URL: https://github.com/freeipa/freeipa/pull/437 Author: tomaskrizek Title: #437: FIPS: replica install check Action: synchronized
From 0bd1d63ec30eff4583ff314edb6dfa38acf28f63 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/3] Add fips_mode variabl to env
Variable fips_mode indicating whether machine is running in FIPS-enabled mode was added to env.
https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..4002164 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,7 @@ from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+from ipaplatform.tasks import tasks
 if six.PY3:
 unicode = str
@@ -497,6 +498,10 @@ def _bootstrap(self, **overrides):
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
+ # Set fips_mode:
+ if 'fips_mode' not in self:
+ self.fips_mode = tasks.is_fips_enabled()
+
 def _finalize_core(self, **defaults):
 """
 Complete initialization of standard IPA environment.
From 2da87d402bdecffbb3004c87312605453edcb01e Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 2/3] check_remote_version: update exception and string
Refactor function to use i18n string and ScriptError exception.
---
 ipaserver/install/server/replicainstall.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 18222c8..06af62a 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
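Review bot: The `if 'fips_mode' not in self` guard in the _bootstrap hunk means a value pre-set through the config file or overrides wins over `tasks.is_fips_enabled()` (the same pattern as `plugins_on_demand` just above), so `fips_mode` is a self-reported flag rather than a measured property of the host; the comment `# Set fips_mode:` should say so, because the last patch of this series serves the value to replicas through the `env` command and gates replica installation on it. Suggested comment: `# fips_mode: True when this host runs with FIPS enabled. As with the other env keys, a value pre-set from the config file or overrides takes precedence and the detected state is not consulted.` If the override is meant for tests only, stating that would help the next reader decide whether a stricter assignment is safe. Whether ipalib can import ipaplatform.tasks without an import cycle is not visible here; _bootstrap starts before this hunk.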
@@ -28,7 +28,7 @@ from ipaplatform import services
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
-from ipalib import api, constants, create_api, errors, rpc, x509
+from ipalib import _, api, constants, create_api, errors, rpc, x509
 from ipalib.config import Env
 from ipalib.util import (
 network_ip_address_warning,
@@ -518,12 +518,15 @@ def check_remote_version(api):
 finally:
 client.disconnect()
+ # Check version compatibility
 remote_version = parse_version(env['version'])
 api_version = parse_version(api.env.version)
 if remote_version > api_version:
- raise RuntimeError(
- "Cannot install replica of a server of higher version ({}) than"
- "the local version ({})".format(remote_version, api_version))
+ raise ScriptError(
+ _("Cannot install replica of a server of higher version "
"(%(remote_version)s) than the local version (%(api_version)s)")
% dict(remote_version=remote_version, api_version=api_version))
+
 def common_check(no_ntp):
From 1dacf228b1bda1c4298203f8f80f3d4818eecb65 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Mon, 6 Feb 2017 17:31:56 +0100
Subject: [PATCH 3/3] FIPS: perform replica installation check
Check status of remote server's FIPS mode and proceed with installation only if it matches the current replica's FIPS mode.
https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/server/replicainstall.py | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 06af62a..64ffb9a 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
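Review bot: `ScriptError` is raised in the hunk at line 518, but the import hunk at line 28 only adds `_`; unless replicainstall.py already imports `ScriptError` (normally from ipapython.admintool) somewhere outside this diff, the higher-version branch now dies with a NameError instead of the intended message, and that branch is only exercised against a newer master so a test run would not catch it. The function also still has no docstring; I would add one stating that `env['version']` is fetched from the remote server via the `env` command and that a remote which omits the key raises KeyError, since the caller in promote_check presumably expects ScriptError only. check_remote_version starts before this hunk.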
@@ -508,13 +508,20 @@ def promote_openldap_conf(hostname, master):
 root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
-def check_remote_version(api):
+def check_remote_compatibility(api):
+ """
+ Perform a check to verify remote server's version and fips-mode
+
+ :param api: remote api
+
+ :raises: ``ScriptError`` if the checks fails
+ """
 client = rpc.jsonclient(api)
 client.finalize()
 client.connect()
 try:
- env = client.forward(u'env', u'version')['result']
+ env = client.forward(u'env', u'version', u'fips_mode')['result']
 finally:
 client.disconnect()
@@ -527,6 +534,18 @@ def check_remote_version(api):
 "(%(remote_version)s) than the local version (%(api_version)s)")
 % dict(remote_version=remote_version, api_version=api_version))
+ # Check FIPS mode compatibility
+ remote_fips_mode = env['fips_mode']
+ fips_mode = tasks.is_fips_enabled()
+ if fips_mode != remote_fips_mode:
+ if fips_mode:
+ raise ScriptError(
+ _("Cannot join FIPS-enabled replica into existing topology: "
+ "FIPS is not enabled on the master server."))
+ else:
+ raise ScriptError(
+ _("Cannot join replica into existing FIPS-enabled topology: "
+ "FIPS has to be enabled locally first."))
 def common_check(no_ntp):
@@ -1080,7 +1099,7 @@ def promote_check(installer):
 remote_api.finalize()
 installer._remote_api = remote_api
- check_remote_version(remote_api)
+ check_remote_compatibility(remote_api)
 conn = remote_api.Backend.ldap2
 replman = None
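Review bot: The new docstring on check_remote_compatibility is too thin to tell a caller what is compared or what `api` must be, and `if the checks fails` is ungrammatical; I would write `Verify that the remote server is a compatible replica target: its version must not be newer than the local one and its FIPS mode must match the local host's.`, `:param api: finalized API object pointing at the remote master (``installer._remote_api``)` and `:raises ScriptError: if either check fails`. Note that `client.connect()` sits outside the `try`, so a connection failure surfaces as whatever rpc raises rather than ScriptError; that is pre-existing, but the docstring should not promise ScriptError for it. The function body continues in the next hunk.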
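Review bot: `remote_fips_mode = env['fips_mode']` raises KeyError when the master predates this series: the `env` request in the previous hunk asks for `fips_mode` but, as far as I can tell, the server simply omits names it does not know, so a replica install against an older master (a normal upgrade path) passes the version check and then crashes with a traceback instead of a ScriptError. Treating an absent key as "not FIPS" keeps both outcomes sensible, `remote_fips_mode = env.get('fips_mode', False)`: a non-FIPS replica still joins an old master, and a FIPS replica gets the existing "FIPS is not enabled on the master server" error. Two things are worth a comment above the check: the remote value is the master's self-reported env setting, which the first patch lets its config file pre-set, so this is an install-time consistency check rather than proof of the master's kernel state; and `tasks.is_fips_enabled()` duplicates what the local env should already expose as `api.env.fips_mode` after that patch, so using the same source as `api.env.version` a few lines up would be more consistent. check_remote_compatibility starts in the previous hunk.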