#6392 Installers refactoring tracker
Closed: fixed 2 years ago Opened 2 years ago by mbasti.

All related installers refactoring tickets should be blockers of this ticket.


  • eac6f52 Remove redundant dsinstance restart
  • 83e72d7 Move ds.replica_populate to an update plugin
  • 7279ef1 Moved update of DNA plugin among update plugins
  • 2fdc2d0 CertDB: add API for non-destructive initialization from PKCS#12 bundle
  • b1283c1 initialize empty /etc/http/alias during server/replica install
  • 8a7e79a replica install: use one remote CA host name everywhere
  • 0e232b5 replica install: use one remote KRA host name everywhere
  • dc38d53 install: merge all CA install code paths into one
  • 0933e08 install: merge all KRA install code paths into one
  • f98faec ipa-client-install: move client install to module
  • 5c16608 client: remove unneded return configure_krb5_conf
  • 49f201e client: remove unneded return from configure_ipa_conf
  • cc6efb9 client: install function: return constant not hardcoded number
  • c30b45a client: remove extra return from hardcode_ldap_server
  • 1c92678 client: import IPAChangeConf directly instead the module
  • 31a9ef4 IPAChangeConf: use constant for empty line
  • 2dedfe5 server install: do not restart httpd during CA install
  • cf1c4e8 client: Making the configure functions more readable
  • bddd4fa Replaced EMPTY_LINE constant with a function call
  • 822e1bc replica install: merge RA cert import into CA install
  • 89bb5ed replica install: merge KRA agent cert export into KRA install
  • 8e36e03 certs: do not re-create NSS database when requesting service cert
  • 3d5161d Separate function to purge IPA host principals from keytab
  • a6ec372 do partial host enrollment in domain level 0 replica install
  • 1991279 fix incorrect invocation of ipa-getkeytab during DL0 host enrollment
  • 33537f5 client: make statestore and fstore consistent with server
  • 2c226eb client: move checks to client.install_check
  • 3f690a0 client: extract checks from install to install_check
  • fcea3b3 client: extract checks from uninstall to uninstall_check
  • 83fe6b6 client: move custom env variable into client module
  • 1f65c07 client: Remove useless except in ipa-client-install
  • 8cbbb53 client: fix script execution
  • bbad089 client: move clean CCACHE to module
  • b378673 client: move install cleanup from ipa-client-install to module
  • c38ce49 client: move install part to else branch
  • 5249eb8 client: use exceptions instead of return states
  • 847b6ed client: use correct code for failed uninstall
  • 0914a3a replicainstall: Unify default.conf file creation
  • 990e1ac Fix to ipachangeconf docstrings
  • b068d33 Added file permissions option to IPAChangeConf.newConf()
  • a3c9def Import just IPAChangeConf instead of the whole module
  • 8cb315a replica install: fix DS restart failure during replica promotion
  • 87c3c1a install: use ldaps for pkispawn in ipa-ca-install
  • bde1d82 Move httpd restart to DNS installation
  • ba4df64 Move the pki-tomcat restart to cainstance creation
  • 1fc128b Properly bootstrap replica promotion api
  • 500327b First step of merging replica installation of both DLs
  • 2de43e7 Split install_http_certs() into two functions
  • e40d6a2 Use host keytab to connect to remote server on DL0
  • 0b68899 Remove redundant CA cert file existance check
  • 928a4aa Use os.path.join instead of concatenation
  • 606cac1 Use updated CA certs in replica installation
  • 8359237 Take advantage of the ca/kra code cleanup in replica installation
  • bc2e338 replicainstall: move common checks to common_check()
  • 37578cf Use same means of checking replication agreements on both DLs
  • 1e6366b Offer more general way to check domain level in replicainstall
  • 15f282c service installers: clean up the inheritance
  • 81bf72d Make service user name a class member of Service
  • 3259998 Turn Kerberos-related properties to Service class members
  • 4286f38 Service: common method for service keytab requests
  • 6181844 use DM credentials to retrieve service keytab only in DLO
  • 3129b87 dsinstance: use keytab retrieval method from parent class
  • 4e97a01 installers: restart DS after KDC is configured
  • 73fc155 domain-level agnostic keytab retrieval in httpinstance
  • 7cd3b1b installutils: remove 'install_service_keytab' function
  • 8c742b1 Fix CA replica install on DL1
  • a641e27 install: improve CLI positional argument handling
  • be0c1af install: simplify CLI option parsing
  • 9fd1981 install: introduce updated knob constructor
  • a929ac3 install: use standard Python classes to declare knob types
  • 043c262 install: declare knob CLI names using the argparse convention
  • 269ca6c install: make knob base declaration explicit
  • 08a446a install: fix subclassing of knob groups
  • a8fdb8d install: introduce installer class hierarchy
  • 225fae8 install: migrate server installers to the new class hierarchy
  • 714699a install: allow specifying verbosity and console log format in CLI
  • 09423ac install: migrate client install to the new class hierarchy

There seems to be a regression: ipa-replica-install tries to install
a CA if there is a CA in the topology, even if --setup-ca is not provided.

Seems to have occurred in 822e1bc, where
instances of if config.setup_ca: were replaced with if ca_enabled:.

Fraser, can you provide steps to reproduce? I haven't been able to reproduce it:

My steps:

[master ~]# ipa-server-install  # with CA
[replica ~]# ipa-client-install --server <server> --domain <domain>
[replica ~]# ipa-replica-install
[replica ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

There is a regression related to ipa-replica-install. The RA agent certificate is not tracked any more, while it used to be on all replicas in ca-full installation (whether the replica was running a CA or not).

getcert list -n ipaCert

does not output anything.

It seems that commit 822e1bc is responsible for this issue.

There is a regression with ipa-server-install --external-ca:

  [48/48]: configuring directory to start on boot
Done configuring directory server (dirsrv).
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    'dm_password'
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The exception is:

  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 774, in install
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 148, in write_cache
    options['dm_password'], top_dir)

2016-11-14T17:40:02Z DEBUG The ipa-server-install command failed, exception: KeyError: 'dm_password'
2016-11-14T17:40:02Z ERROR 'dm_password'
2016-11-14T17:40:02Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

mbasti: I can't repro either. Maybe I had some local changes that broke it... ¯_(ツ)_/¯

regression fix:

  • 6ca96b3 Fix the naming of ipa-dnskeysyncd service principal



  • 4221266 replica install: track the RA agent certificate again


  • 4fff099 server install: fix external CA install

KRA agent PEM file is no longer present after ipa-server-install in /etc/httpd/alias/ caused by 822e1bc.

Has a PR:


  • 998c87a server install: fix KRA agent PEM file not being created

KRA agent PEM file is no longer present after ipa-replica-install in /etc/httpd/alias/


  • 26630db client install: correctly report all failure


  • 9ac068a Don't prepend option names with additional '--'

Metadata Update from @mbasti:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5

2 years ago


  • 00f49dd server install: remove duplicate -w option
  • 5efa55c install: add missing space in realm_name description
  • 94f362d server install: remove duplicate knob definitions
  • 1cfe06c client install: split off SSSD options into a separate class
  • 774d8d0 install CLI: remove magic option groups
  • 2fc9fed install: re-introduce option groups

Metadata Update from @mbasti:
- Issue close_status updated to: None

2 years ago

Metadata Update from @jcholast:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
