Re: [Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
On 08/26/2014 01:16 PM, Petr Viktorin wrote:
On 07/30/2014 04:26 PM, Petr Viktorin wrote:
On 07/29/2014 06:03 PM, Petr Viktorin wrote:
On 07/29/2014 05:02 PM, Petr Viktorin wrote:
Hello,
The first patch here consolidates our system user creation code a bit.
The second patch fixes an oversight in the restore script.
The third changes the backup script to not include
/etc/{passwd,group},
and the restore script to create the PKI user if a CA is being
restored.
Note that the DS user is already created early in the restore process.
(In the future we may want a nice generic framework for restoring
users,
but I'd like to extrapolate from more than one data point when
designing
it.)
Another note: tar uses owner user/group names by default, so no
additional chowning is required even if the IDs change between backup
restore.
The fourth patch adds a log entry I find very useful in testing
backup/restore.
Rebased onto current master.
Rebased again.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
I like the approach, solves the issue quite neatly. I didn't find any
issues in the changes themselves, or during the testing, so ACK from me
for the whole patcheset (which means patches 624-627, despite the subject).
--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
On 09/23/2014 12:10 PM, Tomas Babej wrote:
On 08/26/2014 01:16 PM, Petr Viktorin wrote:
On 07/30/2014 04:26 PM, Petr Viktorin wrote:
On 07/29/2014 06:03 PM, Petr Viktorin wrote:
On 07/29/2014 05:02 PM, Petr Viktorin wrote:
Hello,
The first patch here consolidates our system user creation code a bit.
The second patch fixes an oversight in the restore script.
The third changes the backup script to not include
/etc/{passwd,group},
and the restore script to create the PKI user if a CA is being
restored.
Note that the DS user is already created early in the restore process.
I like the approach, solves the issue quite neatly. I didn't find any
issues in the changes themselves, or during the testing, so ACK from me
for the whole patcheset (which means patches 624-627, despite the subject).
Thanks! Pushed to:
master: abba25c8269f4928d659cfcaf8363ad2491bd736
ipa-4-1: 127e7a1dcc2ed0624f65597292ac58535ccc0602
--
Petr³
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
On 07/30/2014 04:26 PM, Petr Viktorin wrote:
On 07/29/2014 06:03 PM, Petr Viktorin wrote:
On 07/29/2014 05:02 PM, Petr Viktorin wrote:
Hello,
The first patch here consolidates our system user creation code a bit.
The second patch fixes an oversight in the restore script.
The third changes the backup script to not include /etc/{passwd,group},
and the restore script to create the PKI user if a CA is being restored.
Note that the DS user is already created early in the restore process.
(In the future we may want a nice generic framework for restoring users,
but I'd like to extrapolate from more than one data point when designing
it.)
Another note: tar uses owner user/group names by default, so no
additional chowning is required even if the IDs change between backup
restore.
The fourth patch adds a log entry I find very useful in testing
backup/restore.
Rebased onto current master.
Rebased again.
--
Petr³
From 3f5bed20eb014df99cbc5f101f1edac4a00debe7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 15 Jul 2014 13:31:01 +0200
Subject: [PATCH] ipaserver.install: Consolidate system user creation
Sytem users and their groups are always created together.
Also, users groups should never be removed once they exist
on the system (see comit a5a55ce).
Use a single function for generic user creation, and specific
funtions in dsinstance and cainstance.
Remove code left over from when we used to delete the DS user.
