def validate_options(self):
super(ServerUpgrade, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if self.options.force:
self.options.skip_version_check = True
def validate_options(self, needs_root=True):
super(KRAInstall, self).validate_options(needs_root=True)
installutils.check_server_configuration()
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
api.finalize()
def validate_options(self):
super(IpaAdvise, self).validate_options(needs_root=False)
installutils.check_server_configuration()
if len(self.args) > 1:
raise self.option_parser.error("You can only provide one "
"positional argument.")
def main(cls, argv):
"""
Sets up API and LDAP connection for the tool, then runs the rest of
the plumbing.
"""
# Check if the IPA server is configured before attempting to migrate
try:
installutils.check_server_configuration()
except RuntimeError as e:
sys.exit(e)
# Finalize API
api.bootstrap(in_server=True, context='server')
api.finalize()
# Setup LDAP connection
try:
api.Backend.ldap2.connect()
cls.ldap = api.Backend.ldap2
except gssapi.exceptions.GSSError as e:
sys.exit("Must have Kerberos credentials to migrate Winsync users. Error: %s" % e)
except errors.ACIError as e:
sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket.")
except errors.DatabaseError as e:
sys.exit("Cannot connect to the LDAP database. Please check if IPA is running.")
super(WinsyncMigrate, cls).main(argv)
def validate_options(self):
options = self.options
super(Backup, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if options.gpg_keyring is not None:
print(
"--gpg-keyring is no longer supported, use GNUPGHOME "
"environment variable to use a custom GnuPG2 directory.",
file=sys.stderr
)
options.gpg = True
if options.online and not options.data_only:
self.option_parser.error("You cannot specify --online "
"without --data")
if options.gpg:
tmpfd = write_tmp_file('encryptme')
newfile = encrypt_file(tmpfd.name, False)
os.unlink(newfile)
if options.data_only and options.logs:
self.option_parser.error("You cannot specify --data "
"with --logs")
def validate_options(self):
super(IpaAdvise, self).validate_options(needs_root=False)
installutils.check_server_configuration()
if len(self.args) > 1:
raise self.option_parser.error("You can only provide one "
"positional argument.")
def initialize(self, framework, config, options=None):
super().initialize(framework, config)
installutils.check_server_configuration()
if not api.isdone('bootstrap'):
api.bootstrap(in_server=True, context='ipahealthcheck', log=None)
if not api.isdone('finalize'):
api.finalize()
def validate_options(self):
options = self.options
super(Backup, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if options.gpg_keyring is not None:
print(
"--gpg-keyring is no longer supported, use GNUPGHOME "
"environment variable to use a custom GnuPG2 directory.",
file=sys.stderr
)
options.gpg = True
if options.online and not options.data_only:
self.option_parser.error("You cannot specify --online "
"without --data")
if options.gpg:
tmpfd = write_tmp_file('encryptme')
newfile = encrypt_file(tmpfd.name, False)
os.unlink(newfile)
if options.data_only and options.logs:
self.option_parser.error("You cannot specify --data "
"with --logs")
def main(cls, argv):
"""
Sets up API and LDAP connection for the tool, then runs the rest of
the plumbing.
"""
# Check if the IPA server is configured before attempting to migrate
try:
installutils.check_server_configuration()
except RuntimeError as e:
sys.exit(e)
# Finalize API
api.bootstrap(in_server=True, context='server', confdir=paths.ETC_IPA)
api.finalize()
# Setup LDAP connection
try:
api.Backend.ldap2.connect()
cls.ldap = api.Backend.ldap2
except gssapi.exceptions.GSSError as e:
sys.exit(
"Must have Kerberos credentials to migrate Winsync users. Error: %s"
% e)
except errors.ACIError as e:
sys.exit(
"Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket."
)
except errors.DatabaseError as e:
sys.exit(
"Cannot connect to the LDAP database. Please check if IPA is running."
