URL: https://github.com/freeipa/freeipa/pull/5485
Author: rcritten
Title: #5485: Ensure IPA is running (ideally) before uninstalling the KRA
Action: opened

PR body:
"""
Ensure IPA is running (ideally) before uninstalling the KRA

The KRA attempts to unregister itself from the security domain
which requires that IPA be running for this to succeed.

1. Move the KRA uninstall call prior to stopping all IPA
   services
2. Try to start IPA if it isn't running and a KRA is configured

It isn't mandatory that IPA be running for the KRA uninstall to
succeed but it will suppress a pretty scary backtrace and error
message.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>

This also removes two deprecated API warnings from dogtag and changes a log level from info to debug to suppress unnecessary output.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5485/head:pr5485
git checkout pr5485

From d9a052450b479bfab17187292249385494820ad0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Fri, 22 Jan 2021 17:23:53 -0500
Subject: [PATCH 1/5] Change CA profile migration message from info to debug

This is an informational message and clutters the installation
screen with no end-user benefit. Logging it as debug is
sufficient to know what is going on.
---
 ipaserver/install/cainstance.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 131418df7b0..8196e3dee1e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1959,7 +1959,7 @@ def import_included_profiles():
             _create_dogtag_profile(profile_id, profile_data, overwrite=True)
             logger.debug("Imported profile '%s'", profile_id)
         else:
-            logger.info(
+            logger.debug(
                 "Profile '%s' is already in LDAP; skipping", profile_id
             )
 
@@ -2034,7 +2034,7 @@ def migrate_profiles_to_ldap():
         state = profile_states.get(profile_id.lower(), ProfileState.MISSING)
         if state != ProfileState.MISSING:
             # We don't reconsile enabled/disabled state.
-            logger.info(
+            logger.debug(
                 "Profile '%s' is already in LDAP and %s; skipping",
                 profile_id, state.value
             )
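Review bot: the context comment two lines above the changed call reads "We don't reconsile enabled/disabled state." and misspells "reconcile"; since this hunk already touches that block, the one-word fix is cheap to fold in here. The info-to-debug change itself matches the one made in import_included_profiles in the previous hunk, so the two "already in LDAP; skipping" messages stay at the same level.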

From 981f01622043a4ab2d59ebbf7269f3b2500f84f6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Fri, 22 Jan 2021 17:25:28 -0500
Subject: [PATCH 2/5] Use the new API introduced in PKI 10.8

https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes
---
 ipaserver/install/dogtaginstance.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 52dfc016a1e..7f2a4a32e41 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -84,7 +84,7 @@ def get_security_domain():
         cert_paths=paths.IPA_CA_CRT
     )
     domain_client = pki.system.SecurityDomainClient(connection)
-    info = domain_client.get_security_domain_info()
+    info = domain_client.get_domain_info()
     return info
 
 
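Review bot: `get_domain_info()` only exists from PKI 10.8 onward according to the linked wiki page, so this rename is a hard floor on the pki-server Python package; make sure the packaging requirement is raised to match, otherwise a host with an older PKI fails here with an AttributeError instead of the deprecation warning it got before. If a transition window is needed, `getattr(domain_client, 'get_domain_info', None)` with a fallback to `get_security_domain_info` would keep both versions working.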
@@ -97,7 +97,7 @@ def is_installing_replica(sys_type):
     """
     info = get_security_domain()
     try:
-        sys_list = info.systems[sys_type]
+        sys_list = info.subsystems[sys_type]
         return len(sys_list.hosts) > 0
     except KeyError:
         return False
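Review bot: the `except KeyError` below the changed line still only covers a missing subsystem type; if `info` came from a PKI that still exposes `.systems`, the `.subsystems` access raises AttributeError and escapes is_installing_replica() entirely. Either catch AttributeError here as well or rely on the version floor noted for the previous hunk, and add a docstring line stating the minimum PKI version this helper expects.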

From ad3d77e55419ff4c280f37c66d10ec7faf64d944 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 26 Jan 2021 10:12:31 -0500
Subject: [PATCH 3/5] ipactl: support script status 3, program is not running

Return status 3 if ipactl status can't start 389-ds or if
any of the expected services is not running.

https://pagure.io/freeipa/issue/8588

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaserver/install/ipactl.py | 41 ++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 10 deletions(-)

diff --git a/ipaserver/install/ipactl.py b/ipaserver/install/ipactl.py
index f813d0d728c..545a4843e3a 100644
--- a/ipaserver/install/ipactl.py
+++ b/ipaserver/install/ipactl.py
@@ -613,6 +613,22 @@ def ipa_restart(options):
 
 
 def ipa_status(options):
+    """Report status of IPA-owned processes
+
+       The LSB defines the possible status values as:
+
+       0 program is running or service is OK
+       1 program is dead and /var/run pid file exists
+       2 program is dead and /var/lock lock file exists
+       3 program is not running
+       4 program or service status is unknown
+       5-99 reserved for future LSB use
+       100-149 reserved for distribution use
+       150-199 reserved for application use
+       200-254 reserved
+
+       We only really care about 0, 3 and 4.
+    """
 
     try:
         dirsrv = services.knownservices.dirsrv
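Review bot: the docstring body is indented seven spaces under a four-space function body; the conventional PEP 257 layout is the first line directly after the opening `"""` and the remaining lines at the same four-space indentation as the code. The table of LSB status codes is useful to keep; consider naming the LSB init-script `status` action specification it is taken from so a reader knows why 4 (unknown) rather than 1 is used for "could not determine".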
@@ -627,7 +643,8 @@ def ipa_status(options):
             svc_list = []
     except Exception as e:
         raise IpactlError(
-            "Failed to get list of services to probe status: " + str(e)
+            "Failed to get list of services to probe status: " + str(e),
+            4
         )
 
     dirsrv = services.knownservices.dirsrv
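Review bot: the exit status is passed as a bare positional `4` to IpactlError; a keyword argument would read better if IpactlError accepts one (its signature is not in this diff), and failing that a short comment such as `# 4: status unknown` at the raise site keeps the mapping to the docstring table visible.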
@@ -636,19 +653,19 @@ def ipa_status(options):
             print("Directory Service: RUNNING")
         else:
             print("Directory Service: STOPPED")
-            if len(svc_list) == 0:
-                print(
-                    (
-                        "Directory Service must be running in order to "
-                        "obtain status of other services"
-                    )
-                )
     except Exception as e:
-        raise IpactlError("Failed to get Directory Service status")
+        raise IpactlError("Failed to get Directory Service status", 4)
 
     if len(svc_list) == 0:
-        return
+        raise IpactlError(
+            (
+                "Directory Service must be running in order to "
+                "obtain status of other services"
+            ),
+            3,
+        )
 
+    stopped = 0
     for svc in svc_list:
         svchandle = services.service(svc, api=api)
         try:
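Review bot: the moved "Directory Service must be running ..." message is now raised whenever svc_list is empty, but the old code only printed it when the Directory Service had just been reported STOPPED. With the Directory Service RUNNING and an empty service list the user now sees "Directory Service: RUNNING" followed by a message saying it must be running, which contradicts itself; either check the dirsrv state here and use a different message for the running case (for example that no IPA services are configured), or keep the raise inside the STOPPED branch. Also, `e` on the `except Exception as e:` line above the changed raise is still unused since the message never included str(e); flake8 will flag it as F841 now that the line is being touched.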
@@ -656,9 +673,13 @@ def ipa_status(options):
                 print("%s Service: RUNNING" % svc)
             else:
                 print("%s Service: STOPPED" % svc)
+                stopped += 1
         except Exception:
             emit_err("Failed to get %s Service status" % svc)
 
+    if stopped > 0:
+        raise IpactlError("%d service(s) are not running" % stopped, 3)
+
 
 def main():
     if not os.getegid() == 0:
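Review bot: a service whose status cannot be determined (the `except Exception` branch that calls emit_err) is neither counted in `stopped` nor reflected in the exit status, so ipactl can still exit 0 after printing "Failed to get ... Service status". Per the new docstring that case is status 4 (unknown); track it in a second counter and raise IpactlError with 4 when it is non-zero, deciding explicitly whether 3 or 4 should win when both occur. The summary could also carry the total, e.g. "%d of %d service(s) are not running".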

From 993d376812ad5370ce42308aff954c39f6112ad3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 25 Jan 2021 11:40:22 -0500
Subject: [PATCH 4/5] Ensure IPA is running (ideally) before uninstalling the
 KRA

The KRA attempts to unregister itself from the security domain
which requires that IPA be running for this to succeed.

1. Move the KRA uninstall call prior to stopping all IPA
   services
2. Try to start IPA if it isn't running and a KRA is configured

It isn't mandatory that IPA be running for the KRA uninstall to
succeed but it will suppress a pretty scary backtrace and error
message.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaserver/install/kra.py            | 19 +++++++++++++++++++
 ipaserver/install/server/install.py |  8 ++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index c7a097b58d0..ffed5df1402 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -8,6 +8,7 @@
 
 from __future__ import absolute_import
 
+import logging
 import os
 
 from ipalib import api
@@ -23,6 +24,8 @@
 
 from . import dogtag
 
+logger = logging.getLogger(__name__)
+
 
 def install_check(api, replica_config, options):
     if replica_config is not None and not replica_config.setup_kra:
@@ -113,6 +116,22 @@ def install(api, replica_config, options, custodia):
         named.restart(capture_output=True)
 
 
+def uninstall_check(options):
+    """IPA needs to be running so pkidestroy can unregister KRA"""
+    kra = krainstance.KRAInstance(api.env.realm)
+    if not kra.is_installed():
+        return
+
+    result = ipautil.run([paths.IPACTL, 'status'],
+                         raiseonerr=False)
+
+    if result.returncode not in [0, 4]:
+        try:
+            ipautil.run([paths.IPACTL, 'start'])
+        except Exception:
+            logger.info("Re-starting IPA failed, continuing uninstall")
+
+
 def uninstall():
     kra = krainstance.KRAInstance(api.env.realm)
     kra.stop_tracking_certificates()
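Review bot: `options` is accepted by uninstall_check() but never used; drop it, or keep it for symmetry with install_check() and say so in a comment. The `result.returncode not in [0, 4]` test deserves a comment tying it to the ipactl status table: 4 means the status could not be determined, so the start is skipped on the assumption that services are probably up; if that assumption is wrong the uninstall goes on to hit the very backtrace this change is meant to avoid, so if `ipactl start` is safe to repeat on a running system, starting on 4 as well may be the safer choice, since a failed start is already tolerated. `ipautil.run([paths.IPACTL, 'start'])` raises CalledProcessError by default, which the broad `except Exception` catches, but logging that failure at warning rather than info would make it visible in normal uninstall output. Finally, the visible imports show only `from ipalib import api`; confirm `ipautil` and `paths` are imported in kra.py, as the diff does not show them.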
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 103cfccfbe8..b01fd85a5de 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1098,6 +1098,8 @@ def uninstall_check(installer):
                           "uninstall procedure?", False):
             raise ScriptError("Aborting uninstall operation.")
 
+    kra.uninstall_check(options)
+
     try:
         api.Backend.ldap2.connect(autobind=True)
 
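Review bot: the enclosing function is `uninstall_check(installer)` but the call passes `options`; confirm `options` is bound in this scope (the diff does not show where), otherwise this is a NameError at uninstall time. Placing the call before `api.Backend.ldap2.connect(autobind=True)` looks intentional, since the LDAP connection needs dirsrv up and kra.uninstall_check() is what may start it; a one-line comment saying so would keep a future reorder from silently breaking it.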
@@ -1165,6 +1167,10 @@ def uninstall(installer):
 
     rv = 0
 
+    # Uninstall the KRA prior to shutting the services down so it
+    # can un-register with the CA.
+    kra.uninstall()
+
     print("Shutting down all IPA services")
     try:
         services.knownservices.ipa.stop()
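Review bot: the comment says the KRA un-registers "with the CA", while the commit message says it unregisters from the security domain; align the wording. More importantly, kra.uninstall() now runs bare, outside any try block, before the services are stopped; if it raises, the service shutdown, CA and DNS uninstall below are all skipped. Consider wrapping it the same way as the stop() call that follows and setting rv, so a KRA unregistration failure degrades to a warning rather than aborting the whole uninstall.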
@@ -1177,8 +1183,6 @@ def uninstall(installer):
 
     restore_time_sync(sstore, fstore)
 
-    kra.uninstall()
-
     ca.uninstall()
 
     dns.uninstall()

From 4a684fff2895b092b671f37c6a1a0efaec681bde Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 26 Jan 2021 10:14:33 -0500
Subject: [PATCH 5/5] Temp commit

---
 .freeipa-pr-ci.yaml                        | 2 +-
 ipatests/prci_definitions/temp_commit.yaml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b634..80656690080 120000
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
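Review bot: this repoints the .freeipa-pr-ci.yaml symlink from gating.yaml to temp_commit.yaml, which is CI-only scaffolding; the "Temp commit" must be dropped (or the symlink restored) before merge, and the PR description should say so explicitly so it is not merged by accident.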
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index b297cd4e319..2494a8ea73c 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -68,7 +68,7 @@ jobs:
       class: RunPytest
       args:
         build_url: '{fedora-latest/build_url}'
-        test_suite: test_integration/test_REPLACEME.py
+        test_suite: test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA
         template: *ci-master-latest
-        timeout: 3600
-        topology: *master_1repl_1client
+        timeout: 7200
+        topology: *master_1repl
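Review bot: the timeout doubles to 7200 and the topology shrinks to *master_1repl while selecting a single test class; that is fine for a temporary run, but if TestBackupReinstallRestoreWithKRA genuinely needs two hours the permanent gating or nightly definition that runs it should carry the same timeout, otherwise the regression this PR fixes is only exercised in this throwaway job.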
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org