URL: https://github.com/freeipa/freeipa/pull/548
Author: MartinBasti
 Title: #548: ipa-server-install: add --setup-kra option
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/548/head:pr548
git checkout pr548
From 7e48767e475e3dfc804d1f721f0fe0bc6e51342e Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 2 Mar 2017 17:08:59 +0100
Subject: [PATCH 1/2] KRA: add --setup-kra to ipa-server-install

This patch allows to install KRA on first IPA server in one step using
ipa-server-install

This option improves containers installation where ipa-server can be
installed with KRA using one call without need to call docker exec.

Please note that the original `kra.install()` calls in
ipaserver/install/server/install.py were no-ops (they did
nothing), so it is safe to move them out of the CA block

https://pagure.io/freeipa/issue/6731
---
 .test_runner_config.yaml                |  3 +--
 install/tools/man/ipa-replica-install.1 |  6 ++++++
 install/tools/man/ipa-server-install.1  |  5 +++++
 ipaserver/install/server/__init__.py    |  1 -
 ipaserver/install/server/install.py     | 13 +++++++++----
 5 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml
index e473d49..b7896c3 100644
--- a/.test_runner_config.yaml
+++ b/.test_runner_config.yaml
@@ -47,8 +47,7 @@ steps:
   - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
   install_server:
   - ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password}
-    -a ${server_password} --setup-dns --auto-forwarders
-  - ipa-kra-install -p ${server_password}
+    -a ${server_password} --setup-dns --setup-kra --auto-forwarders
   lint:
   - PYTHON=/usr/bin/python2 make V=0 lint
   - PYTHON=/usr/bin/python3 make V=0 pylint
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index f9ebd87..960f102 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -146,6 +146,12 @@ Name of the Kerberos KDC SSL certificate to install
 \fB\-\-skip\-schema\-check\fR
 Skip check for updated CA DS schema on the remote master
 
+.SS "SECRET MANAGEMENT OPTIONS"
+.TP
+\fB\-\-setup\-kra\fR
+Install and configure a KRA on this replica. If a KRA is not configured then
+vault operations will be forwarded to a master with a KRA installed.
+
 .SS "DNS OPTIONS"
 .TP
 \fB\-\-setup\-dns\fR
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index cd68f72..dd4ee41 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -134,6 +134,11 @@ The subject base for certificates issued by IPA (default O=REALM.NAME).  RDNs ar
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
 Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
 
+.SS "SECRET MANAGEMENT OPTIONS"
+.TP
+\fB\-\-setup\-kra\fR
+Install and configure a KRA on this server.
+
 .SS "DNS OPTIONS"
 IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
 
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 65dfa21..5a079ee 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -533,7 +533,6 @@ class ServerMasterInstall(ServerMasterInstallInterface):
     host_password = None
     keytab = None
     setup_ca = True
-    setup_kra = False
 
     domain_name = knob(
         bases=ServerMasterInstallInterface.domain_name,
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 1e6aad9..1e67a16 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -367,9 +367,9 @@ def install_check(installer):
     if not setup_ca and options.subject_base:
         raise ScriptError(
             "--subject-base cannot be used with CA-less installation")
-
-    # first instance of KRA must be installed by ipa-kra-install
-    options.setup_kra = False
+    if not setup_ca and options.setup_kra:
+        raise ScriptError(
+            "--setup-kra cannot be used with CA-less installation")
 
     print("======================================="
           "=======================================")
@@ -384,6 +384,8 @@ def install_check(installer):
     print("  * Create and configure an instance of Directory Server")
     print("  * Create and configure a Kerberos Key Distribution Center (KDC)")
     print("  * Configure Apache (httpd)")
+    if options.setup_kra:
+        print("  * Configure KRA (dogtag) for secret management")
     if options.setup_dns:
         print("  * Configure DNS (bind)")
     if options.setup_adtrust:
@@ -598,6 +600,7 @@ def install_check(installer):
 
     if setup_ca:
         ca.install_check(False, None, options)
+    if options.setup_kra:
         kra.install_check(api, None, options)
 
     if options.setup_dns:
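Review bot: The new `if options.setup_kra:` guard around `kra.install_check` is only sound because the CA-less case is rejected earlier in install_check (the `--setup-kra cannot be used with CA-less installation` ScriptError added in the first hunk of this file), but nothing at this site says so; a reader who sees `ca.install_check` gated on `setup_ca` and `kra.install_check` gated on `options.setup_kra` alone may assume the KRA check can run without a CA. A one-line comment above the new `if` would make the dependency explicit: `# KRA requires a CA; CA-less + --setup-kra was rejected above`. install_check starts before this hunk and continues after it.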
@@ -802,7 +805,6 @@ def install(installer):
 
     if setup_ca:
         ca.install_step_1(False, None, options)
-        kra.install(api, None, options)
 
     # The DS instance is created before the keytab, add the SSL cert we
     # generated
@@ -842,6 +844,9 @@ def install(installer):
     service.print_msg("Restarting the KDC")
     krb.restart()
 
+    if options.setup_kra:
+        kra.install(api, None, options)
+
     if options.setup_dns:
         dns.install(False, False, options)
     else:
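Review bot: Now that `kra.install(api, None, options)` actually performs work (the description says the previous call inside the CA block was a no-op), a failure inside it leaves a server with a configured DS and CA and a restarted KDC but no KRA, and this hunk adds no handling for that case; whether the error path of install() and the uninstall flow cope with a half-installed KRA is outside this hunk and should be confirmed. The move from right after `ca.install_step_1` to after `krb.restart()` also deserves a comment stating the intended ordering, e.g. `# KRA install runs after the CA step and the KDC restart -- presumably it needs both; confirm before reordering`. install() starts before this hunk and continues after it.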

From c6c529caf983076379ef9b93201efa82f1a27b0d Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 7 Mar 2017 17:44:17 +0100
Subject: [PATCH 2/2] tests: use --setup-kra in tests

This will allow testing the --setup-kra option together with
ipa-server-install in the install tests

Separate installation using ipa-kra-install is already covered.

https://pagure.io/freeipa/issue/6731
---
 ipatests/test_integration/tasks.py | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 6620d12..0f96f16 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -275,6 +275,8 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
             '--forwarder', host.config.dns_forwarder,
             '--auto-reverse'
         ])
+    if setup_kra:
+        args.append('--setup-kra')
     if setup_adtrust:
         args.append('--setup-adtrust')
 
@@ -284,13 +286,6 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
     if result.returncode == 0:
         enable_replication_debugging(host)
         setup_sssd_debugging(host)
-        if setup_kra:
-            args = [
-                "ipa-kra-install",
-                "-p", host.config.dirman_password,
-                "-U",
-            ]
-            host.run_command(args)
         kinit_admin(host)
     return result
 
-- 