)
super(WinsyncMigrate, cls).main(argv)
def validate_options(self):
super(ServerUpgrade, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if self.options.force:
self.options.skip_version_check = True
def validate_options(self, needs_root=True):
super(KRAInstall, self).validate_options(needs_root=True)
installutils.check_server_configuration()
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
api.finalize()
def validate_options(self):
super(ServerCertInstall, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if not self.options.dirsrv and not self.options.http:
self.option_parser.error("you must specify dirsrv and/or http")
if not self.args:
self.option_parser.error("you must provide certificate filename")
def validate_options(self):
super(ServerCertInstall, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if not self.options.dirsrv and not self.options.http:
self.option_parser.error("you must specify dirsrv and/or http")
if not self.args:
self.option_parser.error("you must provide certificate filename")
def validate_options(self):
super(ServerUpgrade, self).validate_options(needs_root=True)
if self.options.force:
self.options.skip_version_check = True
try:
installutils.check_server_configuration()
except RuntimeError as e:
print unicode(e)
sys.exit(1)
def validate_options(self):
super(ServerUpgrade, self).validate_options(needs_root=True)
if self.options.force:
self.options.skip_version_check = True
try:
installutils.check_server_configuration()
except RuntimeError as e:
print unicode(e)
sys.exit(1)
def validate_options(self, needs_root=True):
super(KRAInstall, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if self.options.unattended and self.options.password is None:
self.option_parser.error(
"Directory Manager password must be specified using -p"
" in unattended mode")
api.bootstrap(in_server=True)
api.finalize()
def validate_options(self):
options = self.options
super(ReplicaPrepare, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if not options.ip_address:
if options.reverse_zone:
self.option_parser.error("You cannot specify a --reverse-zone "
"option without the --ip-address option")
if options.no_reverse:
self.option_parser.error("You cannot specify a --no-reverse "
"option without the --ip-address option")
elif options.reverse_zone and options.no_reverse:
self.option_parser.error("You cannot specify a --reverse-zone "
"option together with --no-reverse")
#Automatically disable pkinit w/ dogtag until that is supported
options.setup_pkinit = False
# If any of the PKCS#12 options are selected, all are required.
pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
pkcs12_opt = (options.pkinit_pkcs12,)
if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
self.option_parser.error(
"--dirsrv_pkcs12 and --http_pkcs12 are required if any "
"PKCS#12 options are used.")
if len(self.args) < 1:
self.option_parser.error(
"must provide the fully-qualified name of the replica")
elif len(self.args) > 1:
self.option_parser.error(
"must provide exactly one name for the replica")
else:
[self.replica_fqdn] = self.args
api.bootstrap(in_server=True)
api.finalize()
if api.env.host == self.replica_fqdn:
raise admintool.ScriptError("You can't create a replica on itself")
if not api.env.enable_ra and not options.http_pkcs12:
raise admintool.ScriptError(
"Cannot issue certificates: a CA is not installed. Use the "
"--http_pkcs12, --dirsrv_pkcs12 options to provide custom "
"certificates.")
config_dir = dsinstance.config_dirname(
dsinstance.realm_to_serverid(api.env.realm))
if not ipautil.dir_exists(config_dir):
raise admintool.ScriptError(
"could not find directory instance: %s" % config_dir)
def validate_options(self):
options = self.options
super(ReplicaPrepare, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if not options.ip_addresses:
if options.reverse_zones:
self.option_parser.error(
"You cannot specify a --reverse-zone "
"option without the --ip-address option")
if options.no_reverse:
self.option_parser.error(
"You cannot specify a --no-reverse "
"option without the --ip-address option")
elif options.reverse_zones and options.no_reverse:
self.option_parser.error("You cannot specify a --reverse-zone "
"option together with --no-reverse")
#Automatically disable pkinit w/ dogtag until that is supported
options.setup_pkinit = False
# If any of the PKCS#12 options are selected, all are required.
cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
cert_file_opt = (options.pkinit_cert_files, )
if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
self.option_parser.error(
"--dirsrv-cert-file and --http-cert-file are required if any "
"PKCS#12 options are used.")
