Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 9.12.2015 16:22, Martin Babinsky wrote: On 12/09/2015 03:48 PM, Jan Cholasta wrote: On 2.12.2015 14:19, Martin Basti wrote: On 02.12.2015 14:10, Martin Basti wrote: On 02.12.2015 14:08, Martin Babinsky wrote: On 12/02/2015 10:45 AM, Martin Babinsky wrote: On 12/01/2015 02:40 PM, Martin Babinsky wrote: On 11/30/2015 08:34 PM, Martin Basti wrote: On 30.11.2015 18:41, Martin Babinsky wrote: On 11/30/2015 06:15 PM, Martin Basti wrote: On 30.11.2015 16:43, Martin Babinsky wrote: On 11/30/2015 12:31 PM, Jan Cholasta wrote: Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? I would rather leave it with the long option name, it is more apparent what this switch should be around. c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza Attaching updated patches. NACK ipa-server-install --uninstall 2015-11-30T17:14:30Z DEBUG Destroyed connection context.ldap2_140081152041808 2015-11-30T17:14:30Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception super(Continuous, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 439, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 355, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall for nothing in self._uninstaller(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1409, in main uninstall_check(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1140, in uninstall_check api, masters, options.ignore_disconnected_topology) AttributeError: 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z ERROR 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z INFO The ipa-server-install command was successful Sorry I have failed horribly during option rename. Attaching patch that should actually work. functional ACK Attaching rebased patches reflecting the recent changes in the handling of managed topology suffixes handling. Jan had some more suggestions to the patches. Attaching updated version. Attaching updated patch 99 with fixed error message. Pushed to master: b8c619a7139bd7b65caa03b68431e22791ff19bf ACK :-) I was doing some unrelated testing with domain level 0 and forgot to remove --ignore-topology disconnect from my command line before uninstalling server, which gave me an error that the option cannot be used in domain level 0 and I had to re-run ipa-server-install --uninstall with the option removed. IMO it would be better for UX if the option was ignored in domain level 0, since topology
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 2.12.2015 14:19, Martin Basti wrote: On 02.12.2015 14:10, Martin Basti wrote: On 02.12.2015 14:08, Martin Babinsky wrote: On 12/02/2015 10:45 AM, Martin Babinsky wrote: On 12/01/2015 02:40 PM, Martin Babinsky wrote: On 11/30/2015 08:34 PM, Martin Basti wrote: On 30.11.2015 18:41, Martin Babinsky wrote: On 11/30/2015 06:15 PM, Martin Basti wrote: On 30.11.2015 16:43, Martin Babinsky wrote: On 11/30/2015 12:31 PM, Jan Cholasta wrote: Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? I would rather leave it with the long option name, it is more apparent what this switch should be around. c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza Attaching updated patches. NACK ipa-server-install --uninstall 2015-11-30T17:14:30Z DEBUG Destroyed connection context.ldap2_140081152041808 2015-11-30T17:14:30Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception super(Continuous, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 439, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 355, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall for nothing in self._uninstaller(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1409, in main uninstall_check(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1140, in uninstall_check api, masters, options.ignore_disconnected_topology) AttributeError: 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z ERROR 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z INFO The ipa-server-install command was successful Sorry I have failed horribly during option rename. Attaching patch that should actually work. functional ACK Attaching rebased patches reflecting the recent changes in the handling of managed topology suffixes handling. Jan had some more suggestions to the patches. Attaching updated version. Attaching updated patch 99 with fixed error message. Pushed to master: b8c619a7139bd7b65caa03b68431e22791ff19bf ACK :-) I was doing some unrelated testing with domain level 0 and forgot to remove --ignore-topology disconnect from my command line before uninstalling server, which gave me an error that the option cannot be used in domain level 0 and I had to re-run ipa-server-install --uninstall with the option removed. IMO it would be better for UX if the option was ignored in domain level 0, since topology disconnects are *always* ignored in domain level 0. (Right?) The attached patch fixes that.
