On 11/23/2015 04:43 PM, Jan Cholasta wrote:
> Hi,
> 
> On 23.11.2015 12:50, Tomas Babej wrote:
>> Hi,
>>
>> this patch implements the single command replica promotion&enrollment
>> for #5310.
>>
>> Tomas
>>
>> https://fedorahosted.org/freeipa/ticket/5310
> 
> 1) ensure_enrolled() should be called from promote_check() after the
> client check is done:
> 
>     client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
>     if not client_fstore.has_files():
>         ensure_enrolled(installer)
> 
> 
> 2)
> 
> +    server_name = Knob(
> +        str, None,
> +        description="fully qualified name of IPA server to enrooll to",
> +        cli_name='server',
> +    )
> 
> Please use the same identifier ipa-client-install uses, i.e.
> s/server_name/server/.
> 
> Also there is typo in the description: "enrooll".

Fixed.

> 
> 
> 3)
> 
> +    host_name = Knob(
> +        str, None,
> +        description="fully qualified name of this host",
> +        cli_name='hostname',
> +    )
> 
> This knob is already defined in BaseServer, there's no need to redefine
> it here (just remove the "host_name = None").
> 
> If you want to change the description, change it in BaseServer.

Yep, that was the reasoning here. Changed in BaseServer.

> 
> 
> 4)
> 
> +    keytab = Knob(
> +        str, None,
> +        description="path to backed up keytab from previous enrollment",
> +        cli_name='keytab',
> +    )
> 
> ipa-client-install uses the short name -k for the keytab option, it
> should be used here as well.
> 

Added.

> 
> 5) The replica file argument conflicts with the --realm, --domain,
> --server, --admin-password and --principal options. This should be
> checked in Replica.__init__().
> 
> The --hostname option should either be conflicting as well or be
> implemented properly for legacy replica install.
> 

All of them now conflict --replica-file.

> 
> 6) I think --admin-password should be renamed to --password and the
> description changed, since it now also allows OTP enrollment.
> 

I changed the requirements to mandate --principal when --password is
used, as we discussed.

The name of the option cannot really be changed, as it is already taken
by the dm_password.


> 
> Honza
> 
From 0ab612c75095f02fd5e63fddd7c873d3085299d7 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 23 Nov 2015 12:46:15 +0100
Subject: [PATCH] replicainstall: Add possiblity to install client in one
 command

https://fedorahosted.org/freeipa/ticket/5310
---
 ipaserver/install/server/common.py         |   2 +-
 ipaserver/install/server/replicainstall.py | 114 ++++++++++++++++++++++++++---
 2 files changed, 106 insertions(+), 10 deletions(-)

diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py
index 93c95dd8e8d2b24af193ee19368959188bcd6cb9..6116ebc25fc1d439a515d260feed82fc134f1d97 100644
--- a/ipaserver/install/server/common.py
+++ b/ipaserver/install/server/common.py
@@ -275,7 +275,7 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
 
     host_name = Knob(
         str, None,
-        description="fully qualified name of server",
+        description="fully qualified name of this host",
         cli_name='hostname',
     )
 
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 492ea72d88665cce50f359d15d3c45e267ed2f41..1bec281a50edb5000f071bc4121bd45db9c5be2e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import collections
 import dns.exception as dnsexception
 import dns.name as dnsname
 import dns.resolver as dnsresolver
@@ -758,6 +759,54 @@ def install(installer):
 
 
 @common_cleanup
+def ensure_enrolled(installer):
+    config = installer._config
+
+    # Perform only if we have the necessary options
+    if not any([installer.principal and installer.admin_password,
+                installer.keytab]):
+        sys.exit("IPA client is not configured on this system.\n"
+                 "You must use a replica file or join the system "
+                 "either by using by running 'ipa-client-install'. "
+                 "Alternatively, you may specify enrollment related options "
+                 "directly, see man ipa-replica-install.")
+
+    # Call client install script
+    service.print_msg("Configuring client side components")
+    try:
+        args = [paths.IPA_CLIENT_INSTALL, "--unattended"]
+        if installer.domain_name:
+            args.extend(["--domain", installer.domain_name])
+        if installer.server:
+            args.extend(["--server", installer.server])
+        if installer.realm_name:
+            args.extend(["--realm", installer.realm_name])
+        if installer.host_name:
+            args.extend(["--hostname", installer.host_name])
+
+        if installer.principal:
+            args.extend(["--principal", installer.principal])
+        if installer.admin_password:
+            args.extend(["--password", installer.admin_password])
+        if installer.keytab:
+            args.extend(["--keytab", installer.keytab])
+
+        if installer.no_dns_sshfp:
+            args.append("--no-dns-sshfp")
+        if installer.ssh_trust_dns:
+            args.append("--ssh-trust-dns")
+        if installer.no_ssh:
+            args.append("--no-ssh")
+        if installer.no_sshd:
+            args.append("--no-sshd")
+        if installer.mkhomedir:
+            args.append("--mkhomedir")
+        ipautil.run(args)
+    except Exception as e:
+        sys.exit("Configuration of client side components failed!\n"
+                 "ipa-client-install returned: " + str(e))
+
+@common_cleanup
 def promote_check(installer):
     options = installer
 