if len(self.args) < 1:
self.option_parser.error(
"must provide the fully-qualified name of the replica")
elif len(self.args) > 1:
self.option_parser.error(
"must provide exactly one name for the replica")
else:
[self.replica_fqdn] = self.args
api.bootstrap(in_server=True)
api.finalize()
# Connect to LDAP, connection is closed at the end of run()
api.Backend.ldap2.connect()
self.check_for_supported_domain_level()
if api.env.host == self.replica_fqdn:
raise admintool.ScriptError("You can't create a replica on itself")
config_dir = dsinstance.config_dirname(
installutils.realm_to_serverid(api.env.realm))
if not ipautil.dir_exists(config_dir):
raise admintool.ScriptError(
"could not find directory instance: %s" % config_dir)
def validate_options(self, needs_root=True):
super(KRAInstall, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if self.options.unattended and self.options.password is None:
self.option_parser.error(
"Directory Manager password must be specified using -p"
" in unattended mode"
)
api.bootstrap(in_server=True)
api.finalize()
def validate_options(self):
options = self.options
super(ReplicaPrepare, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if not options.ip_addresses:
if options.reverse_zones:
self.option_parser.error("You cannot specify a --reverse-zone "
"option without the --ip-address option")
if options.no_reverse:
self.option_parser.error("You cannot specify a --no-reverse "
"option without the --ip-address option")
elif options.reverse_zones and options.no_reverse:
self.option_parser.error("You cannot specify a --reverse-zone "
"option together with --no-reverse")
#Automatically disable pkinit w/ dogtag until that is supported
options.setup_pkinit = False
# If any of the PKCS#12 options are selected, all are required.
cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
cert_file_opt = (options.pkinit_cert_files,)
if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
self.option_parser.error(
"--dirsrv-cert-file and --http-cert-file are required if any "
"PKCS#12 options are used.")
if len(self.args) < 1:
self.option_parser.error(
"must provide the fully-qualified name of the replica")
elif len(self.args) > 1:
self.option_parser.error(
"must provide exactly one name for the replica")
else:
[self.replica_fqdn] = self.args
api.bootstrap(in_server=True)
api.finalize()
# Connect to LDAP, connection is closed at the end of run()
api.Backend.ldap2.connect()
self.check_for_supported_domain_level()
if api.env.host == self.replica_fqdn:
raise admintool.ScriptError("You can't create a replica on itself")
config_dir = dsinstance.config_dirname(
installutils.realm_to_serverid(api.env.realm))
if not ipautil.dir_exists(config_dir):
raise admintool.ScriptError(
"could not find directory instance: %s" % config_dir)
def validate_options(self):
super(PKINITManage, self).validate_options(needs_root=True)
installutils.check_server_configuration()
option_parser = self.option_parser
if not self.args:
option_parser.error("action not specified")
elif len(self.args) > 1:
option_parser.error("too many arguments")
action = self.args[0]
if action not in {'enable', 'disable', 'status'}:
option_parser.error("unrecognized action '{}'".format(action))
def validate_options(self):
super(CRLGenManage, self).validate_options(needs_root=True)
installutils.check_server_configuration()
option_parser = self.option_parser
if not self.args:
option_parser.error("action not specified")
elif len(self.args) > 1:
option_parser.error("too many arguments")
action = self.args[0]
if action not in {'enable', 'disable', 'status'}:
option_parser.error("unrecognized action '{}'".format(action))
def initialize(self, framework, config, options=None):
super().initialize(framework, config)
# deferred import for mock
# pylint: disable=import-outside-toplevel
from ipaserver.servroles import ADtrustBasedRole, ServiceBasedRole
# pylint: enable=import-outside-toplevel
installutils.check_server_configuration()
if not api.isdone('finalize'):
if not api.isdone('bootstrap'):
api.bootstrap(in_server=True,
context='ipahealthcheck',
log=None)
if not api.isdone('finalize'):
api.finalize()
if not api.Backend.ldap2.isconnected():
try:
api.Backend.ldap2.connect()
except (errors.CCacheError, errors.NetworkError) as e:
logger.debug('Failed to connect to LDAP: %s', e)
return
ca = cainstance.CAInstance(api.env.realm, host_name=api.env.host)
self.ca_configured = ca.is_configured()
