def validate_options(self): super(ServerUpgrade, self).validate_options(needs_root=True) installutils.check_server_configuration() if self.options.force: self.options.skip_version_check = True
def validate_options(self, needs_root=True): super(KRAInstall, self).validate_options(needs_root=True) installutils.check_server_configuration() api.bootstrap(in_server=True, confdir=paths.ETC_IPA) api.finalize()
def validate_options(self): super(IpaAdvise, self).validate_options(needs_root=False) installutils.check_server_configuration() if len(self.args) > 1: raise self.option_parser.error("You can only provide one " "positional argument.")
def main(cls, argv): """ Sets up API and LDAP connection for the tool, then runs the rest of the plumbing. """ # Check if the IPA server is configured before attempting to migrate try: installutils.check_server_configuration() except RuntimeError as e: sys.exit(e) # Finalize API api.bootstrap(in_server=True, context='server') api.finalize() # Setup LDAP connection try: api.Backend.ldap2.connect() cls.ldap = api.Backend.ldap2 except gssapi.exceptions.GSSError as e: sys.exit("Must have Kerberos credentials to migrate Winsync users. Error: %s" % e) except errors.ACIError as e: sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket.") except errors.DatabaseError as e: sys.exit("Cannot connect to the LDAP database. Please check if IPA is running.") super(WinsyncMigrate, cls).main(argv)
def validate_options(self): options = self.options super(Backup, self).validate_options(needs_root=True) installutils.check_server_configuration() if options.gpg_keyring is not None: print( "--gpg-keyring is no longer supported, use GNUPGHOME " "environment variable to use a custom GnuPG2 directory.", file=sys.stderr ) options.gpg = True if options.online and not options.data_only: self.option_parser.error("You cannot specify --online " "without --data") if options.gpg: tmpfd = write_tmp_file('encryptme') newfile = encrypt_file(tmpfd.name, False) os.unlink(newfile) if options.data_only and options.logs: self.option_parser.error("You cannot specify --data " "with --logs")
def validate_options(self): super(IpaAdvise, self).validate_options(needs_root=False) installutils.check_server_configuration() if len(self.args) > 1: raise self.option_parser.error("You can only provide one " "positional argument.")
def initialize(self, framework, config, options=None): super().initialize(framework, config) installutils.check_server_configuration() if not api.isdone('bootstrap'): api.bootstrap(in_server=True, context='ipahealthcheck', log=None) if not api.isdone('finalize'): api.finalize()
def validate_options(self): options = self.options super(Backup, self).validate_options(needs_root=True) installutils.check_server_configuration() if options.gpg_keyring is not None: print( "--gpg-keyring is no longer supported, use GNUPGHOME " "environment variable to use a custom GnuPG2 directory.", file=sys.stderr ) options.gpg = True if options.online and not options.data_only: self.option_parser.error("You cannot specify --online " "without --data") if options.gpg: tmpfd = write_tmp_file('encryptme') newfile = encrypt_file(tmpfd.name, False) os.unlink(newfile) if options.data_only and options.logs: self.option_parser.error("You cannot specify --data " "with --logs")
def main(cls, argv): """ Sets up API and LDAP connection for the tool, then runs the rest of the plumbing. """ # Check if the IPA server is configured before attempting to migrate try: installutils.check_server_configuration() except RuntimeError as e: sys.exit(e) # Finalize API api.bootstrap(in_server=True, context='server', confdir=paths.ETC_IPA) api.finalize() # Setup LDAP connection try: api.Backend.ldap2.connect() cls.ldap = api.Backend.ldap2 except gssapi.exceptions.GSSError as e: sys.exit( "Must have Kerberos credentials to migrate Winsync users. Error: %s" % e) except errors.ACIError as e: sys.exit( "Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket." ) except errors.DatabaseError as e: sys.exit( "Cannot connect to the LDAP database. Please check if IPA is running." ) super(WinsyncMigrate, cls).main(argv)