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 12/09/2015 03:48 PM, Jan Cholasta wrote: On 2.12.2015 14:19, Martin Basti wrote: On 02.12.2015 14:10, Martin Basti wrote: On 02.12.2015 14:08, Martin Babinsky wrote: On 12/02/2015 10:45 AM, Martin Babinsky wrote: On 12/01/2015 02:40 PM, Martin Babinsky wrote: On 11/30/2015 08:34 PM, Martin Basti wrote: On 30.11.2015 18:41, Martin Babinsky wrote: On 11/30/2015 06:15 PM, Martin Basti wrote: On 30.11.2015 16:43, Martin Babinsky wrote: On 11/30/2015 12:31 PM, Jan Cholasta wrote: Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? I would rather leave it with the long option name, it is more apparent what this switch should be around. c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza Attaching updated patches. NACK ipa-server-install --uninstall 2015-11-30T17:14:30Z DEBUG Destroyed connection context.ldap2_140081152041808 2015-11-30T17:14:30Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception super(Continuous, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 439, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 355, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall for nothing in self._uninstaller(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1409, in main uninstall_check(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1140, in uninstall_check api, masters, options.ignore_disconnected_topology) AttributeError: 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z ERROR 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z INFO The ipa-server-install command was successful Sorry I have failed horribly during option rename. Attaching patch that should actually work. functional ACK Attaching rebased patches reflecting the recent changes in the handling of managed topology suffixes handling. Jan had some more suggestions to the patches. Attaching updated version. Attaching updated patch 99 with fixed error message. Pushed to master: b8c619a7139bd7b65caa03b68431e22791ff19bf ACK :-) I was doing some unrelated testing with domain level 0 and forgot to remove --ignore-topology disconnect from my command line before uninstalling server, which gave me an error that the option cannot be used in domain level 0 and I had to re-run ipa-server-install --uninstall with the option removed. IMO it would be better for UX if the option was ignored in domain level 0, since topology disconnects are *always* ignored in domain level 0.
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 12/01/2015 02:40 PM, Martin Babinsky wrote: On 11/30/2015 08:34 PM, Martin Basti wrote: On 30.11.2015 18:41, Martin Babinsky wrote: On 11/30/2015 06:15 PM, Martin Basti wrote: On 30.11.2015 16:43, Martin Babinsky wrote: On 11/30/2015 12:31 PM, Jan Cholasta wrote: Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? I would rather leave it with the long option name, it is more apparent what this switch should be around. c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza Attaching updated patches. NACK ipa-server-install --uninstall 2015-11-30T17:14:30Z DEBUG Destroyed connection context.ldap2_140081152041808 2015-11-30T17:14:30Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception super(Continuous, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 439, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 355, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall for nothing in self._uninstaller(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1409, in main uninstall_check(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1140, in uninstall_check api, masters, options.ignore_disconnected_topology) AttributeError: 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z ERROR 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z INFO The ipa-server-install command was successful Sorry I have failed horribly during option rename. Attaching patch that should actually work. functional ACK Attaching rebased patches reflecting the recent changes in the handling of managed topology suffixes handling. Jan had some more suggestions to the patches. Attaching updated version. -- Martin^3 Babinsky From a6dfb5eb910c6bcc4c456a704ba499ba4037e7ca Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 19 Nov 2015 17:55:23 +0100 Subject: [PATCH 1/2] extract domain level 1 topology-checking code from ipa-replica-manage This facilitates reusability of this code in other components, e.g. IPA server uninstallers. https://fedorahosted.org/freeipa/ticket/5409 --- install/tools/ipa-replica-manage | 108 --- ipaserver/install/replication.py | 90 2 files changed, 101 insertions(+), 97 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 7bbef3593ef291b4af209d7f59c21e23d3d22944..6d303e6f008325648461287448ef3d2712e23911 100755 ---
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 12/02/2015 10:45 AM, Martin Babinsky wrote: On 12/01/2015 02:40 PM, Martin Babinsky wrote: On 11/30/2015 08:34 PM, Martin Basti wrote: On 30.11.2015 18:41, Martin Babinsky wrote: On 11/30/2015 06:15 PM, Martin Basti wrote: On 30.11.2015 16:43, Martin Babinsky wrote: On 11/30/2015 12:31 PM, Jan Cholasta wrote: Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? I would rather leave it with the long option name, it is more apparent what this switch should be around. c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza Attaching updated patches. NACK ipa-server-install --uninstall 2015-11-30T17:14:30Z DEBUG Destroyed connection context.ldap2_140081152041808 2015-11-30T17:14:30Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception super(Continuous, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 439, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 355, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall for nothing in self._uninstaller(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1409, in main uninstall_check(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1140, in uninstall_check api, masters, options.ignore_disconnected_topology) AttributeError: 