# This package is pulled in when the trust package is installed
# and is required to lookup trust users. If this is not installed
# then it can be inferred that trust is not enabled.
try:
# pylint: disable=unused-import,import-outside-toplevel
import pysss_nss_idmap # noqa: F401
# pylint: enable=unused-import,import-outside-toplevel
except ImportError:
return
roles = (
ADtrustBasedRole(u"ad_trust_agent_server", u"AD trust agent"),
ServiceBasedRole(u"ad_trust_controller_server",
u"AD trust controller",
component_services=['ADTRUST']),
)
role = roles[0].status(api)[0]
if role.get('status') == 'enabled':
self.trust_agent = True
role = roles[1].status(api)[0]
if role.get('status') == 'enabled':
self.trust_controller = True
def initialize(self, framework, config, options=None):
super().initialize(framework, config)
installutils.check_server_configuration()
if not api.isdone('bootstrap'):
api.bootstrap(in_server=True, context='ipahealthcheck', log=None)
if not api.isdone('finalize'):
api.finalize()
if not api.Backend.ldap2.isconnected():
try:
api.Backend.ldap2.connect()
except errors.CCacheError:
pass
except errors.NetworkError:
pass
def validate_options(self):
options = self.options
super(LDAPUpdater, self).validate_options(needs_root=True)
self.files = self.args
for filename in self.files:
if not os.path.exists(filename):
raise admintool.ScriptError("%s: file not found" % filename)
try:
installutils.check_server_configuration()
except RuntimeError, e:
print unicode(e)
sys.exit(1)
def validate_options(self):
options = self.options
super(LDAPUpdater, self).validate_options(needs_root=True)
self.files = self.args
for filename in self.files:
if not os.path.exists(filename):
raise admintool.ScriptError("%s: file not found" % filename)
try:
installutils.check_server_configuration()
except RuntimeError, e:
print unicode(e)
sys.exit(1)
def initialize(self, framework):
# deferred import for mock
from ipaserver.servroles import ADtrustBasedRole, ServiceBasedRole
installutils.check_server_configuration()
if not api.isdone('finalize'):
if not api.isdone('bootstrap'):
api.bootstrap(in_server=True,
context='ipahealthcheck',
log=None)
if not api.isdone('finalize'):
api.finalize()
if not api.Backend.ldap2.isconnected():
try:
api.Backend.ldap2.connect()
except (errors.CCacheError, errors.NetworkError) as e:
logging.debug('Failed to connect to LDAP: %s', e)