def validate_options(self): super(ServerUpgrade, self).validate_options(needs_root=True) installutils.check_server_configuration() if self.options.force: self.options.skip_version_check = True
def validate_options(self, needs_root=True): super(KRAInstall, self).validate_options(needs_root=True) installutils.check_server_configuration() api.bootstrap(in_server=True, confdir=paths.ETC_IPA) api.finalize()
def validate_options(self): super(ServerCertInstall, self).validate_options(needs_root=True) installutils.check_server_configuration() if not self.options.dirsrv and not self.options.http: self.option_parser.error("you must specify dirsrv and/or http") if not self.args: self.option_parser.error("you must provide certificate filename")
def validate_options(self): super(ServerCertInstall, self).validate_options(needs_root=True) installutils.check_server_configuration() if not self.options.dirsrv and not self.options.http: self.option_parser.error("you must specify dirsrv and/or http") if not self.args: self.option_parser.error("you must provide certificate filename")
def validate_options(self): super(ServerUpgrade, self).validate_options(needs_root=True) if self.options.force: self.options.skip_version_check = True try: installutils.check_server_configuration() except RuntimeError as e: print unicode(e) sys.exit(1)
def validate_options(self): super(ServerUpgrade, self).validate_options(needs_root=True) if self.options.force: self.options.skip_version_check = True try: installutils.check_server_configuration() except RuntimeError as e: print unicode(e) sys.exit(1)
def validate_options(self, needs_root=True): super(KRAInstall, self).validate_options(needs_root=True) installutils.check_server_configuration() if self.options.unattended and self.options.password is None: self.option_parser.error( "Directory Manager password must be specified using -p" " in unattended mode") api.bootstrap(in_server=True) api.finalize()
def validate_options(self): options = self.options super(ReplicaPrepare, self).validate_options(needs_root=True) installutils.check_server_configuration() if not options.ip_address: if options.reverse_zone: self.option_parser.error("You cannot specify a --reverse-zone " "option without the --ip-address option") if options.no_reverse: self.option_parser.error("You cannot specify a --no-reverse " "option without the --ip-address option") elif options.reverse_zone and options.no_reverse: self.option_parser.error("You cannot specify a --reverse-zone " "option together with --no-reverse") #Automatically disable pkinit w/ dogtag until that is supported options.setup_pkinit = False # If any of the PKCS#12 options are selected, all are required. pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) pkcs12_opt = (options.pkinit_pkcs12,) if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): self.option_parser.error( "--dirsrv_pkcs12 and --http_pkcs12 are required if any " "PKCS#12 options are used.") if len(self.args) < 1: self.option_parser.error( "must provide the fully-qualified name of the replica") elif len(self.args) > 1: self.option_parser.error( "must provide exactly one name for the replica") else: [self.replica_fqdn] = self.args api.bootstrap(in_server=True) api.finalize() if api.env.host == self.replica_fqdn: raise admintool.ScriptError("You can't create a replica on itself") if not api.env.enable_ra and not options.http_pkcs12: raise admintool.ScriptError( "Cannot issue certificates: a CA is not installed. Use the " "--http_pkcs12, --dirsrv_pkcs12 options to provide custom " "certificates.") config_dir = dsinstance.config_dirname( dsinstance.realm_to_serverid(api.env.realm)) if not ipautil.dir_exists(config_dir): raise admintool.ScriptError( "could not find directory instance: %s" % config_dir)