Preparation for: https://fedorahosted.org/freeipa/ticket/3866
---
install/tools/ipa-replica-install | 5 ++--
install/tools/ipa-server-install | 7 +++---
ipaserver/install/cainstance.py | 28 +-
ipaserver/install/dsinstance.py | 50 ++-
ipaserver/install/installutils.py | 44 +-
ipaserver/install/ipa_restore.py | 3 +--
6 files changed, 68 insertions(+), 69 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 7c9e27e2b9d248653681c85236d3541ec9ab0ec7..0445e59c23982b0d0e438f47c4e111fdb5dec977 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -573,9 +573,8 @@ def main():
api.bootstrap(in_server=True, context='installer')
api.finalize()
-# Create DS group if it doesn't exist yet
-group_exists = dsinstance.create_ds_group()
-sstore.backup_state(install, group_exists, group_exists)
+# Create DS user/group if it doesn't exist yet
+dsinstance.create_ds_user()
#Automatically disable pkinit w/ dogtag until that is supported
options.setup_pkinit = False
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6e77b434a018faec36a2808626c99a54bd493908..73055840af783213f7f2ce0230bb619b5801385f 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -560,7 +560,8 @@ def uninstall():
ipaclient.ntpconf.restore_forced_ntpd(sstore)
-group_exists = sstore.restore_state(install, group_exists)
+# Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
+sstore.restore_state(install, group_exists)
services.knownservices.ipa.disable()
@@ -1060,8 +1061,8 @@ def main():
# configure /etc/sysconfig/network to contain the custom hostname
tasks.backup_and_replace_hostname(fstore, sstore, host_name)
-# Create DS group if it doesn't exist yet
-dsinstance.create_ds_group()
+# Create DS user/group if it doesn't exist yet
+dsinstance.create_ds_user()
# Create a directory server instance
if external != 2:
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index e8bb7d701fb030e6cd11ad8637e51ca3b648e202..0998ee39101a86c396ef166bc67d19397f017346 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -249,6 +249,16 @@ def is_ca_installed_locally():
return os.path.exists(path)
+def create_ca_user():
+Create PKI user/group if it doesn't exist yet.
+installutils.create_system_user(
+name=PKI_USER,
+group=PKI_USER,
+homedir=paths.VAR_LIB,
+shell=paths.NOLOGIN,
+)
+
+
class CADSInstance(service.Service):
Certificate Authority DS instance
@@ -396,7 +406,7 @@ def configure_instance(self, host_name, domain, dm_password,
self.cert_chain_file = cert_chain_file
self.external = 2
-self.step(creating certificate server user, self.__create_ca_user)
+self.step(creating certificate server user, create_ca_user)
if self.dogtag_constants.DOGTAG_VERSION = 10:
self.step(configuring certificate server instance, self.__spawn_instance)
else:
@@ -599,22 +609,6 @@ def create_instance(self):
self.backup_state('installed', True)
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
-def __create_ca_user(self):
-try:
-
Re: [Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
On 07/29/2014 06:03 PM, Petr Viktorin wrote:
On 07/29/2014 05:02 PM, Petr Viktorin wrote:
Hello,
The first patch here consolidates our system user creation code a bit.
The second patch fixes an oversight in the restore script.
The third changes the backup script to not include /etc/{passwd,group},
and the restore script to create the PKI user if a CA is being restored.
Note that the DS user is already created early in the restore process.
(In the future we may want a nice generic framework for restoring users,
but I'd like to extrapolate from more than one data point when designing
it.)
Another note: tar uses owner user/group names by default, so no
additional chowning is required even if the IDs change between backup
restore.
The fourth patch adds a log entry I find very useful in testing
backup/restore.
Rebased onto current master.
--
Petr³
From 65f32453094c6ad74bcc2b298b091c6981163e9b Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 15 Jul 2014 13:31:01 +0200
Subject: [PATCH] ipaserver.install: Consolidate system user creation
Sytem users and their groups are always created together.
Also, users groups should never be removed once they exist
on the system (see comit a5a55ce).
Use a single function for generic user creation, and specific
funtions in dsinstance and cainstance.
Remove code left over from when we used to delete the DS user.