return
# This package is pulled in when the trust package is installed
# and is required to lookup trust users. If this is not installed
# then it can be inferred that trust is not enabled.
try:
import pysss_nss_idmap # noqa: F401
except ImportError:
return
roles = (
ADtrustBasedRole(u"ad_trust_agent_server",
u"AD trust agent"),
ServiceBasedRole(
u"ad_trust_controller_server",
u"AD trust controller",
component_services=['ADTRUST']
),
)
role = roles[0].status(api)[0]
if role.get('status') == 'enabled':
self.trust_agent = True
role = roles[1].status(api)[0]
if role.get('status') == 'enabled':
self.trust_controller = True
def validate_options(self):
options = self.options
super(LDAPUpdater, self).validate_options(needs_root=True)
self.files = self.args
if not (self.files or options.schema_files):
self.log.info("To execute overall IPA upgrade please use " "'ipa-server-upgrade' command")
raise admintool.ScriptError("No update files or schema file were " "specified")
for filename in self.files:
if not os.path.exists(filename):
raise admintool.ScriptError("%s: file not found" % filename)
try:
installutils.check_server_configuration()
except RuntimeError as e:
print(unicode(e))
sys.exit(1)
def validate_options(self):
super(CACertManage, self).validate_options(needs_root=True)
installutils.check_server_configuration()
parser = self.option_parser
if not self.args:
parser.error("command not provided")
command = self.command = self.args[0]
if command == 'renew':
pass
elif command == 'install':
if len(self.args) < 2:
parser.error("certificate file name not provided")
else:
parser.error("unknown command \"%s\"" % command)
def validate_options(self):
super(CACertManage, self).validate_options(needs_root=True)
installutils.check_server_configuration()
parser = self.option_parser
if not self.args:
parser.error("command not provided")
command = self.command = self.args[0]
if command == 'renew':
pass
elif command == 'install':
if len(self.args) < 2:
parser.error("certificate file name not provided")
else:
parser.error("unknown command \"%s\"" % command)
def validate_options(self):
options = self.options
super(LDAPUpdater, self).validate_options(needs_root=True)
self.files = self.args
if not (self.files or options.schema_files):
logger.info("To execute overall IPA upgrade please use "
"'ipa-server-upgrade' command")
raise admintool.ScriptError("No update files or schema file were "
"specified")
for filename in self.files:
if not os.path.exists(filename):
raise admintool.ScriptError("%s: file not found" % filename)
try:
installutils.check_server_configuration()
except RuntimeError as e:
raise admintool.ScriptError(e)
def validate_options(self):
options = self.options
super(Backup, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if options.gpg_keyring is not None:
if not os.path.exists(options.gpg_keyring + '.pub'):
raise admintool.ScriptError('No such key %s' %
options.gpg_keyring)
options.gpg = True
if options.online and not options.data_only:
self.option_parser.error("You cannot specify --online "
"without --data")
if options.gpg:
tmpfd = write_tmp_file('encryptme')
newfile = encrypt_file(tmpfd.name, options.gpg_keyring, False)
os.unlink(newfile)
if options.data_only and options.logs:
self.option_parser.error("You cannot specify --data "
"with --logs")
def validate_options(self):
options = self.options
super(Backup, self).validate_options(needs_root=True)
installutils.check_server_configuration()
if options.gpg_keyring is not None:
if not os.path.exists(options.gpg_keyring + '.pub'):
raise admintool.ScriptError('No such key %s' %
options.gpg_keyring)
options.gpg = True
if options.online and not options.data_only:
self.option_parser.error("You cannot specify --online "
"without --data")
if options.gpg:
tmpfd = write_tmp_file('encryptme')
newfile = encrypt_file(tmpfd.name, options.gpg_keyring, False)
os.unlink(newfile)
if options.data_only and options.logs:
self.option_parser.error("You cannot specify --data "
"with --logs")
def validate_options(self):
options = self.options
super(Restore, self).validate_options(needs_root=True)
if options.data_only:
installutils.check_server_configuration()
if len(self.args) < 1:
self.option_parser.error(
"must provide the backup to restore")
elif len(self.args) > 1:
self.option_parser.error(
"must provide exactly one name for the backup")
dirname = self.args[0]
if not os.path.isabs(dirname):
self.backup_dir = os.path.join(BACKUP_DIR, dirname)
else:
self.backup_dir = dirname
if options.gpg_keyring:
if (not os.path.exists(options.gpg_keyring + '.pub') or
not os.path.exists(options.gpg_keyring + '.sec')):
raise admintool.ScriptError('No such key %s' %
options.gpg_keyring)
def run(self):
options = self.options
super(Restore, self).run()
self.backup_dir = self.args[0]
if not os.path.isabs(self.backup_dir):
self.backup_dir = os.path.join(paths.IPA_BACKUP_DIR, self.backup_dir)
logger.info("Preparing restore from %s on %s",
self.backup_dir, FQDN)
self.header = os.path.join(self.backup_dir, 'header')
try:
self.read_header()
except IOError as e:
raise admintool.ScriptError("Cannot read backup metadata: %s" % e)
if options.data_only:
restore_type = 'DATA'
else:
restore_type = self.backup_type
# These checks would normally be in the validate method but
# we need to know the type of backup we're dealing with.
if restore_type == 'FULL':
if options.online:
raise admintool.ScriptError(
"File restoration cannot be done online")
if options.instance or options.backend:
raise admintool.ScriptError(
"Restore must be in data-only mode when restoring a "
"specific instance or backend")
else:
installutils.check_server_configuration()
self.init_api()
if options.instance:
instance_dir = (paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
options.instance)
if not os.path.exists(instance_dir):
raise admintool.ScriptError(
"Instance %s does not exist" % options.instance)
self.instances = [options.instance]
if options.backend:
for instance in self.instances:
db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
(instance, options.backend))
if os.path.exists(db_dir):
break
else:
raise admintool.ScriptError(
"Backend %s does not exist" % options.backend)
self.backends = [options.backend]
for instance, backend in itertools.product(self.instances,
self.backends):
db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
(instance, backend))
if os.path.exists(db_dir):
break
else:
raise admintool.ScriptError(
"Cannot restore a data backup into an empty system")
logger.info("Performing %s restore from %s backup",
restore_type, self.backup_type)
if self.backup_host != FQDN:
raise admintool.ScriptError(
"Host name %s does not match backup name %s" %
(FQDN, self.backup_host))
if self.backup_ipa_version != str(version.VERSION):
logger.warning(
"Restoring data from a different release of IPA.\n"
"Data is version %s.\n"
"Server is running %s.",
self.backup_ipa_version, str(version.VERSION))
if (not options.unattended and
not user_input("Continue to restore?", False)):
raise admintool.ScriptError("Aborted")
pent = pwd.getpwnam(constants.DS_USER)
# Temporary directory for decrypting files before restoring
self.top_dir = tempfile.mkdtemp("ipa")
os.chown(self.top_dir, pent.pw_uid, pent.pw_gid)
os.chmod(self.top_dir, 0o750)
self.dir = os.path.join(self.top_dir, "ipa")
os.mkdir(self.dir)
os.chmod(self.dir, 0o750)
os.chown(self.dir, pent.pw_uid, pent.pw_gid)
cwd = os.getcwd()
logger.info("Temporary setting umask to 022")
old_umask = os.umask(0o022)
try:
dirsrv = services.knownservices.dirsrv
self.extract_backup(options.gpg_keyring)
if restore_type == 'FULL':
self.restore_default_conf()
self.init_api(confdir=self.dir + paths.ETC_IPA)
databases = []
for instance in self.instances:
for backend in self.backends:
database = (instance, backend)
ldiffile = os.path.join(self.dir, '%s-%s.ldif' % database)
if os.path.exists(ldiffile):
databases.append(database)
if options.instance:
for instance, backend in databases:
if instance == options.instance:
break
else:
raise admintool.ScriptError(
"Instance %s not found in backup" % options.instance)
if options.backend:
for instance, backend in databases:
if backend == options.backend:
break
else:
raise admintool.ScriptError(
"Backend %s not found in backup" % options.backend)
# Big fat warning
if (not options.unattended and
not user_input("Restoring data will overwrite existing live data. Continue to restore?", False)):
raise admintool.ScriptError("Aborted")
logger.info(
"Each master will individually need to be re-initialized or")
logger.info(
"re-created from this one. The replication agreements on")
logger.info(
"masters running IPA 3.1 or earlier will need to be manually")
logger.info(
"re-enabled. See the man page for details.")
logger.info("Disabling all replication.")
self.disable_agreements()
if restore_type != 'FULL':
if not options.online:
logger.info('Stopping Directory Server')
dirsrv.stop(capture_output=False)
else:
logger.info('Starting Directory Server')
dirsrv.start(capture_output=False)
else:
logger.info('Stopping IPA services')
result = run([paths.IPACTL, 'stop'], raiseonerr=False)
if result.returncode not in [0, 6]:
logger.warning('Stopping IPA failed: %s', result.error_log)
self.restore_selinux_booleans()
http = httpinstance.HTTPInstance()