def validate_options(self): options = self.options super(ReplicaPrepare, self).validate_options(needs_root=True) installutils.check_server_configuration() if not options.ip_addresses: if options.reverse_zones: self.option_parser.error( "You cannot specify a --reverse-zone " "option without the --ip-address option") if options.no_reverse: self.option_parser.error( "You cannot specify a --no-reverse " "option without the --ip-address option") elif options.reverse_zones and options.no_reverse: self.option_parser.error("You cannot specify a --reverse-zone " "option together with --no-reverse") #Automatically disable pkinit w/ dogtag until that is supported options.setup_pkinit = False # If any of the PKCS#12 options are selected, all are required. cert_file_req = (options.dirsrv_cert_files, options.http_cert_files) cert_file_opt = (options.pkinit_cert_files, ) if any(cert_file_req + cert_file_opt) and not all(cert_file_req): self.option_parser.error( "--dirsrv-cert-file and --http-cert-file are required if any " "PKCS#12 options are used.") if len(self.args) < 1: self.option_parser.error( "must provide the fully-qualified name of the replica") elif len(self.args) > 1: self.option_parser.error( "must provide exactly one name for the replica") else: [self.replica_fqdn] = self.args api.bootstrap(in_server=True) api.finalize() # Connect to LDAP, connection is closed at the end of run() api.Backend.ldap2.connect() self.check_for_supported_domain_level() if api.env.host == self.replica_fqdn: raise admintool.ScriptError("You can't create a replica on itself") config_dir = dsinstance.config_dirname( installutils.realm_to_serverid(api.env.realm)) if not ipautil.dir_exists(config_dir): raise admintool.ScriptError( "could not find directory instance: %s" % config_dir)
def validate_options(self, needs_root=True): super(KRAInstall, self).validate_options(needs_root=True) installutils.check_server_configuration() if self.options.unattended and self.options.password is None: self.option_parser.error( "Directory Manager password must be specified using -p" " in unattended mode" ) api.bootstrap(in_server=True) api.finalize()
def validate_options(self): options = self.options super(ReplicaPrepare, self).validate_options(needs_root=True) installutils.check_server_configuration() if not options.ip_addresses: if options.reverse_zones: self.option_parser.error("You cannot specify a --reverse-zone " "option without the --ip-address option") if options.no_reverse: self.option_parser.error("You cannot specify a --no-reverse " "option without the --ip-address option") elif options.reverse_zones and options.no_reverse: self.option_parser.error("You cannot specify a --reverse-zone " "option together with --no-reverse") #Automatically disable pkinit w/ dogtag until that is supported options.setup_pkinit = False # If any of the PKCS#12 options are selected, all are required. cert_file_req = (options.dirsrv_cert_files, options.http_cert_files) cert_file_opt = (options.pkinit_cert_files,) if any(cert_file_req + cert_file_opt) and not all(cert_file_req): self.option_parser.error( "--dirsrv-cert-file and --http-cert-file are required if any " "PKCS#12 options are used.") if len(self.args) < 1: self.option_parser.error( "must provide the fully-qualified name of the replica") elif len(self.args) > 1: self.option_parser.error( "must provide exactly one name for the replica") else: [self.replica_fqdn] = self.args api.bootstrap(in_server=True) api.finalize() # Connect to LDAP, connection is closed at the end of run() api.Backend.ldap2.connect() self.check_for_supported_domain_level() if api.env.host == self.replica_fqdn: raise admintool.ScriptError("You can't create a replica on itself") config_dir = dsinstance.config_dirname( installutils.realm_to_serverid(api.env.realm)) if not ipautil.dir_exists(config_dir): raise admintool.ScriptError( "could not find directory instance: %s" % config_dir)
def validate_options(self): super(PKINITManage, self).validate_options(needs_root=True) installutils.check_server_configuration() option_parser = self.option_parser if not self.args: option_parser.error("action not specified") elif len(self.args) > 1: option_parser.error("too many arguments") action = self.args[0] if action not in {'enable', 'disable', 'status'}: option_parser.error("unrecognized action '{}'".format(action))
