[Freeipa-devel] [PATCH] Debian client support
Lukas Slebodnik
lslebodn at redhat.com
Thu Sep 5 21:25:17 UTC 2013
On (03/09/13 00:43), Timo Aaltonen wrote:
>
>This fixes https://fedorahosted.org/freeipa/ticket/1887
>and
>https://fedorahosted.org/freeipa/ticket/2455
>
>the first three patches fix some bugs in how python is used
>fourth patch checks if dbus is already running before trying to start it
>fifth fixes some compilation warnings
>sixth finally adds the Debian platform module
>
>
>
>there are also distro patches that aren't upstreamable as-is, that do
>stuff like
>- give --install-layout=deb to setup.py
>- disable make-testcert since it needs a server running
>- fix hardcoded NFS related paths and a variable in ipa-client-automount
>- fix ldap.conf path in ipa-client-install
>- fix ntpdate options in ntpconf.py (Debian doesn't patch ntpdate like
>Fedora)
>- change nss includes in ipa_pwd.c (<nss/..> not <nss3/..>)
The solution is simple: use the NSS_CFLAGS generated by pkg-config.
bash$ pkg-config --cflags nss
-I/usr/include/nss -I/usr/include/nspr
bash$ uname -a
Linux positron 3.10-2-686-pae #1 SMP Debian 3.10.5-1 (2013-08-07) i686 GNU/Linux
bash$pkg-config --cflags nss
-I/usr/include/nss3 -I/usr/include/nspr4
bash$uname -a
Linux unused-4-233.brq.redhat.com 3.10.10-200.fc19.x86_64 #1 SMP Thu Aug 29 19:05:45 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
It works in sssd. I can send a patch.
LS
>
>dunno what to do about those, the packaging can keep on carrying those
>but if you have ideas how to make them configurable so that upstream
>git/tarball could be used for development/testing on Debian then that
>would be nice.
>
>t
>From b08da1b7712f9621283719b190134586e59fb333 Mon Sep 17 00:00:00 2001
>From: Timo Aaltonen <tjaalton at ubuntu.com>
>Date: Tue, 3 Sep 2013 00:01:12 +0300
>Subject: [PATCH 1/6] Use /usr/bin/python as fallback python path
>
>---
> Makefile | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/Makefile b/Makefile
>index a21cf7e33275fd1a783e89baf237c8dcd8db6508..428f19b1a83da8c424893ea35c901f52dafaf546 100644
>--- a/Makefile
>+++ b/Makefile
>@@ -50,7 +50,7 @@ ifneq ($(DEVELOPER_MODE),0)
> LINT_OPTIONS=--no-fail
> endif
>
>-PYTHON ?= $(shell rpm -E %__python)
>+PYTHON ?= $(shell rpm -E %__python || echo /usr/bin/python)
>
> all: bootstrap-autogen server tests
> @for subdir in $(SUBDIRS); do \
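Review bot: The `|| echo /usr/bin/python` fallback only fires when `rpm` exits non-zero, and on a host without rpm the shell's "command not found" message still goes to stderr on every make run. If rpm is installed but `%__python` is undefined, rpm probably echoes the macro name back with exit status 0 (to be confirmed), which would leave `PYTHON` set to the literal `%__python`. Consider `PYTHON ?= $(shell rpm -E %__python 2>/dev/null || echo /usr/bin/python)` plus a comment that `PYTHON=` can be overridden on the make command line.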
>--
>1.8.3.2
>
>From 7360486d7ed343202062716c0eb4f731923bb509 Mon Sep 17 00:00:00 2001
>From: Timo Aaltonen <tjaalton at ubuntu.com>
>Date: Tue, 3 Sep 2013 00:03:12 +0300
>Subject: [PATCH 2/6] Don't search platform path
>
>Don't use Python.h from the platform specific path
>---
> ipapython/py_default_encoding/setup.py | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/ipapython/py_default_encoding/setup.py b/ipapython/py_default_encoding/setup.py
>index de2478c1962aba7a78919efdb266bf0600965905..6a1af628272c6cd3eaa755c5728a7a5d020050ec 100644
>--- a/ipapython/py_default_encoding/setup.py
>+++ b/ipapython/py_default_encoding/setup.py
>@@ -22,7 +22,7 @@ from distutils.sysconfig import get_python_inc
> import sys
> import os
>
>-python_header = os.path.join(get_python_inc(plat_specific=1), 'Python.h')
>+python_header = os.path.join(get_python_inc(plat_specific=0), 'Python.h')
> if not os.path.exists(python_header):
> sys.exit("Cannot find Python development packages that provide Python.h")
>
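Review bot: The reason for switching to `plat_specific=0` is not recorded at the call site, and the existence check now covers only the platform-independent include directory. A one-line comment such as `# Python.h is installed in the platform-independent include dir; only pyconfig.h may live in the platform-specific one` would keep a later reader from reverting it. Whether the extension build itself also adds the platform-specific directory to its include path is not visible in this hunk and is worth confirming.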
>--
>1.8.3.2
>
>From be86f0a9bbc3196aa8808243aba6d7e68c6d083b Mon Sep 17 00:00:00 2001
>From: Nick Hatch <nicholas.hatch at gmail.com>
>Date: Tue, 3 Sep 2013 00:08:13 +0300
>Subject: [PATCH 3/6] Don't exclude symlinks when loading plugins
>
>---
> ipalib/util.py | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/ipalib/util.py b/ipalib/util.py
>index 3c52e4fd9a3e08d160dd4ae7076590be8b869d2c..e14077487e979f077ddc1f9e925678884a64b5b5 100644
>--- a/ipalib/util.py
>+++ b/ipalib/util.py
>@@ -81,7 +81,7 @@ def find_modules_in_dir(src_dir):
> if not name.endswith(suffix):
> continue
> pyfile = os.path.join(src_dir, name)
>- if os.path.islink(pyfile) or not os.path.isfile(pyfile):
>+ if not os.path.isfile(pyfile):
> continue
> module = name[:-len(suffix)]
> if module == '__init__':
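Review bot: With the `os.path.islink` test removed, `os.path.isfile(pyfile)` follows links, so a symlink in `src_dir` pointing at a file anywhere on disk is now returned as a plugin module. The commit message gives no reason (presumably a packaging layout that symlinks modules into place), and the loader's trust boundary moves from "regular files in this directory" to "anything this directory links to". Record that assumption next to the check, for example `# symlinks are followed on purpose; src_dir must not be writable by unprivileged users`. find_modules_in_dir begins and ends outside this hunk.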
>--
>1.8.3.2
>
>From 34d002d5483b9853a8329215ab12c946b8df7525 Mon Sep 17 00:00:00 2001
>From: Nick Hatch <nicholas.hatch at gmail.com>
>Date: Tue, 3 Sep 2013 00:10:30 +0300
>Subject: [PATCH 4/6] Check dbus before starting it
>
>Check to see if the messagebus (dbus) is running before attempting to start it
>---
> ipa-client/ipa-install/ipa-client-install | 18 ++++++++++--------
> 1 file changed, 10 insertions(+), 8 deletions(-)
>
>diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
>index 280edd793326150c416fe1b82f9866435e9c6509..7241a3421e348666c47f03a9b4fdac472b2ccabb 100755
>--- a/ipa-client/ipa-install/ipa-client-install
>+++ b/ipa-client/ipa-install/ipa-client-install
>@@ -372,10 +372,11 @@ def uninstall(options, env):
> # Always start certmonger. We can't untrack something if it isn't
> # running
> messagebus = ipaservices.knownservices.messagebus
>- try:
>- messagebus.start()
>- except Exception, e:
>- log_service_error(messagebus.service_name, 'start', e)
>+ if not messagebus.is_running():
>+ try:
>+ messagebus.start()
>+ except Exception, e:
>+ log_service_error(messagebus.service_name, 'start', e)
>
> cmonger = ipaservices.knownservices.certmonger
> try:
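Review bot: `messagebus.is_running()` is called outside the `try`, so an exception raised by the status check now propagates out of `uninstall()` instead of being logged the way a failed start is. Moving the check inside the existing handler keeps the best-effort behaviour: `try:` then `if not messagebus.is_running(): messagebus.start()` then `except Exception, e:`. The second hunk, in `configure_certmonger()`, has the same shape. Both functions continue outside the hunks.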
>@@ -970,10 +971,11 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
> principal = 'host/%s@%s' % (hostname, cli_realm)
>
> messagebus = ipaservices.knownservices.messagebus
>- try:
>- messagebus.start()
>- except Exception, e:
>- log_service_error(messagebus.service_name, 'start', e)
>+ if not messagebus.is_running():
>+ try:
>+ messagebus.start()
>+ except Exception, e:
>+ log_service_error(messagebus.service_name, 'start', e)
>
> # Ensure that certmonger has been started at least once to generate the
> # cas files in /var/lib/certmonger/cas.
>--
>1.8.3.2
>
>From 926f2371eaa5166f39f1c25832bb502befca6d4e Mon Sep 17 00:00:00 2001
>From: Krzysztof Klimonda <kklimonda at syntaxhighlighted.com>
>Date: Tue, 3 Sep 2013 00:12:26 +0300
>Subject: [PATCH 5/6] Fix -Wformat-security warnings
>
>---
> daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | 6 +++---
> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 8 ++++----
> 2 files changed, 7 insertions(+), 7 deletions(-)
>
>diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
>index 9f884bd39233adf90b0f4eff1868885d587d351a..22c40f2bcfc527127b745e1efde5977b148c78a8 100644
>--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
>+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
>@@ -317,7 +317,7 @@ free_and_return:
>
> if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange);
>
>- LOG(errMesg ? errMesg : "success\n");
>+ LOG("%s", errMesg ? errMesg : "success\n");
> slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
>
> free(principal);
>@@ -344,7 +344,7 @@ ipaenrollment_extop(Slapi_PBlock *pb)
> if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid ) != 0) {
> errMesg = "Could not get OID and value from request.\n";
> rc = LDAP_OPERATIONS_ERROR;
>- LOG(errMesg);
>+ LOG("%s", errMesg);
> goto free_and_return;
> }
>
>@@ -357,7 +357,7 @@ ipaenrollment_extop(Slapi_PBlock *pb)
> rc = LDAP_OPERATIONS_ERROR;
>
> free_and_return:
>- LOG(errMesg);
>+ LOG("%s", errMesg);
> slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
>
> return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
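Review bot: At `free_and_return:` in `ipaenrollment_extop` the new `LOG("%s", errMesg);` passes `errMesg` unguarded, while the other cleanup paths touched by this patch use `errMesg ? errMesg : "success\n"`. If `errMesg` can still be NULL when the label is reached (its assignments are outside the hunk, so this is unverified), passing NULL for `%s` is undefined behaviour. The guarded form `LOG("%s", errMesg ? errMesg : "success\n");` would make every path consistent. The last hunk of ipa_pwd_extop.c, in `ipapwd_extop`, has the same unguarded call.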
>diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
>index 1058c313d1f2a193eb7fae621bc9c5d103fb6d5f..c3e0ebd9d90f393be031b26fadcedd00f6091a8d 100644
>--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
>+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
>@@ -573,7 +573,7 @@ free_and_return:
> if (targetEntry) slapi_entry_free(targetEntry);
> if (ber) ber_free(ber, 1);
>
>- LOG(errMesg ? errMesg : "success");
>+ LOG("%s", errMesg ? errMesg : "success");
> slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
>
> return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
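Review bot: The fallback string here is `"success"` with no trailing newline, whereas the other messages visible in this patch (`"Could not get OID value from request.\n"`, and `"success\n"` in ipa_enrollment.c) carry their own. Unless `LOG` appends one, which is not visible here, the success record would run into the next log line; `LOG("%s", errMesg ? errMesg : "success\n");` would match the other file. The following hunk at line 1143 uses the same string.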
>@@ -1143,7 +1143,7 @@ free_and_return:
>
> if (rc == LDAP_SUCCESS)
> errMesg = NULL;
>- LOG(errMesg ? errMesg : "success");
>+ LOG("%s", errMesg ? errMesg : "success");
> slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
>
> return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
>@@ -1170,7 +1170,7 @@ static int ipapwd_extop(Slapi_PBlock *pb)
> if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid) != 0) {
> errMesg = "Could not get OID value from request.\n";
> rc = LDAP_OPERATIONS_ERROR;
>- LOG(errMesg);
>+ LOG("%s", errMesg);
> goto free_and_return;
> } else {
> LOG("Received extended operation request with OID %s\n", oid);
>@@ -1193,7 +1193,7 @@ static int ipapwd_extop(Slapi_PBlock *pb)
> free_and_return:
> if (krbcfg) free_ipapwd_krbcfg(&krbcfg);
>
>- LOG(errMesg);
>+ LOG("%s", errMesg);
> slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
>
> return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
>--
>1.8.3.2
>
>From 9890f5ac23d927a668097f42a799219ea33b5cbc Mon Sep 17 00:00:00 2001
>From: Timo Aaltonen <tjaalton at ubuntu.com>
>Date: Tue, 3 Sep 2013 00:23:09 +0300
>Subject: [PATCH] Add Debian client platform support
>
>---
> ipapython/platform/debian/__init__.py | 43 ++++++++++++++
> ipapython/platform/debian/auth.py | 38 ++++++++++++
> ipapython/platform/debian/service.py | 107 ++++++++++++++++++++++++++++++++++
> ipapython/setup.py.in | 1 +
> 4 files changed, 189 insertions(+)
> create mode 100644 ipapython/platform/debian/__init__.py
> create mode 100644 ipapython/platform/debian/auth.py
> create mode 100644 ipapython/platform/debian/service.py
>
>diff --git a/ipapython/platform/debian/__init__.py b/ipapython/platform/debian/__init__.py
>new file mode 100644
>index 0000000000000000000000000000000000000000..0312b554521b314b9afe1a460ed3856b493de2bb
>--- /dev/null
>+++ b/ipapython/platform/debian/__init__.py
>@@ -0,0 +1,43 @@
>+import os
>+
>+from ipapython.platform import base, redhat, fedora18
>+from ipapython.platform.debian.auth import DebianAuthConfig
>+from ipapython.platform.debian.service import debian_service, DebianServices
>+
>+# All what we allow exporting directly from this module
>+# Everything else is made available through these symbols when they are
>+# directly imported into ipapython.services:
>+#
>+# authconfig -- class reference for platform-specific implementation of
>+# authconfig(8)
>+# service -- class reference for platform-specific implementation of a
>+# PlatformService class
>+# knownservices -- factory instance to access named services IPA cares about,
>+# names are ipapython.services.wellknownservices
>+# backup_and_replace_hostname -- platform-specific way to set hostname and
>+# make it persistent over reboots
>+# restore_network_configuration -- platform-specific way of restoring network
>+# configuration (e.g. static hostname)
>+# restore_context -- platform-sepcific way to restore security context, if
>+# applicable
>+# check_selinux_status -- platform-specific way to see if SELinux is enabled
>+# and restorecon is installed.
>+__all__ = ['authconfig', 'service', 'knownservices',
>+ 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
>+ 'restore_network_configuration', 'timedate_services']
>+
>+# Just copy a referential list of timedate services
>+timedate_services = list(base.timedate_services)
>+
>+def restore_network_configuration(fstore, statestore):
>+ filepath = '/etc/hostname'
>+ if fstore.has_file(filepath):
>+ fstore.restore_file(filepath)
>+ hostname_was_configured = True
>+
>+authconfig = DebianAuthConfig
>+service = debian_service
>+knownservices = DebianServices()
>+backup_and_replace_hostname = fedora18.backup_and_replace_hostname
>+restore_context = redhat.restore_context
>+check_selinux_status = redhat.check_selinux_status
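Review bot: `restore_network_configuration()` assigns `hostname_was_configured = True` to a local that is never read or returned, and `statestore` is not used, so the function's only effect is restoring `/etc/hostname`. Either drop the assignment or record the state where the caller can see it, and add a docstring saying what is restored. `import os` is unused, and the header comment misspells "platform-specific" as "platform-sepcific". Since `restore_context` and `check_selinux_status` are bound to the redhat implementations, a short comment on why they are safe to call on a system without SELinux tooling would help, for example `# redhat helpers are reused; confirm they are no-ops when restorecon is absent`.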
>diff --git a/ipapython/platform/debian/auth.py b/ipapython/platform/debian/auth.py
>new file mode 100644
>index 0000000000000000000000000000000000000000..76e5c90255dc4a0c4830062a54bd237f10d5ca1b
>--- /dev/null
>+++ b/ipapython/platform/debian/auth.py
>@@ -0,0 +1,38 @@
>+from ipapython.platform import base
>+
>+class DebianAuthConfig(base.AuthConfig):
>+ """
>+ Debian implementation of the AuthConfig class.
>+
>+ Debian doesn't provide a single application for changing both
>+ nss and pam configuration. PAM can be configured using debconf but there
>+ is currently no such solution for updating NSS database and every package
>+ does it by itself.
>+ """
>+
>+ def __build_args(self):
>+ args = ['--force']
>+ for (option, value) in self.parameters.items():
>+ if option == "sssdauth":
>+ option = "sss"
>+ # only sssd supported, filter the dupe
>+ elif option in ["sssd", "krb5", "ldap", "update"]:
>+ option = ""
>+ if type(value) is bool:
>+ if value:
>+ if not "package" in args:
>+ args.append("--package %s" % (option))
>+ else:
>+ args.append("%s" % (option))
>+ else:
>+ if not any("remove" in s for s in args):
>+ args.append("--remove %s" % (option))
>+ else:
>+ args.append("%s" % (option))
>+
>+
>+ def execute(self):
>+ env = "DEBCONF_FRONTEND=noninteractive"
>+ args = self.__build_args()
>+ ipautil.run(["/usr/sbin/pam-auth-update"]+args,env)
>+
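Review bot: `__build_args()` never returns `args`, so `execute()` evaluates `["/usr/sbin/pam-auth-update"]+None` and raises before pam-auth-update runs, leaving PAM unconfigured. Three more problems sit in the same two methods: `ipautil` is used but not imported (`from ipapython import ipautil`), each `"--package %s" % (option)` becomes a single argv element with an embedded space (or an empty element for the filtered options), and `"package" in args` compares whole list elements so it can never match. `env` is passed positionally as a string; the sketch below assumes `ipautil.run` accepts an `env` keyword mapping, which is not visible here and needs confirming, as does whether `--package` is meant to take profile names according to pam-auth-update(8).

```python
    def __build_args(self):
        enable = []
        remove = []
        for (option, value) in self.parameters.items():
            if option == "sssdauth":
                option = "sss"
            elif option in ["sssd", "krb5", "ldap", "update"]:
                # only sssd supported, filter the dupe
                continue
            if type(value) is not bool:
                continue
            if value:
                enable.append(option)
            else:
                remove.append(option)
        # one argv element per flag and per profile name, no embedded spaces
        args = ['--force']
        if enable:
            args.extend(['--package'] + enable)
        if remove:
            args.extend(['--remove'] + remove)
        return args

    def execute(self):
        args = self.__build_args()
        ipautil.run(["/usr/sbin/pam-auth-update"] + args,
                    env={"DEBCONF_FRONTEND": "noninteractive"})
```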
>diff --git a/ipapython/platform/debian/service.py b/ipapython/platform/debian/service.py
>new file mode 100644
>index 0000000000000000000000000000000000000000..dadd250c4e8cf393453b2c7d6344a6e612c79ad3
>--- /dev/null
>+++ b/ipapython/platform/debian/service.py
>@@ -0,0 +1,107 @@
>+import time
>+
>+from ipapython import ipautil
>+from ipapython.ipa_log_manager import root_logger
>+from ipapython.platform import base
>+from ipalib import api
>+
>+class DebianService(base.PlatformService):
>+ def __wait_for_open_ports(self, instance_name=""):
>+ """
>+ If this is a service we need to wait for do so.
>+ """
>+ ports = None
>+ if instance_name in base.wellknownports:
>+ ports = base.wellknownports[instance_name]
>+ else:
>+ if self.service_name in base.wellknownports:
>+ ports = base.wellknownports[self.service_name]
>+ if ports:
>+ ipautil.wait_for_open_ports('localhost', ports, api.env.startup_timeout)
>+ def stop(self, instance_name='', capture_output=True):
>+ ipautil.run(["/usr/sbin/service", self.service_name, "stop",
>+ instance_name], capture_output=capture_output)
>+ if 'context' in api.env and api.env.context in ['ipactl', 'installer']:
>+ update_service_list = True
>+ else:
>+ update_service_list = False
>+ super(DebianService, self).stop(instance_name)
>+
>+ def start(self, instance_name='', capture_output=True, wait=True):
>+ ipautil.run(["/usr/sbin/service", self.service_name, "start",
>+ instance_name], capture_output=capture_output)
>+ if 'context' in api.env and api.env.context in ['ipactl', 'installer']:
>+ update_service_list = True
>+ else:
>+ update_service_list = False
>+ if wait and self.is_running(instance_name):
>+ self.__wait_for_open_ports(instance_name)
>+ super(DebianService, self).start(instance_name)
>+
>+ def restart(self, instance_name='', capture_output=True, wait=True):
>+ ipautil.run(["/usr/sbin/service", self.service_name, "restart",
>+ instance_name], capture_output=capture_output)
>+ if wait and self.is_running(instance_name):
>+ self.__wait_for_open_ports(instance_name)
>+
>+ def is_running(self, instance_name=""):
>+ ret = True
>+ try:
>+ (sout, serr, rcode) = ipautil.run(["/usr/sbin/service",
>+ self.service_name, "status",
>+ instance_name])
>+ if sout.find("NOT running") >= 0:
>+ ret = False
>+ if sout.find("stop") >= 0:
>+ ret = False
>+ except ipautil.CalledProcessError:
>+ ret = False
>+ return ret
>+
>+ def is_installed(self):
>+ installed = True
>+ try:
>+ ipautil.run(["/usr/sbin/service", self.service_name, "status"])
>+ except ipautil.CalledProcessError, e:
>+ if e.returncode == 1:
>+ # service is not installed or there is other serious issue
>+ installed = False
>+ return installed
>+
>+ def is_enabled(self, instance_name=""):
>+ # Services are always assumed to be enabled when installed
>+ return True
>+
>+ def enable(self):
>+ return True
>+
>+ def disable(self):
>+ return True
>+
>+ def install(self):
>+ return True
>+
>+ def remove(self):
>+ return True
>+
>+class DebianSSHService(DebianService):
>+ def get_config_dir(self, instance_name=""):
>+ return '/etc/ssh'
>+
>+def debian_service(name):
>+ if name == 'sshd':
>+ return DebianSSHService(name)
>+ return DebianService(name)
>+
>+class DebianServices(base.KnownServices):
>+ def __init__(self):
>+ services = dict()
>+ for s in base.wellknownservices:
>+ if s == "messagebus":
>+ services[s] = debian_service("dbus")
>+ elif s == "ntpd":
>+ services[s] = debian_service("ntp")
>+ else:
>+ services[s] = debian_service(s)
>+ # Call base class constructor. This will lock services to read-only
>+ super(DebianServices, self).__init__(services)
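Review bot: `enable()`, `disable()`, `install()` and `remove()` in `DebianService` return `True` without doing anything, so a caller that disables a service during uninstall gets a success result while the service stays enabled at boot. If that is intentional for now, say so in each method and leave a trace, for example `root_logger.debug("disable is a no-op on Debian for %s", self.service_name)`; `root_logger` is imported but otherwise unused. In `start()` and `stop()` the local `update_service_list` is computed and never read, and `instance_name` is passed to `/usr/sbin/service` even when it is the empty string. `is_running()` decides from the substrings `"NOT running"` and `"stop"` in the status output, which depends on the init script's wording and locale; a comment naming the output formats it is meant to match would make that assumption reviewable.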
>diff --git a/ipapython/setup.py.in b/ipapython/setup.py.in
>index d3bbcaf1e46528d50731ca18a96a3384f6b49548..9ebd76bf14d6cd8033c7d3d4922d0a949475d3c0 100644
>--- a/ipapython/setup.py.in
>+++ b/ipapython/setup.py.in
>@@ -68,6 +68,7 @@ def setup_package():
> packages = [ "ipapython",
> "ipapython.platform",
> "ipapython.platform.base",
>+ "ipapython.platform.debian",
> "ipapython.platform.fedora16",
> "ipapython.platform.fedora18",
> "ipapython.platform.redhat" ],
>--
>1.8.3.2
>