On 10/08/2014 09:29 AM, Jan Cholasta wrote:
Hi,

Dne 8.10.2014 v 09:09 David Kupka napsal(a):
https://fedorahosted.org/freeipa/ticket/4569

In renew_ca_cert and cainstance.py, dogtag should already be stopped in
the places you modified, so why the change?

I didn't notice that it is already stopped; fixed.

Also I don't think it's a good idea to back up CS.cfg when dogtag is
still running (in cainstance.py). If the file is being modified by
dogtag at the time it is backed up, the backup may be corrupted.

Fixed, thanks.

Honza


--
David Kupka
From 104dca26a87255be2b67652dd0f4c60b71e92e90 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in
 ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/tools/ipa-upgradeconfig | 15 +++++++++++----
 ipaserver/install/cainstance.py |  6 ++++--
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index ba4ac93998fa203719e058fdfe557f4f2a67a865..08ff9a224d92245ff2c5845e6c9df22a700df562 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore):
     if not installutils.get_directive(configured_constants.CS_CFG_PATH,
                                       'proxy.securePort', '=') and \
             os.path.exists(paths.PKI_SETUP_PROXY):
-        ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
+        # update proxy configuration with stopped dogtag to prevent corruption
+        # of CS.cfg
+        with installutils.stopped_service(
+                configured_constants.SERVICE_NAME,
+                configured_constants.PKI_INSTANCE_NAME):
+            ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
                      ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
         root_logger.debug('Proxy configuration updated')
     else:
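Review bot: The instance that gets stopped is chosen by `configured_constants.PKI_INSTANCE_NAME`, but the unchanged continuation line still passes a hard-coded `'-pki_instance_name=pki-ca'` to the `paths.PKI_SETUP_PROXY` command. If the two ever differ, the instance being reconfigured is not the one that was stopped, and CS.cfg can still be rewritten under a running dogtag. Deriving the argument from the same constant would keep them in step, e.g. `'-pki_instance_name=%s' % configured_constants.PKI_INSTANCE_NAME`. As a style point, that continuation line keeps its old indentation and no longer lines up with the call now nested in the `with`. The same applies to the matching `upgrade_pki` hunk in the second patch (f322136e), and the function body continues outside the hunk.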
@@ -821,9 +826,11 @@ def migrate_crl_publish_dir(ca):
                 root_logger.error('Cannot move CRL file to new directory: %s', e)
 
     try:
-        installutils.set_directive(caconfig.CS_CFG_PATH,
-            'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
-            publishdir, quotes=False, separator='=')
+        with installutils.stopped_service(caconfig.SERVICE_NAME,
+                caconfig.PKI_INSTANCE_NAME):
+            installutils.set_directive(caconfig.CS_CFG_PATH,
+                'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+                publishdir, quotes=False, separator='=')
     except OSError, e:
         root_logger.error('Cannot update CA configuration file "%s": %s',
                 caconfig.CS_CFG_PATH, e)
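Review bot: The `try` in `migrate_crl_publish_dir` now covers stopping and restarting dogtag as well as the `set_directive` write, yet the handler still catches only `OSError` and logs `Cannot update CA configuration file`. `stopped_service` is not visible here, so this is inferred: a failed stop or restart that raises some other exception type would propagate out of the upgrade, and one that raises `OSError` would be reported as a file-write problem while the CA may be left down. Consider handling the service failure separately with its own message, e.g. `root_logger.error('Cannot restart %s: %s', caconfig.SERVICE_NAME, e)`. The same applies to the matching hunk in the second patch (f322136e); the function starts outside the hunk.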
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 521f25d96693efe64b5859901bb3da9da79ee0ec..ac6dd828aa38e14c16e7bb7c7d1c397793222852 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1841,8 +1841,10 @@ def backup_config(dogtag_constants=None):
     if dogtag_constants is None:
         dogtag_constants = dogtag.configured_constants()
 
-    shutil.copy(dogtag_constants.CS_CFG_PATH,
-                dogtag_constants.CS_CFG_PATH + '.ipabkp')
+    with stopped_service(dogtag_constants.SERVICE_NAME,
+                         instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+        shutil.copy(dogtag_constants.CS_CFG_PATH,
+                    dogtag_constants.CS_CFG_PATH + '.ipabkp')
 
 def update_cert_config(nickname, cert, dogtag_constants=None):
     """
-- 
1.9.3

From f322136e5fd0bc1df5edf712c931c328dc5bdb5d Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in
 ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/tools/ipa-upgradeconfig | 15 +++++++++++----
 ipaserver/install/cainstance.py |  6 ++++--
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3914eb59066b515d33bebc19ca5afb4f50548bb2..abe3c077ccbaebf7317591eca19be99b686ae37d 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore):
     if not installutils.get_directive(configured_constants.CS_CFG_PATH,
                                       'proxy.securePort', '=') and \
             os.path.exists(paths.PKI_SETUP_PROXY):
-        ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
+        # update proxy configuration with stopped dogtag to prevent corruption
+        # of CS.cfg
+        with installutils.stopped_service(
+                configured_constants.SERVICE_NAME,
+                configured_constants.PKI_INSTANCE_NAME):
+            ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
                      ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
         root_logger.debug('Proxy configuration updated')
     else:
@@ -825,9 +830,11 @@ def migrate_crl_publish_dir(ca):
                 root_logger.error('Cannot move CRL file to new directory: %s', e)
 
     try:
-        installutils.set_directive(caconfig.CS_CFG_PATH,
-            'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
-            publishdir, quotes=False, separator='=')
+        with installutils.stopped_service(caconfig.SERVICE_NAME,
+                caconfig.PKI_INSTANCE_NAME):
+            installutils.set_directive(caconfig.CS_CFG_PATH,
+                'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+                publishdir, quotes=False, separator='=')
     except OSError, e:
         root_logger.error('Cannot update CA configuration file "%s": %s',
                 caconfig.CS_CFG_PATH, e)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3a296f58964f23f273044b91b02ffd43251f8b3b..2829faa7747e561ab01aeda84b79ff7e380c25b7 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1742,8 +1742,10 @@ def backup_config(dogtag_constants=None):
     if dogtag_constants is None:
         dogtag_constants = dogtag.configured_constants()
 
-    shutil.copy(dogtag_constants.CS_CFG_PATH,
-                dogtag_constants.CS_CFG_PATH + '.ipabkp')
+    with stopped_service(dogtag_constants.SERVICE_NAME,
+                         instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+        shutil.copy(dogtag_constants.CS_CFG_PATH,
+                    dogtag_constants.CS_CFG_PATH + '.ipabkp')
 
 def update_people_entry(dercert):
     """
-- 
1.9.3