def validate_options(self): super(CRLGenManage, self).validate_options(needs_root=True) installutils.check_server_configuration() option_parser = self.option_parser if not self.args: option_parser.error("action not specified") elif len(self.args) > 1: option_parser.error("too many arguments") action = self.args[0] if action not in {'enable', 'disable', 'status'}: option_parser.error("unrecognized action '{}'".format(action))
def initialize(self, framework, config, options=None): super().initialize(framework, config) # deferred import for mock # pylint: disable=import-outside-toplevel from ipaserver.servroles import ADtrustBasedRole, ServiceBasedRole # pylint: enable=import-outside-toplevel installutils.check_server_configuration() if not api.isdone('finalize'): if not api.isdone('bootstrap'): api.bootstrap(in_server=True, context='ipahealthcheck', log=None) if not api.isdone('finalize'): api.finalize() if not api.Backend.ldap2.isconnected(): try: api.Backend.ldap2.connect() except (errors.CCacheError, errors.NetworkError) as e: logger.debug('Failed to connect to LDAP: %s', e) return ca = cainstance.CAInstance(api.env.realm, host_name=api.env.host) self.ca_configured = ca.is_configured() # This package is pulled in when the trust package is installed # and is required to lookup trust users. If this is not installed # then it can be inferred that trust is not enabled. try: # pylint: disable=unused-import,import-outside-toplevel import pysss_nss_idmap # noqa: F401 # pylint: enable=unused-import,import-outside-toplevel except ImportError: return roles = ( ADtrustBasedRole(u"ad_trust_agent_server", u"AD trust agent"), ServiceBasedRole(u"ad_trust_controller_server", u"AD trust controller", component_services=['ADTRUST']), ) role = roles[0].status(api)[0] if role.get('status') == 'enabled': self.trust_agent = True role = roles[1].status(api)[0] if role.get('status') == 'enabled': self.trust_controller = True
def initialize(self, framework, config, options=None): super().initialize(framework, config) installutils.check_server_configuration() if not api.isdone('bootstrap'): api.bootstrap(in_server=True, context='ipahealthcheck', log=None) if not api.isdone('finalize'): api.finalize() if not api.Backend.ldap2.isconnected(): try: api.Backend.ldap2.connect() except errors.CCacheError: pass except errors.NetworkError: pass
def validate_options(self): options = self.options super(LDAPUpdater, self).validate_options(needs_root=True) self.files = self.args for filename in self.files: if not os.path.exists(filename): raise admintool.ScriptError("%s: file not found" % filename) try: installutils.check_server_configuration() except RuntimeError, e: print unicode(e) sys.exit(1)
def validate_options(self): options = self.options super(LDAPUpdater, self).validate_options(needs_root=True) self.files = self.args for filename in self.files: if not os.path.exists(filename): raise admintool.ScriptError("%s: file not found" % filename) try: installutils.check_server_configuration() except RuntimeError, e: print unicode(e) sys.exit(1)
def initialize(self, framework): # deferred import for mock from ipaserver.servroles import ADtrustBasedRole, ServiceBasedRole installutils.check_server_configuration() if not api.isdone('finalize'): if not api.isdone('bootstrap'): api.bootstrap(in_server=True, context='ipahealthcheck', log=None) if not api.isdone('finalize'): api.finalize() if not api.Backend.ldap2.isconnected(): try: api.Backend.ldap2.connect() except (errors.CCacheError, errors.NetworkError) as e: logging.debug('Failed to connect to LDAP: %s', e) return # This package is pulled in when the trust package is installed # and is required to lookup trust users. If this is not installed # then it can be inferred that trust is not enabled. try: import pysss_nss_idmap # noqa: F401 except ImportError: return roles = ( ADtrustBasedRole(u"ad_trust_agent_server", u"AD trust agent"), ServiceBasedRole( u"ad_trust_controller_server", u"AD trust controller", component_services=['ADTRUST'] ), ) role = roles[0].status(api)[0] if role.get('status') == 'enabled': self.trust_agent = True role = roles[1].status(api)[0] if role.get('status') == 'enabled': self.trust_controller = True