Preparation for: https://fedorahosted.org/freeipa/ticket/3866
---
install/tools/ipa-replica-install | 5 ++--
install/tools/ipa-server-install | 7 +++---
ipaserver/install/cainstance.py | 28 +
ipaserver/install/dsinstance.py | 51 ++-
ipaserver/install/installutils.py | 44 -
ipaserver/install/ipa_restore.py | 3 +--
6 files changed, 68 insertions(+), 70 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index eca73441bfe037eefa93482b119c40956e201d4d..50c5927a73c4533406da4702880b9d0314e0c1a5 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -587,9 +587,8 @@ def main():
api.bootstrap(in_server=True, context='installer')
api.finalize()
-# Create DS group if it doesn't exist yet
-group_exists = dsinstance.create_ds_group()
-sstore.backup_state(install, group_exists, group_exists)
+# Create DS user/group if it doesn't exist yet
+dsinstance.create_ds_user()
#Automatically disable pkinit w/ dogtag until that is supported
options.setup_pkinit = False
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index dc3655b8e320d9f62047ebd1ea5a05c5e883e3bd..f7eaae7a22a04e0af92b9fece60975fd94e2c30b 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -550,7 +550,8 @@ def uninstall():
ipaclient.ntpconf.restore_forced_ntpd(sstore)
-group_exists = sstore.restore_state(install, group_exists)
+# Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
+sstore.restore_state(install, group_exists)
services.knownservices.ipa.disable()
@@ -1042,8 +1043,8 @@ def main():
# configure /etc/sysconfig/network to contain the custom hostname
tasks.backup_and_replace_hostname(fstore, sstore, host_name)
-# Create DS group if it doesn't exist yet
-dsinstance.create_ds_group()
+# Create DS user/group if it doesn't exist yet
+dsinstance.create_ds_user()
# Create a directory server instance
if external != 2:
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b64588c0f44a6ece350b43d73a618d31d21c19cb..fb3418d51c374c6bd0be87bc4066d77c254c7b4f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -251,6 +251,16 @@ def is_step_one_done():
return False
+def create_ca_user():
+Create PKI user/group if it doesn't exist yet.
+installutils.create_system_user(
+name=PKI_USER,
+group=PKI_USER,
+homedir=paths.VAR_LIB,
+shell=paths.NOLOGIN,
+)
+
+
class CADSInstance(service.Service):
Certificate Authority DS instance
@@ -447,7 +457,7 @@ def configure_instance(self, host_name, domain, dm_password,
self.cert_chain_file=cert_chain_file
self.external=2
-self.step(creating certificate server user, self.__create_ca_user)
+self.step(creating certificate server user, create_ca_user)
if self.dogtag_constants.DOGTAG_VERSION = 10:
self.step(configuring certificate server instance, self.__spawn_instance)
else:
@@ -665,22 +675,6 @@ def __enable(self):
# We need to install DS before we can actually ldap_enable a service.
# so actual enablement is delayed.
-def __create_ca_user(self):
-try:
-pwd.getpwnam(PKI_USER)
-root_logger.debug(ca user %s exists %
[Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
Hello,
The first patch here consolidates our system user creation code a bit.
The second patch fixes an oversight in the restore script.
The third changes the backup script to not include /etc/{passwd,group},
and the restore script to create the PKI user if a CA is being restored.
Note that the DS user is already created early in the restore process.
(In the future we may want a nice generic framework for restoring users,
but I'd like to extrapolate from more than one data point when designing
it.)
The fourth patch adds a log entry I find very useful in testing
backup/restore.
--
Petr³
From 0f123ec9441b0189d334061865d0937ebe68a0ed Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 15 Jul 2014 13:31:01 +0200
Subject: [PATCH] ipaserver.install: Consolidate system user creation
Sytem users and their groups are always created together.
Also, users groups should never be removed once they exist
on the system (see comit a5a55ce).
Use a single function for generic user creation, and specific
funtions in dsinstance and cainstance.
Remove code left over from when we used to delete the DS user.
