On Thu, 2012-01-05 at 16:36 -0500, Rob Crittenden wrote: > Martin Kosek wrote: > > Patches 185-186 are needed to make ipa-replica-install run without > > crashes. > > > > How to test: > > > > on server: > > 1) install the server (ipa.example.com is not resolvable) > > # ipa-server-install -p kokos123 -a kokos123 --no-host-dns > > --hostname=ipa.example.com > > > > 2) Add a record for replica.example.com to /etc/hosts > > 3) Prepare the replica (without 188 it refuses to create the replica > > file) > > # ipa-replica-prepare replica.example.com > > > > on replica: > > 1) Add a record for ipa.example.com to /etc/hosts > > 2) Install replica (replica.example.com is not resolvable) > > # ipa-replica-install --no-host-dns --ip-address=IP_ADDRESS REPLICA_FILE > > > > The installer now uses IP_ADDRESS to create a record in /etc/hosts and make > > the replica resolvable > > > > ---- > > Let ipa-replica-prepare and ipa-replica-install work without > > proper DNS records, as records in /etc/hosts are sufficient for > > DS replication. > > > > 1) ipa-replica-prepare now just checks if the replica hostname > > is resolvable (DNS records are not required). It is now able > > to prepare a replica file even when the replica IP address is > > present in /etc/hosts only. > > 2) ipa-replica-install is now able to proceed when the hostname > > is not resolvable. It uses an IP address passed in a new > > option --ip-address to create a record in /etc/hosts in the > > same way as ipa-server-install does. > > > > https://fedorahosted.org/freeipa/ticket/2139 > > NACK on patch 185. The exceptions need to be changed to catch > DuplicateEntry instead of ALREADY_EXISTS > > Otherwise looks ok. > > rob
Good catch, Rob! Attaching an updated set of patches. Martin
>From 67bec667b2046f81015ee2149392588ba7fe63d2 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Wed, 4 Jan 2012 19:47:52 +0100 Subject: [PATCH 1/4] Fix LDAP add calls in replication module Replace conn.add_s(entry) with conn.addEntry(entry) to avoid function calls with an invalid number of parameters. https://fedorahosted.org/freeipa/ticket/2139 --- ipaserver/install/replication.py | 22 +++++++++++----------- 1 files changed, 11 insertions(+), 11 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index a139fd0fbe7168193dcfa6ba5f4d19f20d395c52..74685ef0fdcd2f6a8c56e46619576a1ba74948e7 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -227,8 +227,8 @@ class ReplicationManager(object): ent.setValues("sn", "replication manager pseudo user") try: - conn.add_s(ent) - except ldap.ALREADY_EXISTS: + conn.addEntry(ent) + except errors.DuplicateEntry: conn.modify_s(dn, [(ldap.MOD_REPLACE, "userpassword", pw)]) pass @@ -277,7 +277,7 @@ class ReplicationManager(object): entry.setValues('nsds5replicabinddn', [replica_binddn]) entry.setValues('nsds5replicalegacyconsumer', "off") - conn.add_s(entry) + conn.addEntry(entry) def setup_changelog(self, conn): dn = "cn=changelog5, cn=config" @@ -287,8 +287,8 @@ class ReplicationManager(object): entry.setValues('cn', "changelog5") entry.setValues('nsslapd-changelogdir', dirpath) try: - conn.add_s(entry) - except ldap.ALREADY_EXISTS: + conn.addEntry(entry) + except errors.DuplicateEntry: return def setup_chaining_backend(self, conn): 
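Review bot: In the @@ -227 hunk the `errors.DuplicateEntry` handler still falls back to `conn.modify_s(dn, [(ldap.MOD_REPLACE, "userpassword", pw)])`, a raw python-ldap call that raises `ldap.LDAPError` subclasses, so the add path now surfaces IPA `errors.*` exceptions while the fallback path surfaces `ldap.*` ones and a caller has to catch both families. If the connection object offers an IPA-level modify wrapper alongside `addEntry`, using it here would keep the error surface uniform; otherwise a one-line comment such as `# modify_s raises ldap.* errors, not ipalib errors` would at least warn the reader. The `pass` that follows the modify is dead and can be dropped. The enclosing method starts and ends outside the hunk.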
@@ -310,11 +310,11 @@ class ReplicationManager(object): entry.setValues('nsmultiplexorbinddn', self.repl_man_dn) entry.setValues('nsmultiplexorcredentials', self.repl_man_passwd) - self.conn.add_s(entry) + self.conn.addEntry(entry) done = True - except ldap.ALREADY_EXISTS: + except errors.DuplicateEntry: benum += 1 - except ldap.LDAPError, e: + except errors.ExecutionError, e: print "Could not add backend entry " + dn, e raise @@ -378,7 +378,7 @@ class ReplicationManager(object): entry.setValues("objectclass", ["account", "simplesecurityobject"]) entry.setValues("uid", "passsync") entry.setValues("userPassword", password) - conn.add_s(entry) + conn.addEntry(entry) # Add it to the list of users allowed to bypass password policy extop_dn = "cn=ipa_pwd_extop,cn=plugins,cn=config" @@ -476,7 +476,7 @@ class ReplicationManager(object): if iswinsync: self.setup_winsync_agmt(entry, win_subtree) - a_conn.add_s(entry) + a_conn.addEntry(entry) try: mod = [(ldap.MOD_ADD, 'nsDS5ReplicatedAttributeListTotal', @@ -765,7 +765,7 @@ class ReplicationManager(object): entry.setValues("ipaConfigString", "winsync:%s" % self.hostname) try: - self.conn.add_s(entry) + self.conn.addEntry(entry) except Exception, e: root_logger.info("Failed to create public entry for winsync replica") -- 1.7.7.5
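Review bot: In the @@ -310 hunk the "Could not add backend entry" diagnostic now fires only for `errors.ExecutionError`; anything `addEntry` may raise that is not an ExecutionError subclass still propagates via the `raise` but without that message, which is a narrower net than the old `ldap.LDAPError` catch-all. The handler order is also load-bearing, since `DuplicateEntry` derives from `ExecutionError` in ipalib.errors as far as I can tell, so a comment like `# DuplicateEntry must be caught before its base ExecutionError` would protect it against reordering. The @@ -765 hunk switches to `addEntry` too but keeps `except Exception, e:` and logs nothing about `e`; narrowing it to `errors.ExecutionError` and logging the cause, e.g. `root_logger.info("Failed to create public entry for winsync replica: %s", e)`, would match the other hunks. Both enclosing methods extend outside their hunks.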
>From 162d1d5e8829ad8ba365d366ab97fbd6fbef251c Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Wed, 4 Jan 2012 19:53:18 +0100 Subject: [PATCH 2/4] Prevent service restart failures in ipa-replica-install Call restart() methods of appropriate services instead of calling the system service restart command directly as service() method has a capability to wait until the service is fully up. Without this patch ipa-replica-install crashed on F-16 because krb5kdc service was started before dirsrv service was fully up. https://fedorahosted.org/freeipa/ticket/2139 --- install/tools/ipa-replica-install | 21 ++++++++++++++++----- 1 files changed, 16 insertions(+), 5 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index fd772e5719986bf196cee2278d78a4fc0bb29d19..dcf86620283f5eb1632534e0ba4b476cd95367a4 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -152,6 +152,8 @@ def install_krb(config, setup_pkinit=False): config.domain_name, config.dirman_password, setup_pkinit, pkcs12_info) + return krb + def install_ca_cert(config): cafile = config.dir + "/ca.crt" if not ipautil.file_exists(cafile): @@ -185,6 +187,8 @@ def install_http(config, auto_redirect): print "error copying files: " + str(e) sys.exit(1) + return http + def install_bind(config, options): api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=config.dirman_password) @@ -420,8 +424,8 @@ def main(): cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name)) cs.add_cert_to_service() - install_krb(config, setup_pkinit=options.setup_pkinit) - install_http(config, auto_redirect=options.ui_redirect) + krb = install_krb(config, setup_pkinit=options.setup_pkinit) + http = install_http(config, auto_redirect=options.ui_redirect) if CA: CA.import_ra_cert(dir + "/ra.p12") CA.fix_ra_perms() 
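Review bot: The new `return krb` in the @@ -152 hunk and `return http` in the @@ -187 hunk change `install_krb` and `install_http` from procedures into functions whose result `main()` now depends on for the restart sequence, but nothing documents that contract. A short comment above each return, e.g. `# returned so main() can restart the service after the LDAP updates are applied`, or a docstring on each function stating that the configured service instance is returned, would make the dependency visible to the next person editing these helpers. Both function signatures lie outside the hunks.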
@@ -435,9 +439,16 @@ def main(): service.print_msg("Applying LDAP updates") ds.apply_updates() - ipaservices.knownservices.dirsrv.restart() - ipaservices.knownservices.krb5kdc.restart() - ipaservices.knownservices.httpd.restart() + # Restart ds and krb after configurations have been changed + service.print_msg("Restarting the directory server") + ds.restart() + + service.print_msg("Restarting the KDC") + krb.restart() + + # Restart httpd to pick up the new IPA configuration + service.print_msg("Restarting the web server") + http.restart() if options.setup_dns: install_bind(config, options) -- 1.7.7.5
>From a841aea40962bc1655c08824e292b3c051da1e5d Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Wed, 4 Jan 2012 19:58:33 +0100 Subject: [PATCH 3/4] Fix LDAP updates in ipa-replica-install ipalib API needs to be bootstrapped in 'installer' context otherwise LDAP update plugins don't get initialized and ipa-replica-install crashes. https://fedorahosted.org/freeipa/ticket/2139 --- install/tools/ipa-replica-install | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index dcf86620283f5eb1632534e0ba4b476cd95367a4..ece60e16d22c87c7c26a194a62aa36882de57833 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -354,7 +354,7 @@ def main(): finally: os.umask(old_umask) - api.bootstrap(in_server=True) + api.bootstrap(in_server=True, context='installer') api.finalize() # Create DS group if it doesn't exist yet -- 1.7.7.5
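Review bot: The reason for `context='installer'` is stated only in the commit message, so the line `api.bootstrap(in_server=True, context='installer')` will look like an arbitrary choice to anyone reading `main()` later. A preceding comment such as `# 'installer' context is required so the LDAP update plugins get initialized` keeps the rationale with the code. The enclosing `main()` extends outside the hunk.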
>From a123f2afbe17afb1e840ea8c03998a63a0461d65 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Wed, 4 Jan 2012 20:04:21 +0100 Subject: [PATCH 4/4] Let replicas install without DNS Let ipa-replica-prepare and ipa-replica-install work without proper DNS records as records in /etc/hosts are sufficient for DS replication. 1) ipa-replica-prepare now just checks if the replica hostname is resolvable (DNS records are not required). It is now able to prepare a replica file even when the replica IP address is present in /etc/hosts only. 2) ipa-replica-install is now able to proceed when the hostname is not resolvable. It uses an IP address passed in a new option --ip-address to create a record in /etc/hosts in the same way as ipa-server-install does. https://fedorahosted.org/freeipa/ticket/2139 --- install/tools/ipa-replica-install | 9 ++++ install/tools/ipa-replica-prepare | 6 --- install/tools/ipa-server-install | 58 +---------------------------- install/tools/man/ipa-replica-install.1 | 3 + install/tools/man/ipa-server-install.1 | 2 +- ipaserver/install/installutils.py | 62 +++++++++++++++++++++++++++++++ 6 files changed, 76 insertions(+), 64 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index ece60e16d22c87c7c26a194a62aa36882de57833..34c787b1919b89bd1e9ad4aaec1ace7daaebc36e 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -52,6 +52,9 @@ def parse_options(): basic_group = OptionGroup(parser, "basic options") basic_group.add_option("--setup-ca", dest="setup_ca", action="store_true", default=False, help="configure a dogtag CA") + basic_group.add_option("--ip-address", dest="ip_address", + type="ip", ip_local=True, + help="Replica server IP Address") basic_group.add_option("-p", "--password", dest="password", sensitive=True, help="Directory Manager (existing master) password") basic_group.add_option("-w", "--admin-password", dest="admin_password", sensitive=True, 
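Review bot: The help string of the new option, `help="Replica server IP Address"`, does not tell the user when the value is consulted, and its capitalisation differs from the neighbouring options in the same group (`help="configure a dogtag CA"`). Something like `help="Replica server IP address; used to add an /etc/hosts record when the replica hostname does not resolve"` would match the behaviour described in the commit message and the existing style. The `ip_local=True` constraint is the right choice here since the address ends up in /etc/hosts for this host; the parse_options function extends outside the hunk.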
@@ -284,6 +287,9 @@ def main(): global sstore sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore') + global fstore + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + # check the bind is installed if options.setup_dns: check_bind() @@ -334,6 +340,9 @@ def main(): if not options.skip_conncheck: replica_conn_check(config.master_host_name, config.host_name, config.realm_name, options.setup_ca, options.admin_password) + # check replica host IP resolution + ip = installutils.get_server_ip_address(config.host_name, fstore, True, options) + # Create the management framework config file # Note: We must do this before bootstraping and finalizing ipalib.api old_umask = os.umask(022) # must be readable for httpd diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 269fe5f46bb5784f83e7405b50cdad678aae2ba6..c54aa62b8e0e49fcc30d1359423dfa8615cc9cfe 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -298,12 +298,6 @@ def main(): check_ipa_configuration(api.env.realm) - if not options.ip_address: - try: - api.Command['dns_resolve'](replica_fqdn.decode('utf-8')) - except errors.NotFound: - sys.exit("Neither an A nor AAAA record for host '%s' does not exist in DNS.\nUse the --ip-address option to add DNS entries for the replica." % replica_fqdn) - if api.env.host == replica_fqdn: print "You can't create a replica on itself" sys.exit(1) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 7a2e2aa1d5f2f3acb753581aff5db5d5b26d0592..b91343850c016428b059faefa1d36de1ff10fe51 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
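Review bot: In the @@ -334 hunk the call `ip = installutils.get_server_ip_address(config.host_name, fstore, True, options)` passes the `unattended` parameter as a bare positional `True`, which silently disables the interactive `read_ip_address` fallback the helper offers; if ipa-replica-install has its own unattended option it should be passed instead, and if the literal is intended it deserves a keyword and a comment, e.g. `# never prompt for an address during replica install`. The assigned `ip` is not used anywhere in the hunk, so unless code further down `main()` reads it the assignment should go and only the side effect (the /etc/hosts record) be relied upon, with a comment saying so. In the ipa-replica-prepare @@ -298 hunk the `dns_resolve` check is removed but the "checks if the replica hostname is resolvable" replacement mentioned in the commit message is not visible here; if that check lives elsewhere in `main()`, a comment pointing to it would help, otherwise an unresolvable replica name is now accepted at this point. All enclosing functions extend outside the hunks.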
@@ -730,65 +730,9 @@ def main(): domain_name = domain_name.lower() - # Check we have a public IP that is associated with the hostname - try: - hostaddr = resolve_host(host_name) - except HostnameLocalhost: - print >> sys.stderr, "The hostname resolves to the localhost address (127.0.0.1/::1)" - print >> sys.stderr, "Please change your /etc/hosts file so that the hostname" - print >> sys.stderr, "resolves to the ip address of your network interface." - print >> sys.stderr, "The KDC service does not listen on localhost" - print >> sys.stderr, "" - print >> sys.stderr, "Please fix your /etc/hosts file and restart the setup program" - sys.exit(1) - - ip_add_to_hosts = False - if hostaddr is not None: - ip = CheckedIPAddress(hostaddr, match_local=True) - else: - # hostname is not resolvable - ip = options.ip_address - ip_add_to_hosts = True - - if ip is None: - print "Unable to resolve IP address for host name" - if options.unattended: - sys.exit(1) - - if options.ip_address: - if options.ip_address != ip and not options.setup_dns: - print >>sys.stderr, "Error: the hostname resolves to an IP address that is different" - print >>sys.stderr, "from the one provided on the command line. Please fix your DNS" - print >>sys.stderr, "or /etc/hosts file and restart the installation." 
- return 1 - - ip = options.ip_address - - if ip is None: - ip = read_ip_address(host_name, fstore) - root_logger.debug("read ip_address: %s\n" % str(ip)) - + ip = get_server_ip_address(host_name, fstore, options.unattended, options) ip_address = str(ip) - # check /etc/hosts sanity, add a record when needed - hosts_record = record_in_hosts(ip_address) - - if hosts_record is None: - if ip_add_to_hosts: - print "Adding ["+ip_address+" "+host_name+"] to your /etc/hosts file" - fstore.backup_file("/etc/hosts") - add_record_to_hosts(ip_address, host_name) - else: - primary_host = hosts_record[1][0] - if primary_host != host_name: - print >>sys.stderr, "Error: there is already a record in /etc/hosts for IP address %s:" \ - % ip_address - print >>sys.stderr, hosts_record[0], " ".join(hosts_record[1]) - print >>sys.stderr, "Chosen hostname %s does not match configured canonical hostname %s" \ - % (host_name, primary_host) - print >>sys.stderr, "Please fix your /etc/hosts file and restart the installation." - return 1 - if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip): sys.exit(1) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index c82b4a6b01f384cdbf060a4ed4d61cec6d04277e..f8fa148d076b2e4a53682b1d48e08e57380892d7 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 
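Review bot: The two `return 1` paths that this hunk removes from `main()` become `sys.exit(1)` inside `installutils.get_server_ip_address`, so the process now terminates from within a library helper instead of `main()` returning a status to its caller; that is equivalent only if the script ends in `sys.exit(main())`, which is outside the hunk. Having the helper raise (an exception type the installers already handle at top level) and letting `main()` decide how to exit would keep `installutils` free of process control and make the function usable from code that must not terminate. The surviving line `ip = get_server_ip_address(host_name, fstore, options.unattended, options)` is otherwise a clean extraction; `main()` extends outside the hunk.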
@@ -32,6 +32,9 @@ The replica_file is created using the ipa\-replica\-prepare utility. Install and configure a CA on this replica. If a CA is not configured then certificate operations will be forwarded to a master with a CA installed. .TP +\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR +The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts. +.TP \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR Directory Manager (existing master) password .TP diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 920c1345007cf65fae1b8bb57e9a28cac3d36b96..6f1e59e75dfd016361dd5865ae99407b10b99a54 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -46,7 +46,7 @@ The password for the IPA admin user The fully\-qualified DNS name of this server. If the hostname does not match system hostname, the system hostname will be updated accordingly to prevent service failures. .TP \fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR -The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. +The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts. .TP \fB\-N\fR, \fB\-\-no\-ntp\fR Do not configure NTP diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 817308f1d22e3970e72d2d9ffbcc685d7759e6e6..e2cabf69b6d90c20daf8848d69a062b301b2204e 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -520,6 +520,68 @@ def get_host_name(no_host_dns): verify_fqdn(hostname, no_host_dns) return hostname +def get_server_ip_address(host_name, fstore, unattended, options): + # Check we have a public IP that is associated with the hostname + try: + hostaddr = resolve_host(host_name) + except HostnameLocalhost: + print >> sys.stderr, "The hostname resolves to the localhost address (127.0.0.1/::1)" + print >> sys.stderr, "Please change your /etc/hosts file so that the hostname" + print >> sys.stderr, "resolves to the ip address of your network interface." + print >> sys.stderr, "The KDC service does not listen on localhost" + print >> sys.stderr, "" + print >> sys.stderr, "Please fix your /etc/hosts file and restart the setup program" + sys.exit(1) + + ip_add_to_hosts = False + if hostaddr is not None: + ip = ipautil.CheckedIPAddress(hostaddr, match_local=True) + else: + # hostname is not resolvable + ip = options.ip_address + ip_add_to_hosts = True + + if ip is None: + print "Unable to resolve IP address for host name" + if unattended: + sys.exit(1) + + if options.ip_address: + if options.ip_address != ip and not options.setup_dns: + print >>sys.stderr, "Error: the hostname resolves to an IP address that is different" + print >>sys.stderr, "from the one provided on the command line. Please fix your DNS" + print >>sys.stderr, "or /etc/hosts file and restart the installation." 
+ sys.exit(1) + + ip = options.ip_address + + if ip is None: + ip = read_ip_address(host_name, fstore) + root_logger.debug("read ip_address: %s\n" % str(ip)) + + ip_address = str(ip) + + # check /etc/hosts sanity, add a record when needed + hosts_record = record_in_hosts(ip_address) + + if hosts_record is None: + if ip_add_to_hosts: + print "Adding ["+ip_address+" "+host_name+"] to your /etc/hosts file" + fstore.backup_file("/etc/hosts") + add_record_to_hosts(ip_address, host_name) + else: + primary_host = hosts_record[1][0] + if primary_host != host_name: + print >>sys.stderr, "Error: there is already a record in /etc/hosts for IP address %s:" \ + % ip_address + print >>sys.stderr, hosts_record[0], " ".join(hosts_record[1]) + print >>sys.stderr, "Chosen hostname %s does not match configured canonical hostname %s" \ + % (host_name, primary_host) + print >>sys.stderr, "Please fix your /etc/hosts file and restart the installation." + sys.exit(1) + + return ip + def expand_replica_info(filename, password): """ Decrypt and expand a replica installation file into a temporary -- 1.7.7.5
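Review bot: `get_server_ip_address` takes an opaque `options` object and reads `options.ip_address` and `options.setup_dns` from it, yet has no docstring stating that contract, so any future caller has to reverse-engineer the two required attributes from the body. The docstring should also record that `fstore` is used only to back up /etc/hosts before a record is added, that `unattended=True` turns the unresolvable-hostname case into an immediate `sys.exit(1)` while `False` falls through to `read_ip_address` prompting, and that the function exits the process on every error path rather than raising. The `match_local=True` check runs only on the resolved address; on the `options.ip_address` path locality is enforced solely by the option parser (ipa-replica-install declares `ip_local=True` in this patch, whether ipa-server-install does is outside the diff), so a comment such as `# options.ip_address is assumed to be validated as local by the option parser` would make that assumption explicit.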