Set explicit confdir option for global contexts

[tiran]

Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

• backup
• cli_installer
• installer
• ipctl
• renew
• restore
• server
• updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes cheimes@redhat.com

[tiran]

For #182

[HonzaCholasta]

You missed a few:

daemons/dnssec/ipa-dnskeysync-replica:124:ipalib.api.bootstrap(in_server=True, log=None)  # no logging to file
daemons/dnssec/ipa-dnskeysyncd:23:api.bootstrap(in_server=True, log=None)  # no logging to file
daemons/dnssec/ipa-ods-exporter:618:ipalib.api.bootstrap(in_server=True, log=None)  # no logging to file
doc/guide/wsgi.py.txt:9:env._bootstrap(context='server', log=None)
doc/guide/wsgi.py.txt:13:api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap)
install/restart_scripts/renew_ra_cert:39:    api.bootstrap(in_server=True, context='restart')
install/tools/ipa-adtrust-install:269:    api.bootstrap(**cfg)
install/tools/ipa-ca-install:262:    api.bootstrap(in_server=True, ra_plugin='dogtag')
install/tools/ipa-compat-manage:105:    api.bootstrap(context='cli', in_server=True, debug=options.debug)
install/tools/ipa-csreplica-manage:418:    api.bootstrap(**api_env)
install/tools/ipa-dns-install:139:    api.bootstrap(**cfg)
install/tools/ipa-managed-entries:75:    api.bootstrap(context='cli', debug=options.debug)
install/tools/ipa-nis-manage:118:    api.bootstrap(context='cli', debug=options.debug, in_server=True)
install/tools/ipa-replica-manage:1512:    api.bootstrap(**api_env)
ipapython/dnssec/ldapkeydb.py:417:    ipalib.api.bootstrap(in_server=True, log=None)  # no logging to file
ipaserver/advise/base.py:238:        api.bootstrap(in_server=False, context='cli')
ipaserver/advise/base.py:240:        advise_api.bootstrap(in_server=False, context='cli')
ipaserver/install/ipa_cacert_manage.py:99:        api.bootstrap(in_server=True)
ipaserver/install/ipa_kra_install.py:80:        api.bootstrap(in_server=True)
ipaserver/install/ipa_otptoken_import.py:512:        api.bootstrap(in_server=True)
ipaserver/install/ipa_replica_prepare.py:183:        api.bootstrap(in_server=True)
ipaserver/install/ipa_server_certinstall.py:102:        api.bootstrap(in_server=True)
ipatests/test_ipaserver/test_ldap.py:114:        myapi.bootstrap(context='cli', in_server=True)
ipatests/test_ipaserver/test_serverroles.py:472:    test_api.bootstrap(in_server=True, ldap_uri=api.env.ldap_uri)
lite-server.py:130:    (options, args) = api.bootstrap_with_global_options(parser, context='lite')

[tiran]

I fixed a few. Some scripts deliberately do not have the confdir flag in bootstrap.

[HonzaCholasta]

Please explain, all of the affected scripts are server-only and thus not related to the integration effort and most probably won't work correctly with non-server configuration anyway.

[tiran]

All bootstrap() calls without an explicit confdir argument are fine. If you think otherwise, please list all calls and give me a compelling reason to have them ignore IPA_CONFDIR.

[tiran]

• daemons/dnssec/ipa-dnskeysync-replica:124:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file
• daemons/dnssec/ipa-dnskeysyncd:23:api.bootstrap(in_server=True, log=None) # no logging to file
• daemons/dnssec/ipa-ods-exporter:618:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file
• doc/guide/wsgi.py.txt:9:env._bootstrap(context='server', log=None)
• doc/guide/wsgi.py.txt:13:api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap)
• install/restart_scripts/renew_ra_cert:39: api.bootstrap(in_server=True, context='restart')
• install/tools/ipa-adtrust-install:269: api.bootstrap(**cfg)
• install/tools/ipa-ca-install:262: api.bootstrap(in_server=True, ra_plugin='dogtag')
• install/tools/ipa-compat-manage:105: api.bootstrap(context='cli', in_server=True, debug=options.debug)
• install/tools/ipa-csreplica-manage:418: api.bootstrap(**api_env)
• install/tools/ipa-dns-install:139: api.bootstrap(**cfg)
• install/tools/ipa-managed-entries:75: api.bootstrap(context='cli', debug=options.debug)
• install/tools/ipa-nis-manage:118: api.bootstrap(context='cli', debug=options.debug, in_server=True)
• install/tools/ipa-replica-manage:1512: api.bootstrap(**api_env)
• ipaserver/dnssec/ldapkeydb.py:417: ipalib.api.bootstrap(in_server=True, log=None) # no logging to file
• ipaserver/advise/base.py:238: api.bootstrap(in_server=False, context='cli')
• ipaserver/advise/base.py:240: advise_api.bootstrap(in_server=False, context='cli')
• ipaserver/install/ipa_cacert_manage.py:99: api.bootstrap(in_server=True)
• ipaserver/install/ipa_kra_install.py:80: api.bootstrap(in_server=True)
• ipaserver/install/ipa_otptoken_import.py:512: api.bootstrap(in_server=True)
• ipaserver/install/ipa_replica_prepare.py:183: api.bootstrap(in_server=True)
• ipaserver/install/ipa_server_certinstall.py:102: api.bootstrap(in_server=True)
• ipatests/test_ipaserver/test_ldap.py:114: myapi.bootstrap(context='cli', in_server=True)
• ipatests/test_ipaserver/test_serverroles.py:472: test_api.bootstrap(in_server=True, ldap_uri=api.env.ldap_uri)
• lite-server.py:130: (options, args) = api.bootstrap_with_global_options(parser, context='lite')

[pvoborni]

If I understand Christian right, it is not disagreement about something which needs to be done. But rather a proposal to address rest of the scripts later in other pull request. So that we can push this PR to unblock subsequent reviews.

Is it correct? If so can be proceed with checking if current code is OK and finished rest in other PR?

[HonzaCholasta]

That may be so, but why do it later when it can be done now in 10 minutes?

More importantly, we try hard not to introduce new inconsistencies to our code and I don't see why this PR should be an exception (the incosistency is differing behavior of server-side scripts when IPA_CONFDIR is set, if it's not obvious).

[HonzaCholasta]

BTW, @tiran, if you don't have 10 minutes of your time to make the changes, I would be happy to spend 10 minutes of my time to amend the patch before pusing it. If that's OK with you, ACK.

[tiran]

It's not a 10 minute change because I don't want to have a purely mechanical transition. It's going to take several hours of bike shedding and head banging.

Some calls to bootstrap are fine without confdir. Other places like test suite need another approach. I already have some local patches to replace some test hacks (e.g. ipalib/__init__.py) with proper pytest code.

[pvoborni]

Christian, was your answer an agreement to Honza's proposal? I.e. push this PR? Do rest later by Honza?

[tiran]

@pvoborni No, my answer is an disagreement. Honza does not want the approve the PR as it stands now.

My proposal is

• Review this PR under the premise that it does not break current code when IPA_CONFDIR is absent.
• Review the disputable code lines after my deadline and within the next two weeks. Some of them might need an explicit confdir, some might not. I need to carefully think about each call.

[pvoborni]

Lets push this code if it is correct but only misses usecases mentioned above". Honza will implement the missing usecases in separate PR.

[HonzaCholasta]

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/1e6a204b4372bbbfb722a00370a5ce4e34406b9f