap @@ -505,7 +505,7 @@ Provides: python2-ipapython = %{version}-%{release} Provides: python2-ipaplatform = %{version}-%{release} %{?python_provide:%python_provide python2-ipaplatform} Requires: %{name}-common = %{version}-%{release} -Requires: python-gssapi >= 1.1.2 +Requires: python-gssapi >= 1.2.0 Requires: gnupg Requires: keyutils Requires: pyOpenSSL @@ -554,7 +554,7 @@ Provides: python3-ipapython = %{version}-%{release} Provides: python3-ipaplatform = %{version}-%{release} %{?python_provide:%python_provide python3-ipaplatform} Requires: %{name}-common = %{version}-%{release} -Requires: python3-gssapi >= 1.1.2 +Requires: python3-gssapi >= 1.2.0 Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL diff --git a/ipasetup.py.in b/ipasetup.py.in index 1db4857..7d326c8 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in 
@@ -54,7 +54,7 @@ class build_py(setuptools_build_py): PACKAGE_VERSION = { 'cryptography': 'cryptography >= 0.9', 'dnspython': 'dnspython >= 1.13', -'gssapi': 'gssapi > 1.1.2', +'gssapi': 'gssapi > 1.2.0', 'ipaclient': 'ipaclient == @VERSION@', 'ipalib': 'ipalib == @VERSION@', 'ipaplatform': 'ipaplatform == @VERSION@', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
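Review bot: in the ipasetup.py.in hunk, `'gssapi': 'gssapi > 1.2.0'` uses a strict greater-than, which excludes 1.2.0 itself, while every freeipa.spec.in hunk in this patch uses >= 1.2.0 and the commit message names 1.2.0 as the oldest tested version. The strict operator is carried over from the old '> 1.1.2' line, where excluding that version may have been intended; here it should read 'gssapi >= 1.2.0' so the PyPI and RPM requirements agree.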
[Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese
URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

shanyin commented:
"""
Ok, I have just sent a PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-263831788
Re: [Freeipa-devel] NTP in FreeIPA
On 29/11/16 18:10, Alexander Bokovoy wrote: On Tue, 29 Nov 2016, Petr Spacek wrote: On 29.11.2016 16:02, Rob Crittenden wrote: Petr Spacek wrote: On 29.11.2016 09:11, Jan Cholasta wrote: On 28.11.2016 20:57, Rob Crittenden wrote: David Kupka wrote: On 22/11/16 23:15, Gabe Alford wrote:

I would say that it is worth keeping in FreeIPA. I know myself and some customers use its functionality by having the clients sync to the IPA servers and have the servers sync to the NTP source. This way if the NTP source ever gets disrupted for long periods of time (which has happened in my environment) the client time drifts with the authentication source. This is the way that AD often works and is configured.

Hello Gabe, I agree that it's common practice to synchronize all nodes in network with single source in order to have the same time and save bandwidth. Also I understand that it's comfortable to let FreeIPA installer take care of it. But I don't think FreeIPA should do it. IMO this is a job for Ansible or a similar tool. Also the problem is that in some situations FreeIPA installer makes it worse. Example:

1. Install FreeIPA server (ipa1.example.org)
2. Install FreeIPA client on all nodes in network
3. Install replica (ipa2.example.org) of FreeIPA server to increase redundancy

Now all the clients have ipa1.example.org as the only server in /etc/ntp.conf. If the first FreeIPA server becomes unreachable all clients will be able to contact KDC on the other server thanks to DNS autodiscovery in libkrb5 but will be unable to synchronize time.

Remember that the goal of IPA was to herd together a bunch of software to make hard things easier. This included dealing with the 5-minute Kerberos window so ntp was configured on the client and server (which is less of an issue now). When making changes you have to ask yourself who are you making this easier for: you or the user. Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms of success? I'd think so.
If someone wants to configure it using Ansible they can use the --no-ntp. If they want to use different time servers they can pass in --ntp-server. But by default IMHO it should do something sane to give a good experience.

I think to do something sane is exactly the point of this, and the sanest thing we can do is to not touch NTP configuration at all:

* if the NTP configuration obtained via DHCP works, we can't make it any better by touching it, only worse,
* if the default NTP configuration shipped with the distribution works, we again can't make it any better by touching it,
* if we are running inside container, time is synchronized by other means and we should not touch NTP configuration at all,
* if neither the default NTP configuration nor the NTP configuration obtained via DHCP works and we are not running inside container, we may attempt to fix the configuration, but it will not be permanent and will work only for this specific host.

I think the first 3 points cover 99% of real-life deployments, and yet we are optimized towards the remaining 1%, with the potential of breaking the configuration for the 99%. This is far from sane IMHO.

+1 for Honza's point. Current NTP code works only for initial setup and silently breaks synchronization later on. Most importantly it breaks synchronization as soon as admin removes old replicas and replaces them with new ones - there is no mechanism to update the records in the client configuration (and SRV discovery is not supported by clients). I.e. when admin decommissions replicas which were around at the time of client installation, the NTP on client will silently break. This would not happen if you did not touch it. (This also implicitly means that IPA-configured NTP is broken on all clients in topologies which were completely migrated from RHEL 6 to RHEL 7.) Either DHCP or default distro config would solve the problem better.
That's fair but where is the huge pile of bugs, tickets and user e-mails complaining about time? Or has nobody noticed yet?

Hard to say. There might be multiple reasons for this. E.g.

- Starting with Fedora 16, there is Chronyd installed by default. IPA client installer does not configure Chronyd by default so there is nothing to break.
- DHCP integration still modifies IPA-generated ntp.conf.
- Users who care might use configuration management tool.

Still, bug reports and users' complaints are the only external measure we have. There is close to nothing in complaints about NTP functionality, other than requests to support chronyd and a better discovery of existing NTP setups. I don't think that requires dramatic action like removal of NTP support at all.

As Petr already pointed out, since Fedora 16 chronyd is enabled by default and ipa-client-install doesn't configure time synchronization when chronyd is enabled. I believe that majority of users haven't used '--force-ntpd' and since it still worked they haven't filed any ticket. IMO in
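The failure mode discussed in this thread (a client whose /etc/ntp.conf still names only the master that existed at enrollment, or a replica that has since been decommissioned) can be audited with a short script. This is an added example, not part of any message in the thread and not FreeIPA code; the function names, the report keys and the sample ntp.conf are constructed, and the lists of current and retired masters are assumed to come from the administrator.

```python
import re

# ntp.conf directives that name a time source.
_SOURCE_RE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)", re.IGNORECASE)


def _norm(host):
    """Lower-case a host name and drop a trailing dot so names compare equal."""
    return host.rstrip(".").lower()


def ntp_sources(conf_text):
    """Return the network time sources named in ntp.conf text, in file order."""
    hosts = []
    for line in conf_text.splitlines():
        match = _SOURCE_RE.match(line.split("#", 1)[0])  # ignore comments
        if match is None:
            continue
        host = _norm(match.group(2))
        # 127.127.t.u addresses are ntpd reference clocks (for example the
        # local clock), not servers reachable over the network.
        if host.startswith("127.127."):
            continue
        if host not in hosts:
            hosts.append(host)
    return hosts


def audit_ntp_conf(conf_text, current_masters, retired_masters=()):
    """Compare a client's ntp.conf with the IPA topology as it is today.

    current_masters: masters that exist now (assumed input).
    retired_masters: masters that were decommissioned (assumed input).
    """
    current = {_norm(h) for h in current_masters}
    retired = {_norm(h) for h in retired_masters}
    sources = ntp_sources(conf_text)
    return {
        "sources": sources,
        # Sources that no longer exist: synchronization breaks silently.
        "retired": [h for h in sources if h in retired],
        # Masters added after enrollment that the client never learned about.
        "missing_masters": sorted(current - set(sources)),
        # A single source means one unreachable host stops synchronization.
        "single_source": len(sources) == 1,
        # Sources that can still answer.
        "usable": [h for h in sources if h not in retired],
    }


# Constructed sample: what a client enrolled before ipa2.example.org existed
# might carry. Host names are the ones used in the thread.
SAMPLE_NTP_CONF = """\
# written at enrollment time
restrict default kod nomodify notrap nopeer noquery
server ipa1.example.org iburst   # the only master that existed then
server 127.127.1.0               # local clock
fudge 127.127.1.0 stratum 10
"""

if __name__ == "__main__":
    # ipa1 has been replaced by ipa2: the client is left with no usable source.
    report = audit_ntp_conf(
        SAMPLE_NTP_CONF,
        current_masters=["ipa2.example.org"],
        retired_masters=["ipa1.example.org"],
    )
    for key in sorted(report):
        print("%-16s %s" % (key, report[key]))
```

An empty "usable" list is the silent breakage described above: Kerberos discovery still finds the new master, but the client has no time source left.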
[Freeipa-devel] [freeipa PR#280][synchronized] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Author: tiran Title: #280: Set explicit confdir option for global contexts Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/280/head:pr280 git checkout pr280 From 86ddbbe5f69519b07f24d825507cff84f86407d9 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 28 Nov 2016 16:24:33 +0100 Subject: [PATCH 1/2] Set explicit confdir option for global contexts Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes --- client/ipa-client-automount | 1 + install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- install/migration/migration.py | 3 ++- install/oddjob/com.redhat.idm.trust-fetch-domains | 4 +++- install/restart_scripts/renew_ca_cert | 2 +- install/restart_scripts/restart_dirsrv | 3 ++- install/restart_scripts/stop_pkicad | 3 ++- install/share/copy-schema-to-ca.py | 2 +- install/share/wsgi.py | 6 -- install/tools/ipa-httpd-kdcproxy| 3 ++- install/tools/ipa-replica-conncheck | 4 +++- install/tools/ipactl| 5 - ipaclient/install/client.py | 1 + ipaclient/install/ipa_certupdate.py | 2 +- ipaserver/install/ipa_backup.py | 2 +- ipaserver/install/ipa_ldap_updater.py | 2 +- ipaserver/install/ipa_restore.py| 1 + ipaserver/install/ipa_server_upgrade.py | 2 +- ipaserver/install/ipa_winsync_migrate.py| 3 ++- ipaserver/install/ldapupdate.py | 4 +++- ipaserver/install/server/install.py | 2 ++ ipaserver/install/server/replicainstall.py | 19 +-- 22 files changed, 52 insertions(+), 24 deletions(-) 
diff --git a/client/ipa-client-automount b/client/ipa-client-automount index 0dd15b3..18914bd 100755 --- a/client/ipa-client-automount +++ b/client/ipa-client-automount @@ -384,6 +384,7 @@ def main(): cfg = dict( context='cli_installer', +confdir=paths.ETC_IPA, in_server=False, debug=options.debug, verbose=0, diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 7389a5e..2e137ad 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -494,7 +494,7 @@ def main(): 'ipaCACertRenewal': renew_ca_cert, } -api.bootstrap(in_server=True, context='renew') +api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA) api.finalize() api.Backend.ldap2.connect() diff --git a/install/migration/migration.py b/install/migration/migration.py index 4743279..73e4777 100644 --- a/install/migration/migration.py +++ b/install/migration/migration.py @@ -24,6 +24,7 @@ import errno from wsgiref.util import request_uri +from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipapython import ipaldap @@ -72,7 +73,7 @@ def application(environ, start_response): # API object only for configuration, finalize() not needed api = create_api(mode=None) -api.bootstrap(context='server', in_server=True) +api.bootstrap(context='server', confdir=paths.ETC_IPA, in_server=True) try: bind(api.env.ldap_uri, api.env.basedn, form_data['username'].value, form_data['password'].value) diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index a0d8a31..e5c2e8c 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains 
@@ -8,6 +8,7 @@ from ipapython.dn import DN from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG from ipaplatform.constants import constants +from ipaplatform.paths import paths import sys import os import pwd @@ -95,7 +96,8 @@ env._bootstrap(debug=options.debug, log=None) env._finalize_core(**dict(DEFAULT_CONFIG)) # Initialize the API with the proper debug level -api.bootstrap(in_server=True, debug=env.debug, log=None, context='server') +api.bootstrap(in_server=True, debug=env.debug, log=None, + context='server', confdir=paths.ETC_IPA) api.finalize() # Only impo
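Review bot: the client/ipa-client-automount and install/certmonger/dogtag-ipa-ca-renew-agent-submit hunks pass confdir=paths.ETC_IPA but, unlike the migration.py and trust-fetch-domains hunks, add no `from ipaplatform.paths import paths`. Confirm both scripts already import paths; otherwise they fail with a NameError at startup, and for the certmonger helper that would mean failed certificate renewals.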
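Review bot: the api.bootstrap(...) call sites, for example the one in install/migration/migration.py, each have to remember to pass confdir=paths.ETC_IPA, while the commit message states that the listed contexts (backup, cli_installer, installer, ipctl, renew, restore, server, updates) do not support confdir overrides at all. A future caller that omits the argument would accept an override again without any error. Consider enforcing the rule once inside the bootstrap code for those context names, or adding a test that fails when one of these contexts is bootstrapped without an explicit confdir.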
[Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer
URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer

mbasti-rh commented:
"""
Can we add cert state to error message? `raise RuntimeError("Certificate issuance failed")` is not too much detailed in `request_and_wait_for_cert`.

Something like:
```
"Certificate issuance failed (CA_UNREACHABLE)"
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/285#issuecomment-263825114
[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

tomaskrizek commented:
"""
@frasertweedale Oh, I didn't realize the DN in SAN matches the LDAP DN, while the Subject DN does not. In that case, this PR makes sense to me as is.

I also don't see the need to validate Subject DN and SAN DN differently, since they use different representation (subject is a more generic identifier, as @tiran pointed out; while SAN DN should be the unique LDAP DN identifier).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263550747
[Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes
URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

tiran commented:
"""
Fixup for #271
"""

See the full comment at https://github.com/freeipa/freeipa/pull/287#issuecomment-263823717
[Freeipa-devel] [freeipa PR#287][opened] Wheel bundles fixes
URL: https://github.com/freeipa/freeipa/pull/287 Author: tiran Title: #287: Wheel bundles fixes Action: opened PR body: """ * make wheel_bundle no longer bundles ipaplatform * ipaclient and ipalib use a consistent extra tag for the install subpackage. `pip install ipalib[ipalib.install]` looks a bit silly. https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/287/head:pr287 git checkout pr287 From 2d79fd4050539cc4c2d095cf37320b55b7a62313 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 30 Nov 2016 10:19:18 +0100 Subject: [PATCH] Wheel bundles fixes * make wheel_bundle no longer bundles ipaplatform * ipaclient and ipalib use a consistent extra tag for the install subpackage. `pip install ipalib[ipalib.install]` looks a bit silly. https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes --- Makefile.am| 4 ++-- ipaclient/setup.py | 2 +- ipalib/setup.py| 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile.am b/Makefile.am index f9922bb..a7c74b0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,7 +1,7 @@ ACLOCAL_AMFLAGS = -I m4 -IPACLIENT_SUBDIRS = ipaclient ipalib ipaplatform ipapython -SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaserver ipatests po +IPACLIENT_SUBDIRS = ipaclient ipalib ipapython +SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ diff --git a/ipaclient/setup.py b/ipaclient/setup.py index fb6ed0d..cd7a2c5 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -55,7 +55,7 @@ "wheel", ], extra_requires={ -"ipaclient.install": ["ipaplatform"], +"install": ["ipaplatform"], "otptoken_yubikey": ["yubico", "usb"] } ) 
diff --git a/ipalib/setup.py b/ipalib/setup.py index 85932fc..1dc5214 100644 --- a/ipalib/setup.py +++ b/ipalib/setup.py @@ -47,6 +47,6 @@ "wheel", ], extras_require={ -"ipalib.install": ["ipaplatform"], +"install": ["ipaplatform"], }, ) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
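Review bot: in the ipaclient/setup.py hunk, the renamed "install" extra still sits under the keyword `extra_requires=`, which setuptools does not recognize; the ipalib/setup.py hunk uses the correct `extras_require=`. As written, `pip install ipaclient[install]` would not pull in ipaplatform, so the consistent tag this patch introduces has no effect for ipaclient. Rename the keyword to extras_require in the same change.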
[Freeipa-devel] [freeipa PR#276][synchronized] replica-conncheck: improve error msg + logging
URL: https://github.com/freeipa/freeipa/pull/276 Author: tomaskrizek Title: #276: replica-conncheck: improve error msg + logging Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/276/head:pr276 git checkout pr276 From d46e1a38bb65e20439a6772fbba08df7c4fcef11 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Fri, 25 Nov 2016 17:23:29 +0100 Subject: [PATCH 1/2] replica-conncheck: improve error message during replicainstall Replica conncheck may fail for other reasons then network misconfiguration. For example, an incorrect admin password might be provided. Since conncheck is ran as a separate script in quiet mode, no insightful error message can be displayed. https://fedorahosted.org/freeipa/ticket/6497 --- ipaserver/install/replication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index ba35c49..35066c2 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -105,7 +105,7 @@ def replica_conn_check(master_host, host_name, realm, check_ca, if result.returncode != 0: raise ScriptError( "Connection check failed!" -"\nPlease fix your network settings according to error messages above." +"\nSee /var/log/ipareplica-conncheck.log for more information." "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.") else: print("Connection check OK") From 91b20a812cf699f9fedb1be63006369f58e4e0e6 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Fri, 25 Nov 2016 17:27:16 +0100 Subject: [PATCH 2/2] replica-conncheck: improve message logging Make sure all messages displayed on screen to the user can be found in the log as well. The messages are also logged if the script is ran in quiet mode. https://fedorahosted.org/freeipa/ticket/6497 --- install/tools/ipa-replica-conncheck | 98 +++-- 1 file changed, 51 insertions(+), 47 deletions(-) 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 7ec1ef8..083aa07 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -47,7 +47,6 @@ from cryptography.hazmat.primitives import serialization CONNECT_TIMEOUT = 5 RESPONDERS = [ ] -QUIET = False CCACHE_FILE = None KRB5_CONFIG = None @@ -60,7 +59,7 @@ class SshExec(object): def __call__(self, command, verbose=False): # Bail if ssh is not installed if self.cmd is None: -print("WARNING: ssh not installed, skipping ssh test") +root_logger.warning("WARNING: ssh not installed, skipping ssh test") return ('', '', 0) tmpf = tempfile.NamedTemporaryFile() @@ -108,10 +107,6 @@ BASE_PORTS = [ ] -def print_info(msg): -if not QUIET: -print(msg) - def parse_options(): def ca_cert_file_callback(option, opt, value, parser): if not os.path.exists(value): @@ -205,10 +200,6 @@ def parse_options(): if not options.hostname: options.hostname = socket.getfqdn() -if options.quiet: -global QUIET -QUIET = True - return safe_options, options def logging_setup(options): @@ -217,7 +208,8 @@ def logging_setup(options): if os.getegid() == 0 and options.log_to_file: log_file = paths.IPAREPLICA_CONNCHECK_LOG -standard_logging_setup(log_file, debug=options.debug) +standard_logging_setup(log_file, verbose=(not options.quiet), + debug=options.debug, console_format='%(message)s') def clean_responders(responders): if not responders: 
@@ -328,13 +320,14 @@ def port_check(host, port_list): else: ports_failed.append(port) result = "FAILED" -print_info(" %s (%d): %s" % (port.description, port.port, result)) +root_logger.info(" %s (%d): %s" % (port.description, port.port, result)) if ports_udp_warning: -print("The following UDP ports could not be verified as open: %s" \ -% ", ".join(str(port.port) for port in ports_udp_warning)) -print("This can happen if they are already bound to an application") -print("and ipa-replica-conncheck cannot attach own UDP responder.") +root_logger.warning( +("The following UDP ports could not be verified as open: %s\n" + "This can happen if they are already bound to an application\n" + "and ipa-replica-conncheck cannot attach own UDP responder.") +% ", ".join(str(port.port) for port in ports_udp_warning)) if ports_failed: msg_ports = [] @@ -362,29 +355,34 @@ def main(): "PKI-CA: Directory Service port")) if options.replica: -print_info("Check connection
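Review bot: in replica_conn_check (patch 1/2), the new message hardcodes /var/log/ipareplica-conncheck.log, while logging_setup in ipa-replica-conncheck takes the path from paths.IPAREPLICA_CONNCHECK_LOG and only writes the file when `os.getegid() == 0 and options.log_to_file`. Build the message from the paths constant so the two cannot drift apart, and make sure the installer runs the check with file logging enabled, otherwise the user is sent to a log that may not exist.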
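Review bot: in SshExec.__call__ (patch 2/2), the text passed to root_logger.warning still begins with "WARNING:", which repeats the level the logger already carries; drop the prefix. In port_check, pass the values as logger arguments, `root_logger.info(" %s (%d): %s", port.description, port.port, result)`, instead of formatting with % first. Since every on-screen message now also lands in the log file, check that none of the converted print_info calls includes credentials or other option values that parse_options keeps out of safe_options.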
[Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese
URL: https://github.com/freeipa/freeipa/pull/286 Title: #286: fix miss translation in Chinese mbasti-rh commented: """ This: ``` -label='Group search fields',  +label=_('Group search fields'), ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-263819271 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese
URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

shanyin commented:
"""
Ok, it was already translated in zanata. But what did you mean when you said "what I meant was to send fixing of missing translations strings as separated PR" in #174?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-263817736
[Freeipa-devel] [freeipa PR#286][+rejected] fix miss translation in Chinese
URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese
Label: +rejected
[Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese
URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

mbasti-rh commented:
"""
We automatically add translations to IPA from zanata before releasing. If it is translated in zanata, it will appear in the next release.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-263815960
[Freeipa-devel] [freeipa PR#286][closed] fix miss translation in Chinese
URL: https://github.com/freeipa/freeipa/pull/286
Author: shanyin
Title: #286: fix miss translation in Chinese
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/286/head:pr286
git checkout pr286
[Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal
URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

martbab commented:
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/38cc40ddb5bf965801500bb4f66fd965b12e3c88
"""

See the full comment at https://github.com/freeipa/freeipa/pull/275#issuecomment-263814999
[Freeipa-devel] [freeipa PR#275][closed] Enhance __repr__ method of Principal
URL: https://github.com/freeipa/freeipa/pull/275
Author: martbab
Title: #275: Enhance __repr__ method of Principal
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/275/head:pr275
git checkout pr275
[Freeipa-devel] [freeipa PR#275][+pushed] Enhance __repr__ method of Principal
URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal
Label: +pushed
[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements
URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

martbab commented:
"""
As I said, if 0.9 breaks your PyPI work, feel free to bump it, but please split the version bumps into a separate commit on top of ipasetup fixes.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/255#issuecomment-263813183
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

mbasti-rh commented:
"""
master:
9117a5d5a6ae7b3b97407e46f81a06c387974d7f paths: remove DEV_NULL
8e5d2c7014ff6371a3b306e666c301aea1f7a488 custodiainstance: automatic restart on config file update
a1f260d021bf5d018e634438fde6b7c81ebbbcef ipapython: move dnssec, p11helper and secrets to ipaserver
26c46a447f82b4cf37a5076b72cf6328857d5f35 ipapython: move certmonger and sysrestore to ipalib.install
f919ab4ee0ec26d77ee6978e75de5daba4073402 certdb: use a temporary file to pass password to pk12util
d6b755e3fcaf32158f4ee36d45e3344b4a03fbc2 ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
7b966e8577fdb56f069cf26a6ab4d6c77b8743b9 ipautil: remove get_domain_name()
d911f493482d29829199cce2f91f88a9b53369e1 ipautil: remove the timeout argument of run()
75b70e3f0d52a9c98f443d3fc2f7cef92bdc7b1a ipautil: move is_fips_enabled() to ipaplatform.tasks
7d5c680ace7ccea3b0f7f1471cf8dbc07b3da5a1 ipautil: move kinit functions to ipalib.install
6e50fae9ec6dea35e12a65dbc46228a1e6276e07 ipautil: move file encryption functions to installutils
528012fe8a8976961203021ef36353b7a4c3b8a8 ipapython: remove hard dependency on ipaplatform
a2c58889735c794cd1e93331c755b6f9ba273773 ipalib: move certstore to the install subpackage
977050c66bccd7b8cf468c115d73250505a01034 constants: remove CACERT
d43b57d2ce8552ed4977dcc33667b4226feb ipalib: remove hard dependency on ipapython
70c3cd7f482bee7d5ad12062daa7ad6181a29094 ipaclient: move install modules to the install subpackage
a260fd8058d757b631dd4eb39ee8a58b91cf2efb ipaclient: remove hard dependency on ipaplatform
"""

See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263810669
[Freeipa-devel] [freeipa PR#271][closed] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271
Author: jcholast
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/271/head:pr271
git checkout pr271