URL: https://github.com/freeipa/freeipa/pull/548 Author: MartinBasti Title: #548: ipa-server-install: add --setup-kra option Action: opened
PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/548/head:pr548 git checkout pr548
From fd7806ec416c9f23d3423d717af4c9ef4be0865a Mon Sep 17 00:00:00 2001 From: Martin Basti <mba...@redhat.com> Date: Thu, 2 Mar 2017 17:08:59 +0100 Subject: [PATCH 1/3] KRA: add --setup-kra to ipa-server-install This patch allows to install KRA on first IPA server in one step using ipa-server-install This option improves containers installation where ipa-server can be installed with KRA using one call without need to call docker exec. Please note the the original `kra.install()` calls in ipaserver/install/server/install.py were empty operations as it did nothing, so it is safe to move them out from CA block https://pagure.io/freeipa/issue/6731 --- .test_runner_config.yaml | 3 +-- ipaserver/install/server/__init__.py | 2 -- ipaserver/install/server/install.py | 13 +++++++++---- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml index e473d49..b7896c3 100644 --- a/.test_runner_config.yaml +++ b/.test_runner_config.yaml @@ -47,8 +47,7 @@ steps: - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing install_server: - ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password} - -a ${server_password} --setup-dns --auto-forwarders - - ipa-kra-install -p ${server_password} + -a ${server_password} --setup-dns --setup-kra --auto-forwarders lint: - PYTHON=/usr/bin/python2 make V=0 lint - PYTHON=/usr/bin/python3 make V=0 pylint diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 65dfa21..ce74092 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -159,7 +159,6 @@ def domain_level(self, value): None, description="configure a dogtag KRA", ) - setup_kra = enroll_only(setup_kra) setup_dns = knob( None, 
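Review bot: Dropping the `enroll_only` wrapper makes `--setup-kra` a regular ipa-server-install option, but the diffstat lists only the CI config, `__init__.py` and `install.py`, so the ipa-server-install man page and help text are not updated to mention it. Add the option there next to `--setup-dns`, stating that it installs a dogtag KRA for secret management and is rejected on a CA-less install (the check the install.py hunk adds). The knob's own description, `"configure a dogtag KRA"`, could carry the same caveat, e.g. `description="configure a dogtag KRA (requires a CA)"`. The `setup_kra = knob(` definition starts before the hunk.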
@@ -533,7 +532,6 @@ class ServerMasterInstall(ServerMasterInstallInterface): host_password = None keytab = None setup_ca = True - setup_kra = False domain_name = knob( bases=ServerMasterInstallInterface.domain_name, diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 1e6aad9..1e67a16 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -367,9 +367,9 @@ def install_check(installer): if not setup_ca and options.subject_base: raise ScriptError( "--subject-base cannot be used with CA-less installation") - - # first instance of KRA must be installed by ipa-kra-install - options.setup_kra = False + if not setup_ca and options.setup_kra: + raise ScriptError( + "--setup-kra cannot be used with CA-less installation") print("=======================================" "=======================================") @@ -384,6 +384,8 @@ def install_check(installer): print(" * Create and configure an instance of Directory Server") print(" * Create and configure a Kerberos Key Distribution Center (KDC)") print(" * Configure Apache (httpd)") + if options.setup_kra: + print(" * Configure KRA (dogtag) for secret management") if options.setup_dns: print(" * Configure DNS (bind)") if options.setup_adtrust: @@ -598,6 +600,7 @@ def install_check(installer): if setup_ca: ca.install_check(False, None, options) + if options.setup_kra: kra.install_check(api, None, options) if options.setup_dns: @@ -802,7 +805,6 @@ def install(installer): if setup_ca: ca.install_step_1(False, None, options) - kra.install(api, None, options) # The DS instance is created before the keytab, add the SSL cert we # generated @@ -842,6 +844,9 @@ def install(installer): service.print_msg("Restarting the KDC") krb.restart() + if options.setup_kra: + kra.install(api, None, options) + if options.setup_dns: dns.install(False, False, options) else: From 29d3bdb3cc5b62837a41f681c3c70add69eb8bcb Mon Sep 17 00:00:00 2001 
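Review bot: As far as I recall, an `--external-ca` install exits after the CSR is written, before the new `kra.install(api, None, options)` call placed after `krb.restart()` is reached, so a `--setup-kra` given on that first run has no effect unless the option is persisted between the two runs, which nothing in this diff does. If it is not persisted elsewhere, either save it with the other step-1 state or make the behaviour explicit next to the new CA-less check, e.g. `# --setup-kra is not saved between the --external-ca and --external-cert-file runs; repeat it on the second run`. The new guard `if not setup_ca and options.setup_kra: raise ScriptError("--setup-kra cannot be used with CA-less installation")` is correct to raise unconditionally, since the KRA depends on the CA. Both `install_check` and `install` start before their hunks and continue after them.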
From: Martin Basti <mba...@redhat.com> Date: Tue, 7 Mar 2017 17:44:17 +0100 Subject: [PATCH 2/3] tests: use --setup-kra in tests This will allow to test --setup-kra option together with ipa-server-install in install tests Separate installation using ipa-kra-install is already covered. https://pagure.io/freeipa/issue/6731 --- ipatests/test_integration/tasks.py | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index 6620d12..0f96f16 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -275,6 +275,8 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False, '--forwarder', host.config.dns_forwarder, '--auto-reverse' ]) + if setup_kra: + args.append('--setup-kra') if setup_adtrust: args.append('--setup-adtrust') @@ -284,13 +286,6 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False, if result.returncode == 0: enable_replication_debugging(host) setup_sssd_debugging(host) - if setup_kra: - args = [ - "ipa-kra-install", - "-p", host.config.dirman_password, - "-U", - ] - host.run_command(args) kinit_admin(host) return result From b4dd3f5690d18b7ca002cf8534e0e450452336c6 Mon Sep 17 00:00:00 2001 From: Martin Basti <mba...@redhat.com> Date: Tue, 7 Mar 2017 18:07:55 +0100 Subject: [PATCH 3/3] KRA: run install and install_check only when KRA should be installed KRA install should be executed only when user explicitly wanted to install KRA and this check can be done earlier and simplify the code. Install and install_check are NOOP without --setup-kra option, it makes only worse readability of code. https://pagure.io/freeipa/issue/6731 --- ipaserver/install/kra.py | 7 ------- ipaserver/install/server/replicainstall.py | 13 +++---------- 2 files changed, 3 insertions(+), 17 deletions(-) diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index 5a7a6ef..65faf7a 100644 
--- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py @@ -25,9 +25,6 @@ def install_check(api, replica_config, options): - if replica_config is not None and not replica_config.setup_kra: - return - kra = krainstance.KRAInstance(api.env.realm) if kra.is_installed(): raise RuntimeError("KRA is already installed.") @@ -69,8 +66,6 @@ def install_check(api, replica_config, options): def install(api, replica_config, options): if replica_config is None: - if not options.setup_kra: - return realm_name = api.env.realm dm_password = options.dm_password host_name = api.env.host @@ -80,8 +75,6 @@ def install(api, replica_config, options): master_host = None promote = False else: - if not replica_config.setup_kra: - return krafile = os.path.join(replica_config.dir, 'kracert.p12') if options.promote: custodia = custodiainstance.CustodiaInstance( diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 3757700..f5d629a 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -836,14 +836,12 @@ def install_check(installer): root_logger.debug('No IPA DNS servers, ' 'skipping forward/reverse resolution check') - kra_enabled = remote_api.Command.kra_is_enabled()['result'] - if ca_enabled: options.realm_name = config.realm_name options.host_name = config.host_name ca.install_check(False, config, options) - if kra_enabled: + if options.setup_kra: try: kra.install_check(remote_api, config, options) except RuntimeError as e: @@ -900,7 +898,6 @@ def install_check(installer): os.environ['KRB5CCNAME'] = ccache installer._ca_enabled = ca_enabled - installer._kra_enabled = kra_enabled installer._ca_file = cafile installer._fstore = fstore installer._sstore = sstore 
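Review bot: Removing the `replica_config.setup_kra` and `options.setup_kra` early returns from `install_check` and `install` makes both functions install unconditionally, so gating now rests entirely on the callers, including any caller outside this series that I cannot see. State the new contract on both functions, e.g. a docstring line `Install the KRA unconditionally; the caller must check setup_kra first.`, so a future caller does not install a KRA nobody asked for. The remaining `kra.is_installed()` check only rejects a KRA already present on this host and does not replace the removed guards. Both function bodies continue past their hunks.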
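Review bot: The domain-level-0 `install_check` in replicainstall.py no longer asks the master whether a KRA exists (`kra_enabled = remote_api.Command.kra_is_enabled()['result']` is dropped), while `promote_check` keeps its explicit "There is no KRA server in the domain" error for `--setup-kra`. Before, `--setup-kra` with a replica file from a domain without a KRA was silently skipped; now `kra.install_check(remote_api, config, options)` runs, and whether the user gets a clear message depends on `kra.install_check` raising a `RuntimeError` when `kracert.p12` is missing, which is outside this diff. If it does not, restore the check in this path in the same form `promote_check` uses: `if options.setup_kra and not remote_api.Command.kra_is_enabled()['result']:` followed by `root_logger.error("There is no KRA server in the domain, can't setup a KRA clone")` and `raise ScriptError(rval=3)`. `install_check` starts before the hunk and ends after it.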
@@ -1254,20 +1251,18 @@ def promote_check(installer): 'KRA', conn, config.kra_host_name) if kra_host is not None: config.kra_host_name = kra_host - kra_enabled = True else: if options.setup_kra: root_logger.error("There is no KRA server in the domain, " "can't setup a KRA clone") raise ScriptError(rval=3) - kra_enabled = False if ca_enabled: options.realm_name = config.realm_name options.host_name = config.host_name ca.install_check(False, config, options) - if kra_enabled: + if options.setup_kra: try: kra.install_check(remote_api, config, options) except RuntimeError as e: @@ -1326,7 +1321,6 @@ def promote_check(installer): os.environ['KRB5CCNAME'] = ccache installer._ca_enabled = ca_enabled - installer._kra_enabled = kra_enabled installer._ca_file = cafile installer._fstore = fstore installer._sstore = sstore @@ -1344,7 +1338,6 @@ def promote_check(installer): def install(installer): options = installer ca_enabled = installer._ca_enabled - kra_enabled = installer._kra_enabled fstore = installer._fstore sstore = installer._sstore config = installer._config @@ -1464,7 +1457,7 @@ def install(installer): service.print_msg("Applying LDAP updates") ds.apply_updates() - if kra_enabled: + if options.setup_kra: kra.install(api, config, options) service.print_msg("Restarting the KDC")