@@ -767,9 +816,7 @@ def promote_check(installer):
 
     client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
     if not client_fstore.has_files():
-        sys.exit("IPA client is not configured on this system.\n"
-                 "You must use a replica file or join the system "
-                 "using 'ipa-client-install'.")
+        ensure_enrolled(installer)
 
     sstore = sysrestore.StateFile(paths.SYSRESTORE)
 
@@ -1115,9 +1162,6 @@ class Replica(BaseServer):
         description="a file generated by ipa-replica-prepare",
     )
 
-    realm_name = None
-    domain_name = None
-
     setup_ca = Knob(BaseServer.setup_ca)
     setup_kra = Knob(BaseServer.setup_kra)
     setup_dns = Knob(BaseServer.setup_dns)
@@ -1137,12 +1181,23 @@ class Replica(BaseServer):
 
     admin_password = Knob(
         BaseServer.admin_password,
-        description="Admin user Kerberos password used for connection check",
+        description="Kerberos password for the specified admin principal",
         cli_short_name='w',
     )
 
+    server = Knob(
+        str, None,
+        description="fully qualified name of IPA server to enroll to",
+        cli_name='server',
+    )
+
+    host_name = Knob(
+        str, None,
+        description="fully qualified name of this host",
+        cli_name='hostname',
+    )
+
     mkhomedir = Knob(BaseServer.mkhomedir)
-    host_name = None
     no_host_dns = Knob(BaseServer.no_host_dns)
     no_ntp = Knob(BaseServer.no_ntp)
     no_pkinit = Knob(BaseServer.no_pkinit)
@@ -1160,10 +1215,18 @@ class Replica(BaseServer):
     principal = Knob(
         str, None,
         sensitive=True,
-        description="User Principal allowed to promote replicas",
+        description="User Principal allowed to promote replicas "
+                    "and join IPA realm",
         cli_short_name='P',
     )
 
+    keytab = Knob(
+        str, None,
+        description="path to backed up keytab from previous enrollment",
+        cli_name='keytab',
+        cli_short_name='k',
+    )
+
     promote = False
 
     # ca
@@ -1199,11 +1262,44 @@ class Replica(BaseServer):
 
         if self.replica_file is None:
             self.promote = True
+
+            # Make sure --password is not used without principal,
+            # that would mean OTP join for ipa-client-install
+
+            password_and_principal = [self.admin_password, self.principal]
+            if any(password_and_principal) and not all(password_and_principal):
+                raise RuntimeError(
+                    "The --password and --principal options must be used "
+                    "together."
+                )
+
         else:
             if not ipautil.file_exists(self.replica_file):
                 raise RuntimeError("Replica file %s does not exist"
                                    % self.replica_file)
 
+            CLIKnob = collections.namedtuple('CLIKnob', ('value', 'name'))
+
+            conflicting_knobs = (
+                CLIKnob(self.realm_name, '--realm'),
+                CLIKnob(self.domain_name, '--domain'),
+                CLIKnob(self.host_name, '--hostname'),
+                CLIKnob(self.server, '--server'),
+                CLIKnob(self.admin_password, '--admin-password'),
+                CLIKnob(self.principal, '--principal'),
+            )
+
+            if any([k.value is not None for k in conflicting_knobs]):
+                conflicting_knob_names = [
+                    knob.name for knob in conflicting_knobs
+                    if knob.value is not None
+                ]
+
+                raise RuntimeError(
+                    "The --replica-file options conflicts with '{0}' "
+                    "option(s).".format(", ".join(conflicting_knob_names))
+                    )
+
         if self.setup_dns:
             #pylint: disable=no-member
             if not self.dns.forwarders and not self.dns.no_forwarders:
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to