URL: https://github.com/freeipa/freeipa/pull/569
Author: MartinBasti
 Title: #569: Remove copy-schema-to-ca.py from master branch
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/569/head:pr569
git checkout pr569
From 6493e18e50220a01b50f2b6df8b75acc3745ec5f Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Fri, 10 Mar 2017 13:30:43 +0100
Subject: [PATCH 1/2] Remove copy-schema-to-ca.py from master branch

This script is used only for IPA <3.1, so it must be compatible with
the ipa-3-0 branch and should be placed there.

https://pagure.io/freeipa/issue/6540
---
 freeipa.spec.in                    |   1 -
 install/share/Makefile.am          |   1 -
 install/share/copy-schema-to-ca.py | 126 -------------------------------------
 ipaserver/install/cainstance.py    |   6 +-
 4 files changed, 2 insertions(+), 132 deletions(-)
 delete mode 100755 install/share/copy-schema-to-ca.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index db591e0..4d991d4 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1221,7 +1221,6 @@ fi
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
-%{_usr}/share/ipa/copy-schema-to-ca.py*
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 1e8f0d5..9e539a3 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -81,7 +81,6 @@ dist_app_DATA =				\
 	automember.ldif			\
 	replica-automember.ldif		\
 	replica-s4u2proxy.ldif		\
-	copy-schema-to-ca.py		\
 	sasl-mapping-fallback.ldif	\
 	schema-update.ldif		\
 	vault.ldif			\
diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
deleted file mode 100755
index 4daed6f..0000000
--- a/install/share/copy-schema-to-ca.py
+++ /dev/null
@@ -1,126 +0,0 @@
-#! /usr/bin/python2
-
-"""Copy the IPA schema to the CA directory server instance
-
-You need to run this script to prepare a 2.2 or 3.0 IPA master for
-installation of a 3.1 replica.
-
-Once a 3.1 replica is in the domain, every older CA master will emit schema
-replication errors until this script is run on it.
-
-"""
-
-import os
-import sys
-import pwd
-import shutil
-
-from hashlib import sha1
-
-from ipaplatform.paths import paths
-from ipapython import ipautil
-from ipapython.ipa_log_manager import root_logger, standard_logging_setup
-from ipaserver.install.dsinstance import schema_dirname
-from ipalib import api
-
-try:
-    # BE CAREFUL when using the constants module - you need to define all
-    # the constants separately because of old IPA installations
-    from ipaplatform.constants import constants
-    PKI_USER = constants.PKI_USER
-    DS_USER = constants.DS_USER
-except ImportError:
-    # oh dear, this is an old IPA (3.0+)
-    from ipaserver.install.dsinstance import DS_USER   #pylint: disable=E0611
-    from ipaserver.install.cainstance import PKI_USER  #pylint: disable=E0611
-
-try:
-    from ipaplatform import services
-except ImportError:
-    from ipapython import services  # pylint: disable=no-name-in-module
-
-SERVERID = "PKI-IPA"
-SCHEMA_FILENAMES = (
-    "60kerberos.ldif",
-    "60samba.ldif",
-    "60ipaconfig.ldif",
-    "60basev2.ldif",
-    "60basev3.ldif",
-    "60ipadns.ldif",
-    "61kerberos-ipav3.ldif",
-    "65ipacertstore.ldif",
-    "65ipasudo.ldif",
-    "70ipaotp.ldif",
-    "05rfc2247.ldif",
-)
-
-
-def _sha1_file(filename):
-    with open(filename, 'rb') as f:
-        return sha1(f.read()).hexdigest()
-
-
-def add_ca_schema():
-    """Copy IPA schema files into the CA DS instance
-    """
-    pki_pent = pwd.getpwnam(PKI_USER)
-    ds_pent = pwd.getpwnam(DS_USER)
-    for schema_fname in SCHEMA_FILENAMES:
-        source_fname = os.path.join(paths.USR_SHARE_IPA_DIR, schema_fname)
-        target_fname = os.path.join(schema_dirname(SERVERID), schema_fname)
-        if not os.path.exists(source_fname):
-            root_logger.debug('File does not exist: %s', source_fname)
-            continue
-        if os.path.exists(target_fname):
-            target_sha1 = _sha1_file(target_fname)
-            source_sha1 = _sha1_file(source_fname)
-            if target_sha1 != source_sha1:
-                target_size = os.stat(target_fname).st_size
-                source_size = os.stat(source_fname).st_size
-                root_logger.info('Target file %s exists but the content is '
-                                 'different', target_fname)
-                root_logger.info('\tTarget file: sha1: %s, size: %s B',
-                                 target_sha1, target_size)
-                root_logger.info('\tSource file: sha1: %s, size: %s B',
-                                 source_sha1, source_size)
-                if not ipautil.user_input("Do you want replace %s file?" %
-                                          target_fname, True):
-                    continue
-
-            else:
-                root_logger.info(
-                    'Target exists, not overwriting: %s', target_fname)
-                continue
-        try:
-            shutil.copyfile(source_fname, target_fname)
-        except IOError as e:
-            root_logger.warning('Could not install %s: %s', target_fname, e)
-        else:
-            root_logger.info('Installed %s', target_fname)
-        os.chmod(target_fname, 0o440)    # read access for dirsrv user/group
-        os.chown(target_fname, pki_pent.pw_uid, ds_pent.pw_gid)
-
-
-def restart_pki_ds():
-    """Restart the CA DS instance to pick up schema changes
-    """
-    root_logger.info('Restarting CA DS')
-    services.service('dirsrv').restart(SERVERID)
-
-
-def main():
-    if os.getegid() != 0:
-        sys.exit("Must be root to run this script")
-    standard_logging_setup(verbose=True)
-
-    # In 3.0, restarting needs access to api.env
-    api.bootstrap_with_global_options(context='server', confdir=paths.ETC_IPA)
-
-    add_ca_schema()
-    restart_pki_ds()
-
-    root_logger.info('Schema updated successfully')
-
-
-if __name__ == '__main__':
-    main()
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 0991883..0943430 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1285,11 +1285,9 @@ def replica_ca_install_check(config, promote):
     else:
         root_logger.critical(
             'The master CA directory server does not have necessary schema. '
-            'Please copy the following script to all CA masters and run it '
-            'on them: %s\n'
+            'Please run copy-schema-to-ca.py on all CA masters.\n'
             'If you are certain that this is a false positive, use '
-            '--skip-schema-check.',
-            os.path.join(paths.USR_SHARE_IPA_DIR, 'copy-schema-to-ca.py'))
+            '--skip-schema-check.')
         exit('IPA schema missing on master CA directory server')
 
 
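Review bot: The rewritten critical message tells the operator to run `copy-schema-to-ca.py` but no longer says where the script lives, and this series stops installing it under the IPA share directory, so the only actionable path left in the text is `--skip-schema-check`. If the script is meant to come from the ipa-3-0 branch on the old masters, as the commit message suggests, the message should say so, for example `'Please run copy-schema-to-ca.py from the ipa-3-0 branch on all CA masters.\n'`. It is also worth checking whether `os` and `paths` are still used elsewhere in cainstance.py now that the `os.path.join(...)` argument is gone; the rest of `replica_ca_install_check` lies outside the hunk.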

From 0964985586597c9fc32e373e805b0b73d0aae575 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Fri, 10 Mar 2017 15:22:07 +0100
Subject: [PATCH 2/2] Add copy-schema-to-ca for RHEL6 to contrib/

Fixed version that works on RHEL6. Adding it to contrib to avoid losing it.

https://pagure.io/freeipa/issue/6540
---
 contrib/copy-schema-to-ca-RHEL6.py | 118 +++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100755 contrib/copy-schema-to-ca-RHEL6.py

diff --git a/contrib/copy-schema-to-ca-RHEL6.py b/contrib/copy-schema-to-ca-RHEL6.py
new file mode 100755
index 0000000..048be6f
--- /dev/null
+++ b/contrib/copy-schema-to-ca-RHEL6.py
@@ -0,0 +1,118 @@
+#! /usr/bin/python2
+
+"""Copy the IPA schema to the CA directory server instance
+
+You need to run this script to prepare a 2.2 or 3.0 IPA master for
+installation of a 3.1 replica.
+
+Once a 3.1 replica is in the domain, every older CA master will emit schema
+replication errors until this script is run on it.
+
+"""
+
+# DO NOT TOUCH THIS CODE, IT MUST BE COMPATIBLE WITH RHEL6
+# disable pylint because current codebase didn't match RHEL6 code
+# pylint: disable=all
+
+import os
+import sys
+import pwd
+import shutil
+
+from hashlib import sha1
+
+from ipapython import ipautil
+from ipapython.ipa_log_manager import root_logger, standard_logging_setup
+from ipaserver.install.dsinstance import schema_dirname
+from ipalib import api
+
+# oh dear, this is an old IPA (3.0+)
+from ipaserver.install.dsinstance import DS_USER
+from ipaserver.install.cainstance import PKI_USER
+from ipapython import services
+
+SERVERID = "PKI-IPA"
+SCHEMA_FILENAMES = (
+    "60kerberos.ldif",
+    "60samba.ldif",
+    "60ipaconfig.ldif",
+    "60basev2.ldif",
+    "60basev3.ldif",
+    "60ipadns.ldif",
+    "61kerberos-ipav3.ldif",
+    "65ipacertstore.ldif",
+    "65ipasudo.ldif",
+    "70ipaotp.ldif",
+    "05rfc2247.ldif",
+)
+
+
+def _sha1_file(filename):
+    with open(filename, 'rb') as f:
+        return sha1(f.read()).hexdigest()
+
+
+def add_ca_schema():
+    """Copy IPA schema files into the CA DS instance
+    """
+    pki_pent = pwd.getpwnam(PKI_USER)
+    ds_pent = pwd.getpwnam(DS_USER)
+    for schema_fname in SCHEMA_FILENAMES:
+        source_fname = os.path.join(ipautil.SHARE_DIR, schema_fname)
+        target_fname = os.path.join(schema_dirname(SERVERID), schema_fname)
+        if not os.path.exists(source_fname):
+            root_logger.debug('File does not exist: %s', source_fname)
+            continue
+        if os.path.exists(target_fname):
+            target_sha1 = _sha1_file(target_fname)
+            source_sha1 = _sha1_file(source_fname)
+            if target_sha1 != source_sha1:
+                target_size = os.stat(target_fname).st_size
+                source_size = os.stat(source_fname).st_size
+                root_logger.info('Target file %s exists but the content is '
+                                 'different', target_fname)
+                root_logger.info('\tTarget file: sha1: %s, size: %s B',
+                                 target_sha1, target_size)
+                root_logger.info('\tSource file: sha1: %s, size: %s B',
+                                 source_sha1, source_size)
+                if not ipautil.user_input("Do you want replace %s file?" %
+                                          target_fname, True):
+                    continue
+
+            else:
+                root_logger.info(
+                    'Target exists, not overwriting: %s', target_fname)
+                continue
+        try:
+            shutil.copyfile(source_fname, target_fname)
+        except IOError as e:
+            root_logger.warning('Could not install %s: %s', target_fname, e)
+        else:
+            root_logger.info('Installed %s', target_fname)
+        os.chmod(target_fname, 0o440)    # read access for dirsrv user/group
+        os.chown(target_fname, pki_pent.pw_uid, ds_pent.pw_gid)
+
+
+def restart_pki_ds():
+    """Restart the CA DS instance to pick up schema changes
+    """
+    root_logger.info('Restarting CA DS')
+    services.service('dirsrv').restart(SERVERID)
+
+
+def main():
+    if os.getegid() != 0:
+        sys.exit("Must be root to run this script")
+    standard_logging_setup(verbose=True)
+
+    # In 3.0, restarting needs access to api.env
+    api.bootstrap_with_global_options(context='server')
+
+    add_ca_schema()
+    restart_pki_ds()
+
+    root_logger.info('Schema updated successfully')
+
+
+main()
+
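Review bot: The privilege guard in `main()` tests `os.getegid() != 0`, which checks the effective group rather than the effective user, so it does not establish what the "Must be root to run this script" message claims; it should read `if os.geteuid() != 0:`. In `add_ca_schema()`, `os.chmod` and `os.chown` run even when `shutil.copyfile` raised `IOError`, so a failed copy either aborts with an uncaught `OSError` on a missing target or changes mode and owner on a stale file, after which the run can still end with 'Schema updated successfully'. Moving both calls into the `else:` branch next to `root_logger.info('Installed %s', target_fname)` avoids that. The file also calls `main()` unconditionally at module level, so merely importing it would copy schema files and restart the CA directory server; `if __name__ == '__main__':` in front of the call keeps the behaviour for direct execution.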
-- 