# We do either a full file restore or we restore data.
if restore_type == 'FULL':
self.remove_old_files()
self.cert_restore_prepare()
self.file_restore(options.no_logs)
self.cert_restore()
if 'CA' in self.backup_services:
self.__create_dogtag_log_dirs()
# Always restore the data from ldif
# We need to restore both userRoot and ipaca.
for instance, backend in databases:
self.ldif2db(instance, backend, online=options.online)
if restore_type != 'FULL':
if not options.online:
logger.info('Starting Directory Server')
dirsrv.start(capture_output=False)
else:
# restore access controll configuration
auth_backup_path = os.path.join(paths.VAR_LIB_IPA, 'auth_backup')
if os.path.exists(auth_backup_path):
tasks.restore_auth_configuration(auth_backup_path)
# explicitly enable then disable the pki tomcatd service to
# re-register its instance. FIXME, this is really wierd.
services.knownservices.pki_tomcatd.enable()
services.knownservices.pki_tomcatd.disable()
logger.info('Restarting GSS-proxy')
gssproxy = services.service('gssproxy', api)
gssproxy.reload_or_restart()
logger.info('Starting IPA services')
run([paths.IPACTL, 'start'])
logger.info('Restarting SSSD')
sssd = services.service('sssd', api)
sssd.restart()
logger.info('Restarting oddjobd')
oddjobd = services.service('oddjobd', api)
if not oddjobd.is_enabled():
logger.info("Enabling oddjobd")
oddjobd.enable()
oddjobd.start()
http.remove_httpd_ccaches()
# have the daemons pick up their restored configs
run([paths.SYSTEMCTL, "--system", "daemon-reload"])
finally:
try:
os.chdir(cwd)
except Exception as e:
logger.error('Cannot change directory to %s: %s', cwd, e)
shutil.rmtree(self.top_dir)
logger.info("Restoring umask to %s", old_umask)
os.umask(old_umask)
def run(self):
options = self.options
super(Restore, self).run()
self.backup_dir = self.args[0]
if not os.path.isabs(self.backup_dir):
self.backup_dir = os.path.join(paths.IPA_BACKUP_DIR, self.backup_dir)
self.log.info("Preparing restore from %s on %s",
self.backup_dir, constants.FQDN)
self.header = os.path.join(self.backup_dir, 'header')
try:
self.read_header()
except IOError as e:
raise admintool.ScriptError("Cannot read backup metadata: %s" % e)
if options.data_only:
restore_type = 'DATA'
else:
restore_type = self.backup_type
# These checks would normally be in the validate method but
# we need to know the type of backup we're dealing with.
if restore_type == 'FULL':
if options.online:
raise admintool.ScriptError(
"File restoration cannot be done online")
if options.instance or options.backend:
raise admintool.ScriptError(
"Restore must be in data-only mode when restoring a "
"specific instance or backend")
else:
installutils.check_server_configuration()
self.init_api()
if options.instance:
instance_dir = (paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
options.instance)
if not os.path.exists(instance_dir):
raise admintool.ScriptError(
"Instance %s does not exist" % options.instance)
self.instances = [options.instance]
if options.backend:
for instance in self.instances:
db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
(instance, options.backend))
if os.path.exists(db_dir):
break
else:
raise admintool.ScriptError(
"Backend %s does not exist" % options.backend)
self.backends = [options.backend]
for instance, backend in itertools.product(self.instances,
self.backends):
db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
(instance, backend))
if os.path.exists(db_dir):
break
else:
raise admintool.ScriptError(
"Cannot restore a data backup into an empty system")
self.log.info("Performing %s restore from %s backup" %
(restore_type, self.backup_type))
if self.backup_host != constants.FQDN:
raise admintool.ScriptError(
"Host name %s does not match backup name %s" %
(constants.FQDN, self.backup_host))
if self.backup_ipa_version != str(version.VERSION):
self.log.warning(
"Restoring data from a different release of IPA.\n"
"Data is version %s.\n"
