On 10/10/2014 03:24 PM, Jan Cholasta wrote:
Dne 8.10.2014 v 12:36 David Kupka napsal(a):
On 10/08/2014 09:29 AM, Jan Cholasta wrote:
Hi,
Dne 8.10.2014 v 09:09 David Kupka napsal(a):
https://fedorahosted.org/freeipa/ticket/4569
In renew_ca_cert and cainstance.py, dogtag should already be stopped in
the places you modified, so why the change?
I didn't noticed that it is already stopped, fixed.
Also I don't think it's a good idea to backup CS.cfg when dogtag is
still running (in cainstance.py). If the file is being modified by
dogtag at the time it is backed up, the backup may be corrupted.
Fixed, thanks.
CAInstance.backup_config should be called only when Dogtag is stopped as
well, you don't need to change it.
backup_config is callable from outside of cainstance.py so it's safer to
check that dogtag is stopped and stop it if necessary. When dogtag is
already stopped it won't do anything.
Honza
It would be better to stop and start dogtag only once in
ipa-upgradeconfig, not every time there is a modification to CS.cfg.
OK.
--
David Kupka
From 2332a404f9e53549ccadb925e8c3f267b4034175 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in
ipa-upgradeconfig.
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
---
install/tools/ipa-upgradeconfig | 46 ++++++++++++++++++++++-------------------
ipaserver/install/cainstance.py | 6 ++++--
2 files changed, 29 insertions(+), 23 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 82e7857d5dec8955935b948df34aab08bfa7f914..e064f38fc963d94c7775f2282402eaaddb682af4 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore):
if not installutils.get_directive(configured_constants.CS_CFG_PATH,
'proxy.securePort', '=') and \
os.path.exists(paths.PKI_SETUP_PROXY):
- ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
- ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+ # update proxy configuration with stopped dogtag to prevent corruption
+ # of CS.cfg
+ ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib',
+ '-pki_instance_name=pki-ca','-subsystem_type=ca'])
root_logger.debug('Proxy configuration updated')
else:
root_logger.debug('Proxy configuration up-to-date')
@@ -1082,28 +1084,30 @@ def main():
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
ca.backup_config()
- # migrate CRL publish dir before the location in ipa.conf is updated
- ca_restart = migrate_crl_publish_dir(ca)
+ with installutils.stopped_service(configured_constants.SERVICE_NAME,
+ configured_constants.PKI_INSTANCE_NAME):
+ # migrate CRL publish dir before the location in ipa.conf is updated
+ ca_restart = migrate_crl_publish_dir(ca)
- if ca.is_configured():
- crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
- 'ca.crl.MasterCRL.enableCRLUpdates',
- '=')
- sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
+ if ca.is_configured():
+ crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
+ 'ca.crl.MasterCRL.enableCRLUpdates', '=')
+ sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
- certmap_dir = dsinstance.config_dirname(
- dsinstance.realm_to_serverid(api.env.realm))
+ certmap_dir = dsinstance.config_dirname(
+ dsinstance.realm_to_serverid(api.env.realm))
+
+ upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
+ if subject_base:
+ upgrade(
+ sub_dict,
+ os.path.join(certmap_dir, "certmap.conf"),
+ os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
+ )
+ upgrade_pki(ca, fstore)
- upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
- if subject_base:
- upgrade(
- sub_dict,
- os.path.join(certmap_dir, "certmap.conf"),
- os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
- )
- upgrade_pki(ca, fstore)
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 978b98a58deb0752d0eab20f4813ac30f960e17a..b480cb737d8009cca02fd2040cda08770e71d81f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1825,8 +1825,10 @@ def backup_config(dogtag_constants=None):
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
- shutil.copy(dogtag_constants.CS_CFG_PATH,
- dogtag_constants.CS_CFG_PATH + '.ipabkp')
+ with stopped_service(dogtag_constants.SERVICE_NAME,
+ instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+ shutil.copy(dogtag_constants.CS_CFG_PATH,
+ dogtag_constants.CS_CFG_PATH + '.ipabkp')
def update_cert_config(nickname, cert, dogtag_constants=None):
"""
--
1.9.3
From 9d1198a4f5624df0bd3bfdc0df2ef0f4c0a9a65f Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in
ipa-upgradeconfig.
