#4468 Make ipa-server-install (and friends) into python libraries
Closed: Fixed None Opened 5 years ago by sgallagh.

ipa-server-install (and replica, client, etc.) are very powerful tools.

We would like to be able to access the code that they execute more directly within rolekit (which is providing the Fedora Server Role API). This would be so that we could solve the following problems:

  1. Track progress through the installation (postponed, see comment:26)
  2. Avoid putting DM and admin passwords into the process table (postponed, see comment:26)
  3. Avoid forking a process from our python daemon just to invoke more python code; it's unnecessary overhead.

pviktori, this ticket could be a basis of the planned OpenLMI integration announced on freeipa-devel.

Would a refactoring & making the installer use our installer base from AdminTool satisfy sgallagh's needs?

For (1) we'd need some coding, but it would definitely be easier to add to the framework than to the current code.

(2) can be addressed now, but with the framework it would be easier to be consistent.

Allowing (3) would be very easy, though we might want to add an even nicer interface. (And it would help IPA as well, for example I think it would help to have ipa-server-install just call ipa-dns-install at the end, so that the single-step and two-step installations would be equivalent.)

The ticket for the AdminTool refactoring is: #2652 Framework for admin/install tools

This ticket should only track the necessary changes on top of that.

Moving to 4.2, will be pat of OpenLMI integration. We will certainly also consider #2652 as it can fix some of our problems.

not only existing commands will be affected, there is also the commandline part for ticket 4302. It will probably need a command like ipa-topology-manage with subcommands like init| verify| show | connect |disconnect and has some overlap with ipa-replica-manage.

The (pviktori's) plan is to have introspectable argument definitions, like the IPA framework's Param, so supporting different ways to pass the options (function args, CLI, config files) should be easy.

A Password argument that the CLI user can specify by any of file, env var, command line, or interactive prompting, would of course be built in.

Someone, please take this.

This ticket is not critical for 4.2 GA and can be done in follow-up stabilization release - postponing.


  • ae9c3e2 DNS install: extract DNS installer into one module


  • 6a4b428 merge KRA installation machinery to a single module


  • 01fa05d KRA: get the right dogtag version during server uninstall


  • 5a7b153 install: Make a package out of ipaserver.install.server
  • 6dabe6e install: Move ipa-server-install code into a module
  • 3cb42e3 install: Move ipa-replica-install code into a module
  • f451af9 install: Move ipa-server-upgrade code into a module


  • 2acedb2 Move CA installation code into single module.
  • e01095d install: Fix missing variable initialization in replica install


  • 90e400e install: Fix CA-less server install
  • 4c70590 install: Fix external CA server install
  • 08229a0 install: Move private_ccache from ipaserver to ipapython
  • 9e9c01f install: Introduce installer framework ipapython.install
  • eb95922 install: Migrate ipa-server-install to the install framework


  • 1bf383e install: Handle Knob cli_name and cli_aliases values consistently
  • eb0251c install: Add support for positional arguments in CLI tools
  • 6f1ae05 install: Allow setting usage in CLI tools
  • 46cbe26 install: Migrate ipa-replica-install to the install framework


  • cbcd86b install: Initialize API early in server and replica install


  • bae80b0 install: Fix logging setup in server and replica install


  • c3a3d78 install: Fix ipa-replica-install not installing RA cert


  • 49d708f Replicas cannot define their own master password.

This ticket tracks several problems that will be fixed in different releases.

I am not sure about the scope and base design for 1., please open separate ticket if you are interested in this.

Part 2 is a duplicate of #4517.

Part 3 is fixed for ipa-server-install and ipa-replica-install in 4.2, so I am closing this ticket. Please open tickets for missing functionality that you depend on.

Metadata Update from @sgallagh:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2

2 years ago

Login to comment on this ticket.