On Fri, 2010-01-22 at 10:30 -0500, Rob Crittenden wrote:
> Martin Nagy wrote:
> > Hi,
> > these patches will allow one to specify an ip address of the replica to
> > ipa-replica-prepare. The dns records will then be added. This should
> > make life better for QA :)
> >
> > Martin
>
> nack, it shouldn't allow the option if DNS is not configured, or at
> least it shouldn't blow up:
>
> # ipa-replica-prepare --ip-address=192.168.166.9 replica4.example.com
> Directory Manager (existing master) password:
>
> Preparing replica for replica4.example.com from luna.example.com
> Creating SSL certificate for the Directory Server
> Creating SSL certificate for the Web Server
> Exporting RA certificate
> Copying additional files
> Finalizing configuration
> Packaging replica information into
> /var/lib/ipa/replica-info-replica4.example.com.gpg
> Adding DNS records for replica4.example.com
> preparation of replica failed: no such entry
> no such entry
> File "/usr/sbin/ipa-replica-prepare", line 338, in <module>
> main()
>
> File "/usr/sbin/ipa-replica-prepare", line 329, in main
> zone = add_zone(domain)
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py",
> line 73, in add_zone
> idnsupdatepolicy=unicode(update_policy))
>
> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 412,
> in __call__
> ret = self.run(*args, **options)
>
> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 680,
> in run
> return self.execute(*args, **options)
>
> File "/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py", line
> 203, in execute
> ldap.add_entry(dn, entry_attrs)
>
> File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 188,
> in new_f
> return f(*new_args, **kwargs)
>
> File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
> line 334, in add_entry
> _handle_errors(e, **{})
>
> File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
> line 71, in _handle_errors
> raise errors.NotFound(reason='no such entry')
>
> rob
Thanks, new patches attached.
Martin
>From 738dd1f022a946ff0b574128e9ed358efb5d3451 Mon Sep 17 00:00:00 2001
From: Martin Nagy <mn...@redhat.com>
Date: Mon, 8 Feb 2010 14:21:46 +0100
Subject: [PATCH 1/2] Get rid of ipapython.config in ipa-replica-prepare
Also get rid of functions get_host_name(), get_realm_name() and
get_domain_name(). They used the old ipapython.config. Instead, use the
variables from api.env. We also change them to bootstrap() and
finalize() correctly.
Additionally, we add the dns_container_exists() function that will be
used in ipa-replica-prepare (next patch).
---
install/tools/ipa-replica-install | 30 ++++++-------
install/tools/ipa-replica-prepare | 86 ++++++++++---------------------------
ipaserver/install/bindinstance.py | 52 ++++++++++++-----------
3 files changed, 63 insertions(+), 105 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index af7128c..4b348f6 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -311,12 +311,21 @@ def main():
except ldap.INVALID_CREDENTIALS, e :
sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
+ # Create the management framework config file
+ # Note: We must do this before bootstraping and finalizing ipalib.api
+ fd = open("/etc/ipa/default.conf", "w")
+ fd.write("[global]\n")
+ fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
+ fd.write("realm=" + config.realm_name + "\n")
+ fd.write("domain=" + config.domain_name + "\n")
+ fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; % config.host_name)
+ fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
if ipautil.file_exists(config.dir + "/ca.p12"):
- ca_type = 'dogtag'
- else:
- ca_type = 'selfsign'
+ fd.write("enable_ra=True\n")
+ fd.write("ra_plugin=dogtag\n")
+ fd.close()
- api.bootstrap(in_server=True, ra_plugin=ca_type)
+ api.bootstrap(in_server=True)
api.finalize()
# Install CA cert so that we can do SSL connections with ldap
@@ -355,19 +364,6 @@ def main():
# generated
ds.add_cert_to_service()
- # Create the management framework config file
- fd = open("/etc/ipa/default.conf", "w")
- fd.write("[global]\n")
- fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
- fd.write("realm=" + config.realm_name + "\n")
- fd.write("domain=" + config.domain_name + "\n")
- fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; % config.host_name)
- fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
- if ipautil.file_exists(config.dir + "/ca.p12"):
- fd.write("enable_ra=True\n")
- fd.write("ra_plugin=dogtag\n")
- fd.close()
-
# Apply any LDAP updates. Needs to be done after the replica is synced-up
service.print_msg("Applying LDAP updates")
ds.apply_updates()
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index f9977ec..d89d1a6 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -26,12 +26,10 @@ from ConfigParser import SafeConfigParser
import krbV
from optparse import OptionParser
-import ipapython.config
from ipapython import ipautil
from ipaserver.install import dsinstance, installutils, certs, httpinstance
from ipaserver import ipaldap
from ipapython import version
-from ipalib.constants import DEFAULT_CONFIG
from ipalib import api
from ipalib import util
import ldap
@@ -51,7 +49,6 @@ def parse_options():
parser.add_option("-p", "--password", dest="password",
help="Directory Manager (existing master) password")
- ipapython.config.add_standard_options(parser)
options, args = parser.parse_args()
# If any of the PKCS#12 options are selected, all are required. Create a
@@ -62,39 +59,16 @@ def parse_options():
if cnt > 0 and cnt < 4:
parser.error("All PKCS#12 options are required if any are used.")