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
---
install/tools/ipa-upgradeconfig | 46 ++++++++++++++++++++++-------------------
ipaserver/install/cainstance.py | 6 ++++--
2 files changed, 29 insertions(+), 23 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index ba4ac93998fa203719e058fdfe557f4f2a67a865..82610f30ad6e76238e6483387b3433a4a0e7299b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore):
if not installutils.get_directive(configured_constants.CS_CFG_PATH,
'proxy.securePort', '=') and \
os.path.exists(paths.PKI_SETUP_PROXY):
- ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
- ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+ # update proxy configuration with stopped dogtag to prevent corruption
+ # of CS.cfg
+ ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib',
+ '-pki_instance_name=pki-ca','-subsystem_type=ca'])
root_logger.debug('Proxy configuration updated')
else:
root_logger.debug('Proxy configuration up-to-date')
@@ -1147,28 +1149,30 @@ def main():
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
ca.backup_config()
- # migrate CRL publish dir before the location in ipa.conf is updated
- ca_restart = migrate_crl_publish_dir(ca)
+ with installutils.stopped_service(configured_constants.SERVICE_NAME,
+ configured_constants.PKI_INSTANCE_NAME):
+ # migrate CRL publish dir before the location in ipa.conf is updated
+ ca_restart = migrate_crl_publish_dir(ca)
- if ca.is_configured():
- crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
- 'ca.crl.MasterCRL.enableCRLUpdates',
- '=')
- sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
+ if ca.is_configured():
+ crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
+ 'ca.crl.MasterCRL.enableCRLUpdates', '=')
+ sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
- ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
- ds_dirname = dsinstance.config_dirname(ds_serverid)
+ ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
+ ds_dirname = dsinstance.config_dirname(ds_serverid)
+
+ upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
+ if subject_base:
+ upgrade(
+ sub_dict,
+ os.path.join(ds_dirname, "certmap.conf"),
+ os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
+ )
+ upgrade_pki(ca, fstore)
- upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
- if subject_base:
- upgrade(
- sub_dict,
- os.path.join(ds_dirname, "certmap.conf"),
- os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
- )
- upgrade_pki(ca, fstore)
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ebc2d244839f24a6c83928639fa8d6aabd50a97c..243954f4b5cb39ae91bf739c45095b089dbd67d0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1861,8 +1861,10 @@ def backup_config(dogtag_constants=None):
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
- shutil.copy(dogtag_constants.CS_CFG_PATH,
- dogtag_constants.CS_CFG_PATH + '.ipabkp')
+ with stopped_service(dogtag_constants.SERVICE_NAME,
+ instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+ shutil.copy(dogtag_constants.CS_CFG_PATH,
+ dogtag_constants.CS_CFG_PATH + '.ipabkp')
def update_cert_config(nickname, cert, dogtag_constants=None):
"""
--
1.9.3
From 66bc57468a399b806f0905348255db3c1831ce41 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in
ipa-upgradeconfig.
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
---
install/tools/ipa-upgradeconfig | 46 ++++++++++++++++++++++-------------------
ipaserver/install/cainstance.py | 6 ++++--
2 files changed, 29 insertions(+), 23 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 339dcb9ec17afd7044920c57cc9708fdeb923c77..0678926dea88ae336eefa12eefaa4dfc06d808ef 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore):
if not installutils.get_directive(configured_constants.CS_CFG_PATH,
'proxy.securePort', '=') and \
os.path.exists(paths.PKI_SETUP_PROXY):
- ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
- ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+ # update proxy configuration with stopped dogtag to prevent corruption
+ # of CS.cfg
+ ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib',
+ '-pki_instance_name=pki-ca','-subsystem_type=ca'])
root_logger.debug('Proxy configuration updated')
else:
root_logger.debug('Proxy configuration up-to-date')
@@ -1087,28 +1089,30 @@ def main():
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
ca.backup_config()
- # migrate CRL publish dir before the location in ipa.conf is updated
- ca_restart = migrate_crl_publish_dir(ca)
+ with installutils.stopped_service(configured_constants.SERVICE_NAME,
+ configured_constants.PKI_INSTANCE_NAME):
+ # migrate CRL publish dir before the location in ipa.conf is updated
+ ca_restart = migrate_crl_publish_dir(ca)
- if ca.is_configured():
- crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
- 'ca.crl.MasterCRL.enableCRLUpdates',
- '=')
- sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
+ if ca.is_configured():
+ crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
+ 'ca.crl.MasterCRL.enableCRLUpdates', '=')
+ sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
- ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
- ds_dirname = dsinstance.config_dirname(ds_serverid)
+ ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
+ ds_dirname = dsinstance.config_dirname(ds_serverid)
+
+ upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
+ if subject_base:
+ upgrade(
+ sub_dict,
+ os.path.join(ds_dirname, "certmap.conf"),
+ os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
+ )
+ upgrade_pki(ca, fstore)
- upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
- if subject_base:
- upgrade(
- sub_dict,
- os.path.join(ds_dirname, "certmap.conf"),
- os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
- )
- upgrade_pki(ca, fstore)
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2c912206a37accfdf217c955755b82ed0d2056af..750730240194634b0fdf3a72a4a21ddafade7448 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1699,8 +1699,10 @@ def backup_config(dogtag_constants=None):
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
- shutil.copy(dogtag_constants.CS_CFG_PATH,
- dogtag_constants.CS_CFG_PATH + '.ipabkp')
+ with installutils.stopped_service(dogtag_constants.SERVICE_NAME,
+ instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+ shutil.copy(dogtag_constants.CS_CFG_PATH,
+ dogtag_constants.CS_CFG_PATH + '.ipabkp')
def update_people_entry(dercert):
"""
--
1.9.3
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