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z ERROR 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z INFO The ipa-server-install command was successful Sorry I have failed horribly during option rename. Attaching patch that should actually work. functional ACK Attaching rebased patches reflecting the recent changes in the handling of managed topology suffixes handling. Jan had some more suggestions to the patches. Attaching updated version. Attaching updated patch 99 with fixed error message. -- Martin^3 Babinsky From cd5eb8e2eaf7b632c3941c339b6ef9efb2940629 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 19 Nov 2015 17:58:44 +0100 Subject: [PATCH 2/2] implement domain level 1 specific topology checks into IPA server uninstaller When uninstalling domain level 1 master its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' options skips this check. https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 --- install/tools/man/ipa-server-install.1 | 3 +
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 02.12.2015 14:08, Martin Babinsky wrote: On 12/02/2015 10:45 AM, Martin Babinsky wrote: On 12/01/2015 02:40 PM, Martin Babinsky wrote: On 11/30/2015 08:34 PM, Martin Basti wrote: On 30.11.2015 18:41, Martin Babinsky wrote: On 11/30/2015 06:15 PM, Martin Basti wrote: On 30.11.2015 16:43, Martin Babinsky wrote: On 11/30/2015 12:31 PM, Jan Cholasta wrote: Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? I would rather leave it with the long option name, it is more apparent what this switch should be around. c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza Attaching updated patches. NACK ipa-server-install --uninstall 2015-11-30T17:14:30Z DEBUG Destroyed connection context.ldap2_140081152041808 2015-11-30T17:14:30Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception super(Continuous, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 439, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 355, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall for nothing in self._uninstaller(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1409, in main uninstall_check(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1140, in uninstall_check api, masters, options.ignore_disconnected_topology) AttributeError: 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z ERROR 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z INFO The ipa-server-install command was successful Sorry I have failed horribly during option rename. Attaching patch that should actually work. functional ACK Attaching rebased patches reflecting the recent changes in the handling of managed topology suffixes handling. Jan had some more suggestions to the patches. Attaching updated version. Attaching updated patch 99 with fixed error message. Pushed to master: b8c619a7139bd7b65caa03b68431e22791ff19bf -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 02.12.2015 14:10, Martin Basti wrote: On 02.12.2015 14:08, Martin Babinsky wrote: On 12/02/2015 10:45 AM, Martin Babinsky wrote: On 12/01/2015 02:40 PM, Martin Babinsky wrote: On 11/30/2015 08:34 PM, Martin Basti wrote: On 30.11.2015 18:41, Martin Babinsky wrote: On 11/30/2015 06:15 PM, Martin Basti wrote: On 30.11.2015 16:43, Martin Babinsky wrote: On 11/30/2015 12:31 PM, Jan Cholasta wrote: Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? I would rather leave it with the long option name, it is more apparent what this switch should be around. c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza Attaching updated patches. NACK ipa-server-install --uninstall 2015-11-30T17:14:30Z DEBUG Destroyed connection context.ldap2_140081152041808 2015-11-30T17:14:30Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception super(Continuous, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 439, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 355, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall for nothing in self._uninstaller(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1409, in main uninstall_check(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1140, in uninstall_check api, masters, options.ignore_disconnected_topology) AttributeError: 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z ERROR 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z INFO The ipa-server-install command was successful Sorry I have failed horribly during option rename. Attaching patch that should actually work. functional ACK Attaching rebased patches reflecting the recent changes in the handling of managed topology suffixes handling. Jan had some more suggestions to the patches. Attaching updated version. Attaching updated patch 99 with fixed error message. Pushed to master: b8c619a7139bd7b65caa03b68431e22791ff19bf ACK :-) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 11/30/2015 08:34 PM, Martin Basti wrote: On 30.11.2015 18:41, Martin Babinsky wrote: On 11/30/2015 06:15 PM, Martin Basti wrote: On 30.11.2015 16:43, Martin Babinsky wrote: On 11/30/2015 12:31 PM, Jan Cholasta wrote: Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? I would rather leave it with the long option name, it is more apparent what this switch should be around. c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza Attaching updated patches. NACK ipa-server-install --uninstall 2015-11-30T17:14:30Z DEBUG Destroyed connection context.ldap2_140081152041808 2015-11-30T17:14:30Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception super(Continuous, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 439, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 355, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall for nothing in self._uninstaller(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1409, in main uninstall_check(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1140, in uninstall_check api, masters, options.ignore_disconnected_topology) AttributeError: 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z ERROR 