Re: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation

2011-06-08 Thread Martin Kosek
On Tue, 2011-06-07 at 14:42 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Sat, 2011-05-28 at 10:13 +0200, Martin Kosek wrote:
> >>> On Sat, 2011-05-28 at 00:10 -0400, Rob Crittenden wrote:
>  Martin Kosek wrote:
> > On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> This is a first version of connection checking program for replica
> >>> installation. See patch for program purpose description. Currently,
> >>> there are no man pages for the program.
> >>>
> >>> Note to Simo and Rob: I use password for logging as admin. Btw would it
> >>> be safe to have an admin keytab in the replica file? Replica file
> >>> contents are lying freely in /tmp after the replica installation.
> >>>
> >>> Martin
> >>
> >> nack, you aren't including the new binary in the spec.
> >
> > Oh, thanks for this one.
> >
> >>
> >> You should also:
> >>
> >> - set KRB5CCNAME to a temporary ccache and remove that when the install
> >> exits (successful or not)
> >
> > Done.
> >
> >> - remove the temporary krb5.conf you create
> >
> > Done.
> >
> >> - be a bit more explicit what we are doing, at least more than "Run
> >> connection check to master".
> >
> > Actually, I am if you run the new script separately. I removed "--quiet"
> > parameter passed to the script in ipa-replica-install so that it is more
> > verbose. Plus, I improved texts sent to the user.
> >
> >> - yes, we should remove the replica file contents
> >
> > I enhanced ipa-replica-install to do that.
> >
> > Martin
> >
> 
>  Works great until the very end:
>  ...
>  ...
> 
>  Execute check on remote master
>  Check connection from master to remote replica 'slinky.greyoak.com':
>  Directory Service: unsecure port (389): FAILED
>  Directory Service: secure port (636): FAILED
>  Kerberos (88): OK
> 
>  Remote master check failed with following error message(s):
>  Could not chdir to home directory /home/admin: No such file or directory
>  Port check failed! Unaccessible port(s): 389, 636
> 
>  Connection check failed with following error: None
> 
>  rob
> >>>
> >>> Right, I introduced this wrong error message in the last patch. I fixed
> >>> this one and also one typo. Updated patch attached.
> >>>
> >>> Martin
> >>
> >> I created a man page for the new program. Please feel free to
> >> fix/propose a fix for any language errors that may be there.
> >>
> >> Missing records in Makefile.am for both man page and the new program
> >> have been added.
> >>
> >> Martin
> >
> > ack
> >
> > rob
> 
> Oh, I forgot. Before you push can you clean up the trailing whitespace?
> 
> rob

Pushed to master, whitespaces cleaned. I sent a heads up to QE team. It
is true that this patch can break replica installation test.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation

2011-06-07 Thread Rob Crittenden

Rob Crittenden wrote:

Martin Kosek wrote:

On Sat, 2011-05-28 at 10:13 +0200, Martin Kosek wrote:

On Sat, 2011-05-28 at 00:10 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

This is a first version of connection checking program for replica
installation. See patch for program purpose description. Currently,
there are no man pages for the program.

Note to Simo and Rob: I use password for logging as admin. Btw would it
be safe to have an admin keytab in the replica file? Replica file
contents are lying freely in /tmp after the replica installation.

Martin


nack, you aren't including the new binary in the spec.


Oh, thanks for this one.



You should also:

- set KRB5CCNAME to a temporary ccache and remove that when the install
exits (successful or not)


Done.


- remove the temporary krb5.conf you create


Done.


- be a bit more explicit what we are doing, at least more than "Run
connection check to master".


Actually, I am if you run the new script separately. I removed "--quiet"
parameter passed to the script in ipa-replica-install so that it is more
verbose. Plus, I improved texts sent to the user.


- yes, we should remove the replica file contents


I enhanced ipa-replica-install to do that.

Martin



Works great until the very end:
...
...

Execute check on remote master
Check connection from master to remote replica 'slinky.greyoak.com':
Directory Service: unsecure port (389): FAILED
Directory Service: secure port (636): FAILED
Kerberos (88): OK

Remote master check failed with following error message(s):
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Unaccessible port(s): 389, 636

Connection check failed with following error: None

rob


Right, I introduced this wrong error message in the last patch. I fixed
this one and also one typo. Updated patch attached.

Martin


I created a man page for the new program. Please feel free to
fix/propose a fix for any language errors that may be there.

Missing records in Makefile.am for both man page and the new program
have been added.

Martin


ack

rob


Oh, I forgot. Before you push can you clean up the trailing whitespace?

rob



Re: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation

2011-06-07 Thread Rob Crittenden

Martin Kosek wrote:

On Sat, 2011-05-28 at 10:13 +0200, Martin Kosek wrote:

On Sat, 2011-05-28 at 00:10 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

This is a first version of connection checking program for replica
installation. See patch for program purpose description. Currently,
there are no man pages for the program.

Note to Simo and Rob: I use password for logging as admin. Btw would it
be safe to have an admin keytab in the replica file? Replica file
contents are lying freely in /tmp after the replica installation.

Martin


nack, you aren't including the new binary in the spec.


Oh, thanks for this one.



You should also:

- set KRB5CCNAME to a temporary ccache and remove that when the install
exits (successful or not)


Done.


- remove the temporary krb5.conf you create


Done.


- be a bit more explicit what we are doing, at least more than "Run
connection check to master".


Actually, I am if you run the new script separately. I removed "--quiet"
parameter passed to the script in ipa-replica-install so that it is more
verbose. Plus, I improved texts sent to the user.


- yes, we should remove the replica file contents


I enhanced ipa-replica-install to do that.

Martin



Works great until the very end:
...
...

Execute check on remote master
Check connection from master to remote replica 'slinky.greyoak.com':
 Directory Service: unsecure port (389): FAILED
 Directory Service: secure port (636): FAILED
 Kerberos (88): OK

Remote master check failed with following error message(s):
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Unaccessible port(s): 389, 636

Connection check failed with following error: None

rob


Right, I introduced this wrong error message in the last patch. I fixed
this one and also one typo. Updated patch attached.

Martin


I created a man page for the new program. Please feel free to
fix/propose a fix for any language errors that may be there.

Missing records in Makefile.am for both man page and the new program
have been added.

Martin


ack

rob



Re: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation

2011-06-02 Thread Martin Kosek
On Sat, 2011-05-28 at 10:13 +0200, Martin Kosek wrote:
> On Sat, 2011-05-28 at 00:10 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote:
> > >> Martin Kosek wrote:
> > >>> This is a first version of connection checking program for replica
> > >>> installation. See patch for program purpose description. Currently,
> > >>> there are no man pages for the program.
> > >>>
> > >>> Note to Simo and Rob: I use password for logging as admin. Btw would it
> > >>> be safe to have an admin keytab in the replica file? Replica file
> > >>> contents are lying freely in /tmp after the replica installation.
> > >>>
> > >>> Martin
> > >>
> > >> nack, you aren't including the new binary in the spec.
> > >
> > > Oh, thanks for this one.
> > >
> > >>
> > >> You should also:
> > >>
> > >> - set KRB5CCNAME to a temporary ccache and remove that when the install
> > >> exits (successful or not)
> > >
> > > Done.
> > >
> > >> - remove the temporary krb5.conf you create
> > >
> > > Done.
> > >
> > >> - be a bit more explicit what we are doing, at least more than "Run
> > >> connection check to master".
> > >
> > > Actually, I am if you run the new script separately. I removed "--quiet"
> > > parameter passed to the script in ipa-replica-install so that it is more
> > > verbose. Plus, I improved texts sent to the user.
> > >
> > >> - yes, we should remove the replica file contents
> > >
> > > I enhanced ipa-replica-install to do that.
> > >
> > > Martin
> > >
> > 
> > Works great until the very end:
> > ...
> > ...
> > 
> > Execute check on remote master
> > Check connection from master to remote replica 'slinky.greyoak.com':
> > Directory Service: unsecure port (389): FAILED
> > Directory Service: secure port (636): FAILED
> > Kerberos (88): OK
> > 
> > Remote master check failed with following error message(s):
> > Could not chdir to home directory /home/admin: No such file or directory
> > Port check failed! Unaccessible port(s): 389, 636
> > 
> > Connection check failed with following error: None
> > 
> > rob
> 
> Right, I introduced this wrong error message in the last patch. I fixed
> this one and also one typo. Updated patch attached.
> 
> Martin

I created a man page for the new program. Please feel free to
fix/propose a fix for any language errors that may be there.

Missing records in Makefile.am for both man page and the new program
have been added.

Martin

From a9f7130c221d9657713b5f1140b1c745d2857140 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Sun, 22 May 2011 19:17:07 +0200
Subject: [PATCH] Connection check program for replica installation

When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.

This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:

1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
   automatically:
 a) kinit to master as default admin user with given password
 b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
   the replica and prints the check result

This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.

https://fedorahosted.org/freeipa/ticket/1107
---
 freeipa.spec.in   |2 +
 install/po/Makefile.in|1 +
 install/tools/Makefile.am |1 +
 install/tools/ipa-replica-conncheck   |  372 +
 install/tools/ipa-replica-install |   40 +++
 install/tools/man/Makefile.am |1 +
 install/tools/man/ipa-replica-conncheck.1 |   87 +++
 install/tools/man/ipa-replica-install.1   |6 +
 ipapython/ipautil.py  |   73 ++
 9 files changed, 583 insertions(+), 0 deletions(-)
 create mode 100755 install/tools/ipa-replica-conncheck
 create mode 100644 install/tools/man/ipa-replica-conncheck.1

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fba2f31e5586457c74d84430d46e57190891d7d6..5c6c8a562e8c12791c059f96916c5519368385d2 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -358,6 +358,7 @@ fi
 %doc COPYING README Contributors.txt
 %{_sbindir}/ipa-dns-install
 %{_sbindir}/ipa-server-install
+%{_sbindir}/ipa-replica-conncheck
 %{_sbindir}/ipa-replica-install
 %{_sbindir}/ipa-replica-prepare
 %{_sbindir}/ipa-replica-manage
@@ -425,6 +426,7 @@ fi
 %dir %{_localstatedir}/cache/ipa
 %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions
 %attr(700,root,root) %dir %{_localstatedir}/cache/ipa/kpasswd
+%{_mandir}/man1/ipa-replica-conncheck.1.gz
 %{_mandir}/man1/

Re: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation

2011-05-28 Thread Martin Kosek
On Sat, 2011-05-28 at 00:10 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> This is a first version of connection checking program for replica
> >>> installation. See patch for program purpose description. Currently,
> >>> there are no man pages for the program.
> >>>
> >>> Note to Simo and Rob: I use password for logging as admin. Btw would it
> >>> be safe to have an admin keytab in the replica file? Replica file
> >>> contents are lying freely in /tmp after the replica installation.
> >>>
> >>> Martin
> >>
> >> nack, you aren't including the new binary in the spec.
> >
> > Oh, thanks for this one.
> >
> >>
> >> You should also:
> >>
> >> - set KRB5CCNAME to a temporary ccache and remove that when the install
> >> exits (successful or not)
> >
> > Done.
> >
> >> - remove the temporary krb5.conf you create
> >
> > Done.
> >
> >> - be a bit more explicit what we are doing, at least more than "Run
> >> connection check to master".
> >
> > Actually, I am if you run the new script separately. I removed "--quiet"
> > parameter passed to the script in ipa-replica-install so that it is more
> > verbose. Plus, I improved texts sent to the user.
> >
> >> - yes, we should remove the replica file contents
> >
> > I enhanced ipa-replica-install to do that.
> >
> > Martin
> >
> 
> Works great until the very end:
> ...
> ...
> 
> Execute check on remote master
> Check connection from master to remote replica 'slinky.greyoak.com':
> Directory Service: unsecure port (389): FAILED
> Directory Service: secure port (636): FAILED
> Kerberos (88): OK
> 
> Remote master check failed with following error message(s):
> Could not chdir to home directory /home/admin: No such file or directory
> Port check failed! Unaccessible port(s): 389, 636
> 
> Connection check failed with following error: None
> 
> rob

Right, I introduced this wrong error message in the last patch. I fixed
this one and also one typo. Updated patch attached.

Martin

From ac6c38804498480c472106b054121d4aafc8423a Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Sun, 22 May 2011 19:17:07 +0200
Subject: [PATCH] Connection check program for replica installation

When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.

This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:

1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
   automatically:
 a) kinit to master as default admin user with given password
 b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
   the replica and prints the check result

This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.

https://fedorahosted.org/freeipa/ticket/1107
---
 freeipa.spec.in |1 +
 install/tools/ipa-replica-conncheck |  372 +++
 install/tools/ipa-replica-install   |   40 
 install/tools/man/ipa-replica-install.1 |6 +
 ipapython/ipautil.py|   73 ++
 5 files changed, 492 insertions(+), 0 deletions(-)
 create mode 100755 install/tools/ipa-replica-conncheck

diff --git a/freeipa.spec.in b/freeipa.spec.in
index b9366165a6efe9515e9b3527947d301948a714f5..5042bfe592014b49b0691081831e603e6156e8ce 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -357,6 +357,7 @@ fi
 %doc COPYING README Contributors.txt
 %{_sbindir}/ipa-dns-install
 %{_sbindir}/ipa-server-install
+%{_sbindir}/ipa-replica-conncheck
 %{_sbindir}/ipa-replica-install
 %{_sbindir}/ipa-replica-prepare
 %{_sbindir}/ipa-replica-manage
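Review bot: the new `%{_sbindir}/ipa-replica-conncheck` entry ships an admin tool with no man page beside it; the diffstat for this revision lists only install/tools/man/ipa-replica-install.1. Add install/tools/man/ipa-replica-conncheck.1 with its Makefile.am record and a matching `%{_mandir}` line in this `%files` section, so that the admin password prompt and the --skip-conncheck escape hatch named in the commit message are documented.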
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
new file mode 100755
index ..5030e5da7866de3558d2ffa7fa4a89dcc2ccf70f
--- /dev/null
+++ b/install/tools/ipa-replica-conncheck
@@ -0,0 +1,372 @@
+#! /usr/bin/python -E
+# Authors: Martin Kosek 
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have rec

Re: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation

2011-05-27 Thread Rob Crittenden

Martin Kosek wrote:

On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote:

Martin Kosek wrote:

This is a first version of connection checking program for replica
installation. See patch for program purpose description. Currently,
there are no man pages for the program.

Note to Simo and Rob: I use password for logging as admin. Btw would it
be safe to have an admin keytab in the replica file? Replica file
contents are lying freely in /tmp after the replica installation.

Martin


nack, you aren't including the new binary in the spec.


Oh, thanks for this one.



You should also:

- set KRB5CCNAME to a temporary ccache and remove that when the install
exits (successful or not)


Done.


- remove the temporary krb5.conf you create


Done.


- be a bit more explicit what we are doing, at least more than "Run
connection check to master".


Actually, I am if you run the new script separately. I removed "--quiet"
parameter passed to the script in ipa-replica-install so that it is more
verbose. Plus, I improved texts sent to the user.


- yes, we should remove the replica file contents


I enhanced ipa-replica-install to do that.

Martin



Works great until the very end:
...
...

Execute check on remote master
Check connection from master to remote replica 'slinky.greyoak.com':
   Directory Service: unsecure port (389): FAILED
   Directory Service: secure port (636): FAILED
   Kerberos (88): OK

Remote master check failed with following error message(s):
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Unaccessible port(s): 389, 636

Connection check failed with following error: None

rob



Re: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation

2011-05-24 Thread Martin Kosek
On Mon, 2011-05-23 at 16:41 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > This is a first version of connection checking program for replica
> > installation. See patch for program purpose description. Currently,
> > there are no man pages for the program.
> >
> > Note to Simo and Rob: I use password for logging as admin. Btw would it
> > be safe to have an admin keytab in the replica file? Replica file
> > contents are lying freely in /tmp after the replica installation.
> >
> > Martin
> 
> nack, you aren't including the new binary in the spec.

Oh, thanks for this one.

> 
> You should also:
> 
> - set KRB5CCNAME to a temporary ccache and remove that when the install 
> exits (successful or not)

Done.

> - remove the temporary krb5.conf you create

Done.

> - be a bit more explicit what we are doing, at least more than "Run 
> connection check to master".

Actually, I am if you run the new script separately. I removed "--quiet"
parameter passed to the script in ipa-replica-install so that it is more
verbose. Plus, I improved texts sent to the user.

> - yes, we should remove the replica file contents

I enhanced ipa-replica-install to do that.

Martin

From 157e63026baf0c59cb3d5efacb1b6cfd4e268a89 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Sun, 22 May 2011 19:17:07 +0200
Subject: [PATCH] Connection check program for replica installation

When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.

This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:

1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
   automatically:
 a) kinit to master as default admin user with given password
 b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
   the replica and prints the check result

This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.

https://fedorahosted.org/freeipa/ticket/1107
---
 freeipa.spec.in |1 +
 install/tools/ipa-replica-conncheck |  372 +++
 install/tools/ipa-replica-install   |   38 +++
 install/tools/man/ipa-replica-install.1 |6 +
 ipapython/ipautil.py|   73 ++
 5 files changed, 490 insertions(+), 0 deletions(-)
 create mode 100755 install/tools/ipa-replica-conncheck

diff --git a/freeipa.spec.in b/freeipa.spec.in
index b9366165a6efe9515e9b3527947d301948a714f5..5042bfe592014b49b0691081831e603e6156e8ce 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -357,6 +357,7 @@ fi
 %doc COPYING README Contributors.txt
 %{_sbindir}/ipa-dns-install
 %{_sbindir}/ipa-server-install
+%{_sbindir}/ipa-replica-conncheck
 %{_sbindir}/ipa-replica-install
 %{_sbindir}/ipa-replica-prepare
 %{_sbindir}/ipa-replica-manage
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
new file mode 100755
index ..db1380491cc64e56daefb3cd23c2c3123a4c9cca
--- /dev/null
+++ b/install/tools/ipa-replica-conncheck
@@ -0,0 +1,372 @@
+#! /usr/bin/python -E
+# Authors: Martin Kosek 
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+
+from ipapython.config import IPAOptionParser
+from ipapython import version
+from ipapython import ipautil
+from ipapython.ipautil import CalledProcessError
+import ipaclient.ipachangeconf
+from optparse import OptionGroup
+import logging
+import sys
+import os
+import signal
+import tempfile
+import getpass
+import socket
+import time
+import threading
+import errno
+
+CONNECT_TIMEOUT = 5
+RESPONDERS = [ ]
+QUIET = False
+CCACHE_FILE = "/etc/ipa/.conncheck_ccache"
+KRB5_CONFIG = None
+
+class CheckedPort(object):
+def __init__(self, port, stream, description):
+self.port = port
+self.stream = stream
+self.description = description
+
+BASE_PORTS = [ 
+CheckedPort(389, True, "Directory Service:
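Review bot: `CCACHE_FILE = "/etc/ipa/.conncheck_ccache"` in the module constants is a fixed, predictable path rather than the temporary ccache requested in review. Two concurrent runs would share one cache, and the admin credentials obtained by the kinit step stay on disk under /etc/ipa if the process is killed before cleanup runs. The file already imports tempfile, so create the cache with tempfile.mkstemp() or inside a tempfile.mkdtemp() directory, export that name through KRB5CCNAME, and remove it in a finally block.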

Re: [Freeipa-devel] [PATCH] 068 Connection check program for replica installation

2011-05-23 Thread Rob Crittenden

Martin Kosek wrote:

This is a first version of connection checking program for replica
installation. See patch for program purpose description. Currently,
there are no man pages for the program.

Note to Simo and Rob: I use password for logging as admin. Btw would it
be safe to have an admin keytab in the replica file? Replica file
contents are lying freely in /tmp after the replica installation.

Martin


nack, you aren't including the new binary in the spec.

You should also:

- set KRB5CCNAME to a temporary ccache and remove that when the install 
exits (successful or not)

- remove the temporary krb5.conf you create
- be a bit more explicit what we are doing, at least more than "Run 
connection check to master".

- yes, we should remove the replica file contents

rob
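
Rob's two cleanup requests above (a temporary ccache selected through KRB5CCNAME, and removal of the temporary krb5.conf whether or not the install succeeds), as an added Python 3 example that is not code from the patch. `private_krb5_env`, `simulate_install`, the realm `EXAMPLE.TEST` and the host `master.example.test` are hypothetical, and a placeholder file stands in for the cache that kinit would write.

```python
import contextlib
import os
import shutil
import stat
import tempfile

# Minimal krb5.conf for one realm; the caller supplies realm and KDC.
KRB5_CONF_TEMPLATE = """\
[libdefaults]
 default_realm = {realm}
 dns_lookup_kdc = false

[realms]
 {realm} = {{
  kdc = {kdc}
 }}
"""

_ENV_KEYS = ("KRB5CCNAME", "KRB5_CONFIG")


@contextlib.contextmanager
def private_krb5_env(realm, kdc):
    """Point Kerberos at a throwaway ccache and krb5.conf, then remove both.

    Hypothetical helper. Everything lives in one mkdtemp() directory
    (mode 0700, unpredictable name), so a single rmtree() in the finally
    block covers success, failure and exceptions alike.
    """
    workdir = tempfile.mkdtemp(prefix="conncheck-")
    saved = {key: os.environ.get(key) for key in _ENV_KEYS}
    try:
        conf_path = os.path.join(workdir, "krb5.conf")
        # O_EXCL refuses to follow a pre-existing file or symlink.
        fd = os.open(conf_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as conf:
            conf.write(KRB5_CONF_TEMPLATE.format(realm=realm, kdc=kdc))
        os.environ["KRB5CCNAME"] = "FILE:" + os.path.join(workdir, "ccache")
        os.environ["KRB5_CONFIG"] = conf_path
        yield workdir
    finally:
        # Restore the caller's environment exactly as it was.
        for key, value in saved.items():
            if value is None:
                os.environ.pop(key, None)
            else:
                os.environ[key] = value
        shutil.rmtree(workdir, ignore_errors=True)


def simulate_install(fail):
    """Constructed stand-in for the install step; runs no kinit or ssh."""
    before = os.environ.get("KRB5CCNAME")
    seen = {"failed": False}
    try:
        with private_krb5_env("EXAMPLE.TEST", "master.example.test") as workdir:
            seen["workdir"] = workdir
            seen["ccname"] = os.environ["KRB5CCNAME"]
            seen["dir_mode"] = stat.S_IMODE(os.stat(workdir).st_mode)
            seen["conf_mode"] = stat.S_IMODE(
                os.stat(os.environ["KRB5_CONFIG"]).st_mode)
            # Placeholder for the credential cache kinit would create.
            with open(os.path.join(workdir, "ccache"), "w") as cache:
                cache.write("constructed placeholder, not a credential\n")
            if fail:
                raise RuntimeError("simulated connection check failure")
    except RuntimeError:
        seen["failed"] = True
    seen["left_behind"] = os.path.exists(seen["workdir"])
    seen["env_restored"] = os.environ.get("KRB5CCNAME") == before
    return seen


if __name__ == "__main__":
    for outcome in (False, True):
        print(simulate_install(fail=outcome))
```
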



[Freeipa-devel] [PATCH] 068 Connection check program for replica installation

2011-05-23 Thread Martin Kosek
This is a first version of connection checking program for replica
installation. See patch for program purpose description. Currently,
there are no man pages for the program.

Note to Simo and Rob: I use password for logging as admin. Btw would it
be safe to have an admin keytab in the replica file? Replica file
contents are lying freely in /tmp after the replica installation.

Martin

From b21881ede5e64f07ecd5a7570ee218b7305953ce Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Sun, 22 May 2011 19:17:07 +0200
Subject: [PATCH] Connection check program for replica installation

When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.

This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:

1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
   automatically:
 a) kinit to master as default admin user with given password
 b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
   the replica and prints the check result

This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.

https://fedorahosted.org/freeipa/ticket/1107
---
 install/tools/ipa-replica-conncheck |  360 +++
 install/tools/ipa-replica-install   |   28 +++
 install/tools/man/ipa-replica-install.1 |6 +
 ipapython/ipautil.py|   73 +++
 4 files changed, 467 insertions(+), 0 deletions(-)
 create mode 100755 install/tools/ipa-replica-conncheck

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
new file mode 100755
index ..d6dde4ac982dd9a7cfe6b44461044c247fd31041
--- /dev/null
+++ b/install/tools/ipa-replica-conncheck
@@ -0,0 +1,360 @@
+#! /usr/bin/python -E
+# Authors: Martin Kosek 
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+
+from ipapython.config import IPAOptionParser
+from ipapython import version
+from ipapython import ipautil
+from ipapython.ipautil import CalledProcessError
+import ipaclient.ipachangeconf
+from optparse import OptionGroup
+import logging
+import sys
+import os
+import signal
+import tempfile
+import getpass
+import socket
+import time
+import threading
+import errno
+
+CONNECT_TIMEOUT = 5
+RESPONDERS = [ ]
+QUIET = False
+
+class CheckedPort(object):
+def __init__(self, port, stream, description):
+self.port = port
+self.stream = stream
+self.description = description
+
+BASE_PORTS = [ 
+CheckedPort(389, True, "Directory Service: unsecure port"),
+CheckedPort(636, True, "Directory Service: secure port"),
+CheckedPort(88, False, "Kerberos"),
+ ]
+
+CA_PORTS  = [
+CheckedPort(7389, True, "PKI-CA: Directory Service"),
+CheckedPort(9444, True, "PKI-CA: EE Secure port"),
+CheckedPort(9445, True, "PKI-CA: Admin Secure port"),
+CheckedPort(9446, True, "PKI-CA: EE Secure Client Auth port"),
+CheckedPort(9180, True, "PKI-CA: Unsecure port"),
+]
+
+def print_info(msg):
+if not QUIET:
+print msg
+
+def parse_options():
+parser = IPAOptionParser(version=version.VERSION)
+
+replica_group = OptionGroup(parser, "on-replica options")
+replica_group.add_option("-m", "--master", dest="master",
+  help="Master address with running IPA for output connection check")
+replica_group.add_option("-a", "--auto-master-check", dest="auto_master_check",
+  action="store_true",
+  default=False,
+  help="Automatically execute connection check on master")
+replica_group.add_option("-r", "--realm", dest="realm",
+  help="Realm name")
+replica_group.add_option("-k", "--kdc", dest="kdc",
+  help="Mast
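Review bot: in `BASE_PORTS`, `CheckedPort(88, False, "Kerberos")` is the only entry with stream set to False, so Kerberos is probed on a single transport while every other service is probed as a stream. If the flag selects TCP versus UDP, the other transport on port 88 is never tested and a firewall that blocks only that one passes the check. Consider adding a second entry for port 88 with stream=True, and give `CheckedPort` a docstring stating what `stream` means, since nothing in the class says so. Separately, the --master help text "for output connection check" reads as if "outgoing" was meant.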