From 7a482b7c7286f738f10e43ca70c94c35029398bc Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Jul 14 2017 13:55:59 +0000 Subject: logging: do not log into the root logger Deprecate `ipa_log_manager.root_logger` and replace all calls to it with module-level logger calls. Reviewed-By: Martin Basti --- diff --git a/client/ipa-client-automount b/client/ipa-client-automount index 2b1d8b9..55641d5 100755 --- a/client/ipa-client-automount +++ b/client/ipa-client-automount @@ -23,6 +23,7 @@ from __future__ import print_function +import logging import sys import os import time @@ -46,13 +47,16 @@ from ipalib import api, errors from ipalib.install import sysrestore from ipalib.install.kinit import kinit_keytab from ipapython import ipautil -from ipapython.ipa_log_manager import root_logger, standard_logging_setup +from ipapython.ipa_log_manager import standard_logging_setup from ipapython.dn import DN from ipaplatform.constants import constants from ipaplatform.tasks import tasks from ipaplatform import services from ipaplatform.paths import paths +logger = logging.getLogger(os.path.basename(__file__)) + + def parse_options(): usage = "%prog [options]\n" parser = OptionParser(usage=usage) @@ -95,7 +99,7 @@ def wait_for_sssd(): if not found: err_msg = ("Unable to find 'admin' user with " "'getent passwd admin@%s'!" % api.env.realm) - root_logger.debug(err_msg) + logger.debug('%s', err_msg) print(err_msg) print("This may mean that sssd didn't re-start properly after the configuration changes.") @@ -106,8 +110,8 @@ def configure_xml(fstore): try: tree = etree.parse(authconf) except IOError as e: - root_logger.debug('Unable to open file %s' % e) - root_logger.debug('Creating new from template') + logger.debug('Unable to open file %s', e) + logger.debug('Creating new from template') tree = etree.ElementTree( element=etree.Element('autofs_ldap_sasl_conf') ) 
@@ -161,10 +165,11 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options): except SSSDConfig.ServiceAlreadyExists: pass except SSSDConfig.ServiceNotRecognizedError: - root_logger.error("Unable to activate the Autofs service in SSSD config.") - root_logger.info( - "Please make sure you have SSSD built with autofs support installed.") - root_logger.info( + logger.error("Unable to activate the Autofs service in SSSD config.") + logger.info( + "Please make sure you have SSSD built with autofs support " + "installed.") + logger.info( "Configure autofs support manually in /etc/sssd/sssd.conf.") sys.exit("Cannot create the autofs service in sssd.conf") @@ -235,12 +240,13 @@ def configure_autofs_common(fstore, statestore, options): autofs.restart() print("Started %s" % autofs.service_name) except Exception as e: - root_logger.error("%s failed to restart: %s", autofs.service_name, e) + logger.error("%s failed to restart: %s", autofs.service_name, e) try: autofs.enable() except Exception as e: print("Failed to configure automatic startup of the %s daemon" % (autofs.service_name)) - root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (autofs.service_name, str(e))) + logger.error("Failed to enable automatic startup of the %s daemon: %s", + autofs.service_name, str(e)) def uninstall(fstore, statestore): print("Restoring configuration") @@ -286,7 +292,8 @@ def uninstall(fstore, statestore): wait_for_sssd() except Exception as e: print('Unable to restore SSSD configuration: %s' % str(e)) - root_logger.debug('Unable to restore SSSD configuration: %s' % str(e)) + logger.debug('Unable to restore SSSD configuration: %s', + str(e)) if statestore.has_state('rpcidmapd'): enabled = statestore.restore_state('rpcidmapd', 'enabled') running = statestore.restore_state('rpcidmapd', 'running') 
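Review bot: `str(e)` in the new `logger.error("Failed to enable automatic startup of the %s daemon: %s", autofs.service_name, str(e))` call in configure_autofs_common() is redundant now that the message is formatted lazily, because `%s` already applies `str()` and passing `e` defers the conversion until a handler emits the record. The same pattern is on the rewritten lines in uninstall() (`'Unable to restore SSSD configuration: %s'`), in both `enable()` handlers of configure_nfs(), and in ipa-managed-entries (`"Search for managed entries failed: %s"`). Passing `e` directly would also match the neighbouring `logger.error("%s failed to restart: %s", autofs.service_name, e)` call.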
@@ -345,12 +352,13 @@ def configure_nfs(fstore, statestore): rpcidmapd.restart() print("Started %s" % rpcidmapd.service_name) except Exception as e: - root_logger.error("%s failed to restart: %s", rpcidmapd.service_name, e) + logger.error("%s failed to restart: %s", rpcidmapd.service_name, e) try: rpcidmapd.enable() except Exception as e: print("Failed to configure automatic startup of the %s daemon" % (rpcidmapd.service_name)) - root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (rpcidmapd.service_name, str(e))) + logger.error("Failed to enable automatic startup of the %s daemon: %s", + rpcidmapd.service_name, str(e)) rpcgssd = services.knownservices.rpcgssd statestore.backup_state('rpcgssd', 'enabled', rpcgssd.is_enabled()) @@ -359,12 +367,13 @@ def configure_nfs(fstore, statestore): rpcgssd.restart() print("Started %s" % rpcgssd.service_name) except Exception as e: - root_logger.error("%s failed to restart: %s", rpcgssd.service_name, e) + logger.error("%s failed to restart: %s", rpcgssd.service_name, e) try: rpcgssd.enable() except Exception as e: print("Failed to configure automatic startup of the %s daemon" % (rpcgssd.service_name)) - root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (rpcgssd.service_name, str(e))) + logger.error("Failed to enable automatic startup of the %s daemon: %s", + rpcgssd.service_name, str(e)) def main(): 
@@ -405,40 +414,41 @@ def main(): if not options.server: print("Searching for IPA server...") ret = ds.search(ca_cert_path=ca_cert_path) - root_logger.debug('Executing DNS discovery') + logger.debug('Executing DNS discovery') if ret == ipadiscovery.NO_LDAP_SERVER: - root_logger.debug('Autodiscovery did not find LDAP server') + logger.debug('Autodiscovery did not find LDAP server') s = urlsplit(api.env.xmlrpc_uri) server = [s.netloc] - root_logger.debug('Setting server to %s' % s.netloc) + logger.debug('Setting server to %s', s.netloc) else: autodiscover = True if not ds.servers: sys.exit('Autodiscovery was successful but didn\'t return a server') - root_logger.debug('Autodiscovery success, possible servers %s' % ','.join(ds.servers)) + logger.debug('Autodiscovery success, possible servers %s', + ','.join(ds.servers)) server = ds.servers[0] else: server = options.server - root_logger.debug("Verifying that %s is an IPA server" % server) + logger.debug("Verifying that %s is an IPA server", server) ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path) if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP: print("Anonymous access to the LDAP server is disabled.") print("Proceeding without strict verification.") print("Note: This is not an error if anonymous access has been explicitly restricted.") elif ldapret[0] == ipadiscovery.NO_TLS_LDAP: - root_logger.warning("Unencrypted access to LDAP is not supported.") + logger.warning("Unencrypted access to LDAP is not supported.") elif ldapret[0] != 0: sys.exit('Unable to confirm that %s is an IPA server' % server) if not autodiscover: print("IPA server: %s" % server) - root_logger.debug('Using fixed server %s' % server) + logger.debug('Using fixed server %s', server) else: print("IPA server: DNS discovery") - root_logger.debug('Configuring to use DNS discovery') + logger.debug('Configuring to use DNS discovery') print("Location: %s" % options.location) - root_logger.debug('Using automount location %s' % options.location) + 
logger.debug('Using automount location %s', options.location) ccache_dir = tempfile.mkdtemp() ccache_name = os.path.join(ccache_dir, 'ccache') @@ -489,7 +499,7 @@ def main(): configure_autofs(fstore, statestore, autodiscover, server, options) configure_autofs_common(fstore, statestore, options) except Exception as e: - root_logger.debug('Raised exception %s' % e) + logger.debug('Raised exception %s', e) print("Installation failed. Rolling back changes.") uninstall(fstore, statestore) return 1 diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica index bc3e5a1..5a64b84 100755 --- a/daemons/dnssec/ipa-dnskeysync-replica +++ b/daemons/dnssec/ipa-dnskeysync-replica @@ -18,7 +18,7 @@ import ipalib from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipalib.install.kinit import kinit_keytab from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger, standard_logging_setup +from ipapython.ipa_log_manager import standard_logging_setup from ipapython import ipaldap from ipaplatform.paths import paths from ipaserver.dnssec.abshsm import (sync_pkcs11_metadata, 
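Review bot: In main(), the `ipadiscovery.NO_TLS_LDAP` branch only calls `logger.warning("Unencrypted access to LDAP is not supported.")` and then falls through, while the generic non-zero result ends in `sys.exit('Unable to confirm that %s is an IPA server' % server)`. The message says the condition is unsupported, yet the run goes on to configure the client against that server. If continuing is intended, a one-line comment in that branch stating why a TLS failure is non-fatal would record the decision; otherwise the branch should exit as well, e.g. `sys.exit('Unencrypted access to LDAP is not supported.')`. This behaviour predates the commit, which only renames the logger, and main() extends beyond the hunk.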
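Review bot: The rollback path in main() records the failure only as `logger.debug('Raised exception %s', e)`, so the log keeps the exception text but not where it was raised. Since the handler catches a bare `Exception` and immediately calls `uninstall(fstore, statestore)`, the traceback is the main evidence for diagnosing a failed install afterwards; `logger.debug('Raised exception %s', e, exc_info=True)` would keep it without changing what the user sees on the console.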
@@ -136,28 +136,27 @@ def ldap2replica_zone_keys_sync(ldapkeydb, localhsm): standard_logging_setup(verbose=True, debug=True) ipalib.api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True) ipalib.api.finalize() -log = root_logger # Kerberos initialization PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host)) -log.debug('Kerberos principal: %s', PRINCIPAL) +logger.debug('Kerberos principal: %s', PRINCIPAL) ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysync-replica.ccache') try: kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB, ccache_filename, attempts=5) except GSSError as e: - log.critical('Kerberos authentication failed: %s', e) + logger.critical('Kerberos authentication failed: %s', e) sys.exit(1) os.environ['KRB5CCNAME'] = ccache_filename -log.debug('Got TGT') +logger.debug('Got TGT') # LDAP initialization ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri) -log.debug('Connecting to LDAP') +logger.debug('Connecting to LDAP') ldap.gssapi_bind() -log.debug('Connected') +logger.debug('Connected') ### DNSSEC master: key synchronization diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd index e70aa8e..f0f4135 100755 --- a/daemons/dnssec/ipa-dnskeysyncd +++ b/daemons/dnssec/ipa-dnskeysyncd @@ -14,17 +14,20 @@ import time from ipalib import api from ipalib.install.kinit import kinit_keytab from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger, standard_logging_setup +from ipapython.ipa_log_manager import standard_logging_setup from ipapython import ipaldap from ipaplatform.paths import paths from ipaserver.dnssec.keysyncer import KeySyncer +logger = logging.getLogger(os.path.basename(__file__)) + + # IPA framework initialization standard_logging_setup(verbose=True) api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True) api.finalize() -log = root_logger if api.env.debug: + root_logger = logging.getLogger() root_logger.setLevel(logging.DEBUG) # Global state 
@@ -42,7 +45,7 @@ def commenceShutdown(signum, stack): global watcher_running global ldap_connection # pylint: disable=global-variable-not-assigned - log.info('Signal %s received: Shutting down!', signum) + logger.info('Signal %s received: Shutting down!', signum) # We are no longer running watcher_running = False @@ -64,12 +67,12 @@ signal.signal(signal.SIGINT, commenceShutdown) # Kerberos initialization PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host)) -log.debug('Kerberos principal: %s', PRINCIPAL) +logger.debug('Kerberos principal: %s', PRINCIPAL) ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysyncd.ccache') try: kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename, attempts=5) except Exception as ex: - log.critical("Kerberos authentication failed: %s", ex) + logger.critical("Kerberos authentication failed: %s", ex) # signal failure and let init system to restart the daemon sys.exit(1) os.environ['KRB5CCNAME'] = ccache_filename @@ -80,7 +83,7 @@ ldap_url = ldapurl.LDAPUrl(api.env.ldap_uri) ldap_url.dn = str(basedn) ldap_url.scope = ldapurl.LDAP_SCOPE_SUBTREE ldap_url.filterstr = '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))' -log.debug('LDAP URL: %s', ldap_url.unparse()) +logger.debug('LDAP URL: %s', ldap_url.unparse()) # Real work while watcher_running: 
@@ -89,18 +92,18 @@ while watcher_running: # Now we login to the LDAP server try: - log.info('LDAP bind...') + logger.info('LDAP bind...') ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI) except ldap.INVALID_CREDENTIALS as e: - log.exception('Login to LDAP server failed: %s', e) + logger.exception('Login to LDAP server failed: %s', e) sys.exit(1) except ldap.SERVER_DOWN as e: - log.exception('LDAP server is down, going to retry: %s', e) + logger.exception('LDAP server is down, going to retry: %s', e) time.sleep(5) continue # Commence the syncing - log.info('Commencing sync process') + logger.info('Commencing sync process') ldap_search = ldap_connection.syncrepl_search( ldap_url.dn, ldap_url.scope, @@ -113,5 +116,5 @@ while watcher_running: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): pass except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e: - log.exception('syncrepl_poll: LDAP error (%s)', e) + logger.exception('syncrepl_poll: LDAP error (%s)', e) sys.exit(1) diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter index efb4ab8..b1e69df 100755 --- a/daemons/dnssec/ipa-ods-exporter +++ b/daemons/dnssec/ipa-ods-exporter @@ -35,7 +35,6 @@ import ipalib from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipalib.install.kinit import kinit_keytab from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger from ipapython import ipaldap from ipaplatform.paths import paths from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id @@ -617,8 +616,9 @@ def cleanup_ldap_zone(ldap, dns_dn, zone_name): logger.debug('%s: deleting key metadata "%s"', zone_name, ldap_key.dn) ldap.delete_entry(ldap_key) -log = root_logger + # this service is usually socket-activated +root_logger = logging.getLogger() root_logger.addHandler(systemd.journal.JournalHandler()) root_logger.setLevel(level=logging.DEBUG) 
@@ -636,25 +636,25 @@ ipalib.api.finalize() # Kerberos initialization PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host)) -log.debug('Kerberos principal: %s', PRINCIPAL) +logger.debug('Kerberos principal: %s', PRINCIPAL) ccache_name = paths.IPA_ODS_EXPORTER_CCACHE try: kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name, attempts=5) except GSSError as e: - log.critical('Kerberos authentication failed: %s', e) + logger.critical('Kerberos authentication failed: %s', e) sys.exit(1) os.environ['KRB5CCNAME'] = ccache_name -log.debug('Got TGT') +logger.debug('Got TGT') # LDAP initialization dns_dn = DN(ipalib.api.env.container_dns, ipalib.api.env.basedn) ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri) -log.debug('Connecting to LDAP') +logger.debug('Connecting to LDAP') ldap.gssapi_bind() -log.debug('Connected') +logger.debug('Connected') ### DNSSEC master: key material upload & synchronization (but not deletion) @@ -676,8 +676,8 @@ master2ldap_zone_keys_sync(ldapkeydb, localhsm) try: cmd, conn = receive_systemd_command() if len(sys.argv) != 1: - log.critical('No additional parameters are accepted when ' - 'socket activation is used.') + logger.critical('No additional parameters are accepted when ' + 'socket activation is used.') sys.exit(1) # Handle cases where somebody ran the program without systemd. except KeyError as e: @@ -693,10 +693,10 @@ exitcode, msg, zone_name, cmd = parse_command(cmd) if exitcode is not None: if conn: send_systemd_reply(conn, msg) - log.info(msg) + logger.info("%s", msg) sys.exit(exitcode) else: - log.debug(msg) + logger.debug("%s", msg) # Open DB directly and read key timestamps etc. db = None @@ -734,7 +734,7 @@ try: except Exception as ex: msg = "ipa-ods-exporter exception: %s" % traceback.format_exc(ex) - log.exception(ex) + logger.exception("%s", ex) raise ex finally: @@ -745,4 +745,4 @@ finally: if conn: send_systemd_reply(conn, msg) -log.debug('Done') +logger.debug('Done') 
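Review bot: In the final `except Exception as ex:` handler, `traceback.format_exc(ex)` passes the exception object as the `limit` argument, which `format_exc` expects to be an integer or None; on Python 3 this is expected to raise TypeError inside the handler, so `msg` never receives the error text that the `finally` block would send with `send_systemd_reply(conn, msg)`. The same call sits on a rewritten line in ipa-replica-conncheck, `logger.debug("%s", traceback.format_exc(e))` in the `socket.error` handler of PortResponder, where a failed bind would then raise inside the listening thread instead of being logged. Drop the argument in both places, `traceback.format_exc()`; in ipa-replica-conncheck `logger.debug("Failed to bind", exc_info=True)` would be the equivalent. The line here is unchanged context, so this predates the commit.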
diff --git a/install/migration/migration.py b/install/migration/migration.py index 73e4777..c0bddab 100644 --- a/install/migration/migration.py +++ b/install/migration/migration.py @@ -22,14 +22,17 @@ Password migration script import cgi import errno +import logging +import os.path from wsgiref.util import request_uri from ipaplatform.paths import paths -from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipapython import ipaldap from ipalib import errors, create_api +logger = logging.getLogger(os.path.basename(__file__)) + def wsgi_redirect(start_response, loc): start_response('302 Found', [('Location', loc)]) @@ -45,19 +48,19 @@ def get_ui_url(environ): def bind(ldap_uri, base_dn, username, password): if not base_dn: - root_logger.error('migration unable to get base dn') + logger.error('migration unable to get base dn') raise IOError(errno.EIO, 'Cannot get Base DN') bind_dn = DN(('uid', username), ('cn', 'users'), ('cn', 'accounts'), base_dn) try: conn = ipaldap.LDAPClient(ldap_uri) conn.simple_bind(bind_dn, password) except (errors.ACIError, errors.DatabaseError, errors.NotFound) as e: - root_logger.error( - 'migration invalid credentials for %s: %s' % (bind_dn, e)) + logger.error( + 'migration invalid credentials for %s: %s', bind_dn, e) raise IOError( errno.EPERM, 'Invalid LDAP credentials for user %s' % username) except Exception as e: - root_logger.error('migration bind failed: %s' % e) + logger.error('migration bind failed: %s', e) raise IOError(errno.EIO, 'Bind error') finally: conn.unbind() diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1484598..dc5b14e 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -23,6 +23,7 @@ from __future__ import print_function +import logging import os import sys 
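Review bot: `logging.getLogger(os.path.basename(__file__))` yields the name `migration.py` for this file, and the logging module treats the dot as a hierarchy separator, so the logger becomes a child `py` of a logger `migration`. Records still propagate to the root handlers, but per-logger levels or filters keyed on the file name may not apply the way a reader would expect. For files that carry an extension, `logger = logging.getLogger(os.path.splitext(os.path.basename(__file__))[0])` keeps the name flat; the extensionless scripts changed in this commit are unaffected.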
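Review bot: In bind(), `conn` is first assigned inside the `try`, but `finally: conn.unbind()` runs unconditionally, so if `ipaldap.LDAPClient(ldap_uri)` itself raises, the cleanup fails on an unbound name and that error replaces the `IOError(errno.EIO, 'Bind error')` the handler just raised. A caller that maps IOError to an error page would then see an unexpected exception type for a plain connection failure. Initialise `conn = None` before the `try` and guard the cleanup with `if conn is not None: conn.unbind()`. This is unchanged context and predates the commit; the logging lines themselves are fine.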
@@ -42,11 +43,13 @@ from ipapython import ipautil from ipalib import api, errors, krb_utils from ipapython.config import IPAOptionParser from ipaplatform.paths import paths -from ipapython.ipa_log_manager import root_logger, standard_logging_setup +from ipapython.ipa_log_manager import standard_logging_setup if six.PY3: unicode = str +logger = logging.getLogger(os.path.basename(__file__)) + log_file_name = paths.IPASERVER_INSTALL_LOG @@ -125,11 +128,10 @@ def main(): print("\nThe log file for this installation can be found in %s" % log_file_name) - root_logger.debug('%s was invoked with options: %s' - % (sys.argv[0], safe_options)) - root_logger.debug( + logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options) + logger.debug( "missing options might be asked for interactively later\n") - root_logger.debug('IPA version %s' % version.VENDOR_VERSION) + logger.debug('IPA version %s', version.VENDOR_VERSION) check_server_configuration() diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 36ae7d2..fc485c5 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -18,6 +18,7 @@ # along with this program. If not, see . # +import logging import sys import os import shutil @@ -35,9 +36,11 @@ from ipapython import version from ipalib import api from ipalib.constants import DOMAIN_LEVEL_0 from ipapython.config import IPAOptionParser -from ipapython.ipa_log_manager import root_logger, standard_logging_setup +from ipapython.ipa_log_manager import standard_logging_setup from ipaplatform.paths import paths +logger = logging.getLogger(os.path.basename(__file__)) + log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG REPLICA_INFO_TOP_DIR = None 
@@ -282,9 +285,9 @@ def main(): sys.exit("CA is already installed on this host.") standard_logging_setup(log_file_name, debug=options.debug) - root_logger.debug("%s was invoked with options: %s,%s", - sys.argv[0], safe_options, filename) - root_logger.debug("IPA version %s", version.VENDOR_VERSION) + logger.debug("%s was invoked with options: %s,%s", + sys.argv[0], safe_options, filename) + logger.debug("IPA version %s", version.VENDOR_VERSION) # override ra_plugin setting read from default.conf so that we have # functional dogtag backend plugins during CA install diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index 4c4cf3d..87f034d 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -22,11 +22,11 @@ from __future__ import print_function +import logging import sys import os from ipaplatform.paths import paths -from ipapython.ipa_log_manager import root_logger from ipaserver.install import (replication, installutils, bindinstance, cainstance) from ipalib import api, errors @@ -34,6 +34,8 @@ from ipalib.util import has_managed_topology from ipapython import ipautil, ipaldap, version from ipapython.dn import DN +logger = logging.getLogger(os.path.basename(__file__)) + # dict of command name and tuples of min/max num of args needed commands = { "list": (0, 1, "[master fqdn]", ""), 
@@ -354,10 +356,12 @@ def re_initialize(realm, options): entry = repl.conn.get_entries( DN(('cn', 'config')), repl.conn.SCOPE_SUBTREE, filter) except errors.NotFound: - root_logger.error("Unable to find %s -> %s replication agreement" % (options.fromhost, thishost)) + logger.error("Unable to find %s -> %s replication agreement", + options.fromhost, thishost) sys.exit(1) if len(entry) > 1: - root_logger.error("Found multiple agreements for %s. Only initializing the first one returned: %s" % (thishost, entry[0].dn)) + logger.error("Found multiple agreements for %s. Only initializing the " + "first one returned: %s", thishost, entry[0].dn) repl.hostnames = thisrepl.hostnames = [thishost, options.fromhost] thisrepl.enable_agreement(options.fromhost) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index cb6c5d8..099d165 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -21,6 +21,7 @@ from __future__ import print_function +import logging import os import sys @@ -33,10 +34,12 @@ from ipalib import api from ipaplatform.paths import paths from ipapython import ipautil from ipapython.config import IPAOptionParser -from ipapython.ipa_log_manager import standard_logging_setup, root_logger +from ipapython.ipa_log_manager import standard_logging_setup from ipaserver.install import dns as dns_installer +logger = logging.getLogger(os.path.basename(__file__)) + log_file_name = paths.IPASERVER_INSTALL_LOG def parse_options(): 
@@ -127,9 +130,9 @@ def main(): standard_logging_setup(log_file_name, debug=options.debug, filemode='a') print("\nThe log file for this installation can be found in %s" % log_file_name) - root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) - root_logger.debug("missing options might be asked for interactively later\n") - root_logger.debug('IPA version %s' % version.VENDOR_VERSION) + logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options) + logger.debug("missing options might be asked for interactively later\n") + logger.debug('IPA version %s', version.VENDOR_VERSION) installutils.check_server_configuration() diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries index 8ad74f2..5bf0e43 100755 --- a/install/tools/ipa-managed-entries +++ b/install/tools/ipa-managed-entries @@ -20,6 +20,7 @@ from __future__ import print_function +import logging import os import re import sys @@ -29,9 +30,12 @@ from ipaplatform.paths import paths from ipapython import config from ipaserver.install import installutils from ipalib import api, errors -from ipapython.ipa_log_manager import root_logger, standard_logging_setup +from ipapython.ipa_log_manager import standard_logging_setup from ipapython.dn import DN +logger = logging.getLogger(os.path.basename(__file__)) + + def parse_options(): usage = "%prog [options] \n" usage += "%prog [options]\n" @@ -101,7 +105,7 @@ def main(): entries = api.Backend.ldap2.get_entries( managed_entry_definitions_dn, api.Backend.ldap2.SCOPE_SUBTREE, filter) except Exception as e: - root_logger.debug("Search for managed entries failed: %s" % str(e)) + logger.debug("Search for managed entries failed: %s", str(e)) sys.exit("Unable to find managed entries at %s" % managed_entry_definitions_dn) managed_entries = [entry.single_value['cn'] for entry in entries] if managed_entries: 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 9b92de3..1a50c4b 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -20,6 +20,8 @@ from __future__ import print_function +import logging + import ipaclient.install.ipachangeconf from ipapython.config import IPAOptionParser from ipapython.dn import DN @@ -30,7 +32,7 @@ from ipaserver.install import installutils # pylint: disable=deprecated-module from optparse import OptionGroup, OptionValueError # pylint: enable=deprecated-module -from ipapython.ipa_log_manager import root_logger, standard_logging_setup +from ipapython.ipa_log_manager import standard_logging_setup import copy import sys import os @@ -47,6 +49,8 @@ from ipaplatform.paths import paths import gssapi from cryptography.hazmat.primitives import serialization +logger = logging.getLogger(os.path.basename(__file__)) + CONNECT_TIMEOUT = 5 RESPONDER = None QUIET = False @@ -266,8 +270,8 @@ def configure_krb5_conf(realm, kdc, filename): appopts = [{'name':'pam', 'type':'subsection', 'value':pamopts}] opts.append({'name':'appdefaults', 'type':'section', 'value':appopts}) - root_logger.debug("Writing temporary Kerberos configuration to %s:\n%s" - % (filename, krbconf.dump(opts))) + logger.debug("Writing temporary Kerberos configuration to %s:\n%s", + filename, krbconf.dump(opts)) krbconf.newConf(filename, opts) @@ -292,13 +296,13 @@ class PortResponder(threading.Thread): self.ports_open_cond = threading.Condition() def run(self): - root_logger.debug('Starting listening thread.') + logger.debug('Starting listening thread.') for port in self.ports: self._bind_to_port(port.port, port.port_type) with self.ports_open_cond: self.ports_opened = True - root_logger.debug('Ports opened, notify original thread') + logger.debug('Ports opened, notify original thread') self.ports_open_cond.notify() while not self._is_closing(): 
@@ -312,8 +316,7 @@ class PortResponder(threading.Thread): port = sock.getsockname()[1] proto = PortResponder.PROTO[sock.type] sock.close() - root_logger.debug('%(port)d %(proto)s: Stopped listening' % - dict(port=port, proto=proto)) + logger.debug('%d %s: Stopped listening', port, proto) def _is_closing(self): with self._close_lock: @@ -343,12 +346,10 @@ class PortResponder(threading.Thread): # connections. Thus a backlog size of at least 1 is needed. sock.listen(1) - root_logger.debug('%(port)d %(proto)s: Started listening' % - dict(port=port, proto=proto)) + logger.debug('%d %s: Started listening', port, proto) except socket.error as e: - root_logger.warning('%(port)d %(proto)s: Failed to bind' % - dict(port=port, proto=proto)) - root_logger.debug(traceback.format_exc(e)) + logger.warning('%d %s: Failed to bind', port, proto) + logger.debug("%s", traceback.format_exc(e)) else: self._sockets.append(sock) @@ -358,18 +359,16 @@ class PortResponder(threading.Thread): connection, addr = sock.accept() try: connection.sendall(self.responder_data) - root_logger.debug('%(port)d tcp: Responded to %(addr)s' % - dict(port=port, addr=addr[0])) + logger.debug('%d tcp: Responded to %s', port, addr[0]) finally: connection.close() elif sock.type == socket.SOCK_DGRAM: _data, addr = sock.recvfrom(1) sock.sendto(self.responder_data, addr) - root_logger.debug('%(port)d udp: Responded to %(addr)s' % - dict(port=port, addr=addr[0])) + logger.debug('%d udp: Responded to %s', port, addr[0]) def stop(self): - root_logger.debug('Stopping listening thread.') + logger.debug('Stopping listening thread.') with self._close_lock: self._close = True 
@@ -394,14 +393,14 @@ def port_check(host, port_list): else: ports_failed.append(port) result = "FAILED" - root_logger.info(" %s (%d): %s" % (port.description, port.port, result)) + logger.info(" %s (%d): %s", port.description, port.port, result) if ports_udp_warning: - root_logger.warning( + logger.warning( ("The following UDP ports could not be verified as open: %s\n" "This can happen if they are already bound to an application\n" - "and ipa-replica-conncheck cannot attach own UDP responder.") - % ", ".join(str(port.port) for port in ports_udp_warning)) + "and ipa-replica-conncheck cannot attach own UDP responder."), + ", ".join(str(port.port) for port in ports_udp_warning)) if ports_failed: msg_ports = [] @@ -417,9 +416,9 @@ def main(): safe_options, options = parse_options() logging_setup(options) - root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) - root_logger.debug("missing options might be asked for interactively later\n") - root_logger.debug('IPA version %s' % version.VENDOR_VERSION) + logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options) + logger.debug("missing options might be asked for interactively later\n") + logger.debug('IPA version %s', version.VENDOR_VERSION) signal.signal(signal.SIGTERM, sigterm_handler) 
@@ -431,59 +430,59 @@ def main(): "PKI-CA: Directory Service port")) if options.replica: - root_logger.info("Check connection from master to remote replica '%s':" - % options.replica) + logger.info("Check connection from master to remote replica '%s':", + options.replica) port_check(options.replica, required_ports) - root_logger.info("\nConnection from master to replica is OK.") + logger.info("\nConnection from master to replica is OK.") # kinit to foreign master if options.master: # check ports on master first - root_logger.info("Check connection from replica to remote master '%s':" - % options.master) + logger.info("Check connection from replica to remote master '%s':", + options.master) tcp_ports = [ port for port in required_ports if port.port_type == SOCK_STREAM ] udp_ports = [ port for port in required_ports if port.port_type == SOCK_DGRAM ] port_check(options.master, tcp_ports) if udp_ports: - root_logger.info("\nThe following list of ports use UDP protocol" - "and would need to be\n" - "checked manually:") + logger.info("\nThe following list of ports use UDP protocol" + "and would need to be\n" + "checked manually:") for port in udp_ports: result = "SKIPPED" - root_logger.info(" %s (%d): %s" - % (port.description, port.port, result)) + logger.info(" %s (%d): %s", + port.description, port.port, result) - root_logger.info("\nConnection from replica to master is OK.") + logger.info("\nConnection from replica to master is OK.") # create listeners - root_logger.info("Start listening on required ports for remote " - "master check") + logger.info("Start listening on required ports for remote " + "master check") RESPONDER = PortResponder(required_ports) RESPONDER.start() with RESPONDER.ports_open_cond: if not RESPONDER.ports_opened: - root_logger.debug('Original thread stopped') + logger.debug('Original thread stopped') RESPONDER.ports_open_cond.wait() - root_logger.debug('Original thread resumed') + logger.debug('Original thread resumed') remote_check_opts = 
['--replica %s' % options.hostname] if options.auto_master_check: - root_logger.info("Get credentials to log in to remote master") + logger.info("Get credentials to log in to remote master") cred = None if options.principal is None: # Check if ccache is available try: - root_logger.debug('KRB5CCNAME set to %s' % - os.environ.get('KRB5CCNAME', None)) + logger.debug('KRB5CCNAME set to %s', + os.environ.get('KRB5CCNAME', None)) # get default creds, will raise if none found cred = gssapi.creds.Credentials() principal = str(cred.name) except gssapi.raw.misc.GSSError as e: - root_logger.debug('Failed to find default ccache: %s' % e) + logger.debug('Failed to find default ccache: %s', e) # Use admin as the default principal principal = "admin" else: @@ -529,7 +528,7 @@ def main(): result.error_output) try: - root_logger.info("Check RPC connection to remote master") + logger.info("Check RPC connection to remote master") xmlrpc_uri = ('https://%s/ipa/xml' % ipautil.format_netloc(options.master)) @@ -561,11 +560,11 @@ def main(): api.Backend.rpcclient.connect() api.Command.ping() except Exception as e: - root_logger.info( - "Could not connect to the remote host: %s" % e) + logger.info( + "Could not connect to the remote host: %s", e) raise - root_logger.info("Execute check on remote master") + logger.info("Execute check on remote master") try: result = api.Backend.rpcclient.forward( 'server_conncheck', @@ -574,16 +573,16 @@ def main(): version=u'2.162', ) except (errors.CommandError, errors.NetworkError) as e: - root_logger.info( + logger.info( "Remote master does not support check over RPC: " - "%s" % e) + "%s", e) raise except errors.PublicError as e: returncode = 1 stderr = e else: for message in result['messages']: - root_logger.info(message['message']) + logger.info('%s', message['message']) returncode = int(not result['result']) stderr = ("ipa-replica-conncheck returned non-zero " "exit code") 
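Review bot: In main(), the re-indented UDP notice joins `"\nThe following list of ports use UDP protocol"` directly with `"and would need to be\n"`, so the adjacent string literals concatenate to "protocoland" in the emitted log line. The lines were rewritten by this commit, so it is a cheap place to fix it: `"\nThe following list of ports use UDP protocol "` with a trailing space.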
@@ -591,46 +590,46 @@ def main(): if api.Backend.rpcclient.isconnected(): api.Backend.rpcclient.disconnect() except Exception: - root_logger.info("Retrying using SSH...") + logger.info("Retrying using SSH...") # Ticket 5812 Always qualify requests for admin user = principal try: ssh = SshExec(user, options.master) except RuntimeError as e: - root_logger.warning("WARNING: %s, skipping ssh test" % e) + logger.warning("WARNING: %s, skipping ssh test", e) return 0 - root_logger.info("Check SSH connection to remote master") + logger.info("Check SSH connection to remote master") result = ssh('echo OK', verbose=True) if result.returncode != 0: - root_logger.debug(result.error_output) + logger.debug('%s', result.error_output) raise RuntimeError( 'Could not SSH to remote host.\n' 'See /var/log/ipareplica-conncheck.log for more ' 'information.') - root_logger.info("Execute check on remote master") + logger.info("Execute check on remote master") result = ssh( "/usr/sbin/ipa-replica-conncheck " + " ".join(remote_check_opts)) returncode = result.returncode stderr = result.error_output - root_logger.info(result.output) + logger.info('%s', result.output) if returncode != 0: raise RuntimeError( "Remote master check failed with following " "error message(s):\n%s" % stderr) else: # wait until user test is ready - root_logger.info( + logger.info( "Listeners are started. Use CTRL+C to terminate the listening " "part after the test.\n\n" "Please run the following command on remote master:\n" - "/usr/sbin/ipa-replica-conncheck {opts}".format( - opts=" ".join(remote_check_opts))) + "/usr/sbin/ipa-replica-conncheck %s", + " ".join(remote_check_opts)) time.sleep(3600) - root_logger.info( + logger.info( "Connection check timeout: terminating listening program") 
@@ -638,10 +637,10 @@ if __name__ == "__main__": try: sys.exit(main()) except KeyboardInterrupt: - root_logger.info("\nCleaning up...") + logger.info("\nCleaning up...") sys.exit(1) except RuntimeError as e: - root_logger.error('ERROR: {ex}'.format(ex=e)) + logger.error('ERROR: %s', e) sys.exit(1) finally: if RESPONDER is not None: diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index f802201..c8b4cd0 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -20,6 +20,7 @@ from __future__ import print_function +import logging import sys import os @@ -41,11 +42,13 @@ from ipaserver.install import opendnssecinstance, dnskeysyncinstance from ipapython import version, ipaldap from ipalib import api, errors from ipalib.util import has_managed_topology, verify_host_resolvable -from ipapython.ipa_log_manager import root_logger, standard_logging_setup +from ipapython.ipa_log_manager import standard_logging_setup from ipapython.dn import DN from ipapython.config import IPAOptionParser from ipaplatform.paths import paths +logger = logging.getLogger(os.path.basename(__file__)) + # dict of command name and tuples of min/max num of args needed commands = { "list":(0, 1, "[master fqdn]", ""), @@ -371,7 +374,7 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False): else: thisrepl = replication.ReplicationManager(realm, host, dirman_passwd) except Exception as e: - root_logger.debug(traceback.format_exc()) + logger.debug("%s", traceback.format_exc()) raise RuntimeError("Failed to connect to server {host}: {err}" .format(host=host, err=e)) @@ -381,7 +384,7 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False): thisrepl.db_suffix, thisrepl.conn.SCOPE_SUBTREE, search_filter, ['nsds50ruv']) except errors.NotFound: - root_logger.debug(traceback.format_exc()) + logger.debug("%s", traceback.format_exc()) raise NoRUVsFound("No RUV records found.") servers = [] 
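Review bot: Both get_ruv hunks log the traceback by formatting it into a string first, `logger.debug("%s", traceback.format_exc())`, which leaves the record with no message of its own and formats the traceback even when debug output is off. The logging module can attach the traceback itself, for example `logger.debug("connection to %s failed", host, exc_info=True)` in the first handler and `logger.debug("RUV search failed", exc_info=True)` in the second. get_ruv starts above these hunks, so whether `traceback` is still needed elsewhere in the file cannot be told from here.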
@@ -418,7 +421,7 @@ def get_ruv_both_suffixes(realm, host, dirman_passwd, verbose, nolookup=False): fail_gracefully = False if verbose: print(err) - root_logger.debug(err) + logger.debug('%s', err) try: ruvs['domain'] = get_ruv(realm, host, dirman_passwd, nolookup) except (NoRUVsFound, RuntimeError) as e: @@ -428,7 +431,7 @@ def get_ruv_both_suffixes(realm, host, dirman_passwd, verbose, nolookup=False): raise if verbose: print(err) - root_logger.debug(err) + logger.debug('%s', err) if not ruvs.keys(): raise NoRUVsFound("No RUV records found.") @@ -1091,10 +1094,11 @@ def add_link(realm, replica1, replica2, dirman_passwd, options): if options.winsync: if not options.binddn or not options.bindpw or not options.cacert or not options.passsync: - root_logger.error("The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement") + logger.error("The arguments --binddn, --bindpw, --passsync and " + "--cacert are required to create a winsync agreement") sys.exit(1) if os.getegid() != 0: - root_logger.error("winsync agreements need to be created as root") + logger.error("winsync agreements need to be created as root") sys.exit(1) elif has_managed_topology(api): exit_on_managed_topology("Creation of IPA replication agreement") diff --git a/install/wsgi/plugins.py b/install/wsgi/plugins.py index 74820c9..0c7f944 100644 --- a/install/wsgi/plugins.py +++ b/install/wsgi/plugins.py @@ -21,9 +21,12 @@ Plugin index generation script """ +import logging import os from ipaplatform.paths import paths -from ipapython.ipa_log_manager import root_logger + +logger = logging.getLogger(os.path.basename(__file__)) + def get_plugin_index(): 
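Review bot: In the add_link hunk the privilege test next to the rewritten `logger.error("winsync agreements need to be created as root")` is `os.getegid() != 0`, which compares the effective group id, not the user id the message talks about. The line is unchanged context in this commit, but an account whose effective group is 0 passes it without being root. If root is what is required, `if os.geteuid() != 0:` matches the message. add_link continues outside the hunk.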
@@ -46,7 +49,7 @@ def application(environ, start_response): index = get_plugin_index() status = '200 OK' except Exception as e: - root_logger.error('plugin index generation failed: %s' % e) + logger.error('plugin index generation failed: %s', e) status = '200 OK' index = get_failed() headers = [('Content-type', 'application/javascript'), diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 618e087..7a908f5 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -53,7 +53,6 @@ from ipapython.dn import DN from ipapython.install import typing from ipapython.install.core import group, knob, extend_knob from ipapython.install.common import step -from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import ( CalledProcessError, dir_exists, @@ -69,6 +68,8 @@ from .ipachangeconf import IPAChangeConf NoneType = type(None) +logger = logging.getLogger(__name__) + SUCCESS = 0 CLIENT_INSTALL_ERROR = 1 CLIENT_NOT_CONFIGURED = 2 @@ -108,13 +109,13 @@ def remove_file(filename): if e.errno == 2: return - root_logger.error("Failed to remove file %s: %s", filename, e) - root_logger.error('Please remove %s manually, as it can cause ' - 'subsequent installation to fail.', filename) + logger.error("Failed to remove file %s: %s", filename, e) + logger.error('Please remove %s manually, as it can cause ' + 'subsequent installation to fail.', filename) def log_service_error(name, action, error): - root_logger.error("%s failed to %s: %s", name, action, str(error)) + logger.error("%s failed to %s: %s", name, action, str(error)) def get_cert_path(cert_path): @@ -151,7 +152,7 @@ def restore_state(service, statestore): try: service.enable() except Exception: - root_logger.warning( + logger.warning( "Failed to configure automatic startup of the %s daemon", service.service_name ) 
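Review bot: In the plugins.py `application` hunk the failure path logs only `str(e)` and then answers `200 OK` with the fallback index, so the log record is the only trace of the failure and it carries no stack. `logger.exception('plugin index generation failed')` in that `except` branch keeps the traceback at the same level. The logger is now named after the script file and not taken from `ipa_log_manager`; whether the WSGI process attaches a handler that this logger propagates to is not visible on this page and is worth confirming, otherwise the error can be dropped or land only on stderr. application() starts and ends outside the hunk.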
@@ -159,7 +160,7 @@ def restore_state(service, statestore): try: service.start() except Exception: - root_logger.warning( + logger.warning( "Failed to restart the %s daemon", service.service_name ) @@ -227,11 +228,11 @@ def delete_ipa_domain(): sssdconfig.delete_domain(ipa_domain_name) sssdconfig.write() else: - root_logger.warning( + logger.warning( "IPA domain could not be found in " "/etc/sssd/sssd.conf and therefore not deleted") except IOError: - root_logger.warning( + logger.warning( "IPA domain could not be deleted. " "No access to the /etc/sssd/sssd.conf file.") @@ -316,7 +317,7 @@ def configure_nsswitch_database(fstore, database, services, preserve=True, ] conf.changeConf(paths.NSSWITCH_CONF, opts) - root_logger.info("Configured %s in %s" % (database, paths.NSSWITCH_CONF)) + logger.info("Configured %s in %s", database, paths.NSSWITCH_CONF) def configure_ipa_conf( @@ -427,7 +428,7 @@ def configure_ldap_conf( fstore.backup_file(filename) ldapconf.newConf(filename, opts) except Exception as e: - root_logger.error("Creation of %s failed: %s", filename, str(e)) + logger.error("Creation of %s failed: %s", filename, str(e)) return (1, 'LDAP', filename) if files: @@ -478,7 +479,7 @@ def configure_nslcd_conf( fstore.backup_file(filename) nslcdconf.newConf(filename, opts) except Exception as e: - root_logger.error("Creation of %s failed: %s", filename, str(e)) + logger.error("Creation of %s failed: %s", filename, str(e)) return (1, None, None) nslcd = services.knownservices.nslcd @@ -491,11 +492,11 @@ def configure_nslcd_conf( try: nslcd.enable() except Exception as e: - root_logger.error( + logger.error( "Failed to enable automatic startup of the %s daemon: %s", nslcd.service_name, str(e)) else: - root_logger.debug( + logger.debug( "%s daemon is not installed, skip configuration", nslcd.service_name) return (0, None, None) 
@@ -585,15 +586,15 @@ def configure_openldap_conf(fstore, cli_basedn, cli_server): try: ldapconf.changeConf(target_fname, opts) except SyntaxError as e: - root_logger.info("Could not parse {path}".format(path=target_fname)) - root_logger.debug(error_msg.format(path=target_fname, err=str(e))) + logger.info("Could not parse %s", target_fname) + logger.debug('%s', error_msg.format(path=target_fname, err=str(e))) return False except IOError as e: - root_logger.info("{path} does not exist.".format(path=target_fname)) - root_logger.debug(error_msg.format(path=target_fname, err=str(e))) + logger.info("%s does not exist.", target_fname) + logger.debug('%s', error_msg.format(path=target_fname, err=str(e))) return False except Exception as e: # we do not want to fail in an optional step - root_logger.debug(error_msg.format(path=target_fname, err=str(e))) + logger.debug('%s', error_msg.format(path=target_fname, err=str(e))) return False os.chmod(target_fname, 0o644) @@ -619,7 +620,7 @@ def hardcode_ldap_server(cli_server): # Errors raised by this should be caught by the caller ldapconf.changeConf(paths.LDAP_CONF, opts) - root_logger.info( + logger.info( "Changed configuration of /etc/ldap.conf to use " "hardcoded server name: %s", cli_server[0]) @@ -689,7 +690,7 @@ def configure_krb5_conf( # Configure KEYRING CCACHE if supported if kernel_keyring.is_persistent_keyring_supported(): - root_logger.debug("Enabling persistent keyring CCACHE") + logger.debug("Enabling persistent keyring CCACHE") libopts.append(krbconf.setOption('default_ccache_name', 'KEYRING:persistent:%{uid}')) @@ -748,8 +749,8 @@ def configure_krb5_conf( krbconf.emptyLine() ]) - root_logger.debug("Writing Kerberos configuration to %s:", filename) - root_logger.debug("%s", krbconf.dump(opts)) + logger.debug("Writing Kerberos configuration to %s:", filename) + logger.debug("%s", krbconf.dump(opts)) krbconf.newConf(filename, opts) # umask applies when creating a new file but we want 0o644 here 
@@ -763,8 +764,8 @@ def configure_certmonger( return if not ca_enabled: - root_logger.warning("An RA is not configured on the server. " - "Not requesting host certificate.") + logger.warning("An RA is not configured on the server. " + "Not requesting host certificate.") return principal = 'host/%s@%s' % (hostname, cli_realm) @@ -778,10 +779,10 @@ def configure_certmonger( try: cmonger.enable() except Exception as e: - root_logger.error( + logger.error( "Failed to configure automatic startup of the %s daemon: %s", cmonger.service_name, str(e)) - root_logger.warning( + logger.warning( "Automatic certificate management will not be available") # Request our host cert @@ -793,7 +794,7 @@ def configure_certmonger( nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, passwd_fname=passwd_fname) except Exception as ex: - root_logger.error( + logger.error( "%s request for host certificate failed: %s", cmonger.service_name, ex) @@ -809,11 +810,11 @@ def configure_sssd_conf( # SSSD config is in place but we are unable to read it # In addition, we are instructed to preserve it # This all means we can't use it and have to bail out - root_logger.error( + logger.error( "SSSD config exists but cannot be parsed: %s", str(e)) - root_logger.error( + logger.error( "Was instructed to preserve existing SSSD config") - root_logger.info( + logger.info( "Correct errors in /etc/sssd/sssd.conf and re-run " "installation") return 1 
@@ -830,25 +831,25 @@ def configure_sssd_conf( pass else: # It was not IOError so it must have been parsing error - root_logger.error( + logger.error( "Unable to parse existing SSSD config. " "As option --preserve-sssd was not specified, new config " "will override the old one.") - root_logger.info( + logger.info( "The old /etc/sssd/sssd.conf is backed up and " "will be restored during uninstall.") - root_logger.info("New SSSD config will be created") + logger.info("New SSSD config will be created") sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.new_config() try: domain = sssdconfig.new_domain(cli_domain) except SSSDConfig.DomainAlreadyExistsError: - root_logger.info( + logger.info( "Domain %s is already configured in existing SSSD " "config, creating a new one.", cli_domain) - root_logger.info( + logger.info( "The old /etc/sssd/sssd.conf is backed up and will be restored " "during uninstall.") sssdconfig = SSSDConfig.SSSDConfig() @@ -867,12 +868,12 @@ def configure_sssd_conf( except SSSDConfig.ServiceAlreadyExists: pass except SSSDConfig.ServiceNotRecognizedError: - root_logger.error( + logger.error( "Unable to activate the SSH service in SSSD config.") - root_logger.info( + logger.info( "Please make sure you have SSSD built with SSH support " "installed.") - root_logger.info( + logger.info( "Configure SSH support manually in /etc/sssd/sssd.conf.") sssdconfig.activate_service('ssh') @@ -884,7 +885,7 @@ def configure_sssd_conf( except SSSDConfig.ServiceAlreadyExists: pass except SSSDConfig.ServiceNotRecognizedError: - root_logger.error( + logger.error( "Unable to activate the SUDO service in SSSD config.") sssdconfig.activate_service('sudo') 
@@ -966,12 +967,12 @@ def sssd_enable_service(sssdconfig, service): except SSSDConfig.ServiceAlreadyExists: pass except SSSDConfig.ServiceNotRecognizedError: - root_logger.error( + logger.error( "Unable to activate the %s service in SSSD config.", service) - root_logger.info( + logger.info( "Please make sure you have SSSD built with %s support " "installed.", service) - root_logger.info( + logger.info( "Configure %s support manually in /etc/sssd/sssd.conf.", service) sssdconfig.activate_service(service) @@ -984,7 +985,7 @@ def change_ssh_config(filename, changes, sections): try: f = open(filename, 'r') except IOError as e: - root_logger.error("Failed to open '%s': %s", filename, str(e)) + logger.error("Failed to open '%s': %s", filename, str(e)) return False change_keys = tuple(key.lower() for key in changes) @@ -1021,7 +1022,7 @@ def change_ssh_config(filename, changes, sections): try: f = open(filename, 'w') except IOError as e: - root_logger.error("Failed to open '%s': %s", filename, str(e)) + logger.error("Failed to open '%s': %s", filename, str(e)) return False f.write('\n'.join(lines)) @@ -1033,8 +1034,7 @@ def change_ssh_config(filename, changes, sections): def configure_ssh_config(fstore, options): if not file_exists(paths.SSH_CONFIG): - root_logger.info("%s not found, skipping configuration", - paths.SSH_CONFIG) + logger.info("%s not found, skipping configuration", paths.SSH_CONFIG) return fstore.backup_file(paths.SSH_CONFIG) 
@@ -1050,15 +1050,14 @@ def configure_ssh_config(fstore, options): changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss' change_ssh_config(paths.SSH_CONFIG, changes, ['Host', 'Match']) - root_logger.info('Configured %s', paths.SSH_CONFIG) + logger.info('Configured %s', paths.SSH_CONFIG) def configure_sshd_config(fstore, options): sshd = services.knownservices.sshd if not file_exists(paths.SSHD_CONFIG): - root_logger.info("%s not found, skipping configuration", - paths.SSHD_CONFIG) + logger.info("%s not found, skipping configuration", paths.SSHD_CONFIG) return fstore.backup_file(paths.SSHD_CONFIG) @@ -1103,13 +1102,13 @@ def configure_sshd_config(fstore, options): if authorized_keys_changes is not None: changes.update(authorized_keys_changes) else: - root_logger.warning( + logger.warning( "Installed OpenSSH server does not support dynamically " "loading authorized user keys. Public key authentication of " "IPA users will not be available.") change_ssh_config(paths.SSHD_CONFIG, changes, ['Match']) - root_logger.info('Configured %s', paths.SSHD_CONFIG) + logger.info('Configured %s', paths.SSHD_CONFIG) if sshd.is_running(): try: @@ -1119,7 +1118,7 @@ def configure_sshd_config(fstore, options): def configure_automount(options): - root_logger.info('\nConfiguring automount:') + logger.info('\nConfiguring automount:') args = [ 'ipa-client-automount', '--debug', '-U', '--location', @@ -1134,14 +1133,14 @@ def configure_automount(options): try: result = run(args) except Exception as e: - root_logger.error('Automount configuration failed: %s', str(e)) + logger.error('Automount configuration failed: %s', str(e)) else: - root_logger.info(result.output_log) + logger.info('%s', result.output_log) def configure_nisdomain(options, domain, statestore): domain = options.nisdomain or domain - root_logger.info('Configuring %s as NIS domain.' % domain) + logger.info('Configuring %s as NIS domain.', domain) nis_domain_name = '' 
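Review bot: The configure_ssh_config hunk carries the context line `changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'`, which limits the client to RSA and DSA host keys; ssh-dss has been off by default in OpenSSH since 7.0, and the list leaves out ECDSA and Ed25519 host keys. The condition guarding that assignment sits above the hunk, so when it applies cannot be judged here, and the line is not touched by this commit. A marker such as `# TODO: revisit HostKeyAlgorithms - ssh-dss is DSA and newer key types are excluded` would at least record the question next to the setting.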
@@ -1179,9 +1178,9 @@ def unconfigure_nisdomain(statestore): old_nisdomain = statestore.restore_state('network', 'nisdomain') or '' if old_nisdomain: - root_logger.info('Restoring %s as NIS domain.' % old_nisdomain) + logger.info('Restoring %s as NIS domain.', old_nisdomain) else: - root_logger.info('Unconfiguring the NIS domain.') + logger.info('Unconfiguring the NIS domain.') tasks.set_nisdomain(old_nisdomain) @@ -1215,15 +1214,15 @@ def get_local_ipaddresses(iface=None): for ip in if_addrs.get(family, []): try: ips.append(ipautil.CheckedIPAddress(ip['addr'])) - root_logger.debug('IP check successful: %s' % ip['addr']) + logger.debug('IP check successful: %s', ip['addr']) except ValueError as e: - root_logger.debug('IP check failed: %s' % e) + logger.debug('IP check failed: %s', e) return ips def do_nsupdate(update_txt): - root_logger.debug("Writing nsupdate commands to %s:", UPDATE_FILE) - root_logger.debug("%s", update_txt) + logger.debug("Writing nsupdate commands to %s:", UPDATE_FILE) + logger.debug("%s", update_txt) update_fd = open(UPDATE_FILE, "w") update_fd.write(update_txt) @@ -1235,7 +1234,7 @@ def do_nsupdate(update_txt): ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE]) result = True except CalledProcessError as e: - root_logger.debug('nsupdate failed: %s', str(e)) + logger.debug('nsupdate failed: %s', str(e)) try: os.remove(UPDATE_FILE) @@ -1278,8 +1277,8 @@ def update_dns(server, hostname, options): try: ips = get_local_ipaddresses() except CalledProcessError as e: - root_logger.error("Cannot update DNS records. %s" % e) - root_logger.debug("Unable to get local IP addresses.") + logger.error("Cannot update DNS records. %s", e) + logger.debug("Unable to get local IP addresses.") if options.all_ip_addresses: update_ips = ips 
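Review bot: The first `except CalledProcessError` branch in update_dns logs twice and then falls through to `update_ips = ips`, while the two later handlers in the same function (next hunk) `return` after logging the same message. Unless `ips` is bound before the `try` (the function starts above the hunk and indentation is lost on this page), a failed `get_local_ipaddresses()` leaves the name unset for the `options.all_ip_addresses` path. Adding `ips = []` after `logger.debug("Unable to get local IP addresses.")` keeps the fall-through and lets the existing empty-list check report the failure.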
@@ -1291,16 +1290,16 @@ def update_dns(server, hostname, options): try: iface = get_server_connection_interface(server) except RuntimeError as e: - root_logger.error("Cannot update DNS records. %s" % e) + logger.error("Cannot update DNS records. %s", e) return try: update_ips = get_local_ipaddresses(iface) except CalledProcessError as e: - root_logger.error("Cannot update DNS records. %s" % e) + logger.error("Cannot update DNS records. %s", e) return if not update_ips: - root_logger.info("Failed to determine this machine's ip address(es).") + logger.info("Failed to determine this machine's ip address(es).") return no_matching_interface_for_ip_address_warning(update_ips) @@ -1320,7 +1319,7 @@ def update_dns(server, hostname, options): update_txt += ipautil.template_str(template, sub_dict) if not do_nsupdate(update_txt): - root_logger.error("Failed to update DNS records.") + logger.error("Failed to update DNS records.") verify_dns_update(hostname, update_ips) @@ -1333,17 +1332,16 @@ def verify_dns_update(fqdn, ips): missing_ips = [str(ip) for ip in ips] extra_ips = [] for record_type in [dns.rdatatype.A, dns.rdatatype.AAAA]: - root_logger.debug('DNS resolver: Query: %s IN %s' % - (fqdn, dns.rdatatype.to_text(record_type))) + logger.debug('DNS resolver: Query: %s IN %s', + fqdn, dns.rdatatype.to_text(record_type)) try: answers = dns.resolver.query(fqdn, record_type) except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN): - root_logger.debug('DNS resolver: No record.') + logger.debug('DNS resolver: No record.') except dns.resolver.NoNameservers: - root_logger.debug('DNS resolver: No nameservers answered the' - 'query.') + logger.debug('DNS resolver: No nameservers answered the query.') except dns.exception.DNSException: - root_logger.debug('DNS resolver error.') + logger.debug('DNS resolver error.') else: for rdata in answers: try: 
@@ -1358,16 +1356,15 @@ def verify_dns_update(fqdn, ips): for ip in ips: ip_str = str(ip) addr = dns.reversename.from_address(ip_str) - root_logger.debug('DNS resolver: Query: %s IN PTR' % addr) + logger.debug('DNS resolver: Query: %s IN PTR', addr) try: answers = dns.resolver.query(addr, dns.rdatatype.PTR) except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN): - root_logger.debug('DNS resolver: No record.') + logger.debug('DNS resolver: No record.') except dns.resolver.NoNameservers: - root_logger.debug('DNS resolver: No nameservers answered the' - 'query.') + logger.debug('DNS resolver: No nameservers answered thequery.') except dns.exception.DNSException: - root_logger.debug('DNS resolver error.') + logger.debug('DNS resolver error.') else: missing_reverse.remove(ip_str) for rdata in answers: @@ -1375,20 +1372,20 @@ def verify_dns_update(fqdn, ips): wrong_reverse.setdefault(ip_str, []).append(rdata.target) if missing_ips: - root_logger.warning('Missing A/AAAA record(s) for host %s: %s.' % - (fqdn, ', '.join(missing_ips))) + logger.warning('Missing A/AAAA record(s) for host %s: %s.', + fqdn, ', '.join(missing_ips)) if extra_ips: - root_logger.warning('Extra A/AAAA record(s) for host %s: %s.' % - (fqdn, ', '.join(extra_ips))) + logger.warning('Extra A/AAAA record(s) for host %s: %s.', + fqdn, ', '.join(extra_ips)) if missing_reverse: - root_logger.warning('Missing reverse record(s) for address(es): %s.' % - ', '.join(missing_reverse)) + logger.warning('Missing reverse record(s) for address(es): %s.', + ', '.join(missing_reverse)) if wrong_reverse: - root_logger.warning('Incorrect reverse record(s):') + logger.warning('Incorrect reverse record(s):') for ip in wrong_reverse: for target in wrong_reverse[ip]: - root_logger.warning('%s is pointing to %s instead of %s' % - (ip, target, fqdn_name)) + logger.warning('%s is pointing to %s instead of %s', + ip, target, fqdn_name) def get_server_connection_interface(server): 
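Review bot: In the PTR lookup loop of verify_dns_update the two string pieces were merged into `'DNS resolver: No nameservers answered thequery.'`, preserving the missing space that the A/AAAA loop in the previous hunk fixes. The line should read `logger.debug('DNS resolver: No nameservers answered the query.')` so both loops emit the same searchable message. verify_dns_update begins before this hunk.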
@@ -1430,12 +1427,12 @@ def client_dns(server, hostname, options): verify_host_resolvable(hostname) dns_ok = True except errors.DNSNotARecordError: - root_logger.warning("Hostname (%s) does not have A/AAAA record.", - hostname) + logger.warning("Hostname (%s) does not have A/AAAA record.", + hostname) dns_ok = False except errors.DNSResolverError as ex: - root_logger.warning("DNS resolution for hostname %s failed: %s", - hostname, ex) + logger.warning("DNS resolution for hostname %s failed: %s", + hostname, ex) dns_ok = False if ( @@ -1451,7 +1448,7 @@ def check_ip_addresses(options): try: ipautil.CheckedIPAddress(ip) except ValueError as e: - root_logger.error(e) + logger.error('%s', e) return False return True @@ -1469,7 +1466,7 @@ def update_ssh_keys(hostname, ssh_dir, create_sshfp): try: f = open(filename, 'r') except IOError as e: - root_logger.warning("Failed to open '%s': %s", filename, str(e)) + logger.warning("Failed to open '%s': %s", filename, str(e)) continue for line in f: @@ -1480,7 +1477,7 @@ def update_ssh_keys(hostname, ssh_dir, create_sshfp): pubkey = SSHPublicKey(line) except (ValueError, UnicodeDecodeError): continue - root_logger.info("Adding SSH public key from %s", filename) + logger.info("Adding SSH public key from %s", filename) pubkeys.append(pubkey) f.close() @@ -1497,8 +1494,8 @@ def update_ssh_keys(hostname, ssh_dir, create_sshfp): except errors.EmptyModlist: pass except Exception as e: - root_logger.info("host_mod: %s", str(e)) - root_logger.warning("Failed to upload host SSH public keys.") + logger.info("host_mod: %s", str(e)) + logger.warning("Failed to upload host SSH public keys.") return if create_sshfp: 
@@ -1518,11 +1515,11 @@ def update_ssh_keys(hostname, ssh_dir, create_sshfp): update_txt += 'show\nsend\n' if not do_nsupdate(update_txt): - root_logger.warning("Could not update DNS SSHFP records.") + logger.warning("Could not update DNS SSHFP records.") def print_port_conf_info(): - root_logger.info( + logger.info( "Please make sure the following ports are opened " "in the firewall settings:\n" " TCP: 80, 88, 389\n" @@ -1592,7 +1589,7 @@ def get_ca_certs_from_file(url): if not os.path.isfile(filename): raise errors.FileError(reason="file '%s' is not a file" % filename) - root_logger.debug("trying to retrieve CA cert from file %s", filename) + logger.debug("trying to retrieve CA cert from file %s", filename) try: certs = x509.load_certificate_list_from_file(filename) except Exception: @@ -1610,10 +1607,10 @@ def get_ca_certs_from_http(url, warn=True): """ if warn: - root_logger.warning("Downloading the CA certificate via HTTP, " + - "this is INSECURE") + logger.warning("Downloading the CA certificate via HTTP, " + "this is INSECURE") - root_logger.debug("trying to retrieve CA cert via HTTP from %s", url) + logger.debug("trying to retrieve CA cert via HTTP from %s", url) try: result = run([paths.BIN_CURL, "-o", "-", url], capture_output=True) @@ -1642,12 +1639,12 @@ def get_ca_certs_from_ldap(server, basedn, realm): Raises errors.FileError if unable to write cert. """ - root_logger.debug("trying to retrieve CA cert via LDAP from %s", server) + logger.debug("trying to retrieve CA cert via LDAP from %s", server) try: certs = get_certs_from_ldap(server, basedn, realm, False) except Exception as e: - root_logger.debug("get_ca_certs_from_ldap() error: %s", e) + logger.debug("get_ca_certs_from_ldap() error: %s", e) raise certs = [x509.load_certificate(c[0], x509.DER) for c in certs 
@@ -1659,28 +1656,31 @@ def get_ca_certs_from_ldap(server, basedn, realm): def validate_new_ca_certs(existing_ca_certs, new_ca_certs, ask, override=False): if existing_ca_certs is None: - root_logger.info( + logger.info( + "%s", cert_summary("Successfully retrieved CA cert", new_ca_certs)) return existing_ca_certs = set(existing_ca_certs) new_ca_certs = set(new_ca_certs) if existing_ca_certs > new_ca_certs: - root_logger.warning( + logger.warning( "The CA cert available from the IPA server does not match the\n" - "local certificate available at %s" % paths.IPA_CA_CRT) - root_logger.warning( + "local certificate available at %s", paths.IPA_CA_CRT) + logger.warning( + "%s", cert_summary("Existing CA cert:", existing_ca_certs)) - root_logger.warning( + logger.warning( + "%s", cert_summary("Retrieved CA cert:", new_ca_certs)) if override: - root_logger.warning("Overriding existing CA cert\n") + logger.warning("Overriding existing CA cert\n") elif not ask or not user_input( "Do you want to replace the local certificate with the CA\n" "certificate retrieved from the IPA server?", True): raise errors.CertificateInvalidError(name='Retrieved CA') else: - root_logger.debug( + logger.debug( "Existing CA cert and Retrieved CA cert are identical") @@ -1740,12 +1740,12 @@ def get_ca_certs(fstore, options, server, basedn, realm): try: ca_certs = get_ca_certs_from_file(url) except errors.FileError as e: - root_logger.debug(e) + logger.debug("%s", e) raise except Exception as e: - root_logger.debug(e) + logger.debug("%s", e) raise errors.NoCertificateError(entry=url) - root_logger.debug("CA cert provided by user, use it!") + logger.debug("CA cert provided by user, use it!") else: if os.path.exists(paths.IPA_CA_CRT): if os.path.isfile(paths.IPA_CA_CRT): 
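Review bot: In validate_new_ca_certs the mismatch branch is entered only when `existing_ca_certs > new_ca_certs`, which on sets is a strict-superset test, so a retrieved CA set that differs in any other way appears to reach the final branch and is logged as `Existing CA cert and Retrieved CA cert are identical` with no warning or prompt. Indentation is lost on this page, so which `if` that last `else` pairs with is inferred from the message text. If that reading is right, the comparison is unchanged context, but the rewritten `logger.debug` states something the test does not establish. `if existing_ca_certs != new_ca_certs:` would agree with both messages, though whether a retrieved superset should also prompt is a decision for the maintainers.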
@@ -1762,7 +1762,7 @@ def get_ca_certs(fstore, options, server, basedn, realm): if otp_auth: if existing_ca_certs: - root_logger.info("OTP case, CA cert preexisted, use it") + logger.info("OTP case, CA cert preexisted, use it") else: url = http_url() override = not interactive @@ -1775,7 +1775,7 @@ def get_ca_certs(fstore, options, server, basedn, realm): try: ca_certs = get_ca_certs_from_http(url, override) except Exception as e: - root_logger.debug(e) + logger.debug("%s", e) raise errors.NoCertificateError(entry=url) validate_new_ca_certs(existing_ca_certs, ca_certs, False, @@ -1787,13 +1787,13 @@ def get_ca_certs(fstore, options, server, basedn, realm): ca_certs = get_ca_certs_from_ldap(server, basedn, realm) validate_new_ca_certs(existing_ca_certs, ca_certs, interactive) except errors.FileError as e: - root_logger.debug(e) + logger.debug("%s", e) raise except (errors.NoCertificateError, errors.LDAPError) as e: - root_logger.debug(str(e)) + logger.debug("%s", str(e)) url = http_url() if existing_ca_certs: - root_logger.warning( + logger.warning( "Unable to download CA cert from LDAP\n" "but found preexisting cert, using it.\n") elif interactive and not user_input( @@ -1805,7 +1805,7 @@ def get_ca_certs(fstore, options, server, basedn, realm): message=u"HTTP " "certificate download declined by user") elif not interactive and not options.force: - root_logger.error( + logger.error( "In unattended mode without a One Time Password " "(OTP) or without --ca-cert-file\nYou must specify" " --force to retrieve the CA cert using HTTP") 
@@ -1816,12 +1816,12 @@ def get_ca_certs(fstore, options, server, basedn, realm): try: ca_certs = get_ca_certs_from_http(url) except Exception as e: - root_logger.debug(e) + logger.debug("%s", e) raise errors.NoCertificateError(entry=url) validate_new_ca_certs(existing_ca_certs, ca_certs, interactive) except Exception as e: - root_logger.debug(str(e)) + logger.debug("%s", str(e)) raise errors.NoCertificateError(entry=url) if ca_certs is None and existing_ca_certs is None: @@ -1840,7 +1840,7 @@ def get_ca_certs(fstore, options, server, basedn, realm): try: os.unlink(ca_file) except OSError as e: - root_logger.error( + logger.error( "Failed to remove '%s': %s", ca_file, e) raise errors.FileError( reason=u"cannot write certificate file '%s': %s" % ( @@ -1874,7 +1874,7 @@ FIREFOX_PREFERENCES_REL_PATH = "browser/defaults/preferences" def configure_firefox(options, statestore, domain): try: - root_logger.debug("Setting up Firefox configuration.") + logger.debug("Setting up Firefox configuration.") preferences_dir = None @@ -1885,7 +1885,7 @@ def configure_firefox(options, statestore, domain): if dir_exists(pref_path): preferences_dir = pref_path else: - root_logger.error("Directory '%s' does not exists.", pref_path) + logger.error("Directory '%s' does not exists.", pref_path) else: # test if firefox is installed if file_exists(paths.FIREFOX): @@ -1898,7 +1898,7 @@ def configure_firefox(options, statestore, domain): preferences_dir = pref_path break else: - root_logger.error( + logger.error( "Firefox configuration skipped (Firefox not found).") return 
@@ -1907,36 +1907,36 @@ def configure_firefox(options, statestore, domain): # user could specify relative path, we need to store absolute preferences_dir = os.path.abspath(preferences_dir) - root_logger.debug( + logger.debug( "Firefox preferences directory found '%s'.", preferences_dir) preferences_fname = os.path.join( preferences_dir, FIREFOX_PREFERENCES_FILENAME) update_txt = ipautil.template_str( FIREFOX_CONFIG_TEMPLATE, dict(DOMAIN=domain)) - root_logger.debug( + logger.debug( "Firefox trusted uris will be set as '.%s' domain.", domain) - root_logger.debug( + logger.debug( "Firefox configuration will be stored in '%s' file.", preferences_fname) try: with open(preferences_fname, 'w') as f: f.write(update_txt) - root_logger.info("Firefox sucessfully configured.") + logger.info("Firefox sucessfully configured.") statestore.backup_state( 'firefox', 'preferences_fname', preferences_fname) except Exception as e: - root_logger.debug( + logger.debug( "An error occured during creating preferences file: %s.", e) - root_logger.error("Firefox configuration failed.") + logger.error("Firefox configuration failed.") else: - root_logger.debug("Firefox preferences directory not found.") - root_logger.error("Firefox configuration failed.") + logger.debug("Firefox preferences directory not found.") + logger.error("Firefox configuration failed.") except Exception as e: - root_logger.debug(str(e)) - root_logger.error("Firefox configuration failed.") + logger.debug("%s", str(e)) + logger.error("Firefox configuration failed.") def purge_host_keytab(realm): @@ -1949,11 +1949,11 @@ def purge_host_keytab(realm): if e.returncode not in (3, 5): # 3 - Unable to open keytab # 5 - Principal name or realm not found in keytab - root_logger.error( + logger.error( "Error trying to clean keytab: " "/usr/sbin/ipa-rmkeytab returned %s", e.returncode) else: - root_logger.info( + logger.info( "Removed old keys for realm %s from %s", realm, paths.KRB5_KEYTAB) 
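Review bot: Two of the calls rewritten in this configure_firefox hunk keep misspelled messages, `"Firefox sucessfully configured."` and `"An error occured during creating preferences file: %s."`, which makes them harder to find when searching logs. As the lines are touched anyway they could become `logger.info("Firefox successfully configured.")` and `"An error occurred while creating preferences file: %s."`. The outer handler's `logger.debug("%s", str(e))` also logs the bare exception text with no hint of which step failed; a short prefix such as `"Firefox configuration error: %s"` would help. configure_firefox starts in an earlier hunk.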
@@ -1984,9 +1984,9 @@ def install_check(options): tasks.check_selinux_status() if is_ipa_client_installed(fstore, on_master=options.on_master): - root_logger.error("IPA client is already configured on this system.") - root_logger.info( - "If you want to reinstall the IPA client, uninstall it first " + + logger.error("IPA client is already configured on this system.") + logger.info( + "If you want to reinstall the IPA client, uninstall it first " "using 'ipa-client-install --uninstall'.") raise ScriptError(rval=CLIENT_ALREADY_CONFIGURED) @@ -2056,16 +2056,15 @@ def install_check(options): rval=CLIENT_INSTALL_ERROR) if options.keytab and options.force_join: - root_logger.warning("Option 'force-join' has no additional effect " - "when used with together with option 'keytab'.") + logger.warning("Option 'force-join' has no additional effect " + "when used with together with option 'keytab'.") # Check if old certificate exist and show warning if ( not options.ca_cert_file and get_cert_path(options.ca_cert_file) == paths.IPA_CA_CRT ): - root_logger.warning("Using existing certificate '%s'.", - paths.IPA_CA_CRT) + logger.warning("Using existing certificate '%s'.", paths.IPA_CA_CRT) if not check_ip_addresses(options): raise ScriptError(rval=CLIENT_INSTALL_ERROR) 
@@ -2085,18 +2084,18 @@ def install_check(options): # There is no point to continue with installation as server list was # passed as a fixed list of server and thus we cannot discover any # better result - root_logger.error( + logger.error( "Failed to verify that %s is an IPA Server.", ', '.join(options.server)) - root_logger.error( + logger.error( "This may mean that the remote server is not up " "or is not reachable due to network or firewall settings.") print_port_conf_info() raise ScriptError(rval=CLIENT_INSTALL_ERROR) if ret == ipadiscovery.BAD_HOST_CONFIG: - root_logger.error("Can't get the fully qualified name of this host") - root_logger.info("Check that the client is properly configured") + logger.error("Can't get the fully qualified name of this host") + logger.info("Check that the client is properly configured") raise ScriptError(rval=CLIENT_INSTALL_ERROR) if ret == ipadiscovery.NOT_FQDN: raise ScriptError( @@ -2106,16 +2105,16 @@ def install_check(options): or not ds.domain: if ret == ipadiscovery.NO_LDAP_SERVER: if ds.server: - root_logger.debug("%s is not an LDAP server" % ds.server) + logger.debug("%s is not an LDAP server", ds.server) else: - root_logger.debug("No LDAP server found") + logger.debug("No LDAP server found") elif ret == ipadiscovery.NOT_IPA_SERVER: if ds.server: - root_logger.debug("%s is not an IPA server" % ds.server) + logger.debug("%s is not an IPA server", ds.server) else: - root_logger.debug("No IPA server found") + logger.debug("No IPA server found") else: - root_logger.debug("Domain not found") + logger.debug("Domain not found") if options.domain: cli_domain = options.domain cli_domain_source = 'Provided as option' 
@@ -2124,13 +2123,13 @@ def install_check(options): "Unable to discover domain, not provided on command line", rval=CLIENT_INSTALL_ERROR) else: - root_logger.info( + logger.info( "DNS discovery failed to determine your DNS domain") cli_domain = user_input( "Provide the domain name of your IPA server (ex: example.com)", allow_empty=False) cli_domain_source = 'Provided interactively' - root_logger.debug( + logger.debug( "will use interactively provided domain: %s", cli_domain) ret = ds.search( domain=cli_domain, @@ -2142,13 +2141,13 @@ def install_check(options): if ds.domain: cli_domain = ds.domain cli_domain_source = ds.domain_source - root_logger.debug("will use discovered domain: %s", cli_domain) + logger.debug("will use discovered domain: %s", cli_domain) client_domain = hostname[hostname.find(".")+1:] if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \ or not ds.server: - root_logger.debug("IPA Server not found") + logger.debug("IPA Server not found") if options.server: cli_server = options.server cli_server_source = 'Provided as option' @@ -2157,14 +2156,14 @@ def install_check(options): "Unable to find IPA Server to join", rval=CLIENT_INSTALL_ERROR) else: - root_logger.debug("DNS discovery failed to find the IPA Server") + logger.debug("DNS discovery failed to find the IPA Server") cli_server = [ user_input( "Provide your IPA server name (ex: ipa.example.com)", allow_empty=False) ] cli_server_source = 'Provided interactively' - root_logger.debug( + logger.debug( "will use interactively provided server: %s", cli_server[0]) ret = ds.search( domain=cli_domain, 
@@ -2179,76 +2178,76 @@ def install_check(options): (server, domain) = ds.check_domain( ds.domain, set(), "Validating DNS Discovery") if server and domain: - root_logger.debug("DNS validated, enabling discovery") + logger.debug("DNS validated, enabling discovery") dnsok = True else: - root_logger.debug("DNS discovery failed, disabling discovery") + logger.debug("DNS discovery failed, disabling discovery") else: - root_logger.debug( + logger.debug( "Using servers from command line, disabling DNS discovery") if not cli_server: if options.server: cli_server = ds.servers cli_server_source = 'Provided as option' - root_logger.debug( + logger.debug( "will use provided server: %s", ', '.join(options.server)) elif ds.server: cli_server = ds.servers cli_server_source = ds.server_source - root_logger.debug("will use discovered server: %s", cli_server[0]) + logger.debug("will use discovered server: %s", cli_server[0]) if ret == ipadiscovery.NOT_IPA_SERVER: - root_logger.error("%s is not an IPA v2 Server.", cli_server[0]) + logger.error("%s is not an IPA v2 Server.", cli_server[0]) print_port_conf_info() - root_logger.debug("(%s: %s)", cli_server[0], cli_server_source) + logger.debug("(%s: %s)", cli_server[0], cli_server_source) raise ScriptError(rval=CLIENT_INSTALL_ERROR) if ret == ipadiscovery.NO_ACCESS_TO_LDAP: - root_logger.warning("Anonymous access to the LDAP server is disabled.") - root_logger.info("Proceeding without strict verification.") - root_logger.info( + logger.warning("Anonymous access to the LDAP server is disabled.") + logger.info("Proceeding without strict verification.") + logger.info( "Note: This is not an error if anonymous access " "has been explicitly restricted.") ret = 0 if ret == ipadiscovery.NO_TLS_LDAP: - root_logger.warning( + logger.warning( "The LDAP server requires TLS is but we do not have the CA.") - root_logger.info("Proceeding without strict verification.") + logger.info("Proceeding without strict verification.") ret = 0 if ret != 0: - 
root_logger.error( + logger.error( "Failed to verify that %s is an IPA Server.", cli_server[0]) - root_logger.error( + logger.error( "This may mean that the remote server is not up " "or is not reachable due to network or firewall settings.") print_port_conf_info() - root_logger.debug("(%s: %s)", cli_server[0], cli_server_source) + logger.debug("(%s: %s)", cli_server[0], cli_server_source) raise ScriptError(rval=CLIENT_INSTALL_ERROR) cli_kdc = ds.kdc if dnsok and not cli_kdc: - root_logger.error( + logger.error( "DNS domain '%s' is not configured for automatic " "KDC address lookup.", ds.realm.lower()) - root_logger.debug("(%s: %s)", ds.realm, ds.realm_source) - root_logger.error("KDC address will be set to fixed value.") + logger.debug("(%s: %s)", ds.realm, ds.realm_source) + logger.error("KDC address will be set to fixed value.") if dnsok: - root_logger.info("Discovery was successful!") + logger.info("Discovery was successful!") elif not options.unattended: if not options.server: - root_logger.warning( + logger.warning( "The failure to use DNS to find your IPA " "server indicates that your resolv.conf file is not properly " "configured.") - root_logger.info( + logger.info( "Autodiscovery of servers for failover cannot work " "with this configuration.") - root_logger.info( + logger.info( "If you proceed with the installation, services " "will be configured to always access the discovered server for " "all operations and will not fail over to other servers in case " 
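Review bot: In the `NO_ACCESS_TO_LDAP` and `NO_TLS_LDAP` branches `ret` is reset to 0, and the only record stating that the check was relaxed, `"Proceeding without strict verification."`, is logged at info level. A log filtered at WARNING shows the cause but not that the installer went on without verifying the server, so both branches should use `logger.warning("Proceeding without strict verification.")`. The message `"The LDAP server requires TLS is but we do not have the CA."` also carries a stray "is". `install_check` begins and ends outside this hunk.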
@@ -2259,30 +2258,30 @@ def install_check(options): cli_realm = ds.realm cli_realm_source = ds.realm_source - root_logger.debug("will use discovered realm: %s", cli_realm) + logger.debug("will use discovered realm: %s", cli_realm) if options.realm_name and options.realm_name != cli_realm: - root_logger.error( + logger.error( "The provided realm name [%s] does not match discovered one [%s]", options.realm_name, cli_realm) - root_logger.debug("(%s: %s)", cli_realm, cli_realm_source) + logger.debug("(%s: %s)", cli_realm, cli_realm_source) raise ScriptError(rval=CLIENT_INSTALL_ERROR) cli_basedn = ds.basedn cli_basedn_source = ds.basedn_source - root_logger.debug("will use discovered basedn: %s", cli_basedn) + logger.debug("will use discovered basedn: %s", cli_basedn) subject_base = DN(('O', cli_realm)) - root_logger.info("Client hostname: %s", hostname) - root_logger.debug("Hostname source: %s", hostname_source) - root_logger.info("Realm: %s", cli_realm) - root_logger.debug("Realm source: %s", cli_realm_source) - root_logger.info("DNS Domain: %s", cli_domain) - root_logger.debug("DNS Domain source: %s", cli_domain_source) - root_logger.info("IPA Server: %s", ', '.join(cli_server)) - root_logger.debug("IPA Server source: %s", cli_server_source) - root_logger.info("BaseDN: %s", cli_basedn) - root_logger.debug("BaseDN source: %s", cli_basedn_source) + logger.info("Client hostname: %s", hostname) + logger.debug("Hostname source: %s", hostname_source) + logger.info("Realm: %s", cli_realm) + logger.debug("Realm source: %s", cli_realm_source) + logger.info("DNS Domain: %s", cli_domain) + logger.debug("DNS Domain source: %s", cli_domain_source) + logger.info("IPA Server: %s", ', '.join(cli_server)) + logger.debug("IPA Server source: %s", cli_server_source) + logger.info("BaseDN: %s", cli_basedn) + logger.debug("BaseDN source: %s", cli_basedn_source) # ipa-join would fail with IP address instead of a FQDN for srv in cli_server: 
@@ -2298,7 +2297,7 @@ def install_check(options): if is_ipaddr: print() - root_logger.warning( + logger.warning( "It seems that you are using an IP address " "instead of FQDN as an argument to --server. The " "installation may fail.") @@ -2355,21 +2354,21 @@ def install(options): except ScriptError as e: if e.rval == CLIENT_INSTALL_ERROR: if options.force: - root_logger.warning( + logger.warning( "Installation failed. Force set so not rolling back " "changes.") elif options.on_master: - root_logger.warning( + logger.warning( "Installation failed. As this is IPA server, changes will " "not be rolled back.") else: - root_logger.error("Installation failed. Rolling back changes.") + logger.error("Installation failed. Rolling back changes.") options.unattended = True try: uninstall(options) except Exception as ex: - root_logger.debug(traceback.format_exc()) - root_logger.error(ex) + logger.debug("%s", traceback.format_exc()) + logger.error("%s", ex) raise finally: try: @@ -2402,7 +2401,7 @@ def _install(options): # in the DNS. # If that fails, we try to sync directly with IPA server, # assuming it runs NTP - root_logger.info('Synchronizing time with KDC...') + logger.info('Synchronizing time with KDC...') ds = ipadiscovery.IPADiscovery() ntp_srv_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', None, break_on_first=False) 
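Review bot: In the rollback handler of `install`, `logger.debug("%s", traceback.format_exc())` formats the traceback by hand and always pays for it, even when debug output is off. The logging module can attach the active exception itself: `logger.debug("Rolling back changes failed", exc_info=True)` followed by the existing `logger.error("%s", ex)` keeps the same split between debug detail and the error line. The `try`/`finally` around this handler continues outside the hunk.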
@@ -2421,19 +2420,19 @@ def _install(options): if not synced_ntp and not options.ntp_servers: synced_ntp = ntpconf.synconce_ntp(cli_server[0], options.debug) if not synced_ntp: - root_logger.warning( + logger.warning( "Unable to sync time with NTP " "server, assuming the time is in sync. Please check " "that 123 UDP port is opened.") else: - root_logger.info('Skipping synchronizing time with NTP server.') + logger.info('Skipping synchronizing time with NTP server.') if not options.unattended: if (options.principal is None and options.password is None and options.prompt_password is False and options.keytab is None): options.principal = user_input("User authorized to enroll " "computers", allow_empty=False) - root_logger.debug( + logger.debug( "will use principal provided as option: %s", options.principal) host_principal = 'host/%s@%s' % (hostname, cli_realm) @@ -2487,10 +2486,10 @@ def _install(options): rval=CLIENT_INSTALL_ERROR) else: if sys.stdin.isatty(): - root_logger.error( + logger.error( "Password must be provided in " "non-interactive mode.") - root_logger.info( + logger.info( "This can be done via " "echo password | ipa-client-install ... " "or with the -w option.") @@ -2554,10 +2553,10 @@ def _install(options): cli_realm) del os.environ['KRB5_CONFIG'] except errors.FileError as e: - root_logger.error(e) + logger.error('%s', e) raise ScriptError(rval=CLIENT_INSTALL_ERROR) except Exception as e: - root_logger.error("Cannot obtain CA certificate\n%s", e) + logger.error("Cannot obtain CA certificate\n%s", e) raise ScriptError(rval=CLIENT_INSTALL_ERROR) # Now join the domain 
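Review bot: The hint logged in the `sys.stdin.isatty()` branch of `_install` recommends `echo password | ipa-client-install ...` or the `-w` option without saying what either exposes. A password passed with `-w` is part of the command line, so it is typically readable in the process list by other local users and kept in shell history, and the `echo` form lands in history as well. The message should point to feeding the password on stdin from a file only the administrator can read, and mention `-w` only with that caveat. The surrounding password handling lies outside this hunk.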
@@ -2567,18 +2566,18 @@ def _install(options): stderr = result.error_output if result.returncode != 0: - root_logger.error("Joining realm failed: %s", stderr) + logger.error("Joining realm failed: %s", stderr) if not options.force: if result.returncode == 13: - root_logger.info( + logger.info( "Use --force-join option to override the host " "entry on the server and force client enrollment.") raise ScriptError(rval=CLIENT_INSTALL_ERROR) - root_logger.info( + logger.info( "Use ipa-getkeytab to obtain a host " "principal for this server.") else: - root_logger.info("Enrolled in IPA realm %s", cli_realm) + logger.info("Enrolled in IPA realm %s", cli_realm) start = stderr.find('Certificate subject base is: ') if start >= 0: @@ -2601,7 +2600,7 @@ def _install(options): env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE except gssapi.exceptions.GSSError as e: print_port_conf_info() - root_logger.error("Failed to obtain host TGT: %s" % e) + logger.error("Failed to obtain host TGT: %s", e) # failure to get ticket makes it impossible to login and bind # from sssd to LDAP, abort installation and rollback changes raise ScriptError(rval=CLIENT_INSTALL_ERROR) @@ -2610,7 +2609,7 @@ def _install(options): try: os.remove(krb_name) except OSError: - root_logger.error("Could not remove %s", krb_name) + logger.error("Could not remove %s", krb_name) try: os.rmdir(ccache_dir) except OSError: @@ -2618,13 +2617,13 @@ def _install(options): try: os.remove(krb_name + ".ipabkp") except OSError: - root_logger.error("Could not remove %s.ipabkp", krb_name) + logger.error("Could not remove %s.ipabkp", krb_name) # Configure ipa.conf if not options.on_master: configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, hostname) - root_logger.info("Created /etc/ipa/default.conf") + logger.info("Created /etc/ipa/default.conf") with certdb.NSSDatabase() as tmp_db: api.bootstrap(context='cli_installer', 
@@ -2643,7 +2642,7 @@ def _install(options): if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, hostname): raise ScriptError(rval=CLIENT_INSTALL_ERROR) - root_logger.info("Configured /etc/sssd/sssd.conf") + logger.info("Configured /etc/sssd/sssd.conf") if options.on_master: # If on master assume kerberos is already configured properly. @@ -2653,7 +2652,7 @@ def _install(options): attempts=options.kinit_attempts) os.environ['KRB5CCNAME'] = CCACHE_FILE except gssapi.exceptions.GSSError as e: - root_logger.error("Failed to obtain host TGT: %s" % e) + logger.error("Failed to obtain host TGT: %s", e) raise ScriptError(rval=CLIENT_INSTALL_ERROR) else: # Configure krb5.conf @@ -2670,7 +2669,7 @@ def _install(options): configure_sssd=options.sssd, force=options.force) - root_logger.info( + logger.info( "Configured /etc/krb5.conf for IPA realm %s", cli_realm) # Clear out any current session keyring information 
@@ -2704,32 +2703,32 @@ def _install(options): try: api.Backend.rpcclient.connect() connected = True - root_logger.debug("Try RPC connection") + logger.debug("Try RPC connection") api.Backend.rpcclient.forward('ping') except errors.KerberosError as e: if connected: api.Backend.rpcclient.disconnect() - root_logger.info( + logger.info( "Cannot connect to the server due to Kerberos error: %s. " "Trying with delegate=True", e) try: api.Backend.rpcclient.connect(delegate=True) - root_logger.debug("Try RPC connection") + logger.debug("Try RPC connection") api.Backend.rpcclient.forward('ping') - root_logger.info("Connection with delegate=True successful") + logger.info("Connection with delegate=True successful") # The remote server is not capable of Kerberos S4U2Proxy # delegation. This features is implemented in IPA server # version 2.2 and higher - root_logger.warning( + logger.warning( "Target IPA server has a lower version than the enrolled " "client") - root_logger.warning( + logger.warning( "Some capabilities including the ipa command capability " "may not be available") except errors.PublicError as e2: - root_logger.warning( + logger.warning( "Second connect with delegate=True also failed: %s", e2) raise ScriptError( "Cannot connect to the IPA server RPC interface: %s" % e2, @@ -2786,7 +2785,7 @@ def _install(options): paths.CA_BUNDLE_PEM) # Add the CA certificates to the IPA NSS database - root_logger.debug("Adding CA certificates to the IPA NSS database.") + logger.debug("Adding CA certificates to the IPA NSS database.") ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) for cert, nickname, trust_flags in ca_certs_trust: try: @@ -2825,11 +2824,11 @@ def _install(options): nscd_service_action = 'restart' nscd.restart() except Exception: - root_logger.warning( + logger.warning( "Failed to %s the %s daemon", nscd_service_action, nscd.service_name) if not options.sssd: - root_logger.warning( + logger.warning( "Caching of users/groups will not be available") try: 
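Review bot: In the `errors.KerberosError` handler the retry with `api.Backend.rpcclient.connect(delegate=True)` is announced only at info level, and the two warnings are emitted after the ping has already succeeded. If `delegate=True` forwards the host's credentials to the server, as the S4U2Proxy comment below it suggests, the fallback is a security-relevant downgrade and should be visible before it happens: `logger.warning("Cannot connect to the server due to Kerberos error: %s. Trying with delegate=True", e)`. The enclosing `try` in `_install` starts outside the hunk.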
@@ -2839,21 +2838,21 @@ def _install(options): nscd.enable() except Exception: if not options.sssd: - root_logger.warning( + logger.warning( "Failed to configure automatic startup of the %s daemon", nscd.service_name) - root_logger.info( + logger.info( "Caching of users/groups will not be " "available after reboot") else: - root_logger.warning( + logger.warning( "Failed to disable %s daemon. Disable it manually.", nscd.service_name) else: # this is optional service, just log if not options.sssd: - root_logger.info( + logger.info( "%s daemon is not installed, skip configuration", nscd.service_name) @@ -2869,25 +2868,25 @@ def _install(options): mkhomedir=options.mkhomedir, statestore=statestore) - root_logger.info("%s enabled", "SSSD" if options.sssd else "LDAP") + logger.info("%s enabled", "SSSD" if options.sssd else "LDAP") if options.sssd: sssd = services.service('sssd', api) try: sssd.restart() except CalledProcessError: - root_logger.warning("SSSD service restart was unsuccessful.") + logger.warning("SSSD service restart was unsuccessful.") try: sssd.enable() except CalledProcessError as e: - root_logger.warning( + logger.warning( "Failed to enable automatic startup of the SSSD daemon: " "%s", e) if not options.sssd: tasks.modify_pam_to_use_krb5(statestore) - root_logger.info("Kerberos 5 enabled") + logger.info("Kerberos 5 enabled") # Update non-SSSD LDAP configuration after authconfig calls as it would # change its configuration otherways 
@@ -2900,23 +2899,23 @@ def _install(options): if retcode: raise ScriptError(rval=CLIENT_INSTALL_ERROR) if conf: - root_logger.info( + logger.info( "%s configured using configuration file(s) %s", conf, filenames) if configure_openldap_conf(fstore, cli_basedn, cli_server): - root_logger.info("Configured /etc/openldap/ldap.conf") + logger.info("Configured /etc/openldap/ldap.conf") else: - root_logger.info("Failed to configure /etc/openldap/ldap.conf") + logger.info("Failed to configure /etc/openldap/ldap.conf") # Check that nss is working properly if not options.on_master: user = options.principal if user is None: user = "admin@%s" % cli_domain - root_logger.info("Principal is not set when enrolling with OTP" - "; using principal '%s' for 'getent passwd'", - user) + logger.info("Principal is not set when enrolling with OTP" + "; using principal '%s' for 'getent passwd'", + user) elif '@' not in user: user = "%s@%s" % (user, cli_domain) n = 0 @@ -2934,19 +2933,19 @@ def _install(options): n = n + 1 if not found: - root_logger.error("Unable to find '%s' user with 'getent " - "passwd %s'!" % (user.split("@")[0], user)) + logger.error("Unable to find '%s' user with 'getent " + "passwd %s'!", user.split("@")[0], user) if conf: - root_logger.info("Recognized configuration: %s", conf) + logger.info("Recognized configuration: %s", conf) else: - root_logger.error( + logger.error( "Unable to reliably detect " "configuration. Check NSS setup manually.") try: hardcode_ldap_server(cli_server) except Exception as e: - root_logger.error( + logger.error( "Adding hardcoded server name to " "/etc/ldap.conf failed: %s", str(e)) 
@@ -2960,12 +2959,12 @@ def _install(options): elif ntp_srv_servers: ntp_servers = ntp_srv_servers else: - root_logger.warning("No SRV records of NTP servers found. IPA " - "server address will be used") + logger.warning("No SRV records of NTP servers found. IPA " + "server address will be used") ntp_servers = cli_server ntpconf.config_ntp(ntp_servers, fstore, statestore) - root_logger.info("NTP enabled") + logger.info("NTP enabled") if options.conf_ssh: configure_ssh_config(fstore, options) @@ -2983,7 +2982,7 @@ def _install(options): configure_nisdomain( options=options, domain=cli_domain, statestore=statestore) - root_logger.info('Client configuration complete.') + logger.info('Client configuration complete.') def uninstall_check(options): @@ -2996,9 +2995,9 @@ def uninstall_check(options): server_fstore = sysrestore.FileStore(paths.SYSRESTORE) if server_fstore.has_files() and not options.on_master: - root_logger.error( + logger.error( "IPA client is configured as a part of IPA server on this system.") - root_logger.info("Refer to ipa-server-install for uninstallation.") + logger.info("Refer to ipa-server-install for uninstallation.") raise ScriptError(rval=CLIENT_NOT_CONFIGURED) @@ -3011,7 +3010,7 @@ def uninstall(options): try: run(["ipa-client-automount", "--uninstall", "--debug"]) except Exception as e: - root_logger.error( + logger.error( "Unconfigured automount client failed: %s", str(e)) # Reload the state as automount unconfigure may have modified it @@ -3069,8 +3068,8 @@ def uninstall(options): certmonger.stop_tracking(paths.IPA_NSSDB_DIR, nickname='Local IPA host') except RuntimeError as e: - root_logger.error("%s failed to stop tracking certificate: %s", - cmonger.service_name, e) + logger.error("%s failed to stop tracking certificate: %s", + cmonger.service_name, e) client_nss_nickname = 'IPA Machine Certificate - %s' % hostname if sys_db.has_nickname(client_nss_nickname): 
@@ -3078,8 +3077,8 @@ def uninstall(options): certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname) except RuntimeError as e: - root_logger.error("%s failed to stop tracking certificate: %s", - cmonger.service_name, e) + logger.error("%s failed to stop tracking certificate: %s", + cmonger.service_name, e) for filename in (os.path.join(ipa_db.secdir, 'cert8.db'), os.path.join(ipa_db.secdir, 'key3.db'), @@ -3098,22 +3097,22 @@ def uninstall(options): try: cmonger.disable() except Exception as e: - root_logger.error( + logger.error( "Failed to disable automatic startup of the %s service: %s", cmonger.service_name, str(e)) if not options.on_master and os.path.exists(paths.IPA_DEFAULT_CONF): - root_logger.info("Unenrolling client from IPA server") + logger.info("Unenrolling client from IPA server") join_args = [paths.SBIN_IPA_JOIN, "--unenroll", "-h", hostname] if options.debug: join_args.append("-d") env['XMLRPC_TRACE_CURL'] = 'yes' result = run(join_args, raiseonerr=False, env=env) if result.returncode != 0: - root_logger.error("Unenrolling host failed: %s", result.error_log) + logger.error("Unenrolling host failed: %s", result.error_log) if os.path.exists(paths.IPA_DEFAULT_CONF): - root_logger.info( + logger.info( "Removing Kerberos service principals from /etc/krb5.keytab") try: parser = RawConfigParser() @@ -3126,14 +3125,14 @@ def uninstall(options): if err.returncode != 5: # 5 means Principal name or realm not found in keytab # and can be ignored - root_logger.error( + logger.error( "Failed to remove Kerberos service principals: %s", str(err)) except Exception as e: - root_logger.error( + logger.error( "Failed to remove Kerberos service principals: %s", str(e)) - root_logger.info("Disabling client Kerberos and LDAP configurations") + logger.info("Disabling client Kerberos and LDAP configurations") was_sssd_installed = False was_sshd_configured = False if fstore.has_files(): 
@@ -3172,7 +3171,7 @@ def uninstall(options): # found, restore backed up sssd.conf to sssd.conf.bkp and remove IPA # domain from the current sssd.conf if was_sssd_installed and was_sssd_configured: - root_logger.info( + logger.info( "The original configuration of SSSD included other domains than " "the IPA-based one.") @@ -3183,27 +3182,27 @@ def uninstall(options): restored = fstore.restore_file( paths.SSSD_CONF, paths.SSSD_CONF_BKP) except OSError: - root_logger.debug( + logger.debug( "Error while restoring pre-IPA /etc/sssd/sssd.conf.") if restored: - root_logger.info( + logger.info( "Original pre-IPA SSSD configuration file was " "restored to /etc/sssd/sssd.conf.bkp.") - root_logger.info( + logger.info( "IPA domain removed from current one, restarting SSSD service") sssd = services.service('sssd', api) try: sssd.restart() except CalledProcessError: - root_logger.warning("SSSD service restart was unsuccessful.") + logger.warning("SSSD service restart was unsuccessful.") # SSSD was not installed before our installation, but other domains found, # delete IPA domain, but leave other domains intact elif not was_sssd_installed and was_sssd_configured: delete_ipa_domain() - root_logger.info( + logger.info( "Other domains than IPA domain found, IPA domain was removed " "from /etc/sssd/sssd.conf.") @@ -3211,7 +3210,7 @@ def uninstall(options): try: sssd.restart() except CalledProcessError: - root_logger.warning("SSSD service restart was unsuccessful.") + logger.warning("SSSD service restart was unsuccessful.") # SSSD was not installed before our installation, and no other domains # than IPA are configured in sssd.conf - make sure config file is removed 
@@ -3219,10 +3218,10 @@ def uninstall(options): try: os.rename(paths.SSSD_CONF, paths.SSSD_CONF_DELETED) except OSError: - root_logger.debug("Error while moving /etc/sssd/sssd.conf to %s" % - paths.SSSD_CONF_DELETED) + logger.debug("Error while moving /etc/sssd/sssd.conf to %s", + paths.SSSD_CONF_DELETED) - root_logger.info( + logger.info( "Redundant SSSD configuration file " "/etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted") @@ -3230,19 +3229,19 @@ def uninstall(options): try: sssd.stop() except CalledProcessError: - root_logger.warning("SSSD service could not be stopped") + logger.warning("SSSD service could not be stopped") try: sssd.disable() except CalledProcessError as e: - root_logger.warning( + logger.warning( "Failed to disable automatic startup of the SSSD daemon: %s", e) tasks.restore_hostname(fstore, statestore) if fstore.has_files(): - root_logger.info("Restoring client configuration files") + logger.info("Restoring client configuration files") fstore.restore_all_files() unconfigure_nisdomain(statestore) @@ -3255,7 +3254,7 @@ def uninstall(options): restore_state(service, statestore) else: # this is an optional service, just log - root_logger.info( + logger.info( "%s daemon is not installed, skip configuration", service.service_name ) @@ -3288,14 +3287,14 @@ def uninstall(options): try: ntpconf.restore_forced_ntpd(statestore) except CalledProcessError as e: - root_logger.error('Failed to start chronyd: %s', e) + logger.error('Failed to start chronyd: %s', e) if was_sshd_configured and services.knownservices.sshd.is_running(): services.knownservices.sshd.restart() # Remove the Firefox configuration if statestore.has_state('firefox'): - root_logger.info("Removing Firefox configuration.") + logger.info("Removing Firefox configuration.") preferences_fname = statestore.restore_state( 'firefox', 'preferences_fname') if preferences_fname is not None: 
@@ -3303,20 +3302,20 @@ def uninstall(options): try: os.remove(preferences_fname) except Exception as e: - root_logger.warning( + logger.warning( "'%s' could not be removed: %s.", preferences_fname, str(e)) - root_logger.warning( + logger.warning( "Please remove file '%s' manually.", preferences_fname) rv = SUCCESS if fstore.has_files(): - root_logger.error('Some files have not been restored, see %s' % - paths.SYSRESTORE_INDEX) + logger.error('Some files have not been restored, see %s', + paths.SYSRESTORE_INDEX) has_state = False for module in statestore.modules: - root_logger.error( + logger.error( 'Some installation state for %s has not been ' 'restored, see /var/lib/ipa/sysrestore/sysrestore.state', module) @@ -3324,7 +3323,7 @@ def uninstall(options): rv = CLIENT_UNINSTALL_ERROR if has_state: - root_logger.warning( + logger.warning( 'Some installation state has not been restored.\n' 'This may cause re-installation to fail.\n' 'It should be safe to remove /var/lib/ipa-client/sysrestore.state ' @@ -3342,15 +3341,15 @@ def uninstall(options): remove_file(paths.KDC_CA_BUNDLE_PEM) remove_file(paths.CA_BUNDLE_PEM) - root_logger.info("Client uninstall complete.") + logger.info("Client uninstall complete.") # The next block of code prompts for reboot, therefore all uninstall # logic has to be done before if not options.unattended: - root_logger.info( + logger.info( "The original nsswitch.conf configuration has been restored.") - root_logger.info( + logger.info( "You may need to restart services or reboot the machine.") if not options.on_master: if user_input("Do you want to reboot the machine?", False): @@ -3368,6 +3367,7 @@ def uninstall(options): def init(installer): + root_logger = logging.getLogger() for handler in root_logger.handlers: if (isinstance(handler, logging.StreamHandler) and handler.stream is sys.stderr): # pylint: disable=no-member diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py index d9ef191..c387d09 100644 
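Review bot: The "not restored" messages at the end of `uninstall` name three different locations: `paths.SYSRESTORE_INDEX`, the literal `/var/lib/ipa/sysrestore/sysrestore.state`, and in the following hunk the literal `/var/lib/ipa-client/sysrestore.state`. At most one of the two literals can be the file behind the client `statestore`, and the last message tells the administrator that the named file is safe to remove, so a wrong path there is worth fixing. Both literals should be replaced by the `paths` constants the stores were opened with; which constants those are cannot be seen from these hunks.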
--- a/ipaclient/install/ipadiscovery.py +++ b/ipaclient/install/ipadiscovery.py @@ -17,12 +17,12 @@ # along with this program. If not, see . # +import logging import operator import socket import six -from ipapython.ipa_log_manager import root_logger from dns import resolver, rdatatype from dns.exception import DNSException from ipalib import errors @@ -31,6 +31,8 @@ from ipaplatform.paths import paths from ipapython.ipautil import valid_ip, realm_to_suffix from ipapython.dn import DN +logger = logging.getLogger(__name__) + NOT_FQDN = -1 NO_LDAP_SERVER = -2 REALM_NOT_FOUND = -3 @@ -74,21 +76,22 @@ def get_ipa_basedn(conn): contexts.remove(default) contexts.insert(0, default) for context in contexts: - root_logger.debug("Check if naming context '%s' is for IPA" % context) + logger.debug("Check if naming context '%s' is for IPA", context) try: [entry] = conn.get_entries( DN(context), conn.SCOPE_BASE, "(info=IPA*)") except errors.NotFound: - root_logger.debug("LDAP server did not return info attribute to " - "check for IPA version") + logger.debug("LDAP server did not return info attribute to " + "check for IPA version") continue [info] = entry.raw['info'] info = info.decode('utf-8').lower() if info != IPA_BASEDN_INFO: - root_logger.debug("Detected IPA server version (%s) did not match the client (%s)" \ - % (info, IPA_BASEDN_INFO)) + logger.debug("Detected IPA server version (%s) did not match the " + "client (%s)", + info, IPA_BASEDN_INFO) continue - root_logger.debug("Naming context '%s' is a valid IPA context" % context) + logger.debug("Naming context '%s' is a valid IPA context", context) return DN(context) return None 
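Review bot: In `get_ipa_basedn`, `[info] = entry.raw['info']` and `info.decode('utf-8')` run on data returned by an LDAP server that has not yet been confirmed to be an IPA server, and the loop handles only `errors.NotFound`. A multi-valued or non-UTF-8 `info` attribute raises `ValueError` or `UnicodeDecodeError` out of the function instead of skipping that naming context; whether a caller catches it is not visible here. Decoding with `info.decode('utf-8', 'replace')` and treating an unexpected value like a version mismatch (`continue`) would keep discovery going. The start of the function is outside the hunk.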
@@ -163,11 +166,11 @@ class IPADiscovery(object): :param reason: Reason this domain is searched (included in the log) """ servers = None - root_logger.debug('Start searching for LDAP SRV record in "%s" (%s) ' + - 'and its sub-domains', domain, reason) + logger.debug('Start searching for LDAP SRV record in "%s" (%s) ' + 'and its sub-domains', domain, reason) while not servers: if domain in tried: - root_logger.debug("Already searched %s; skipping", domain) + logger.debug("Already searched %s; skipping", domain) break tried.add(domain) @@ -191,8 +194,8 @@ class IPADiscovery(object): Returns a constant representing the overall search result. """ - root_logger.debug("[IPA Discovery]") - root_logger.debug( + logger.debug("[IPA Discovery]") + logger.debug( 'Starting IPA discovery with domain=%s, servers=%s, hostname=%s', domain, servers, hostname) @@ -206,7 +209,7 @@ class IPADiscovery(object): # get the local host name if not hostname: hostname = socket.getfqdn() - root_logger.debug('Hostname: %s', hostname) + logger.debug('Hostname: %s', hostname) if not hostname: return BAD_HOST_CONFIG @@ -237,10 +240,10 @@ class IPADiscovery(object): (domain, reason)) break if not self.domain: #no ldap server found - root_logger.debug('No LDAP server found') + logger.debug('No LDAP server found') return NO_LDAP_SERVER else: - root_logger.debug("Search for LDAP SRV record in %s", domain) + logger.debug("Search for LDAP SRV record in %s", domain) servers = self.ipadns_search_srv(domain, '_ldap._tcp', 389, break_on_first=False) if servers: 
@@ -250,19 +253,19 @@ class IPADiscovery(object): 'Discovered LDAP SRV records from %s' % domain) else: self.server = None - root_logger.debug('No LDAP server found') + logger.debug('No LDAP server found') return NO_LDAP_SERVER else: - root_logger.debug("Server and domain forced") + logger.debug("Server and domain forced") self.domain = domain self.domain_source = self.server_source = 'Forced' #search for kerberos - root_logger.debug("[Kerberos realm search]") + logger.debug("[Kerberos realm search]") if realm: - root_logger.debug("Kerberos realm forced") + logger.debug("Kerberos realm forced") self.realm = realm self.realm_source = 'Forced' else: @@ -286,11 +289,11 @@ class IPADiscovery(object): # Iterate through all of those to check if it is IPA LDAP server ldapret = [NOT_IPA_SERVER] ldapaccess = True - root_logger.debug("[LDAP server check]") + logger.debug("[LDAP server check]") valid_servers = [] for server in servers: - root_logger.debug('Verifying that %s (realm %s) is an IPA server', - server, self.realm) + logger.debug('Verifying that %s (realm %s) is an IPA server', + server, self.realm) # check ldap now ldapret = self.ipacheckldap(server, self.realm, ca_cert_path=ca_cert_path) @@ -315,14 +318,14 @@ class IPADiscovery(object): # via DNS break elif ldapret[0] == NOT_IPA_SERVER: - root_logger.warning( + logger.warning( 'Skip %s: not an IPA server', server) elif ldapret[0] == NO_LDAP_SERVER: - root_logger.warning( - 'Skip %s: LDAP server is not responding, unable to verify if ' - 'this is an IPA server', server) + logger.warning( + 'Skip %s: LDAP server is not responding, unable to verify ' + 'if this is an IPA server', server) else: - root_logger.warning( + logger.warning( 'Skip %s: cannot verify if this is an IPA server', server) # If one of LDAP servers checked rejects access (maybe anonymous 
@@ -335,21 +338,21 @@ class IPADiscovery(object): # Assume realm is the same as domain.upper() self.realm = self.domain.upper() self.realm_source = 'Assumed same as domain' - root_logger.debug( + logger.debug( "Assuming realm is the same as domain: %s", self.realm) if not ldapaccess and self.basedn is None: # Generate suffix from realm self.basedn = realm_to_suffix(self.realm) self.basedn_source = 'Generated from Kerberos realm' - root_logger.debug("Generated basedn from realm: %s" % self.basedn) + logger.debug("Generated basedn from realm: %s", self.basedn) - root_logger.debug( + logger.debug( "Discovery result: %s; server=%s, domain=%s, kdc=%s, basedn=%s", error_names.get(ldapret[0], ldapret[0]), self.server, self.domain, self.kdc, self.basedn) - root_logger.debug("Validated servers: %s" % ','.join(valid_servers)) + logger.debug("Validated servers: %s", ','.join(valid_servers)) self.servers = valid_servers # If we have any servers left then override the last return value @@ -381,7 +384,7 @@ class IPADiscovery(object): start_tls = False if ca_cert_path: start_tls = True - root_logger.debug("Init LDAP connection to: %s", ldap_uri) + logger.debug("Init LDAP connection to: %s", ldap_uri) lh = ipaldap.LDAPClient( ldap_uri, cacert=ca_cert_path, start_tls=start_tls, no_schema=True, decode_attrs=False) 
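Review bot: The `Init LDAP connection to: %s` debug line in the -381 hunk does not record whether the connection is protected, although `start_tls` is decided from `ca_cert_path` just before it and the bind in the next hunk is anonymous. When a discovery result is questioned later, the log cannot show whether the base DN and realm were read over StartTLS or over plain LDAP. I would include the flag: `logger.debug("Init LDAP connection to: %s (start_tls=%s)", ldap_uri, start_tls)`. The enclosing method (presumably ipacheckldap) starts and ends outside the hunk.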
@@ -389,17 +392,17 @@ class IPADiscovery(object): lh.simple_bind(DN(), '') # get IPA base DN - root_logger.debug("Search LDAP server for IPA base DN") + logger.debug("Search LDAP server for IPA base DN") basedn = get_ipa_basedn(lh) except errors.ACIError: - root_logger.debug("LDAP Error: Anonymous access not allowed") + logger.debug("LDAP Error: Anonymous access not allowed") return [NO_ACCESS_TO_LDAP] except errors.DatabaseError as err: - root_logger.error("Error checking LDAP: %s" % err.strerror) + logger.error("Error checking LDAP: %s", err.strerror) # We should only get UNWILLING_TO_PERFORM if the remote LDAP # server has minssf > 0 and we have attempted a non-TLS conn. if ca_cert_path is None: - root_logger.debug( + logger.debug( "Cannot connect to LDAP server. Check that minssf is " "not enabled") return [NO_TLS_LDAP] @@ -407,14 +410,14 @@ class IPADiscovery(object): return [UNKNOWN_ERROR] if basedn is None: - root_logger.debug("The server is not an IPA server") + logger.debug("The server is not an IPA server") return [NOT_IPA_SERVER] self.basedn = basedn self.basedn_source = 'From IPA server %s' % lh.ldap_uri #search and return known realms - root_logger.debug( + logger.debug( "Search for (objectClass=krbRealmContainer) in %s (sub)", self.basedn) try: @@ -426,7 +429,7 @@ class IPADiscovery(object): return [REALM_NOT_FOUND] for lres in lret: - root_logger.debug("Found: %s", lres.dn) + logger.debug("Found: %s", lres.dn) [cn] = lres.raw['cn'] if six.PY3: cn = cn.decode('utf-8') 
@@ -437,15 +440,15 @@ class IPADiscovery(object): if trealm == r: return [0, thost, trealm] # must match or something is very wrong - root_logger.debug("Realm %s does not match any realm in LDAP " - "database", trealm) + logger.debug("Realm %s does not match any realm in LDAP " + "database", trealm) return [REALM_NOT_FOUND] else: if len(lrealms) != 1: #which one? we can't attach to a multi-realm server without DNS working - root_logger.debug("Multiple realms found, cannot decide " - "which realm is the right without " - "working DNS") + logger.debug("Multiple realms found, cannot decide " + "which realm is the right without " + "working DNS") return [REALM_NOT_FOUND] else: return [0, thost, lrealms[0]] @@ -454,19 +457,19 @@ class IPADiscovery(object): assert False, "Unknown error in ipadiscovery" except errors.DatabaseTimeout: - root_logger.debug("LDAP Error: timeout") + logger.debug("LDAP Error: timeout") return [NO_LDAP_SERVER] except errors.NetworkError as err: - root_logger.debug("LDAP Error: %s" % err.strerror) + logger.debug("LDAP Error: %s", err.strerror) return [NO_LDAP_SERVER] except errors.ACIError: - root_logger.debug("LDAP Error: Anonymous access not allowed") + logger.debug("LDAP Error: Anonymous access not allowed") return [NO_ACCESS_TO_LDAP] except errors.DatabaseError as err: - root_logger.debug("Error checking LDAP: %s" % err.strerror) + logger.debug("Error checking LDAP: %s", err.strerror) return [UNKNOWN_ERROR] except Exception as err: - root_logger.debug("Error checking LDAP: %s" % err) + logger.debug("Error checking LDAP: %s", err) return [UNKNOWN_ERROR] 
@@ -490,20 +493,21 @@ class IPADiscovery(object): qname = '%s.%s' % (srv_record_name, domain) - root_logger.debug("Search DNS for SRV record of %s", qname) + logger.debug("Search DNS for SRV record of %s", qname) try: answers = resolver.query(qname, rdatatype.SRV) answers = sorted(answers, key=operator.attrgetter('priority')) except DNSException as e: - root_logger.debug("DNS record not found: %s", e.__class__.__name__) + logger.debug("DNS record not found: %s", e.__class__.__name__) answers = [] for answer in answers: - root_logger.debug("DNS record found: %s", answer) + logger.debug("DNS record found: %s", answer) server = str(answer.target).rstrip(".") if not server: - root_logger.debug("Cannot parse the hostname from SRV record: %s", answer) + logger.debug("Cannot parse the hostname from SRV record: %s", + answer) continue if default_port is not None and answer.port != default_port: server = "%s:%s" % (server, str(answer.port)) @@ -524,24 +528,23 @@ class IPADiscovery(object): # now, check for a Kerberos realm the local host or domain is in qname = "_kerberos." + domain - root_logger.debug("Search DNS for TXT record of %s", qname) + logger.debug("Search DNS for TXT record of %s", qname) try: answers = resolver.query(qname, rdatatype.TXT) except DNSException as e: - root_logger.debug("DNS record not found: %s", e.__class__.__name__) + logger.debug("DNS record not found: %s", e.__class__.__name__) answers = [] realm = None for answer in answers: - root_logger.debug("DNS record found: %s", answer) + logger.debug("DNS record found: %s", answer) if answer.strings: try: realm = answer.strings[0].decode('utf-8') except UnicodeDecodeError as e: - root_logger.debug( - 'A TXT record cannot be decoded as UTF-8: {err}' - .format(err=e)) + logger.debug( + 'A TXT record cannot be decoded as UTF-8: %s', e) continue if realm: return realm 
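Review bot: Both `except DNSException` branches, the SRV lookup in the -490 hunk and the TXT lookup in the -524 hunk, log `DNS record not found` for every resolver failure, so a timeout or a refused query reads the same as a record that does not exist. That distinction matters when working out why discovery fell back to another domain or server. Since the lines are already being rewritten, I would name the query and keep the exception class: `logger.debug("DNS query for %s failed: %s", qname, e.__class__.__name__)`. Both methods continue outside the hunks.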
@@ -558,7 +561,7 @@ class IPADiscovery(object): if kdc: kdc = ','.join(kdc) else: - root_logger.debug("SRV record for KDC not found! Domain: %s" % domain) + logger.debug("SRV record for KDC not found! Domain: %s", domain) kdc = None return kdc diff --git a/ipaclient/install/ntpconf.py b/ipaclient/install/ntpconf.py index a8d04f9..b2d514b 100644 --- a/ipaclient/install/ntpconf.py +++ b/ipaclient/install/ntpconf.py @@ -16,16 +16,18 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . # +import logging import os import shutil from ipalib import api from ipapython import ipautil -from ipapython.ipa_log_manager import root_logger from ipaplatform.tasks import tasks from ipaplatform import services from ipaplatform.paths import paths +logger = logging.getLogger(__name__) + ntp_conf = """# Permit time synchronization with our time source, but do not # permit the source to query or modify the service on this system. restrict default kod nomodify notrap nopeer noquery @@ -159,13 +161,13 @@ def synconce_ntp(server_fqdn, debug=False): if debug: args.append('-d') try: - root_logger.info('Attempting to sync time using ntpd. ' - 'Will timeout after %d seconds' % timeout) + logger.info('Attempting to sync time using ntpd. ' + 'Will timeout after %d seconds', timeout) ipautil.run(args) return True except ipautil.CalledProcessError as e: if e.returncode == 124: - root_logger.debug('Process did not complete before timeout') + logger.debug('Process did not complete before timeout') return False diff --git a/ipalib/frontend.py b/ipalib/frontend.py index ad02286..3a05bb6 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -26,7 +26,6 @@ import six from ipapython.version import API_VERSION from ipapython.ipautil import APIVersion -from ipapython.ipa_log_manager import root_logger from ipalib.base import NameSpace from ipalib.plugable import Plugin, APINameSpace from ipalib.parameters import create_param, Param, Str, Flag 
@@ -1007,7 +1006,7 @@ class Command(HasParam): if self.msg_summary: return self.msg_summary % output - def log_messages(self, output, logger): + def log_messages(self, output): logger_functions = dict( debug=logger.debug, info=logger.info, @@ -1040,7 +1039,7 @@ class Command(HasParam): rv = 0 - self.log_messages(output, root_logger) + self.log_messages(output) order = [p.name for p in self.output_params()] if options.get('all', False): diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index c286996..13c6889 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py @@ -24,6 +24,7 @@ from __future__ import print_function +import logging import os import time import dbus @@ -31,11 +32,12 @@ import shlex import subprocess import tempfile from ipalib import api -from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipaplatform.paths import paths from ipaplatform import services +logger = logging.getLogger(__name__) + DBUS_CM_PATH = '/org/fedorahosted/certmonger' DBUS_CM_IF = 'org.fedorahosted.certmonger' DBUS_CM_NAME = 'org.fedorahosted.certmonger' @@ -106,7 +108,7 @@ class _certmonger(_cm_dbus_object): if retcode is not None: return time.sleep(5) - root_logger.error("Failed to stop certmonger.") + logger.error("Failed to stop certmonger.") def __del__(self): self._stop_private_conn() 
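Review bot: `log_messages` loses its `logger` parameter in the -1007 hunk, so any caller that still uses the old form `self.log_messages(output, root_logger)` now fails with a TypeError. Command is a plugin base class, so such callers may live outside this tree. The body now resolves `logger` from module scope, yet the hunks shown for ipalib/frontend.py only remove the `root_logger` import and none adds `logger = logging.getLogger(__name__)`; presumably the module already defines it, which is worth confirming. If compatibility matters, `def log_messages(self, output, logger=logger):` keeps old callers working at the cost of one default argument. The method body continues outside the hunk.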
@@ -120,15 +122,15 @@ class _certmonger(_cm_dbus_object): err_name = e.get_dbus_name() if err_name not in ['org.freedesktop.DBus.Error.NoServer', 'org.freedesktop.DBus.Error.FileNotFound']: - root_logger.error("Failed to connect to certmonger over " - "SystemBus: %s" % e) + logger.error("Failed to connect to certmonger over " + "SystemBus: %s", e) raise try: self._private_sock = self._start_private_conn() self._bus = dbus.connection.Connection(self._private_sock) except dbus.DBusException as e: - root_logger.error("Failed to connect to certmonger over " - "private socket: %s" % e) + logger.error("Failed to connect to certmonger over " + "private socket: %s", e) raise else: try: @@ -137,7 +139,7 @@ class _certmonger(_cm_dbus_object): try: services.knownservices.certmonger.start() except Exception as e: - root_logger.error("Failed to start certmonger: %s" % e) + logger.error("Failed to start certmonger: %s", e) raise for _t in range(0, self.timeout, 5): @@ -214,7 +216,7 @@ def get_request_value(request_id, directive): try: request = _get_request(dict(nickname=request_id)) except RuntimeError as e: - root_logger.error('Failed to get request: %s' % e) + logger.error('Failed to get request: %s', e) raise if request: if directive == 'ca-name': @@ -242,7 +244,7 @@ def get_request_id(criteria): try: request = _get_request(criteria) except RuntimeError as e: - root_logger.error('Failed to get request: %s' % e) + logger.error('Failed to get request: %s', e) raise if request: return request.prop_if.Get(DBUS_CM_REQUEST_IF, 'nickname') @@ -272,7 +274,7 @@ def add_request_value(request_id, directive, value): try: request = _get_request({'nickname': request_id}) except RuntimeError as e: - root_logger.error('Failed to get request: %s' % e) + logger.error('Failed to get request: %s', e) raise if request: request.obj_if.modify({directive: value}) 
@@ -381,8 +383,7 @@ def request_cert( else: raise RuntimeError('add_request() returned False') except Exception as e: - root_logger.error('Failed to create a new request: {error}' - .format(error=e)) + logger.error('Failed to create a new request: %s', e) raise return request.obj_if.get_nickname() @@ -471,8 +472,7 @@ def start_tracking( else: raise RuntimeError('add_request() returned False') except Exception as e: - root_logger.error('Failed to add new request: {error}' - .format(error=e)) + logger.error('Failed to add new request: %s', e) raise return request.prop_if.Get(DBUS_CM_REQUEST_IF, 'nickname') @@ -501,7 +501,7 @@ def stop_tracking(secdir=None, request_id=None, nickname=None, certfile=None): try: request = _get_request(criteria) except RuntimeError as e: - root_logger.error('Failed to get request: %s' % e) + logger.error('Failed to get request: %s', e) raise if request: request.parent.obj_if.remove_request(request.path) @@ -633,7 +633,7 @@ def check_state(dirs): def wait_for_request(request_id, timeout=120): for _i in range(0, timeout, 5): state = get_request_value(request_id, 'status') - root_logger.debug("certmonger request is in state %r", state) + logger.debug("certmonger request is in state %r", state) if state in ('CA_REJECTED', 'CA_UNREACHABLE', 'CA_UNCONFIGURED', 'NEED_GUIDANCE', 'NEED_CA', 'MONITORING'): break diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py index 91ea513..630912d 100644 --- a/ipalib/install/kinit.py +++ b/ipalib/install/kinit.py @@ -2,15 +2,17 @@ # Copyright (C) 2016 FreeIPA Contributors see COPYING for license # +import logging import os import time import gssapi from ipaplatform.paths import paths -from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import run +logger = logging.getLogger(__name__) + # Cannot contact any KDC for requested realm KRB5_KDC_UNREACH = 2529639068 
@@ -27,9 +29,9 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): """ errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE, KRB5_KDC_UNREACH} - root_logger.debug("Initializing principal %s using keytab %s" - % (principal, keytab)) - root_logger.debug("using ccache %s" % ccache_name) + logger.debug("Initializing principal %s using keytab %s", + principal, keytab) + logger.debug("using ccache %s", ccache_name) for attempt in range(1, attempts + 1): old_config = os.environ.get('KRB5_CONFIG') if config is not None: @@ -41,19 +43,17 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): store = {'ccache': ccache_name, 'client_keytab': keytab} cred = gssapi.Credentials(name=name, store=store, usage='initiate') - root_logger.debug("Attempt %d/%d: success" - % (attempt, attempts)) + logger.debug("Attempt %d/%d: success", attempt, attempts) return cred except gssapi.exceptions.GSSError as e: if e.min_code not in errors_to_retry: # pylint: disable=no-member raise - root_logger.debug("Attempt %d/%d: failed: %s" - % (attempt, attempts, e)) + logger.debug("Attempt %d/%d: failed: %s", attempt, attempts, e) if attempt == attempts: - root_logger.debug("Maximum number of attempts (%d) reached" - % attempts) + logger.debug("Maximum number of attempts (%d) reached", + attempts) raise - root_logger.debug("Waiting 5 seconds before next retry") + logger.debug("Waiting 5 seconds before next retry") time.sleep(5) finally: if old_config is not None: 
@@ -69,22 +69,22 @@ def kinit_password(principal, password, ccache_name, config=None, web-based authentication, use armor_ccache_path to specify http service ccache. """ - root_logger.debug("Initializing principal %s using password" % principal) + logger.debug("Initializing principal %s using password", principal) args = [paths.KINIT, principal, '-c', ccache_name] if armor_ccache_name is not None: - root_logger.debug("Using armor ccache %s for FAST webauth" - % armor_ccache_name) + logger.debug("Using armor ccache %s for FAST webauth", + armor_ccache_name) args.extend(['-T', armor_ccache_name]) if lifetime: args.extend(['-l', lifetime]) if canonicalize: - root_logger.debug("Requesting principal canonicalization") + logger.debug("Requesting principal canonicalization") args.append('-C') if enterprise: - root_logger.debug("Using enterprise principal") + logger.debug("Using enterprise principal") args.append('-E') env = {'LC_ALL': 'C'} @@ -111,7 +111,7 @@ def kinit_armor(ccache_name, pkinit_anchors=None): :raises: CalledProcessError if the anonymous PKINIT fails """ - root_logger.debug("Initializing anonymous ccache") + logger.debug("Initializing anonymous ccache") env = {'LC_ALL': 'C'} args = [paths.KINIT, '-n', '-c', ccache_name] diff --git a/ipalib/install/sysrestore.py b/ipalib/install/sysrestore.py index 5c21956..b2e1a00 100644 --- a/ipalib/install/sysrestore.py +++ b/ipalib/install/sysrestore.py @@ -23,10 +23,10 @@ # parts of the system configuration to the way it was # before ipa-server-install was first run +import logging import os import os.path import shutil -from ipapython.ipa_log_manager import root_logger import random import six @@ -44,6 +44,8 @@ from ipaplatform.paths import paths if six.PY3: unicode = str +logger = logging.getLogger(__name__) + SYSRESTORE_PATH = paths.TMP SYSRESTORE_INDEXFILE = "sysrestore.index" SYSRESTORE_STATEFILE = "sysrestore.state" 
@@ -72,7 +74,7 @@ class FileStore(object): be an empty dictionary if the file doesn't exist. """ - root_logger.debug("Loading Index file from '%s'", self._index) + logger.debug("Loading Index file from '%s'", self._index) self.files = {} @@ -90,10 +92,10 @@ class FileStore(object): """Save the file list to @_index. If @files is an empty dict, then @_index should be removed. """ - root_logger.debug("Saving Index File to '%s'", self._index) + logger.debug("Saving Index File to '%s'", self._index) if len(self.files) == 0: - root_logger.debug(" -> no files, removing file") + logger.debug(" -> no files, removing file") if os.path.exists(self._index): os.remove(self._index) return @@ -113,13 +115,13 @@ class FileStore(object): does not already exist - which will be restored to its original location by restore_files(). """ - root_logger.debug("Backing up system configuration file '%s'", path) + logger.debug("Backing up system configuration file '%s'", path) if not os.path.isabs(path): raise ValueError("Absolute path required") if not os.path.isfile(path): - root_logger.debug(" -> Not backing up - '%s' doesn't exist", path) + logger.debug(" -> Not backing up - '%s' doesn't exist", path) return _reldir, backupfile = os.path.split(path) @@ -132,7 +134,8 @@ class FileStore(object): backup_path = os.path.join(self._path, filename) if os.path.exists(backup_path): - root_logger.debug(" -> Not backing up - already have a copy of '%s'", path) + logger.debug(" -> Not backing up - already have a copy of '%s'", + path) return shutil.copy2(path, backup_path) 
@@ -168,9 +171,11 @@ class FileStore(object): """ if new_path is None: - root_logger.debug("Restoring system configuration file '%s'", path) + logger.debug("Restoring system configuration file '%s'", + path) else: - root_logger.debug("Restoring system configuration file '%s' to '%s'", path, new_path) + logger.debug("Restoring system configuration file '%s' to '%s'", + path, new_path) if not os.path.isabs(path): raise ValueError("Absolute path required") @@ -193,7 +198,8 @@ class FileStore(object): backup_path = os.path.join(self._path, filename) if not os.path.exists(backup_path): - root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path) + logger.debug(" -> Not restoring - '%s' doesn't exist", + backup_path) return False if new_path is not None: @@ -229,7 +235,8 @@ class FileStore(object): backup_path = os.path.join(self._path, filename) if not os.path.exists(backup_path): - root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path) + logger.debug(" -> Not restoring - '%s' doesn't exist", + backup_path) continue shutil.copy(backup_path, path) # SELinux needs copy @@ -263,7 +270,7 @@ class FileStore(object): was no backup file to restore """ - root_logger.debug("Untracking system configuration file '%s'", path) + logger.debug("Untracking system configuration file '%s'", path) if not os.path.isabs(path): raise ValueError("Absolute path required") @@ -281,13 +288,14 @@ class FileStore(object): backup_path = os.path.join(self._path, filename) if not os.path.exists(backup_path): - root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path) + logger.debug(" -> Not restoring - '%s' doesn't exist", + backup_path) return False try: os.unlink(backup_path) except Exception as e: - root_logger.error('Error removing %s: %s' % (backup_path, str(e))) + logger.error('Error removing %s: %s', backup_path, str(e)) del self.files[filename] self.save() 
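Review bot: In the -281 hunk a failed `os.unlink(backup_path)` is only logged, and the lines after it appear to delete the entry from `self.files` and save the index anyway (indentation is lost on this page, so confirm the `del` sits outside the `except`). That would leave a copy of a system configuration file in the sysrestore directory that the index no longer tracks, so no later restore or uninstall removes it. I would narrow the handler and say what was left behind: `except OSError as e:` with `logger.error('Error removing %s: %s; backup copy left in place', backup_path, e)`, which also drops the redundant `str(e)`. The enclosing method starts outside the hunk.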
@@ -329,7 +337,7 @@ class StateFile(object): """Load the modules from the file @_path. @modules will be an empty dictionary if the file doesn't exist. """ - root_logger.debug("Loading StateFile from '%s'", self._path) + logger.debug("Loading StateFile from '%s'", self._path) self.modules = {} @@ -350,14 +358,14 @@ class StateFile(object): """Save the modules to @_path. If @modules is an empty dict, then @_path should be removed. """ - root_logger.debug("Saving StateFile to '%s'", self._path) + logger.debug("Saving StateFile to '%s'", self._path) for module in list(self.modules): if len(self.modules[module]) == 0: del self.modules[module] if len(self.modules) == 0: - root_logger.debug(" -> no modules, removing file") + logger.debug(" -> no modules, removing file") if os.path.exists(self._path): os.remove(self._path) return diff --git a/ipalib/plugable.py b/ipalib/plugable.py index efe7316..f6f25e8 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -441,7 +441,7 @@ class API(ReadOnly): parser = self.build_global_parser() self.parser = parser - root_logger = ipa_log_manager.root_logger + root_logger = logging.getLogger() # If logging has already been configured somewhere else (like in the # installer), don't add handlers or change levels: diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 210eef6..8635894 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -56,7 +56,6 @@ from ipalib.errors import (public_errors, UnknownError, NetworkError, XMLRPCMarshallError, JSONError) from ipalib import errors, capabilities from ipalib.request import context, Connection -from ipapython.ipa_log_manager import root_logger from ipapython import ipautil from ipapython import session_storage from ipapython.cookie import Cookie 
@@ -542,7 +541,7 @@ class SSLTransport(LanguageAwareTransport): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: - root_logger.debug("HTTP connection keep-alive (%s)", host) + logger.debug("HTTP connection keep-alive (%s)", host) return self._connection[1] conn = create_https_connection( @@ -552,7 +551,7 @@ class SSLTransport(LanguageAwareTransport): tls_version_max=api.env.tls_version_max) conn.connect() - root_logger.debug("New HTTP connection (%s)", host) + logger.debug("New HTTP connection (%s)", host) self._connection = host, conn return self._connection[1] @@ -715,13 +714,13 @@ class KerbTransport(SSLTransport): # keep-alive connection was terminated by remote peer, close # connection and let transport handle reconnect for us. self.close() - root_logger.debug("HTTP server has closed connection (%s)", host) + logger.debug("HTTP server has closed connection (%s)", host) raise except BaseException as e: # Unexpected exception may leave connections in a bad state. self.close() - root_logger.debug("HTTP connection destroyed (%s)", - host, exc_info=True) + logger.debug("HTTP connection destroyed (%s)", + host, exc_info=True) raise if six.PY3: @@ -781,8 +780,8 @@ class KerbTransport(SSLTransport): principal = getattr(context, 'principal', None) request_url = getattr(context, 'request_url', None) - root_logger.debug("received Set-Cookie (%s)'%s'", type(cookie_header), - cookie_header) + logger.debug("received Set-Cookie (%s)'%s'", type(cookie_header), + cookie_header) if not isinstance(cookie_header, list): cookie_header = [cookie_header] 
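Review bot: The -781 hunk still writes the raw `Set-Cookie` header to the log, and the -799 hunk on the next line logs `cookie_string` together with the principal. If that cookie is the session credential, as the `session_cookie` name suggests, anyone who can read a debug log or a log excerpt attached to a bug report obtains a reusable session token. I would log the event and not the value: `logger.debug("received Set-Cookie header (%s)", type(cookie_header))` and `logger.debug("storing session cookie for principal %s", principal)`. The parse-error path in -799 could likewise log only `e` instead of `cookie_header`. Both methods continue outside the hunks.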
@@ -799,14 +798,16 @@ class KerbTransport(SSLTransport): if session_cookie is not None: break except Exception as e: - root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e) + logger.error("unable to parse cookie header '%s': %s", + cookie_header, e) return if session_cookie is None: return cookie_string = self._slice_session_cookie(session_cookie) - root_logger.debug("storing cookie '%s' for principal %s", cookie_string, principal) + logger.debug("storing cookie '%s' for principal %s", + cookie_string, principal) try: update_persistent_client_session_data(principal, cookie_string) except Exception as e: @@ -1210,7 +1211,7 @@ class JSONServerProxy(object): payload, version, pretty_print=print_json) if print_json: - root_logger.info( + logger.info( 'Request: %s', payload ) @@ -1223,7 +1224,7 @@ class JSONServerProxy(object): ) if print_json: - root_logger.info( + logger.info( 'Response: %s', json.dumps(json.loads(response), sort_keys=True, indent=4) ) diff --git a/ipalib/util.py b/ipalib/util.py index ea4c152..880d2bc 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -59,8 +59,6 @@ from ipapython.ssh import SSHPublicKey from ipapython.dn import DN, RDN from ipapython.dnsutil import DNSName from ipapython.dnsutil import resolve_ip_addresses -from ipapython.ipa_log_manager import root_logger - if six.PY3: unicode = str 
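Review bot: With `print_json` set, the -1210 and -1223 hunks log the complete request payload and response at INFO, which can expose any secrets they carry. Whether they do is not visible in these hunks, but request arguments may include passwords and responses may include generated ones. Records from a module-level logger propagate to every handler on the root logger, including file handlers. A comment above the first call would make the intent explicit: `# print_json is a debugging aid: payload may contain secrets, do not enable while logging to a shared file`. The enclosing method starts and ends outside the hunks.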
@@ -235,17 +233,13 @@ def get_proper_tls_version_span(tls_version_min, tls_version_max): if min_version_idx < min_allowed_idx: min_version_idx = min_allowed_idx - root_logger.warning("tls_version_min set too low ('{old}')," - "using '{new}' instead" - .format(old=tls_version_min, - new=TLS_VERSIONS[min_version_idx])) + logger.warning("tls_version_min set too low ('%s'),using '%s' instead", + tls_version_min, TLS_VERSIONS[min_version_idx]) if max_version_idx < min_allowed_idx: max_version_idx = min_version_idx - root_logger.warning("tls_version_max set too low ('{old}')," - "using '{new}' instead" - .format(old=tls_version_max, - new=TLS_VERSIONS[max_version_idx])) + logger.warning("tls_version_max set too low ('%s'),using '%s' instead", + tls_version_max, TLS_VERSIONS[max_version_idx]) return TLS_VERSIONS[min_version_idx:max_version_idx+1] @@ -1114,7 +1108,7 @@ def check_principal_realm_in_trust_namespace(api_instance, *keys): def no_matching_interface_for_ip_address_warning(addr_list): for ip in addr_list: if not ip.get_matching_interface(): - root_logger.warning( + logger.warning( "No network interface matches the IP address %s", ip) # fixme: once when loggers will be fixed, we can remove this # print diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 8fae1f3..5468864 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -22,6 +22,7 @@ Contains Red Hat OS family-specific service class implementations. """ +import logging import os import time import contextlib @@ -30,9 +31,10 @@ from ipaplatform.tasks import tasks from ipaplatform.base import services as base_services from ipapython import ipautil, dogtag -from ipapython.ipa_log_manager import root_logger from ipaplatform.paths import paths +logger = logging.getLogger(__name__) + # Mappings from service names as FreeIPA code references to these services # to their actual systemd service names 
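Review bot: Both warnings in the -235 hunk render with no space after the comma, as `('%s'),using '%s' instead`. The old implicit string concatenation had the same gap, and with the format string now on one line it is easy to correct: `"tls_version_min set too low ('%s'), using '%s' instead"`, and likewise for `tls_version_max`. Separately, the hunks shown for ipalib/util.py remove the `root_logger` import but none adds a module-level `logger`. Presumably one already exists; if not, these lines raise NameError in exactly the case where a too-low TLS floor is being corrected.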
@@ -189,7 +191,7 @@ class RedHatIPAService(RedHatService): class RedHatCAService(RedHatService): def wait_until_running(self): - root_logger.debug('Waiting until the CA is running') + logger.debug('Waiting until the CA is running') timeout = float(self.api.env.startup_timeout) op_timeout = time.time() + timeout while time.time() < op_timeout: @@ -198,10 +200,10 @@ class RedHatCAService(RedHatService): status = dogtag.ca_status(self.api.env.host) except Exception as e: status = 'check interrupted due to error: %s' % e - root_logger.debug('The CA status is: %s' % status) + logger.debug('The CA status is: %s', status) if status == 'running': break - root_logger.debug('Waiting for CA to start...') + logger.debug('Waiting for CA to start...') time.sleep(1) else: raise RuntimeError('CA did not start in %ss' % timeout) @@ -230,8 +232,8 @@ class RedHatCAService(RedHatService): self.wait_until_running() return True except Exception as e: - root_logger.debug( - 'Failed to check CA status: {err}'.format(err=e) + logger.debug( + 'Failed to check CA status: %s', e ) return False diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 07efeba..3d83aa0 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -41,7 +41,7 @@ from cffi import FFI from pyasn1.error import PyAsn1Error from six.moves import urllib -from ipapython.ipa_log_manager import root_logger, log_mgr +from ipapython.ipa_log_manager import log_mgr from ipapython import ipautil import ipapython.errors @@ -229,11 +229,11 @@ class RedHatTaskNamespace(BaseTaskNamespace): try: ipautil.run([paths.UPDATE_CA_TRUST]) except CalledProcessError as e: - root_logger.error( + log.error( "Could not update systemwide CA trust database: %s", e) return False else: - root_logger.info("Systemwide CA database updated.") + log.info("Systemwide CA database updated.") return True def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): 
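Review bot: The calls in ipaplatform/redhat/tasks.py, from the -229 hunk onward, are switched to `log` rather than to a `logging.getLogger(__name__)` logger as in every other file of this commit, and the import hunk keeps `log_mgr`. `log` is not defined in any visible hunk; presumably it is an existing `log_mgr`-based module logger. If so, this file still depends on the log manager the commit is moving away from, and records from it may be named and filtered differently from the rest. For consistency I would add `import logging` and `logger = logging.getLogger(__name__)`, then use `logger.error(...)` and the like here too.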
@@ -248,7 +248,7 @@ class RedHatTaskNamespace(BaseTaskNamespace): try: os.remove(new_cacert_path) except OSError as e: - root_logger.error( + log.error( "Could not remove %s: %s", new_cacert_path, e) return False @@ -257,7 +257,7 @@ class RedHatTaskNamespace(BaseTaskNamespace): try: f = open(new_cacert_path, 'w') except IOError as e: - root_logger.info("Failed to open %s: %s" % (new_cacert_path, e)) + log.info("Failed to open %s: %s", new_cacert_path, e) return False f.write("# This file was created by IPA. Do not edit.\n" @@ -271,7 +271,7 @@ class RedHatTaskNamespace(BaseTaskNamespace): serial_number = x509.get_der_serial_number(cert, x509.DER) public_key_info = x509.get_der_public_key_info(cert, x509.DER) except (PyAsn1Error, ValueError, CertificateError) as e: - root_logger.warning( + log.warning( "Failed to decode certificate \"%s\": %s", nickname, e) continue @@ -311,7 +311,7 @@ class RedHatTaskNamespace(BaseTaskNamespace): try: ext_key_usage = x509.encode_ext_key_usage(ext_key_usage) except PyAsn1Error as e: - root_logger.warning( + log.warning( "Failed to encode extended key usage for \"%s\": %s", nickname, e) continue @@ -348,7 +348,7 @@ class RedHatTaskNamespace(BaseTaskNamespace): try: os.remove(new_cacert_path) except OSError as e: - root_logger.error( + log.error( "Could not remove %s: %s", new_cacert_path, e) result = False else: @@ -376,8 +376,8 @@ class RedHatTaskNamespace(BaseTaskNamespace): try: self.set_hostname(old_hostname) except ipautil.CalledProcessError as e: - root_logger.debug(traceback.format_exc()) - root_logger.error( + log.debug("%s", traceback.format_exc()) + log.error( "Failed to restore this machine hostname to %s (%s).", old_hostname, e ) 
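Review bot: The failure to open the new CA bundle is logged with `log.info("Failed to open %s: %s", new_cacert_path, e)` although the method then returns False, while the neighbouring failure paths in the same class (`Could not remove %s`, `Could not update systemwide CA trust database`) use `log.error`. A trust-store write that did not happen should not sit below the default warning threshold; I would change the call to `log.error("Failed to open %s: %s", new_cacert_path, e)`. The enclosing method begins outside this hunk.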
@@ -481,12 +481,12 @@ class RedHatTaskNamespace(BaseTaskNamespace): os.unlink(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF) except OSError as e: if e.errno == errno.ENOENT: - root_logger.debug( + log.debug( 'Trying to remove %s but file does not exist', paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF ) else: - root_logger.error( + log.error( 'Error removing %s: %s', paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, e ) diff --git a/ipapython/admintool.py b/ipapython/admintool.py index 1143bf9..329e20f 100644 --- a/ipapython/admintool.py +++ b/ipapython/admintool.py @@ -30,7 +30,6 @@ from optparse import OptionGroup # pylint: disable=deprecated-module from ipapython import version from ipapython import config -from ipapython import ipa_log_manager from ipapython.ipa_log_manager import standard_logging_setup logger = logging.getLogger(__name__) @@ -233,7 +232,7 @@ class AdminTool(object): Logging to file is only set up after option validation and prompting; before that, all output will go to the console only. """ - root_logger = ipa_log_manager.root_logger + root_logger = logging.getLogger() for handler in root_logger.handlers: if (isinstance(handler, logging.StreamHandler) and handler.stream is sys.stderr): # pylint: disable=no-member diff --git a/ipapython/certdb.py b/ipapython/certdb.py index aa9bdaa..3a1fe70 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -18,6 +18,7 @@ # import collections +import logging import os import io import pwd @@ -32,7 +33,6 @@ from cryptography.hazmat.primitives import serialization import cryptography.x509 from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger from ipapython.kerberos import Principal from ipapython import ipautil from ipalib import x509 # pylint: disable=ipa-forbidden-import @@ -51,6 +51,8 @@ else: OPENSSL = paths.OPENSSL +logger = logging.getLogger(__name__) + CA_NICKNAME_FMT = "%s IPA CA" NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") 
@@ -318,7 +320,7 @@ class NSSDatabase(object): if os.path.exists(backup_path): os.rename(backup_path, path) except OSError as e: - root_logger.debug(e) + logger.debug('%s', e) def list_certs(self): """Return nicknames and cert flags for all certs in the database @@ -459,8 +461,9 @@ class NSSDatabase(object): x509.load_certificate(match.group(2)) except ValueError as e: if label != 'CERTIFICATE': - root_logger.warning( - "Skipping certificate in %s at line %s: %s", + logger.warning( + "Skipping certificate in %s at line %s: " + "%s", filename, line, e) continue else: @@ -473,11 +476,12 @@ class NSSDatabase(object): certs = x509.pkcs7_to_pems(body) except ipautil.CalledProcessError as e: if label == 'CERTIFICATE': - root_logger.warning( - "Skipping certificate in %s at line %s: %s", + logger.warning( + "Skipping certificate in %s at line %s: " + "%s", filename, line, e) else: - root_logger.warning( + logger.warning( "Skipping PKCS#7 in %s at line %s: %s", filename, line, e) continue @@ -512,7 +516,7 @@ class NSSDatabase(object): result = ipautil.run( args, stdin=body, capture_output=True) except ipautil.CalledProcessError as e: - root_logger.warning( + logger.warning( "Skipping private key in %s at line %s: %s", filename, line, e) continue @@ -603,8 +607,8 @@ class NSSDatabase(object): def trust_root_cert(self, root_nickname, trust_flags): if root_nickname[:7] == "Builtin": - root_logger.debug( - "No need to add trust for built-in root CAs, skipping %s" % + logger.debug( + "No need to add trust for built-in root CAs, skipping %s", root_nickname) else: trust_flags = unparse_trust_flags(trust_flags) diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py index 011b722..b40302d 100644 --- a/ipapython/dnsutil.py +++ b/ipapython/dnsutil.py @@ -17,6 +17,8 @@ # along with this program. If not, see . # +import logging + import dns.name import dns.exception import dns.resolver 
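Review bot: In the first NSSDatabase hunk, the `except OSError` after `os.rename(backup_path, path)` now logs `logger.debug('%s', e)`, so the record carries only the exception text and no statement of what was being attempted. When a database file fails to be put back from its backup, the log should name both paths, e.g. `logger.debug('Failed to restore %s from %s: %s', path, backup_path, e)`. The enclosing method starts outside the hunk, so whether debug is the right level there cannot be judged from here.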
@@ -25,11 +27,12 @@ import copy import six from ipapython.ipautil import UnsafeIPAddress -from ipapython.ipa_log_manager import root_logger if six.PY3: unicode = str +logger = logging.getLogger(__name__) + @six.python_2_unicode_compatible class DNSName(dns.name.Name): @@ -308,18 +311,19 @@ def resolve_rrsets(fqdn, rdtypes): for rdtype in rdtypes: try: answer = dns.resolver.query(fqdn, rdtype) - root_logger.debug('found %d %s records for %s: %s', - len(answer), rdtype, fqdn, ' '.join( - str(rr) for rr in answer)) + logger.debug('found %d %s records for %s: %s', + len(answer), + rdtype, + fqdn, + ' '.join(str(rr) for rr in answer)) rrsets.append(answer.rrset) except dns.resolver.NXDOMAIN as ex: - root_logger.debug(ex) + logger.debug('%s', ex) break # no such FQDN, do not iterate except dns.resolver.NoAnswer as ex: - root_logger.debug(ex) # record type does not exist for given FQDN + logger.debug('%s', ex) # record type does not exist for given FQDN except dns.exception.DNSException as ex: - root_logger.error('DNS query for %s %s failed: %s', - fqdn, rdtype, ex) + logger.error('DNS query for %s %s failed: %s', fqdn, rdtype, ex) raise return rrsets @@ -338,7 +342,7 @@ def resolve_ip_addresses(fqdn): def check_zone_overlap(zone, raise_on_error=True): - root_logger.info("Checking DNS domain %s, please wait ..." % zone) + logger.info("Checking DNS domain %s, please wait ...", zone) if not isinstance(zone, DNSName): zone = DNSName(zone).make_absolute() 
@@ -354,15 +358,15 @@ def check_zone_overlap(zone, raise_on_error=True): if raise_on_error: raise ValueError(msg) else: - root_logger.warning(msg) + logger.warning('%s', msg) return if containing_zone == zone: try: ns = [ans.to_text() for ans in dns.resolver.query(zone, 'NS')] except dns.exception.DNSException as e: - root_logger.debug("Failed to resolve nameserver(s) for domain" - " {0}: {1}".format(zone, e)) + logger.debug("Failed to resolve nameserver(s) for domain %s: %s", + zone, e) ns = [] msg = u"DNS zone {0} already exists in DNS".format(zone) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 28f78b5..c198144 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -18,6 +18,7 @@ # import collections +import logging import xml.dom.minidom import six @@ -32,7 +33,6 @@ from ipalib.errors import NetworkError from ipalib.text import _ # pylint: enable=ipa-forbidden-import from ipapython import ipautil -from ipapython.ipa_log_manager import root_logger # Python 3 rename. The package is available in "six.moves.http_client", but # pylint cannot handle classes from that alias @@ -45,6 +45,8 @@ except ImportError: if six.PY3: unicode = str +logger = logging.getLogger(__name__) + Profile = collections.namedtuple('Profile', ['profile_id', 'description', 'store_issued']) INCLUDED_PROFILES = { @@ -203,8 +205,8 @@ def _httplib_request( connection_options = {} uri = u'%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path) - root_logger.debug('request %s %s', method, uri) - root_logger.debug('request body %r', request_body) + logger.debug('request %s %s', method, uri) + logger.debug('request body %r', request_body) headers = headers or {} if ( 
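Review bot: `_httplib_request` in ipapython/dogtag.py writes `request_body` verbatim with `logger.debug('request body %r', request_body)`, and the following hunk does the same for the response headers and body. The context line in `standard_logging_setup` further down this diff states that file output is always logged at debug level, so these payloads land in the log file regardless of console verbosity. What callers put in the body is not visible here, so this is a question rather than a finding: if any request can carry credentials or key material, it needs redaction the way `ipautil.run` applies `nolog_replace`. At minimum I would add a comment above the call such as `# NOTE: bodies are logged verbatim; callers must not pass secrets in request_body`. The function body starts outside the hunk.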
@@ -223,11 +225,11 @@ def _httplib_request( http_body = res.read() conn.close() except Exception as e: - root_logger.debug("httplib request failed:", exc_info=True) + logger.debug("httplib request failed:", exc_info=True) raise NetworkError(uri=uri, error=str(e)) - root_logger.debug('response status %d', http_status) - root_logger.debug('response headers %s', http_headers) - root_logger.debug('response body %r', http_body) + logger.debug('response status %d', http_status) + logger.debug('response headers %s', http_headers) + logger.debug('response body %r', http_body) return http_status, http_headers, http_body diff --git a/ipapython/ipa_log_manager.py b/ipapython/ipa_log_manager.py index 5dd9549..347d152 100644 --- a/ipapython/ipa_log_manager.py +++ b/ipapython/ipa_log_manager.py @@ -150,6 +150,7 @@ def standard_logging_setup(filename=None, verbose=False, debug=False, if console_format is None: console_format = LOGGING_FORMAT_STANDARD_CONSOLE + root_logger = logging.getLogger() root_logger.setLevel(logging.DEBUG) # File output is always logged at debug level @@ -178,4 +179,5 @@ def standard_logging_setup(filename=None, verbose=False, debug=False, # Single shared instance of log manager log_mgr = sys.modules[__name__] -root_logger = logging.getLogger() +root_logger = _DeprecatedLogger(logging.getLogger(), + '{}.log_mgr.root_logger'.format(__name__)) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 1bb48d4..d2b5abb 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -20,6 +20,7 @@ from __future__ import print_function import codecs +import logging import string import tempfile import subprocess @@ -50,9 +51,10 @@ import six from six.moves import input from six.moves import urllib -from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN +logger = logging.getLogger(__name__) + # only for OTP password that is manually retyped by user TMP_PWD_ENTROPY_BITS = 128 
@@ -197,7 +199,7 @@ class CheckedIPAddress(UnsafeIPAddress): :return: InterfaceDetails named tuple or None if no interface has this address """ - root_logger.debug("Searching for an interface of IP address: %s", self) + logger.debug("Searching for an interface of IP address: %s", self) if self.version == 4: family = netifaces.AF_INET elif self.version == 6: @@ -223,7 +225,7 @@ class CheckedIPAddress(UnsafeIPAddress): addr=ifaddr, netmask=ifmask ) - root_logger.debug( + logger.debug( "Testing local IP address: %s (interface: %s)", ifaddrmask, interface) @@ -438,8 +440,8 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None, stdin = stdin.encode(encoding) arg_string = nolog_replace(' '.join(_log_arg(a) for a in args), nolog) - root_logger.debug('Starting external process') - root_logger.debug('args=%s' % arg_string) + logger.debug('Starting external process') + logger.debug('args=%s', arg_string) def preexec_fn(): if runas is not None: @@ -449,12 +451,11 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None, grp.getgrnam(group).gr_gid for group in suplementary_groups ] - root_logger.debug('runas=%s (UID %d, GID %s)', runas, - pent.pw_uid, pent.pw_gid) + logger.debug('runas=%s (UID %d, GID %s)', runas, + pent.pw_uid, pent.pw_gid) if suplementary_groups: for group, gid in zip(suplementary_groups, suplementary_gids): - root_logger.debug('suplementary_group=%s (GID %d)', - group, gid) + logger.debug('suplementary_group=%s (GID %d)', group, gid) os.setgroups(suplementary_gids) os.setregid(pent.pw_gid, pent.pw_gid) 
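Review bot: The `logger.debug('runas=...')` and `logger.debug('suplementary_group=...')` calls sit inside `preexec_fn` in `ipautil.run`, which executes in the forked child before exec. Logging handlers take locks, and if `run()` is ever called from a multi-threaded process a lock held by another thread at fork time would leave the child blocked; this predates the commit, but the lines are being rewritten here. I would resolve the UID/GID values and emit these two debug records in the parent before the `Popen` call, leaving only `os.setgroups`, `os.setregid` and the remaining privilege changes in `preexec_fn`. Part of `run()` lies outside the visible hunks, so the exact placement needs checking against the full function.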
@@ -469,17 +470,17 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None, preexec_fn=preexec_fn) stdout, stderr = p.communicate(stdin) except KeyboardInterrupt: - root_logger.debug('Process interrupted') + logger.debug('Process interrupted') p.wait() raise except: - root_logger.debug('Process execution failed') + logger.debug('Process execution failed') raise finally: if skip_output: p_out.close() # pylint: disable=E1103 - root_logger.debug('Process finished, return code=%s', p.returncode) + logger.debug('Process finished, return code=%s', p.returncode) # The command and its output may include passwords that we don't want # to log. Replace those. @@ -498,9 +499,9 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None, else: error_log = stderr output_log = nolog_replace(output_log, nolog) - root_logger.debug('stdout=%s' % output_log) + logger.debug('stdout=%s', output_log) error_log = nolog_replace(error_log, nolog) - root_logger.debug('stderr=%s' % error_log) + logger.debug('stderr=%s', error_log) if capture_output: if six.PY2: @@ -995,9 +996,9 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM, # Do not log udp failures as errors (to be consistent with # the rest of the code that checks for open ports) if socket_type == socket.SOCK_DGRAM: - root_logger.warning(msg) + logger.warning('%s', msg) else: - root_logger.error(msg) + logger.error('%s', msg) finally: if s is not None: s.close() @@ -1225,7 +1226,7 @@ def wait_for_open_ports(host, ports, timeout=0): if not isinstance(ports, (tuple, list)): ports = [ports] - root_logger.debug('wait_for_open_ports: %s %s timeout %d', host, ports, timeout) + logger.debug('wait_for_open_ports: %s %s timeout %d', host, ports, timeout) op_timeout = time.time() + timeout for port in ports: diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py index c6e4627..fc2b173 100644 --- a/ipaserver/advise/base.py +++ b/ipaserver/advise/base.py 
@@ -29,7 +29,7 @@ from ipalib.plugable import Plugin, API from ipalib.errors import ValidationError from ipaplatform.paths import paths from ipapython import admintool -from ipapython.ipa_log_manager import Filter, root_logger +from ipapython.ipa_log_manager import Filter """ @@ -508,6 +508,7 @@ class IpaAdvise(admintool.AdminTool): if not self.options.verbose: # Do not print connection information by default logger_name = r'ipalib\.rpc' + root_logger = logging.getLogger() root_logger.addFilter(Filter(logger_name, logging.WARNING)) # With no argument, print the list out and exit diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 6f67022..6de2194 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -29,7 +29,6 @@ import time from ipalib import api, _ from ipalib import errors from ipapython import ipautil -from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipaserver.install import installutils from ipalib.util import normalize_name @@ -470,7 +469,7 @@ class DomainValidator(object): return pysss_type_key_translation_dict.get(object_type) def get_trusted_domain_object_from_sid(self, sid): - root_logger.debug("Converting SID to object name: %s" % sid) + logger.debug("Converting SID to object name: %s", sid) # Check if the given SID is valid if not self.is_trusted_sid_valid(sid): @@ -488,7 +487,7 @@ class DomainValidator(object): return result.get(pysss_nss_idmap.NAME_KEY) # If unsuccessful, search AD DC LDAP - root_logger.debug("Searching AD DC LDAP") + logger.debug("Searching AD DC LDAP") escaped_sid = escape_filter_chars( security.dom_sid(sid).__ndr_pack__(), @@ -659,7 +658,7 @@ class DomainValidator(object): (principal, password) = self._admin_creds.split('%', 1) # Destroy the contents of the ccache - root_logger.debug('Destroying the contents of the separate ccache') + logger.debug('Destroying the contents of the separate ccache') ipautil.run( [paths.KDESTROY, '-A', '-c', ccache_path], 
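Review bot: The ipaserver/dcerpc.py import hunk removes `from ipapython.ipa_log_manager import root_logger` but no hunk in view adds `import logging` or `logger = logging.getLogger(__name__)`, while the DomainValidator and TrustDomainInstance hunks all call `logger.debug(...)` / `logger.error(...)`. Presumably the module already binds `logger` in an earlier part of the file; if it does not, the first of these paths to run raises NameError, and several of them are error handlers around AD trust setup. Please confirm the binding exists, or add `logger = logging.getLogger(__name__)` after the imports as the other modules in this commit do.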
@@ -667,7 +666,7 @@ class DomainValidator(object): raiseonerr=False) # Destroy the contents of the ccache - root_logger.debug('Running kinit with credentials of AD administrator') + logger.debug('Running kinit with credentials of AD administrator') result = ipautil.run( [paths.KINIT, principal], @@ -743,9 +742,9 @@ class DomainValidator(object): msg = "Search on AD DC {host}:{port} failed with: {err}"\ .format(host=host, port=str(port), err=str(e)) if quiet: - root_logger.debug(msg) + logger.debug('%s', msg) else: - root_logger.warning(msg) + logger.warning('%s', msg) return entries @@ -944,15 +943,15 @@ class TrustDomainInstance(object): search_result = res['defaultNamingContext'][0] self.info['dns_hostname'] = res['dnsHostName'][0] except _ldap.LDAPError as e: - root_logger.error( - "LDAP error when connecting to %(host)s: %(error)s" % - dict(host=unicode(result.pdc_name), error=str(e))) + logger.error( + "LDAP error when connecting to %s: %s", + unicode(result.pdc_name), str(e)) except KeyError as e: - root_logger.error("KeyError: {err}, LDAP entry from {host} " - "returned malformed. Your DNS might be " - "misconfigured." - .format(host=unicode(result.pdc_name), - err=unicode(e))) + logger.error("KeyError: %s, LDAP entry from %s " + "returned malformed. Your DNS might be " + "misconfigured.", + unicode(e), + unicode(result.pdc_name)) if search_result: self.info['sid'] = self.parse_naming_context(search_result) @@ -1110,7 +1109,7 @@ class TrustDomainInstance(object): # Collision information contains entries for specific trusted domains # we collide with. Look into TLN collisions and add a TLN exclusion # entry to the specific domain trust. - root_logger.error("Attempt to solve forest trust topology conflicts") + logger.error("Attempt to solve forest trust topology conflicts") for rec in cinfo.entries: if rec.type == lsa.LSA_FOREST_TRUST_COLLISION_TDO: dominfo = self._pipe.lsaRQueryForestTrustInformation( 
@@ -1122,14 +1121,14 @@ class TrustDomainInstance(object): # trusted domain (forest). if not dominfo: result.append(rec) - root_logger.error("Unable to resolve conflict for " - "DNS domain %s in the forest %s " - "for domain trust %s. Trust cannot " - "be established unless this conflict " - "is fixed manually." - % (another_domain.info['dns_domain'], - self.info['dns_domain'], - rec.name.string)) + logger.error("Unable to resolve conflict for " + "DNS domain %s in the forest %s " + "for domain trust %s. Trust cannot " + "be established unless this conflict " + "is fixed manually.", + another_domain.info['dns_domain'], + self.info['dns_domain'], + rec.name.string) continue # Copy over the entries, extend with TLN exclusion 
@@ -1165,27 +1164,27 @@ class TrustDomainInstance(object): fti, 0) if cninfo: result.append(rec) - root_logger.error("When defining exception for DNS " - "domain %s in forest %s for " - "trusted forest %s, " - "got collision info back:\n%s" - % (another_domain.info['dns_domain'], - self.info['dns_domain'], - rec.name.string, - ndr_print(cninfo))) + logger.error("When defining exception for DNS " + "domain %s in forest %s for " + "trusted forest %s, " + "got collision info back:\n%s", + another_domain.info['dns_domain'], + self.info['dns_domain'], + rec.name.string, + ndr_print(cninfo)) else: result.append(rec) - root_logger.error("Unable to resolve conflict for " - "DNS domain %s in the forest %s " - "for in-forest domain %s. Trust cannot " - "be established unless this conflict " - "is fixed manually." - % (another_domain.info['dns_domain'], - self.info['dns_domain'], - rec.name.string)) + logger.error("Unable to resolve conflict for " + "DNS domain %s in the forest %s " + "for in-forest domain %s. Trust cannot " + "be established unless this conflict " + "is fixed manually.", + another_domain.info['dns_domain'], + self.info['dns_domain'], + rec.name.string) if len(result) == 0: - root_logger.error("Successfully solved all conflicts") + logger.error("Successfully solved all conflicts") raise TrustTopologyConflictSolved() # Otherwise, raise TrustTopologyConflictError() exception @@ -1217,9 +1216,9 @@ class TrustDomainInstance(object): ftlevel, ftinfo, 0) if cinfo: - root_logger.error("When setting forest trust information, " - "got collision info back:\n%s" - % (ndr_print(cinfo))) + logger.error("When setting forest trust information, " + "got collision info back:\n%s", + ndr_print(cinfo)) self.clear_ftinfo_conflict(another_domain, cinfo) def establish_trust(self, another_domain, trustdom_secret, 
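Review bot: `logger.error("Successfully solved all conflicts")` reports a success at error level, and the earlier TrustDomainInstance hunk does the same for the progress message `logger.error("Attempt to solve forest trust topology conflicts")`. Anything alerting on error-level records from this module will fire on a trust that was established correctly, which also dilutes the real conflict errors logged a few lines above. Unless the level is deliberate, I would use `logger.info("Successfully solved all conflicts")` and `logger.info("Attempt to solve forest trust topology conflicts")`.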
@@ -1310,8 +1309,8 @@ class TrustDomainInstance(object): trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) except RuntimeError as e: - root_logger.error( - 'unable to set trust transitivity status: %s' % (str(e))) + logger.error( + 'unable to set trust transitivity status: %s', str(e)) # Updating forest trust info may fail # If it failed due to topology conflict, it may be fixed automatically diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py index d4dc42e..9965028 100644 --- a/ipaserver/dns_data_management.py +++ b/ipaserver/dns_data_management.py @@ -4,6 +4,8 @@ from __future__ import absolute_import +import logging + import six from collections import defaultdict @@ -20,11 +22,12 @@ from time import sleep, time from ipalib import errors from ipalib.dns import record_name_format from ipapython.dnsutil import DNSName, resolve_rrsets -from ipapython.ipa_log_manager import root_logger if six.PY3: unicode=str +logger = logging.getLogger(__name__) + IPA_DEFAULT_MASTER_SRV_REC = ( # srv record name, port @@ -142,8 +145,8 @@ class IPASystemRecords(object): sleep(5) if not rrsets: - root_logger.error('unable to resolve host name %s to IP address, ' - 'ipa-ca DNS record will be incomplete', hostname) + logger.error('unable to resolve host name %s to IP address, ' + 'ipa-ca DNS record will be incomplete', hostname) return for rrset in rrsets: diff --git a/ipaserver/dnssec/ldapkeydb.py b/ipaserver/dnssec/ldapkeydb.py index 750d475..30c21ab 100644 --- a/ipaserver/dnssec/ldapkeydb.py +++ b/ipaserver/dnssec/ldapkeydb.py @@ -415,7 +415,6 @@ if __name__ == '__main__': # print information we think are useful to stdout # other garbage goes via logger to stderr ipa_log_manager.standard_logging_setup(debug=True) - log = ipa_log_manager.root_logger # IPA framework initialization # no logging to file 
@@ -425,10 +424,10 @@ if __name__ == '__main__': # LDAP initialization dns_dn = DN(ipalib.api.env.container_dns, ipalib.api.env.basedn) ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri) - log.debug('Connecting to LDAP') + logger.debug('Connecting to LDAP') # GSSAPI will be used, used has to be kinited already ldap.gssapi_bind() - log.debug('Connected') + logger.debug('Connected') ldapkeydb = LdapKeyDB(ldap, DN(('cn', 'keys'), ('cn', 'sec'), diff --git a/ipaserver/dnssec/odsmgr.py b/ipaserver/dnssec/odsmgr.py index 0bd92dc..6b181e2 100644 --- a/ipaserver/dnssec/odsmgr.py +++ b/ipaserver/dnssec/odsmgr.py @@ -209,4 +209,4 @@ if __name__ == '__main__': ipa_log_manager.standard_logging_setup(debug=True) ods = ODSMgr() reader = ods.get_ods_zonelist() - ipa_log_manager.root_logger.info('ODS zones: %s', reader.mapping) + logger.info('ODS zones: %s', reader.mapping) diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py index c84038b..76278a4 100644 --- a/ipaserver/install/adtrust.py +++ b/ipaserver/install/adtrust.py @@ -8,6 +8,7 @@ AD trust installer module from __future__ import print_function +import logging import os import six @@ -21,7 +22,6 @@ from ipapython.admintool import ScriptError from ipapython import ipaldap, ipautil from ipapython.dn import DN from ipapython.install.core import group, knob -from ipapython.ipa_log_manager import root_logger from ipaserver.install import adtrustinstance from ipaserver.install import service @@ -29,13 +29,15 @@ from ipaserver.install import service if six.PY3: unicode = str +logger = logging.getLogger(__name__) + netbios_name = None reset_netbios_name = False def netbios_name_error(name): - root_logger.error("\nIllegal NetBIOS name [%s].\n" % name) - root_logger.error( + logger.error("\nIllegal NetBIOS name [%s].\n", name) + logger.error( "Up to 15 characters and only uppercase ASCII letters, digits " "and dashes are allowed. Empty string is not allowed.") 
@@ -72,7 +74,7 @@ def retrieve_netbios_name(api): [flat_name_attr]) except errors.NotFound: # trust not configured - root_logger.debug("No previous trust configuration found") + logger.debug("No previous trust configuration found") return None else: return entry.get(flat_name_attr)[0] @@ -98,7 +100,7 @@ def set_and_check_netbios_name(netbios_name, unattended, api): if api.Backend.ldap2.isconnected(): cur_netbios_name = retrieve_netbios_name(api) else: - root_logger.debug( + logger.debug( "LDAP is not connected, can not retrieve NetBIOS name") if cur_netbios_name and not netbios_name: @@ -192,7 +194,7 @@ def retrieve_entries_without_sid(api): '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))' base_dn = api.env.basedn try: - root_logger.debug( + logger.debug( "Searching for objects with missing SID with " "filter=%s, base_dn=%s", filter, base_dn) entries, _truncated = api.Backend.ldap2.find_entries( @@ -202,7 +204,7 @@ def retrieve_entries_without_sid(api): # All objects have SIDs assigned pass except (errors.DatabaseError, errors.NetworkError) as e: - root_logger.error( + logger.error( "Could not retrieve a list of objects that need a SID " "identifier assigned: %s", e) @@ -214,7 +216,7 @@ def retrieve_and_ask_about_sids(api, options): if api.Backend.ldap2.isconnected(): entries = retrieve_entries_without_sid(api) else: - root_logger.debug( + logger.debug( "LDAP backend not connected, can not retrieve entries " "with missing SID") @@ -258,7 +260,7 @@ def retrieve_potential_adtrust_agents(api): dl_enabled_masters = api.Command.server_find( ipamindomainlevel=DOMAIN_LEVEL_0, all=True)['result'] except (errors.DatabaseError, errors.NetworkError) as e: - root_logger.error( + logger.error( "Could not retrieve a list of existing IPA masters: %s", e) return 
@@ -267,7 +269,7 @@ def retrieve_potential_adtrust_agents(api): adtrust_agents = api.Command.server_find( servrole=u'AD trust agent', all=True)['result'] except (errors.DatabaseError, errors.NetworkError) as e: - root_logger.error("Could not retrieve a list of adtrust agents: %s", e) + logger.error("Could not retrieve a list of adtrust agents: %s", e) return dl_enabled_master_cns = {m['cn'][0] for m in dl_enabled_masters} diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index f671c44..14c255b 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -19,6 +19,7 @@ from __future__ import print_function +import logging import os import errno import ldap @@ -40,7 +41,6 @@ from ipalib import errors, api from ipalib.util import normalize_zone from ipapython.dn import DN from ipapython import ipautil -from ipapython.ipa_log_manager import root_logger import ipapython.errors import ipaclient.install.ipachangeconf @@ -52,6 +52,8 @@ from ipaplatform.tasks import tasks if six.PY3: unicode = str +logger = logging.getLogger(__name__) + ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-' UPGRADE_ERROR = """ @@ -339,8 +341,8 @@ class ADTRUSTInstance(service.Service): # Abort if RID base needs to be added to more than one range if len(ranges_with_no_rid_base) != 1: - root_logger.critical("Found more than one local domain ID " - "range with no RID base set.") + logger.critical("Found more than one local domain ID " + "range with no RID base set.") raise RuntimeError("Too many ID ranges\n") # Abort if RID bases are too close @@ -372,8 +374,8 @@ class ADTRUSTInstance(service.Service): raise RuntimeError("Constraint violation.\n") except errors.NotFound as e: - root_logger.critical("ID range of the local domain not found, " - "define it and run again.") + logger.critical("ID range of the local domain not found, " + "define it and run again.") raise e def __reset_netbios_name(self): 
@@ -487,8 +489,8 @@ class ADTRUSTInstance(service.Service): wait_for_task(api.Backend.ldap2, task_dn) except Exception as e: - root_logger.warning("Exception occured during SID generation: {0}" - .format(str(e))) + logger.warning("Exception occured during SID generation: %s", + str(e)) def __add_s4u2proxy_target(self): """ @@ -549,8 +551,8 @@ class ADTRUSTInstance(service.Service): "-k", self.keytab]) except ipautil.CalledProcessError as e: if e.returncode != 5: - root_logger.critical("Failed to remove old key for %s" - % self.principal) + logger.critical("Failed to remove old key for %s", + self.principal) def srv_rec(self, host, port, prio): return "%(prio)d 100 %(port)d %(host)s" % dict(host=host,prio=prio,port=port) @@ -672,7 +674,8 @@ class ADTRUSTInstance(service.Service): self.cifs_hosts.append(normalize_zone(fqdn)) except Exception as e: - root_logger.critical("Checking replicas for cifs principals failed with error '%s'" % e) + logger.critical("Checking replicas for cifs principals failed " + "with error '%s'", e) def __enable_compat_tree(self): try: @@ -686,7 +689,8 @@ class ADTRUSTInstance(service.Service): current[lookup_nsswitch_name] = [config[1]] api.Backend.ldap2.update_entry(current) except Exception as e: - root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e) + logger.critical("Enabling nsswitch support in slapi-nis failed " + "with error '%s'", e) def __validate_server_hostname(self): hostname = socket.gethostname() @@ -702,7 +706,7 @@ class ADTRUSTInstance(service.Service): self.start() services.service('winbind', api).start() except Exception: - root_logger.critical("CIFS services failed to start") + logger.critical("CIFS services failed to start") def __stop(self): self.backup_state("running", self.is_running()) 
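Review bot: `except Exception: logger.critical("CIFS services failed to start")` in the last ADTRUSTInstance hunk discards the exception entirely, so the log says that startup failed but not why. Passing the traceback costs nothing now that the call uses the logging API directly: `logger.critical("CIFS services failed to start", exc_info=True)`. The same applies to `logger.critical("Failed to remove old key for %s", self.principal)` two hunks earlier, where the caught `CalledProcessError` is bound to `e` but never logged.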
@@ -734,12 +738,12 @@ class ADTRUSTInstance(service.Service): try: self.ldap_enable('ADTRUST', self.fqdn, None, self.suffix) except (ldap.ALREADY_EXISTS, errors.DuplicateEntry): - root_logger.info("ADTRUST Service startup entry already exists.") + logger.info("ADTRUST Service startup entry already exists.") try: self.ldap_enable('EXTID', self.fqdn, None, self.suffix) except (ldap.ALREADY_EXISTS, errors.DuplicateEntry): - root_logger.info("EXTID Service startup entry already exists.") + logger.info("EXTID Service startup entry already exists.") def __setup_sub_dict(self): self.sub_dict = dict(REALM = self.realm, diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 5ba3f05..12d4a01 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -20,6 +20,7 @@ from __future__ import absolute_import from __future__ import print_function +import logging import tempfile import os import pwd @@ -42,7 +43,6 @@ from ipaserver.install import sysupgrade from ipapython import ipautil from ipapython import dnsutil from ipapython.dnsutil import DNSName -from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipapython.admintool import ScriptError import ipalib @@ -62,6 +62,8 @@ from ipalib.util import (validate_zonemgr_str, normalize_zonemgr, if six.PY3: unicode = str +logger = logging.getLogger(__name__) + NAMED_CONF = paths.NAMED_CONF RESOLV_CONF = paths.RESOLV_CONF 
@@ -285,15 +287,15 @@ def read_reverse_zone(default, ip_address, allow_zone_overlap=False): if not zone: return None if not verify_reverse_zone(zone, ip_address): - root_logger.error("Invalid reverse zone %s for IP address %s" - % (zone, ip_address)) + logger.error("Invalid reverse zone %s for IP address %s", + zone, ip_address) continue if not allow_zone_overlap: try: dnsutil.check_zone_overlap(zone, raise_on_error=False) except ValueError as e: - root_logger.error("Reverse zone %s will not be used: %s" - % (zone, e)) + logger.error("Reverse zone %s will not be used: %s", + zone, e) continue break @@ -305,15 +307,14 @@ def get_auto_reverse_zones(ip_addresses): for ip in ip_addresses: if ipautil.reverse_record_exists(ip): # PTR exist there is no reason to create reverse zone - root_logger.info("Reverse record for IP address %s already " - "exists" % ip) + logger.info("Reverse record for IP address %s already exists", ip) continue default_reverse = get_reverse_zone_default(ip) try: dnsutil.check_zone_overlap(default_reverse) except ValueError: - root_logger.info("Reverse zone %s for IP address %s already exists" - % (default_reverse, ip)) + logger.info("Reverse zone %s for IP address %s already exists", + default_reverse, ip) continue auto_zones.append((ip, default_reverse)) return auto_zones @@ -463,7 +464,7 @@ def check_reverse_zones(ip_addresses, reverse_zones, options, unattended, if unattended: raise ScriptError(msg) else: - root_logger.warning(msg) + logger.warning('%s', msg) continue checked_reverse_zones.append(normalize_zone(rz)) 
@@ -483,11 +484,10 @@ def check_reverse_zones(ip_addresses, reverse_zones, options, unattended, # create reverse zone for IP addresses that does not have one for (ip, rz) in get_auto_reverse_zones(ips_missing_reverse): if options.auto_reverse: - root_logger.info("Reverse zone %s will be created" % rz) + logger.info("Reverse zone %s will be created", rz) checked_reverse_zones.append(rz) elif unattended: - root_logger.warning("Missing reverse record for IP address %s" - % ip) + logger.warning("Missing reverse record for IP address %s", ip) else: if ipautil.user_input("Do you want to create reverse zone for IP " "%s" % ip, True): @@ -497,7 +497,7 @@ def check_reverse_zones(ip_addresses, reverse_zones, options, unattended, return checked_reverse_zones -def check_forwarders(dns_forwarders, logger): +def check_forwarders(dns_forwarders): print("Checking DNS forwarders, please wait ...") forwarders_dnssec_valid = True for forwarder in dns_forwarders: @@ -508,8 +508,10 @@ def check_forwarders(dns_forwarders, logger): forwarders_dnssec_valid = False logger.warning("DNS server %s does not support DNSSEC: %s", forwarder, e) - logger.warning("Please fix forwarder configuration to enable DNSSEC support.\n" - "(For BIND 9 add directive \"dnssec-enable yes;\" to \"options {}\")") + logger.warning("Please fix forwarder configuration to enable " + "DNSSEC support.\n" + "(For BIND 9 add directive \"dnssec-enable yes;\" " + "to \"options {}\")") print("DNS server %s: %s" % (forwarder, e)) print("Please fix forwarder configuration to enable DNSSEC support.") print("(For BIND 9 add directive \"dnssec-enable yes;\" to \"options {}\")") 
@@ -534,7 +536,7 @@ def remove_master_dns_records(hostname, realm): bind.remove_server_ns_records(hostname) -def ensure_dnsserver_container_exists(ldap, api_instance, logger=None): +def ensure_dnsserver_container_exists(ldap, api_instance, logger=logger): """ Create cn=servers,cn=dns,$SUFFIX container. If logger is not None, emit a message that the container already exists when DuplicateEntry is raised @@ -550,8 +552,7 @@ def ensure_dnsserver_container_exists(ldap, api_instance, logger=None): try: ldap.add_entry(entry) except errors.DuplicateEntry: - if logger is not None: - logger.debug('cn=servers,cn=dns container already exists') + logger.debug('cn=servers,cn=dns container already exists') class DnsBackup(object): @@ -729,7 +730,7 @@ class BindInstance(service.Service): self.backup_state("running", self.is_running()) self.restart() except Exception as e: - root_logger.error("Named service failed to start (%s)", e) + logger.error("Named service failed to start (%s)", e) print("named service failed to start") def __enable(self): @@ -745,7 +746,7 @@ class BindInstance(service.Service): except errors.DuplicateEntry: # service already exists (forced DNS reinstall) # don't crash, just report error - root_logger.error("DNS service already exists") + logger.error("DNS service already exists") # disable named, we need to run named-pkcs11 only if self.get_state("named-regular-running") is None: @@ -755,12 +756,12 @@ class BindInstance(service.Service): try: self.named_regular.stop() except Exception as e: - root_logger.debug("Unable to stop named (%s)", e) + logger.debug("Unable to stop named (%s)", e) try: self.named_regular.mask() except Exception as e: - root_logger.debug("Unable to mask named (%s)", e) + logger.debug("Unable to mask named (%s)", e) def __setup_sub_dict(self): self.sub_dict = dict( 
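Review bot: `ensure_dnsserver_container_exists` now calls `logger.debug(...)` unconditionally in the `DuplicateEntry` handler, but it still accepts a `logger` argument and its docstring still says "If logger is not None, emit a message". A caller that passes `logger=None` explicitly (the previous default) would now hit an `AttributeError` inside the exception handler instead of silently continuing. Either keep the guard, `if logger is not None:` before the `logger.debug('cn=servers,cn=dns container already exists')` line, or drop the parameter as was done for `check_forwarders` and update the docstring. The `logger=logger` default also shadows the module-level name inside the function and is bound once at definition time. The function body spans two hunks and its middle is not visible here.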
@@ -823,7 +824,7 @@ class BindInstance(service.Service): result = self.api.Command.dnszone_find() for zone in result['result']: zone = unicode(zone['idnsname'][0]) # we need unicode due to backup - root_logger.debug("adding self NS to zone %s apex", zone) + logger.debug("adding self NS to zone %s apex", zone) add_ns_rr(zone, ns_hostname, self.dns_backup, force=True, api=self.api) @@ -864,7 +865,7 @@ class BindInstance(service.Service): addrs = installutils.resolve_ip_addresses_nss(fqdn) - root_logger.debug("Adding DNS records for master %s" % fqdn) + logger.debug("Adding DNS records for master %s", fqdn) self.__add_master_records(fqdn, addrs) def __setup_principal(self): @@ -898,8 +899,8 @@ class BindInstance(service.Service): except ldap.TYPE_OR_VALUE_EXISTS: pass except Exception as e: - root_logger.critical("Could not modify principal's %s entry: %s" \ - % (dns_principal, str(e))) + logger.critical("Could not modify principal's %s entry: %s", + dns_principal, str(e)) raise # bind-dyndb-ldap persistent search feature requires both size and time @@ -911,8 +912,8 @@ class BindInstance(service.Service): try: api.Backend.ldap2.modify_s(dns_principal, mod) except Exception as e: - root_logger.critical("Could not set principal's %s LDAP limits: %s" \ - % (dns_principal, str(e))) + logger.critical("Could not set principal's %s LDAP limits: %s", + dns_principal, str(e)) raise def __setup_named_conf(self): @@ -983,7 +984,7 @@ class BindInstance(service.Service): resolv_fd.write(resolv_txt) resolv_fd.close() except IOError as e: - root_logger.error('Could not write to resolv.conf: %s', e) + logger.error('Could not write to resolv.conf: %s', e) else: # python DNS might have global resolver cached in this variable # we have to re-initialize it because resolv.conf has changed 
@@ -1017,7 +1018,7 @@ class BindInstance(service.Service): if not cnames: return - root_logger.info('Removing IPA CA CNAME records') + logger.info('Removing IPA CA CNAME records') # create CNAME to FQDN mapping cname_fqdn = {} @@ -1043,7 +1044,7 @@ class BindInstance(service.Service): for cname in cnames: fqdn = cname_fqdn[cname] if fqdn not in masters: - root_logger.warning( + logger.warning( "Cannot remove IPA CA CNAME please remove them manually " "if necessary") return @@ -1088,18 +1089,18 @@ class BindInstance(service.Service): # remove records if entries: - root_logger.debug("Removing all NS records pointing to %s:", ns_rdata) + logger.debug("Removing all NS records pointing to %s:", ns_rdata) for entry in entries: if 'idnszone' in entry['objectclass']: # zone record zone = entry.single_value['idnsname'] - root_logger.debug("zone record %s", zone) + logger.debug("zone record %s", zone) del_ns_rr(zone, u'@', ns_rdata, api=self.api) else: zone = entry.dn[1].value # get zone from DN record = entry.single_value['idnsname'] - root_logger.debug("record %s in zone %s", record, zone) + logger.debug("record %s in zone %s", record, zone) del_ns_rr(zone, record, ns_rdata, api=self.api) def update_system_records(self): @@ -1111,18 +1112,18 @@ class BindInstance(service.Service): (_loc_rec, failed_loc_rec) ) = system_records.update_dns_records() except IPADomainIsNotManagedByIPAError: - root_logger.error( + logger.error( "IPA domain is not managed by IPA, please update records " "manually") else: if failed_ipa_rec or failed_loc_rec: - root_logger.error("Update of following records failed:") + logger.error("Update of following records failed:") for attr in (failed_ipa_rec, failed_loc_rec): for rname, node, error in attr: for record in IPASystemRecords.records_list_from_node( rname, node ): - root_logger.error("%s (%s)", record, error) + logger.error("%s (%s)", record, error) def check_global_configuration(self): """ 
@@ -1173,7 +1174,7 @@ class BindInstance(service.Service): try: self.fstore.restore_file(f) except ValueError as error: - root_logger.debug(error) + logger.debug('%s', error) # disabled by default, by ldap_enable() if enabled: diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 52cb20f..6b43af6 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -9,6 +9,7 @@ CA installer module from __future__ import print_function import enum +import logging import os.path import six @@ -31,7 +32,6 @@ from ipaserver.install import installutils, certs from ipaserver.install.replication import replica_conn_check from ipalib import api, errors, x509 from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger from . import conncheck, dogtag @@ -47,6 +47,8 @@ VALID_SUBJECT_BASE_ATTRS = { } VALID_SUBJECT_ATTRS = {'cn'} | VALID_SUBJECT_BASE_ATTRS +logger = logging.getLogger(__name__) + external_cert_file = None external_ca_file = None @@ -132,7 +134,7 @@ def install_check(standalone, replica_config, options): principal=principal, ca_cert_file=options.ca_cert_file) if options.skip_schema_check: - root_logger.info("Skipping CA DS schema check") + logger.info("Skipping CA DS schema check") else: cainstance.replica_ca_install_check(replica_config, options.promote) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 4af313b..a646ee6 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -56,7 +56,7 @@ from ipapython import ipautil from ipapython import ipaldap from ipapython.certdb import get_ca_nickname from ipapython.dn import DN -from ipapython.ipa_log_manager import standard_logging_setup, root_logger +from ipapython.ipa_log_manager import standard_logging_setup from ipaserver.secrets.kem import IPAKEMKeys from ipaserver.install import certs 
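Review bot: The `cainstance.py` import hunk removes `root_logger`, but none of the visible hunks for that file adds `import logging` or a module-level `logger = logging.getLogger(__name__)`, and the unchanged line offsets (`-114,7 +114,7`) suggest nothing was added above. Every rewritten `logger.*` call in that file therefore depends on a `logger` defined before this commit, which cannot be confirmed from the diff. The same applies to `dnskeysyncinstance.py`, where `def __init__(self, fstore=None, logger=logger)` would raise `NameError` at import time if the name is missing. Please confirm both modules already define `logger`, or add the definition as the other files in this commit do.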
@@ -114,7 +114,7 @@ def get_preop_pin(instance_root, instance_name): try: f = open(filename) except IOError as e: - root_logger.error("Cannot open configuration file." + str(e)) + logger.error("Cannot open configuration file.%s", str(e)) raise e data = f.read() data = data.split('\n') @@ -633,7 +633,7 @@ class CAInstance(DogtagInstance): try: backup_config() except Exception as e: - root_logger.warning("Failed to backup CS.cfg: %s", e) + logger.warning("Failed to backup CS.cfg: %s", e) def create_certstore_passwdfile(self): """ @@ -1045,7 +1045,7 @@ class CAInstance(DogtagInstance): try: certmonger.stop_tracking(certfile=paths.RA_AGENT_PEM) except RuntimeError as e: - root_logger.error( + logger.error( "certmonger failed to stop tracking certificate: %s", e) services.knownservices.certmonger.stop() @@ -1206,12 +1206,12 @@ class CAInstance(DogtagInstance): if sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval'): return - root_logger.info('[Set up lightweight CA key retrieval]') + logger.info('[Set up lightweight CA key retrieval]') self.__setup_lightweight_ca_key_retrieval_kerberos() self.__setup_lightweight_ca_key_retrieval_custodia() - root_logger.info('Configuring key retriever') + logger.info('Configuring key retriever') directives = [ ('features.authority.keyRetrieverClass', 'com.netscape.ca.ExternalProcessKeyRetriever'), @@ -1227,12 +1227,12 @@ class CAInstance(DogtagInstance): def __setup_lightweight_ca_key_retrieval_kerberos(self): pent = pwd.getpwnam(self.service_user) - root_logger.info('Creating principal') + logger.info('Creating principal') installutils.kadmin_addprinc(self.principal) self.suffix = ipautil.realm_to_suffix(self.realm) self.move_service(self.principal) - root_logger.info('Retrieving keytab') + logger.info('Retrieving keytab') installutils.create_keytab(self.keytab, self.principal) os.chmod(self.keytab, 0o600) os.chown(self.keytab, pent.pw_uid, pent.pw_gid) 
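Review bot: In `get_preop_pin` the converted message `"Cannot open configuration file.%s"` runs the exception text straight into the sentence and never names the file that failed to open, which makes the install log harder to use when diagnosing a failed PIN lookup. Since `filename` is in scope on the line above, I would write `logger.error("Cannot open configuration file %s: %s", filename, e)`; the `str(e)` wrapper is redundant with `%s`. A bare `raise` instead of `raise e` would also keep the original traceback on Python 2. The function continues past the end of this hunk.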
@@ -1240,7 +1240,7 @@ class CAInstance(DogtagInstance): def __setup_lightweight_ca_key_retrieval_custodia(self): pent = pwd.getpwnam(self.service_user) - root_logger.info('Creating Custodia keys') + logger.info('Creating Custodia keys') custodia_basedn = DN( ('cn', 'custodia'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) ensure_entry( @@ -1269,7 +1269,7 @@ class CAInstance(DogtagInstance): add_lightweight_ca_tracking_requests(lwcas) except errors.NotFound: # shouldn't happen, but don't fail if it does - root_logger.warning( + logger.warning( "Did not find any lightweight CAs; nothing to track") def __dogtag10_migration(self): @@ -1289,7 +1289,7 @@ def replica_ca_install_check(config, promote): # Check if the master has the necessary schema in its CA instance ca_ldap_url = 'ldap://%s:%s' % (config.ca_host_name, config.ca_ds_port) objectclass = 'ipaObject' - root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url) + logger.debug('Checking if IPA schema is present in %s', ca_ldap_url) try: with ipaldap.LDAPClient( ca_ldap_url, @@ -1302,14 +1302,14 @@ def replica_ca_install_check(config, promote): result = rschema.get_obj(ldap.schema.models.ObjectClass, objectclass) except Exception: - root_logger.critical( + logger.critical( 'CA DS schema check failed. Make sure the PKI service on the ' 'remote master is operational.') raise if result: - root_logger.debug('Check OK') + logger.debug('Check OK') else: - root_logger.critical( + logger.critical( 'The master CA directory server does not have necessary schema. ' 'Please run copy-schema-to-ca.py on all CA masters.\n' 'If you are certain that this is a false positive, use ' 
@@ -1604,7 +1604,7 @@ def import_included_profiles(): # Create the profile, replacing any existing profile of same name profile_data = __get_profile_config(profile_id) _create_dogtag_profile(profile_id, profile_data, overwrite=True) - root_logger.info("Imported profile '%s'", profile_id) + logger.info("Imported profile '%s'", profile_id) api.Backend.ra_certprofile.override_port = None conn.disconnect() @@ -1644,12 +1644,12 @@ def repair_profile_caIPAserviceCert(): need_repair = all(l in cur_config for l in indicators) if need_repair: - root_logger.debug( - "Detected that profile '{}' has been replaced with " - "incorrect version; begin repair.".format(profile_id)) + logger.debug( + "Detected that profile '%s' has been replaced with " + "incorrect version; begin repair.", profile_id) _create_dogtag_profile( profile_id, __get_profile_config(profile_id), overwrite=True) - root_logger.debug("Repair of profile '{}' complete.".format(profile_id)) + logger.debug("Repair of profile '%s' complete.", profile_id) api.Backend.ra_certprofile.override_port = None @@ -1678,7 +1678,7 @@ def migrate_profiles_to_ldap(): cs_cfg, re.MULTILINE ) if match is None: - root_logger.info("No file for profile '%s'; skipping", profile_id) + logger.info("No file for profile '%s'; skipping", profile_id) continue filename = match.group(1) @@ -1687,7 +1687,7 @@ def migrate_profiles_to_ldap(): cs_cfg, re.MULTILINE ) if match is None: - root_logger.info("No class_id for profile '%s'; skipping", profile_id) + logger.info("No class_id for profile '%s'; skipping", profile_id) continue class_id = match.group(1) 
@@ -1712,29 +1712,30 @@ def _create_dogtag_profile(profile_id, profile_data, overwrite): # import the profile try: profile_api.create_profile(profile_data) - root_logger.info("Profile '%s' successfully migrated to LDAP", - profile_id) + logger.info("Profile '%s' successfully migrated to LDAP", + profile_id) except errors.RemoteRetrieveError as e: - root_logger.debug("Error migrating '{}': {}".format( - profile_id, e)) + logger.debug("Error migrating '%s': %s", profile_id, e) # profile already exists if overwrite: try: profile_api.disable_profile(profile_id) except errors.RemoteRetrieveError: - root_logger.debug( + logger.debug( "Failed to disable profile '%s' " - "(it is probably already disabled)") + "(it is probably already disabled)", + profile_id) profile_api.update_profile(profile_id, profile_data) # enable the profile try: profile_api.enable_profile(profile_id) except errors.RemoteRetrieveError: - root_logger.debug( + logger.debug( "Failed to enable profile '%s' " - "(it is probably already enabled)") + "(it is probably already enabled)", + profile_id) def ensure_ipa_authority_entry(): diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 02c479d..8fbdb90 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -17,6 +17,7 @@ # along with this program. If not, see . # +import logging import os import stat import sys @@ -34,7 +35,6 @@ import six from six.moves import configparser from ipalib.install import certmonger, sysrestore -from ipapython.ipa_log_manager import root_logger from ipapython import dogtag from ipapython import ipautil from ipapython.certdb import EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS @@ -45,6 +45,8 @@ from ipalib.errors import CertificateOperationError from ipalib.text import _ from ipaplatform.paths import paths +logger = logging.getLogger(__name__) + def get_cert_nickname(cert): """ 
@@ -355,7 +357,8 @@ class CertDB(object): self.secdir, nickname=nickname, pinfile=password_file, post_command=command) except RuntimeError as e: - root_logger.error("certmonger failed starting to track certificate: %s" % str(e)) + logger.error("certmonger failed starting to track certificate: %s", + str(e)) return cert = self.get_cert_from_db(nickname) @@ -371,7 +374,8 @@ class CertDB(object): try: certmonger.stop_tracking(self.secdir, nickname=nickname) except RuntimeError as e: - root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e)) + logger.error("certmonger failed to stop tracking certificate: %s", + str(e)) def create_server_cert(self, nickname, hostname, subject=None): """ @@ -446,7 +450,7 @@ class CertDB(object): client_keyfile=paths.RA_AGENT_KEY, **params) http_status, _http_headers, http_body = result - root_logger.debug("CA answer: %s", http_body) + logger.debug("CA answer: %s", http_body) if http_status != 200: raise CertificateOperationError( @@ -553,7 +557,8 @@ class CertDB(object): def trust_root_cert(self, root_nickname, trust_flags): if root_nickname is None: - root_logger.debug("Unable to identify root certificate to trust. Continuing but things are likely to fail.") + logger.debug("Unable to identify root certificate to trust. " + "Continuing but things are likely to fail.") return try: diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index bc3cea7..4971379 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py 
@@ -1,12 +1,13 @@ # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. +import logging + from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap from ipaserver.secrets.client import CustodiaClient from ipaplatform.paths import paths from ipaplatform.constants import constants from ipaserver.install.service import SimpleServiceInstance from ipapython import ipautil -from ipapython.ipa_log_manager import root_logger from ipapython.certdb import NSSDatabase from ipaserver.install import installutils from ipaserver.install import ldapupdate @@ -20,6 +21,8 @@ import tempfile import time import pwd +logger = logging.getLogger(__name__) + class CustodiaInstance(SimpleServiceInstance): def __init__(self, host_name=None, realm=None): @@ -64,19 +67,19 @@ class CustodiaInstance(SimpleServiceInstance): def upgrade_instance(self): if not sysupgrade.get_upgrade_state("custodia", "installed"): - root_logger.info("Custodia service is being configured") + logger.info("Custodia service is being configured") self.create_instance() else: old_config = open(self.config_file).read() self.__config_file() new_config = open(self.config_file).read() if new_config != old_config: - root_logger.info("Restarting Custodia") + logger.info("Restarting Custodia") self.restart() mode = os.stat(self.server_keys).st_mode if stat.S_IMODE(mode) != 0o600: - root_logger.info("Secure server.keys mode") + logger.info("Secure server.keys mode") os.chmod(self.server_keys, 0o600) def create_replica(self, master_host_name): @@ -118,8 +121,8 @@ class CustodiaInstance(SimpleServiceInstance): def __wait_keys(self, host, timeout=300): ldap_uri = 'ldap://%s' % host deadline = int(time.time()) + timeout - root_logger.info("Waiting up to {} seconds to see our keys " - "appear on host: {}".format(timeout, host)) + logger.info("Waiting up to %s seconds to see our keys " + "appear on host: %s", timeout, host) konn = KEMLdap(ldap_uri) saved_e = None 
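Review bot: In `upgrade_instance`, finding `server.keys` with a mode other than `0o600` is recorded only as `logger.info("Secure server.keys mode")`, which names neither the path nor the permissive mode that was found. This file presumably holds the Custodia server's private keys, so an over-permissive mode is something an operator should be able to audit afterwards. I would log it as a warning with the details, e.g. `logger.warning("Tightening mode of %s from %o to 600", self.server_keys, stat.S_IMODE(mode))`. The two `open(self.config_file).read()` calls just above also leave the file handle to the garbage collector; a `with` block would be tidier.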
@@ -129,8 +132,8 @@ class CustodiaInstance(SimpleServiceInstance): except Exception as e: # log only once for the same error if not isinstance(e, type(saved_e)): - root_logger.debug( - "Transient error getting keys: '{err}'".format(err=e)) + logger.debug( + "Transient error getting keys: '%s'", e) saved_e = e if int(time.time()) > deadline: raise RuntimeError("Timed out trying to obtain keys.") diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py index 1c1aac0..9970054 100644 --- a/ipaserver/install/dns.py +++ b/ipaserver/install/dns.py @@ -10,6 +10,7 @@ from __future__ import absolute_import from __future__ import print_function import enum +import logging # absolute import is necessary because IPA module dns clashes with python-dns from dns import resolver @@ -33,7 +34,6 @@ from ipapython.dn import DN from ipapython.dnsutil import check_zone_overlap from ipapython.install import typing from ipapython.install.core import group, knob -from ipapython.ipa_log_manager import root_logger from ipapython.admintool import ScriptError from ipapython.ipautil import user_input from ipaserver.install.installutils import get_server_ip_address @@ -47,6 +47,8 @@ from ipaserver.install import opendnssecinstance if six.PY3: unicode = str +logger = logging.getLogger(__name__) + ip_addresses = [] reverse_zones = [] @@ -129,9 +131,9 @@ def install_check(standalone, api, replica, options, hostname): dnsutil.check_zone_overlap(domain, raise_on_error=False) except ValueError as e: if options.force or options.allow_zone_overlap: - root_logger.warning("%s Please make sure that the domain is " - "properly delegated to this IPA server.", - e) + logger.warning("%s Please make sure that the domain is " + "properly delegated to this IPA server.", + e) else: raise e 
@@ -140,7 +142,7 @@ def install_check(standalone, api, replica, options, hostname): dnsutil.check_zone_overlap(reverse_zone) except ValueError as e: if options.force or options.allow_zone_overlap: - root_logger.warning(six.text_type(e)) + logger.warning('%s', six.text_type(e)) else: raise e @@ -239,7 +241,7 @@ def install_check(standalone, api, replica, options, hostname): runas=constants.ODS_USER, suplementary_groups=[constants.NAMED_GROUP]) except CalledProcessError as e: - root_logger.debug("%s", e) + logger.debug("%s", e) raise RuntimeError("This IPA server cannot be promoted to " "DNSSEC master role because some keys were " "not replicated from the original " @@ -273,8 +275,8 @@ def install_check(standalone, api, replica, options, hostname): for ip in ip_addresses: if dnsutil.inside_auto_empty_zone(dnsutil.DNSName(ip.reverse_dns)): options.forward_policy = 'only' - root_logger.debug('IP address %s belongs to a private range, ' - 'using forward policy only', ip) + logger.debug('IP address %s belongs to a private range, ' + 'using forward policy only', ip) break if options.no_forwarders: @@ -289,13 +291,12 @@ def install_check(standalone, api, replica, options, hostname): # test DNSSEC forwarders if options.forwarders: - if (not bindinstance.check_forwarders(options.forwarders, - root_logger) + if (not bindinstance.check_forwarders(options.forwarders) and not options.no_dnssec_validation): options.no_dnssec_validation = True print("WARNING: DNSSEC validation will be disabled") - root_logger.debug("will use DNS forwarders: %s\n", options.forwarders) + logger.debug("will use DNS forwarders: %s\n", options.forwarders) if not standalone: search_reverse_zones = False diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py index b73eed8..0091250 100644 --- a/ipaserver/install/dnskeysyncinstance.py +++ b/ipaserver/install/dnskeysyncinstance.py 
@@ -17,7 +17,6 @@ from ipaserver import p11helper as _ipap11helper from ipapython.dnsutil import DNSName from ipaserver.install import service from ipaserver.install import installutils -from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipapython import ipautil from ipaplatform.constants import constants @@ -46,7 +45,7 @@ def remove_replica_public_keys(hostname): class DNSKeySyncInstance(service.Service): - def __init__(self, fstore=None, logger=root_logger): + def __init__(self, fstore=None, logger=logger): super(DNSKeySyncInstance, self).__init__( "ipa-dnskeysyncd", service_desc="DNS key synchronization service", diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 39248ed..c0ad242 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -20,6 +20,7 @@ from __future__ import print_function +import logging import shutil import pwd import os @@ -36,7 +37,6 @@ from ipalib.install import certmonger, certstore from ipapython.certdb import (IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS, TrustFlags) -from ipapython.ipa_log_manager import root_logger from ipapython import ipautil, ipaldap from ipapython import dogtag from ipaserver.install import service @@ -55,6 +55,8 @@ from ipapython.admintool import ScriptError from ipaplatform import services from ipaplatform.paths import paths +logger = logging.getLogger(__name__) + DS_USER = platformconstants.DS_USER DS_GROUP = platformconstants.DS_GROUP 
@@ -104,16 +106,16 @@ def remove_ds_instance(serverid, force=False): args = [paths.REMOVE_DS_PL, '-i', instance_name] if force: args.append('-f') - root_logger.debug("Forcing instance removal") + logger.debug("Forcing instance removal") try: ipautil.run(args) except ipautil.CalledProcessError: if force: - root_logger.error("Instance removal failed.") + logger.error("Instance removal failed.") raise - root_logger.debug("'%s' failed. " - "Attempting to force removal" % paths.REMOVE_DS_PL) + logger.debug("'%s' failed. " + "Attempting to force removal", paths.REMOVE_DS_PL) remove_ds_instance(serverid, force=True) @@ -452,11 +454,11 @@ class DsInstance(service.Service): try: api.Backend.ldap2.delete_entry(r) except Exception as e: - root_logger.critical( + logger.critical( "Error during SASL mapping removal: %s", e) raise except Exception as e: - root_logger.critical("Error while enumerating SASL mappings %s", e) + logger.critical("Error while enumerating SASL mappings %s", e) raise entry = api.Backend.ldap2.make_entry( @@ -530,7 +532,7 @@ class DsInstance(service.Service): self.sub_dict['BASEDC'] = self.realm.split('.')[0].lower() base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict) - root_logger.debug(base_txt) + logger.debug("%s", base_txt) target_fname = paths.DIRSRV_BOOT_LDIF base_fd = open(target_fname, "w") 
@@ -542,19 +544,19 @@ class DsInstance(service.Service): os.chown(target_fname, pent.pw_uid, pent.pw_gid) inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict) - root_logger.debug("writing inf template") + logger.debug("writing inf template") inf_fd = ipautil.write_tmp_file(inf_txt) inf_txt = re.sub(r"RootDNPwd=.*\n", "", inf_txt) - root_logger.debug(inf_txt) + logger.debug("%s", inf_txt) args = [ paths.SETUP_DS_PL, "--silent", "--logfile", "-", "-f", inf_fd.name, ] - root_logger.debug("calling setup-ds.pl") + logger.debug("calling setup-ds.pl") try: ipautil.run(args) - root_logger.debug("completed creating DS instance") + logger.debug("completed creating DS instance") except ipautil.CalledProcessError as e: raise RuntimeError("failed to create DS instance %s" % e) @@ -597,7 +599,7 @@ class DsInstance(service.Service): try: os.remove(temp_filename) except OSError as e: - root_logger.debug("Failed to clean temporary file: %s" % e) + logger.debug("Failed to clean temporary file: %s", e) def __add_default_schemas(self): pent = pwd.getpwnam(DS_USER) @@ -638,13 +640,15 @@ class DsInstance(service.Service): try: super(DsInstance, self).restart(instance) if not is_ds_running(instance): - root_logger.critical("Failed to restart the directory server. See the installation log for details.") + logger.critical("Failed to restart the directory server. " + "See the installation log for details.") raise ScriptError() except SystemExit as e: raise e except Exception as e: # TODO: roll back here? - root_logger.critical("Failed to restart the directory server (%s). See the installation log for details." % e) + logger.critical("Failed to restart the directory server (%s). " + "See the installation log for details.", e) api.Backend.ldap2.connect() def __start_instance(self): 
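Review bot: The `logger.debug("%s", inf_txt)` call relies entirely on the preceding `re.sub(r"RootDNPwd=.*\n", "", inf_txt)` to keep the directory server root password out of the install log, and that pattern only matches a line that ends in a newline. If the template ever places `RootDNPwd` on its last line without a trailing newline, the value would be logged verbatim; the template itself is not visible in this hunk, so this is a hardening point rather than a confirmed leak. A line-anchored pattern is more robust: `inf_txt = re.sub(r"(?m)^RootDNPwd=.*$\n?", "", inf_txt)`. I would also add a comment above the debug call, `# inf_txt must be scrubbed of secrets before it is logged`, so later template changes keep the redaction in step. The enclosing method starts and ends outside the hunk.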
@@ -671,7 +675,7 @@ class DsInstance(service.Service): # Note, keep dn in sync with dn in install/share/memberof-task.ldif dn = DN(('cn', 'IPA install %s' % self.sub_dict["TIME"]), ('cn', 'memberof task'), ('cn', 'tasks'), ('cn', 'config')) - root_logger.debug("Waiting for memberof task to complete.") + logger.debug("Waiting for memberof task to complete.") ldap_uri = ipaldap.get_ldap_uri(self.fqdn) conn = ipaldap.LDAPClient(ldap_uri) if self.dm_password: @@ -955,7 +959,7 @@ class DsInstance(service.Service): self._ldap_mod("default-hbac.ldif", self.sub_dict) def change_admin_password(self, password): - root_logger.debug("Changing admin password") + logger.debug("Changing admin password") dir_ipa = paths.VAR_LIB_IPA with tempfile.NamedTemporaryFile("w", dir=dir_ipa) as dmpwdfile, \ @@ -974,10 +978,10 @@ class DsInstance(service.Service): env = {'LDAPTLS_CACERTDIR': os.path.dirname(paths.IPA_CA_CRT), 'LDAPTLS_CACERT': paths.IPA_CA_CRT} ipautil.run(args, env=env) - root_logger.debug("ldappasswd done") + logger.debug("ldappasswd done") except ipautil.CalledProcessError as e: print("Unable to set admin password", e) - root_logger.debug("Unable to set admin password %s" % e) + logger.debug("Unable to set admin password %s", e) def uninstall(self): if self.is_configured(): @@ -992,7 +996,7 @@ class DsInstance(service.Service): self.fstore.restore_file(paths.LIMITS_CONF) self.fstore.restore_file(paths.SYSCONFIG_DIRSRV) except ValueError as error: - root_logger.debug(error) + logger.debug("%s", error) # disabled during IPA installation if enabled: 
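Review bot: A failed `ldappasswd` run in `change_admin_password` is caught and recorded only with `logger.debug("Unable to set admin password %s", e)`, so at the default log level the only trace is the `print` to the console. As far as these hunks show, the method then returns normally, so the installation can carry on with the admin password not set to the requested value. I would log this at error level, `logger.error("Unable to set admin password: %s", e)`, and consider re-raising so the caller can stop. The method spans two hunks and its middle is not visible here.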
@@ -1001,14 +1005,14 @@ class DsInstance(service.Service): serverid = self.restore_state("serverid") if serverid is not None: self.stop_tracking_certificates(serverid) - root_logger.debug("Removing DS instance %s" % serverid) + logger.debug("Removing DS instance %s", serverid) try: remove_ds_instance(serverid) installutils.remove_keytab(paths.DS_KEYTAB) installutils.remove_ccache(run_as=DS_USER) except ipautil.CalledProcessError: - root_logger.error("Failed to remove DS instance. You may " - "need to remove instance data manually") + logger.error("Failed to remove DS instance. You may " + "need to remove instance data manually") # Just eat this state self.restore_state("user_exists") @@ -1025,7 +1029,7 @@ class DsInstance(service.Service): try: services.knownservices.dirsrv.restart(ds_instance, wait=False) except Exception as e: - root_logger.error( + logger.error( 'Unable to restart DS instance %s: %s', ds_instance, e) def stop_tracking_certificates(self, serverid=None): @@ -1059,12 +1063,12 @@ class DsInstance(service.Service): # first make sure we have a valid cacert_fname try: if not os.access(cacert_fname, os.R_OK): - root_logger.critical("The given CA cert file named [%s] could not be read" % - cacert_fname) + logger.critical("The given CA cert file named [%s] could not " + "be read", cacert_fname) return False except OSError as e: - root_logger.critical("The given CA cert file named [%s] could not be read: %s" % - (cacert_fname, str(e))) + logger.critical("The given CA cert file named [%s] could not " + "be read: %s", cacert_fname, str(e)) return False # ok - ca cert file can be read # shutdown the server 
@@ -1085,8 +1089,8 @@ class DsInstance(service.Service): try: certdb.load_cacert(cacert_fname, EXTERNAL_CA_TRUST_FLAGS) except ipautil.CalledProcessError as e: - root_logger.critical("Error importing CA cert file named [%s]: %s" % - (cacert_fname, str(e))) + logger.critical("Error importing CA cert file named [%s]: %s", + cacert_fname, str(e)) status = False # restart the directory server self.start() @@ -1150,7 +1154,7 @@ class DsInstance(service.Service): except errors.NotFound: self._ldap_mod('ipa-sidgen-conf.ldif', dict(SUFFIX=suffix)) else: - root_logger.debug("sidgen plugin is already configured") + logger.debug("sidgen plugin is already configured") def _add_extdom_plugin(self): """ @@ -1168,7 +1172,7 @@ class DsInstance(service.Service): except errors.NotFound: self._ldap_mod('ipa-extdom-extop-conf.ldif', dict(SUFFIX=suffix)) else: - root_logger.debug("extdom plugin is already configured") + logger.debug("extdom plugin is already configured") def find_subject_base(self): """ @@ -1181,20 +1185,20 @@ class DsInstance(service.Service): is configured, the api is initialized elsewhere and that a ticket already have been acquired. """ - root_logger.debug( + logger.debug( 'Trying to find certificate subject base in sysupgrade') subject_base = sysupgrade.get_upgrade_state( 'certmap.conf', 'subject_base') if subject_base: - root_logger.debug( + logger.debug( 'Found certificate subject base in sysupgrade: %s', subject_base) return subject_base - root_logger.debug( + logger.debug( 'Unable to find certificate subject base in sysupgrade') - root_logger.debug( + logger.debug( 'Trying to find certificate subject base in DS') ds_is_running = is_ds_running() 
@@ -1203,25 +1207,24 @@ class DsInstance(service.Service): self.start() ds_is_running = True except ipautil.CalledProcessError as e: - root_logger.error('Cannot start DS to find certificate ' - 'subject base: %s', e) + logger.error('Cannot start DS to find certificate ' + 'subject base: %s', e) if ds_is_running: try: ret = api.Command['config_show']() subject_base = str( ret['result']['ipacertificatesubjectbase'][0]) - root_logger.debug( + logger.debug( 'Found certificate subject base in DS: %s', subject_base) except errors.PublicError as e: - root_logger.error('Cannot connect to DS to find certificate ' - 'subject base: %s', e) + logger.error('Cannot connect to DS to find certificate ' + 'subject base: %s', e) if subject_base: return subject_base - root_logger.debug('Unable to find certificate subject base in ' - 'certmap.conf') + logger.debug('Unable to find certificate subject base in certmap.conf') return None def __set_domain_level(self): diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index b29b8af..6c56316 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -19,6 +19,7 @@ from __future__ import print_function +import logging import os import os.path import pwd @@ -42,7 +43,6 @@ from ipaserver.install import installutils from ipapython import dogtag from ipapython import ipautil from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger import ipapython.errors from ipaserver.install import sysupgrade from ipalib import api @@ -51,6 +51,8 @@ from ipaplatform.tasks import tasks from ipaplatform.paths import paths from ipaplatform import services +logger = logging.getLogger(__name__) + HTTPD_USER = constants.HTTPD_USER KDCPROXY_USER = constants.KDCPROXY_USER 
@@ -369,7 +371,7 @@ class HTTPInstance(service.Service): capture_output=True) except ipautil.CalledProcessError as e: if e.returncode == 29: # ERROR: Module not found in database. - root_logger.debug( + logger.debug( 'Module %s not available, treating as disabled', name) return False raise @@ -495,7 +497,7 @@ class HTTPInstance(service.Service): oddjobd.enable() oddjobd.start() except Exception as e: - root_logger.critical("Unable to start oddjobd: {0}".format(str(e))) + logger.critical("Unable to start oddjobd: %s", str(e)) def update_httpd_service_ipa_conf(self): tasks.configure_httpd_service_ipa_conf() @@ -545,7 +547,7 @@ class HTTPInstance(service.Service): try: self.fstore.restore_file(f) except ValueError as error: - root_logger.debug(error) + logger.debug("%s", error) installutils.remove_keytab(self.keytab) installutils.remove_file(paths.HTTP_CCACHE) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 5f7a346..5571625 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -21,6 +21,7 @@ from __future__ import absolute_import from __future__ import print_function import errno +import logging import socket import getpass import gssapi @@ -55,7 +56,6 @@ import ipaplatform from ipapython import ipautil, admintool, version from ipapython.admintool import ScriptError from ipapython.certdb import EXTERNAL_CA_TRUST_FLAGS -from ipapython.ipa_log_manager import root_logger from ipapython.ipaldap import DIRMAN_DN, LDAPClient from ipalib.util import validate_hostname from ipalib import api, errors, x509 @@ -68,6 +68,8 @@ from ipaplatform.tasks import tasks if six.PY3: unicode = str +logger = logging.getLogger(__name__) + # Used to determine install status IPA_MODULES = [ 'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'ntpd', 
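Review bot: `logger.debug("%s", error)` in the `restore_file` loop records only the ValueError text, so a reader of the install log cannot tell which file was not restored unless the exception message happens to include it. Adding the path makes the entry self-contained: `logger.debug("Cannot restore %s: %s", f, error)`. The same call follows `restore_file` in krbinstance.py, ntpinstance.py (where the path is `paths.NTP_CONF`) and opendnssecinstance.py. The enclosing method starts outside this hunk.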
@@ -166,16 +168,17 @@ def verify_fqdn(host_name, no_host_dns=False, local_hostname=True): if local_hostname: try: - root_logger.debug('Check if %s is a primary hostname for localhost', host_name) + logger.debug('Check if %s is a primary hostname for localhost', + host_name) ex_name = socket.gethostbyaddr(host_name) - root_logger.debug('Primary hostname for localhost: %s', ex_name[0]) + logger.debug('Primary hostname for localhost: %s', ex_name[0]) if host_name != ex_name[0]: raise HostLookupError("The host name %s does not match the primary host name %s. "\ "Please check /etc/hosts or DNS name resolution" % (host_name, ex_name[0])) except socket.gaierror: pass except socket.error as e: - root_logger.debug( + logger.debug( 'socket.gethostbyaddr() error: %d: %s', e.errno, e.strerror) # pylint: disable=no-member @@ -184,10 +187,10 @@ def verify_fqdn(host_name, no_host_dns=False, local_hostname=True): return try: - root_logger.debug('Search DNS for %s', host_name) + logger.debug('Search DNS for %s', host_name) hostaddr = socket.getaddrinfo(host_name, None) except Exception as e: - root_logger.debug('Search failed: %s', e) + logger.debug('Search failed: %s', e) raise HostForwardLookupError("Unable to resolve host name, check /etc/hosts or DNS name resolution") if len(hostaddr) == 0: @@ -195,7 +198,7 @@ def verify_fqdn(host_name, no_host_dns=False, local_hostname=True): # Verify this is NOT a CNAME try: - root_logger.debug('Check if %s is not a CNAME', host_name) + logger.debug('Check if %s is not a CNAME', host_name) resolver.query(host_name, rdatatype.CNAME) raise HostReverseLookupError("The IPA Server Hostname cannot be a CNAME, only A and AAAA names are allowed.") except DNSException: 
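Review bot: The `socket.error` handler formats `e.errno` with `%d`, which fails if the exception carries no errno (it can be None for some socket errors). The logging module then reports a formatting error and the intended message is lost. Using `%s` for both fields works either way: `'socket.gethostbyaddr() error: %s: %s', e.errno, e.strerror`. verify_fqdn's body continues outside this hunk.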
@@ -210,17 +213,17 @@ def verify_fqdn(host_name, no_host_dns=False, local_hostname=True): if address == '127.0.0.1' or address == '::1': raise HostForwardLookupError("The IPA Server hostname must not resolve to localhost (%s). A routable IP address must be used. Check /etc/hosts to see if %s is an alias for %s" % (address, host_name, address)) try: - root_logger.debug('Check reverse address of %s', address) + logger.debug('Check reverse address of %s', address) revname = socket.gethostbyaddr(address)[0] except Exception as e: - root_logger.debug('Check failed: %s', e) - root_logger.error( + logger.debug('Check failed: %s', e) + logger.error( "Unable to resolve the IP address %s to a host name, " "check /etc/hosts and DNS name resolution", address) else: - root_logger.debug('Found reverse name: %s', revname) + logger.debug('Found reverse name: %s', revname) if revname != host_name: - root_logger.error( + logger.error( "The host name %s does not match the value %s obtained " "by reverse lookup on IP address %s", host_name, revname, address) @@ -523,7 +526,7 @@ def create_keytab(path, principal): if ipautil.file_exists(path): os.remove(path) except os.error: - root_logger.critical("Failed to remove %s." % path) + logger.critical("Failed to remove %s.", path) return kadmin("ktadd -k " + path + " " + principal) @@ -540,8 +543,7 @@ def resolve_ip_addresses_nss(fqdn): socket.AF_UNSPEC, socket.SOCK_STREAM) except socket.error as ex: if ex.errno == socket.EAI_NODATA or ex.errno == socket.EAI_NONAME: - root_logger.debug('Name %s does not have any address: %s', - fqdn, ex) + logger.debug('Name %s does not have any address: %s', fqdn, ex) return set() else: raise 
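Review bot: When `os.remove(path)` fails in `create_keytab`, the handler logs at critical level without the error and, as far as the flattened indentation in this view lets one tell, execution still reaches `kadmin("ktadd -k " + path + " " + principal)`. That would add the new keys to the keytab that could not be removed, leaving the old keys in place. Consider logging the cause and stopping there, e.g. `except os.error as e:` / `logger.critical("Failed to remove %s: %s", path, e)` / `raise`. Whether callers are prepared for the exception needs checking, since they are not visible here.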
@@ -554,11 +556,11 @@ def resolve_ip_addresses_nss(fqdn): except ValueError as ex: # getaddinfo may return link-local address other similar oddities # which are not accepted by CheckedIPAddress - skip these - root_logger.warning('Name %s resolved to an unacceptable IP ' - 'address %s: %s', fqdn, ai[4][0], ex) + logger.warning('Name %s resolved to an unacceptable IP ' + 'address %s: %s', fqdn, ai[4][0], ex) else: ip_addresses.add(ip) - root_logger.debug('Name %s resolved to %s', fqdn, ip_addresses) + logger.debug('Name %s resolved to %s', fqdn, ip_addresses) return ip_addresses def get_host_name(no_host_dns): @@ -592,7 +594,8 @@ def get_server_ip_address(host_name, unattended, setup_dns, ip_addresses): try: ips.append(ipautil.CheckedIPAddress(ha)) except ValueError as e: - root_logger.warning("Invalid IP address %s for %s: %s", ha, host_name, unicode(e)) + logger.warning("Invalid IP address %s for %s: %s", + ha, host_name, unicode(e)) if not ips and not ip_addresses: if not unattended: @@ -773,8 +776,8 @@ def read_replica_info_dogtag_port(config_dir): try: dogtag_master_ds_port = int(fd.read()) except (ValueError, IOError) as e: - root_logger.debug('Cannot parse dogtag DS port: %s', e) - root_logger.debug('Default to %d', default_port) + logger.debug('Cannot parse dogtag DS port: %s', e) + logger.debug('Default to %d', default_port) dogtag_master_ds_port = default_port return dogtag_master_ds_port 
@@ -785,31 +788,33 @@ def create_replica_config(dirman_password, filename, options): try: top_dir, dir = expand_replica_info(filename, dirman_password) except Exception as e: - root_logger.error("Failed to decrypt or open the replica file.") + logger.error("Failed to decrypt or open the replica file.") raise ScriptError( "ERROR: Failed to decrypt or open the replica file.\n" "Verify you entered the correct Directory Manager password.") config = ReplicaConfig(top_dir) read_replica_info(dir, config) - root_logger.debug( - 'Installing replica file with version %d (0 means no version in prepared file).', + logger.debug( + 'Installing replica file with version %d ' + '(0 means no version in prepared file).', config.version) if config.version and config.version > version.NUM_VERSION: - root_logger.error( - 'A replica file from a newer release (%d) cannot be installed on an older version (%d)', + logger.error( + 'A replica file from a newer release (%d) cannot be installed on ' + 'an older version (%d)', config.version, version.NUM_VERSION) raise ScriptError() config.dirman_password = dirman_password try: host = get_host_name(options.no_host_dns) except BadHostError as e: - root_logger.error(str(e)) + logger.error("%s", str(e)) raise ScriptError() if config.host_name != host: try: print("This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)) if not ipautil.user_input("This may cause problems. Continue?", False): - root_logger.debug( + logger.debug( "Replica was created for %s but machine is named %s " "User chose to exit", config.host_name, host) @@ -817,7 +822,7 @@ def create_replica_config(dirman_password, filename, options): config.host_name = host print("") except KeyboardInterrupt: - root_logger.debug("Keyboard Interrupt") + logger.debug("Keyboard Interrupt") raise ScriptError(rval=0) config.dir = dir config.ca_ds_port = read_replica_info_dogtag_port(config.dir) 
@@ -849,7 +854,7 @@ def remove_file(filename): if os.path.lexists(filename): os.unlink(filename) except Exception as e: - root_logger.error('Error removing %s: %s' % (filename, str(e))) + logger.error('Error removing %s: %s', filename, str(e)) def rmtree(path): @@ -860,7 +865,7 @@ def rmtree(path): if os.path.exists(path): shutil.rmtree(path) except Exception as e: - root_logger.error('Error removing %s: %s' % (path, str(e))) + logger.error('Error removing %s: %s', path, str(e)) def is_ipa_configured(): @@ -875,16 +880,16 @@ def is_ipa_configured(): for module in IPA_MODULES: if sstore.has_state(module): - root_logger.debug('%s is configured' % module) + logger.debug('%s is configured', module) installed = True else: - root_logger.debug('%s is not configured' % module) + logger.debug('%s is not configured', module) if fstore.has_files(): - root_logger.debug('filestore has files') + logger.debug('filestore has files') installed = True else: - root_logger.debug('filestore is tracking no files') + logger.debug('filestore is tracking no files') return installed @@ -905,7 +910,7 @@ def run_script(main_function, operation_name, log_file_name=None, :param fail_message: Optional message displayed on failure """ - root_logger.info('Starting script: %s', operation_name) + logger.info('Starting script: %s', operation_name) try: try: return_value = main_function() 
@@ -915,26 +920,24 @@ def run_script(main_function, operation_name, log_file_name=None, (e.code is None or e.code == 0) # pylint: disable=no-member ): # Not an error after all - root_logger.info('The %s command was successful', - operation_name) + logger.info('The %s command was successful', operation_name) else: # Log at the DEBUG level, which is not output to the console # (unless in debug/verbose mode), but is written to a logfile # if one is open. tb = sys.exc_info()[2] - root_logger.debug('\n'.join(traceback.format_tb(tb))) - root_logger.debug('The %s command failed, exception: %s: %s', - operation_name, type(e).__name__, e) + logger.debug("%s", '\n'.join(traceback.format_tb(tb))) + logger.debug('The %s command failed, exception: %s: %s', + operation_name, type(e).__name__, e) if fail_message and not isinstance(e, SystemExit): print(fail_message) raise else: if return_value: - root_logger.info('The %s command failed, return value %s', - operation_name, return_value) + logger.info('The %s command failed, return value %s', + operation_name, return_value) else: - root_logger.info('The %s command was successful', - operation_name) + logger.info('The %s command was successful', operation_name) sys.exit(return_value) except BaseException as error: 
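Review bot: The traceback is logged with `'\n'.join(traceback.format_tb(tb))`, but each string returned by `format_tb` already ends in a newline, so the log gets a blank line between frames, and the traceback and the exception text end up in two separate records. One record with `exc_info` carries both: `logger.debug('The %s command failed, exception: %s: %s', operation_name, type(e).__name__, e, exc_info=True)`. run_script starts and ends outside this hunk.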
@@ -1116,25 +1119,25 @@ def stopped_service(service, instance_name=""): else: log_instance_name = "" - root_logger.debug('Ensuring that service %s%s is not running while ' - 'the next set of commands is being executed.', service, - log_instance_name) + logger.debug('Ensuring that service %s%s is not running while ' + 'the next set of commands is being executed.', service, + log_instance_name) service_obj = services.service(service, api) # Figure out if the service is running, if not, yield if not service_obj.is_running(instance_name): - root_logger.debug('Service %s%s is not running, continue.', service, - log_instance_name) + logger.debug('Service %s%s is not running, continue.', service, + log_instance_name) yield else: # Stop the service, do the required stuff and start it again - root_logger.debug('Stopping %s%s.', service, log_instance_name) + logger.debug('Stopping %s%s.', service, log_instance_name) service_obj.stop(instance_name) try: yield finally: - root_logger.debug('Starting %s%s.', service, log_instance_name) + logger.debug('Starting %s%s.', service, log_instance_name) service_obj.start(instance_name) @@ -1148,12 +1151,12 @@ def check_entropy(): emsg = 'WARNING: Your system is running out of entropy, ' \ 'you may experience long delays' service.print_msg(emsg) - root_logger.debug(emsg) + logger.debug("%s", emsg) except IOError as e: - root_logger.debug( + logger.debug( "Could not open %s: %s", paths.ENTROPY_AVAIL, e) except ValueError as e: - root_logger.debug("Invalid value in %s %s", paths.ENTROPY_AVAIL, e) + logger.debug("Invalid value in %s %s", paths.ENTROPY_AVAIL, e) def load_external_cert(files, ca_subject): 
@@ -1285,13 +1288,13 @@ def check_creds(options, realm_name): # Check if ccache is available default_cred = None try: - root_logger.debug('KRB5CCNAME set to %s' % - os.environ.get('KRB5CCNAME', None)) + logger.debug('KRB5CCNAME set to %s', + os.environ.get('KRB5CCNAME', None)) # get default creds, will raise if none found default_cred = gssapi.creds.Credentials() principal = str(default_cred.name) except gssapi.raw.misc.GSSError as e: - root_logger.debug('Failed to find default ccache: %s' % e) + logger.debug('Failed to find default ccache: %s', e) principal = None # Check if the principal matches the requested one (if any) @@ -1300,9 +1303,9 @@ def check_creds(options, realm_name): if op.find('@') == -1: op = '%s@%s' % (op, realm_name) if principal != op: - root_logger.debug('Specified principal %s does not match ' - 'available credentials (%s)' % - (options.principal, principal)) + logger.debug('Specified principal %s does not match ' + 'available credentials (%s)', + options.principal, principal) principal = None if principal is None: @@ -1326,16 +1329,16 @@ def check_creds(options, realm_name): except EOFError: stdin = None if not stdin: - root_logger.error( + logger.error( "Password must be provided for %s.", principal) raise ScriptError("Missing password for %s" % principal) else: if sys.stdin.isatty(): - root_logger.error("Password must be provided in " + - "non-interactive mode.") - root_logger.info("This can be done via " + - "echo password | ipa-client-install " + - "... or with the -w option.") + logger.error("Password must be provided in " + "non-interactive mode.") + logger.info("This can be done via " + "echo password | ipa-client-install " + "... or with the -w option.") raise ScriptError("Missing password for %s" % principal) else: stdin = sys.stdin.readline() 
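Review bot: The info message in the `sys.stdin.isatty()` branch still recommends `echo password | ipa-client-install ...` or the `-w` option, and both leave the password where it can leak: the first in shell history, the second in process arguments that other local users can list. While the string is being touched, the hint could point to standard input fed from a file instead, e.g. `logger.info("This can be done by redirecting standard input from a file readable only by the invoking user.")`. The message also names ipa-client-install although this helper lives in ipaserver/install/installutils.py, so the command shown may not be the one the user ran. check_creds continues outside this hunk.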
@@ -1346,7 +1349,7 @@ def check_creds(options, realm_name): try: kinit_password(principal, stdin, ccache_name) except RuntimeError as e: - root_logger.error("Kerberos authentication failed: %s" % e) + logger.error("Kerberos authentication failed: %s", e) raise ScriptError("Invalid credentials: %s" % e) os.environ['KRB5CCNAME'] = ccache_name @@ -1450,9 +1453,9 @@ class ModifyLDIF(ldif.LDIFParser): raise ValueError("add: {dn}, {attr}: values are " "missing".format(dn=dn, attr=attr)) else: - root_logger.error("Ignoring entry: %s : only modifications " - "are allowed (missing \"changetype: " - "modify\")", dn) + logger.error("Ignoring entry: %s : only modifications " + "are allowed (missing \"changetype: " + "modify\")", dn) def handle(self, dn, entry): if dn in self.modifications: @@ -1485,7 +1488,7 @@ class ModifyLDIF(ldif.LDIFParser): # check if there are any remaining modifications remaining_changes = set(self.modifications.keys()) - self.dn_updated for dn in remaining_changes: - root_logger.error( + logger.error( "DN: %s does not exists or haven't been updated", dn) @@ -1496,13 +1499,13 @@ def remove_keytab(keytab_path): :param keytab_path: path to the keytab file """ try: - root_logger.debug("Removing service keytab: {}".format(keytab_path)) + logger.debug("Removing service keytab: %s", keytab_path) os.remove(keytab_path) except OSError as e: if e.errno != errno.ENOENT: - root_logger.warning("Failed to remove Kerberos keytab '{}': " - "{}".format(keytab_path, e)) - root_logger.warning("You may have to remove it manually") + logger.warning("Failed to remove Kerberos keytab '%s': %s", + keytab_path, e) + logger.warning("You may have to remove it manually") def remove_ccache(ccache_path=None, run_as=None): 
@@ -1512,17 +1515,17 @@ def remove_ccache(ccache_path=None, run_as=None): :param ccache_path: path to the ccache file :param run_as: run kdestroy as this user """ - root_logger.debug("Removing service credentials cache") + logger.debug("Removing service credentials cache") kdestroy_cmd = [paths.KDESTROY] if ccache_path is not None: - root_logger.debug("Ccache path: '{}'".format(ccache_path)) + logger.debug("Ccache path: '%s'", ccache_path) kdestroy_cmd.extend(['-c', ccache_path]) try: ipautil.run(kdestroy_cmd, runas=run_as, env={}) except ipautil.CalledProcessError as e: - root_logger.warning( - "Failed to clear Kerberos credentials cache: {}".format(e)) + logger.warning( + "Failed to clear Kerberos credentials cache: %s", e) def restart_dirsrv(instance_name="", capture_output=True): diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index f0875fb..30d8fc1 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -20,6 +20,7 @@ from __future__ import absolute_import from __future__ import print_function +import logging import os import pwd import socket @@ -37,7 +38,6 @@ from ipapython import kernel_keyring from ipalib import api, errors from ipalib.constants import ANON_USER from ipalib.install import certmonger -from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipapython.dogtag import KDC_PROFILE @@ -49,6 +49,8 @@ from ipaplatform.constants import constants from ipaplatform.tasks import tasks from ipaplatform.paths import paths +logger = logging.getLogger(__name__) + PKINIT_ENABLED = 'pkinitEnabled' @@ -246,7 +248,7 @@ class KrbInstance(service.Service): try: self.start() except Exception: - root_logger.critical("krb5kdc service failed to start") + logger.critical("krb5kdc service failed to start") def __setup_sub_dict(self): if os.path.exists(paths.COMMON_KRB5_CONF_DIR): 
@@ -277,11 +279,11 @@ class KrbInstance(service.Service): domain = dns.name.from_text(self.domain) fqdn = dns.name.from_text(self.fqdn) if not fqdn.is_subdomain(domain): - root_logger.debug("IPA FQDN '%s' is not located in default domain '%s'", - fqdn, domain) + logger.debug("IPA FQDN '%s' is not located in default domain '%s'", + fqdn, domain) server_domain = fqdn.parent().to_unicode(omit_final_dot=True) - root_logger.debug("Domain '%s' needs additional mapping in krb5.conf", - server_domain) + logger.debug("Domain '%s' needs additional mapping in krb5.conf", + server_domain) dr_map = " .%(domain)s = %(realm)s\n %(domain)s = %(realm)s\n" \ % dict(domain=server_domain, realm=self.realm) else: @@ -290,11 +292,11 @@ class KrbInstance(service.Service): # Configure KEYRING CCACHE if supported if kernel_keyring.is_persistent_keyring_supported(): - root_logger.debug("Enabling persistent keyring CCACHE") + logger.debug("Enabling persistent keyring CCACHE") self.sub_dict['OTHER_LIBDEFAULTS'] = \ " default_ccache_name = KEYRING:persistent:%{uid}\n" else: - root_logger.debug("Persistent keyring CCACHE is not enabled") + logger.debug("Persistent keyring CCACHE is not enabled") self.sub_dict['OTHER_LIBDEFAULTS'] = '' def __add_krb_container(self): @@ -444,7 +446,7 @@ class KrbInstance(service.Service): # if the certificate is already tracked, ignore the error name = e.get_dbus_name() if name != 'org.fedorahosted.certmonger.duplicate': - root_logger.error("Failed to initiate the request: %s", e) + logger.error("Failed to initiate the request: %s", e) return finally: if prev_helper is not None: 
@@ -500,8 +502,8 @@ class KrbInstance(service.Service): self._install_pkinit_ca_bundle() self.pkinit_enable() except RuntimeError as e: - root_logger.error("PKINIT certificate request failed: %s", e) - root_logger.error("Failed to configure PKINIT") + logger.error("PKINIT certificate request failed: %s", e) + logger.error("Failed to configure PKINIT") self.stop_tracking_certs() self.issue_selfsigned_pkinit_certs() @@ -542,7 +544,7 @@ class KrbInstance(service.Service): try: self.restart() except Exception: - root_logger.critical("krb5kdc service failed to restart") + logger.critical("krb5kdc service failed to restart") raise def get_anonymous_principal_name(self): @@ -590,7 +592,7 @@ class KrbInstance(service.Service): try: self.fstore.restore_file(f) except ValueError as error: - root_logger.debug(error) + logger.debug("%s", error) # disabled by default, by ldap_enable() if enabled: diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py index f30c1f2..f26ba1b 100644 --- a/ipaserver/install/ntpinstance.py +++ b/ipaserver/install/ntpinstance.py @@ -18,11 +18,14 @@ # along with this program. If not, see . # +import logging + from ipaserver.install import service from ipaserver.install import sysupgrade from ipaplatform.constants import constants from ipaplatform.paths import paths -from ipapython.ipa_log_manager import root_logger + +logger = logging.getLogger(__name__) NTPD_OPTS_VAR = constants.NTPD_OPTS_VAR NTPD_OPTS_QUOTE = constants.NTPD_OPTS_QUOTE @@ -160,7 +163,7 @@ class NTPInstance(service.Service): try: self.fstore.restore_file(paths.NTP_CONF) except ValueError as error: - root_logger.debug(error) + logger.debug("%s", error) if enabled: self.enable() diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py index 59f27f5..8ad53af 100644 --- a/ipaserver/install/odsexporterinstance.py +++ b/ipaserver/install/odsexporterinstance.py 
@@ -2,6 +2,7 @@ # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # +import logging import os import pwd import grp @@ -10,7 +11,6 @@ import ldap from ipaserver.install import service from ipaserver.install import installutils -from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipapython import ipautil from ipaplatform.constants import constants @@ -18,6 +18,8 @@ from ipaplatform.paths import paths from ipaplatform import services from ipalib import errors, api +logger = logging.getLogger(__name__) + class ODSExporterInstance(service.Service): def __init__(self, fstore=None): @@ -72,7 +74,7 @@ class ODSExporterInstance(service.Service): self.ldap_enable('DNSKeyExporter', self.fqdn, None, self.suffix) except errors.DuplicateEntry: - root_logger.error("DNSKeyExporter service already exists") + logger.error("DNSKeyExporter service already exists") def __setup_key_exporter(self): installutils.set_directive(paths.SYSCONFIG_IPA_ODS_EXPORTER, @@ -116,8 +118,8 @@ class ODSExporterInstance(service.Service): except ldap.TYPE_OR_VALUE_EXISTS: pass except Exception as e: - root_logger.critical("Could not modify principal's %s entry: %s" - % (dns_exporter_principal_dn, str(e))) + logger.critical("Could not modify principal's %s entry: %s", + dns_exporter_principal_dn, str(e)) raise # limit-free connection @@ -129,8 +131,8 @@ class ODSExporterInstance(service.Service): try: api.Backend.ldap2.modify_s(dns_exporter_principal_dn, mod) except Exception as e: - root_logger.critical("Could not set principal's %s LDAP limits: %s" - % (dns_exporter_principal_dn, str(e))) + logger.critical("Could not set principal's %s LDAP limits: %s", + dns_exporter_principal_dn, str(e)) raise def __disable_signerd(self): diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py index bc2974a..0082b8f 100644 --- a/ipaserver/install/opendnssecinstance.py +++ b/ipaserver/install/opendnssecinstance.py 
@@ -2,6 +2,7 @@ # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # +import logging import os import pwd import grp @@ -12,7 +13,6 @@ from subprocess import CalledProcessError from ipalib.install import sysrestore from ipaserver.install import service from ipaserver.install import installutils -from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipapython import ipautil from ipaplatform import services @@ -22,6 +22,8 @@ from ipalib import errors, api from ipaserver import p11helper from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL +logger = logging.getLogger(__name__) + KEYMASTER = u'dnssecKeyMaster' @@ -139,7 +141,7 @@ class OpenDNSSECInstance(service.Service): self.ldap_enable('DNSSEC', self.fqdn, None, self.suffix, self.extra_config) except errors.DuplicateEntry: - root_logger.error("DNSSEC service already exists") + logger.error("DNSSEC service already exists") # add the KEYMASTER identifier into ipaConfigString # this is needed for the re-enabled DNSSEC master @@ -148,7 +150,7 @@ class OpenDNSSECInstance(service.Service): try: entry = api.Backend.ldap2.get_entry(dn, ['ipaConfigString']) except errors.NotFound as e: - root_logger.error( + logger.error( "DNSSEC service entry not found in the LDAP (%s)", e) else: config = entry.setdefault('ipaConfigString', []) @@ -240,11 +242,11 @@ class OpenDNSSECInstance(service.Service): SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO) try: # generate master key - root_logger.debug("Creating master key") + logger.debug("Creating master key") p11helper.generate_master_key(p11) # change tokens mod/owner - root_logger.debug("Changing ownership of token files") + logger.debug("Changing ownership of token files") for (root, dirs, files) in os.walk(paths.DNSSEC_TOKENS_DIR): for directory in dirs: dir_path = os.path.join(root, directory) 
@@ -261,7 +263,7 @@ class OpenDNSSECInstance(service.Service): def __setup_dnssec(self): # run once only if self.get_state("kasp_db_configured") and not self.kasp_db_file: - root_logger.debug("Already configured, skipping step") + logger.debug("Already configured, skipping step") return self.backup_state("kasp_db_configured", True) @@ -344,18 +346,18 @@ class OpenDNSSECInstance(service.Service): self.print_msg("Exporting DNSSEC data before uninstallation") ipautil.run(cmd, runas=constants.ODS_USER) except CalledProcessError: - root_logger.error("DNSSEC data export failed") + logger.error("DNSSEC data export failed") try: shutil.copy(paths.OPENDNSSEC_KASP_DB, paths.IPA_KASP_DB_BACKUP) except IOError as e: - root_logger.error( + logger.error( "Unable to backup OpenDNSSEC database %s, " "restore will be skipped: %s", paths.OPENDNSSEC_KASP_DB, e) else: - root_logger.info("OpenDNSSEC database backed up in %s", - paths.IPA_KASP_DB_BACKUP) + logger.info("OpenDNSSEC database backed up in %s", + paths.IPA_KASP_DB_BACKUP) # restore OpenDNSSEC's KASP DB only if backup succeeded # removing the file without backup could totally break DNSSEC restore_list.append(paths.OPENDNSSEC_KASP_DB) @@ -364,7 +366,7 @@ class OpenDNSSECInstance(service.Service): try: self.fstore.restore_file(f) except ValueError as error: - root_logger.debug(error) + logger.debug("%s", error) self.restore_state("kasp_db_configured") # just eat state diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py index bc88e66..bec5a09 100644 --- a/ipaserver/install/plugins/adtrust.py +++ b/ipaserver/install/plugins/adtrust.py @@ -22,7 +22,6 @@ import logging from ipalib import Registry, errors from ipalib import Updater from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger from ipaserver.install import sysupgrade from ipaserver.install.adtrustinstance import ADTRUSTInstance 
@@ -49,7 +48,8 @@ class update_default_range(Updater): except errors.NotFound: pass else: - root_logger.debug("default_range: ipaDomainIDRange entry found, skip plugin") + logger.debug("default_range: ipaDomainIDRange entry found, skip " + "plugin") return False, [] dn = DN(('cn', 'admins'), self.api.env.container_group, @@ -57,8 +57,8 @@ class update_default_range(Updater): try: admins_entry = ldap.get_entry(dn, ['gidnumber']) except errors.NotFound: - root_logger.error("default_range: No local ID range and no admins " - "group found. Cannot create default ID range") + logger.error("default_range: No local ID range and no admins " + "group found. Cannot create default ID range") return False, [] id_range_base_id = admins_entry['gidnumber'][0] @@ -92,8 +92,8 @@ class update_default_range(Updater): try: (entries, _truncated) = ldap.find_entries(search_filter, attrs, dn) except errors.NotFound: - root_logger.warning("default_range: no dnaSharedConfig object found. " - "Cannot check default range size.") + logger.warning("default_range: no dnaSharedConfig object found. " + "Cannot check default range size.") else: masters = set() remaining_values_sum = 0 @@ -105,8 +105,9 @@ class update_default_range(Updater): try: remaining_values = int(remaining_values) except ValueError: - root_logger.warning("default_range: could not parse " - "remaining values from '%s'", remaining_values) + logger.warning("default_range: could not parse " + "remaining values from '%s'", + remaining_values) continue else: remaining_values_sum += remaining_values @@ -122,7 +123,7 @@ class update_default_range(Updater): ' RANGE_SIZE = (--idmax) - (--idstart) + 1' ] - root_logger.error("default_range: %s", "\n".join(msg)) + logger.error("default_range: %s", "\n".join(msg)) return False, [update] diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py index 7844981..3b7d2dc 100644 --- a/ipaserver/install/plugins/dns.py +++ b/ipaserver/install/plugins/dns.py 
@@ -32,7 +32,6 @@ from ipalib import Registry, errors, util from ipalib import Updater from ipapython.dn import DN from ipapython import dnsutil -from ipapython.ipa_log_manager import root_logger from ipaserver.install import sysupgrade from ipaserver.install.bindinstance import ensure_dnsserver_container_exists from ipaserver.plugins.dns import dns_container_exists @@ -246,11 +245,13 @@ class update_dns_limits(Updater): entry = ldap.get_entry(dns_service_dn, self.limit_attributes) except errors.NotFound: # this host may not have DNS service set - root_logger.debug("DNS: service %s not found, no need to update limits" % dns_service_dn) + logger.debug("DNS: service %s not found, no need to update limits", + dns_service_dn) return False, [] if all(entry.get(limit.lower(), [None])[0] == self.limit_value for limit in self.limit_attributes): - root_logger.debug("DNS: limits for service %s already set" % dns_service_dn) + logger.debug("DNS: limits for service %s already set", + dns_service_dn) # service is already updated return False, [] @@ -261,7 +262,8 @@ class update_dns_limits(Updater): value=self.limit_value)) dnsupdate = {'dn': dns_service_dn, 'updates': limit_updates} - root_logger.debug("DNS: limits for service %s will be updated" % dns_service_dn) + logger.debug("DNS: limits for service %s will be updated", + dns_service_dn) return False, [dnsupdate] diff --git a/ipaserver/install/plugins/update_idranges.py b/ipaserver/install/plugins/update_idranges.py index 67dbdd5..9fce536 100644 --- a/ipaserver/install/plugins/update_idranges.py +++ b/ipaserver/install/plugins/update_idranges.py @@ -17,10 +17,13 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import logging + from ipalib import Registry, errors from ipalib import Updater from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger + +logger = logging.getLogger(__name__) register = Registry() 
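Review bot: The three `logger.debug` calls in `update_dns_limits` rely on a module-level `logger`, but the dns.py hunks in this commit only remove the `root_logger` import and add neither `import logging` nor `logger = logging.getLogger(__name__)`, unlike httpinstance.py or update_idranges.py. If dns.py does not already define it outside the visible hunks, these calls raise NameError when the updater runs. The same question applies to adtrust.py, whose hunk header shows `import logging` but no logger definition. Worth confirming, and adding `logger = logging.getLogger(__name__)` after the imports if it is missing.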
@@ -37,8 +40,8 @@ class update_idrange_type(Updater): base_dn = DN(self.api.env.container_ranges, self.api.env.basedn) search_filter = ("(&(objectClass=ipaIDrange)(!(ipaRangeType=*)))") - root_logger.debug("update_idrange_type: search for ID ranges with no " - "type set") + logger.debug("update_idrange_type: search for ID ranges with no " + "type set") while True: # Run the search in loop to avoid issues when LDAP limits are hit @@ -49,24 +52,23 @@ class update_idrange_type(Updater): ['objectclass'], base_dn, time_limit=0, size_limit=0) except errors.NotFound: - root_logger.debug("update_idrange_type: no ID range without " - "type set found") + logger.debug("update_idrange_type: no ID range without " + "type set found") return False, [] except errors.ExecutionError as e: - root_logger.error("update_idrange_type: cannot retrieve list " - "of ranges with no type set: %s", e) + logger.error("update_idrange_type: cannot retrieve list " + "of ranges with no type set: %s", e) return False, [] if not entries: # No entry was returned, rather break than continue cycling - root_logger.debug("update_idrange_type: no ID range was " - "returned") + logger.debug("update_idrange_type: no ID range was returned") return False, [] - root_logger.debug("update_idrange_type: found %d " - "idranges to update, truncated: %s", - len(entries), truncated) + logger.debug("update_idrange_type: found %d " + "idranges to update, truncated: %s", + len(entries), truncated) error = False 
@@ -83,30 +85,30 @@ class update_idrange_type(Updater): entry['ipaRangeType'] = ['ipa-local'] else: entry['ipaRangeType'] = ['unknown'] - root_logger.error("update_idrange_type: could not detect " - "range type for entry: %s" % str(entry.dn)) - root_logger.error("update_idrange_type: ID range type set " - "to 'unknown' for entry: %s" % str(entry.dn)) + logger.error("update_idrange_type: could not detect " + "range type for entry: %s", str(entry.dn)) + logger.error("update_idrange_type: ID range type set " + "to 'unknown' for entry: %s", str(entry.dn)) try: ldap.update_entry(entry) except (errors.EmptyModlist, errors.NotFound): pass except errors.ExecutionError as e: - root_logger.debug("update_idrange_type: cannot " - "update idrange type: %s", e) + logger.debug("update_idrange_type: cannot " + "update idrange type: %s", e) error = True if error: # Exit loop to avoid infinite cycles - root_logger.error("update_idrange_type: error(s) " - "detected during idrange type update") + logger.error("update_idrange_type: error(s) " + "detected during idrange type update") return False, [] elif not truncated: # All affected entries updated, exit the loop - root_logger.debug("update_idrange_type: all affected idranges " - "were assigned types") + logger.debug("update_idrange_type: all affected idranges " + "were assigned types") return False, [] return False, [] @@ -126,7 +128,7 @@ class update_idrange_baserid(Updater): search_filter = ("(&(objectClass=ipaTrustedADDomainRange)" "(ipaRangeType=ipa-ad-trust-posix)" "(!(ipaBaseRID=0)))") - root_logger.debug( + logger.debug( "update_idrange_baserid: search for ipa-ad-trust-posix ID ranges " "with ipaBaseRID != 0" ) 
@@ -137,18 +139,18 @@ class update_idrange_baserid(Updater): paged_search=True, time_limit=0, size_limit=0) except errors.NotFound: - root_logger.debug("update_idrange_baserid: no AD domain " - "range with posix attributes found") + logger.debug("update_idrange_baserid: no AD domain " + "range with posix attributes found") return False, [] except errors.ExecutionError as e: - root_logger.error("update_idrange_baserid: cannot retrieve " - "list of affected ranges: %s", e) + logger.error("update_idrange_baserid: cannot retrieve " + "list of affected ranges: %s", e) return False, [] - root_logger.debug("update_idrange_baserid: found %d " - "idranges possible to update", - len(entries)) + logger.debug("update_idrange_baserid: found %d " + "idranges possible to update", + len(entries)) error = False @@ -156,22 +158,22 @@ class update_idrange_baserid(Updater): for entry in entries: entry['ipabaserid'] = 0 try: - root_logger.debug("Updating existing idrange: %s" % (entry.dn)) + logger.debug("Updating existing idrange: %s", entry.dn) ldap.update_entry(entry) - root_logger.info("Done") + logger.info("Done") except (errors.EmptyModlist, errors.NotFound): pass except errors.ExecutionError as e: - root_logger.debug("update_idrange_type: cannot " - "update idrange: %s", e) + logger.debug("update_idrange_type: cannot " + "update idrange: %s", e) error = True if error: - root_logger.error("update_idrange_baserid: error(s) " - "detected during idrange baserid update") + logger.error("update_idrange_baserid: error(s) " + "detected during idrange baserid update") else: # All affected entries updated, exit the loop - root_logger.debug("update_idrange_baserid: all affected " - "idranges updated") + logger.debug("update_idrange_baserid: all affected " + "idranges updated") return False, [] diff --git a/ipaserver/install/plugins/update_passsync.py b/ipaserver/install/plugins/update_passsync.py index d3235a2..ef4701e 100644 --- a/ipaserver/install/plugins/update_passsync.py 
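Review bot: The per-entry failure message in the `except errors.ExecutionError` branch of the update loop (hunk @@ -156,22 +158,22 @@) is prefixed `update_idrange_type:` although it sits in `update_idrange_baserid`, so anyone grepping the upgrade log by plugin name is sent to the wrong updater. I would change it to `logger.debug("update_idrange_baserid: cannot update idrange: %s", e)`. That call is also the only place the underlying exception is recorded, and it is at debug level while the summary after the loop is at error level, so raising it to `logger.error` would keep the cause visible at the default log level. The enclosing method starts outside this hunk.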
+++ b/ipaserver/install/plugins/update_passsync.py @@ -2,12 +2,15 @@ # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # +import logging + from ipalib import Registry, errors from ipalib import Updater from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger from ipaserver.install import sysupgrade +logger = logging.getLogger(__name__) + register = Registry() @@ -17,10 +20,10 @@ class update_passync_privilege_check(Updater): def execute(self, **options): update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated') if update_done: - root_logger.debug("PassSync privilege update pre-check not needed") + logger.debug("PassSync privilege update pre-check not needed") return False, [] - root_logger.debug("Check if there is existing PassSync privilege") + logger.debug("Check if there is existing PassSync privilege") passsync_privilege_dn = DN(('cn','PassSync Service'), self.api.env.container_privilege, @@ -30,10 +33,10 @@ class update_passync_privilege_check(Updater): try: ldap.get_entry(passsync_privilege_dn, ['']) except errors.NotFound: - root_logger.debug("PassSync privilege not found, this is a new update") + logger.debug("PassSync privilege not found, this is a new update") sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', False) else: - root_logger.debug("PassSync privilege found, skip updating PassSync") + logger.debug("PassSync privilege found, skip updating PassSync") sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True) return False, [] 
@@ -48,10 +51,10 @@ class update_passync_privilege_update(Updater): def execute(self, **options): update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated') if update_done: - root_logger.debug("PassSync privilege update not needed") + logger.debug("PassSync privilege update not needed") return False, [] - root_logger.debug("Add PassSync user as a member of PassSync privilege") + logger.debug("Add PassSync user as a member of PassSync privilege") ldap = self.api.Backend.ldap2 passsync_dn = DN(('uid','passsync'), ('cn', 'sysaccounts'), ('cn', 'etc'), self.api.env.basedn) @@ -62,11 +65,11 @@ class update_passync_privilege_update(Updater): try: ldap.get_entry(passsync_dn, ['']) except errors.NotFound: - root_logger.debug("PassSync user not found, no update needed") + logger.debug("PassSync user not found, no update needed") sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True) return False, [] else: - root_logger.debug("PassSync user found, do update") + logger.debug("PassSync user found, do update") update = {'dn': passsync_privilege_dn, 'updates': [ diff --git a/ipaserver/install/plugins/update_referint.py b/ipaserver/install/plugins/update_referint.py index bf53937..0d17a00 100644 --- a/ipaserver/install/plugins/update_referint.py +++ b/ipaserver/install/plugins/update_referint.py @@ -2,10 +2,13 @@ # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # +import logging + from ipalib import Registry, errors from ipalib import Updater from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger + +logger = logging.getLogger(__name__) register = Registry() 
@@ -30,39 +33,39 @@ class update_referint(Updater): def execute(self, **options): - root_logger.debug("Upgrading referential integrity plugin configuration") + logger.debug("Upgrading referential integrity plugin configuration") ldap = self.api.Backend.ldap2 try: entry = ldap.get_entry(self.referint_dn) except errors.NotFound: - root_logger.error("Referential integrity configuration not found") + logger.error("Referential integrity configuration not found") return False, [] referint_membership_attrs = [] - root_logger.debug("Initial value: %s", repr(entry)) + logger.debug("Initial value: %s", repr(entry)) # nsslapd-pluginArg0 -> referint-update-delay update_delay = entry.get('nsslapd-pluginArg0') if update_delay: - root_logger.debug("add: referint-update-delay: %s", update_delay) + logger.debug("add: referint-update-delay: %s", update_delay) entry['referint-update-delay'] = update_delay entry['nsslapd-pluginArg0'] = None else: - root_logger.debug("Plugin already uses new style, skipping") + logger.debug("Plugin already uses new style, skipping") return False, [] # nsslapd-pluginArg1 -> referint-logfile logfile = entry.get('nsslapd-pluginArg1') if logfile: - root_logger.debug("add: referint-logfile: %s", logfile) + logger.debug("add: referint-logfile: %s", logfile) entry['referint-logfile'] = logfile entry['nsslapd-pluginArg1'] = None # nsslapd-pluginArg2 -> referint-logchanges logchanges = entry.get('nsslapd-pluginArg2') if logchanges: - root_logger.debug("add: referint-logchanges: %s", logchanges) + logger.debug("add: referint-logchanges: %s", logchanges) entry['referint-logchanges'] = logchanges entry['nsslapd-pluginArg2'] = None 
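Review bot: `logger.debug("Initial value: %s", repr(entry))` still builds the full repr of the plugin entry on every call, even when DEBUG is disabled, so the switch to lazy logging arguments gains nothing on this line. `logger.debug("Initial value: %r", entry)` produces the same text and defers the formatting to the handler. The `"Final value: %s", repr(entry)` call in the next hunk (@@ -79,11 +82,11 @@) has the same shape. `execute()` continues past the end of this hunk.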
@@ -79,11 +82,11 @@ class update_referint(Updater): # mixing old and new style entry['referint-membership-attr'] = referint_membership_attrs - root_logger.debug("Final value: %s", repr(entry)) + logger.debug("Final value: %s", repr(entry)) try: ldap.update_entry(entry) except errors.EmptyModlist: - root_logger.debug("No modifications required") + logger.debug("No modifications required") return False, [] return False, [] diff --git a/ipaserver/install/plugins/update_services.py b/ipaserver/install/plugins/update_services.py index 28f2401..a941663 100644 --- a/ipaserver/install/plugins/update_services.py +++ b/ipaserver/install/plugins/update_services.py @@ -17,10 +17,13 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import logging + from ipalib import Registry, errors from ipalib import Updater from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger + +logger = logging.getLogger(__name__) register = Registry() @@ -39,8 +42,8 @@ class update_service_principalalias(Updater): base_dn = DN(self.api.env.container_service, self.api.env.basedn) search_filter = ("(&(objectclass=krbprincipal)(objectclass=ipaservice)" "(!(objectclass=ipakrbprincipal)))") - root_logger.debug("update_service_principalalias: search for affected " - "services") + logger.debug("update_service_principalalias: search for affected " + "services") while True: # run the search in loop to avoid issues when LDAP limits are hit 
@@ -50,21 +53,21 @@ class update_service_principalalias(Updater): ['objectclass', 'krbprincipalname'], base_dn, time_limit=0, size_limit=0) except errors.NotFound: - root_logger.debug("update_service_principalalias: no service " - "to update found") + logger.debug("update_service_principalalias: no service " + "to update found") return False, [] except errors.ExecutionError as e: - root_logger.error("update_service_principalalias: cannot " - "retrieve list of affected services: %s", e) + logger.error("update_service_principalalias: cannot " + "retrieve list of affected services: %s", e) return False, [] if not entries: # no entry was returned, rather break than continue cycling - root_logger.debug("update_service_principalalias: no service " - "was returned") + logger.debug("update_service_principalalias: no service " + "was returned") return False, [] - root_logger.debug("update_service_principalalias: found %d " - "services to update, truncated: %s", - len(entries), truncated) + logger.debug("update_service_principalalias: found %d " + "services to update, truncated: %s", + len(entries), truncated) error = False for entry in entries: 
@@ -76,18 +79,18 @@ class update_service_principalalias(Updater): except (errors.EmptyModlist, errors.NotFound): pass except errors.ExecutionError as e: - root_logger.debug("update_service_principalalias: cannot " - "update service: %s", e) + logger.debug("update_service_principalalias: cannot " + "update service: %s", e) error = True if error: # exit loop to avoid infinite cycles - root_logger.error("update_service_principalalias: error(s)" - "detected during service update") + logger.error("update_service_principalalias: error(s)" + "detected during service update") return False, [] elif not truncated: # all affected entries updated, exit the loop - root_logger.debug("update_service_principalalias: all affected" - " services updated") + logger.debug("update_service_principalalias: all affected" + " services updated") return False, [] return False, [] diff --git a/ipaserver/install/plugins/update_uniqueness.py b/ipaserver/install/plugins/update_uniqueness.py index fda339b..44b8bfc 100644 --- a/ipaserver/install/plugins/update_uniqueness.py +++ b/ipaserver/install/plugins/update_uniqueness.py @@ -17,10 +17,13 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import logging + from ipalib import Registry, errors from ipalib import Updater from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger + +logger = logging.getLogger(__name__) register = Registry() @@ -182,8 +185,8 @@ class update_uniqueness_plugins_to_new_syntax(Updater): base_dn=self.plugins_dn, ) except errors.NotFound: - root_logger.debug("No uniqueness plugin entries with old style " - "configuration found") + logger.debug("No uniqueness plugin entries with old style " + "configuration found") return False, [] update_list = [] 
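Review bot: The error message in the `if error:` branch is built from two adjacent literals with no space between them, `"update_service_principalalias: error(s)"` and `"detected during service update"`, so the log line reads "error(s)detected". Since the line is being re-indented anyway, the first literal should end with a space: `"update_service_principalalias: error(s) "`. The matching message in update_idranges.py already has it.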
@@ -198,14 +201,14 @@ class update_uniqueness_plugins_to_new_syntax(Updater): for entry in entries: # test for mixed configuration if any(attr in entry for attr in new_attributes): - root_logger.critical("Mixed old and new style configuration " - "for plugin %s. Plugin will not work. " - "Skipping plugin migration, please fix it " - "manually", - entry.dn) + logger.critical("Mixed old and new style configuration " + "for plugin %s. Plugin will not work. " + "Skipping plugin migration, please fix it " + "manually", + entry.dn) continue - root_logger.debug("Configuration of plugin %s will be migrated " - "to new style", entry.dn) + logger.debug("Configuration of plugin %s will be migrated " + "to new style", entry.dn) try: # detect which configuration was used arg0 = entry.get('nsslapd-pluginarg0') @@ -214,9 +217,9 @@ class update_uniqueness_plugins_to_new_syntax(Updater): else: update = self.__subtree_style(entry) except ValueError as e: - root_logger.error("Unable to migrate configuration of " - "plugin %s (%s)", - entry.dn, e) + logger.error("Unable to migrate configuration of " + "plugin %s (%s)", + entry.dn, e) else: update_list.append(update) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 1c7955c..516372f 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -19,6 +19,8 @@ from __future__ import print_function +import logging + import six import time import datetime @@ -30,7 +32,6 @@ import ldap from ipalib import api, errors from ipalib.cli import textui -from ipapython.ipa_log_manager import root_logger from ipapython import ipautil, ipaldap, kerberos from ipapython.admintool import ScriptError from ipapython.dn import DN 
@@ -40,6 +41,8 @@ from ipaserver.install import installutils if six.PY3: unicode = str +logger = logging.getLogger(__name__) + # the default container used by AD for user entries WIN_USER_CONTAINER = DN(('cn', 'Users')) # the default container used by IPA for user entries @@ -176,7 +179,7 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): except errors.NotFound: pass # no entry yet except Exception as e: # badness - root_logger.error("Error reading entry %s: %s", dn, e) + logger.error("Error reading entry %s: %s", dn, e) raise if not entry: if not quiet: @@ -188,7 +191,7 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): raise errors.NotFound( reason="wait_for_entry timeout for %s for %s" % (connection, dn)) elif entry and not quiet: - root_logger.error("The waited for entry is: %s", entry) + logger.error("The waited for entry is: %s", entry) class ReplicationManager(object): @@ -268,12 +271,13 @@ class ReplicationManager(object): for a in range(1, attempts + 1): try: - root_logger.debug('Fetching nsDS5ReplicaId from master ' - '[attempt %d/%d]', a, attempts) + logger.debug('Fetching nsDS5ReplicaId from master ' + '[attempt %d/%d]', a, attempts) replica = master_conn.get_entry(dn) id_values = replica.get('nsDS5ReplicaId') if not id_values: - root_logger.debug("Unable to retrieve nsDS5ReplicaId from remote server") + logger.debug("Unable to retrieve nsDS5ReplicaId from " + "remote server") raise RuntimeError("Unable to retrieve nsDS5ReplicaId from remote server") # nsDS5ReplicaId is single-valued now, but historically it could # contain multiple values, of which we need the highest. 
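Review bot: In `wait_for_entry` (hunk @@ -188,7 +191,7 @@) the success path `elif entry and not quiet:` reports the entry with `logger.error(...)`, which puts a non-error event, together with the whole entry, into error-level output. Now that the call goes to a module logger that can be filtered on its own, `logger.debug("The waited for entry is: %s", entry)` fits better and keeps directory entry contents out of default-level logs. Which attributes the entry carries depends on the search earlier in the function, which is outside this hunk.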
@@ -285,22 +289,22 @@ class ReplicationManager(object): (ldap.MOD_ADD, 'nsDS5ReplicaId', str(retval + 1))] master_conn.modify_s(dn, mod_list) - root_logger.debug('Successfully updated nsDS5ReplicaId.') + logger.debug('Successfully updated nsDS5ReplicaId.') return retval except errors.NotFound: - root_logger.debug("Unable to retrieve nsDS5ReplicaId from remote server") + logger.debug("Unable to retrieve nsDS5ReplicaId from remote " + "server") raise # these errors signal a conflict in updating replica ID. # We then wait for a random time interval and try again except (ldap.NO_SUCH_ATTRIBUTE, ldap.OBJECT_CLASS_VIOLATION) as e: sleep_interval = randint(1, 5) - root_logger.debug("Update failed (%s). Conflicting operation?", - e) + logger.debug("Update failed (%s). Conflicting operation?", e) time.sleep(sleep_interval) # in case of other error we bail out except ldap.LDAPError as e: - root_logger.debug("Problem updating nsDS5ReplicaID %s" % e) + logger.debug("Problem updating nsDS5ReplicaID %s", e) raise raise RuntimeError("Failed to update nsDS5ReplicaId in %d attempts" @@ -457,7 +461,7 @@ class ReplicationManager(object): try: r_conn.modify_s(entry.dn, mod) except ldap.UNWILLING_TO_PERFORM: - root_logger.debug( + logger.debug( "nsds5replicabinddngroup attribute not supported on " "remote master.") @@ -560,8 +564,8 @@ class ReplicationManager(object): conn.modify_s(self.db_suffix, [(ldap.MOD_ADD, 'aci', [ "(targetattr = \"*\")(version 3.0; acl \"Proxied authorization for database links\"; allow (proxy) userdn = \"ldap:///%s\";)" % self.repl_man_dn ])]) except ldap.TYPE_OR_VALUE_EXISTS: - root_logger.debug("proxy aci already exists in suffix %s on %s" - % (self.db_suffix, conn.ldap_uri)) + logger.debug("proxy aci already exists in suffix %s on %s", + self.db_suffix, conn.ldap_uri) def get_mapping_tree_entry(self): try: 
@@ -572,7 +576,7 @@ class ReplicationManager(object): # TODO: Check we got only one entry return entries[0] except errors.NotFound: - root_logger.debug( + logger.debug( "failed to find mapping tree entry for %s", self.db_suffix) raise @@ -595,8 +599,8 @@ class ReplicationManager(object): try: self.conn.modify_s(dn, mod) except ldap.TYPE_OR_VALUE_EXISTS: - root_logger.debug("chainOnUpdate already enabled for %s" - % self.db_suffix) + logger.debug("chainOnUpdate already enabled for %s", + self.db_suffix) def setup_chain_on_update(self, other_conn): chainbe = self.setup_chaining_backend(other_conn) @@ -628,8 +632,8 @@ class ReplicationManager(object): try: conn.modify_s(extop_dn, mod) except ldap.TYPE_OR_VALUE_EXISTS: - root_logger.debug("Plugin '%s' already '%s' in passSyncManagersDNs", - extop_dn, pass_dn) + logger.debug("Plugin '%s' already '%s' in passSyncManagersDNs", + extop_dn, pass_dn) # And finally add it is a member of PassSync privilege to allow # displaying user NT attributes and reset passwords @@ -642,8 +646,8 @@ class ReplicationManager(object): try: conn.modify_s(passsync_privilege_dn, mod) except ldap.TYPE_OR_VALUE_EXISTS: - root_logger.debug("PassSync service '%s' already have '%s' as member", - passsync_privilege_dn, pass_dn) + logger.debug("PassSync service '%s' already have '%s' as member", + passsync_privilege_dn, pass_dn) def setup_winsync_agmt(self, entry, win_subtree=None): if win_subtree is None: @@ -757,7 +761,8 @@ class ReplicationManager(object): error_message = '' while (retries > 0 ): - root_logger.info('Getting ldap service principals for conversion: %s and %s' % (filter_a, filter_b)) + logger.info('Getting ldap service principals for conversion: ' + '%s and %s', filter_a, filter_b) try: a_entry = b.get_entries(self.suffix, ldap.SCOPE_SUBTREE, filter=filter_a) 
@@ -771,20 +776,20 @@ class ReplicationManager(object): pass if a_entry and b_entry: - root_logger.debug('Found both principals.') + logger.debug('Found both principals.') break # One or both is missing, force sync again if not a_entry: - root_logger.debug('Unable to find entry for %s on %s' - % (filter_a, str(b))) + logger.debug('Unable to find entry for %s on %s', + filter_a, str(b)) self.force_sync(a, b.host) _cn, dn = self.agreement_dn(b.host) _haserror, error_message = self.wait_for_repl_update(a, dn, 60) if not b_entry: - root_logger.debug('Unable to find entry for %s on %s' - % (filter_b, str(a))) + logger.debug('Unable to find entry for %s on %s', + filter_b, str(a)) self.force_sync(b, a.host) _cn, dn = self.agreement_dn(a.host) _haserror, error_message = self.wait_for_repl_update(b, dn, 60) @@ -888,7 +893,7 @@ class ReplicationManager(object): try: self.conn.modify_s(dn, mod) except Exception as e: - root_logger.debug("Failed to remove referral value: %s" % str(e)) + logger.debug("Failed to remove referral value: %s", str(e)) def check_repl_init(self, conn, agmtdn, start): done = False @@ -957,8 +962,9 @@ class ReplicationManager(object): end = 0 # incremental update is done if inprogress is false and end >= start done = inprogress and inprogress.lower() == 'false' and start <= end - root_logger.info("Replication Update in progress: %s: status: %s: start: %d: end: %d" % - (inprogress, status, start, end)) + logger.info("Replication Update in progress: %s: status: %s: " + "start: %d: end: %d", + inprogress, status, start, end) if status: # always check for errors # status will usually be a number followed by a string # number != 0 means error 
@@ -1084,14 +1090,14 @@ class ReplicationManager(object): for dn,entry in res: if dn == "": self.ad_suffix = entry['defaultNamingContext'][0] - root_logger.info("AD Suffix is: %s" % self.ad_suffix) + logger.info("AD Suffix is: %s", self.ad_suffix) if self.ad_suffix == "": raise RuntimeError("Failed to lookup AD's Ldap suffix") ad_conn.unbind_s() del ad_conn except Exception as e: - root_logger.info("Failed to connect to AD server %s" % ad_dc_name) - root_logger.info("The error was: %s" % e) + logger.info("Failed to connect to AD server %s", ad_dc_name) + logger.info("The error was: %s", e) raise RuntimeError("Failed to setup winsync replication") # Setup the only half. @@ -1106,10 +1112,11 @@ class ReplicationManager(object): self.setup_agreement(self.conn, ad_dc_name, repl_man_dn=ad_binddn, repl_man_passwd=ad_pwd, iswinsync=True, win_subtree=ad_subtree) - root_logger.info("Added new sync agreement, waiting for it to become ready . . .") + logger.info("Added new sync agreement, waiting for it to become " + "ready . . .") _cn, dn = self.agreement_dn(ad_dc_name) self.wait_for_repl_update(self.conn, dn, 300) - root_logger.info("Agreement is ready, starting replication . . .") + logger.info("Agreement is ready, starting replication . . .") # Add winsync replica to the public DIT dn = DN(('cn',ad_dc_name),('cn','replicas'),('cn','ipa'),('cn','etc'), self.suffix) @@ -1123,7 +1130,7 @@ class ReplicationManager(object): try: self.conn.add_entry(entry) except Exception as e: - root_logger.info("Failed to create public entry for winsync replica") + logger.info("Failed to create public entry for winsync replica") #Finally start replication ret = self.start_replication(self.conn, ad_dc_name) 
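Review bot: The handler in hunk @@ -1123,7 +1130,7 @@ binds the exception (`except Exception as e:`) but the log call never uses it, so a failed `self.conn.add_entry(entry)` for the winsync replica leaves no trace of why it failed. I would pass it through and raise the level: `logger.warning("Failed to create public entry for winsync replica: %s", e)`. The AD connection failure in the first hunk on this line (@@ -1084,14 +1090,14 @@) is likewise logged only at info level before the `RuntimeError` is raised. The enclosing method starts outside these hunks.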
@@ -1195,12 +1202,12 @@ class ReplicationManager(object): entries = conn.get_entries( DN(('cn', 'config')), ldap.SCOPE_SUBTREE, filter) except errors.NotFound: - root_logger.error("Unable to find replication agreement for %s" % - (hostname)) + logger.error("Unable to find replication agreement for %s", + hostname) raise RuntimeError("Unable to proceed") if len(entries) > 1: - root_logger.error("Found multiple agreements for %s" % hostname) - root_logger.error("Using the first one only (%s)" % entries[0].dn) + logger.error("Found multiple agreements for %s", hostname) + logger.error("Using the first one only (%s)", entries[0].dn) dn = entries[0].dn schedule = entries[0].single_value.get('nsds5replicaupdateschedule') @@ -1210,13 +1217,13 @@ class ReplicationManager(object): if schedule is not None: if newschedule == schedule: newschedule = '2358-2359 1' - root_logger.info("Setting agreement %s schedule to %s to force synch" % - (dn, newschedule)) + logger.info("Setting agreement %s schedule to %s to force synch", + dn, newschedule) mod = [(ldap.MOD_REPLACE, 'nsDS5ReplicaUpdateSchedule', [ newschedule ])] conn.modify_s(dn, mod) time.sleep(1) - root_logger.info("Deleting schedule %s from agreement %s" % - (newschedule, dn)) + logger.info("Deleting schedule %s from agreement %s", + newschedule, dn) mod = [(ldap.MOD_DELETE, 'nsDS5ReplicaUpdateSchedule', None)] conn.modify_s(dn, mod) @@ -1280,8 +1287,9 @@ class ReplicationManager(object): mod = [(ldap.MOD_DELETE, 'memberPrincipal', member_principal)] self.conn.modify_s(dn, mod) except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE): - root_logger.debug("Replica (%s) memberPrincipal (%s) not found in %s" % \ - (replica, member_principal, dn)) + logger.debug("Replica (%s) memberPrincipal (%s) not found in " + "%s", + replica, member_principal, dn) except Exception as e: if not force: raise e 
@@ -1375,14 +1383,15 @@ class ReplicationManager(object): # This usually isn't a show-stopper. if critical: raise e - root_logger.debug("No permission to modify replica read-only status, continuing anyway") + logger.debug("No permission to modify replica read-only status, " + "continuing anyway") def cleanallruv(self, replicaId): """ Create a CLEANALLRUV task and monitor it until it has completed. """ - root_logger.debug("Creating CLEANALLRUV task for replica id %d" % replicaId) + logger.debug("Creating CLEANALLRUV task for replica id %d", replicaId) dn = DN(('cn', 'clean %d' % replicaId), ('cn', 'cleanallruv'),('cn', 'tasks'), ('cn', 'config')) e = self.conn.make_entry( @@ -1410,7 +1419,8 @@ class ReplicationManager(object): """ Create a task to abort a CLEANALLRUV operation. """ - root_logger.debug("Creating task to abort a CLEANALLRUV operation for replica id %d" % replicaId) + logger.debug("Creating task to abort a CLEANALLRUV operation for " + "replica id %d", replicaId) dn = DN(('cn', 'abort %d' % replicaId), ('cn', 'abort cleanallruv'),('cn', 'tasks'), ('cn', 'config')) e = self.conn.make_entry( @@ -1735,7 +1745,7 @@ class CSReplicationManager(ReplicationManager): (ipautil.format_netloc(hostname, port), self.db_suffix)) self.conn.update_entry(entry) except Exception as e: - root_logger.debug("Failed to remove referral value: %s" % e) + logger.debug("Failed to remove referral value: %s", e) def has_ipaca(self): try: 
@@ -1761,14 +1771,14 @@ def get_cs_replication_manager(realm, host, dirman_passwd): # If it doesn't, raise exception. ports = [389, 7389] for port in ports: - root_logger.debug('Looking for PKI DS on %s:%s' % (host, port)) + logger.debug('Looking for PKI DS on %s:%s', host, port) replication_manager = CSReplicationManager( realm, host, dirman_passwd, port) if replication_manager.has_ipaca(): - root_logger.debug('PKI DS found on %s:%s' % (host, port)) + logger.debug('PKI DS found on %s:%s', host, port) return replication_manager else: - root_logger.debug('PKI tree not found on %s:%s' % (host, port)) + logger.debug('PKI tree not found on %s:%s', host, port) raise errors.NotFound(reason='Cannot reach PKI DS at %s on ports %s' % (host, ports)) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index dced253..16e0b69 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -5,6 +5,7 @@ from __future__ import print_function import errno +import logging import os import pickle import shutil @@ -16,7 +17,6 @@ import six from ipalib.install import certmonger, sysrestore from ipapython import ipautil -from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import ( format_netloc, ipa_generate_password, run, user_input) from ipapython.admintool import ScriptError @@ -51,6 +51,8 @@ except ImportError: NoneType = type(None) +logger = logging.getLogger(__name__) + SYSRESTORE_DIR_PATH = paths.SYSRESTORE @@ -257,9 +259,9 @@ def common_cleanup(func): try: dsinstance.remove_ds_instance(ds.serverid) except ipautil.CalledProcessError: - root_logger.error("Failed to remove DS instance. You " - "may need to remove instance data " - "manually") + logger.error("Failed to remove DS instance. You " + "may need to remove instance data " + "manually") raise ScriptError() finally: if not success and installer._installation_cleanup: 
@@ -288,7 +290,7 @@ def remove_master_from_managed_topology(api_instance, options): raise ScriptError(str(e)) except Exception as e: # if the master was already deleted we will just get a warning - root_logger.warning("Failed to delete master: {}".format(e)) + logger.warning("Failed to delete master: %s", e) @common_cleanup @@ -451,12 +453,12 @@ def install_check(installer): raise ScriptError(e) host_name = host_name.lower() - root_logger.debug("will use host_name: %s\n" % host_name) + logger.debug("will use host_name: %s\n", host_name) if not options.domain_name: domain_name = read_domain_name(host_name[host_name.find(".")+1:], not installer.interactive) - root_logger.debug("read domain_name: %s\n" % domain_name) + logger.debug("read domain_name: %s\n", domain_name) try: validate_domain_name(domain_name) except ValueError as e: @@ -468,7 +470,7 @@ def install_check(installer): if not options.realm_name: realm_name = read_realm_name(domain_name, not installer.interactive) - root_logger.debug("read realm_name: %s\n" % realm_name) + logger.debug("read realm_name: %s\n", realm_name) else: realm_name = options.realm_name.upper() 
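Review bot: The debug calls in `install_check` (hunk @@ -451,12 +453,12 @@) keep a trailing `\n` inside the format string, e.g. `logger.debug("will use host_name: %s\n", host_name)`, which adds an empty line after each record in the install log. Log handlers terminate records themselves, so the literals can drop it: `logger.debug("will use host_name: %s", host_name)`, and the same for the `domain_name` call here and the `realm_name` call in the next hunk (@@ -468,7 +470,7 @@). These values come from options or interactive input, so it is worth keeping each record on a single line. `install_check` starts and ends outside these hunks.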
@@ -1103,24 +1105,24 @@ def uninstall(installer): sysupgrade.remove_upgrade_file() if fstore.has_files(): - root_logger.error('Some files have not been restored, see ' - '%s/sysrestore.index' % SYSRESTORE_DIR_PATH) + logger.error('Some files have not been restored, see ' + '%s/sysrestore.index', SYSRESTORE_DIR_PATH) has_state = False for module in IPA_MODULES: # from installutils if sstore.has_state(module): - root_logger.error('Some installation state for %s has not been ' - 'restored, see %s/sysrestore.state' % - (module, SYSRESTORE_DIR_PATH)) + logger.error('Some installation state for %s has not been ' + 'restored, see %s/sysrestore.state', + module, SYSRESTORE_DIR_PATH) has_state = True rv = 1 if has_state: - root_logger.error('Some installation state has not been restored.\n' - 'This may cause re-installation to fail.\n' - 'It should be safe to remove %s/sysrestore.state ' - 'but it may\n' - 'mean your system hasn\'t be restored to its ' - 'pre-installation state.' % SYSRESTORE_DIR_PATH) + logger.error('Some installation state has not been restored.\n' + 'This may cause re-installation to fail.\n' + 'It should be safe to remove %s/sysrestore.state ' + 'but it may\n' + 'mean your system hasn\'t be restored to its ' + 'pre-installation state.', SYSRESTORE_DIR_PATH) # Note that this name will be wrong after the first uninstall. dirname = dsinstance.config_dirname( 
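Review bot: The multi-line error message in the `if has_state:` branch carries a typo through the rewrite: `'mean your system hasn\'t be restored to its '` should read `'mean your system hasn\'t been restored to its '`. The text is shown to the administrator after an uninstall that left state behind, so it is worth correcting while the lines are being touched. `uninstall()` starts and ends outside this hunk.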
@@ -1128,23 +1130,23 @@ def uninstall(installer): dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR] ids = certmonger.check_state(dirs) if ids: - root_logger.error('Some certificates may still be tracked by ' - 'certmonger.\n' - 'This will cause re-installation to fail.\n' - 'Start the certmonger service and list the ' - 'certificates being tracked\n' - ' # getcert list\n' - 'These may be untracked by executing\n' - ' # getcert stop-tracking -i \n' - 'for each id in: %s' % ', '.join(ids)) + logger.error('Some certificates may still be tracked by ' + 'certmonger.\n' + 'This will cause re-installation to fail.\n' + 'Start the certmonger service and list the ' + 'certificates being tracked\n' + ' # getcert list\n' + 'These may be untracked by executing\n' + ' # getcert stop-tracking -i \n' + 'for each id in: %s', ', '.join(ids)) # Remove the cert renewal lock file try: os.remove(paths.IPA_RENEWAL_LOCK) except OSError as e: if e.errno != errno.ENOENT: - root_logger.warning("Failed to remove file %s: %s", - paths.IPA_RENEWAL_LOCK, e) + logger.warning("Failed to remove file %s: %s", + paths.IPA_RENEWAL_LOCK, e) print("Removing IPA client configuration") try: diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 4f28de2..72568b8 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -5,6 +5,8 @@ from __future__ import print_function import contextlib +import logging + import dns.exception as dnsexception import dns.name as dnsname import dns.resolver as dnsresolver @@ -25,7 +27,6 @@ from ipalib.install.kinit import kinit_keytab from ipapython import ipaldap, ipautil from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger from ipapython.admintool import ScriptError from ipaplatform import services from ipaplatform.tasks import tasks 
@@ -50,6 +51,8 @@ if six.PY3: NoneType = type(None) +logger = logging.getLogger(__name__) + def get_dirman_password(): return installutils.read_password("Directory Manager (existing master)", @@ -185,13 +188,13 @@ def install_dns_records(config, options, remote_api): config.domain_name, reverse_zone) except errors.NotFound as e: - root_logger.debug('Replica DNS records could not be added ' - 'on master: %s', str(e)) + logger.debug('Replica DNS records could not be added ' + 'on master: %s', str(e)) # we should not fail here no matter what except Exception as e: - root_logger.info('Replica DNS records could not be added ' - 'on master: %s', str(e)) + logger.info('Replica DNS records could not be added ' + 'on master: %s', str(e)) def create_ipa_conf(fstore, config, ca_enabled): @@ -270,14 +273,14 @@ def check_dns_resolution(host_name, dns_servers): else: break if not server_ips: - root_logger.error( + logger.error( 'Could not resolve any DNS server hostname: %s', dns_servers) return False resolver = dnsresolver.Resolver() resolver.nameservers = server_ips - root_logger.debug('Search DNS server %s (%s) for %s', - dns_server, server_ips, host_name) + logger.debug('Search DNS server %s (%s) for %s', + dns_server, server_ips, host_name) # Get IP addresses of host_name addresses = set() @@ -292,7 +295,7 @@ def check_dns_resolution(host_name, dns_servers): addresses.update(r.address for r in result.rrset) if not addresses: - root_logger.error( + logger.error( 'Could not resolve hostname %s using DNS. ' 'Clients may not function properly. ' 'Please check your DNS setup. ' 
@@ -310,13 +313,12 @@ def check_dns_resolution(host_name, dns_servers): continue checked.add(address) try: - root_logger.debug('Check reverse address %s (%s)', - address, host_name) + logger.debug('Check reverse address %s (%s)', address, host_name) revname = dnsreversename.from_address(address) rrset = resolver.query(revname, 'PTR').rrset except Exception as e: - root_logger.debug('Check failed: %s %s', type(e).__name__, e) - root_logger.error( + logger.debug('Check failed: %s %s', type(e).__name__, e) + logger.error( 'Reverse DNS resolution of address %s (%s) failed. ' 'Clients may not function properly. ' 'Please check your DNS setup. ' @@ -330,11 +332,11 @@ def check_dns_resolution(host_name, dns_servers): names = [r.target.to_text() for r in rrset] else: names = [] - root_logger.debug( + logger.debug( 'Address %s resolves to: %s. ', address, ', '.join(names)) if not rrset or not any( r.target == host_name_obj for r in rrset): - root_logger.error( + logger.error( 'The IP address %s of host %s resolves to: %s. ' 'Clients may not function properly. ' 'Please check your DNS setup. ' @@ -455,7 +457,7 @@ def promote_sssd(host_name): try: sssd.restart() except CalledProcessError: - root_logger.warning("SSSD service restart was unsuccessful.") + logger.warning("SSSD service restart was unsuccessful.") def promote_openldap_conf(hostname, master): @@ -497,7 +499,7 @@ def promote_openldap_conf(hostname, master): ldap_change_conf.newConf(ldap_conf, new_opts) ldap_change_conf.changeConf(ldap_conf, change_opts) except Exception as e: - root_logger.info("Failed to update {}: {}".format(ldap_conf, e)) + logger.info("Failed to update %s: %s", ldap_conf, e) @contextlib.contextmanager @@ -610,7 +612,7 @@ def check_domain_level_is_supported(current): "raised before installing a replica with " "this version is allowed to be installed " "within this domain.") - root_logger.error(message) + logger.error("%s", message) raise ScriptError(message, rval=3) 
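Review bot: In promote_openldap_conf (the hunk at -497) a failed update of `ldap_conf` is caught by a broad `except Exception` and reported only at INFO level, while the comparable failure in promote_sssd just above uses `logger.warning`. A configuration file that silently kept its old content is easy to miss at INFO; `logger.warning("Failed to update %s: %s", ldap_conf, e)` would make the two handlers consistent. If swallowing the error is a deliberate best-effort choice, a short comment saying so would help; the function starts outside the hunk, so that intent is not visible here.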
@@ -622,7 +624,7 @@ def enroll_dl0_replica(installer, fstore, remote_api, debug=False): * configure client-like /etc/krb5.conf to enable GSSAPI auth further down the replica installation """ - root_logger.info("Enrolling host to IPA domain") + logger.info("Enrolling host to IPA domain") config = installer._config hostname = config.host_name @@ -749,7 +751,7 @@ def install_check(installer): "Could not find a suitable server cert in import in %s" % pkcs12_info[0]) except Exception as e: - root_logger.error('%s', e) + logger.error('%s', e) raise RuntimeError( "Server cert is not valid. Please run ipa-replica-prepare to " "create a new replica file.") @@ -777,8 +779,8 @@ def install_check(installer): # Check that we don't already have a replication agreement if replman.get_replication_agreement(config.host_name): - root_logger.info('Error: A replication agreement for this ' - 'host already exists.') + logger.info('Error: A replication agreement for this ' + 'host already exists.') msg = ("A replication agreement for this host already exists. " "It needs to be removed.\n" "Run this on the master that generated the info file:\n" @@ -802,8 +804,8 @@ def install_check(installer): except errors.NotFound: pass else: - root_logger.info('Error: Host %s already exists on the master ' - 'server.' % config.host_name) + logger.info('Error: Host %s already exists on the master ' + 'server.', config.host_name) msg = ("The host %s already exists on the master server.\n" "You should remove it before proceeding:\n" " %% ipa host-del %s" % @@ -814,7 +816,7 @@ def install_check(installer): if dns_masters: if not options.no_host_dns: master = config.master_host_name - root_logger.debug('Check forward/reverse DNS resolution') + logger.debug('Check forward/reverse DNS resolution') resolution_ok = ( check_dns_resolution(master, dns_masters) and check_dns_resolution(config.host_name, dns_masters)) 
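Review bot: Two messages in install_check (hunks at -777 and -802) are emitted with `logger.info` although their text starts with `Error:` and both are followed by what looks like an abort path. With module-level loggers the level is the only reliable severity signal for filtering, so these should be `logger.error('A replication agreement for this host already exists.')` and `logger.error('Host %s already exists on the master server.', config.host_name)`, dropping the textual prefix. install_check extends beyond both hunks, so the abort itself is inferred from the surrounding `msg` construction rather than seen.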
@@ -822,8 +824,8 @@ def install_check(installer): if not ipautil.user_input("Continue?", False): raise ScriptError(rval=0) else: - root_logger.debug('No IPA DNS servers, ' - 'skipping forward/reverse resolution check') + logger.debug('No IPA DNS servers, ' + 'skipping forward/reverse resolution check') kra_enabled = remote_api.Command.kra_is_enabled()['result'] @@ -949,7 +951,7 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn): raise RuntimeError('IPA domain not found in LDAP.') if len(entry['associatedDomain']) > 1: - root_logger.critical( + logger.critical( "Multiple IPA domains found. We are so sorry :-(, you are " "probably experiencing this bug " "https://fedorahosted.org/freeipa/ticket/5976. Please contact us " @@ -1200,13 +1202,13 @@ def promote_check(installer): "Upgrade the peer master or use the ipa-replica-prepare " "command on the master and use a prep file to install " "this replica.") - root_logger.error(msg) + logger.error("%s", msg) raise ScriptError(rval=3) dns_masters = remote_api.Object['dnsrecord'].get_dns_masters() if dns_masters: if not options.no_host_dns: - root_logger.debug('Check forward/reverse DNS resolution') + logger.debug('Check forward/reverse DNS resolution') resolution_ok = ( check_dns_resolution(config.master_host_name, dns_masters) and @@ -1215,8 +1217,8 @@ def promote_check(installer): if not ipautil.user_input("Continue?", False): raise ScriptError(rval=0) else: - root_logger.debug('No IPA DNS servers, ' - 'skipping forward/reverse resolution check') + logger.debug('No IPA DNS servers, ' + 'skipping forward/reverse resolution check') entry_attrs = conn.get_ipa_config() subject_base = entry_attrs.get('ipacertificatesubjectbase', [None])[0] 
@@ -1230,20 +1232,20 @@ def promote_check(installer): config.ca_host_name = ca_host ca_enabled = True if options.dirsrv_cert_files: - root_logger.error("Certificates could not be provided when " - "CA is present on some master.") + logger.error("Certificates could not be provided when " + "CA is present on some master.") raise ScriptError(rval=3) else: if options.setup_ca: - root_logger.error("The remote master does not have a CA " - "installed, can't set up CA") + logger.error("The remote master does not have a CA " + "installed, can't set up CA") raise ScriptError(rval=3) ca_enabled = False if not options.dirsrv_cert_files: - root_logger.error("Cannot issue certificates: a CA is not " - "installed. Use the --http-cert-file, " - "--dirsrv-cert-file options to provide " - "custom certificates.") + logger.error("Cannot issue certificates: a CA is not " + "installed. Use the --http-cert-file, " + "--dirsrv-cert-file options to provide " + "custom certificates.") raise ScriptError(rval=3) kra_host = service.find_providing_server( @@ -1253,8 +1255,8 @@ def promote_check(installer): kra_enabled = True else: if options.setup_kra: - root_logger.error("There is no KRA server in the domain, " - "can't setup a KRA clone") + logger.error("There is no KRA server in the domain, " + "can't setup a KRA clone") raise ScriptError(rval=3) kra_enabled = False @@ -1285,14 +1287,14 @@ def promote_check(installer): adtrust.install_check(False, options, remote_api) except errors.ACIError: - root_logger.debug(traceback.format_exc()) + logger.debug("%s", traceback.format_exc()) raise ScriptError("\nInsufficient privileges to promote the server." "\nPossible issues:" "\n- A user has insufficient privileges" "\n- This client has insufficient privileges " "to become an IPA replica") except errors.LDAPError: - root_logger.debug(traceback.format_exc()) + logger.debug("%s", traceback.format_exc()) raise ScriptError("\nUnable to connect to LDAP server %s" % config.master_host_name) finally: 
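Review bot: In the hunk at -1285 both exception handlers log `traceback.format_exc()` through a bare `"%s"` format, which builds the traceback string even when debug logging is off and leaves the record without a message of its own. The logging module can attach the active exception itself: `logger.debug("promotion check failed", exc_info=True)` (message wording is only a suggestion). That keeps the traceback in the record's exception field, where formatters and handlers expect it. promote_check starts well before this hunk and its `finally:` body continues after it.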
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 6b34d0c..4eb2c9e 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -4,6 +4,7 @@ from __future__ import print_function +import logging import re import os import shutil @@ -32,7 +33,6 @@ from ipaclient.install.client import sssd_enable_service from ipaplatform import services from ipaplatform.tasks import tasks from ipapython import ipautil, version, certdb -from ipapython.ipa_log_manager import root_logger from ipapython import dnsutil from ipapython.dn import DN from ipaplatform.constants import constants @@ -59,6 +59,8 @@ from ipaserver.install.ldapupdate import BadSyntax if six.PY3: unicode = str +logger = logging.getLogger(__name__) + class KpasswdInstance(service.SimpleServiceInstance): def __init__(self): 
@@ -168,29 +170,30 @@ def upgrade_file(sub_dict, filename, template, add=False): new = int(find_version(template)) if old < 0 and not add: - root_logger.error("%s not found." % filename) + logger.error("%s not found.", filename) raise RuntimeError("%s not found." % filename) if new < 0: - root_logger.error("%s not found." % template) + logger.error("%s not found.", template) if new == 0: - root_logger.error("Template %s is not versioned." % template) + logger.error("Template %s is not versioned.", template) if old == 0: # The original file does not have a VERSION entry. This means it's now # managed by IPA, but previously was not. - root_logger.warning("%s is now managed by IPA. It will be " - "overwritten. A backup of the original will be made.", filename) + logger.warning("%s is now managed by IPA. It will be " + "overwritten. A backup of the original will be made.", + filename) if old < new or (add and old == 0): backup_file(filename, new) update_conf(sub_dict, filename, template) - root_logger.info("Upgraded %s to version %d", filename, new) + logger.info("Upgraded %s to version %d", filename, new) def check_certs(): """Check ca.crt is in the right place, and try to fix if not""" - root_logger.info('[Verifying that root certificate is published]') + logger.info('[Verifying that root certificate is published]') if not os.path.exists(paths.CA_CRT): ca_file = paths.IPA_CA_CRT if os.path.exists(ca_file): @@ -200,10 +203,11 @@ def check_certs(): finally: os.umask(old_umask) else: - root_logger.error("Missing Certification Authority file.") - root_logger.error("You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt") + logger.error("Missing Certification Authority file.") + logger.error("You should place a copy of the CA certificate in " + "/usr/share/ipa/html/ca.crt") else: - root_logger.debug('Certificate file exists') + logger.debug('Certificate file exists') def upgrade_pki(ca, fstore): """ 
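Review bot: In upgrade_file, `old < 0` logs and raises, but `new < 0` (logged as the template not being found) and `new == 0` (template not versioned) only log and fall through to the `old < new or (add and old == 0)` test. With `add` set and `old == 0` that still reaches `backup_file` and `update_conf` with a template that was just reported missing. If that is not intended, mirror the first branch with `raise RuntimeError("%s not found." % template)` after the log call; if it is intended, a comment explaining why the upgrade may continue would help. The start of the function, including how `old` is computed, is outside the hunk.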
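Review bot: The re-wrapped message in check_certs hard-codes `/usr/share/ipa/html/ca.crt`, while the check that leads to it tests `paths.CA_CRT`. If the platform path ever differs from the literal, the log will send the administrator to the wrong location for the CA certificate. Assuming `paths.CA_CRT` is the file meant here, `logger.error("You should place a copy of the CA certificate in %s", paths.CA_CRT)` keeps the message and the check in step.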
@@ -212,15 +216,15 @@ def upgrade_pki(ca, fstore): This requires enabling SSL renegotiation. """ - root_logger.info('[Verifying that CA proxy configuration is correct]') + logger.info('[Verifying that CA proxy configuration is correct]') if not ca.is_configured(): - root_logger.info('CA is not configured') + logger.info('CA is not configured') return http = httpinstance.HTTPInstance(fstore) http.enable_mod_nss_renegotiate() - root_logger.debug('Proxy configuration up-to-date') + logger.debug('Proxy configuration up-to-date') def update_dbmodules(realm, filename=paths.KRB5_CONF): newfile = [] @@ -228,14 +232,14 @@ def update_dbmodules(realm, filename=paths.KRB5_CONF): found_realm = False prefix = '' - root_logger.info('[Verifying that KDC configuration is using ipa-kdb backend]') + logger.info('[Verifying that KDC configuration is using ipa-kdb backend]') fd = open(filename) lines = fd.readlines() fd.close() if ' db_library = ipadb.so\n' in lines: - root_logger.debug('dbmodules already updated in %s', filename) + logger.debug('dbmodules already updated in %s', filename) return for line in lines: 
@@ -261,33 +265,33 @@ def update_dbmodules(realm, filename=paths.KRB5_CONF): fd = open(filename, 'w') fd.write("".join(newfile)) fd.close() - root_logger.debug('%s updated', filename) + logger.debug('%s updated', filename) def cleanup_kdc(fstore): """ Clean up old KDC files if they exist. We need to remove the actual file and any references in the uninstall configuration. """ - root_logger.info('[Checking for deprecated KDC configuration files]') + logger.info('[Checking for deprecated KDC configuration files]') for file in ['kpasswd.keytab', 'ldappwd']: filename = os.path.join(paths.VAR_KERBEROS_KRB5KDC_DIR, file) installutils.remove_file(filename) if fstore.has_file(filename): fstore.untrack_file(filename) - root_logger.debug('Uninstalling %s', filename) + logger.debug('Uninstalling %s', filename) def cleanup_adtrust(fstore): """ Clean up any old Samba backup files that were deprecated. """ - root_logger.info('[Checking for deprecated backups of Samba ' - 'configuration files]') + logger.info('[Checking for deprecated backups of Samba ' + 'configuration files]') for backed_up_file in [paths.SMB_CONF]: if fstore.has_file(backed_up_file): fstore.untrack_file(backed_up_file) - root_logger.debug('Removing %s from backup', backed_up_file) + logger.debug('Removing %s from backup', backed_up_file) def cleanup_dogtag(): @@ -302,9 +306,9 @@ def cleanup_dogtag(): subsystems.append('KRA') for system in subsystems: - root_logger.debug( - "Cleaning up after pkispawn for the {sub} subsystem" - .format(sub=system)) + logger.debug( + "Cleaning up after pkispawn for the %s subsystem", + system) instance = dogtaginstance.DogtagInstance( api.env.realm, system, service_desc=None, ) 
@@ -319,8 +323,8 @@ def upgrade_adtrust_config(): if not adtrustinstance.ipa_smb_conf_exists(): return - root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' " - "in Samba configuration]") + logger.info("[Remove FILE: prefix from 'dedicated keytab file' " + "in Samba configuration]") args = [paths.NET, "conf", "setparm", "global", "dedicated keytab file", paths.SAMBA_KEYTAB] @@ -328,33 +332,33 @@ def upgrade_adtrust_config(): try: ipautil.run(args) except ipautil.CalledProcessError as e: - root_logger.warning("Error updating Samba registry: %s", e) + logger.warning("Error updating Samba registry: %s", e) def ca_configure_profiles_acl(ca): - root_logger.info('[Authorizing RA Agent to modify profiles]') + logger.info('[Authorizing RA Agent to modify profiles]') if not ca.is_configured(): - root_logger.info('CA is not configured') + logger.info('CA is not configured') return False return cainstance.configure_profiles_acl() def ca_configure_lightweight_ca_acls(ca): - root_logger.info('[Authorizing RA Agent to manage lightweight CAs]') + logger.info('[Authorizing RA Agent to manage lightweight CAs]') if not ca.is_configured(): - root_logger.info('CA is not configured') + logger.info('CA is not configured') return False return cainstance.configure_lightweight_ca_acls() def ca_enable_ldap_profile_subsystem(ca): - root_logger.info('[Ensuring CA is using LDAPProfileSubsystem]') + logger.info('[Ensuring CA is using LDAPProfileSubsystem]') if not ca.is_configured(): - root_logger.info('CA is not configured') + logger.info('CA is not configured') return False needs_update = False @@ -370,8 +374,8 @@ def ca_enable_ldap_profile_subsystem(ca): needs_update = True break except OSError as e: - root_logger.error('Cannot read CA configuration file "%s": %s', - paths.CA_CS_CFG_PATH, e) + logger.error('Cannot read CA configuration file "%s": %s', + paths.CA_CS_CFG_PATH, e) return False if needs_update: 
@@ -384,36 +388,37 @@ def ca_enable_ldap_profile_subsystem(ca): ca.restart('pki-tomcat') - root_logger.info('[Migrating certificate profiles to LDAP]') + logger.info('[Migrating certificate profiles to LDAP]') cainstance.migrate_profiles_to_ldap() return needs_update def ca_import_included_profiles(ca): - root_logger.info('[Ensuring presence of included profiles]') + logger.info('[Ensuring presence of included profiles]') if not ca.is_configured(): - root_logger.info('CA is not configured') + logger.info('CA is not configured') return False return cainstance.import_included_profiles() def ca_ensure_lightweight_cas_container(ca): - root_logger.info('[Ensuring Lightweight CAs container exists in Dogtag database]') + logger.info('[Ensuring Lightweight CAs container exists in Dogtag ' + 'database]') if not ca.is_configured(): - root_logger.info('CA is not configured') + logger.info('CA is not configured') return False return cainstance.ensure_lightweight_cas_container() def ca_add_default_ocsp_uri(ca): - root_logger.info('[Adding default OCSP URI configuration]') + logger.info('[Adding default OCSP URI configuration]') if not ca.is_configured(): - root_logger.info('CA is not configured') + logger.info('CA is not configured') return False value = installutils.get_directive( @@ -438,11 +443,11 @@ def upgrade_ca_audit_cert_validity(ca): Returns True if restart is needed, False otherwise. """ - root_logger.info('[Verifying that CA audit signing cert has 2 year validity]') + logger.info('[Verifying that CA audit signing cert has 2 year validity]') if ca.is_configured(): return ca.set_audit_renewal() else: - root_logger.info('CA is not configured') + logger.info('CA is not configured') return False 
@@ -457,11 +462,11 @@ def named_remove_deprecated_options(): When some change in named.conf is done, this functions returns True. """ - root_logger.info('[Removing deprecated DNS configuration options]') + logger.info('[Removing deprecated DNS configuration options]') if not bindinstance.named_conf_exists(): # DNS service may not be configured - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') return False deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl', @@ -478,16 +483,16 @@ def named_remove_deprecated_options(): removed_options.append(option) except IOError as e: - root_logger.error('Cannot modify DNS configuration in %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot modify DNS configuration in %s: %s', + bindinstance.NAMED_CONF, e) # Log only the changed options if not removed_options: - root_logger.debug('No changes made') + logger.debug('No changes made') return False - root_logger.debug('The following configuration options have been removed: ' - '{options}'.format(options = ', '.join(removed_options))) + logger.debug('The following configuration options have been removed: %s', + ', '.join(removed_options)) return True @@ -500,11 +505,11 @@ def named_set_minimum_connections(): changed = False - root_logger.info('[Ensuring minimal number of connections]') + logger.info('[Ensuring minimal number of connections]') if not bindinstance.named_conf_exists(): # DNS service may not be configured - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') return changed # make sure number of connections is right @@ -513,8 +518,8 @@ def named_set_minimum_connections(): try: connections = bindinstance.named_conf_get_directive('connections') except IOError as e: - root_logger.debug('Cannot retrieve connections option from %s: %s', - bindinstance.NAMED_CONF, e) + logger.debug('Cannot retrieve connections option from %s: %s', + bindinstance.NAMED_CONF, e) return changed try: 
@@ -529,15 +534,15 @@ def named_set_minimum_connections(): try: bindinstance.named_conf_set_directive('connections', minimum_connections) - root_logger.debug('Connections set to %d', minimum_connections) + logger.debug('Connections set to %d', minimum_connections) except IOError as e: - root_logger.error('Cannot update connections in %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot update connections in %s: %s', + bindinstance.NAMED_CONF, e) else: changed = True if not changed: - root_logger.debug('No changes made') + logger.debug('No changes made') return changed @@ -551,27 +556,27 @@ def named_update_gssapi_configuration(): When some change in named.conf is done, this functions returns True """ - root_logger.info('[Updating GSSAPI configuration in DNS]') + logger.info('[Updating GSSAPI configuration in DNS]') if not bindinstance.named_conf_exists(): # DNS service may not be configured - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') return False if sysupgrade.get_upgrade_state('named.conf', 'gssapi_updated'): - root_logger.debug('Skip GSSAPI configuration check') + logger.debug('Skip GSSAPI configuration check') return False try: gssapi_keytab = bindinstance.named_conf_get_directive('tkey-gssapi-keytab', bindinstance.NAMED_SECTION_OPTIONS) except IOError as e: - root_logger.error('Cannot retrieve tkey-gssapi-keytab option from %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot retrieve tkey-gssapi-keytab option from %s: %s', + bindinstance.NAMED_CONF, e) return False else: if gssapi_keytab: - root_logger.debug('GSSAPI configuration already updated') + logger.debug('GSSAPI configuration already updated') sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True) return False 
@@ -581,13 +586,14 @@ def named_update_gssapi_configuration(): tkey_domain = bindinstance.named_conf_get_directive('tkey-domain', bindinstance.NAMED_SECTION_OPTIONS) except IOError as e: - root_logger.error('Cannot retrieve tkey-gssapi-credential option from %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot retrieve tkey-gssapi-credential option from %s: ' + '%s', + bindinstance.NAMED_CONF, e) return False if not tkey_credential or not tkey_domain: - root_logger.error('Either tkey-gssapi-credential or tkey-domain is missing in %s. ' - 'Skip update.', bindinstance.NAMED_CONF) + logger.error('Either tkey-gssapi-credential or tkey-domain is missing ' + 'in %s. Skip update.', bindinstance.NAMED_CONF) return False try: @@ -601,11 +607,11 @@ def named_update_gssapi_configuration(): 'tkey-gssapi-keytab', paths.NAMED_KEYTAB, bindinstance.NAMED_SECTION_OPTIONS) except IOError as e: - root_logger.error('Cannot update GSSAPI configuration in %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot update GSSAPI configuration in %s: %s', + bindinstance.NAMED_CONF, e) return False else: - root_logger.debug('GSSAPI configuration updated') + logger.debug('GSSAPI configuration updated') sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True) return True 
@@ -615,27 +621,27 @@ def named_update_pid_file(): """ Make sure that named reads the pid file from the right file """ - root_logger.info('[Updating pid-file configuration in DNS]') + logger.info('[Updating pid-file configuration in DNS]') if not bindinstance.named_conf_exists(): # DNS service may not be configured - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') return False if sysupgrade.get_upgrade_state('named.conf', 'pid-file_updated'): - root_logger.debug('Skip pid-file configuration check') + logger.debug('Skip pid-file configuration check') return False try: pid_file = bindinstance.named_conf_get_directive('pid-file', bindinstance.NAMED_SECTION_OPTIONS) except IOError as e: - root_logger.error('Cannot retrieve pid-file option from %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot retrieve pid-file option from %s: %s', + bindinstance.NAMED_CONF, e) return False else: if pid_file: - root_logger.debug('pid-file configuration already updated') + logger.debug('pid-file configuration already updated') sysupgrade.set_upgrade_state('named.conf', 'pid-file_updated', True) return False @@ -643,11 +649,11 @@ def named_update_pid_file(): bindinstance.named_conf_set_directive('pid-file', paths.NAMED_PID, bindinstance.NAMED_SECTION_OPTIONS) except IOError as e: - root_logger.error('Cannot update pid-file configuration in %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot update pid-file configuration in %s: %s', + bindinstance.NAMED_CONF, e) return False else: - root_logger.debug('pid-file configuration updated') + logger.debug('pid-file configuration updated') sysupgrade.set_upgrade_state('named.conf', 'pid-file_updated', True) return True 
@@ -658,21 +664,21 @@ def named_enable_dnssec(): """ if not bindinstance.named_conf_exists(): # DNS service may not be configured - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') return False if not sysupgrade.get_upgrade_state('named.conf', 'dnssec_enabled'): - root_logger.info('[Enabling "dnssec-enable" configuration in DNS]') + logger.info('[Enabling "dnssec-enable" configuration in DNS]') try: bindinstance.named_conf_set_directive('dnssec-enable', 'yes', bindinstance.NAMED_SECTION_OPTIONS, str_val=False) except IOError as e: - root_logger.error('Cannot update dnssec-enable configuration in %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot update dnssec-enable configuration in %s: %s', + bindinstance.NAMED_CONF, e) return False else: - root_logger.debug('dnssec-enabled in %s' % bindinstance.NAMED_CONF) + logger.debug('dnssec-enabled in %s', bindinstance.NAMED_CONF) sysupgrade.set_upgrade_state('named.conf', 'dnssec_enabled', True) return True @@ -686,7 +692,7 @@ def named_validate_dnssec(): """ if not bindinstance.named_conf_exists(): # DNS service may not be configured - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') return False if (not sysupgrade.get_upgrade_state('named.conf', 'dnssec_validation_upgraded') 
@@ -694,17 +700,19 @@ def named_validate_dnssec(): 'dnssec-validation', bindinstance.NAMED_SECTION_OPTIONS, str_val=False) is None): # dnssec-validation is not configured, disable it - root_logger.info('[Disabling "dnssec-validate" configuration in DNS]') + logger.info('[Disabling "dnssec-validate" configuration in DNS]') try: bindinstance.named_conf_set_directive('dnssec-validation', 'no', bindinstance.NAMED_SECTION_OPTIONS, str_val=False) except IOError as e: - root_logger.error('Cannot update dnssec-validate configuration in %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot update dnssec-validate configuration in %s: ' + '%s', + bindinstance.NAMED_CONF, e) return False else: - root_logger.debug('dnssec-validate already configured in %s' % bindinstance.NAMED_CONF) + logger.debug('dnssec-validate already configured in %s', + bindinstance.NAMED_CONF) sysupgrade.set_upgrade_state('named.conf', 'dnssec_validation_upgraded', True) return True 
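Review bot: All three log messages in this hunk call the option `dnssec-validate`, but the directive that is read and written is `dnssec-validation`. Turning DNSSEC validation off is a security-relevant configuration change, and someone searching the upgrade log for the real directive name will not find these records. Suggest using the directive name verbatim, e.g. `logger.info('[Disabling "dnssec-validation" configuration in DNS]')`, and likewise in the error and debug messages. The function's opening lines are in the previous hunk.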
@@ -715,34 +723,34 @@ def named_bindkey_file_option(): """ if not bindinstance.named_conf_exists(): # DNS service may not be configured - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') return False if sysupgrade.get_upgrade_state('named.conf', 'bindkey-file_updated'): - root_logger.debug('Skip bindkey-file configuration check') + logger.debug('Skip bindkey-file configuration check') return False try: bindkey_file = bindinstance.named_conf_get_directive('bindkey-file', bindinstance.NAMED_SECTION_OPTIONS) except IOError as e: - root_logger.error('Cannot retrieve bindkey-file option from %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot retrieve bindkey-file option from %s: %s', + bindinstance.NAMED_CONF, e) return False else: if bindkey_file: - root_logger.debug('bindkey-file configuration already updated') + logger.debug('bindkey-file configuration already updated') sysupgrade.set_upgrade_state('named.conf', 'bindkey-file_updated', True) return False - root_logger.info('[Setting "bindkeys-file" option in named.conf]') + logger.info('[Setting "bindkeys-file" option in named.conf]') try: bindinstance.named_conf_set_directive('bindkeys-file', paths.NAMED_BINDKEYS_FILE, bindinstance.NAMED_SECTION_OPTIONS) except IOError as e: - root_logger.error('Cannot update bindkeys-file configuration in %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot update bindkeys-file configuration in %s: %s', + bindinstance.NAMED_CONF, e) return False 
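Review bot: named_bindkey_file_option reads the directive `bindkey-file` to decide whether the option is already configured, but the directive it then writes is `bindkeys-file`; the log messages use both spellings too. If the read name is a typo, the "already updated" branch presumably never matches what this function itself wrote, so the check is ineffective; worth confirming and aligning the read: `bindinstance.named_conf_get_directive('bindkeys-file', bindinstance.NAMED_SECTION_OPTIONS)`. The upgrade-state key `bindkey-file_updated` should stay unchanged so state recorded by earlier runs is still recognised. The function continues past the end of this hunk.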
@@ -755,34 +763,37 @@ def named_managed_keys_dir_option(): """ if not bindinstance.named_conf_exists(): # DNS service may not be configured - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') return False if sysupgrade.get_upgrade_state('named.conf', 'managed-keys-directory_updated'): - root_logger.debug('Skip managed-keys-directory configuration check') + logger.debug('Skip managed-keys-directory configuration check') return False try: managed_keys = bindinstance.named_conf_get_directive('managed-keys-directory', bindinstance.NAMED_SECTION_OPTIONS) except IOError as e: - root_logger.error('Cannot retrieve managed-keys-directory option from %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot retrieve managed-keys-directory option from %s: ' + '%s', + bindinstance.NAMED_CONF, e) return False else: if managed_keys: - root_logger.debug('managed_keys_directory configuration already updated') + logger.debug('managed_keys_directory configuration already ' + 'updated') sysupgrade.set_upgrade_state('named.conf', 'managed-keys-directory_updated', True) return False - root_logger.info('[Setting "managed-keys-directory" option in named.conf]') + logger.info('[Setting "managed-keys-directory" option in named.conf]') try: bindinstance.named_conf_set_directive('managed-keys-directory', paths.NAMED_MANAGED_KEYS_DIR, bindinstance.NAMED_SECTION_OPTIONS) except IOError as e: - root_logger.error('Cannot update managed-keys-directory configuration in %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot update managed-keys-directory configuration in ' + '%s: %s', + bindinstance.NAMED_CONF, e) return False 
@@ -795,31 +806,31 @@ def named_root_key_include(): """ if not bindinstance.named_conf_exists(): # DNS service may not be configured - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') return False if sysupgrade.get_upgrade_state('named.conf', 'root_key_updated'): - root_logger.debug('Skip root key configuration check') + logger.debug('Skip root key configuration check') return False try: root_key = bindinstance.named_conf_include_exists(paths.NAMED_ROOT_KEY) except IOError as e: - root_logger.error('Cannot check root key include in %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot check root key include in %s: %s', + bindinstance.NAMED_CONF, e) return False else: if root_key: - root_logger.debug('root keys configuration already updated') + logger.debug('root keys configuration already updated') sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True) return False - root_logger.info('[Including named root key in named.conf]') + logger.info('[Including named root key in named.conf]') try: bindinstance.named_conf_add_include(paths.NAMED_ROOT_KEY) except IOError as e: - root_logger.error('Cannot update named root key include in %s: %s', - bindinstance.NAMED_CONF, e) + logger.error('Cannot update named root key include in %s: %s', + bindinstance.NAMED_CONF, e) return False @@ -831,11 +842,11 @@ def named_update_global_forwarder_policy(): bind = bindinstance.BindInstance() if not bindinstance.named_conf_exists() or not bind.is_configured(): # DNS service may not be configured - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') return False - root_logger.info('[Checking global forwarding policy in named.conf ' - 'to avoid conflicts with automatic empty zones]') + logger.info('[Checking global forwarding policy in named.conf ' + 'to avoid conflicts with automatic empty zones]') if sysupgrade.get_upgrade_state( 'named.conf', 'forward_policy_conflict_with_empty_zones_handled' ): 
@@ -853,7 +864,7 @@ def named_update_global_forwarder_policy(): # ranges so hopefully automatic empty zones are not a problem return False except dns.exception.DNSException as ex: - root_logger.error( + logger.error( 'Skipping update of global DNS forwarder in named.conf: ' 'Unable to determine if local server is using an ' 'IP address belonging to an automatic empty zone. ' @@ -868,9 +879,9 @@ def named_update_global_forwarder_policy(): ) == 'only': return False - root_logger.info('Global forward policy in named.conf will ' - 'be changed to "only" to avoid conflicts with ' - 'automatic empty zones') + logger.info('Global forward policy in named.conf will ' + 'be changed to "only" to avoid conflicts with ' + 'automatic empty zones') bindinstance.named_conf_set_directive( 'forward', 'only', @@ -889,14 +900,14 @@ def named_add_server_id(): bind = bindinstance.BindInstance() if not bindinstance.named_conf_exists() or not bind.is_configured(): # DNS service may not be configured - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') return False if sysupgrade.get_upgrade_state('named.conf', 'add_server_id'): # upgrade was done already return False - root_logger.info('[Adding server_id to named.conf]') + logger.info('[Adding server_id to named.conf]') bindinstance.named_conf_set_directive('server_id', api.env.host) sysupgrade.set_upgrade_state('named.conf', 'add_server_id', True) return True @@ -974,9 +985,9 @@ def certificate_renewal_update(ca, ds, http): } ] - root_logger.info("[Update certmonger certificate renewal configuration]") + logger.info("[Update certmonger certificate renewal configuration]") if not ca.is_configured(): - root_logger.info('CA is not configured') + logger.info('CA is not configured') return False db = certs.CertDB(api.env.realm, paths.PKI_TOMCAT_ALIAS_DIR) 
@@ -1011,7 +1022,7 @@ def certificate_renewal_update(ca, ds, http): filename = paths.CERTMONGER_CAS_CA_RENEWAL if os.path.exists(filename): with installutils.stopped_service('certmonger'): - root_logger.info("Removing %s" % filename) + logger.info("Removing %s", filename) installutils.remove_file(filename) ca.configure_certmonger_renewal() @@ -1022,7 +1033,7 @@ def certificate_renewal_update(ca, ds, http): ds.start_tracking_certificates(serverid) http.start_tracking_certificates() - root_logger.info("Certmonger certificate renewal configuration updated") + logger.info("Certmonger certificate renewal configuration updated") return True def copy_crl_file(old_path, new_path=None): @@ -1032,14 +1043,14 @@ def copy_crl_file(old_path, new_path=None): if new_path is None: filename = os.path.basename(old_path) new_path = os.path.join(paths.PKI_CA_PUBLISH_DIR, filename) - root_logger.debug('copy_crl_file: %s -> %s', old_path, new_path) + logger.debug('copy_crl_file: %s -> %s', old_path, new_path) if os.path.islink(old_path): # update symlink to the most most recent CRL file filename = os.path.basename(os.readlink(old_path)) realpath = os.path.join(paths.PKI_CA_PUBLISH_DIR, filename) - root_logger.debug('copy_crl_file: Create symlink %s -> %s', - new_path, realpath) + logger.debug('copy_crl_file: Create symlink %s -> %s', + new_path, realpath) os.symlink(realpath, new_path) else: shutil.copy2(old_path, new_path) @@ -1053,13 +1064,13 @@ def migrate_crl_publish_dir(ca): Move CRL publish dir from /var/lib/pki-ca/publish to IPA controlled tree: /var/lib/ipa/pki-ca/publish """ - root_logger.info('[Migrate CRL publish directory]') + logger.info('[Migrate CRL publish directory]') if sysupgrade.get_upgrade_state('dogtag', 'moved_crl_publish_dir'): - root_logger.info('CRL tree already moved') + logger.info('CRL tree already moved') return False if not ca.is_configured(): - root_logger.info('CA is not configured') + logger.info('CA is not configured') return False try: 
@@ -1068,8 +1079,8 @@ def migrate_crl_publish_dir(ca): 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', separator='=') except OSError as e: - root_logger.error('Cannot read CA configuration file "%s": %s', - paths.CA_CS_CFG_PATH, e) + logger.error('Cannot read CA configuration file "%s": %s', + paths.CA_CS_CFG_PATH, e) return False # Prepare target publish dir (creation, permissions, SELinux context) @@ -1078,16 +1089,16 @@ def migrate_crl_publish_dir(ca): if old_publish_dir == paths.PKI_CA_PUBLISH_DIR: # publish dir is already updated - root_logger.info('Publish directory already set to new location') + logger.info('Publish directory already set to new location') sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True) return False # Copy all CRLs to new directory - root_logger.info('Copy all CRLs to new publish directory') + logger.info('Copy all CRLs to new publish directory') try: crl_files_unsorted = cainstance.get_crl_files(old_publish_dir) except OSError as e: - root_logger.error('Cannot move CRL files to new directory: %s', e) + logger.error('Cannot move CRL files to new directory: %s', e) else: # Move CRL files at the end of the list to make sure that the actual # CRL files are copied first @@ -1097,7 +1108,7 @@ def migrate_crl_publish_dir(ca): try: copy_crl_file(f) except Exception as e: - root_logger.error('Cannot move CRL file to new directory: %s', e) + logger.error('Cannot move CRL file to new directory: %s', e) try: installutils.set_directive( 
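Review bot: A failed CRL copy in the `@@ -1097,7 +1108,7 @@` hunk is only logged, and the message does not say which file failed: `logger.error('Cannot move CRL file to new directory: %s', e)`. Including the path makes an incomplete migration traceable, `logger.error('Cannot move CRL file %s to new directory: %s', f, e)`. The following hunk sets `moved_crl_publish_dir` once the directive is written, apparently regardless of copy errors, so revocation data could be missing from the new publish directory while the upgrade is recorded as done. The loop and the rest of `migrate_crl_publish_dir` lie partly outside these hunks, so that should be confirmed against the full function.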
@@ -1105,23 +1116,23 @@ def migrate_crl_publish_dir(ca): 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', publishdir, quotes=False, separator='=') except OSError as e: - root_logger.error('Cannot update CA configuration file "%s": %s', - paths.CA_CS_CFG_PATH, e) + logger.error('Cannot update CA configuration file "%s": %s', + paths.CA_CS_CFG_PATH, e) return False sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True) - root_logger.info('CRL publish directory has been migrated, ' - 'request pki-tomcat restart') + logger.info('CRL publish directory has been migrated, ' + 'request pki-tomcat restart') return True def ca_enable_pkix(ca): - root_logger.info('[Enable PKIX certificate path discovery and validation]') + logger.info('[Enable PKIX certificate path discovery and validation]') if sysupgrade.get_upgrade_state('dogtag', 'pkix_enabled'): - root_logger.info('PKIX already enabled') + logger.info('PKIX already enabled') return False if not ca.is_configured(): - root_logger.info('CA is not configured') + logger.info('CA is not configured') return False ca.enable_pkix() @@ -1131,15 +1142,15 @@ def ca_enable_pkix(ca): def add_ca_dns_records(): - root_logger.info('[Add missing CA DNS records]') + logger.info('[Add missing CA DNS records]') if sysupgrade.get_upgrade_state('dns', 'ipa_ca_records'): - root_logger.info('IPA CA DNS records already processed') + logger.info('IPA CA DNS records already processed') return ret = api.Command['dns_is_enabled']() if not ret['result']: - root_logger.info('DNS is not configured') + logger.info('DNS is not configured') sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True) return 
@@ -1167,18 +1178,18 @@ def find_subject_base(): ) return subject_base - root_logger.error('Unable to determine certificate subject base. ' - 'certmap.conf will not be updated.') + logger.error('Unable to determine certificate subject base. ' + 'certmap.conf will not be updated.') def uninstall_selfsign(ds, http): - root_logger.info('[Removing self-signed CA]') + logger.info('[Removing self-signed CA]') """Replace self-signed CA by a CA-less install""" if api.env.ra_plugin != 'selfsign': - root_logger.debug('Self-signed CA is not installed') + logger.debug('Self-signed CA is not installed') return - root_logger.warning( + logger.warning( 'Removing self-signed CA. Certificates will need to managed manually.') p = SafeConfigParser() p.read(paths.IPA_DEFAULT_CONF) @@ -1192,13 +1203,13 @@ def uninstall_selfsign(ds, http): def uninstall_dogtag_9(ds, http): - root_logger.info('[Removing Dogtag 9 CA]') + logger.info('[Removing Dogtag 9 CA]') if api.env.ra_plugin != 'dogtag': - root_logger.debug('Dogtag CA is not installed') + logger.debug('Dogtag CA is not installed') return if api.env.dogtag_version >= 10: - root_logger.debug('Dogtag is version 10 or above') + logger.debug('Dogtag is version 10 or above') return dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'), @@ -1206,7 +1217,7 @@ def uninstall_dogtag_9(ds, http): try: api.Backend.ldap2.delete_entry(dn) except ipalib.errors.PublicError as e: - root_logger.error("Cannot delete %s: %s", dn, e) + logger.error("Cannot delete %s: %s", dn, e) p = SafeConfigParser() p.read(paths.IPA_DEFAULT_CONF) 
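Review bot: In `uninstall_selfsign` the string `"""Replace self-signed CA by a CA-less install"""` comes after the `logger.info(...)` call, so it is a bare expression statement and not the function's docstring; it should sit directly under the `def` line. The warning text in the same function is missing a word and would read better as `'Removing self-signed CA. Certificates will need to be managed manually.'`. The function body continues outside the hunk.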
@@ -1236,21 +1247,21 @@ def uninstall_dogtag_9(ds, http): try: services.service('pki-cad', api).disable('pki-ca') except Exception as e: - root_logger.warning("Failed to disable pki-cad: %s", e) + logger.warning("Failed to disable pki-cad: %s", e) try: services.service('pki-cad', api).stop('pki-ca') except Exception as e: - root_logger.warning("Failed to stop pki-cad: %s", e) + logger.warning("Failed to stop pki-cad: %s", e) if serverid is not None: try: services.service('dirsrv', api).disable(serverid) except Exception as e: - root_logger.warning("Failed to disable dirsrv: %s", e) + logger.warning("Failed to disable dirsrv: %s", e) try: services.service('dirsrv', api).stop(serverid) except Exception as e: - root_logger.warning("Failed to stop dirsrv: %s", e) + logger.warning("Failed to stop dirsrv: %s", e) http.restart() @@ -1264,17 +1275,17 @@ def mask_named_regular(): sysupgrade.set_upgrade_state('dns', 'regular_named_masked', True) if bindinstance.named_conf_exists(): - root_logger.info('[Masking named]') + logger.info('[Masking named]') named = services.service('named-regular', api) try: named.stop() except Exception as e: - root_logger.warning('Unable to stop named service (%s)', e) + logger.warning('Unable to stop named service (%s)', e) try: named.mask() except Exception as e: - root_logger.warning('Unable to mask named service (%s)', e) + logger.warning('Unable to mask named service (%s)', e) return True @@ -1287,7 +1298,7 @@ def fix_dyndb_ldap_workdir_permissions(): return if bindinstance.named_conf_exists(): - root_logger.info('[Fix bind-dyndb-ldap IPA working directory]') + logger.info('[Fix bind-dyndb-ldap IPA working directory]') dnskeysync = dnskeysyncinstance.DNSKeySyncInstance() dnskeysync.set_dyndb_ldap_workdir_permissions() 
@@ -1299,14 +1310,14 @@ def fix_schema_file_syntax(): https://fedorahosted.org/freeipa/ticket/3578 """ - root_logger.info('[Fix DS schema file syntax]') + logger.info('[Fix DS schema file syntax]') # This is not handled by normal schema updates, because pre-1.3.2 DS will # ignore (auto-fix) these syntax errors, and 1.3.2 and above will choke on # them before checking dynamic schema updates. if sysupgrade.get_upgrade_state('ds', 'fix_schema_syntax'): - root_logger.info('Syntax already fixed') + logger.info('Syntax already fixed') return serverid = installutils.realm_to_serverid(api.env.realm) @@ -1323,7 +1334,7 @@ def fix_schema_file_syntax(): "NAME 'idnsRecord'" in line and line.count('(') == 2 and line.count(')') == 1): - root_logger.debug('Add closing parenthesis in idnsRecord') + logger.debug('Add closing parenthesis in idnsRecord') line += ' )' result_lines.append(line) @@ -1339,7 +1350,7 @@ def fix_schema_file_syntax(): line = line.strip('\n') if (line.startswith('objectClasses:') and "NAME 'ipaSudoRule'" in line): - root_logger.debug('Remove extra dollar sign in ipaSudoRule') + logger.debug('Remove extra dollar sign in ipaSudoRule') line = line.replace('$$', '$') result_lines.append(line) @@ -1361,10 +1372,10 @@ def set_sssd_domain_option(option, value): def remove_ds_ra_cert(subject_base): - root_logger.info('[Removing RA cert from DS NSS database]') + logger.info('[Removing RA cert from DS NSS database]') if sysupgrade.get_upgrade_state('ds', 'remove_ra_cert'): - root_logger.info('RA cert already removed') + logger.info('RA cert already removed') return dbdir = dsinstance.config_dirname( 
@@ -1380,14 +1391,14 @@ def remove_ds_ra_cert(subject_base): def fix_trust_flags(): - root_logger.info('[Fixing trust flags in %s]' % paths.HTTPD_ALIAS_DIR) + logger.info('[Fixing trust flags in %s]', paths.HTTPD_ALIAS_DIR) if sysupgrade.get_upgrade_state('http', 'fix_trust_flags'): - root_logger.info("Trust flags already processed") + logger.info("Trust flags already processed") return if not api.Command.ca_is_enabled()['result']: - root_logger.info("CA is not enabled") + logger.info("CA is not enabled") return db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) @@ -1400,10 +1411,10 @@ def fix_trust_flags(): def update_mod_nss_protocol(http): - root_logger.info('[Updating mod_nss protocol versions]') + logger.info('[Updating mod_nss protocol versions]') if sysupgrade.get_upgrade_state('nss.conf', 'protocol_updated_tls12'): - root_logger.info("Protocol versions already updated") + logger.info("Protocol versions already updated") return http.set_mod_nss_protocol() @@ -1412,16 +1423,16 @@ def update_mod_nss_protocol(http): def disable_mod_nss_ocsp(http): - root_logger.info('[Updating mod_nss enabling OCSP]') + logger.info('[Updating mod_nss enabling OCSP]') http.disable_mod_nss_ocsp() def update_mod_nss_cipher_suite(http): - root_logger.info('[Updating mod_nss cipher suite]') + logger.info('[Updating mod_nss cipher suite]') revision = sysupgrade.get_upgrade_state('nss.conf', 'cipher_suite_updated') if revision and revision >= httpinstance.NSS_CIPHER_REVISION: - root_logger.debug("Cipher suite already updated") + logger.debug("Cipher suite already updated") return http.set_mod_nss_cipher_suite() 
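Review bot: In the `@@ -1412,16 +1423,16 @@` hunk, `disable_mod_nss_ocsp` logs `'[Updating mod_nss enabling OCSP]'` while its only call is `http.disable_mod_nss_ocsp()`. Going by the method name, the upgrade log states the opposite of what happens to revocation checking. Anyone reading the log to establish the OCSP state after an upgrade would be misled; a matching message would be `logger.info('[Disabling OCSP in mod_nss]')`.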
@@ -1432,19 +1443,19 @@ def update_mod_nss_cipher_suite(http): httpinstance.NSS_CIPHER_REVISION) def update_ipa_httpd_service_conf(http): - root_logger.info('[Updating HTTPD service IPA configuration]') + logger.info('[Updating HTTPD service IPA configuration]') http.update_httpd_service_ipa_conf() def update_http_keytab(http): - root_logger.info('[Moving HTTPD service keytab to gssproxy]') + logger.info('[Moving HTTPD service keytab to gssproxy]') if os.path.exists(paths.OLD_IPA_KEYTAB): # ensure proper SELinux context by using copy operation shutil.copy(paths.OLD_IPA_KEYTAB, http.keytab) try: os.remove(paths.OLD_IPA_KEYTAB) except OSError as e: - root_logger.error( + logger.error( 'Cannot remove file %s (%s). Please remove the file manually.', paths.OLD_IPA_KEYTAB, e ) @@ -1455,10 +1466,10 @@ def update_http_keytab(http): def ds_enable_sidgen_extdom_plugins(ds): """For AD trust agents, make sure we enable sidgen and extdom plugins """ - root_logger.info('[Enable sidgen and extdom plugins by default]') + logger.info('[Enable sidgen and extdom plugins by default]') if sysupgrade.get_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins'): - root_logger.debug('sidgen and extdom plugins are enabled already') + logger.debug('sidgen and extdom plugins are enabled already') return ds.add_sidgen_plugin(api.env.basedn) @@ -1466,9 +1477,9 @@ def ds_enable_sidgen_extdom_plugins(ds): sysupgrade.set_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins', True) def ca_upgrade_schema(ca): - root_logger.info('[Upgrading CA schema]') + logger.info('[Upgrading CA schema]') if not ca.is_configured(): - root_logger.info('CA is not configured') + logger.info('CA is not configured') return False schema_files=[ 
@@ -1478,22 +1489,22 @@ def ca_upgrade_schema(ca): try: modified = schemaupdate.update_schema(schema_files, ldapi=True) except Exception as e: - root_logger.error("%s", e) + logger.error("%s", e) raise RuntimeError('CA schema upgrade failed.', 1) else: if modified: - root_logger.info('CA schema update complete') + logger.info('CA schema update complete') return True else: - root_logger.info('CA schema update complete (no changes)') + logger.info('CA schema update complete (no changes)') return False def add_default_caacl(ca): - root_logger.info('[Add default CA ACL]') + logger.info('[Add default CA ACL]') if sysupgrade.get_upgrade_state('caacl', 'add_default_caacl'): - root_logger.info('Default CA ACL already added') + logger.info('Default CA ACL already added') return if ca.is_configured(): @@ -1503,7 +1514,7 @@ def add_default_caacl(ca): def setup_pkinit(krb): - root_logger.info("[Setup PKINIT]") + logger.info("[Setup PKINIT]") if not krbinstance.is_pkinit_enabled(): krb.issue_selfsigned_pkinit_certs() @@ -1543,7 +1554,7 @@ def setup_pkinit(krb): aug.save() except IOError: for error_path in aug.match('/augeas//error'): - root_logger.error('augeas: %s', aug.get(error_path)) + logger.error('augeas: %s', aug.get(error_path)) raise if krb.is_running(): @@ -1554,7 +1565,7 @@ def setup_pkinit(krb): def enable_certauth(krb): - root_logger.info("[Enable certauth]") + logger.info("[Enable certauth]") aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD, loadpath=paths.USR_SHARE_IPA_DIR) @@ -1575,7 +1586,7 @@ def enable_certauth(krb): aug.save() except IOError: for error_path in aug.match('/augeas//error'): - root_logger.error('augeas: %s', aug.get(error_path)) + logger.error('augeas: %s', aug.get(error_path)) raise if krb.is_running(): 
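Review bot: `logger.error("%s", e)` in `ca_upgrade_schema` records the exception text with no context and no traceback, and the `RuntimeError('CA schema upgrade failed.', 1)` raised next does not carry the cause either. Naming the operation in the message and keeping the traceback at debug level would make failures diagnosable from the log: `logger.error("CA schema upgrade failed: %s", e)` followed by `logger.debug("CA schema upgrade traceback", exc_info=True)`. The function starts outside the hunk.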
@@ -1605,7 +1616,7 @@ def upgrade_configuration(): Execute configuration upgrade of the IPA services """ - root_logger.debug('IPA version %s' % version.VENDOR_VERSION) + logger.debug('IPA version %s', version.VENDOR_VERSION) fstore = sysrestore.FileStore(paths.SYSRESTORE) @@ -1699,8 +1710,8 @@ def upgrade_configuration(): removed_sysconfig_file = paths.SYSCONFIG_HTTPD if fstore.has_file(removed_sysconfig_file): - root_logger.info('Restoring %s as it is no longer required', - removed_sysconfig_file) + logger.info('Restoring %s as it is no longer required', + removed_sysconfig_file) fstore.restore_file(removed_sysconfig_file) http = httpinstance.HTTPInstance(fstore) @@ -1730,7 +1741,7 @@ def upgrade_configuration(): ds_enable_sidgen_extdom_plugins(ds) if not http.is_kdcproxy_configured(): - root_logger.info('[Enabling KDC Proxy]') + logger.info('[Enabling KDC Proxy]') http.create_kdcproxy_conf() http.enable_kdcproxy() @@ -1803,13 +1814,13 @@ def upgrade_configuration(): if any(named_conf_changes): # configuration has changed, restart the name server - root_logger.info('Changes to named.conf have been made, restart named') + logger.info('Changes to named.conf have been made, restart named') bind = bindinstance.BindInstance(fstore) try: if bind.is_running(): bind.restart() except ipautil.CalledProcessError as e: - root_logger.error("Failed to restart %s: %s", bind.service_name, e) + logger.error("Failed to restart %s: %s", bind.service_name, e) if bind_started: bind.stop() @@ -1830,12 +1841,12 @@ def upgrade_configuration(): ]) if ca_restart: - root_logger.info( + logger.info( 'pki-tomcat configuration changed, restart pki-tomcat') try: ca.restart('pki-tomcat') except ipautil.CalledProcessError as e: - root_logger.error("Failed to restart %s: %s", ca.service_name, e) + logger.error("Failed to restart %s: %s", ca.service_name, e) ca_enable_ldap_profile_subsystem(ca) 
@@ -1894,7 +1905,7 @@ def upgrade_check(options): try: installutils.check_server_configuration() except RuntimeError as e: - root_logger.error(e) + logger.error("%s", e) sys.exit(1) if not options.skip_version_check: @@ -1906,14 +1917,13 @@ def upgrade_check(options): raise RuntimeError( 'Unable to execute IPA upgrade: %s' % e, 1) except installutils.UpgradeMissingVersionError as e: - root_logger.info("Missing version: %s", e) + logger.info("Missing version: %s", e) except installutils.UpgradeVersionError: # Ignore other errors pass else: - root_logger.info("Skipping version check") - root_logger.warning("Upgrade without version check may break your " - "system") + logger.info("Skipping version check") + logger.warning("Upgrade without version check may break your system") def upgrade(): @@ -1938,14 +1948,14 @@ def upgrade(): raise RuntimeError('IPA upgrade failed.', 1) else: if data_upgrade.modified: - root_logger.info('Update complete') + logger.info('Update complete') else: - root_logger.info('Update complete, no data were modified') + logger.info('Update complete, no data were modified') # store new data version after upgrade installutils.store_version() print('Upgrading IPA services') - root_logger.info('Upgrading the configuration of the IPA services') + logger.info('Upgrading the configuration of the IPA services') upgrade_configuration() - root_logger.info('The IPA services were upgraded') + logger.info('The IPA services were upgraded') diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 0523e91..49cf022 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -17,6 +17,7 @@ # along with this program. If not, see . # +import logging import sys import os import pwd 
@@ -30,12 +31,12 @@ import six from ipalib.install import certstore, sysrestore from ipapython import ipautil from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger from ipapython import kerberos from ipalib import api, errors from ipaplatform import services from ipaplatform.paths import paths +logger = logging.getLogger(__name__) if six.PY3: unicode = str @@ -60,7 +61,7 @@ SERVICE_LIST = { } def print_msg(message, output_fd=sys.stdout): - root_logger.debug(message) + logger.debug("%s", message) output_fd.write(message) output_fd.write("\n") output_fd.flush() @@ -184,7 +185,7 @@ def set_service_entry_config(name, fqdn, config_values, existing_values = entry.get('ipaConfigString', []) for value in config_values: if case_insensitive_attr_has_value(existing_values, value): - root_logger.debug( + logger.debug( "service %s: config string %s already set", name, value) entry.setdefault('ipaConfigString', []).append(value) @@ -192,15 +193,15 @@ def set_service_entry_config(name, fqdn, config_values, try: api.Backend.ldap2.update_entry(entry) except errors.EmptyModlist: - root_logger.debug( + logger.debug( "service %s has already enabled config values %s", name, config_values) return except: - root_logger.debug("failed to set service %s config values", name) + logger.debug("failed to set service %s config values", name) raise - root_logger.debug("service %s has all config values set", name) + logger.debug("service %s has all config values set", name) return entry = api.Backend.ldap2.make_entry( @@ -213,7 +214,7 @@ def set_service_entry_config(name, fqdn, config_values, try: api.Backend.ldap2.add_entry(entry) except (errors.DuplicateEntry) as e: - root_logger.debug("failed to add service entry %s", name) + logger.debug("failed to add service entry %s", name) raise e 
@@ -307,7 +308,7 @@ class Service(object): try: ipautil.run(args, nolog=nologlist) except ipautil.CalledProcessError as e: - root_logger.critical("Failed to load %s: %s" % (ldif, str(e))) + logger.critical("Failed to load %s: %s", ldif, str(e)) if raise_on_err: raise finally: @@ -373,7 +374,8 @@ class Service(object): try: api.Backend.ldap2.update_entry(entry) except Exception as e: - root_logger.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e))) + logger.critical("Could not add certificate to service %s entry: " + "%s", self.principal, str(e)) def import_ca_certs(self, db, ca_is_configured, conn=None): if conn is None: @@ -494,7 +496,7 @@ class Service(object): method() e = datetime.datetime.now() d = e - s - root_logger.debug(" duration: %d seconds" % d.seconds) + logger.debug(" duration: %d seconds", d.seconds) step = 0 steps_iter = iter(self.steps) @@ -507,7 +509,7 @@ class Service(object): if not (isinstance(e, SystemExit) and e.code == 0): # pylint: disable=no-member # show the traceback, so it's not lost if cleanup method fails - root_logger.debug("%s" % traceback.format_exc()) + logger.debug("%s", traceback.format_exc()) self.print_msg(' [error] %s: %s' % (type(e).__name__, e)) # run through remaining methods marked run_after_failure @@ -551,7 +553,7 @@ class Service(object): base_dn=entry_dn, scope=api.Backend.ldap2.SCOPE_BASE) except errors.NotFound: - root_logger.debug("service %s startup entry already disabled", name) + logger.debug("service %s startup entry already disabled", name) return assert len(entries) == 1 # only one entry is expected 
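Review bot: In the `@@ -373,7 +374,8 @@` hunk the `except Exception` branch only logs at critical level and, as far as the hunk shows, the method then ends, so callers cannot tell that the certificate was not written to the service entry. If that is deliberate best effort, a short comment would document it, e.g. `# non-fatal: continue without the certificate in the service entry`; otherwise re-raise after logging. The `str(e)` in this call and in the `Failed to load %s: %s` call of the first hunk is redundant with %-style arguments, so `e` can be passed directly. Both methods start outside their hunks.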
@@ -568,10 +570,10 @@ class Service(object): except errors.EmptyModlist: pass except: - root_logger.debug("failed to disable service %s startup entry", name) + logger.debug("failed to disable service %s startup entry", name) raise - root_logger.debug("service %s startup entry disabled", name) + logger.debug("service %s startup entry disabled", name) def ldap_remove_service_container(self, name, fqdn, ldap_suffix): entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), @@ -579,9 +581,9 @@ class Service(object): try: api.Backend.ldap2.delete_entry(entry_dn) except errors.NotFound: - root_logger.debug("service %s container already removed", name) + logger.debug("service %s container already removed", name) else: - root_logger.debug("service %s container sucessfully removed", name) + logger.debug("service %s container sucessfully removed", name) def _add_service_principal(self): try: diff --git a/ipaserver/install/sysupgrade.py b/ipaserver/install/sysupgrade.py index 7b51eac..ae80b74 100644 --- a/ipaserver/install/sysupgrade.py +++ b/ipaserver/install/sysupgrade.py @@ -17,12 +17,14 @@ # along with this program. If not, see . # +import logging import os import os.path from ipalib.install import sysrestore from ipaplatform.paths import paths -from ipapython.ipa_log_manager import root_logger + +logger = logging.getLogger(__name__) STATEFILE_FILE = 'sysupgrade.state' @@ -49,4 +51,4 @@ def remove_upgrade_file(): try: os.remove(os.path.join(paths.STATEFILE_DIR, STATEFILE_FILE)) except Exception as e: - root_logger.debug('Cannot remove sysupgrade state file: %s', e) + logger.debug('Cannot remove sysupgrade state file: %s', e) diff --git a/ipaserver/install/upgradeinstance.py b/ipaserver/install/upgradeinstance.py index e5bc8a2..a161b34 100644 --- a/ipaserver/install/upgradeinstance.py +++ b/ipaserver/install/upgradeinstance.py @@ -17,6 +17,8 @@ # along with this program. If not, see . # +import logging + import ldif import shutil import random 
@@ -24,13 +26,14 @@ import traceback from ipalib import api from ipaplatform.paths import paths from ipaplatform import services -from ipapython.ipa_log_manager import root_logger from ipaserver.install import installutils from ipaserver.install import schemaupdate from ipaserver.install import ldapupdate from ipaserver.install import service +logger = logging.getLogger(__name__) + DSE = 'dse.ldif' @@ -219,10 +222,10 @@ class IPAUpgrade(service.Service): self.files = ld.get_all_files(ldapupdate.UPDATES_DIR) self.modified = (ld.update(self.files) or self.modified) except ldapupdate.BadSyntax as e: - root_logger.error('Bad syntax in upgrade %s', e) + logger.error('Bad syntax in upgrade %s', e) raise except Exception as e: # Bad things happened, return gracefully - root_logger.error('Upgrade failed with %s', e) - root_logger.debug('%s', traceback.format_exc()) + logger.error('Upgrade failed with %s', e) + logger.debug('%s', traceback.format_exc()) raise RuntimeError(e) diff --git a/ipaserver/plugins/aci.py b/ipaserver/plugins/aci.py index f5973e9..f775d16 100644 --- a/ipaserver/plugins/aci.py +++ b/ipaserver/plugins/aci.py @@ -118,6 +118,7 @@ targetattr REPLACES the current attributes, it does not add to them. """ from copy import deepcopy +import logging import six @@ -129,12 +130,13 @@ from ipalib import output from ipalib import _, ngettext from ipalib.plugable import Registry from .baseldap import gen_pkey_only_option, pkey_to_value -from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN if six.PY3: unicode = str +logger = logging.getLogger(__name__) + register = Registry() ACI_NAME_PREFIX_SEP = ":" @@ -394,7 +396,7 @@ def _convert_strings_to_acis(acistrs): try: acis.append(ACI(a)) except SyntaxError: - root_logger.warning("Failed to parse: %s" % a) + logger.warning("Failed to parse: %s", a) return acis def _find_aci_by_name(acis, aciprefix, aciname): 
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index e22ec7c..2eb2137 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -49,7 +49,6 @@ from ipalib.request import context from ipalib import output from ipapython import kerberos from ipapython.dn import DN -from ipapython.ipa_log_manager import root_logger from ipaserver.plugins.service import normalize_principal, validate_realm try: @@ -514,7 +513,7 @@ class BaseCertObject(Object): except Exception: # Invalid GeneralName (i.e. not a valid X.509 cert); # don't fail but log something about it - root_logger.warning( + logger.warning( "Encountered bad GeneralName; skipping", exc_info=True) serial_number = obj.get('serial_number') diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 3e64f9d..0ef290c 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -39,7 +39,6 @@ from .baseldap import ( from .dns import dns_container_exists from ipapython.dn import DN from ipapython.ipautil import realm_to_suffix -from ipapython.ipa_log_manager import root_logger from ipalib import api, Str, StrEnum, Password, Bool, _, ngettext, Int, Flag from ipalib import Command from ipalib import errors @@ -394,10 +393,10 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options): if not info_list: # We were unable to gain UNIX specific info from the AD - root_logger.debug("Unable to gain POSIX info from the AD") + logger.debug("Unable to gain POSIX info from the AD") else: if all(attr in info for attr in required_msSFU_attrs): - root_logger.debug("Able to gain POSIX info from the AD") + logger.debug("Able to gain POSIX info from the AD") range_type = u'ipa-ad-trust-posix' max_uid = info.get('msSFU30MaxUidNumber') diff --git a/ipatests/pytest_plugins/beakerlib.py b/ipatests/pytest_plugins/beakerlib.py index 828a851..0bb4c97 100644 --- a/ipatests/pytest_plugins/beakerlib.py +++ b/ipatests/pytest_plugins/beakerlib.py 
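Review bot: The cert.py hunks remove `from ipapython.ipa_log_manager import root_logger` and switch the call to `logger.warning(...)`, but no hunk shown for this file adds `import logging` or a module-level `logger`. The same holds for the `ipaserver/plugins/trust.py` hunks, where `add_range` now calls `logger.debug(...)`. Presumably both modules already define `logger = logging.getLogger(__name__)` outside the hunks. If they do not, these paths raise `NameError` the first time they log, and in cert.py that would happen inside the `except Exception` handler meant to tolerate a bad GeneralName. Worth confirming against the full files.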
@@ -25,12 +25,13 @@ If the plugin is active, sets up IPA logging to also log to Beaker. import logging -from ipapython.ipa_log_manager import Formatter, root_logger +from ipapython.ipa_log_manager import Formatter def pytest_configure(config): plugin = config.pluginmanager.getplugin('BeakerLibPlugin') if plugin: + root_logger = logging.getLogger() root_logger.setLevel(logging.DEBUG) handler = BeakerLibLogHandler(plugin.run_beakerlib_command) diff --git a/ipatests/pytest_plugins/nose_compat.py b/ipatests/pytest_plugins/nose_compat.py index 6966e25..8cd6b2d 100644 --- a/ipatests/pytest_plugins/nose_compat.py +++ b/ipatests/pytest_plugins/nose_compat.py @@ -23,7 +23,7 @@ import os import sys import logging -from ipapython.ipa_log_manager import Formatter, root_logger +from ipapython.ipa_log_manager import Formatter def pytest_addoption(parser): @@ -64,4 +64,5 @@ def pytest_configure(config): handler = LogHandler() handler.setFormatter(Formatter('[%(name)s] %(message)s')) handler.setLevel(config.getoption('logging_level')) + root_logger = logging.getLogger() root_logger.addHandler(handler)