def restore_all_files(self):
    """Restore every file recorded in the index and drop the backup copies.

    Each index entry maps a backup file name (relative to ``self._path``) to
    a ``"mode,uid,gid,path"`` record. Every backup copy that still exists is
    moved back to ``path`` and the recorded owner, group and mode are
    reapplied. Afterwards the index is emptied and saved.

    Returns False when the index is empty. Otherwise returns True, including
    when some (or all) backup copies were missing and therefore skipped.
    """
    if not len(self.files):
        return False

    for backup_name, record in self.files.items():
        # Split on the first three commas only, so a path that itself
        # contains a comma stays intact.
        mode, uid, gid, target = record.split(',', 3)
        backup_path = os.path.join(self._path, backup_name)

        if os.path.exists(backup_path):
            # NOTE(review): between the move and the chmod below the file
            # sits at its final path with the backup copy's owner and mode;
            # confirm backup copies are stored with restrictive permissions.
            shutil.move(backup_path, target)
            # Owner first, mode last: a chown may clear setuid/setgid bits.
            os.chown(target, int(uid), int(gid))
            # NOTE(review): the mode is parsed as a decimal integer -
            # presumably it was recorded that way at backup time; confirm.
            os.chmod(target, int(mode))
            # Reset the SELinux context of the restored file.
            ipaservices.restore_context(target)
        else:
            root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path)

    # Empty the index before saving (original comment: "force file to be
    # deleted" - presumably save() removes an empty index file; confirm).
    self.files = {}
    self.save()

    return True
def restore_all_files(self):
    """Move all indexed backup copies back to their original locations.

    The index (``self.files``) maps a backup file name to a
    ``"mode,uid,gid,path"`` string. For each entry whose backup copy exists
    under ``self._path``, the copy is moved to ``path`` and the stored
    ownership and mode are applied again. The index is cleared and saved at
    the end.

    Returns False if the index holds no entries, True otherwise (even when
    individual backup copies were absent and had to be skipped).
    """
    if not len(self.files):
        return False

    for name, stored in self.files.items():
        # maxsplit=3 keeps commas inside the path component.
        fields = stored.split(',', 3)
        (mode, uid, gid, destination) = fields
        source = os.path.join(self._path, name)

        if not os.path.exists(source):
            root_logger.debug(" -> Not restoring - '%s' doesn't exist", source)
            continue

        shutil.move(source, destination)
        # Ownership is set before the mode because changing the owner may
        # clear setuid/setgid bits.
        os.chown(destination, int(uid), int(gid))
        os.chmod(destination, int(mode))
        # Reset the SELinux context after the file is back in place.
        ipaservices.restore_context(destination)

    # Original comment: "force file to be deleted" - an empty index is
    # saved; presumably save() then removes the index file (confirm).
    self.files = {}
    self.save()

    return True
def restore_file(self, path, new_path=None):
    """Restore the backup copy of the file at @path and delete the copy.

    The optional @new_path names an alternative location to restore to;
    the index lookup is still done with @path.

    Returns True if the file was restored, False if the backup copy no
    longer exists. Raises ValueError when @path or @new_path is not
    absolute, or when @path is not recorded in the index.
    """
    if new_path is not None:
        root_logger.debug(
            "Restoring system configuration file '%s' to '%s'",
            path, new_path)
    else:
        root_logger.debug("Restoring system configuration file '%s'", path)

    if not os.path.isabs(path):
        raise ValueError("Absolute path required")
    if not (new_path is None or os.path.isabs(new_path)):
        raise ValueError("Absolute new path required")

    mode = uid = gid = None
    filename = None

    # Index records are "mode,uid,gid,path"; find the one for this path.
    # After a match, mode/uid/gid hold that record's values.
    for key, record in self.files.items():
        mode, uid, gid, recorded_path = record.split(',', 3)
        if recorded_path == path:
            filename = key
            break

    if not filename:
        raise ValueError("No such file name in the index")

    backup_path = os.path.join(self._path, filename)
    if not os.path.exists(backup_path):
        root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path)
        return False

    destination = path if new_path is None else new_path

    # NOTE(review): the recorded owner and mode are applied to whatever
    # destination the caller supplies; callers passing new_path should make
    # sure that location is meant to carry the original file's permissions.
    shutil.move(backup_path, destination)
    # Owner first, mode last: a chown may clear setuid/setgid bits.
    os.chown(destination, int(uid), int(gid))
    os.chmod(destination, int(mode))
    # Reset the SELinux context of the restored file.
    ipaservices.restore_context(destination)

    del self.files[filename]
    self.save()

    return True
def restore_file(self, path, new_path=None):
    """Put a single backed-up file back in place and remove its backup.

    @path is the original location used as the lookup key in the index.
    @new_path, when given, is where the file is written instead.

    Returns True after a successful restore and False when the backup copy
    is missing. A ValueError is raised for a relative @path or @new_path and
    for a @path that has no index entry.
    """
    if new_path is None:
        root_logger.debug("Restoring system configuration file '%s'", path)
    else:
        root_logger.debug("Restoring system configuration file '%s' to '%s'", path, new_path)

    if not os.path.isabs(path):
        raise ValueError("Absolute path required")

    if new_path is not None:
        if not os.path.isabs(new_path):
            raise ValueError("Absolute new path required")

    mode = None
    uid = None
    gid = None
    filename = None

    # Each value is "mode,uid,gid,path"; only the first three commas are
    # separators. The loop stops at the first record whose path matches, so
    # mode/uid/gid then belong to that record.
    for key, value in self.files.items():
        parts = value.split(',', 3)
        (mode, uid, gid, filepath) = parts
        if filepath == path:
            filename = key
            break

    if not filename:
        raise ValueError("No such file name in the index")

    backup_path = os.path.join(self._path, filename)
    if not os.path.exists(backup_path):
        root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path)
        return False

    if new_path is not None:
        path = new_path

    shutil.move(backup_path, path)
    # Ownership before mode, since changing the owner may clear
    # setuid/setgid bits.
    os.chown(path, int(uid), int(gid))
    # NOTE(review): mode is parsed as decimal - presumably stored that way
    # when the backup was taken; confirm.
    os.chmod(path, int(mode))
    # Reset the SELinux context of the restored file.
    ipaservices.restore_context(path)

    del self.files[filename]
    self.save()

    return True
def configure_dirsrv_ccache(self):
    """Set KRB5CCNAME for the directory server in /etc/sysconfig/dirsrv.

    The credential cache path is derived from the uid of the "dirsrv"
    account. If the sysconfig file is missing it is created empty, given
    mode 0644 and handed to uid 0 / gid 0. The variable is then written
    through ipautil.backup_config_and_replace_variables(), with self.fstore
    passed as the backup store, and the file's SELinux context is reset.

    pwd.getpwnam() raises KeyError when the "dirsrv" account does not exist.
    """
    dirsrv_uid = pwd.getpwnam("dirsrv").pw_uid
    # NOTE(review): the cache has a predictable name in /tmp; confirm how
    # the consumer creates and validates that file.
    ccache = '/tmp/krb5cc_%d' % dirsrv_uid
    filepath = '/etc/sysconfig/dirsrv'

    if not os.path.exists(filepath):
        # file doesn't exist; create it with correct ownership & mode
        # NOTE(review): the file first appears with the umask-derived mode
        # and is only then set to rw-r--r--.
        open(filepath, 'a').close()
        rw_r_r = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH
        os.chmod(filepath, rw_r_r)
        os.chown(filepath, 0, 0)

    # The helper's return value (bound to an unused local in the original)
    # is not needed here.
    ipautil.backup_config_and_replace_variables(
        self.fstore, filepath, replacevars={'KRB5CCNAME': ccache})
    ipaservices.restore_context(filepath)
def __setup_ssl(self):
    """Populate the web server's NSS database and fix its permissions.

    With self.pkcs12_info set, the server certificate is imported from that
    PKCS#12 file (only the first server cert found is used) and, when
    api.env.enable_ra is set, tracked with 'restart_httpd' as the
    post-renewal command. Without it, a server certificate and an object
    signing certificate are issued through the CA database.

    In both cases the NSS database files are set to mode 0660, owned by
    uid 0 and the primary group of the "apache" account, and the SELinux
    context of cert8.db and key3.db is reset.

    Raises RuntimeError when the PKCS#12 import yields no server cert.
    """
    ca_db = certs.CertDB(self.realm, host_name=self.fqdn,
                         subject_base=self.subject_base)
    db = certs.CertDB(self.realm, subject_base=self.subject_base)

    if not self.pkcs12_info:
        db.create_password_conf()
        self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn, ca_db)
        db.track_server_cert(self.cert_nickname, self.principal,
                             db.passwd_fname, 'restart_httpd')
        # NOTE(review): placed in the CA-issued branch only; confirm against
        # the original layout.
        db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
    else:
        db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
                              passwd=None, ca_file=self.ca_file)
        server_certs = db.find_server_certs()
        if not len(server_certs):
            raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])

        db.create_password_conf()

        # We only handle one server cert
        nickname = server_certs[0][0]
        self.dercert = db.get_cert_from_db(nickname, pem=False)
        if api.env.enable_ra:
            db.track_server_cert(nickname, self.principal,
                                 db.passwd_fname, 'restart_httpd')
        # NOTE(review): applied for every imported cert, not only when
        # enable_ra is set; confirm against the original layout.
        self.__set_mod_nss_nickname(nickname)

    # Fix the database permissions
    # NOTE(review): 0660 gives the apache group write access to the key
    # database and the password file; confirm write access is required.
    db_files = [certs.NSS_DIR + suffix
                for suffix in ("/cert8.db", "/key3.db", "/secmod.db", "/pwdfile.txt")]
    for db_file in db_files:
        os.chmod(db_file, 0o660)

    pent = pwd.getpwnam("apache")
    for db_file in db_files:
        os.chown(db_file, 0, pent.pw_gid)

    # Fix SELinux permissions on the database
    # NOTE(review): secmod.db and pwdfile.txt get no restore_context call;
    # confirm that is intended.
    ipaservices.restore_context(certs.NSS_DIR + "/cert8.db")
    ipaservices.restore_context(certs.NSS_DIR + "/key3.db")
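def __create_dogtag_log_dirs(self):
    """
    Create the dogtag log directories when the top-level one is missing.

    If we are doing a full restore and the dogtag log directories do
    not exist then tomcat will fail to start.

    The directory is different depending on whether we have a d9-based
    or a d10-based installation. We can tell based on whether there is
    a PKI-IPA 389-ds instance.

    Nothing is done when the top-level directory already exists or when
    the PKI_USER account cannot be found. A failure on one directory is
    logged and does not stop the remaining ones from being processed.
    """
    if os.path.exists('/etc/dirsrv/slapd-PKI-IPA'):
        # dogtag 9
        topdir = '/var/log/pki-ca'
        # Fixed: the comma used to sit inside the string literal, which
        # created a directory literally named "signedAudit,".
        dirs = [topdir,
                '/var/log/pki-ca/signedAudit']
    else:
        # dogtag 10
        topdir = '/var/log/pki/pki-tomcat'
        dirs = [topdir,
                '/var/log/pki/pki-tomcat/ca',
                '/var/log/pki/pki-tomcat/ca/archive',
                '/var/log/pki/pki-tomcat/ca/signedAudit']

    if os.path.exists(topdir):
        return

    try:
        pent = pwd.getpwnam(PKI_USER)
    except KeyError:
        self.log.debug("No %s user exists, skipping CA directory creation" % PKI_USER)
        return

    self.log.debug('Creating log directories for dogtag')
    # Parents come before children in the list, so plain mkdir is enough.
    for log_dir in dirs:
        try:
            self.log.debug('Creating %s' % log_dir)
            # The requested mode is still filtered by the process umask.
            os.mkdir(log_dir, 0o770)
            os.chown(log_dir, pent.pw_uid, pent.pw_gid)
            # Reset the SELinux context of the new directory.
            ipaservices.restore_context(log_dir)
        except Exception as e:
            # This isn't so fatal as to side-track the restore
            self.log.error('Problem with %s: %s' % (log_dir, e))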
def config_ntp(server_fqdn, fstore=None, sysstore=None):
    """Write the ntpd configuration for @server_fqdn and restart ntpd.

    ntp.conf and /etc/sysconfig/ntpd are always rewritten; step-tickers is
    rewritten only when it already exists. Every file is passed to
    __backup_config() with @fstore before it is overwritten, and its SELinux
    context is reset afterwards. When @sysstore is given, the previous
    "enabled" state of ntpd (and the fact that step-tickers was configured)
    is recorded under the 'ntp' module. Finally ntpd is enabled and
    restarted.
    """
    step_tickers_path = "/etc/ntp/step-tickers"
    ntp_conf_path = "/etc/ntp.conf"
    sysconfig_path = "/etc/sysconfig/ntpd"

    # NOTE(review): server_fqdn is substituted into the templates as given;
    # presumably the caller has validated it as a host name - confirm.
    substitutions = {"SERVER": server_fqdn}
    conf_text = ipautil.template_str(ntp_conf, substitutions)

    have_step_tickers = os.path.exists(step_tickers_path)
    if have_step_tickers:
        tickers_text = ipautil.template_str(ntp_step_tickers, substitutions)
        __backup_config(step_tickers_path, fstore)
        __write_config(step_tickers_path, tickers_text)
        ipaservices.restore_context(step_tickers_path)

    if sysstore:
        state_module = 'ntp'
        sysstore.backup_state(state_module, "enabled",
                              ipaservices.knownservices.ntpd.is_enabled())
        if have_step_tickers:
            sysstore.backup_state(state_module, "step-tickers", True)

    __backup_config(ntp_conf_path, fstore)
    __write_config(ntp_conf_path, conf_text)
    ipaservices.restore_context(ntp_conf_path)

    __backup_config(sysconfig_path, fstore)
    __write_config(sysconfig_path, ntp_sysconfig)
    ipaservices.restore_context(sysconfig_path)

    # Set the ntpd to start on boot
    ipaservices.knownservices.ntpd.enable()

    # Restart ntpd
    ipaservices.knownservices.ntpd.restart()
def config_ntp(server_fqdn, fstore=None, sysstore=None):
    """Configure ntpd to use @server_fqdn, enable it and restart it.

    The step-tickers file is rewritten only if it is already present;
    ntp.conf and the ntpd sysconfig file are always rewritten. Each file
    goes through __backup_config() with @fstore, then __write_config(), then
    an SELinux context reset. If @sysstore is given, ntpd's prior "enabled"
    state and a "step-tickers" marker are saved under the 'ntp' module.
    """
    def install(config_path, content):
        # Back up, overwrite, then reset the SELinux context of one file.
        __backup_config(config_path, fstore)
        __write_config(config_path, content)
        ipaservices.restore_context(config_path)

    path_step_tickers = "/etc/ntp/step-tickers"
    path_ntp_conf = "/etc/ntp.conf"
    path_ntp_sysconfig = "/etc/sysconfig/ntpd"

    # NOTE(review): the FQDN is inserted into the config templates verbatim;
    # presumably it was validated upstream - confirm at the caller.
    sub_dict = dict(SERVER=server_fqdn)
    rendered_conf = ipautil.template_str(ntp_conf, sub_dict)

    config_step_tickers = os.path.exists(path_step_tickers)
    if config_step_tickers:
        rendered_tickers = ipautil.template_str(ntp_step_tickers, sub_dict)
        install(path_step_tickers, rendered_tickers)

    if sysstore:
        was_enabled = ipaservices.knownservices.ntpd.is_enabled()
        sysstore.backup_state('ntp', "enabled", was_enabled)
        if config_step_tickers:
            sysstore.backup_state('ntp', "step-tickers", True)

    install(path_ntp_conf, rendered_conf)
    install(path_ntp_sysconfig, ntp_sysconfig)

    # Set the ntpd to start on boot
    ipaservices.knownservices.ntpd.enable()

    # Restart ntpd
    ipaservices.knownservices.ntpd.restart()
def __setup_ssl(self):
    """Populate the web server's NSS database and fix its permissions.

    With self.pkcs12_info set, the server certificate is imported from that
    PKCS#12 file; only the first server cert found is used, and it is
    tracked with 'restart_httpd' as the post-renewal command. Otherwise a
    "Server-Cert" and an object signing certificate are issued through the
    CA database, after importing the CA certificate when
    self.self_signed_ca is set.

    The NSS database files are then set to mode 0660, owned by uid 0 and the
    primary group of the "apache" account; the SELinux context of cert8.db
    and key3.db is reset, and the CA serial number file, if present, gets
    the same treatment with mode 0664.

    Raises RuntimeError when the PKCS#12 import yields no server cert.
    """
    # The host name is only passed to the CA database when the CA is not
    # self-signed.
    fqdn = None if self.self_signed_ca else self.fqdn

    ca_db = certs.CertDB(self.realm, host_name=fqdn,
                         subject_base=self.subject_base)
    db = certs.CertDB(self.realm, subject_base=self.subject_base)

    if not self.pkcs12_info:
        if self.self_signed_ca:
            db.create_from_cacert(ca_db.cacert_fname)

        db.create_password_conf()
        self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db)
        db.track_server_cert("Server-Cert", self.principal,
                             db.passwd_fname, 'restart_httpd')
        # NOTE(review): placed in the CA-issued branch only; confirm against
        # the original layout.
        db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
    else:
        db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
                              passwd=None)
        server_certs = db.find_server_certs()
        if not len(server_certs):
            raise RuntimeError(
                "Could not find a suitable server cert in import in %s" %
                self.pkcs12_info[0])

        db.create_password_conf()

        # We only handle one server cert
        nickname = server_certs[0][0]
        self.dercert = db.get_cert_from_db(nickname, pem=False)
        db.track_server_cert(nickname, self.principal,
                             db.passwd_fname, 'restart_httpd')
        self.__set_mod_nss_nickname(nickname)

    # Fix the database permissions
    # NOTE(review): 0660 gives the apache group write access to the key
    # database and the password file; confirm write access is required.
    db_files = [certs.NSS_DIR + suffix
                for suffix in ("/cert8.db", "/key3.db", "/secmod.db", "/pwdfile.txt")]
    for db_file in db_files:
        os.chmod(db_file, 0o660)

    pent = pwd.getpwnam("apache")
    for db_file in db_files:
        os.chown(db_file, 0, pent.pw_gid)

    # Fix SELinux permissions on the database
    # NOTE(review): secmod.db and pwdfile.txt get no restore_context call;
    # confirm that is intended.
    ipaservices.restore_context(certs.NSS_DIR + "/cert8.db")
    ipaservices.restore_context(certs.NSS_DIR + "/key3.db")

    # In case this got generated as part of the install, reset the
    # context
    if ipautil.file_exists(certs.CA_SERIALNO):
        ipaservices.restore_context(certs.CA_SERIALNO)
        os.chown(certs.CA_SERIALNO, 0, pent.pw_gid)
        # NOTE(review): 0664 leaves the serial number file world-readable
        # and group-writable; confirm that is the intended exposure.
        os.chmod(certs.CA_SERIALNO, 0o664)