def validate_options(self): options = self.options super(LDAPUpdater, self).validate_options(needs_root=True) self.files = self.args if not (self.files or options.schema_files): self.log.info("To execute overall IPA upgrade please use " "'ipa-server-upgrade' command") raise admintool.ScriptError("No update files or schema file were " "specified") for filename in self.files: if not os.path.exists(filename): raise admintool.ScriptError("%s: file not found" % filename) try: installutils.check_server_configuration() except RuntimeError as e: print(unicode(e)) sys.exit(1)
def validate_options(self): super(CACertManage, self).validate_options(needs_root=True) installutils.check_server_configuration() parser = self.option_parser if not self.args: parser.error("command not provided") command = self.command = self.args[0] if command == 'renew': pass elif command == 'install': if len(self.args) < 2: parser.error("certificate file name not provided") else: parser.error("unknown command \"%s\"" % command)
def validate_options(self): super(CACertManage, self).validate_options(needs_root=True) installutils.check_server_configuration() parser = self.option_parser if not self.args: parser.error("command not provided") command = self.command = self.args[0] if command == 'renew': pass elif command == 'install': if len(self.args) < 2: parser.error("certificate file name not provided") else: parser.error("unknown command \"%s\"" % command)
def validate_options(self): options = self.options super(LDAPUpdater, self).validate_options(needs_root=True) self.files = self.args if not (self.files or options.schema_files): logger.info("To execute overall IPA upgrade please use " "'ipa-server-upgrade' command") raise admintool.ScriptError("No update files or schema file were " "specified") for filename in self.files: if not os.path.exists(filename): raise admintool.ScriptError("%s: file not found" % filename) try: installutils.check_server_configuration() except RuntimeError as e: raise admintool.ScriptError(e)
def validate_options(self): options = self.options super(Backup, self).validate_options(needs_root=True) installutils.check_server_configuration() if options.gpg_keyring is not None: if not os.path.exists(options.gpg_keyring + '.pub'): raise admintool.ScriptError('No such key %s' % options.gpg_keyring) options.gpg = True if options.online and not options.data_only: self.option_parser.error("You cannot specify --online " "without --data") if options.gpg: tmpfd = write_tmp_file('encryptme') newfile = encrypt_file(tmpfd.name, options.gpg_keyring, False) os.unlink(newfile) if options.data_only and options.logs: self.option_parser.error("You cannot specify --data " "with --logs")
def validate_options(self): options = self.options super(Backup, self).validate_options(needs_root=True) installutils.check_server_configuration() if options.gpg_keyring is not None: if not os.path.exists(options.gpg_keyring + '.pub'): raise admintool.ScriptError('No such key %s' % options.gpg_keyring) options.gpg = True if options.online and not options.data_only: self.option_parser.error("You cannot specify --online " "without --data") if options.gpg: tmpfd = write_tmp_file('encryptme') newfile = encrypt_file(tmpfd.name, options.gpg_keyring, False) os.unlink(newfile) if options.data_only and options.logs: self.option_parser.error("You cannot specify --data " "with --logs")
def validate_options(self): options = self.options super(Restore, self).validate_options(needs_root=True) if options.data_only: installutils.check_server_configuration() if len(self.args) < 1: self.option_parser.error( "must provide the backup to restore") elif len(self.args) > 1: self.option_parser.error( "must provide exactly one name for the backup") dirname = self.args[0] if not os.path.isabs(dirname): self.backup_dir = os.path.join(BACKUP_DIR, dirname) else: self.backup_dir = dirname if options.gpg_keyring: if (not os.path.exists(options.gpg_keyring + '.pub') or not os.path.exists(options.gpg_keyring + '.sec')): raise admintool.ScriptError('No such key %s' % options.gpg_keyring)
