From 84dba1780d4abe52ed871605267f885fc0dcbdad Mon Sep 17 00:00:00 2001
From: William Brown
Date: Feb 01 2019 00:51:59 +0000
Subject: Ticket 50140 - Use high ports in container installs
Bug Description: Out of the box, linux and containers don't have the required root permissions to use ports below 1024. We can't expect admins to change this, so we should configure ourselves on high ports in container installs.
Fix Description: Add containised argument to slapd2base options, and pass it as required for example file and installer sections.
https://pagure.io/389-ds-base/issue/50140
Author: William Brown
Review by: ???
---
diff --git a/src/lib389/cli/dscreate b/src/lib389/cli/dscreate
index 8dd145d..ee78141 100755
--- a/src/lib389/cli/dscreate
+++ b/src/lib389/cli/dscreate
@@ -28,7 +28,7 @@ fromfile_parser = subparsers.add_parser('from-file', help="Create an instance of
 fromfile_parser.add_argument('file', help="Inf file to use with prepared answers. You can generate an example of this with 'dscreate create-template'")
 fromfile_parser.add_argument('-n', '--dryrun', help="Validate system and configurations only. Do not alter the system.",
 action='store_true', default=False)
-fromfile_parser.add_argument('-c', '--containerised', help="Indicate to the installer that this is running in a container. Used to disable systemd native components, even if they are installed.",
+fromfile_parser.add_argument('-c', '--containerized', help="Indicate to the installer that this is running in a container. Used to disable systemd native components, even if they are installed.",
 action='store_true', default=False)
 fromfile_parser.set_defaults(func=cli_instance.instance_create)
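Review bot: Renaming the long option from `--containerised` to `--containerized` removes the old spelling outright, so any existing invocation that passes the long form will now be rejected by argparse as an unrecognized argument (only `-c` keeps working). argparse accepts several option strings for one argument, so `fromfile_parser.add_argument('-c', '--containerized', '--containerised', ...)` keeps `args.containerized` as the destination while still accepting the previous spelling.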
@@ -36,6 +36,8 @@ interactive_parser = subparsers.add_parser('interactive', help="Start interactiv
 interactive_parser.set_defaults(func=cli_instance.instance_create_interactive)
 template_parser = subparsers.add_parser('create-template', help="Display an example inf answer file, or provide a file name to write it to disk.")
+template_parser.add_argument('-c', '--containerized', help="Indicate to the installer that this is running in a container. Used to disable systemd native components, even if they are installed.",
+ action='store_true', default=False)
 template_parser.add_argument('template_file', nargs="?", default=None, help="Write example template to this file")
 template_parser.set_defaults(func=cli_instance.instance_example)
diff --git a/src/lib389/lib389/cli_ctl/instance.py b/src/lib389/lib389/cli_ctl/instance.py
index b70ec7c..5f11ecc 100644
--- a/src/lib389/lib389/cli_ctl/instance.py
+++ b/src/lib389/lib389/cli_ctl/instance.py
@@ -63,10 +63,10 @@ def instance_create_interactive(inst, log, args):
 def instance_create(inst, log, args):
- if args.containerised:
- log.debug("Containerised features requested.")
+ if args.containerized:
+ log.debug("Containerized features requested.")
- sd = SetupDs(args.verbose, args.dryrun, log, args.containerised)
+ sd = SetupDs(args.verbose, args.dryrun, log, args.containerized)
 if sd.create_from_inf(args.file):
 # print("Successfully created instance")
 return True
@@ -76,15 +76,11 @@ def instance_create(inst, log, args):
 def instance_example(inst, log, args):
- gpl_copyright = """
-; --- BEGIN COPYRIGHT BLOCK ---
-; Copyright (C) 2018 Red Hat, Inc.
-; All rights reserved.
-;
-; License: GPL (version 3 or any later version).
-; See LICENSE for details.
-; --- END COPYRIGHT BLOCK ---
+ if args.containerized:
+ log.debug("Containerized features requested.")
+ header = """
+;
 ; This is a version 2 ds setup inf file.
 ; It is used by the python versions of setup-ds-*
 ; Most options map 1 to 1 to the original .inf file.
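Review bot: The help text on the new `create-template` option is copied from `from-file` and describes disabling systemd components, but in this commit the flag's visible effect on `instance_example` is to switch the example's default ports through `Slapd2Base(log, args.containerized)`. Something like `help="Generate the example with container defaults (LDAP on 3389, LDAPS on 3636)."` would describe what the user actually gets. The `interactive` subparser does not gain the option in this diff, so whether `instance_create_interactive` can honour container defaults is not visible here.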
@@ -101,7 +97,7 @@ def instance_example(inst, log, args):
 """
 g2b = General2Base(log)
- s2b = Slapd2Base(log)
+ s2b = Slapd2Base(log, args.containerized)
 b2b = Backend2Base(log, "backend-userroot")
 if args.template_file:
@@ -113,7 +109,7 @@ def instance_example(inst, log, args):
 # Open file and populate it
 template_file = open(args.template_file, 'w')
- template_file.write(gpl_copyright)
+ template_file.write(header)
 template_file.write(g2b.collect_help())
 template_file.write(s2b.collect_help())
 template_file.write(b2b.collect_help())
@@ -122,7 +118,7 @@ def instance_example(inst, log, args):
 log.error("Failed trying to create template file ({}), error: {}".format(args.template_file, str(e)))
 return False
 else:
- print(gpl_copyright)
+ print(header)
 print(g2b.collect_help())
 print(s2b.collect_help())
 print(b2b.collect_help())
diff --git a/src/lib389/lib389/instance/options.py b/src/lib389/lib389/instance/options.py
index a1be9b6..fa09c24 100644
--- a/src/lib389/lib389/instance/options.py
+++ b/src/lib389/lib389/instance/options.py
@@ -137,7 +137,7 @@ class General2Base(Options2):
 class Slapd2Base(Options2):
- def __init__(self, log):
+ def __init__(self, log, container=False):
 super(Slapd2Base, self).__init__(log)
 self._section = 'slapd'
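Review bot: The template is written through a bare `open(args.template_file, 'w')` whose close is not visible in the hunk at -113, so an exception in one of the `write()` calls may leave the handle open until garbage collection; `with open(args.template_file, 'w') as template_file:` around the four writes would close it on every path. The file is also created with whatever mode the process umask allows, and since an answer file of this kind is presumably filled in later with instance credentials, it may be worth creating it readable by the owner only. The surrounding `try` starts above the hunk and its error handling appears in the next one.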
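Review bot: The new parameter in the options.py hunk at -137 is named `container`, while the CLI flag is `containerized` and `SetupDs` still passes `self.containerised` (setup.py hunk at -145), so one boolean now has three spellings along the call chain. Naming it to match the flag, `def __init__(self, log, containerized=False):`, would keep keyword callers and searches consistent. The constructor also has no docstring stating that the flag switches the default `port` and `secure_port` to 3389 and 3636. The class body continues outside the hunk.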
@@ -169,11 +169,17 @@ class Slapd2Base(Options2):
 self._type['prefix'] = str
 self._helptext['prefix'] = "Sets the file system prefix for all other directories. You can refer to this value in other fields using the {prefix} variable or the $PREFIX environment variable. Only set this parameter in a development environment."
- self._options['port'] = 389
+ if container:
+ self._options['port'] = 3389
+ else:
+ self._options['port'] = 389
 self._type['port'] = int
 self._helptext['port'] = "Sets the TCP port the instance uses for LDAP connections."
- self._options['secure_port'] = 636
+ if container:
+ self._options['secure_port'] = 3636
+ else:
+ self._options['secure_port'] = 636
 self._type['secure_port'] = int
 self._helptext['secure_port'] = "Sets the TCP port the instance uses for TLS-secured LDAP connections (LDAPS)."
diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py
index 1e3e891..6f3317f 100644
--- a/src/lib389/lib389/instance/setup.py
+++ b/src/lib389/lib389/instance/setup.py
@@ -145,7 +145,7 @@ class SetupDs(object):
 self.log.debug("Configuration general %s", general)
- slapd_options = Slapd2Base(self.log)
+ slapd_options = Slapd2Base(self.log, self.containerised)
 slapd_options.parse_inf_config(config)
 slapd_options.verify()
 slapd = slapd_options.collect()
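Review bot: The new container default `self._options['port'] = 3389` reuses the port registered for RDP, which perimeter firewalls frequently block and network monitoring tends to classify as remote-desktop traffic, so a containerised LDAP listener there can end up filtered or misreported. If the number is kept, a comment such as `# 3389/3636: unprivileged stand-ins for 389/636; 3389 is also the registered RDP port` above the branch would record the trade-off. The `port` and `secure_port` help texts are unchanged and do not say that the default depends on the container flag. Each four-line branch could also be the single line `self._options['port'] = 3389 if container else 389`. `__init__` starts in the previous hunk and continues past this one.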
@@ -583,10 +583,16 @@ class SetupDs(object):
 self.log.debug("PASSED: root user checking")
 assert_c(slapd['port'] is not None, "Configuration port in section [slapd] not found")
- assert_c(socket_check_open('::1', slapd['port']) is False, "port %s is already in use" % slapd['port'])
+
+ if self.containerised:
+ if slapd['port'] <= 1024:
+ self.log.warning("WARNING: slapd port %s may not work without NET_BIND_SERVICE in containers" % slapd['port'])
+ if slapd['secure_port'] <= 1024:
+ self.log.warning("WARNING: slapd secure_port %s may not work without NET_BIND_SERVICE in containers" % slapd['secure_port'])
+ assert_c(socket_check_open('::1', slapd['port']) is False, "port %s is already in use, or missing NET_BIND_SERVICE" % slapd['port'])
 # We enable secure port by default.
 assert_c(slapd['secure_port'] is not None, "Configuration secure_port in section [slapd] not found")
- assert_c(socket_check_open('::1', slapd['secure_port']) is False, "secure_port %s is already in use" % slapd['secure_port'])
+ assert_c(socket_check_open('::1', slapd['secure_port']) is False, "secure_port %s is already in use, or missing NET_BIND_SERVICE" % slapd['secure_port'])
 self.log.debug("PASSED: network avaliability checking")
 # Make assertions of the paths?
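Review bot: The new `slapd['secure_port'] <= 1024` comparison runs before the existing `assert_c(slapd['secure_port'] is not None, ...)` further down, so in a containerised install a missing secure_port reaches the comparison first and either raises TypeError (Python 3) or is reported as a low port (Python 2) instead of producing the intended "not found" message; the secure_port warning should move below that assertion. Both comparisons should also be `< 1024`, since 1024 itself is not a privileged port and the commit message speaks of ports below 1024, e.g. `if self.containerised and slapd['secure_port'] < 1024:`. The ", or missing NET_BIND_SERVICE" suffix on the two assertions looks misleading if `socket_check_open` only probes for an existing listener on `::1` (its body is not on this page), because a missing capability would not make that probe succeed. The enclosing method starts and ends outside the hunk, and the nesting of the added lines cannot be confirmed because indentation is not preserved on this page.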