"Server is running %s." %
(self.backup_ipa_version, str(version.VERSION)))
if (not options.unattended and
not user_input("Continue to restore?", False)):
raise admintool.ScriptError("Aborted")
create_ds_user()
pent = pwd.getpwnam(DS_USER)
# Temporary directory for decrypting files before restoring
self.top_dir = tempfile.mkdtemp("ipa")
os.chown(self.top_dir, pent.pw_uid, pent.pw_gid)
os.chmod(self.top_dir, 0o750)
self.dir = os.path.join(self.top_dir, "ipa")
os.mkdir(self.dir, 0o750)
os.chown(self.dir, pent.pw_uid, pent.pw_gid)
cwd = os.getcwd()
try:
dirsrv = services.knownservices.dirsrv
self.extract_backup(options.gpg_keyring)
if restore_type == 'FULL':
self.restore_default_conf()
self.init_api(confdir=self.dir + paths.ETC_IPA)
databases = []
for instance in self.instances:
for backend in self.backends:
database = (instance, backend)
ldiffile = os.path.join(self.dir, '%s-%s.ldif' % database)
if os.path.exists(ldiffile):
databases.append(database)
if options.instance:
for instance, backend in databases:
if instance == options.instance:
break
else:
raise admintool.ScriptError(
"Instance %s not found in backup" % options.instance)
if options.backend:
for instance, backend in databases:
if backend == options.backend:
break
else:
raise admintool.ScriptError(
"Backend %s not found in backup" % options.backend)
# Big fat warning
if (not options.unattended and
not user_input("Restoring data will overwrite existing live data. Continue to restore?", False)):
raise admintool.ScriptError("Aborted")
self.log.info(
"Each master will individually need to be re-initialized or")
self.log.info(
"re-created from this one. The replication agreements on")
self.log.info(
"masters running IPA 3.1 or earlier will need to be manually")
self.log.info(
"re-enabled. See the man page for details.")
self.log.info("Disabling all replication.")
self.disable_agreements()
if restore_type != 'FULL':
if not options.online:
self.log.info('Stopping Directory Server')
dirsrv.stop(capture_output=False)
else:
self.log.info('Starting Directory Server')
dirsrv.start(capture_output=False)
else:
self.log.info('Stopping IPA services')
(stdout, stderr, rc) = run(['ipactl', 'stop'], raiseonerr=False)
if rc not in [0, 6]:
self.log.warn('Stopping IPA failed: %s' % stderr)
self.restore_selinux_booleans()
# We do either a full file restore or we restore data.
if restore_type == 'FULL':
if 'CA' in self.backup_services:
create_ca_user()
self.cert_restore_prepare()
self.file_restore(options.no_logs)
self.cert_restore()
if 'CA' in self.backup_services:
self.__create_dogtag_log_dirs()
# Always restore the data from ldif
# If we are restoring PKI-IPA then we need to restore the
# userRoot backend in it and the main IPA instance. If we
# have a unified instance we need to restore both userRoot and
# ipaca.
for instance, backend in databases:
self.ldif2db(instance, backend, online=options.online)
if restore_type != 'FULL':
if not options.online:
self.log.info('Starting Directory Server')
dirsrv.start(capture_output=False)
else:
# restore access controll configuration
auth_backup_path = os.path.join(paths.VAR_LIB_IPA, 'auth_backup')
if os.path.exists(auth_backup_path):
tasks.restore_auth_configuration(auth_backup_path)
# explicitly enable then disable the pki tomcatd service to
# re-register its instance. FIXME, this is really wierd.
services.knownservices.pki_tomcatd.enable()
services.knownservices.pki_tomcatd.disable()
self.log.info('Starting IPA services')
run(['ipactl', 'start'])
self.log.info('Restarting SSSD')
sssd = services.service('sssd')
sssd.restart()
http = httpinstance.HTTPInstance()
http.remove_httpd_ccache()
finally:
try:
os.chdir(cwd)
except Exception as e:
self.log.error('Cannot change directory to %s: %s' % (cwd, e))
shutil.rmtree(self.top_dir)
def validate_options(self):
super(IPATrustEnableAgent, self).validate_options(needs_root=True)
installutils.check_server_configuration()
