Re: [Freeipa-devel] [PATCH 0069] ipa-replica-install support caless install with promotion.
On 2.12.2015 11:10, David Kupka wrote:
> On 02/12/15 07:58, Jan Cholasta wrote:
>> On 1.12.2015 14:27, David Kupka wrote:
>>> On 30/11/15 17:24, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 27.11.2015 07:57, David Kupka wrote:
>>>>> On 26/11/15 15:22, David Kupka wrote:
>>>>>> On 26/11/15 15:13, David Kupka wrote:
>>>>>>> On 26/11/15 15:01, David Kupka wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5441
>>>>>>>
>>>>>>> Replaced accidentally inserted tabs.
>>>>>>
>>>>>> Fixed indentation I screwed up when replacing tabs :-/
>>>>
>>>> 1) The deprecated --*_pkcs12 and --*_pin aliases should not be
>>>> supported in ipa-replica-install.
>>
>> In ServerCA, inherit the knobs from BaseServerCA rather than
>> BaseServer.ca. The "#pylint: disable=no-member" will no longer be
>> necessary.
>>
>> In ipa-server-install help, there are 2 "certificate system" option
>> groups. This is a shortcoming in the installer framework, which will
>> be addressed in the future. For now, please inherit *all* knobs of
>> BaseServerCA in ServerCA as a workaround.
>>
>>>> 2) This check from ipa-replica-prepare should be added to
>>>> Replica.__init__() as well:
>>>>
>>>>     # If any of the PKCS#12 options are selected, all are required.
>>>>     cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
>>>>     cert_file_opt = (options.pkinit_cert_files,)
>>>>     if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
>>>>         self.option_parser.error(
>>>>             "--dirsrv-cert-file and --http-cert-file are required if any "
>>>>             "PKCS#12 options are used.")
>>
>> The check is done when replica file is specified in the patch, but it
>> should be done only when replica file is *not* specified.
>>
>>>> 6) Please make the ca_is_enabled argument of install_replica_ds() and
>>>> install_http() mandatory and fill as appropriate when called, it will
>>>> make the code more readable.
>>
>> This bit in install_http() is redundant now:
>>
>> +        if ca_is_configured is None:
>> +            ca_is_configured = ipautil.file_exists(config.dir + "/cacert.p12")
>>
>>>> 7) $ git diff -U0 | pep8 --diff
>>>> ./ipaserver/install/server/replicainstall.py:99:80: E501 line too long (82 > 79 characters)
>>>> ./ipaserver/install/server/replicainstall.py:161:80: E501 line too long (82 > 79 characters)
>>>> ./ipaserver/install/server/replicainstall.py:1289:13: E265 block comment should start with '# '
>>>> ./ipaserver/install/server/replicainstall.py:1291:17: E125 continuation line with same indent as next logical line
>>>> ./ipaserver/install/server/replicainstall.py:1291:17: E128 continuation line under-indented for visual indent
>>
>> $ git diff -U0 | pep8 --diff
>> ./ipaserver/install/server/install.py:1142:1: E302 expected 2 blank lines, found 1
>> ./ipaserver/install/server/install.py:1143:5: E265 block comment should start with '# '
>> ./ipaserver/install/server/install.py:1160:17: E222 multiple spaces after operator
>> ./ipaserver/install/server/install.py:1288:9: E265 block comment should start with '# '
>> ./ipaserver/install/server/replicainstall.py:100:80: E501 line too long (82 > 79 characters)
>> ./ipaserver/install/server/replicainstall.py:162:80: E501 line too long (82 > 79 characters)
>> ./ipaserver/install/server/replicainstall.py:697:41: E251 unexpected spaces around keyword / parameter equals
>> ./ipaserver/install/server/replicainstall.py:697:43: E251 unexpected spaces around keyword / parameter equals
>> ./ipaserver/install/server/replicainstall.py:922:9: E129 visually indented line with same indent as next logical line
>> ./ipaserver/install/server/replicainstall.py:925:14: E131 continuation line unaligned for hanging indent
>> ./ipaserver/install/server/replicainstall.py:1345:9: E265 block comment should start with '# '
>> ./ipaserver/install/server/replicainstall.py:1389:21: E128 continuation line under-indented for visual indent
>
> Thanks, updated patch attached.

Thanks, ACK. The patch needed a rebase, see attachment.
Pushed to master: 2f51f0dce2e804bc4661441f97c04dc84b84fa21 -- Jan Cholasta From b1d031b6df45fb237a905364dd642405577c7c58 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Thu, 26 Nov 2015 09:01:27 +0100 Subject: [PATCH] ipa-replica-install support caless install with promotion. https://fedorahosted.org/freeipa/ticket/5441 --- ipaserver/install/custodiainstance.py | 6 +- ipaserver/install/dsinstance.py| 3 +- ipaserver/install/server/common.py | 6 -- ipaserver/install/server/install.py| 58 +- ipaserver/install/server/replicainstall.py | 168 - 5 files changed, 199 insertions(+), 42 deletions(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index df99962..dbe36af 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -17,7 +17,7 @@ import tempfile class CustodiaInstance(SimpleServiceInstance): -def __init__(self, host_name=None, realm=None): +def __init__(self, host_name=None, realm=None, ca_is_configured=True): super(CustodiaInstance, self).__init__("ipa-custodia") self.config_file = paths
Re: [Freeipa-devel] [PATCH 0069] ipa-replica-install support caless install with promotion.
On 02/12/15 07:58, Jan Cholasta wrote:
> On 1.12.2015 14:27, David Kupka wrote:
>> On 30/11/15 17:24, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 27.11.2015 07:57, David Kupka wrote:
>>>> On 26/11/15 15:22, David Kupka wrote:
>>>>> On 26/11/15 15:13, David Kupka wrote:
>>>>>> On 26/11/15 15:01, David Kupka wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5441
>>>>>>
>>>>>> Replaced accidentally inserted tabs.
>>>>>
>>>>> Fixed indentation I screwed up when replacing tabs :-/
>>>
>>> 1) The deprecated --*_pkcs12 and --*_pin aliases should not be
>>> supported in ipa-replica-install.
>
> In ServerCA, inherit the knobs from BaseServerCA rather than
> BaseServer.ca. The "#pylint: disable=no-member" will no longer be
> necessary.
>
> In ipa-server-install help, there are 2 "certificate system" option
> groups. This is a shortcoming in the installer framework, which will
> be addressed in the future. For now, please inherit *all* knobs of
> BaseServerCA in ServerCA as a workaround.
>
>>> 2) This check from ipa-replica-prepare should be added to
>>> Replica.__init__() as well:
>>>
>>>     # If any of the PKCS#12 options are selected, all are required.
>>>     cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
>>>     cert_file_opt = (options.pkinit_cert_files,)
>>>     if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
>>>         self.option_parser.error(
>>>             "--dirsrv-cert-file and --http-cert-file are required if any "
>>>             "PKCS#12 options are used.")
>
> The check is done when replica file is specified in the patch, but it
> should be done only when replica file is *not* specified.
>
>>> 6) Please make the ca_is_enabled argument of install_replica_ds() and
>>> install_http() mandatory and fill as appropriate when called, it will
>>> make the code more readable.
>
> This bit in install_http() is redundant now:
>
> +        if ca_is_configured is None:
> +            ca_is_configured = ipautil.file_exists(config.dir + "/cacert.p12")
>
>>> 7) $ git diff -U0 | pep8 --diff
>>> ./ipaserver/install/server/replicainstall.py:99:80: E501 line too long (82 > 79 characters)
>>> ./ipaserver/install/server/replicainstall.py:161:80: E501 line too long (82 > 79 characters)
>>> ./ipaserver/install/server/replicainstall.py:1289:13: E265 block comment should start with '# '
>>> ./ipaserver/install/server/replicainstall.py:1291:17: E125 continuation line with same indent as next logical line
>>> ./ipaserver/install/server/replicainstall.py:1291:17: E128 continuation line under-indented for visual indent
>
> $ git diff -U0 | pep8 --diff
> ./ipaserver/install/server/install.py:1142:1: E302 expected 2 blank lines, found 1
> ./ipaserver/install/server/install.py:1143:5: E265 block comment should start with '# '
> ./ipaserver/install/server/install.py:1160:17: E222 multiple spaces after operator
> ./ipaserver/install/server/install.py:1288:9: E265 block comment should start with '# '
> ./ipaserver/install/server/replicainstall.py:100:80: E501 line too long (82 > 79 characters)
> ./ipaserver/install/server/replicainstall.py:162:80: E501 line too long (82 > 79 characters)
> ./ipaserver/install/server/replicainstall.py:697:41: E251 unexpected spaces around keyword / parameter equals
> ./ipaserver/install/server/replicainstall.py:697:43: E251 unexpected spaces around keyword / parameter equals
> ./ipaserver/install/server/replicainstall.py:922:9: E129 visually indented line with same indent as next logical line
> ./ipaserver/install/server/replicainstall.py:925:14: E131 continuation line unaligned for hanging indent
> ./ipaserver/install/server/replicainstall.py:1345:9: E265 block comment should start with '# '
> ./ipaserver/install/server/replicainstall.py:1389:21: E128 continuation line under-indented for visual indent

Thanks, updated patch attached.

-- 
David Kupka
From c1e2259bb352e160e41deb8853bd615f1c9f3db1 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Thu, 26 Nov 2015 09:01:27 +0100 Subject: [PATCH] ipa-replica-install support caless install with promotion. https://fedorahosted.org/freeipa/ticket/5441 --- ipaserver/install/custodiainstance.py | 6 +- ipaserver/install/dsinstance.py| 3 +- ipaserver/install/server/common.py | 6 -- ipaserver/install/server/install.py| 58 +- ipaserver/install/server/replicainstall.py | 168 - 5 files changed, 199 insertions(+), 42 deletions(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index df99962a7e6e8ecac044ff4e8341a4a9913e4d4d..dbe36af6d7af23fa859dcb78f3dc24224fd8fd07 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -17,7 +17,7 @@ import tempfile class CustodiaInstance(SimpleServiceInstance): -def __init__(self, host_name=None, realm=None): +def __init__(self, host_name=None, realm=None, ca_is_configured=True): super(CustodiaInstance, self).__init__("ipa-custodia") self.config_file = paths.IPA_CUSTODIA_CONF self.server_keys = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, @@ -2
Re: [Freeipa-devel] [PATCH 0069] ipa-replica-install support caless install with promotion.
On 1.12.2015 14:27, David Kupka wrote:
> On 30/11/15 17:24, Jan Cholasta wrote:
>> Hi,
>>
>> On 27.11.2015 07:57, David Kupka wrote:
>>> On 26/11/15 15:22, David Kupka wrote:
>>>> On 26/11/15 15:13, David Kupka wrote:
>>>>> On 26/11/15 15:01, David Kupka wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5441
>>>>>
>>>>> Replaced accidentally inserted tabs.
>>>>
>>>> Fixed indentation I screwed up when replacing tabs :-/
>>
>> 1) The deprecated --*_pkcs12 and --*_pin aliases should not be
>> supported in ipa-replica-install.

In ServerCA, inherit the knobs from BaseServerCA rather than
BaseServer.ca. The "#pylint: disable=no-member" will no longer be
necessary.

In ipa-server-install help, there are 2 "certificate system" option
groups. This is a shortcoming in the installer framework, which will be
addressed in the future. For now, please inherit *all* knobs of
BaseServerCA in ServerCA as a workaround.

>> 2) This check from ipa-replica-prepare should be added to
>> Replica.__init__() as well:
>>
>>     # If any of the PKCS#12 options are selected, all are required.
>>     cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
>>     cert_file_opt = (options.pkinit_cert_files,)
>>     if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
>>         self.option_parser.error(
>>             "--dirsrv-cert-file and --http-cert-file are required if any "
>>             "PKCS#12 options are used.")

The check is done when replica file is specified in the patch, but it
should be done only when replica file is *not* specified.

>> 6) Please make the ca_is_enabled argument of install_replica_ds() and
>> install_http() mandatory and fill as appropriate when called, it will
>> make the code more readable.

This bit in install_http() is redundant now:

+        if ca_is_configured is None:
+            ca_is_configured = ipautil.file_exists(config.dir + "/cacert.p12")

>> 7) $ git diff -U0 | pep8 --diff
>> ./ipaserver/install/server/replicainstall.py:99:80: E501 line too long (82 > 79 characters)
>> ./ipaserver/install/server/replicainstall.py:161:80: E501 line too long (82 > 79 characters)
>> ./ipaserver/install/server/replicainstall.py:1289:13: E265 block comment should start with '# '
>> ./ipaserver/install/server/replicainstall.py:1291:17: E125 continuation line with same indent as next logical line
>> ./ipaserver/install/server/replicainstall.py:1291:17: E128 continuation line under-indented for visual indent

$ git diff -U0 | pep8 --diff
./ipaserver/install/server/install.py:1142:1: E302 expected 2 blank lines, found 1
./ipaserver/install/server/install.py:1143:5: E265 block comment should start with '# '
./ipaserver/install/server/install.py:1160:17: E222 multiple spaces after operator
./ipaserver/install/server/install.py:1288:9: E265 block comment should start with '# '
./ipaserver/install/server/replicainstall.py:100:80: E501 line too long (82 > 79 characters)
./ipaserver/install/server/replicainstall.py:162:80: E501 line too long (82 > 79 characters)
./ipaserver/install/server/replicainstall.py:697:41: E251 unexpected spaces around keyword / parameter equals
./ipaserver/install/server/replicainstall.py:697:43: E251 unexpected spaces around keyword / parameter equals
./ipaserver/install/server/replicainstall.py:922:9: E129 visually indented line with same indent as next logical line
./ipaserver/install/server/replicainstall.py:925:14: E131 continuation line unaligned for hanging indent
./ipaserver/install/server/replicainstall.py:1345:9: E265 block comment should start with '# '
./ipaserver/install/server/replicainstall.py:1389:21: E128 continuation line under-indented for visual indent

-- 
Jan Cholasta

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
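The option checks argued over in this thread (the "all PKCS#12 options or none" rule, the same-CA rule, the "no CA on the master means custom certificates are mandatory" rule, the replica-file conflict, and the request above that the completeness check only run when no replica file is given) collected into one testable preflight routine, as an added example that is not FreeIPA's code. `Options` is a constructed stand-in for the installer's parsed options; `http_ca_cert` and `dirsrv_ca_cert` stand in for whatever `load_pkcs12` returns as the CA certificate of each bundle; `replica_file` and `remote_ca_installed` are assumed inputs that the real installer derives elsewhere:

```python
"""Preflight checks for the CA-less certificate options of a replica install.

Added example, not FreeIPA code: each rule is a pure function returning an
error message or None, so the rules can be exercised without an installer.
"""
from collections import namedtuple

# Constructed stand-in for the installer's parsed options; each field is the
# list of PKCS#12 files given for that service, or None when not given.
Options = namedtuple(
    "Options", ["dirsrv_cert_files", "http_cert_files", "pkinit_cert_files"])


def check_pkcs12_complete(options):
    """Once any PKCS#12 option is used, the DS and HTTP bundles are both
    mandatory; the PKINIT bundle on its own is optional."""
    cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
    cert_file_opt = (options.pkinit_cert_files,)
    if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
        return ("--dirsrv-cert-file and --http-cert-file are required if any "
                "PKCS#12 options are used.")
    return None


def check_same_ca(options, http_ca_cert, dirsrv_ca_cert):
    """Both server certificates must be issued by the same CA.  The CA
    certificates are compared as opaque values (DER bytes in practice)."""
    if (options.http_cert_files and options.dirsrv_cert_files and
            http_ca_cert != dirsrv_ca_cert):
        return ("Apache Server SSL certificate and Directory Server SSL "
                "certificate are not signed by the same CA certificate")
    return None


def check_ca_available(options, remote_ca_installed):
    """Without a CA on the remote master nothing can issue the replica's
    certificates, so custom bundles are mandatory (assumed input)."""
    if not remote_ca_installed and not options.dirsrv_cert_files:
        return ("Cannot issue certificates: a CA is not installed. Use the "
                "--http-cert-file, --dirsrv-cert-file options to provide "
                "custom certificates.")
    return None


def check_replica_file_conflict(options, replica_file):
    """A replica file already carries the certificates, so it is mutually
    exclusive with the PKCS#12 options.  Note the single tuple argument:
    any() takes one iterable, not several positional values."""
    given = (options.dirsrv_cert_files, options.http_cert_files,
             options.pkinit_cert_files)
    if replica_file is not None and any(given):
        return ("You cannot specify a --*-cert-file option together with "
                "replica file")
    return None


def validate(options, replica_file=None, remote_ca_installed=True,
             http_ca_cert=None, dirsrv_ca_cert=None):
    """Run the checks in order and return every error found (empty = OK).

    The completeness, CA-availability and same-CA rules only apply when no
    replica file was given; with a replica file the conflict rule is the
    one that should fire."""
    errors = [check_replica_file_conflict(options, replica_file)]
    if replica_file is None:
        errors.append(check_pkcs12_complete(options))
        errors.append(check_ca_available(options, remote_ca_installed))
        errors.append(check_same_ca(options, http_ca_cert, dirsrv_ca_cert))
    return [msg for msg in errors if msg is not None]


if __name__ == "__main__":
    # Constructed sample inputs: one CA-less replica done right, and one
    # that forgot the HTTP bundle against a master without a CA.
    good = Options(["/tmp/replica.p12"], ["/tmp/replica.p12"], None)
    partial = Options(["/tmp/replica.p12"], None, None)
    print(validate(good, remote_ca_installed=False,
                   http_ca_cert=b"CA-A", dirsrv_ca_cert=b"CA-A"))
    print(validate(partial, remote_ca_installed=False))
```

Each rule is kept separate from the ordering logic in `validate` so that a unit test can pin down the individual messages, and the gating on `replica_file` is what makes the "only when replica file is *not* specified" request testable rather than a matter of where the check happens to sit in the installer.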
Re: [Freeipa-devel] [PATCH 0069] ipa-replica-install support caless install with promotion.
On 30/11/15 17:24, Jan Cholasta wrote:
> Hi,
>
> On 27.11.2015 07:57, David Kupka wrote:
>> On 26/11/15 15:22, David Kupka wrote:
>>> On 26/11/15 15:13, David Kupka wrote:
>>>> On 26/11/15 15:01, David Kupka wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5441
>>>>
>>>> Replaced accidentally inserted tabs.
>>>
>>> Fixed indentation I screwed up when replacing tabs :-/
>
> 1) The deprecated --*_pkcs12 and --*_pin aliases should not be
> supported in ipa-replica-install.
>
> 2) This check from ipa-replica-prepare should be added to
> Replica.__init__() as well:
>
>     # If any of the PKCS#12 options are selected, all are required.
>     cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
>     cert_file_opt = (options.pkinit_cert_files,)
>     if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
>         self.option_parser.error(
>             "--dirsrv-cert-file and --http-cert-file are required if any "
>             "PKCS#12 options are used.")
>
> 3) This check from ipa-replica-prepare should be added below the
> pkcs12_info initialization block in promote_check():
>
>     if (options.http_cert_files and options.dirsrv_cert_files and
>             http_ca_cert != dirsrv_ca_cert):
>         raise admintool.ScriptError(
>             "Apache Server SSL certificate and Directory Server SSL "
>             "certificate are not signed by the same CA certificate")
>
> 4) This check should use the same message as ipa-replica-prepare:
> "Cannot issue certificates: a CA is not installed. Use the
> --http-cert-file, --dirsrv-cert-file options to provide custom
> certificates.":
>
> +        if not options.dirsrv_cert_files:
> +            root_logger.error("The remote master does not have a CA "
> +                              "installed, can't proceed without certs")
> +            sys.exit(3)
>
> 5) Please use the common "You cannot specify a --option together with
> replica file" error message here:
>
> +        if any(self.ca.dirsrv_pkcs12_file, self.ca.http_pkcs12_file,
> +               self.ca.pkinit_pkcs12_file):
> +            raise RuntimeError("You cannot provide certificates together "
> +                               "with replica file")
>
> 6) Please make the ca_is_enabled argument of install_replica_ds() and
> install_http() mandatory and fill as appropriate when called, it will
> make the code more readable.
>
> 7) $ git diff -U0 | pep8 --diff
> ./ipaserver/install/server/replicainstall.py:99:80: E501 line too long (82 > 79 characters)
> ./ipaserver/install/server/replicainstall.py:161:80: E501 line too long (82 > 79 characters)
> ./ipaserver/install/server/replicainstall.py:1289:13: E265 block comment should start with '# '
> ./ipaserver/install/server/replicainstall.py:1291:17: E125 continuation line with same indent as next logical line
> ./ipaserver/install/server/replicainstall.py:1291:17: E128 continuation line under-indented for visual indent
>
> 8) Nitpicks:
>
> s/ca_configured/ca_is_configured/ in install_replica_ds(), for
> consistency.
>
> Set ca_enabled = False in the else branch rather than before the if
> statement in promote_check().
>
> Put the "#pylint: disable=no-member" in Replica.__init__() in the same
> spot as it is in Server.__init__().
>
> Honza

Thank you for review. Updated and rebased patch attached.

-- 
David Kupka

From a74d05c51768b6562a898fbff37aec7fb1eac332 Mon Sep 17 00:00:00 2001
From: David Kupka Date: Thu, 26 Nov 2015 09:01:27 +0100 Subject: [PATCH] ipa-replica-install support caless install with promotion. https://fedorahosted.org/freeipa/ticket/5441 --- ipaserver/install/custodiainstance.py | 6 +- ipaserver/install/dsinstance.py| 3 +- ipaserver/install/server/common.py | 6 - ipaserver/install/server/install.py| 45 +++- ipaserver/install/server/replicainstall.py | 170 - 5 files changed, 188 insertions(+), 42 deletions(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index df99962a7e6e8ecac044ff4e8341a4a9913e4d4d..dbe36af6d7af23fa859dcb78f3dc24224fd8fd07 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -17,7 +17,7 @@ import tempfile class CustodiaInstance(SimpleServiceInstance): -def __init__(self, host_name=None, realm=None): +def __init__(self, host_name=None, realm=None, ca_is_configured=True): super(CustodiaInstance, self).__init__("ipa-custodia") self.config_file = paths.IPA_CUSTODIA_CONF self.server_keys = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, @@ -25,6 +25,7 @@ class CustodiaInstance(SimpleServiceInstance): self.ldap_uri = None self.fqdn = host_name self.realm = realm +self.ca_is_configured = ca_is_configured def __config_file(self): template_file = os.path.basename(self.config_file) + '.template' @@ -68,7 +69,8 @@ class CustodiaInstance(SimpleServiceInstance): self.step("Generating ipa-c
Re: [Freeipa-devel] [PATCH 0069] ipa-replica-install support caless install with promotion.
Hi,

On 27.11.2015 07:57, David Kupka wrote:
> On 26/11/15 15:22, David Kupka wrote:
>> On 26/11/15 15:13, David Kupka wrote:
>>> On 26/11/15 15:01, David Kupka wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5441
>>>
>>> Replaced accidentally inserted tabs.
>>
>> Fixed indentation I screwed up when replacing tabs :-/

1) The deprecated --*_pkcs12 and --*_pin aliases should not be supported
in ipa-replica-install.

2) This check from ipa-replica-prepare should be added to
Replica.__init__() as well:

    # If any of the PKCS#12 options are selected, all are required.
    cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
    cert_file_opt = (options.pkinit_cert_files,)
    if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
        self.option_parser.error(
            "--dirsrv-cert-file and --http-cert-file are required if any "
            "PKCS#12 options are used.")

3) This check from ipa-replica-prepare should be added below the
pkcs12_info initialization block in promote_check():

    if (options.http_cert_files and options.dirsrv_cert_files and
            http_ca_cert != dirsrv_ca_cert):
        raise admintool.ScriptError(
            "Apache Server SSL certificate and Directory Server SSL "
            "certificate are not signed by the same CA certificate")

4) This check should use the same message as ipa-replica-prepare:
"Cannot issue certificates: a CA is not installed. Use the
--http-cert-file, --dirsrv-cert-file options to provide custom
certificates.":

+        if not options.dirsrv_cert_files:
+            root_logger.error("The remote master does not have a CA "
+                              "installed, can't proceed without certs")
+            sys.exit(3)

5) Please use the common "You cannot specify a --option together with
replica file" error message here:

+        if any(self.ca.dirsrv_pkcs12_file, self.ca.http_pkcs12_file,
+               self.ca.pkinit_pkcs12_file):
+            raise RuntimeError("You cannot provide certificates together "
+                               "with replica file")

6) Please make the ca_is_enabled argument of install_replica_ds() and
install_http() mandatory and fill as appropriate when called, it will
make the code more readable.

7) $ git diff -U0 | pep8 --diff
./ipaserver/install/server/replicainstall.py:99:80: E501 line too long (82 > 79 characters)
./ipaserver/install/server/replicainstall.py:161:80: E501 line too long (82 > 79 characters)
./ipaserver/install/server/replicainstall.py:1289:13: E265 block comment should start with '# '
./ipaserver/install/server/replicainstall.py:1291:17: E125 continuation line with same indent as next logical line
./ipaserver/install/server/replicainstall.py:1291:17: E128 continuation line under-indented for visual indent

8) Nitpicks:

s/ca_configured/ca_is_configured/ in install_replica_ds(), for
consistency.

Set ca_enabled = False in the else branch rather than before the if
statement in promote_check().

Put the "#pylint: disable=no-member" in Replica.__init__() in the same
spot as it is in Server.__init__().

Honza

-- 
Jan Cholasta
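Review bot: in the fragment quoted under point 5, `any(self.ca.dirsrv_pkcs12_file, self.ca.http_pkcs12_file, self.ca.pkinit_pkcs12_file)` passes three positional arguments to any(), which accepts exactly one iterable; the call raises TypeError before the comparison runs, so the guard never produces its RuntimeError and the replica-file conflict goes undetected. Wrap the three values in a tuple, `any((self.ca.dirsrv_pkcs12_file, self.ca.http_pkcs12_file, self.ca.pkinit_pkcs12_file))`, and cover the branch with a test that passes a replica file together with one certificate option, since the failure mode is silent on the happy path.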
Re: [Freeipa-devel] [PATCH 0069] ipa-replica-install support caless install with promotion.
On 26/11/15 15:22, David Kupka wrote:
> On 26/11/15 15:13, David Kupka wrote:
>> On 26/11/15 15:01, David Kupka wrote:
>>> https://fedorahosted.org/freeipa/ticket/5441
>>
>> Replaced accidentally inserted tabs.
>
> Fixed indentation I screwed up when replacing tabs :-/

Hello everyone!
I did not realize that not many people know how to verify this.

You need (at least) 2 servers, master and replica, and certificates for
them. Easiest way to get the certificates is to use Honza's almighty
script (attached). Before you run it, edit variables on first few lines
to match your environment. When it is run it creates directory (nssdb in
your `pwd` by default) populated by various certificates. Both
certificates used (replica.p12 and server.p12) must be signed by the
same CA (located in the same ca* subdirectory).

To install CA-less IPA server on master:

[master] # ipa-server-install -r EXAMPLE.TEST \
    --http-cert-file /path/to/server.p12 --http-pin password \
    --dirsrv-cert-file /path/to/server.p12 --dirsrv-pin password

Since domain-level is set to 1, ipa-client must be installed first on
future replica.

[replica] # ipa-client-install

Note: In case client can't auto-discover IPA server you need to provide
--domain and --server options.

After successful installation of ipa-client you can promote it to
master:

[replica] # ipa-replica-install \
    --http-cert-file /path/to/replica.p12 --http-pin password \
    --dirsrv-cert-file /path/to/replica.p12 --dirsrv-pin password

-- 
David Kupka

makepki.sh
Description: application/shellscript
Re: [Freeipa-devel] [PATCH 0069] ipa-replica-install support caless install with promotion.
On 26/11/15 15:13, David Kupka wrote: On 26/11/15 15:01, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5441 Replaced accidentally inserted tabs. Fixed indentation I screwed up when replacing tabs :-/ -- David Kupka From 7716a6797b547ba01d189c1772a5896c7683 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Thu, 26 Nov 2015 09:01:27 +0100 Subject: [PATCH] ipa-replica-install support caless install with promotion. https://fedorahosted.org/freeipa/ticket/5441 --- ipaserver/install/custodiainstance.py | 6 +- ipaserver/install/dsinstance.py| 3 +- ipaserver/install/server/replicainstall.py | 145 - 3 files changed, 126 insertions(+), 28 deletions(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index c2ecd397063db3dfe27006232831023d865aac40..fbd9ddf1b39493538c33cb84c58f3292d2aeb0b0 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -16,7 +16,7 @@ import tempfile class CustodiaInstance(SimpleServiceInstance): -def __init__(self, host_name=None, realm=None): +def __init__(self, host_name=None, realm=None, ca_is_configured=True): super(CustodiaInstance, self).__init__("ipa-custodia") self.config_file = paths.IPA_CUSTODIA_CONF self.server_keys = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, @@ -24,6 +24,7 @@ class CustodiaInstance(SimpleServiceInstance): self.ldap_uri = None self.fqdn = host_name self.realm = realm +self.ca_is_configured = ca_is_configured def __config_file(self): template_file = os.path.basename(self.config_file) + '.template' @@ -66,7 +67,8 @@ class CustodiaInstance(SimpleServiceInstance): self.step("Generating ipa-custodia config file", self.__config_file) self.step("Generating ipa-custodia keys", self.__gen_keys) -self.step("Importing RA Key", self.__import_ra_key) +if self.ca_is_configured: +self.step("Importing RA Key", self.__import_ra_key) super(CustodiaInstance, self).create_instance(gensvc_name='KEYS', fqdn=self.fqdn, ldap_suffix=suffix, 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index e47e85ca6f25c33e4327fc5ee1cd2e90e6c2ca4a..a58b0f7c2f1a6baae09e38695b8e569d7495d524 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -381,7 +381,8 @@ class DsInstance(service.Service): if self.promote: self.step("creating DS keytab", self.__get_ds_keytab) -self.step("retrieving DS Certificate", self.__get_ds_cert) +if self.ca_is_configured: +self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) self.step("setting up initial replication", self.__setup_replica) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 4b811105be3409e7c673fb55f96c8b3e58be63b5..38d73872b739149e9ef81764f75e0730bb26cba0 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -32,6 +32,7 @@ from ipaserver.install import ( ntpinstance, otpdinstance, custodiainstance, service) from ipaserver.install.installutils import create_replica_config from ipaserver.install.installutils import ReplicaConfig +from ipaserver.install.installutils import load_pkcs12 from ipaserver.install.replication import ( ReplicationManager, replica_conn_check) import SSSDConfig 
@@ -87,13 +88,20 @@ def install_http_certs(config, fstore): # FIXME: need Signing-Cert too ? -def install_replica_ds(config, options, promote=False): +def install_replica_ds(config, options, promote=False, pkcs12_info=None, + ca_configured=False): dsinstance.check_ports() # if we have a pkcs12 file, create the cert db from # that. Otherwise the ds setup will create the CA # cert -pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt") +if pkcs12_info is None: +pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt") + +if promote: +ca_file = paths.IPA_CA_CRT +else: +ca_file = os.path.join(config.dir, "ca.crt") ds = dsinstance.DsInstance( config_ldif=options.dirsrv_config_file) @@ -105,8 +113,8 @@ def install_replica_ds(config, options, promote=False): dm_password=config.dirman_password, subject_base=config.subject_base, pkcs12_info=pkcs12_info, -ca_is_configured=ipautil.file_exists(config.dir + "/cacert.p12"), -ca_file=config.dir + "/ca.crt", +ca_is_configured=ca_configured, +ca_file=ca_file, promote=promote, )
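Review bot: in the replicainstall.py hunk, `ca_is_configured=ca_configured` replaces a value that was computed on the spot (`ca_is_configured=ipautil.file_exists(config.dir + "/cacert.p12")`) with a keyword parameter defaulting to False, while the custodiainstance.py hunk gives its new `ca_is_configured` keyword the opposite default of True; any call site this patch does not update silently gets the CA-less path in one case and the CA path in the other, and neither mismatch raises. Make both parameters mandatory so every caller states which mode it is in, and spell the install_replica_ds() parameter `ca_is_configured` to match the DsInstance keyword it feeds.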
Re: [Freeipa-devel] [PATCH 0069] ipa-replica-install support caless install with promotion.
On 26/11/15 15:01, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5441 Replaced accidentally inserted tabs. -- David Kupka From bae8482da29c97becbd1d5de58aed91c3e5f05d9 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Thu, 26 Nov 2015 09:01:27 +0100 Subject: [PATCH] ipa-replica-install support caless install with promotion. https://fedorahosted.org/freeipa/ticket/5441 --- ipaserver/install/custodiainstance.py | 8 +- ipaserver/install/dsinstance.py| 3 +- ipaserver/install/server/replicainstall.py | 145 - 3 files changed, 127 insertions(+), 29 deletions(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index c2ecd397063db3dfe27006232831023d865aac40..300733ce8b9919288a43336feabb8cb2cbaad2f2 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -16,7 +16,7 @@ import tempfile class CustodiaInstance(SimpleServiceInstance): -def __init__(self, host_name=None, realm=None): +def __init__(self, host_name=None, realm=None, ca_is_configured=True): super(CustodiaInstance, self).__init__("ipa-custodia") self.config_file = paths.IPA_CUSTODIA_CONF self.server_keys = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, @@ -24,6 +24,7 @@ class CustodiaInstance(SimpleServiceInstance): self.ldap_uri = None self.fqdn = host_name self.realm = realm +self.ca_is_configured = ca_is_configured def __config_file(self): template_file = os.path.basename(self.config_file) + '.template' @@ -65,8 +66,9 @@ class CustodiaInstance(SimpleServiceInstance): self.master_host_name = master_host_name self.step("Generating ipa-custodia config file", self.__config_file) -self.step("Generating ipa-custodia keys", self.__gen_keys) -self.step("Importing RA Key", self.__import_ra_key) +self.step("Generating ipa-custodia keys", self.__gen_keys) +if self.ca_is_configured: +self.step("Importing RA Key", self.__import_ra_key) super(CustodiaInstance, self).create_instance(gensvc_name='KEYS', fqdn=self.fqdn, ldap_suffix=suffix, 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index e47e85ca6f25c33e4327fc5ee1cd2e90e6c2ca4a..a58b0f7c2f1a6baae09e38695b8e569d7495d524 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -381,7 +381,8 @@ class DsInstance(service.Service): if self.promote: self.step("creating DS keytab", self.__get_ds_keytab) -self.step("retrieving DS Certificate", self.__get_ds_cert) +if self.ca_is_configured: +self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) self.step("setting up initial replication", self.__setup_replica) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 4b811105be3409e7c673fb55f96c8b3e58be63b5..447486bf0d4a1229733cef88d3fa3fece8473bb3 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -32,6 +32,7 @@ from ipaserver.install import ( ntpinstance, otpdinstance, custodiainstance, service) from ipaserver.install.installutils import create_replica_config from ipaserver.install.installutils import ReplicaConfig +from ipaserver.install.installutils import load_pkcs12 from ipaserver.install.replication import ( ReplicationManager, replica_conn_check) import SSSDConfig 
@@ -87,13 +88,20 @@ def install_http_certs(config, fstore): # FIXME: need Signing-Cert too ? -def install_replica_ds(config, options, promote=False): +def install_replica_ds(config, options, promote=False, pkcs12_info=None, + ca_configured=False): dsinstance.check_ports() # if we have a pkcs12 file, create the cert db from # that. Otherwise the ds setup will create the CA # cert -pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt") +if pkcs12_info is None: +pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt") + +if promote: +ca_file = paths.IPA_CA_CRT +else: +ca_file = os.path.join(config.dir, "ca.crt") ds = dsinstance.DsInstance( config_ldif=options.dirsrv_config_file) @@ -105,8 +113,8 @@ def install_replica_ds(config, options, promote=False): dm_password=config.dirman_password, subject_base=config.subject_base, pkcs12_info=pkcs12_info, -ca_is_configured=ipautil.file_exists(config.dir + "/cacert.p12"), -ca_file=config.dir + "/ca.crt", +ca_is_configured=ca_configured, +ca_file=ca_file, promote=promote,
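Review bot: in the custodiainstance.py create_instance() hunk, the line `self.step("Generating ipa-custodia keys", self.__gen_keys)` is removed and re-added with identical text, so the only difference is whitespace; either drop it from the diff or make sure the re-added line uses the same indentation as the `if self.ca_is_configured:` block inserted right after it, otherwise the RA-key step ends up guarded at a different level than the one visible in the patch.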