URL: https://github.com/freeipa/freeipa/pull/2360
Author: t-woerner
Title: #2360: [Backport][ipa-4-7] DL0 removal: 1st step hide DL0 specific options and commands
Action: opened

PR body:
"""
This PR was opened manually because PR #2223 was pushed to master and backport 
to ipa-4-7 has been proposed.

The direct follow-up will be the back port of PR #2234 (Disable DL0 specific 
tests) and maybe PR #2350 (DL0 removal 2nd step).

Please vote for 4.7 inclusion.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2360/head:pr2360
git checkout pr2360
From c230b3784197d1970d0d7208425b948e9e50738a Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Tue, 7 Aug 2018 10:59:38 +0200
Subject: [PATCH 01/15] Do not install ipa-replica-prepare

ipa-replica-prepare (script and man page) is only needed for DL0 support.
The script and man page are not installed anymore and also removed from
the spec file.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 freeipa.spec.in               | 2 --
 install/tools/Makefile.am     | 1 -
 install/tools/man/Makefile.am | 1 -
 3 files changed, 4 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0d453baf84..342a81a263 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1302,7 +1302,6 @@ fi
 %{_sbindir}/ipa-server-install
 %{_sbindir}/ipa-replica-conncheck
 %{_sbindir}/ipa-replica-install
-%{_sbindir}/ipa-replica-prepare
 %{_sbindir}/ipa-replica-manage
 %{_sbindir}/ipa-csreplica-manage
 %{_sbindir}/ipa-server-certinstall
@@ -1358,7 +1357,6 @@ fi
 %{_mandir}/man1/ipa-replica-install.1*
 %{_mandir}/man1/ipa-replica-manage.1*
 %{_mandir}/man1/ipa-csreplica-manage.1*
-%{_mandir}/man1/ipa-replica-prepare.1*
 %{_mandir}/man1/ipa-server-certinstall.1*
 %{_mandir}/man1/ipa-server-install.1*
 %{_mandir}/man1/ipa-server-upgrade.1*
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 7167b3875e..727b3b80eb 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -43,7 +43,6 @@ nodist_sbin_SCRIPTS =		\
 	ipa-adtrust-install	\
 	ipa-replica-conncheck	\
 	ipa-replica-install	\
-	ipa-replica-prepare	\
 	ipa-replica-manage	\
 	ipa-csreplica-manage	\
 	ipa-server-certinstall  \
diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
index 2dac9ac716..f488aae1c7 100644
--- a/install/tools/man/Makefile.am
+++ b/install/tools/man/Makefile.am
@@ -9,7 +9,6 @@ dist_man1_MANS = 			\
 	ipa-replica-install.1		\
 	ipa-replica-manage.1		\
 	ipa-csreplica-manage.1		\
-	ipa-replica-prepare.1		\
 	ipa-server-certinstall.1	\
 	ipa-server-install.1		\
 	ipa-server-upgrade.1		\

From 56234e45378507d421b6cf1a1030fb0453d89b27 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Tue, 7 Aug 2018 11:03:17 +0200
Subject: [PATCH 02/15] Increase MIN_DOMAIN_LEVEL to DOMAIN_LEVEL_1

With increasing the minimal domain level to 1, ipa-replica-install will
refuse to install if the domain has domain level 0.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 ipalib/constants.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index b128b022ca..41da33cf4c 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -255,7 +255,7 @@
 DOMAIN_LEVEL_0 = 0  # compat
 DOMAIN_LEVEL_1 = 1  # replica promotion, topology plugin
 
-MIN_DOMAIN_LEVEL = DOMAIN_LEVEL_0
+MIN_DOMAIN_LEVEL = DOMAIN_LEVEL_1
 MAX_DOMAIN_LEVEL = DOMAIN_LEVEL_1
 
 # Constants used in generation of replication agreements and as topology
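Review bot: with this change MIN_DOMAIN_LEVEL equals MAX_DOMAIN_LEVEL, so level 1 is the only value check_domain_level_is_supported will accept from now on; DOMAIN_LEVEL_0 itself is kept (the "# compat" comment), which is right for this step because other modules still import it (adtrust.py is only switched to MIN_DOMAIN_LEVEL in patch 13 of this series).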

From 6b87821fe76e821e5b2b8be1cfdae60b4a25be2c Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Tue, 7 Aug 2018 11:05:20 +0200
Subject: [PATCH 03/15] Mark replica_file option as deprecated

The replica_file option is only supported for DL0. The option will be
marked deprecated for now.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 ipalib/install/service.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipalib/install/service.py b/ipalib/install/service.py
index a101b7ca60..e3c446a266 100644
--- a/ipalib/install/service.py
+++ b/ipalib/install/service.py
@@ -153,6 +153,7 @@ def realm_name(self, value):
     replica_file = knob(
         str, None,
         description="a file generated by ipa-replica-prepare",
+        deprecated=True
     )
     replica_file = replica_install_only(replica_file)
 
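Review bot: the new `deprecated=True` argument is missing the trailing comma that the preceding `description=...` line carries, so the next kwarg added here will produce a noisy diff; also the description still advertises "a file generated by ipa-replica-prepare" although patch 01 stops installing that tool, so consider wording it as deprecated / domain level 0 only so `--help` output stays consistent with the man pages touched later in this series.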

From be3cd139339ae881c219c9bb39e8a3367538f0dc Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Tue, 7 Aug 2018 11:07:30 +0200
Subject: [PATCH 04/15] Raise error if DL is set to 0 or DL0 options are used

In the case that the domain level is set to 0 or replica_file is set (not
None) an error will be raised.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 ipaserver/install/server/__init__.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index af046e80c8..7c9d6293c7 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -338,6 +338,11 @@ def _is_promote(self):
     def __init__(self, **kwargs):
         super(ServerInstallInterface, self).__init__(**kwargs)
 
+        # Domain level 0 is not supported anymore
+        if not self._is_promote():
+            raise RuntimeError(
+                "Domain level 0 is not supported anymore.")
+
         # pkinit is not supported on DL0, don't allow related options
         if not self._is_promote():
             if (self.no_pkinit or self.pkinit_cert_files is not None or
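Review bot: the new guard raises on exactly the same condition (`not self._is_promote()`) as the pkinit check that immediately follows it, which turns that entire block into unreachable code; either drop the pkinit block here or, if this step must not remove code, restructure the two checks as patch 10 in this series does for the other sites, otherwise pylint will flag it.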
@@ -501,6 +506,8 @@ def __init__(self, **kwargs):
                         "domain via the --domain option")
 
             else:
+                # Domain level 0 is not supported anymore
+
                 if not os.path.isfile(self.replica_file):
                     raise RuntimeError(
                         "Replica file %s does not exist" % self.replica_file)
@@ -636,6 +643,9 @@ def main(self):
         if self.replica_file is None:
             replica_promote_check(self)
         else:
+            # Domain level 0 is not supported anymore
+            raise RuntimeError(
+                "Domain level 0 is not supported anymore.")
             replica_install_check(self)
         yield
         replica_install(self)
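Review bot: `raise RuntimeError(...)` placed directly before `replica_install_check(self)` makes that call unreachable, which pylint will report (patch 10 of this series moves the raise ahead of the if/else for that reason); the two should be squashed or reordered so the intermediate commit also passes lint.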

From 3c6c0a83ad04ea2aed29d557b38f61153705f1f8 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Tue, 7 Aug 2018 11:14:51 +0200
Subject: [PATCH 05/15] Remove support for replica_file option from
 ipa-ca-install

Raise "Domain level 0 is not supported anymore" error if there are
remaining args after parsing. Remove all "DOMAIN LEVEL 0" and
"DOMAIN LEVEL 1" prefixes from the man page.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 install/tools/ipa-ca-install.in    | 3 ++-
 install/tools/man/ipa-ca-install.1 | 9 ++-------
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/install/tools/ipa-ca-install.in b/install/tools/ipa-ca-install.in
index e955d0a912..1de822501a 100644
--- a/install/tools/ipa-ca-install.in
+++ b/install/tools/ipa-ca-install.in
@@ -49,7 +49,7 @@ log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
 REPLICA_INFO_TOP_DIR = None
 
 def parse_options():
-    usage = "%prog [options] [REPLICA_FILE]"
+    usage = "%prog [options]"
     parser = IPAOptionParser(usage=usage, version=version.VERSION)
     parser.add_option("-d", "--debug", dest="debug", action="store_true",
                       default=False, help="gather extra debugging information")
@@ -105,6 +105,7 @@ def parse_options():
     safe_options = parser.get_safe_opts(options)
 
     if args:
+        parser.error("Domain level 0 is not supported anymore")
         filename = args[0]
 
         if len(args) != 1:
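Review bot: `parser.error()` prints the usage message and exits, so `filename = args[0]` and the following `len(args) != 1` check are now dead code; since the usage string no longer advertises a positional argument, the branch can shrink to the single `parser.error(...)` call, or the remaining lines need a comment explaining why they are retained for this step.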
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index 99ff918789..5ac7e2b754 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
@@ -20,20 +20,15 @@
 .SH "NAME"
 ipa\-ca\-install \- Install a CA on a server
 .SH "SYNOPSIS"
-.SS "DOMAIN LEVEL 0"
-.TP
-ipa\-ca\-install [\fIOPTION\fR]... [replica_file]
-.SS "DOMAIN LEVEL 1"
 .TP
 ipa\-ca\-install [\fIOPTION\fR]...
 .SH "DESCRIPTION"
 Adds a CA as an IPA\-managed service. This requires that the IPA server is already installed and configured.
 
-In a domain at domain level 0, you can run ipa\-ca\-install without replica_file to upgrade from CA-less to CA-full, or with replica_file to install the CA service on the replica.
+ipa\-ca\-install can be used to upgrade from CA-less to CA-full or to install the CA service on a replica.
 
-The replica_file is created using the ipa\-replica\-prepare utility and should be the same one used when originally installing the replica.
+Domain level 0 is not supported anymore.
 
-In a domain at domain level 1, ipa\-ca\-install can be used to upgrade from CA-less to CA-full or to install the CA service on a replica, and does not require any replica file.
 .SH "OPTIONS"
 \fB\-d\fR, \fB\-\-debug\fR
 Enable debug logging when more verbose output is needed

From 2f56e528f4f52742a9f6ce037395a80f4e9c026f Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Tue, 7 Aug 2018 11:17:23 +0200
Subject: [PATCH 06/15] Remove support for replica_file option from
 ipa-kra-install

Raise "Domain level 0 is not supported anymore" error if there are
remaining args after parsing. Remove all "DOMAIN LEVEL 0" and
"DOMAIN LEVEL 1" prefixes from the man page.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 install/tools/man/ipa-kra-install.1  | 11 ++---------
 ipaserver/install/ipa_kra_install.py |  7 ++++++-
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1
index 51afaac647..b7661f7cc8 100644
--- a/install/tools/man/ipa-kra-install.1
+++ b/install/tools/man/ipa-kra-install.1
@@ -20,10 +20,6 @@
 .SH "NAME"
 ipa\-kra\-install \- Install a KRA on a server
 .SH "SYNOPSIS"
-.SS "DOMAIN LEVEL 0"
-.TP
-ipa\-kra\-install [\fIOPTION\fR]... [replica_file]
-.SS "DOMAIN LEVEL 1"
 .TP
 ipa\-kra\-install [\fIOPTION\fR]...
 .SH "DESCRIPTION"
@@ -31,12 +27,9 @@ Adds a KRA as an IPA\-managed service. This requires that the IPA server is alre
 
 The KRA (Key Recovery Authority) is a component used to securely store secrets such as passwords, symmetric keys and private asymmetric keys.  It is used as the back-end repository for the IPA Password Vault.
 
-In a domain at domain level 0, ipa\-kra\-install can be run without replica_file to add KRA to the existing CA, or with replica_file to install the KRA service on the replica.
-ipa\-kra\-install will contact the CA to determine if a KRA has already been installed on another replica, and if so, will exit indicating that a replica_file is required.
-
-The replica_file is created using the ipa\-replica\-prepare utility.  A new replica_file should be generated on the master IPA server after the KRA has been installed and configured, so that the replica_file will contain the master KRA configuration and system certificates.
+Domain level 0 is not supported anymore.
 
-In a domain at domain level 1, ipa\-kra\-install can be used to add KRA to the existing CA, or to install the KRA service on a replica, and does not require any replica file.
+ipa\-kra\-install can be used to add KRA to the existing CA, or to install the KRA service on a replica.
 
 KRA can only be removed along with the entire server using ipa\-server\-install \-\-uninstall.
 .SH "OPTIONS"
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index 29f54239c3..ac5a27b32e 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -48,7 +48,7 @@ class KRAInstall(admintool.AdminTool):
 
     command_name = 'ipa-kra-install'
 
-    usage = "%prog [options] [replica_file]"
+    usage = "%prog [options]"
 
     description = "Install a master or replica KRA."
 
@@ -121,6 +121,8 @@ def validate_options(self, needs_root=True):
         if len(self.args) > 1:
             self.option_parser.error("Too many arguments provided")
         elif len(self.args) == 1:
+            # Domain level 0 is not supported anymore
+            self.option_parser.error("Domain level 0 is not supported anymore")
             self.replica_file = self.args[0]
             if not os.path.isfile(self.replica_file):
                 self.option_parser.error(
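Review bot: as in the ipa-ca-install change, `self.option_parser.error()` terminates the process, so the assignment to `self.replica_file` and the `os.path.isfile` check below it can never run; reduce the `elif` body to the error call or mark the retained lines as intentionally kept.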
@@ -191,6 +193,9 @@ def run(self):
                 config.top_dir = tempfile.mkdtemp("ipa")
                 config.dir = config.top_dir
             else:
+                # Domain level 0 is not supported anymore
+                raise admintool.ScriptError(
+                    "Domain level 0 is not supported anymore")
                 config = create_replica_config(
                     self.options.password,
                     self.replica_file,
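Review bot: the `raise admintool.ScriptError(...)` placed ahead of `config = create_replica_config(...)` leaves that statement unreachable and will trip pylint; patch 10 in this series already moves the check in front of the `if self.options.promote:` branch, so consider squashing the two commits to keep every intermediate revision lint-clean.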

From ba0d81c77be9e3f87a6e7fa5911465539f95a8e3 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Tue, 7 Aug 2018 11:20:25 +0200
Subject: [PATCH 07/15] Remove DL0 specific sections from ipa-replica-install
 man page

Remove replica_file option and all "DOMAIN LEVEL 0" and "DOMAIN LEVEL 1"
prefixes and also sections specific to DL0 from the man page.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 install/tools/man/ipa-replica-install.1 | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 2ac52210f7..7f6ca57e50 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -5,22 +5,18 @@
 .SH "NAME"
 ipa\-replica\-install \- Create an IPA replica
 .SH "SYNOPSIS"
-.SS "DOMAIN LEVEL 0"
-.TP
-ipa\-replica\-install [\fIOPTION\fR]... [replica_file]
-.SS "DOMAIN LEVEL 1"
 .TP
 ipa\-replica\-install [\fIOPTION\fR]...
 .SH "DESCRIPTION"
 Configures a new IPA server that is a replica of the server. Once it has been created it is an exact copy of the original IPA server and is an equal master. Changes made to any master are automatically replicated to other masters.
 
-To create a replica in a domain at domain level 0, you need to provide an replica file. The replica_file is created using the ipa\-replica\-prepare utility.
+Domain level 0 is not supported anymore.
 
-To create a replica in a domain at domain level 1, you don't have to provide a replica file, the machine only needs to be enrolled in the FreeIPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
+To create a replica, the machine only needs to be enrolled in the FreeIPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
 
 If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica.
 
-To promote a blank machine into a replica, you have two options, you can either run ipa\-client\-install in a separate step, or pass the enrollment related options to the ipa\-replica\-install (see DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS). In the latter case, ipa\-replica\-install will join the machine to the IPA realm automatically and will proceed with the promotion step.
+To promote a blank machine into a replica, you have two options, you can either run ipa\-client\-install in a separate step, or pass the enrollment related options to the ipa\-replica\-install (see CLIENT ENROLLMENT OPTIONS). In the latter case, ipa\-replica\-install will join the machine to the IPA realm automatically and will proceed with the promotion step.
 
 If the installation fails you may need to run ipa\-server\-install \-\-uninstall and ipa\-client\-install before running ipa\-replica\-install again.
 
@@ -28,7 +24,7 @@ The installation will fail if the host you are installing the replica on exists
 
 A replica should only be installed on the same or higher version of IPA on the remote system.
 .SH "OPTIONS"
-.SS "DOMAIN LEVEL 1 OPTIONS"
+.SS "OPTIONS"
 .TP
 \fB\-P\fR, \fB\-\-principal\fR
 The user principal which will be used to promote the client to the replica and enroll the client itself, if necessary.
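Review bot: the renamed `.SS "OPTIONS"` now sits directly under `.SH "OPTIONS"` with the same title, which renders as a duplicated heading; either drop the `.SS` line or give the subsection a distinguishing name such as "PROMOTION OPTIONS" so `-P` and `-w` remain visibly grouped.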
@@ -36,7 +32,7 @@ The user principal which will be used to promote the client to the replica and e
 \fB\-w\fR, \fB\-\-admin\-password\fR
 The Kerberos password for the given principal.
 
-.SS "DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS"
+.SS "CLIENT ENROLLMENT OPTIONS"
 To install client and promote it to replica using a host keytab or One Time Password, the host needs to be a member of ipaservers group. This requires to create a host entry and add it to the host group prior replica installation.
 
 \-\-server, \-\-domain, \-\-realm  options are autodiscovered via DNS records by default. See manual page
@@ -66,14 +62,6 @@ The hostname of this machine (FQDN). If specified, the hostname will be set and
 \fB\-\-force\-join\fR
 Join the host even if it is already enrolled.
 
-.SS "DOMAIN LEVEL 0 OPTIONS"
-.TP
-\fB\-p\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
-Directory Manager (existing master) password
-.TP
-\fB\-w\fR, \fB\-\-admin\-password\fR
-Admin user Kerberos password used for connection check
-
 .SS "BASIC OPTIONS"
 .TP
 \fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
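Review bot: removing the "DOMAIN LEVEL 0 OPTIONS" block also removes the only description of `-p`/`--password`; the retained test_password_option_DL1 (context lines of the patch 11 hunk) still sets and asserts `ic.password`, so the installer keeps accepting the option and it should either be documented under the remaining sections or explicitly listed as deprecated in the man page.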
@@ -123,7 +111,7 @@ Install and configure a CA on this replica. If a CA is not configured then
 certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
+Disables pkinit setup steps.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key

From 7ba050e10d0d88f3a97e52f72209244a2a1d4692 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Tue, 7 Aug 2018 11:24:48 +0200
Subject: [PATCH 08/15] Remove "at DL1" from ipa-replica-manage man page

As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 install/tools/man/ipa-replica-manage.1 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1
index f87184b19a..239f1591c4 100644
--- a/install/tools/man/ipa-replica-manage.1
+++ b/install/tools/man/ipa-replica-manage.1
@@ -24,19 +24,19 @@ ipa\-replica\-manage [\fIOPTION\fR]... [COMMAND]
 .SH "DESCRIPTION"
 Manages the replication agreements of an IPA server.
 
-To manage IPA replication agreements in a domain at domain level 1, use IPA CLI
+To manage IPA replication agreements in a domain, use IPA CLI
 or Web UI, see `ipa help topology` for additional information.
 
 The available commands are:
 .TP
 \fBconnect\fR [SERVER_A] <SERVER_B>
-\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B. At domain level 1 applicable only for winsync agreements.
+\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B. Applicable only for winsync agreements.
 .TP
 \fBdisconnect\fR [SERVER_A] <SERVER_B>
-\- Removes a replication agreement between SERVER_A/localhost and SERVER_B. At domain level 1 applicable only for winsync agreements.
+\- Removes a replication agreement between SERVER_A/localhost and SERVER_B. Applicable only for winsync agreements.
 .TP
 \fBdel\fR <SERVER>
-\- Removes all replication agreements and data about SERVER. At domain level 1 it removes data and agreements for both suffixes - domain and ca.
+\- Removes all replication agreements and data about SERVER. Removes data and agreements for both suffixes - domain and ca.
 .TP
 \fBlist\fR [SERVER]
 \- Lists all the servers or the list of agreements of SERVER
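Review bot: the `del` description now reads as two overlapping sentences ("Removes all replication agreements and data about SERVER. Removes data and agreements for both suffixes"); merge them into one, e.g. "Removes all replication agreements and data about SERVER for both suffixes - domain and ca." Likewise "in a domain" in the first changed sentence no longer distinguishes anything and can be dropped.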

From 001b611e24d690f15a1108bc41883578c19c7793 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Tue, 7 Aug 2018 11:29:17 +0200
Subject: [PATCH 09/15] Remove "at DL1" from ipa-server-install man page

As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 install/tools/man/ipa-server-install.1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 6fb0a68b6f..019c157fa6 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -63,10 +63,10 @@ The maximum user and group id number (default: idstart+199999). If set to zero,
 Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
 .TP
 \fB\-\-ignore-topology-disconnect\fR
-Ignore errors reported when IPA server uninstall would lead to disconnected topology. This option can be used only when domain level is 1 or more.
+Ignore errors reported when IPA server uninstall would lead to disconnected topology.
 .TP
 \fB\-\-ignore-last-of-role\fR
-Ignore errors reported when IPA server uninstall would lead to removal of last CA/DNS server or DNSSec master. This option can be used only when domain level is 1 or more.
+Ignore errors reported when IPA server uninstall would lead to removal of last CA/DNS server or DNSSec master.
 .TP
 \fB\-\-no\-ui\-redirect\fR
 Do not automatically redirect to the Web UI.
@@ -120,7 +120,7 @@ If no template is specified, the template name "SubCA" is used.
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
+Disables pkinit setup steps.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.

From dbb5509a6a27781c62efa537e28042358afbab13 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Tue, 7 Aug 2018 15:44:56 +0200
Subject: [PATCH 10/15] Move DL0 raises outside of existing conditionals to
 calm down pylint

This pull should not remove code, therefore it is needed to add additional
conditionals to calm down pylint because of unreachable code.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 ipaserver/install/ipa_kra_install.py | 8 +++++---
 ipaserver/install/server/__init__.py | 7 ++++---
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index ac5a27b32e..96831716d0 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -182,6 +182,11 @@ def run(self):
         api.Backend.ldap2.connect()
 
         if self.installing_replica:
+            if not self.options.promote:
+                # Domain level 0 is not supported anymore
+                raise admintool.ScriptError(
+                    "Domain level 0 is not supported anymore")
+
             if self.options.promote:
                 config = ReplicaConfig()
                 config.kra_host_name = None
@@ -193,9 +198,6 @@ def run(self):
                 config.top_dir = tempfile.mkdtemp("ipa")
                 config.dir = config.top_dir
             else:
-                # Domain level 0 is not supported anymore
-                raise admintool.ScriptError(
-                    "Domain level 0 is not supported anymore")
                 config = create_replica_config(
                     self.options.password,
                     self.replica_file,
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 7c9d6293c7..94f0862970 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -640,12 +640,13 @@ def __init__(self, **kwargs):
 
     @step()
     def main(self):
-        if self.replica_file is None:
-            replica_promote_check(self)
-        else:
+        if self.replica_file is not None:
             # Domain level 0 is not supported anymore
             raise RuntimeError(
                 "Domain level 0 is not supported anymore.")
+        if self.replica_file is None:
+            replica_promote_check(self)
+        else:
             replica_install_check(self)
         yield
         replica_install(self)
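Review bot: after the new `if self.replica_file is not None: raise`, the condition of the following `if self.replica_file is None:` is always true, so `replica_install_check(self)` stays dead code, just no longer syntactically after a raise; acceptable for this "hide, don't remove" step, but the follow-up (PR #2350, the 2nd removal step named in the PR body) should collapse this into an unconditional `replica_promote_check(self)`.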

From c1ea0a38c01999a98ca15e5fb68a2edbe6076132 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Tue, 7 Aug 2018 17:51:28 +0200
Subject: [PATCH 11/15] ipatests: Drop test_password_option_DL0

DL0 is not supported anymore, therefore this test is failing.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 .../test_install/test_installer.py            | 28 -------------------
 1 file changed, 28 deletions(-)

diff --git a/ipatests/test_ipaserver/test_install/test_installer.py b/ipatests/test_ipaserver/test_install/test_installer.py
index a33680422d..d5365d43b8 100644
--- a/ipatests/test_ipaserver/test_install/test_installer.py
+++ b/ipatests/test_ipaserver/test_install/test_installer.py
@@ -146,31 +146,3 @@ def test_password_option_DL1(self):
             assert_equal(ic.password, self.PASSWORD.value)
             assert_equal(ic.principal, self.PRINCIPAL.value)
             assert_equal(ic.admin_password, self.ADMIN_PASSWORD.value)
-
-    def test_password_option_DL0(self):
-        with tempfile.NamedTemporaryFile() as repl_file:
-            REPLICA_FILE_PATH = repl_file.name
-            # when --password is set in DL0 installation, it sets both
-            # password and dm_password attributes
-            for passwd_opt in self.all_option_permutations(self.PASSWORD):
-                ic = self.get_installer_instance(
-                    self.combine_options(passwd_opt, REPLICA_FILE_PATH)
-                )
-                assert_equal(ic.password, self.PASSWORD.value)
-                assert_equal(ic.dm_password, self.PASSWORD.value)
-                assert_equal(ic.admin_password, None)
-                assert_equal(ic.principal, None)
-
-            # try adding admin_password just to see it is set correctly
-            for passwd_opt, adm_password_opt in (
-                self.all_option_permutations(
-                    self.PASSWORD, self.ADMIN_PASSWORD)
-            ):
-                ic = self.get_installer_instance(
-                    self.combine_options(passwd_opt, adm_password_opt,
-                                         REPLICA_FILE_PATH)
-                )
-                assert_equal(ic.password, self.PASSWORD.value)
-                assert_equal(ic.admin_password, self.ADMIN_PASSWORD.value)
-                assert_equal(ic.dm_password, self.PASSWORD.value)
-                assert_equal(ic.principal, None)

From 28f60e71975cb122ff27ebc7b65a2eb8e731183e Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Wed, 8 Aug 2018 08:44:32 +0200
Subject: [PATCH 12/15] ipatests/test_ipaserver/test_install/test_installer.py:
 Drop tempfile import

This is not needed anymore due to the removal of the DL0 test.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 ipatests/test_ipaserver/test_install/test_installer.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipatests/test_ipaserver/test_install/test_installer.py b/ipatests/test_ipaserver/test_install/test_installer.py
index d5365d43b8..b7e9c62faf 100644
--- a/ipatests/test_ipaserver/test_install/test_installer.py
+++ b/ipatests/test_ipaserver/test_install/test_installer.py
@@ -8,7 +8,6 @@
 from abc import ABCMeta, abstractproperty
 from collections import namedtuple
 import itertools
-import tempfile
 
 from ipatests.util import assert_equal
 from ipaserver.install.ipa_replica_install import ReplicaInstall

From 0a5063d92076f0cc2bdff3b565bc1656d3e9e824 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Wed, 8 Aug 2018 09:52:23 +0200
Subject: [PATCH 13/15] ipaserver/install/adtrust.py: Do not use DOMAIN_LEVEL_0
 for minimum

As there is the minimal domain level setting MIN_DOMAIN_LEVEL, it should
be used instead of DOMAIN_LEVEL_0.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 ipaserver/install/adtrust.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
index f4496adb0e..e9ae3fa3ed 100644
--- a/ipaserver/install/adtrust.py
+++ b/ipaserver/install/adtrust.py
@@ -13,7 +13,7 @@
 
 import six
 
-from ipalib.constants import DOMAIN_LEVEL_0
+from ipalib.constants import MIN_DOMAIN_LEVEL
 from ipalib import errors
 from ipalib.install.service import ServiceAdminInstallInterface
 from ipalib.install.service import replica_install_only
@@ -258,7 +258,7 @@ def retrieve_potential_adtrust_agents(api):
         # because only these masters will have SSSD recent enough
         # to support AD trust agents
         dl_enabled_masters = api.Command.server_find(
-            ipamindomainlevel=DOMAIN_LEVEL_0, all=True)['result']
+            ipamindomainlevel=MIN_DOMAIN_LEVEL, all=True)['result']
     except (errors.DatabaseError, errors.NetworkError) as e:
         logger.error(
             "Could not retrieve a list of existing IPA masters: %s", e)

From 5346d8259c0c12f538d0403e78855da1570718c3 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Wed, 8 Aug 2018 11:12:09 +0200
Subject: [PATCH 14/15] ipatests/test_xmlrpc/tracker/server_plugin.py: Increase
 hard coded mindomainlevel

The hard coded mindomainlevel needs to be increased to 1.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 ipatests/test_xmlrpc/tracker/server_plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/tracker/server_plugin.py b/ipatests/test_xmlrpc/tracker/server_plugin.py
index 872aec99dd..69f5f4b501 100644
--- a/ipatests/test_xmlrpc/tracker/server_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/server_plugin.py
@@ -50,7 +50,7 @@ def __init__(self, name):
                 u"ipaSupportedDomainLevelConfig"
             ],
             ipamaxdomainlevel=[u"1"],
-            ipamindomainlevel=[u"0"],
+            ipamindomainlevel=[u"1"],
         )
         self.exists = True
 

From 26fb831b5333449abf82fb369222c314cc7b7dc9 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoer...@redhat.com>
Date: Wed, 8 Aug 2018 14:05:21 +0200
Subject: [PATCH 15/15] replicainstall: Make sure that domain fulfills minimal
 domain level requirement

The old domain level check to suggest to use ipa-replica-prepare has been
converted to make sure that domain fulfills minimal domain level
requirement (no DL0).

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoer...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 ipaserver/install/server/replicainstall.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 412e9a924a..e9006b6499 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1159,13 +1159,17 @@ def promote_check(installer):
 
         promotion_check_ipa_domain(conn, remote_api.env.basedn)
 
+        # Make sure that domain fulfills minimal domain level
+        # requirement
         domain_level = current_domain_level(remote_api)
         check_domain_level_is_supported(domain_level)
-        if domain_level < constants.DOMAIN_LEVEL_1:
+        if domain_level < constants.MIN_DOMAIN_LEVEL:
             raise RuntimeError(
-                "You must provide a file generated by ipa-replica-prepare to "
-                "create a replica when the domain is at level 0."
-            )
+                "Cannot promote this client to a replica. The domain level "
+                "must be raised to {mindomainlevel} before the replica can be "
+                "installed".format(
+                    mindomainlevel=constants.MIN_DOMAIN_LEVEL
+                ))
 
         # Check authorization
         result = remote_api.Command['hostgroup_find'](
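Review bot: `check_domain_level_is_supported(domain_level)` is called one line earlier; if it already rejects levels below MIN_DOMAIN_LEVEL (which equals MAX_DOMAIN_LEVEL after patch 02), the new `if domain_level < constants.MIN_DOMAIN_LEVEL:` can never be true for a DL0 domain and the user would see that function's error rather than the new message, so confirm which check is meant to produce the user-facing text. Minor: the new message lacks the terminating period used by the other RuntimeError messages in this series.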