Preparation for: https://fedorahosted.org/freeipa/ticket/3866
---
install/tools/ipa-replica-install | 5 ++--
install/tools/ipa-server-install | 7 +++---
ipaserver/install/cainstance.py | 28 +
ipaserver/install/dsinstance.py | 51 ++-
ipaserver/install/installutils.py | 44 -
ipaserver/install/ipa_restore.py | 3 +--
6 files changed, 68 insertions(+), 70 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 5bfd61ee69d4682823a57f4b99a0d9a054a56d22..a15642e5a3496ed49c7afb424c8d9704db0239ee 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -584,9 +584,8 @@ def main():
api.bootstrap(in_server=True, context='installer')
api.finalize()
-# Create DS group if it doesn't exist yet
-group_exists = dsinstance.create_ds_group()
-sstore.backup_state(install, group_exists, group_exists)
+# Create DS user/group if it doesn't exist yet
+dsinstance.create_ds_user()
#Automatically disable pkinit w/ dogtag until that is supported
options.setup_pkinit = False
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index da600413271cdf711767fb2d94b23f083bdeb1c3..e2e3c60eb3a80dd13687ae0a829caaeae2a1967e 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -551,7 +551,8 @@ def uninstall():
ipaclient.ntpconf.restore_forced_ntpd(sstore)
-group_exists = sstore.restore_state(install, group_exists)
+# Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
+sstore.restore_state(install, group_exists)
services.knownservices.ipa.disable()
@@ -1079,8 +1080,8 @@ def main():
# configure /etc/sysconfig/network to contain the custom hostname
tasks.backup_and_replace_hostname(fstore, sstore, host_name)
-# Create DS group if it doesn't exist yet
-dsinstance.create_ds_group()
+# Create DS user/group if it doesn't exist yet
+dsinstance.create_ds_user()
# Create a directory server instance
if external != 2:
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 03aec95710d19b0f6cdc8eb6185ab0e832b28031..ce1c360acd7d453575f88f8b1ba1df06969d66dc 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -251,6 +251,16 @@ def is_step_one_done():
return False
+def create_ca_user():
+Create PKI user/group if it doesn't exist yet.
+installutils.create_system_user(
+name=PKI_USER,
+group=PKI_USER,
+homedir=paths.VAR_LIB,
+shell=paths.NOLOGIN,
+)
+
+
class CADSInstance(service.Service):
Certificate Authority DS instance
@@ -441,7 +451,7 @@ def configure_instance(self, host_name, domain, dm_password,
self.cert_chain_file=cert_chain_file
self.external=2
-self.step(creating certificate server user, self.__create_ca_user)
+self.step(creating certificate server user, create_ca_user)
if self.dogtag_constants.DOGTAG_VERSION = 10:
self.step(configuring certificate server instance, self.__spawn_instance)
else:
@@ -658,22 +668,6 @@ def __enable(self):
# We need to install DS before we can actually ldap_enable a service.
# so actual enablement is delayed.
-def __create_ca_user(self):
-try:
-pwd.getpwnam(PKI_USER)
-root_logger.debug(ca user %s exists % PKI_USER)
-except KeyError:
-root_logger.debug(adding ca user %s % PKI_USER)
-args = [paths.USERADD, -c, CA System User,
- -d, paths.VAR_LIB,
- -s,
Re: [Freeipa-devel] [PATCHES] 0264-0267 backup, restore: Don't overwrite /etc/{passwd, group}
On 07/29/2014 05:02 PM, Petr Viktorin wrote:
Hello,
The first patch here consolidates our system user creation code a bit.
The second patch fixes an oversight in the restore script.
The third changes the backup script to not include /etc/{passwd,group},
and the restore script to create the PKI user if a CA is being restored.
Note that the DS user is already created early in the restore process.
(In the future we may want a nice generic framework for restoring users,
but I'd like to extrapolate from more than one data point when designing
it.)
Another note: tar uses owner user/group names by default, so no
additional chowning is required even if the IDs change between backup
restore.
The fourth patch adds a log entry I find very useful in testing
backup/restore.
--
Petr³
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
