On 11/23/2015 04:43 PM, Jan Cholasta wrote: > Hi, > > On 23.11.2015 12:50, Tomas Babej wrote: >> Hi, >> >> this patch implements the single command replica promotion&enrollment >> for #5310. >> >> Tomas >> >> https://fedorahosted.org/freeipa/ticket/5310 > > 1) ensure_enrolled() should be called from promote_check() after the > client check is done: > > client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) > if not client_fstore.has_files(): > ensure_enrolled(installer) > > > 2) > > + server_name = Knob( > + str, None, > + description="fully qualified name of IPA server to enrooll to", > + cli_name='server', > + ) > > Please use the same identifier ipa-client-install uses, i.e. > s/server_name/server/. > > Also there is typo in the description: "enrooll".
Fixed. > > > 3) > > + host_name = Knob( > + str, None, > + description="fully qualified name of this host", > + cli_name='hostname', > + ) > > This knob is already defined in BaseServer, there's no need to redefine > it here (just remove the "host_name = None"). > > If you want to change the description, change it in BaseServer. Yep, that was the reasoning here. Changed in BaseServer. > > > 4) > > + keytab = Knob( > + str, None, > + description="path to backed up keytab from previous enrollment", > + cli_name='keytab', > + ) > > ipa-client-install uses the short name -k for the keytab option, it > should be used here as well. > Added. > > 5) The replica file argument conflicts with the --realm, --domain, > --server, --admin-password and --principal options. This should be > checked in Replica.__init__(). > > The --hostname option should either be conflicting as well or be > implemented properly for legacy replica install. > All of them now conflict --replica-file. > > 6) I think --admin-password should be renamed to --password and the > description changed, since it now also allows OTP enrollment. > I changed the requirements to mandate --principal when --password is used, as we discussed. The name of the option cannot really be changed, as it is already taken by the dm_password. > > Honza >
From 0ab612c75095f02fd5e63fddd7c873d3085299d7 Mon Sep 17 00:00:00 2001 From: Tomas Babej <[email protected]> Date: Mon, 23 Nov 2015 12:46:15 +0100 Subject: [PATCH] replicainstall: Add possiblity to install client in one command https://fedorahosted.org/freeipa/ticket/5310 --- ipaserver/install/server/common.py | 2 +- ipaserver/install/server/replicainstall.py | 114 ++++++++++++++++++++++++++--- 2 files changed, 106 insertions(+), 10 deletions(-) diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py index 93c95dd8e8d2b24af193ee19368959188bcd6cb9..6116ebc25fc1d439a515d260feed82fc134f1d97 100644 --- a/ipaserver/install/server/common.py +++ b/ipaserver/install/server/common.py @@ -275,7 +275,7 @@ class BaseServer(common.Installable, common.Interactive, core.Composite): host_name = Knob( str, None, - description="fully qualified name of server", + description="fully qualified name of this host", cli_name='hostname', ) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 492ea72d88665cce50f359d15d3c45e267ed2f41..1bec281a50edb5000f071bc4121bd45db9c5be2e 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -4,6 +4,7 @@ from __future__ import print_function +import collections import dns.exception as dnsexception import dns.name as dnsname import dns.resolver as dnsresolver @@ -758,6 +759,54 @@ def install(installer): @common_cleanup +def ensure_enrolled(installer): + config = installer._config + + # Perform only if we have the necessary options + if not any([installer.principal and installer.admin_password, + installer.keytab]): + sys.exit("IPA client is not configured on this system.