def run(self): options = self.options super(Restore, self).run() self.backup_dir = self.args[0] if not os.path.isabs(self.backup_dir): self.backup_dir = os.path.join(paths.IPA_BACKUP_DIR, self.backup_dir) logger.info("Preparing restore from %s on %s", self.backup_dir, FQDN) self.header = os.path.join(self.backup_dir, 'header') try: self.read_header() except IOError as e: raise admintool.ScriptError("Cannot read backup metadata: %s" % e) if options.data_only: restore_type = 'DATA' else: restore_type = self.backup_type # These checks would normally be in the validate method but # we need to know the type of backup we're dealing with. if restore_type == 'FULL': if options.online: raise admintool.ScriptError( "File restoration cannot be done online") if options.instance or options.backend: raise admintool.ScriptError( "Restore must be in data-only mode when restoring a " "specific instance or backend") else: installutils.check_server_configuration() self.init_api() if options.instance: instance_dir = (paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % options.instance) if not os.path.exists(instance_dir): raise admintool.ScriptError( "Instance %s does not exist" % options.instance) self.instances = [options.instance] if options.backend: for instance in self.instances: db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % (instance, options.backend)) if os.path.exists(db_dir): break else: raise admintool.ScriptError( "Backend %s does not exist" % options.backend) self.backends = [options.backend] for instance, backend in itertools.product(self.instances, self.backends): db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % (instance, backend)) if os.path.exists(db_dir): break else: raise admintool.ScriptError( "Cannot restore a data backup into an empty system") logger.info("Performing %s restore from %s backup", restore_type, self.backup_type) if self.backup_host != FQDN: raise admintool.ScriptError( "Host name %s does not match backup name %s" % (FQDN, self.backup_host)) if self.backup_ipa_version != str(version.VERSION): logger.warning( "Restoring data from a different release of IPA.\n" "Data is version %s.\n" "Server is running %s.", self.backup_ipa_version, str(version.VERSION)) if (not options.unattended and not user_input("Continue to restore?", False)): raise admintool.ScriptError("Aborted") pent = pwd.getpwnam(constants.DS_USER) # Temporary directory for decrypting files before restoring self.top_dir = tempfile.mkdtemp("ipa") os.chown(self.top_dir, pent.pw_uid, pent.pw_gid) os.chmod(self.top_dir, 0o750) self.dir = os.path.join(self.top_dir, "ipa") os.mkdir(self.dir) os.chmod(self.dir, 0o750) os.chown(self.dir, pent.pw_uid, pent.pw_gid) cwd = os.getcwd() logger.info("Temporary setting umask to 022") old_umask = os.umask(0o022) try: dirsrv = services.knownservices.dirsrv self.extract_backup(options.gpg_keyring) if restore_type == 'FULL': self.restore_default_conf() self.init_api(confdir=self.dir + paths.ETC_IPA) databases = [] for instance in self.instances: for backend in self.backends: database = (instance, backend) ldiffile = os.path.join(self.dir, '%s-%s.ldif' % database) if os.path.exists(ldiffile): databases.append(database) if options.instance: for instance, backend in databases: if instance == options.instance: break else: raise admintool.ScriptError( "Instance %s not found in backup" % options.instance) if options.backend: for instance, backend in databases: if backend == options.backend: break else: raise admintool.ScriptError( "Backend %s not found in backup" % options.backend) # Big fat warning if (not options.unattended and not user_input("Restoring data will overwrite existing live data. Continue to restore?", False)): raise admintool.ScriptError("Aborted") logger.info( "Each master will individually need to be re-initialized or") logger.info( "re-created from this one. The replication agreements on") logger.info( "masters running IPA 3.1 or earlier will need to be manually") logger.info( "re-enabled. See the man page for details.") logger.info("Disabling all replication.") self.disable_agreements() if restore_type != 'FULL': if not options.online: