On 06/03/2013 02:58 PM, Martin Kosek wrote:
On 06/03/2013 02:43 PM, Tomas Babej wrote:
Hi,

this patch fixes the installation problems on master on F19 with krb5 packages
= 1.11.2-6
https://fedorahosted.org/freeipa/ticket/3666

Tomas
1) Leaving cache_desc open:

+        (cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+        os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and only close it at the end of the installation?
Can we close it right after tempfile.mkstemp? I think we do it this way in
other places in installation.

2) What about other installers where we handle Kerberos auth, like
ipa-{replica,dns,ca}-install?

A common function, other shared means, of handling KRB5CCNAME may be
appropriate to avoid duplicating code too much.

Martin
I moved the responsible code into a PrivateCCache class, both for readability and conciseness.

A private ccache is now used in the replica, dns and ca installers. I managed to reproduce the error only with dns-install, though (it fails on adding the service principal), but having a private ccache for the installer should not hurt.

Ipa-adtrust-install requires the admin ticket, so there shouldn't be an issue.

Tomas
From 199ade8c7f3eaae15dca3693a92600c635e61d57 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 3 Jun 2013 12:06:06 +0200
Subject: [PATCH] Use private ccache in ipa install tools

All installers that handle Kerberos auth, have been altered to use
private ccache, that is ipa-server-install, ipa-dns-install,
ipa-replica-install, ipa-ca-install.

https://fedorahosted.org/freeipa/ticket/3666
---
 install/tools/ipa-ca-install      | 13 +++++++------
 install/tools/ipa-dns-install     |  5 +++--
 install/tools/ipa-replica-install | 13 +++++++------
 install/tools/ipa-server-install  |  7 +++++--
 ipaserver/install/installutils.py | 16 ++++++++++++++++
 5 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 81c11834547c37b01c4749079284affd13bb10d7..0f889afac0165f56646778b74b6368fd28b313d8 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -28,9 +28,9 @@ from ipapython import services as ipaservices
 
 from ipaserver.install import installutils, service
 from ipaserver.install import certs
-from ipaserver.install.installutils import HostnameLocalhost
-from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info
-from ipaserver.install.installutils import get_host_name, BadHostError
+from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
+        expand_replica_info, read_replica_info, get_host_name, BadHostError,
+        PrivateCCache)
 from ipaserver.install import dsinstance, cainstance, bindinstance
 from ipaserver.install.replication import replica_conn_check
 from ipapython import version
@@ -212,9 +212,10 @@ Run /usr/sbin/ipa-server-install --uninstall to clean up.
 
 if __name__ == '__main__':
     try:
-        installutils.run_script(main, log_file_name=log_file_name,
-                operation_name='ipa-ca-install',
-                fail_message=fail_message)
+        with PrivateCCache():
+            installutils.run_script(main, log_file_name=log_file_name,
+                    operation_name='ipa-ca-install',
+                    fail_message=fail_message)
     finally:
         # always try to remove decrypted replica file
         try:
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index e12a0465ca2d09a6a8d25157a737f620f3ff4b1a..c8b0aa3b8f2728510b7419975c2d937bf9188ac3 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -258,5 +258,6 @@ def main():
     return 0
 
 if __name__ == '__main__':
-    installutils.run_script(main, log_file_name=log_file_name,
-        operation_name='ipa-dns-install')
+    with PrivateCCache():
+        installutils.run_script(main, log_file_name=log_file_name,
+            operation_name='ipa-dns-install')
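Review bot: `PrivateCCache` is used unqualified here, but this file's section adds no import for it, and the diffstat (5 changed lines) leaves no room for one. The same applies to the `with PrivateCCache():` added in ipa-server-install, whereas ipa-ca-install and ipa-replica-install import the name explicitly. Unless these two scripts already pull it in through a wildcard import from installutils (not visible in the patch), the block raises NameError before the installer starts. Since `installutils` is already in scope on the next line, `with installutils.PrivateCCache():` would make the dependency explicit.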
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index b194b85a201c2d842938d3251fa9179c57d0bd68..2ab67933257b6ec82b39372b20c1fe854d4a92f2 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -36,9 +36,9 @@ from ipaserver.install import dsinstance, installutils, krbinstance, service
 from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs
 from ipaserver.install import memcacheinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
-from ipaserver.install.installutils import HostnameLocalhost, resolve_host
-from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info
-from ipaserver.install.installutils import get_host_name, BadHostError
+from ipaserver.install.installutils import (HostnameLocalhost, resolve_host,
+        ReplicaConfig, expand_replica_info, read_replica_info ,get_host_name,
+        BadHostError, PrivateCCache)
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance
 from ipalib import api, errors, util
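Review bot: In the rewritten import list, `read_replica_info ,get_host_name` has the space on the wrong side of the comma; it should read `read_replica_info, get_host_name,`. The continuation lines could also be aligned with the opening parenthesis, the way the `run_script` arguments in ipa-server-install are aligned in this same patch.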
@@ -726,9 +726,10 @@ Run /usr/sbin/ipa-server-install --uninstall to clean up.
 
 if __name__ == '__main__':
     try:
-        installutils.run_script(main, log_file_name=log_file_name,
-                operation_name='ipa-replica-install',
-                fail_message=fail_message)
+        with PrivateCCache():
+            installutils.run_script(main, log_file_name=log_file_name,
+                    operation_name='ipa-replica-install',
+                    fail_message=fail_message)
     finally:
         # always try to remove decrypted replica file
         try:
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 62adbd5bc5183793f3371e46e276b9ad20077b84..8b480c5f431c3836479d5bc31b09c620211ef0a3 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1210,6 +1210,7 @@ def main():
 
 if __name__ == '__main__':
     success = False
+
     try:
         # FIXME: Common option parsing, logging setup, etc should be factored
         # out from all install scripts
@@ -1219,8 +1220,10 @@ if __name__ == '__main__':
         else:
             log_file_name = "/var/log/ipaserver-install.log"
 
-        installutils.run_script(main, log_file_name=log_file_name,
-            operation_name='ipa-server-install')
+        # Use private ccache
+        with PrivateCCache():
+            installutils.run_script(main, log_file_name=log_file_name,
+                                    operation_name='ipa-server-install')
         success = True
 
     finally:
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 5ed2689d75ab5b372a40031f03bab5000302752c..6a2015126f3f5c485ba5bb299239ea3bec4bfcf9 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -753,3 +753,19 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
                 (pkcs12_filename, e))
 
         return server_cert_name
+
+
+class PrivateCCache(object):
+
+    def __init__(self):
+        (self.desc, self.path) = tempfile.mkstemp(prefix='krbcc')
+        os.close(self.desc)
+
+    def __enter__(self):
+        os.environ['KRB5CCNAME'] = self.path
+        return self
+
+    def __exit__(self, type, value, traceback):
+        if os.path.exists(self.path):
+            os.remove(self.path)
+
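Review bot: `__exit__` removes the cache file but leaves `os.environ['KRB5CCNAME']` pointing at the removed path, and `__enter__` discards whatever value the caller had. Any Kerberos call made after the `with` block, in this process or a child that inherits the environment, would therefore use a stale name in the temp directory rather than the original ccache. Saving the previous value in `__enter__` and restoring or unsetting it in `__exit__` closes that gap. The class also has no docstring; one sentence saying that it points KRB5CCNAME at a fresh `mkstemp` file for the duration of the block would be enough. Two smaller points: `self.desc` keeps a descriptor number that is already closed, so a local variable would be safer, and whether `tempfile` is already imported in installutils.py is not visible in this hunk.

```python
    def __enter__(self):
        # Remember the caller's ccache so it can be put back on exit.
        self.original_value = os.environ.get('KRB5CCNAME')
        os.environ['KRB5CCNAME'] = self.path
        return self

    def __exit__(self, exc_type, exc_value, traceback):
        # Never leave KRB5CCNAME pointing at the file that is about to go away.
        if self.original_value is not None:
            os.environ['KRB5CCNAME'] = self.original_value
        else:
            os.environ.pop('KRB5CCNAME', None)
        # ... unchanged: removal of self.path ...
```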
-- 
1.8.1.4