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z INFO The ipa-server-install command was successful Sorry I have failed horribly during option rename. Attaching patch that should actually work. functional ACK Attaching rebased patches reflecting the recent changes in the handling of managed topology suffixes handling. -- Martin^3 Babinsky From 5e8f88ee3cd8b80d1e927303647d426f585309e8 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 19 Nov 2015 17:58:44 +0100 Subject: [PATCH 2/2] implement domain level 1 specific topology checks into IPA server uninstaller When uninstalling domain level 1 master its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' options skips this check. https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 --- install/tools/man/ipa-server-install.1 | 3 + ipaserver/install/server/install.py| 193 - 2 files changed, 169 insertions(+), 27 deletions(-) diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 30.11.2015 16:43, Martin Babinsky wrote: On 11/30/2015 12:31 PM, Jan Cholasta wrote: Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? I would rather leave it with the long option name, it is more apparent what this switch should be around. c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza Attaching updated patches. NACK ipa-server-install --uninstall 2015-11-30T17:14:30Z DEBUG Destroyed connection context.ldap2_140081152041808 2015-11-30T17:14:30Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception super(Continuous, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 439, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 355, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall for nothing in self._uninstaller(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1409, in main uninstall_check(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1140, in uninstall_check api, masters, options.ignore_disconnected_topology) AttributeError: 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z ERROR 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z INFO The ipa-server-install command was successful -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 11/30/2015 12:31 PM, Jan Cholasta wrote: Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? I would rather leave it with the long option name, it is more apparent what this switch should be around. c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza Attaching updated patches. -- Martin^3 Babinsky From 9e997fbfa14e66740538f50eace51039226b51c0 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 19 Nov 2015 17:58:44 +0100 Subject: [PATCH 2/2] implement domain level 1 specific topology checks into IPA server uninstaller When uninstalling domain level 1 master its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' options skips this check. https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 --- install/tools/man/ipa-server-install.1 | 3 + ipaserver/install/server/install.py| 193 - 2 files changed, 169 insertions(+), 27 deletions(-) diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 5c601b123385a30a1bd6962663f8f97b528e805e..b11c9503982ece60b6fa862d2bebf201f49c3b86 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -61,6 +61,9 @@ The maximum user and group id number (default: idstart+19). If set to zero, \fB\-\-no_hbac_allow\fR Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production. .TP +\fB\-\-ignore-topology-disconnect\fR +Ignore errors reported when uninstallation of IPA server would lead to disconnected domain level 1 topology. +.TP \fB\-\-no\-ui\-redirect\fR Do not automatically redirect to the Web UI. .TP diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index bd07793bb295db9d3b03614f44b54ddd2ea20cb5..333697139a4d67cd89daa3713670a38657884570 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -26,7 +26,7 @@ from ipapython.ipautil import ( from ipaplatform import services from ipaplatform.paths import paths from ipaplatform.tasks import tasks -from ipalib import api, constants, errors, x509 +from ipalib import api, create_api, constants, errors, x509 from ipalib.constants import CACERT from ipalib.util import validate_domain_name import ipaclient.ntpconf @@ -290,6 +290,110 @@ def common_cleanup(func): return decorated +def check_master_deleted(api, masters, interactive): +try: +host_princ = api.Command.host_show(api.env.host)['result']['krbprincipalname'][0] +except Exception as e: +root_logger.warning( +"Failed to get host principal name: {0}".format(e) +) +return False + +ccache_path = os.path.join('/', 'tmp', 'krb5cc_host') +with ipautil.private_ccache(ccache_path): +try: +ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_path) +except Exception as e: +root_logger.error( +"Kerberos authentication as '{0}' failed: {1}".format( +host_princ, e +) +) +return False + +last_server = True +for master in masters: +master_cn = master['cn'][0] +if api.env.host == master_cn: +continue + +last_server = False +master_ldap_uri = u'ldap://{0}'.format(master_cn) + +# initialize remote api +remote_api =
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 11/30/2015 06:15 PM, Martin Basti wrote: On 30.11.2015 16:43, Martin Babinsky wrote: On 11/30/2015 12:31 PM, Jan Cholasta wrote: Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? I would rather leave it with the long option name, it is more apparent what this switch should be around. c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza Attaching updated patches. NACK ipa-server-install --uninstall 2015-11-30T17:14:30Z DEBUG Destroyed connection context.ldap2_140081152041808 2015-11-30T17:14:30Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception super(Continuous, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 439, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 387, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 355, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 352, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall for nothing in self._uninstaller(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1409, in