URL: https://github.com/freeipa/freeipa/pull/1725 Author: abbra Title: #1725: upgrade: Run configuration upgrade under empty ccache collection Action: opened
PR body: """ Use temporary empty DIR-based ccache collection to prevent upgrade failures in case KCM: or KEYRING: ccache type is used by default in krb5.conf and is not available. We don't need any user credentials during upgrade procedure but kadmin.local would attempt to resolve default ccache and if that's not available, kadmin.local will fail. This approach was successfully tested with OpenQA tests that upgrade from F27 to F28. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1725/head:pr1725 git checkout pr1725
From 93357837908dcbadf2da9607afc4d4e9313b0a9b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 21 Mar 2018 10:33:32 +0200
Subject: [PATCH] upgrade: Run configuration upgrade under empty ccache collection
Use temporary empty DIR-based ccache collection to prevent upgrade failures in case KCM: or KEYRING: ccache type is used by default in krb5.conf and is not available. We don't need any user credentials during upgrade procedure but kadmin.local would attempt to resolve default ccache and if that's not available, kadmin.local will fail.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 ipaserver/install/server/upgrade.py | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5654cc32d5..35e1005820 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -11,6 +11,8 @@
 import pwd
 import fileinput
 import sys
+import tempfile
+from contextlib import contextmanager
 from augeas import Augeas
 import dns.exception
 from ipalib import api, x509
@@ -1931,6 +1933,33 @@ def upgrade_check(options):
 logger.warning("Upgrade without version check may break your system")
+@contextmanager
+def empty_ccache():
+ # Create temporary directory and use it as a DIR: ccache collection
+ # instead of whatever is a default in /etc/krb5.conf
+ #
+ # In Fedora 28 KCM: became a default credentials cache collection
+ # but if KCM daemon (part of SSSD) is not running, libkrb5 will fail
+ # to initialize. This causes kadmin.local to fail.
+ # Since we are in upgrade, we cannot kinit anyway (KDC is offline).
+ # Bug https://bugzilla.redhat.com/show_bug.cgi?id=1558818
+ kpath_dir = tempfile.mkdtemp(prefix="upgrade_ccaches",
+ dir=paths.IPA_CCACHES)
+ kpath = "DIR:{dir}s".format(dir=kpath_dir)
+ old_path = os.environ.get('KRB5CCNAME')
+ try:
+ os.environ['KRB5CCNAME'] = kpath
+ yield
+ finally:
+ if old_path:
+ os.environ['KRB5CCNAME'] = old_path
+ else:
+ del os.environ['KRB5CCNAME']
+ for f in os.listdir(kpath_dir):
+ os.remove(os.path.join(kpath_dir, f))
+ os.rmdir(kpath_dir)
+
+
 def upgrade():
 realm = api.env.realm
 schema_files = [os.path.join(paths.USR_SHARE_IPA_DIR, f) for f
@@ -1955,7 +1984,8 @@ def upgrade():
 print('Upgrading IPA services')
 logger.info('Upgrading the configuration of the IPA services')
- upgrade_configuration()
+ with empty_ccache():
+ upgrade_configuration()
 logger.info('The IPA services were upgraded')
 # store new data version after upgrade
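Review bot: In `empty_ccache()` the line `kpath = "DIR:{dir}s".format(dir=kpath_dir)` leaves a literal `s` after the placeholder, so KRB5CCNAME names `<tmpdir>s` rather than the directory `tempfile.mkdtemp()` just created; this looks like a leftover from a `%(dir)s` format and should read `kpath = "DIR:{dir}".format(dir=kpath_dir)`. As written, anything libkrb5 writes for that collection would presumably land in a sibling path that lacks mkdtemp's unique, owner-only directory, and the `finally` block never removes it because cleanup only walks `kpath_dir`. The cleanup loop also calls `os.remove()` per entry, which raises on a subdirectory and then skips `os.rmdir(kpath_dir)`; a recursive removal of `kpath_dir` would be more robust. Finally, `if old_path:` treats an empty-string KRB5CCNAME as unset, whereas `if old_path is not None:` would restore the caller's environment exactly.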