logger.info('Stopping Directory Server') dirsrv.stop(capture_output=False) else: logger.info('Starting Directory Server') dirsrv.start(capture_output=False) else: logger.info('Stopping IPA services') result = run([paths.IPACTL, 'stop'], raiseonerr=False) if result.returncode not in [0, 6]: logger.warning('Stopping IPA failed: %s', result.error_log) self.restore_selinux_booleans() http = httpinstance.HTTPInstance() # We do either a full file restore or we restore data. if restore_type == 'FULL': self.remove_old_files() self.cert_restore_prepare() self.file_restore(options.no_logs) self.cert_restore() if 'CA' in self.backup_services: self.__create_dogtag_log_dirs() # Always restore the data from ldif # We need to restore both userRoot and ipaca. for instance, backend in databases: self.ldif2db(instance, backend, online=options.online) if restore_type != 'FULL': if not options.online: logger.info('Starting Directory Server') dirsrv.start(capture_output=False) else: # restore access controll configuration auth_backup_path = os.path.join(paths.VAR_LIB_IPA, 'auth_backup') if os.path.exists(auth_backup_path): tasks.restore_auth_configuration(auth_backup_path) # explicitly enable then disable the pki tomcatd service to # re-register its instance. FIXME, this is really wierd. services.knownservices.pki_tomcatd.enable() services.knownservices.pki_tomcatd.disable() logger.info('Restarting GSS-proxy') gssproxy = services.service('gssproxy', api) gssproxy.reload_or_restart() logger.info('Starting IPA services') run([paths.IPACTL, 'start']) logger.info('Restarting SSSD') sssd = services.service('sssd', api) sssd.restart() logger.info('Restarting oddjobd') oddjobd = services.service('oddjobd', api) if not oddjobd.is_enabled(): logger.info("Enabling oddjobd") oddjobd.enable() oddjobd.start() http.remove_httpd_ccaches() # have the daemons pick up their restored configs run([paths.SYSTEMCTL, "--system", "daemon-reload"]) finally: try: os.chdir(cwd) except Exception as e: logger.error('Cannot change directory to %s: %s', cwd, e) shutil.rmtree(self.top_dir) logger.info("Restoring umask to %s", old_umask) os.umask(old_umask)
def run(self): options = self.options super(Restore, self).run() self.backup_dir = self.args[0] if not os.path.isabs(self.backup_dir): self.backup_dir = os.path.join(paths.IPA_BACKUP_DIR, self.backup_dir) self.log.info("Preparing restore from %s on %s", self.backup_dir, constants.FQDN) self.header = os.path.join(self.backup_dir, 'header') try: self.read_header() except IOError as e: raise admintool.ScriptError("Cannot read backup metadata: %s" % e) if options.data_only: restore_type = 'DATA' else: restore_type = self.backup_type # These checks would normally be in the validate method but # we need to know the type of backup we're dealing with. if restore_type == 'FULL': if options.online: raise admintool.ScriptError( "File restoration cannot be done online") if options.instance or options.backend: raise admintool.ScriptError( "Restore must be in data-only mode when restoring a " "specific instance or backend") else: installutils.check_server_configuration() self.init_api() if options.instance: instance_dir = (paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % options.instance) if not os.path.exists(instance_dir): raise admintool.ScriptError( "Instance %s does not exist" % options.instance) self.instances = [options.instance] if options.backend: for instance in self.instances: db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % (instance, options.backend)) if os.path.exists(db_dir): break else: raise admintool.ScriptError( "Backend %s does not exist" % options.backend) self.backends = [options.backend] for instance, backend in itertools.product(self.instances, self.backends): db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % (instance, backend)) if os.path.exists(db_dir): break else: raise admintool.ScriptError( "Cannot restore a data backup into an empty system") self.log.info("Performing %s restore from %s backup" % (restore_type, self.backup_type)) if self.backup_host != constants.FQDN: raise admintool.ScriptError( "Host name %s does not match backup name %s" % (constants.FQDN, self.backup_host)) if self.backup_ipa_version != str(version.VERSION): self.log.warning( "Restoring data from a different release of IPA.