[Freeipa-devel] [PATCH, FreeIPA2.1] Review request for platform abstraction refactoring
Simo Sorce
simo at redhat.com
Thu Sep 1 19:41:46 UTC 2011
On Wed, 2011-08-31 at 22:02 +0300, Alexander Bokovoy wrote:
> Hi!
>
> In branch 'platform' of
> http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=summary
> you can find four commits which represent working code to address
> https://fedorahosted.org/freeipa/ticket/1605.
>
> What is done:
> 1. ipapython.services module represents a system-agnostic way to
> communicate with platform-specific services management and other
> platform-specific functions.
>
> 2. ipapython.platform.* implements platform-specific functionality. The
> code is pulled in by ipapython.services module and should not be
> addressed directly.
>
> 3. ipapython.platform.redhat module (not to be called directly!) is what
> FreeIPA 2.1 has had previously -- current RHEL6 and Fedora14/15
> implementation.
>
> 4. Install tools, IPA client, and IPA server install code is converted
> to use ipapython.services.
>
> To facilitate a more expressive way of working with often used services,
> ipapython.services module provides a shortcut to access them by name via
> ipapython.services.knownservices.<service>. A typical code change looks
> like this:
> ------------------------------------------------
> (from ipapython import services as ipaservices)
> - service.restart("dirsrv")
> - service.restart("krb5kdc")
> - service.restart("httpd")
> + ipaservices.knownservices.dirsrv.restart()
> + ipaservices.knownservices.krb5kdc.restart()
> + ipaservices.knownservices.httpd.restart()
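Review bot: the attribute lookups on ipaservices.knownservices in the three added lines only fail at call time when a name is not registered, which is what the uninstall traceback later in this message shows for knownservices.nslcd (AttributeError: no magic attribute 'nslcd'). Every service name the converted code references should be present in ipapython.platform.base.wellknownservices, and knownservices should document what a caller gets for a service the platform does not provide.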
> ------------------------------------------------
>
> Besides expression change this also makes more explicit to platform
> providers access to what services they have to implement. Service names
> are defined in ipapython.platform.base.wellknownservices and represent
> definitive names to access these services from FreeIPA code. Of course,
> platform provider should remap those names to platform-specific ones --
> for ipapython.platform.redhat provider mapping is identity.
>
> If code needs direct access to some unnamed service, one could use
> ipapython.services.service class:
> ------------------------------------------------
> for (order, svc) in sorted(svc_list):
> svc_name = service.SERVICE_LIST[svc][0]
> + svchandle = ipaservices.service(svc_name)
> try:
> print "Starting %s Service" % svc
> - service.start(svc_name,
> capture_output=get_capture_output(svc_name, options.debug))
> + svchandle.start(capture_output=get_capture_output(svc_name,
> options.debug))
> except:
> emit_err("Failed to start %s Service" % svc)
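Review bot: the added line svchandle = ipaservices.service(svc_name) sits before the try:, so if building the handle raises, the error skips the emit_err("Failed to start %s Service" % svc) path that start() failures go through. Move the construction inside the try block; the bare except: that follows would also be better narrowed to except Exception: so it does not swallow KeyboardInterrupt or SystemExit.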
> ------------------------------------------------
>
> Server-side installation code depends on quite a delicate arrangement of
> Certificate Server, Directory Server, and is not really portable to
> other environments unless you do provide the same packages as Fedora or RHEL
> have. However, I tried to abstract service-specific calls in such a way
> that they all go through ipapython.platform.* so even here remapping of
> names is possible. Unfortunately, not for file paths yet.
>
> Client side is more ready for porting except authconfig(8) use.
> One of substantial issues for porting FreeIPA client code to platforms
> other than Red Hat's is use of authconfig(8) utility to configure
> authentication services. What I ended up with is a flexible interface
> (ipapython.platform.base.AuthConfig) to specify options and execute
> external apps. As with knownservices, one step more is to make those
> options accessible as member attributes instead of strings but even with
> current approach this gives full isolation of implementation of
> authconfig replacement from FreeIPA code.
>
> Typical use for AuthConfig is via ipapython.services.authconfig class:
> ------------------------------------------------
> - run(["/usr/sbin/authconfig", "--disableldap", "--disablekrb5",
> "--disablesssd", "--disablesssdauth", "--disablemkhomedir", "--update"])
> + auth_config = ipaservices.authconfig()
> + auth_config.disable("ldap").\
> + disable("krb5").\
> + disable("sssd").\
> + disable("sssdauth").\
> + disable("mkhomedir").\
> + add_option("update")
> + auth_config.execute()
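Review bot: add_option("update") at the end of the chain still passes authconfig's own --update flag through as a string, so a provider that replaces authconfig has to interpret an authconfig-specific option. Consider folding that step into execute() or giving it a platform-neutral method name, and wrap the chained calls in parentheses instead of backslash continuations, which break if whitespace follows a backslash.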
> ------------------------------------------------
> This should make porting much simpler -- less code to touch in core FreeIPA.
>
> Now good things: this all works! :)
>
> I tried on F15, doing ipa-server-install with different options and
> uninstalling as well, joining another client and removing it later. Of
> course, more testing is needed too.
Patches look good, and they mostly work fine on top of master but I got
this stack trace trying to uninstall:
# ipa-client-install --uninstall
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials:
Decrypt integrity check failed.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1117, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1099, in main
    return uninstall(options, env)
  File "/usr/sbin/ipa-client-install", line 295, in uninstall
    nslcd = ipaservices.knownservices.nslcd
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 167, in __getattr__
    raise AttributeError('no magic attribute %r' % name)
AttributeError: no magic attribute 'nslcd'
If you resolve this issue we should be basically good to go.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
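
The failure in the traceback above, reproduced as an added Python 3 example that is not part of the original message or FreeIPA's code: a registry in the style of knownservices with per-platform name remapping, where an unregistered name raises AttributeError and a helper lists the names callers use that the platform lacks. The classes, missing_names, the sample service list and the apache2 remap are constructed for illustration.

```python
# Added illustration; every name here is hypothetical, not FreeIPA's code.
WELLKNOWN = ("dirsrv", "krb5kdc", "httpd", "sssd")  # constructed sample list


class Service:
    """Handle for one service; records actions instead of calling init scripts."""

    def __init__(self, name, log):
        self.name, self._log = name, log

    def restart(self):
        self._log.append(("restart", self.name))


class KnownServices:
    """Attribute-style access to well-known services, remapped per platform."""

    def __init__(self, wellknown, remap=None):
        remap = remap or {}
        unknown = set(remap) - set(wellknown)
        if unknown:
            # A provider may rename services, but not invent new well-known names.
            raise ValueError("remap for unregistered names: %s" % sorted(unknown))
        self.log = []
        self._services = {n: Service(remap.get(n, n), self.log) for n in wellknown}

    def __getattr__(self, name):
        # Called only when normal attribute lookup fails.
        try:
            return self.__dict__["_services"][name]
        except KeyError:
            raise AttributeError("no known service %r" % name) from None

    def get(self, name):
        """Optional lookup: None when the platform does not provide the service."""
        return self._services.get(name)


def missing_names(known, used):
    """Names that calling code references but the registry does not provide."""
    return sorted(n for n in used if known.get(n) is None)
```

Running missing_names over the service names an installer references, before any uninstall step executes, turns the late AttributeError into an up-front list.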