+ if options.ip_address:
+ if not installutils.verify_ip_address(options.ip_address):
+ parser.error("Bad IP address")
+ sys.exit(1)
+
if len(args) != 1:
parser.error("must provide the fully-qualified name of the replica")
- ipapython.config.init_config(options)
-
return options, args
-def get_host_name():
- hostname = installutils.get_fqdn()
- try:
- installutils.verify_fqdn(hostname)
- except RuntimeError, e:
- logging.error(str(e))
- sys.exit(1)
-
- return hostname
-
-def get_realm_name():
- try:
- c = krbV.default_context()
- return c.default_realm
- except Exception, e:
- return None
-
-def get_domain_name():
- try:
- ipapython.config.init_config()
- domain_name = ipapython.config.config.get_domain()
- except Exception, e:
- return None
-
- return domain_name
-
def get_subject_base(host_name, dm_password, suffix):
try:
conn = ipaldap.IPAdmin(host_name)
@@ -130,8 +104,8 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
# ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
# db.create_from_cacert(ca_db.cacert_fname)
# else:
-# ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
- ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name(), subject_base=subject_base)
+# ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
+ ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base)
db.create_from_cacert(ca_db.cacert_fname)
db.create_server_cert("Server-Cert", hostname, ca_db)
except Exception, e:
@@ -169,7 +143,7 @@ def export_ra_pkcs12(dir, dm_password):
try:
try:
- db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
+ db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
if db.has_nickname("ipaCert"):
pkcs12_fname = "%s/ra.p12" % dir
@@ -229,31 +203,18 @@ def main():
# Just initialize the environment. This is so the installer can have
# access to the plugin environment
- api.env._bootstrap()
- api.env._finalize_core(**dict(DEFAULT_CONFIG))
+ api.bootstrap(in_server=True)
+ api.finalize()
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
- print "Determining current realm name"
- realm_name = get_realm_name()
- if realm_name is None:
- print "Unable to determine default realm"
- sys.exit(1)
-
- check_ipa_configuration(realm_name)
-
- print "Getting domain name from LDAP"
- domain_name = get_domain_name()
- if domain_name is None:
- print "Unable to determine LDAP default domain"
- sys.exit(1)
+ check_ipa_configuration(api.env.realm)
- host_name = get_host_name()
- if host_name == replica_fqdn:
+ if api.env.host == replica_fqdn:
print "You can't create a replica on itself"
sys.exit(1)
- ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
+ ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
ds_user = get_ds_user(ds_dir)
# get the directory manager password
@@ -266,19 +227,19 @@ def main():
# Try out the password
try:
- conn = ipaldap.IPAdmin(host_name)
+ conn = ipaldap.IPAdmin(api.env.host)
conn.do_simple_bind(bindpw=dirman_password)
conn.unbind()
except ldap.CONNECT_ERROR, e:
- sys.exit("\nUnable to connect to LDAP server %s" % host_name)
+ sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
except ldap.SERVER_DOWN, e:
- sys.exit("\nUnable to connect to LDAP server %s" % host_name)
+ sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
except ldap.INVALID_CREDENTIALS, e :
- sys.exit("\nThe password provided is incorrect for LDAP server %s" % host_name)
+ sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host)
- print "Preparing replica for %s from %s" % (replica_fqdn, host_name)
+ print "Preparing replica for %s from %s" % (replica_fqdn, api.env.host)
- subject_base = get_subject_base(host_name, dirman_password, util.realm_to_suffix(realm_name))
+ subject_base = get_subject_base(api.env.host, dirman_password, util.realm_to_suffix(api.env.realm))
top_dir = tempfile.mkdtemp("ipa")
dir = top_dir + "/realm_info"
@@ -313,7 +274,7 @@ def main():
print "Copy failed %s" % e
sys.exit(1)
print "Creating SSL certificate for the Directory Server"
- export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
+ export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
if options.http_pin:
passwd = options.http_pin
@@ -334,15 +295,14 @@ def main():
sys.exit(1)
else:
print "Creating SSL certificate for the Web Server"
- export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn, subject_base)
+ export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn, subject_base)
print "Exporting RA certificate"
export_ra_pkcs12(dir, dirman_password)
print "Copying additional files"
- copy_files(realm_name, dir)
-
+ copy_files(api.env.realm, dir)
print "Finalizing configuration"
- save_config(dir, realm_name, host_name, ds_user, domain_name, replica_fqdn, subject_base)
+ save_config(dir, api.env.realm, api.env.host, ds_user, api.env.domain, replica_fqdn, subject_base)
replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn
encfile = replicafile+".gpg"
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 13e9e16..105cf4e 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -54,6 +54,31 @@ def check_inst(unattended):
return True
+def dns_container_exists(fqdn, realm):
+ """
+ Test whether the dns container exists.