\n" + "You must use a replica file or join the system " + "either by using by running 'ipa-client-install'. " + "Alternatively, you may specify enrollment related options " + "directly, see man ipa-replica-install.") + + # Call client install script + service.print_msg("Configuring client side components") + try: + args = [paths.IPA_CLIENT_INSTALL, "--unattended"] + if installer.domain_name: + args.extend(["--domain", installer.domain_name]) + if installer.server: + args.extend(["--server", installer.server]) + if installer.realm_name: + args.extend(["--realm", installer.realm_name]) + if installer.host_name: + args.extend(["--hostname", installer.host_name]) + + if installer.principal: + args.extend(["--principal", installer.principal]) + if installer.admin_password: + args.extend(["--password", installer.admin_password]) + if installer.keytab: + args.extend(["--keytab", installer.keytab]) + + if installer.no_dns_sshfp: + args.append("--no-dns-sshfp") + if installer.ssh_trust_dns: + args.append("--ssh-trust-dns") + if installer.no_ssh: + args.append("--no-ssh") + if installer.no_sshd: + args.append("--no-sshd") + if installer.mkhomedir: + args.append("--mkhomedir") + ipautil.run(args) + except Exception as e: + sys.exit("Configuration of client side components failed!\n" + "ipa-client-install returned: " + str(e)) + +@common_cleanup def promote_check(installer): options = installer @@ -767,9 +816,7 @@ def promote_check(installer): client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) if not client_fstore.has_files(): - sys.exit("IPA client is not configured on this system.\n" - "You must use a replica file or join the system " - "using 'ipa-client-install'.") + ensure_enrolled(installer) sstore = sysrestore.StateFile(paths.SYSRESTORE) @@ -1115,9 +1162,6 @@ class Replica(BaseServer): description="a file generated by ipa-replica-prepare", ) - realm_name = None - domain_name = None - setup_ca = Knob(BaseServer.setup_ca) setup_kra = Knob(BaseServer.setup_kra) setup_dns = Knob(BaseServer.setup_dns) @@ -1137,12 +1181,23 @@ class Replica(BaseServer): admin_password = Knob( BaseServer.admin_password, - description="Admin user Kerberos password used for connection check", + description="Kerberos password for the specified admin principal", cli_short_name='w', ) + server = Knob( + str, None, + description="fully qualified name of IPA server to enroll to", + cli_name='server', + ) + + host_name = Knob( + str, None, + description="fully qualified name of this host", + cli_name='hostname', + ) + mkhomedir = Knob(BaseServer.mkhomedir) - host_name = None no_host_dns = Knob(BaseServer.no_host_dns) no_ntp = Knob(BaseServer.no_ntp) no_pkinit = Knob(BaseServer.no_pkinit) @@ -1160,10 +1215,18 @@ class Replica(BaseServer): principal = Knob( str, None, sensitive=True, - description="User Principal allowed to promote replicas", + description="User Principal allowed to promote replicas " + "and join IPA realm", cli_short_name='P', ) + keytab = Knob( + str, None, + description="path to backed up keytab from previous enrollment", + cli_name='keytab', + cli_short_name='k', + ) + promote = False # ca @@ -1199,11 +1262,44 @@ class Replica(BaseServer): if self.replica_file is None: self.promote = True + + # Make sure --password is not used without principal, + # that would mean OTP join for ipa-client-install + + password_and_principal = [self.admin_password, self.principal] + if any(password_and_principal) and not all(password_and_principal): + raise RuntimeError( + "The --password and --principal options must be used " + "together." + ) + else: if not ipautil.file_exists(self.replica_file): raise RuntimeError("Replica file %s does not exist" % self.replica_file) + CLIKnob = collections.namedtuple('CLIKnob', ('value', 'name')) + + conflicting_knobs = ( + CLIKnob(self.realm_name, '--realm'), + CLIKnob(self.domain_name, '--domain'), + CLIKnob(self.host_name, '--hostname'), + CLIKnob(self.server, '--server'), + CLIKnob(self.admin_password, '--admin-password'), + CLIKnob(self.principal, '--principal'), + ) + + if any([k.value is not None for k in conflicting_knobs]): + conflicting_knob_names = [ + knob.name for knob in conflicting_knobs + if knob.value is not None + ] + + raise RuntimeError( + "The --replica-file options conflicts with '{0}' " + "option(s).".format(", ".join(conflicting_knob_names)) + ) + if self.setup_dns: #pylint: disable=no-member if not self.dns.forwarders and not self.dns.no_forwarders: -- 2.5.0
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