main uninstall_check(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1140, in uninstall_check api, masters, options.ignore_disconnected_topology) AttributeError: 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z ERROR 'uninstaller(Server)' object has no attribute 'ignore_disconnected_topology' 2015-11-30T17:14:30Z INFO The ipa-server-install command was successful Sorry I have failed horribly during option rename. Attaching patch that should actually work. -- Martin^3 Babinsky From 77866f7d7458e5f33ff185f17ba89bb4170cf2da Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 19 Nov 2015 17:58:44 +0100 Subject: [PATCH] implement domain level 1 specific topology checks into IPA server uninstaller When uninstalling domain level 1 master its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' options skips this check. https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 --- install/tools/man/ipa-server-install.1 | 3 + ipaserver/install/server/install.py| 193 - 2 files changed, 169 insertions(+), 27 deletions(-) diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 5c601b123385a30a1bd6962663f8f97b528e805e..b11c9503982ece60b6fa862d2bebf201f49c3b86 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -61,6 +61,9 @@ The maximum user and group id number
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
Hi, On 27.11.2015 14:58, Martin Babinsky wrote: On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. Patch 0098: LGTM Patch 0099: a) This check should be done in Server.__init__() rather than install_check(): +if options.ignore_disconnected_topology: +print("'--ignore-disconnected-topology' is used only during " + "uninstallation") +sys.exit(1) b) s/--ignore-disconnected-topology/--ignore-topology-disconnect/, for consistency with other options, e.g. --no-ui-redirect. Maybe even shorten it to --ignore-topology? But we probably don't want people to use this option much, so it might be better to keep it long? c) I'm fine with uninstall options, you can remove the TODO: +# TODO: ask jcholast about uninstallation options Honza -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0098-0099] domain level 1 topology checks during IPA server uninstall
On 11/19/2015 06:19 PM, Martin Babinsky wrote: These two patches fix the following tickets: https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 I have added a new option '--ignore-disconnected-topology' which forces IPA master uninstall despite reported errors in topology. I'm not quite sure if we want to flood ipa-server-install with uninstall-specific options, maybe it is better to skip the check in unattended mode and just print a warning about disconnected topology and what to do about it. I would like to hear your opinions about this. Attaching rebased and updated patches. -- Martin^3 Babinsky From 9c2e5ed10c110ffb5e3bce458468a6845a6dca57 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 19 Nov 2015 17:58:44 +0100 Subject: [PATCH 2/2] implement domain level 1 specific topology checks into IPA server uninstaller When uninstalling domain level 1 master its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' options skips this check. https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 --- install/tools/man/ipa-server-install.1 | 3 + ipaserver/install/server/install.py| 194 - 2 files changed, 170 insertions(+), 27 deletions(-) diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 5c601b123385a30a1bd6962663f8f97b528e805e..7769d4f5116d262df05e7e7b0bbd0d2eb37f6266 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -61,6 +61,9 @@ The maximum user and group id number (default: idstart+19). If set to zero, \fB\-\-no_hbac_allow\fR Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production. .TP +\fB\-\-ignore-disconnected-topology\fR +Ignore errors reported when uninstallation of IPA server would lead to disconnected domain level 1 topology. +.TP \fB\-\-no\-ui\-redirect\fR Do not automatically redirect to the Web UI. .TP diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index bd07793bb295db9d3b03614f44b54ddd2ea20cb5..55d62a618e91c5968486317c5f57df862c1c7f52 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -26,7 +26,7 @@ from ipapython.ipautil import ( from ipaplatform import services from ipaplatform.paths import paths from ipaplatform.tasks import tasks -from ipalib import api, constants, errors, x509 +from ipalib import api, create_api, constants, errors, x509 from ipalib.constants import CACERT from ipalib.util import validate_domain_name import ipaclient.ntpconf @@ -290,6 +290,110 @@ def common_cleanup(func): return decorated +def check_master_deleted(api, masters, interactive): +try: +host_princ = api.Command.host_show(api.env.host)['result']['krbprincipalname'][0] +except Exception as e: +root_logger.warning( +"Failed to get host principal name: {0}".format(e) +) +return False + +ccache_path = os.path.join('/', 'tmp', 'krb5cc_host') +with ipautil.private_ccache(ccache_path): +try: +ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_path) +except Exception as e: +root_logger.error( +"Kerberos authentication as '{0}' failed: {1}".format( +host_princ, e +) +) +return False + +last_server = True +for master in masters: +master_cn = master['cn'][0] +if api.env.host == master_cn: +continue + +last_server = False +master_ldap_uri = u'ldap://{0}'.format(master_cn) + +# initialize remote api +remote_api = create_api(mode=None) +remote_api.bootstrap(ldap_uri=master_ldap_uri, in_server=True) +remote_api.finalize() + +root_logger.debug("Connecting to '{0}'...".format(master_ldap_uri)) +try: +remote_api.Backend.ldap2.connect(ccache=ccache_path) +remote_api.Command.server_show(api.env.host) +root_logger.debug( +"Server entry '{0}' present on '{1}'".format( +api.env.host, master_cn +) +) +return False +except (errors.NotFound, errors.ACIError): +# this may occur because the node was already deleted from the +# topology and the host principal doesn't exist +root_logger.debug( +"'{0}' was removed from topology".format( +