+ """
+
+ def object_exists(dn):
+ """
+ Test whether the given object exists in LDAP.
+ """
+ try:
+ server.search_ext_s(dn, ldap.SCOPE_BASE)
+ except ldap.NO_SUCH_OBJECT:
+ return False
+ else:
+ return True
+
+ server = ldap.initialize("ldap://"; + fqdn)
+ server.simple_bind_s()
+
+ suffix = util.realm_to_suffix(realm)
+ ret = object_exists("cn=dns,%s" % suffix)
+ server.unbind_s()
+
+ return ret
+
def get_reverse_zone(ip_address):
tmp = ip_address.split(".")
tmp.reverse()
@@ -155,7 +180,8 @@ class BindInstance(service.Service):
except:
pass
- self.__add_zone_steps()
+ if not dns_container_exists(self.fqdn, self.suffix):
+ self.step("adding DNS container", self.__setup_dns_container)
self.step("setting up our zone", self.__setup_zone)
self.step("setting up reverse zone", self.__setup_reverse_zone)
@@ -168,30 +194,6 @@ class BindInstance(service.Service):
self.step("changing resolv.conf to point to ourselves", self.__setup_resolv_conf)
self.start_creation("Configuring named:")
- def __add_zone_steps(self):
- """
- Add a DNS container if it doesn't exist.
- """
-
- def object_exists(dn):
- """
- Test whether the given object exists in LDAP.
- """
- try:
- server.search_ext_s(dn, ldap.SCOPE_BASE)
- except ldap.NO_SUCH_OBJECT:
- return False
- else:
- return True
-
- server = ldap.initialize("ldap://"; + self.fqdn)
- server.simple_bind_s()
-
- if not object_exists("cn=dns,%s" % self.suffix):
- self.step("adding DNS container", self.__setup_dns_container)
-
- server.unbind_s()
-
def __start(self):
try:
self.backup_state("running", self.is_running())
--
1.6.2.5
>From c62879991a383d66e12af2f5097bdc387a780cba Mon Sep 17 00:00:00 2001
From: Martin Nagy <mn...@redhat.com>
Date: Mon, 23 Nov 2009 16:16:58 +0100
Subject: [PATCH 2/2] Add A and PTR records during ipa-replica-prepare
Fixes #528996
---
install/tools/ipa-replica-prepare | 23 ++++++++++++++++++++++-
install/tools/man/ipa-replica-prepare.1 | 3 +++
2 files changed, 25 insertions(+), 1 deletions(-)
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index d89d1a6..c9f1ad0 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -27,7 +27,8 @@ import krbV
from optparse import OptionParser
from ipapython import ipautil
-from ipaserver.install import dsinstance, installutils, certs, httpinstance
+from ipaserver.install import bindinstance, dsinstance, installutils, certs, httpinstance
+from ipaserver.install.bindinstance import add_zone, add_reverze_zone, add_rr, add_ptr_rr
from ipaserver import ipaldap
from ipapython import version
from ipalib import api
@@ -48,6 +49,8 @@ def parse_options():
help="PIN for the Apache Server PKCS#12 file")
parser.add_option("-p", "--password", dest="password",
help="Directory Manager (existing master) password")
+ parser.add_option("--ip-address", dest="ip_address",
+ help="Add A and PTR records of the future replica")
options, args = parser.parse_args()
@@ -206,6 +209,11 @@ def main():
api.bootstrap(in_server=True)
api.finalize()
+ if options.ip_address:
+ if not bindinstance.dns_container_exists(api.env.host, api.env.realm):
+ print "You can't add a DNS record because DNS is not set up."
+ sys.exit(1)
+
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
@@ -314,6 +322,19 @@ def main():
remove_file(replicafile)
shutil.rmtree(dir)
+ if options.ip_address:
+ print "Adding DNS records for %s" % replica_fqdn
+ api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dirman_password)
+
+ domain = replica_fqdn.split(".")
+ name = domain.pop(0)
+ domain = ".".join(domain)
+
+ zone = add_zone(domain)
+ add_rr(zone, name, "A", options.ip_address)
+ add_reverze_zone(options.ip_address)
+ add_ptr_rr(options.ip_address, replica_fqdn)
+
try:
if not os.geteuid()==0:
sys.exit("\nYou must be root to run this script.\n")
diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1
index 8eb4944..5c0e0d1 100644
--- a/install/tools/man/ipa-replica-prepare.1
+++ b/install/tools/man/ipa-replica-prepare.1
@@ -42,6 +42,9 @@ The password of the Directory Server PKCS#12 file
.TP
\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
The password of the Apache Server PKCS#12 file
+.TP
+\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
+IP address of the replica server. If you provide this option, the A and PTR records will be added to the DNS.
.SH "EXIT STATUS"
0 if the command was successful
--
1.6.2.5
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