\n" "Data is version %s.\n" "Server is running %s." % (self.backup_ipa_version, str(version.VERSION))) if (not options.unattended and not user_input("Continue to restore?", False)): raise admintool.ScriptError("Aborted") create_ds_user() pent = pwd.getpwnam(DS_USER) # Temporary directory for decrypting files before restoring self.top_dir = tempfile.mkdtemp("ipa") os.chown(self.top_dir, pent.pw_uid, pent.pw_gid) os.chmod(self.top_dir, 0o750) self.dir = os.path.join(self.top_dir, "ipa") os.mkdir(self.dir, 0o750) os.chown(self.dir, pent.pw_uid, pent.pw_gid) cwd = os.getcwd() try: dirsrv = services.knownservices.dirsrv self.extract_backup(options.gpg_keyring) if restore_type == 'FULL': self.restore_default_conf() self.init_api(confdir=self.dir + paths.ETC_IPA) databases = [] for instance in self.instances: for backend in self.backends: database = (instance, backend) ldiffile = os.path.join(self.dir, '%s-%s.ldif' % database) if os.path.exists(ldiffile): databases.append(database) if options.instance: for instance, backend in databases: if instance == options.instance: break else: raise admintool.ScriptError( "Instance %s not found in backup" % options.instance) if options.backend: for instance, backend in databases: if backend == options.backend: break else: raise admintool.ScriptError( "Backend %s not found in backup" % options.backend) # Big fat warning if (not options.unattended and not user_input("Restoring data will overwrite existing live data. Continue to restore?", False)): raise admintool.ScriptError("Aborted") self.log.info( "Each master will individually need to be re-initialized or") self.log.info( "re-created from this one. The replication agreements on") self.log.info( "masters running IPA 3.1 or earlier will need to be manually") self.log.info( "re-enabled. See the man page for details.") self.log.info("Disabling all replication.") self.disable_agreements() if restore_type != 'FULL': if not options.online: self.log.info('Stopping Directory Server') dirsrv.stop(capture_output=False) else: self.log.info('Starting Directory Server') dirsrv.start(capture_output=False) else: self.log.info('Stopping IPA services') (stdout, stderr, rc) = run(['ipactl', 'stop'], raiseonerr=False) if rc not in [0, 6]: self.log.warn('Stopping IPA failed: %s' % stderr) self.restore_selinux_booleans() # We do either a full file restore or we restore data. if restore_type == 'FULL': if 'CA' in self.backup_services: create_ca_user() self.cert_restore_prepare() self.file_restore(options.no_logs) self.cert_restore() if 'CA' in self.backup_services: self.__create_dogtag_log_dirs() # Always restore the data from ldif # If we are restoring PKI-IPA then we need to restore the # userRoot backend in it and the main IPA instance. If we # have a unified instance we need to restore both userRoot and # ipaca. for instance, backend in databases: self.ldif2db(instance, backend, online=options.online) if restore_type != 'FULL': if not options.online: self.log.info('Starting Directory Server') dirsrv.start(capture_output=False) else: # restore access controll configuration auth_backup_path = os.path.join(paths.VAR_LIB_IPA, 'auth_backup') if os.path.exists(auth_backup_path): tasks.restore_auth_configuration(auth_backup_path) # explicitly enable then disable the pki tomcatd service to # re-register its instance. FIXME, this is really wierd. services.knownservices.pki_tomcatd.enable() services.knownservices.pki_tomcatd.disable() self.log.info('Starting IPA services') run(['ipactl', 'start']) self.log.info('Restarting SSSD') sssd = services.service('sssd') sssd.restart() http = httpinstance.HTTPInstance() http.remove_httpd_ccache() finally: try: os.chdir(cwd) except Exception as e: self.log.error('Cannot change directory to %s: %s' % (cwd, e)) shutil.rmtree(self.top_dir)
def validate_options(self): super(IPATrustEnableAgent, self).validate_options(needs_root=True) installutils.check_server_configuration()