Re: [Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
On 08/26/2014 01:16 PM, Petr Viktorin wrote: On 07/30/2014 04:26 PM, Petr Viktorin wrote: On 07/29/2014 06:03 PM, Petr Viktorin wrote: On 07/29/2014 05:02 PM, Petr Viktorin wrote: Hello, The first patch here consolidates our system user creation code a bit. The second patch fixes an oversight in the restore script. The third changes the backup script to not include /etc/{passwd,group}, and the restore script to create the PKI user if a CA is being restored. Note that the DS user is already created early in the restore process. (In the future we may want a nice generic framework for restoring users, but I'd like to extrapolate from more than one data point when designing it.) Another note: tar uses owner user/group names by default, so no additional chowning is required even if the IDs change between backup restore. The fourth patch adds a log entry I find very useful in testing backup/restore. Rebased onto current master. Rebased again. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel I like the approach, solves the issue quite neatly. I didn't find any issues in the changes themselves, or during the testing, so ACK from me for the whole patcheset (which means patches 624-627, despite the subject). -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
On 09/23/2014 12:10 PM, Tomas Babej wrote: On 08/26/2014 01:16 PM, Petr Viktorin wrote: On 07/30/2014 04:26 PM, Petr Viktorin wrote: On 07/29/2014 06:03 PM, Petr Viktorin wrote: On 07/29/2014 05:02 PM, Petr Viktorin wrote: Hello, The first patch here consolidates our system user creation code a bit. The second patch fixes an oversight in the restore script. The third changes the backup script to not include /etc/{passwd,group}, and the restore script to create the PKI user if a CA is being restored. Note that the DS user is already created early in the restore process. I like the approach, solves the issue quite neatly. I didn't find any issues in the changes themselves, or during the testing, so ACK from me for the whole patcheset (which means patches 624-627, despite the subject). Thanks! Pushed to: master: abba25c8269f4928d659cfcaf8363ad2491bd736 ipa-4-1: 127e7a1dcc2ed0624f65597292ac58535ccc0602 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
On 07/30/2014 04:26 PM, Petr Viktorin wrote: On 07/29/2014 06:03 PM, Petr Viktorin wrote: On 07/29/2014 05:02 PM, Petr Viktorin wrote: Hello, The first patch here consolidates our system user creation code a bit. The second patch fixes an oversight in the restore script. The third changes the backup script to not include /etc/{passwd,group}, and the restore script to create the PKI user if a CA is being restored. Note that the DS user is already created early in the restore process. (In the future we may want a nice generic framework for restoring users, but I'd like to extrapolate from more than one data point when designing it.) Another note: tar uses owner user/group names by default, so no additional chowning is required even if the IDs change between backup restore. The fourth patch adds a log entry I find very useful in testing backup/restore. Rebased onto current master. Rebased again. -- Petr³ From 3f5bed20eb014df99cbc5f101f1edac4a00debe7 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Tue, 15 Jul 2014 13:31:01 +0200 Subject: [PATCH] ipaserver.install: Consolidate system user creation Sytem users and their groups are always created together. Also, users groups should never be removed once they exist on the system (see comit a5a55ce). Use a single function for generic user creation, and specific funtions in dsinstance and cainstance. Remove code left over from when we used to delete the DS user. Preparation for: https://fedorahosted.org/freeipa/ticket/3866 --- install/tools/ipa-replica-install | 5 ++-- install/tools/ipa-server-install | 7 +++--- ipaserver/install/cainstance.py | 28 +- ipaserver/install/dsinstance.py | 50 ++- ipaserver/install/installutils.py | 44 +- ipaserver/install/ipa_restore.py | 3 +-- 6 files changed, 68 insertions(+), 69 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 7c9e27e2b9d248653681c85236d3541ec9ab0ec7..0445e59c23982b0d0e438f47c4e111fdb5dec977 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -573,9 +573,8 @@ def main(): api.bootstrap(in_server=True, context='installer') api.finalize() -# Create DS group if it doesn't exist yet -group_exists = dsinstance.create_ds_group() -sstore.backup_state(install, group_exists, group_exists) +# Create DS user/group if it doesn't exist yet +dsinstance.create_ds_user() #Automatically disable pkinit w/ dogtag until that is supported options.setup_pkinit = False diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 6e77b434a018faec36a2808626c99a54bd493908..73055840af783213f7f2ce0230bb619b5801385f 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -560,7 +560,8 @@ def uninstall(): ipaclient.ntpconf.restore_forced_ntpd(sstore) -group_exists = sstore.restore_state(install, group_exists) +# Clean up group_exists (unused since IPA 2.2, not being set since 4.1) +sstore.restore_state(install, group_exists) services.knownservices.ipa.disable() @@ -1060,8 +1061,8 @@ def main(): # configure /etc/sysconfig/network to contain the custom hostname tasks.backup_and_replace_hostname(fstore, sstore, host_name) -# Create DS group if it doesn't exist yet -dsinstance.create_ds_group() +# Create DS user/group if it doesn't exist yet +dsinstance.create_ds_user() # Create a directory server instance if external != 2: diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index e8bb7d701fb030e6cd11ad8637e51ca3b648e202..0998ee39101a86c396ef166bc67d19397f017346 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -249,6 +249,16 @@ def is_ca_installed_locally(): return os.path.exists(path) +def create_ca_user(): +Create PKI user/group if it doesn't exist yet. +installutils.create_system_user( +name=PKI_USER, +group=PKI_USER, +homedir=paths.VAR_LIB, +shell=paths.NOLOGIN, +) + + class CADSInstance(service.Service): Certificate Authority DS instance @@ -396,7 +406,7 @@ def configure_instance(self, host_name, domain, dm_password, self.cert_chain_file = cert_chain_file self.external = 2 -self.step(creating certificate server user, self.__create_ca_user) +self.step(creating certificate server user, create_ca_user) if self.dogtag_constants.DOGTAG_VERSION = 10: self.step(configuring certificate server instance, self.__spawn_instance) else: @@ -599,22 +609,6 @@ def create_instance(self): self.backup_state('installed', True) ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}) -def __create_ca_user(self): -try: -
Re: [Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
On 07/29/2014 06:03 PM, Petr Viktorin wrote: On 07/29/2014 05:02 PM, Petr Viktorin wrote: Hello, The first patch here consolidates our system user creation code a bit. The second patch fixes an oversight in the restore script. The third changes the backup script to not include /etc/{passwd,group}, and the restore script to create the PKI user if a CA is being restored. Note that the DS user is already created early in the restore process. (In the future we may want a nice generic framework for restoring users, but I'd like to extrapolate from more than one data point when designing it.) Another note: tar uses owner user/group names by default, so no additional chowning is required even if the IDs change between backup restore. The fourth patch adds a log entry I find very useful in testing backup/restore. Rebased onto current master. -- Petr³ From 65f32453094c6ad74bcc2b298b091c6981163e9b Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Tue, 15 Jul 2014 13:31:01 +0200 Subject: [PATCH] ipaserver.install: Consolidate system user creation Sytem users and their groups are always created together. Also, users groups should never be removed once they exist on the system (see comit a5a55ce). Use a single function for generic user creation, and specific funtions in dsinstance and cainstance. Remove code left over from when we used to delete the DS user. Preparation for: https://fedorahosted.org/freeipa/ticket/3866 --- install/tools/ipa-replica-install | 5 ++-- install/tools/ipa-server-install | 7 +++--- ipaserver/install/cainstance.py | 28 + ipaserver/install/dsinstance.py | 51 ++- ipaserver/install/installutils.py | 44 - ipaserver/install/ipa_restore.py | 3 +-- 6 files changed, 68 insertions(+), 70 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index eca73441bfe037eefa93482b119c40956e201d4d..50c5927a73c4533406da4702880b9d0314e0c1a5 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -587,9 +587,8 @@ def main(): api.bootstrap(in_server=True, context='installer') api.finalize() -# Create DS group if it doesn't exist yet -group_exists = dsinstance.create_ds_group() -sstore.backup_state(install, group_exists, group_exists) +# Create DS user/group if it doesn't exist yet +dsinstance.create_ds_user() #Automatically disable pkinit w/ dogtag until that is supported options.setup_pkinit = False diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index dc3655b8e320d9f62047ebd1ea5a05c5e883e3bd..f7eaae7a22a04e0af92b9fece60975fd94e2c30b 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -550,7 +550,8 @@ def uninstall(): ipaclient.ntpconf.restore_forced_ntpd(sstore) -group_exists = sstore.restore_state(install, group_exists) +# Clean up group_exists (unused since IPA 2.2, not being set since 4.1) +sstore.restore_state(install, group_exists) services.knownservices.ipa.disable() @@ -1042,8 +1043,8 @@ def main(): # configure /etc/sysconfig/network to contain the custom hostname tasks.backup_and_replace_hostname(fstore, sstore, host_name) -# Create DS group if it doesn't exist yet -dsinstance.create_ds_group() +# Create DS user/group if it doesn't exist yet +dsinstance.create_ds_user() # Create a directory server instance if external != 2: diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index b64588c0f44a6ece350b43d73a618d31d21c19cb..fb3418d51c374c6bd0be87bc4066d77c254c7b4f 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -251,6 +251,16 @@ def is_step_one_done(): return False +def create_ca_user(): +Create PKI user/group if it doesn't exist yet. +installutils.create_system_user( +name=PKI_USER, +group=PKI_USER, +homedir=paths.VAR_LIB, +shell=paths.NOLOGIN, +) + + class CADSInstance(service.Service): Certificate Authority DS instance @@ -447,7 +457,7 @@ def configure_instance(self, host_name, domain, dm_password, self.cert_chain_file=cert_chain_file self.external=2 -self.step(creating certificate server user, self.__create_ca_user) +self.step(creating certificate server user, create_ca_user) if self.dogtag_constants.DOGTAG_VERSION = 10: self.step(configuring certificate server instance, self.__spawn_instance) else: @@ -665,22 +675,6 @@ def __enable(self): # We need to install DS before we can actually ldap_enable a service. # so actual enablement is delayed. -def __create_ca_user(self): -try: -pwd.getpwnam(PKI_USER) -root_logger.debug(ca user %s exists %
[Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
Hello, The first patch here consolidates our system user creation code a bit. The second patch fixes an oversight in the restore script. The third changes the backup script to not include /etc/{passwd,group}, and the restore script to create the PKI user if a CA is being restored. Note that the DS user is already created early in the restore process. (In the future we may want a nice generic framework for restoring users, but I'd like to extrapolate from more than one data point when designing it.) The fourth patch adds a log entry I find very useful in testing backup/restore. -- Petr³ From 0f123ec9441b0189d334061865d0937ebe68a0ed Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Tue, 15 Jul 2014 13:31:01 +0200 Subject: [PATCH] ipaserver.install: Consolidate system user creation Sytem users and their groups are always created together. Also, users groups should never be removed once they exist on the system (see comit a5a55ce). Use a single function for generic user creation, and specific funtions in dsinstance and cainstance. Remove code left over from when we used to delete the DS user. Preparation for: https://fedorahosted.org/freeipa/ticket/3866 --- install/tools/ipa-replica-install | 5 ++-- install/tools/ipa-server-install | 7 +++--- ipaserver/install/cainstance.py | 28 + ipaserver/install/dsinstance.py | 51 ++- ipaserver/install/installutils.py | 44 - ipaserver/install/ipa_restore.py | 3 +-- 6 files changed, 68 insertions(+), 70 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 5bfd61ee69d4682823a57f4b99a0d9a054a56d22..a15642e5a3496ed49c7afb424c8d9704db0239ee 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -584,9 +584,8 @@ def main(): api.bootstrap(in_server=True, context='installer') api.finalize() -# Create DS group if it doesn't exist yet -group_exists = dsinstance.create_ds_group() -sstore.backup_state(install, group_exists, group_exists) +# Create DS user/group if it doesn't exist yet +dsinstance.create_ds_user() #Automatically disable pkinit w/ dogtag until that is supported options.setup_pkinit = False diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index da600413271cdf711767fb2d94b23f083bdeb1c3..e2e3c60eb3a80dd13687ae0a829caaeae2a1967e 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -551,7 +551,8 @@ def uninstall(): ipaclient.ntpconf.restore_forced_ntpd(sstore) -group_exists = sstore.restore_state(install, group_exists) +# Clean up group_exists (unused since IPA 2.2, not being set since 4.1) +sstore.restore_state(install, group_exists) services.knownservices.ipa.disable() @@ -1079,8 +1080,8 @@ def main(): # configure /etc/sysconfig/network to contain the custom hostname tasks.backup_and_replace_hostname(fstore, sstore, host_name) -# Create DS group if it doesn't exist yet -dsinstance.create_ds_group() +# Create DS user/group if it doesn't exist yet +dsinstance.create_ds_user() # Create a directory server instance if external != 2: diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 03aec95710d19b0f6cdc8eb6185ab0e832b28031..ce1c360acd7d453575f88f8b1ba1df06969d66dc 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -251,6 +251,16 @@ def is_step_one_done(): return False +def create_ca_user(): +Create PKI user/group if it doesn't exist yet. +installutils.create_system_user( +name=PKI_USER, +group=PKI_USER, +homedir=paths.VAR_LIB, +shell=paths.NOLOGIN, +) + + class CADSInstance(service.Service): Certificate Authority DS instance @@ -441,7 +451,7 @@ def configure_instance(self, host_name, domain, dm_password, self.cert_chain_file=cert_chain_file self.external=2 -self.step(creating certificate server user, self.__create_ca_user) +self.step(creating certificate server user, create_ca_user) if self.dogtag_constants.DOGTAG_VERSION = 10: self.step(configuring certificate server instance, self.__spawn_instance) else: @@ -658,22 +668,6 @@ def __enable(self): # We need to install DS before we can actually ldap_enable a service. # so actual enablement is delayed. -def __create_ca_user(self): -try: -pwd.getpwnam(PKI_USER) -root_logger.debug(ca user %s exists % PKI_USER) -except KeyError: -root_logger.debug(adding ca user %s % PKI_USER) -args = [paths.USERADD, -c, CA System User, - -d, paths.VAR_LIB, - -s,
Re: [Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
On 07/29/2014 05:02 PM, Petr Viktorin wrote: Hello, The first patch here consolidates our system user creation code a bit. The second patch fixes an oversight in the restore script. The third changes the backup script to not include /etc/{passwd,group}, and the restore script to create the PKI user if a CA is being restored. Note that the DS user is already created early in the restore process. (In the future we may want a nice generic framework for restoring users, but I'd like to extrapolate from more than one data point when designing it.) Another note: tar uses owner user/group names by default, so no additional chowning is required even if the IDs change between backup restore. The fourth patch adds a log entry I find very useful in testing backup/restore. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel