Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
On 06/05/2013 01:23 PM, Tomas Babej wrote:
> On 06/04/2013 01:29 PM, Tomas Babej wrote:
>> On 06/03/2013 02:58 PM, Martin Kosek wrote:
>>> On 06/03/2013 02:43 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> this patch fixes the installation problems on master on F19 with krb5 packages >= 1.11.2-6
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3666
>>>>
>>>> Tomas
>>>
>>> 1) Leaving cache_desc open:
>>>
>>> +(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
>>> +os.environ['KRB5CCNAME'] = cache_path
>>>
>>> Why do we keep the descriptor open and close it at the end of the
>>> installation?
>>> Can we close it right after tempfile.mkstemp? I think we do it this way in
>>> other places in installation.
>>>
>>> 2) What about other installers where we handle Kerberos auth, like
>>> ipa-{replica,dns,ca}-install?
>>>
>>> A common function, other shared means, of handling KRB5CCNAME may be
>>> appropriate to avoid duplicating code too much.
>>>
>>> Martin
>>
>> I moved the code responsible to PrivateCCache class, both for readability and
>> conciseness.
>>
>> Private ccache now used in the replica, dns and ca installers. I managed to
>> reproduce the error only with dns-install though (fails on adding the service
>> principal), but having a private ccache for the installer should not hurt.
>>
>> Ipa-adtrust-install requires the admin ticket, so there shouldn't be an
>> issue.
>
> My reasoning was flawed here, ipa-adtrust-install attempts to re-kinit admin
> ticket, so it needs the private ccache as well.
>
> Sending one-liner fix.
>
> Tomas

As also discussed with Alexander on IRC, we do not want to have private ccache
for ipa-adtrust-install as we deliberately re-kinit admin user to add new
MS-PAC information to the ticket so that subsequent trust commands work. In
other install scripts, we want to have private ccache so that we don't mess
with user's default ccache.

This entire problem should go away when krb5 is fixed, see
https://bugzilla.redhat.com/show_bug.cgi?id=961235

Thus, your current fix for private ccaches is correct.

Thanks,
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
On 06/04/2013 01:29 PM, Tomas Babej wrote:
> On 06/03/2013 02:58 PM, Martin Kosek wrote:
>> On 06/03/2013 02:43 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> this patch fixes the installation problems on master on F19 with krb5 packages >= 1.11.2-6
>>>
>>> https://fedorahosted.org/freeipa/ticket/3666
>>>
>>> Tomas
>>
>> 1) Leaving cache_desc open:
>>
>> +(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
>> +os.environ['KRB5CCNAME'] = cache_path
>>
>> Why do we keep the descriptor open and close it at the end of the
>> installation?
>> Can we close it right after tempfile.mkstemp? I think we do it this way in
>> other places in installation.
>>
>> 2) What about other installers where we handle Kerberos auth, like
>> ipa-{replica,dns,ca}-install?
>>
>> A common function, other shared means, of handling KRB5CCNAME may be
>> appropriate to avoid duplicating code too much.
>>
>> Martin
>
> I moved the code responsible to PrivateCCache class, both for readability and
> conciseness.
>
> Private ccache now used in the replica, dns and ca installers. I managed to
> reproduce the error only with dns-install though (fails on adding the service
> principal), but having a private ccache for the installer should not hurt.
>
> Ipa-adtrust-install requires the admin ticket, so there shouldn't be an issue.

My reasoning was flawed here, ipa-adtrust-install attempts to re-kinit admin
ticket, so it needs the private ccache as well.

Sending one-liner fix.

Tomas

> Tomas

From 0177d6a7f14b87f42647376001e6ac580ca38e57 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Wed, 5 Jun 2013 13:17:19 +0200
Subject: [PATCH] Use private ccache in ipa-adtrust-install

The ipa-adtrust-install script attempts to automatically re-kinit admin user
ticket, hence it needs private ccache or the usage of the ipa-adtrust-install
with sudo/su will fail.

https://fedorahosted.org/freeipa/ticket/3666
---
install/tools/ipa-adtrust-install | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 5744c6f67aee5f55877d7ef1691e98dfdb8d8718..09831617de7daf03e876897eef1d99d9a1a4a8c6 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -405,5 +405,6 @@ information""" return 0 if __name__ == '__main__': -run_script(main, log_file_name=log_file_name, -operation_name='ipa-adtrust-install') +with private_ccache(): +run_script(main, log_file_name=log_file_name, + operation_name='ipa-adtrust-install') -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
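Review bot: The commit message says the script re-kinits the admin ticket but does not say where that ticket is meant to end up, and the hunk at `if __name__ == '__main__':` now puts the whole `run_script(...)` call inside `with private_ccache():`, so every credential obtained during the run goes to the private cache instead of the caller's. If the refreshed admin ticket is supposed to stay usable for commands run after the script exits, state that in the commit message and keep this script out of the wrapper; if not, say so explicitly. The diffstat shows this as the only hunk (3 insertions, 2 deletions) and it adds no import, so also confirm `private_ccache` is already in scope in this file.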
Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
On 06/05/2013 10:47 AM, Tomas Babej wrote:
> On 06/05/2013 10:07 AM, Petr Viktorin wrote:
>> On 06/05/2013 09:20 AM, Tomas Babej wrote:
>>> On 06/04/2013 06:09 PM, Petr Viktorin wrote:
>>>> On 06/04/2013 01:29 PM, Tomas Babej wrote:
>>>>> On 06/03/2013 02:58 PM, Martin Kosek wrote:
>>>>>> On 06/03/2013 02:43 PM, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> this patch fixes the installation problems on master on F19 with krb5 packages >= 1.11.2-6
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/3666
>>>>>>>
>>>>>>> Tomas
>>>>>>
>>>>>> 1) Leaving cache_desc open:
>>>>>>
>>>>>> +(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
>>>>>> +os.environ['KRB5CCNAME'] = cache_path
>>>>>>
>>>>>> Why do we keep the descriptor open and close it at the end of the
>>>>>> installation?
>>>>>> Can we close it right after tempfile.mkstemp? I think we do it this way in
>>>>>> other places in installation.
>>>>>>
>>>>>> 2) What about other installers where we handle Kerberos auth, like
>>>>>> ipa-{replica,dns,ca}-install?
>>>>>>
>>>>>> A common function, other shared means, of handling KRB5CCNAME may be
>>>>>> appropriate to avoid duplicating code too much.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> I moved the code responsible to PrivateCCache class, both for readability
>>>>> and conciseness.
>>>>>
>>>>> Private ccache now used in the replica, dns and ca installers. I managed to
>>>>> reproduce the error only with dns-install though (fails on adding the
>>>>> service principal), but having a private ccache for the installer should
>>>>> not hurt.
>>>>>
>>>>> Ipa-adtrust-install requires the admin ticket, so there shouldn't be an
>>>>> issue.
>>>>>
>>>>> Tomas
>>>>
>>>> Shouldn't the context manager restore os.environ['KRB5CCNAME'] on exit?
>>>
>>> There's no need to, since the value of the environment variable is inherited
>>> only into child processes (pkispawn, etc.). Hence the KRB5CCNAME environment
>>> variable is not available outside the install script.
>>
>> Yes, but what if you call a child process after the context manager exits?
>> I know that currently there is no code after the context manager exits, but
>> that's no reason to surprise people who will want to reuse it later. Context
>> managers are expected to clean up after themselves. If there's no way to do
>> this then you should at least document that this one is special. But in this
>> case it shouldn't be that hard to clean up.
>
> Not at all, I actually had the code there at some point, but removed it.
>
> Updated patch attached.
>
> Tomas

Thanks. ACK, pushed to master, ipa-3-2.

master: 6f51f92138ff12eff732bf028751dcfa8ef9b442
ipa-3-2: 4ec1de1a65f1fabe7f5b26b4c4487deec5cea0cf

--
Petr³
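The behaviour the reviewers ask for in this thread (close the descriptor right after mkstemp, restore KRB5CCNAME on exit, use @contextlib.contextmanager), written out as an added example. It is not part of any message above and is not FreeIPA's private_ccache; the names scoped_private_ccache, child_ccname and demo, and the FILE:/tmp/krb5cc_constructed value, are made up for illustration.

```python
import contextlib
import os
import subprocess
import sys
import tempfile


@contextlib.contextmanager
def scoped_private_ccache(prefix="krbcc"):
    """Point KRB5CCNAME at a fresh private file for the duration of the block.

    Hypothetical helper for this example; not FreeIPA's private_ccache().
    """
    saved = os.environ.get("KRB5CCNAME")        # None when the variable is unset
    fd, path = tempfile.mkstemp(prefix=prefix)  # file is created owner-only
    os.close(fd)                                # only the path is needed
    os.environ["KRB5CCNAME"] = path
    try:
        yield path
    finally:
        # Restore the caller's value, including the "was not set" case, so
        # child processes started later do not inherit a dangling path.
        if saved is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = saved
        # Tolerate the file having been removed already.
        with contextlib.suppress(FileNotFoundError):
            os.remove(path)


def child_ccname():
    """Return the KRB5CCNAME value a newly spawned child process inherits."""
    code = "import os; print(os.environ.get('KRB5CCNAME', ''))"
    return subprocess.check_output([sys.executable, "-c", code]).decode().strip()


def demo(initial, fail=False):
    """Run one scenario; `initial` is a constructed starting value or None."""
    if initial is None:
        os.environ.pop("KRB5CCNAME", None)
    else:
        os.environ["KRB5CCNAME"] = initial
    seen = {}
    try:
        with scoped_private_ccache() as path:
            seen["path"] = path
            seen["inside"] = child_ccname()
            seen["group_other_bits"] = os.stat(path).st_mode & 0o077
            if fail:
                raise RuntimeError("constructed installer failure")
    except RuntimeError:
        pass
    # A child started after the block is the case raised in the review.
    seen["after"] = child_ccname()
    seen["file_removed"] = not os.path.exists(seen["path"])
    return seen


if __name__ == "__main__":
    for start in (None, "FILE:/tmp/krb5cc_constructed"):
        for fail in (False, True):
            print(start, fail, demo(start, fail))
```
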
Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
On 06/05/2013 10:07 AM, Petr Viktorin wrote:
> On 06/05/2013 09:20 AM, Tomas Babej wrote:
>> On 06/04/2013 06:09 PM, Petr Viktorin wrote:
>>> On 06/04/2013 01:29 PM, Tomas Babej wrote:
>>>> On 06/03/2013 02:58 PM, Martin Kosek wrote:
>>>>> On 06/03/2013 02:43 PM, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> this patch fixes the installation problems on master on F19 with krb5 packages >= 1.11.2-6
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3666
>>>>>>
>>>>>> Tomas
>>>>>
>>>>> 1) Leaving cache_desc open:
>>>>>
>>>>> +(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
>>>>> +os.environ['KRB5CCNAME'] = cache_path
>>>>>
>>>>> Why do we keep the descriptor open and close it at the end of the
>>>>> installation?
>>>>> Can we close it right after tempfile.mkstemp? I think we do it this way in
>>>>> other places in installation.
>>>>>
>>>>> 2) What about other installers where we handle Kerberos auth, like
>>>>> ipa-{replica,dns,ca}-install?
>>>>>
>>>>> A common function, other shared means, of handling KRB5CCNAME may be
>>>>> appropriate to avoid duplicating code too much.
>>>>>
>>>>> Martin
>>>>
>>>> I moved the code responsible to PrivateCCache class, both for readability
>>>> and conciseness.
>>>>
>>>> Private ccache now used in the replica, dns and ca installers. I managed to
>>>> reproduce the error only with dns-install though (fails on adding the
>>>> service principal), but having a private ccache for the installer should
>>>> not hurt.
>>>>
>>>> Ipa-adtrust-install requires the admin ticket, so there shouldn't be an
>>>> issue.
>>>>
>>>> Tomas
>>>
>>> Shouldn't the context manager restore os.environ['KRB5CCNAME'] on exit?
>>
>> There's no need to, since the value of the environment variable is inherited
>> only into child processes (pkispawn, etc.). Hence the KRB5CCNAME environment
>> variable is not available outside the install script.
>
> Yes, but what if you call a child process after the context manager exits?
> I know that currently there is no code after the context manager exits, but
> that's no reason to surprise people who will want to reuse it later. Context
> managers are expected to clean up after themselves. If there's no way to do
> this then you should at least document that this one is special. But in this
> case it shouldn't be that hard to clean up.

Not at all, I actually had the code there at some point, but removed it.

Updated patch attached.

Tomas

>> [root@vm-002 labtool]# ipa-server-install
>> [snip]
>> Be sure to back up the CA certificate stored in /root/cacert.p12
>> This file is required to create replicas. The password for this file
>> is the Directory Manager password
>> [root@vm-002 labtool]# echo $KRB5CCNAME
>>
>> [root@vm-002 labtool]#
>
>>> Two nitpicks:
>>>
>>> ipaserver/install/installutils.py: new blank line at EOF
>>>
>>> For most context managers I prefer @contextlib.contextmanager rather than
>>> writing out the class, it makes them shorter and easier to read
>>
>> Addressed in the updated patch.
>>
>> Tomas

From 24ea3e0f7b717eff0928bf7bbe783328a12d4107 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Mon, 3 Jun 2013 12:06:06 +0200
Subject: [PATCH] Use private ccache in ipa install tools

All installers that handle Kerberos auth, have been altered to use private
ccache, that is ipa-server-install, ipa-dns-install, ipa-replica-install,
ipa-ca-install.

https://fedorahosted.org/freeipa/ticket/3666
---
install/tools/ipa-ca-install | 13 +++--
install/tools/ipa-dns-install | 5 +++--
install/tools/ipa-replica-install | 13 +++--
install/tools/ipa-server-install | 7 +--
ipaserver/install/installutils.py | 22 ++
5 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 81c11834547c37b01c4749079284affd13bb10d7..3b7e9d206e35e68aef7af64172d34a2ee9f25342 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install
@@ -28,9 +28,9 @@ from ipapython import services as ipaservices from ipaserver.install import installutils, service from ipaserver.install import certs -from ipaserver.install.installutils import HostnameLocalhost -from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info -from ipaserver.install.installutils import get_host_name, BadHostError +from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig, +expand_replica_info, read_replica_info, get_host_name, BadHostError, +private_ccache) from ipaserver.install import dsinstance, cainstance, bindinstance from ipaserver.install.replication import replica_conn_check from ipapython import version @@ -212,9 +212,10 @@ Run /usr/sbin/ipa-server-install --uninstall to clean up. if __name__ == '__main__': try: -installutils.run_script(main, log_file_name=log_file_name, -operation_name='ipa-ca-install', -fail_message=fail_message) +with private_ccache(): +installutils.run_script(main, log_file_name=log_file_name, +operation_name='ipa-ca-install', +fail_message=fail_message) finally: # always try to remove decrypted replica
Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
On 06/05/2013 09:20 AM, Tomas Babej wrote:
> On 06/04/2013 06:09 PM, Petr Viktorin wrote:
>> On 06/04/2013 01:29 PM, Tomas Babej wrote:
>>> On 06/03/2013 02:58 PM, Martin Kosek wrote:
>>>> On 06/03/2013 02:43 PM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> this patch fixes the installation problems on master on F19 with krb5 packages >= 1.11.2-6
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3666
>>>>>
>>>>> Tomas
>>>>
>>>> 1) Leaving cache_desc open:
>>>>
>>>> +(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
>>>> +os.environ['KRB5CCNAME'] = cache_path
>>>>
>>>> Why do we keep the descriptor open and close it at the end of the
>>>> installation?
>>>> Can we close it right after tempfile.mkstemp? I think we do it this way in
>>>> other places in installation.
>>>>
>>>> 2) What about other installers where we handle Kerberos auth, like
>>>> ipa-{replica,dns,ca}-install?
>>>>
>>>> A common function, other shared means, of handling KRB5CCNAME may be
>>>> appropriate to avoid duplicating code too much.
>>>>
>>>> Martin
>>>
>>> I moved the code responsible to PrivateCCache class, both for readability
>>> and conciseness.
>>>
>>> Private ccache now used in the replica, dns and ca installers. I managed to
>>> reproduce the error only with dns-install though (fails on adding the
>>> service principal), but having a private ccache for the installer should
>>> not hurt.
>>>
>>> Ipa-adtrust-install requires the admin ticket, so there shouldn't be an
>>> issue.
>>>
>>> Tomas
>>
>> Shouldn't the context manager restore os.environ['KRB5CCNAME'] on exit?
>
> There's no need to, since the value of the environment variable is inherited
> only into child processes (pkispawn, etc.). Hence the KRB5CCNAME environment
> variable is not available outside the install script.

Yes, but what if you call a child process after the context manager exits?
I know that currently there is no code after the context manager exits, but
that's no reason to surprise people who will want to reuse it later. Context
managers are expected to clean up after themselves. If there's no way to do
this then you should at least document that this one is special. But in this
case it shouldn't be that hard to clean up.

> [root@vm-002 labtool]# ipa-server-install
> [snip]
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this file
> is the Directory Manager password
> [root@vm-002 labtool]# echo $KRB5CCNAME
>
> [root@vm-002 labtool]#
>
>> Two nitpicks:
>>
>> ipaserver/install/installutils.py: new blank line at EOF
>>
>> For most context managers I prefer @contextlib.contextmanager rather than
>> writing out the class, it makes them shorter and easier to read
>
> Addressed in the updated patch.
>
> Tomas

--
Petr³
Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
On 06/04/2013 06:09 PM, Petr Viktorin wrote:
> On 06/04/2013 01:29 PM, Tomas Babej wrote:
>> On 06/03/2013 02:58 PM, Martin Kosek wrote:
>>> On 06/03/2013 02:43 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> this patch fixes the installation problems on master on F19 with krb5 packages >= 1.11.2-6
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3666
>>>>
>>>> Tomas
>>>
>>> 1) Leaving cache_desc open:
>>>
>>> +(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
>>> +os.environ['KRB5CCNAME'] = cache_path
>>>
>>> Why do we keep the descriptor open and close it at the end of the
>>> installation?
>>> Can we close it right after tempfile.mkstemp? I think we do it this way in
>>> other places in installation.
>>>
>>> 2) What about other installers where we handle Kerberos auth, like
>>> ipa-{replica,dns,ca}-install?
>>>
>>> A common function, other shared means, of handling KRB5CCNAME may be
>>> appropriate to avoid duplicating code too much.
>>>
>>> Martin
>>
>> I moved the code responsible to PrivateCCache class, both for readability and
>> conciseness.
>>
>> Private ccache now used in the replica, dns and ca installers. I managed to
>> reproduce the error only with dns-install though (fails on adding the service
>> principal), but having a private ccache for the installer should not hurt.
>>
>> Ipa-adtrust-install requires the admin ticket, so there shouldn't be an
>> issue.
>>
>> Tomas
>
> Shouldn't the context manager restore os.environ['KRB5CCNAME'] on exit?

There's no need to, since the value of the environment variable is inherited
only into child processes (pkispawn, etc.). Hence the KRB5CCNAME environment
variable is not available outside the install script.

[root@vm-002 labtool]# ipa-server-install
[snip]
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas.
The password for this file is the Directory Manager password [root@vm-002 labtool]# echo $KRB5CCNAME [root@vm-002 labtool]# Two nitpicks: ipaserver/install/installutils.py: new blank line at EOF For most context managers I prefer @contextlib.contextmanager rather than writing out the class, it makes them shorter and easier to read Addressed in the updated patch. Tomas From 1e8fac58c0af6626129ba8934d5d4ed6e29698f2 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 3 Jun 2013 12:06:06 +0200 Subject: [PATCH] Use private ccache in ipa install tools All installers that handle Kerberos auth, have been altered to use private ccache, that is ipa-server-install, ipa-dns-install, ipa-replica-install, ipa-ca-install. https://fedorahosted.org/freeipa/ticket/3666 --- install/tools/ipa-ca-install | 13 +++-- install/tools/ipa-dns-install | 5 +++-- install/tools/ipa-replica-install | 13 +++-- install/tools/ipa-server-install | 7 +-- ipaserver/install/installutils.py | 14 ++ 5 files changed, 36 insertions(+), 16 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 81c11834547c37b01c4749079284affd13bb10d7..fcc8240583402eabb80a6bc701ae05d46adf0f60 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -28,9 +28,9 @@ from ipapython import services as ipaservices from ipaserver.install import installutils, service from ipaserver.install import certs -from ipaserver.install.installutils import HostnameLocalhost -from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info -from ipaserver.install.installutils import get_host_name, BadHostError +from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig, +expand_replica_info, read_replica_info, get_host_name, BadHostError, +privateCCache) from ipaserver.install import dsinstance, cainstance, bindinstance from ipaserver.install.replication import replica_conn_check from ipapython import version 
@@ -212,9 +212,10 @@ Run /usr/sbin/ipa-server-install --uninstall to clean up. if __name__ == '__main__': try: -installutils.run_script(main, log_file_name=log_file_name, -operation_name='ipa-ca-install', -fail_message=fail_message) +with privateCCache(): +installutils.run_script(main, log_file_name=log_file_name, +operation_name='ipa-ca-install', +fail_message=fail_message) finally: # always try to remove decrypted replica file try: diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index e12a0465ca2d09a6a8d25157a737f620f3ff4b1a..8321ca1161229bdb1462b4dff380bf7f0d4af3bf 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -258,5 +258,6 @@ def main(): return 0 if __name__ == '__main__': -installutils.run_script(main, log_file_name=log_file_name, -operation_name='ipa-dns-install') +with privateCCache(): +installutils.run_script(main, log_file_name=log_file_name, +operation_name='ipa-dns-install') diff --git a/install/tools/ipa-replica-install b/install/tools/ip
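Review bot: `privateCCache`, added to the import list and used in `with privateCCache():` in both the ipa-ca-install and ipa-dns-install hunks, follows neither naming style already present in that same import: the classes are CapWords (`HostnameLocalhost`, `ReplicaConfig`) and the functions are snake_case (`expand_replica_info`, `read_replica_info`, `get_host_name`). Since the helper is now called like a function, rename it to `private_ccache` so call sites read consistently.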
Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
On 06/04/2013 01:29 PM, Tomas Babej wrote:
> On 06/03/2013 02:58 PM, Martin Kosek wrote:
>> On 06/03/2013 02:43 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> this patch fixes the installation problems on master on F19 with krb5 packages >= 1.11.2-6
>>>
>>> https://fedorahosted.org/freeipa/ticket/3666
>>>
>>> Tomas
>>
>> 1) Leaving cache_desc open:
>>
>> +(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
>> +os.environ['KRB5CCNAME'] = cache_path
>>
>> Why do we keep the descriptor open and close it at the end of the
>> installation?
>> Can we close it right after tempfile.mkstemp? I think we do it this way in
>> other places in installation.
>>
>> 2) What about other installers where we handle Kerberos auth, like
>> ipa-{replica,dns,ca}-install?
>>
>> A common function, other shared means, of handling KRB5CCNAME may be
>> appropriate to avoid duplicating code too much.
>>
>> Martin
>
> I moved the code responsible to PrivateCCache class, both for readability and
> conciseness.
>
> Private ccache now used in the replica, dns and ca installers. I managed to
> reproduce the error only with dns-install though (fails on adding the service
> principal), but having a private ccache for the installer should not hurt.
>
> Ipa-adtrust-install requires the admin ticket, so there shouldn't be an issue.
>
> Tomas

Shouldn't the context manager restore os.environ['KRB5CCNAME'] on exit?

Two nitpicks:

ipaserver/install/installutils.py: new blank line at EOF

For most context managers I prefer @contextlib.contextmanager rather than
writing out the class, it makes them shorter and easier to read.

--
Petr³
Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
On 06/03/2013 02:58 PM, Martin Kosek wrote:
> On 06/03/2013 02:43 PM, Tomas Babej wrote:
>> Hi,
>>
>> this patch fixes the installation problems on master on F19 with krb5 packages >= 1.11.2-6
>>
>> https://fedorahosted.org/freeipa/ticket/3666
>>
>> Tomas
>
> 1) Leaving cache_desc open:
>
> +(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
> +os.environ['KRB5CCNAME'] = cache_path
>
> Why do we keep the descriptor open and close it at the end of the
> installation?
> Can we close it right after tempfile.mkstemp? I think we do it this way in
> other places in installation.
>
> 2) What about other installers where we handle Kerberos auth, like
> ipa-{replica,dns,ca}-install?
>
> A common function, other shared means, of handling KRB5CCNAME may be
> appropriate to avoid duplicating code too much.
>
> Martin

I moved the code responsible to PrivateCCache class, both for readability and
conciseness.

Private ccache now used in the replica, dns and ca installers. I managed to
reproduce the error only with dns-install though (fails on adding the service
principal), but having a private ccache for the installer should not hurt.

Ipa-adtrust-install requires the admin ticket, so there shouldn't be an issue.

Tomas

From 199ade8c7f3eaae15dca3693a92600c635e61d57 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Mon, 3 Jun 2013 12:06:06 +0200
Subject: [PATCH] Use private ccache in ipa install tools

All installers that handle Kerberos auth, have been altered to use private
ccache, that is ipa-server-install, ipa-dns-install, ipa-replica-install,
ipa-ca-install.

https://fedorahosted.org/freeipa/ticket/3666
---
install/tools/ipa-ca-install | 13 +++--
install/tools/ipa-dns-install | 5 +++--
install/tools/ipa-replica-install | 13 +++--
install/tools/ipa-server-install | 7 +--
ipaserver/install/installutils.py | 16
5 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 81c11834547c37b01c4749079284affd13bb10d7..0f889afac0165f56646778b74b6368fd28b313d8 100755
--- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -28,9 +28,9 @@ from ipapython import services as ipaservices from ipaserver.install import installutils, service from ipaserver.install import certs -from ipaserver.install.installutils import HostnameLocalhost -from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info -from ipaserver.install.installutils import get_host_name, BadHostError +from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig, +expand_replica_info, read_replica_info, get_host_name, BadHostError, +PrivateCCache) from ipaserver.install import dsinstance, cainstance, bindinstance from ipaserver.install.replication import replica_conn_check from ipapython import version @@ -212,9 +212,10 @@ Run /usr/sbin/ipa-server-install --uninstall to clean up. if __name__ == '__main__': try: -installutils.run_script(main, log_file_name=log_file_name, -operation_name='ipa-ca-install', -fail_message=fail_message) +with PrivateCCache(): +installutils.run_script(main, log_file_name=log_file_name, +operation_name='ipa-ca-install', +fail_message=fail_message) finally: # always try to remove decrypted replica file try: diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index e12a0465ca2d09a6a8d25157a737f620f3ff4b1a..c8b0aa3b8f2728510b7419975c2d937bf9188ac3 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -258,5 +258,6 @@ def main(): return 0 if __name__ == '__main__': -installutils.run_script(main, log_file_name=log_file_name, -operation_name='ipa-dns-install') +with PrivateCCache(): +installutils.run_script(main, log_file_name=log_file_name, +operation_name='ipa-dns-install') diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index b194b85a201c2d842938d3251fa9179c57d0bd68..2ab67933257b6ec82b39372b20c1fe854d4a92f2 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install 
@@ -36,9 +36,9 @@ from ipaserver.install import dsinstance, installutils, krbinstance, service from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs from ipaserver.install import memcacheinstance from ipaserver.install.replication import replica_conn_check, ReplicationManager -from ipaserver.install.installutils import HostnameLocalhost, resolve_host -from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info -from ipaserver.install.installutils import get_host_name, BadHostError +from ipaserver.install.installutils import (HostnameLocalhost, resolve_host, +ReplicaConfig, expand_replica_info, read_replica_info ,get_host_name, +
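Review bot: In the ipa-dns-install hunk (`@@ -258,5 +258,6 @@`), `with PrivateCCache():` is used unqualified, yet the diffstat gives that file only 3 insertions and 2 deletions, which is exactly this one hunk, so no import line is added there. The call right below it is `installutils.run_script(...)`, which suggests the module is imported as a namespace rather than name by name. Either add `PrivateCCache` to the file's imports the way the ipa-ca-install hunk does, or write `installutils.PrivateCCache()`, and run the script once to rule out a NameError at startup.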
Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
On 06/03/2013 02:43 PM, Tomas Babej wrote:
> Hi,
>
> this patch fixes the installation problems on master on F19 with krb5 packages >= 1.11.2-6
>
> https://fedorahosted.org/freeipa/ticket/3666
>
> Tomas

1) Leaving cache_desc open:

+(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and close it at the end of the installation?
Can we close it right after tempfile.mkstemp? I think we do it this way in
other places in installation.

2) What about other installers where we handle Kerberos auth, like
ipa-{replica,dns,ca}-install?

A common function, other shared means, of handling KRB5CCNAME may be
appropriate to avoid duplicating code too much.

Martin
[Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
Hi, this patch fixes the installation problems on master on F19 with krb5 packages >= 1.11.2-6 https://fedorahosted.org/freeipa/ticket/3666 Tomas From f3e6b38bee50bf5856ae04bfb6ccd109b636f037 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 3 Jun 2013 12:06:06 +0200 Subject: [PATCH] Use private ccache in ipa-server-install https://fedorahosted.org/freeipa/ticket/3666 --- install/tools/ipa-server-install | 10 ++ 1 file changed, 10 insertions(+) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 62adbd5bc5183793f3371e46e276b9ad20077b84..db29ac3a79228ae44435630e2ad9fb6bd1145ada 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -1210,6 +1210,7 @@ def main(): if __name__ == '__main__': success = False + try: # FIXME: Common option parsing, logging setup, etc should be factored # out from all install scripts @@ -1219,11 +1220,20 @@ if __name__ == '__main__': else: log_file_name = "/var/log/ipaserver-install.log" +# Use private ccache +(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc') +os.environ['KRB5CCNAME'] = cache_path + installutils.run_script(main, log_file_name=log_file_name, operation_name='ipa-server-install') success = True finally: +# Remove private ccache +os.close(cache_desc) +if os.path.exists(cache_path): +os.remove(cache_path) + if not success and installation_cleanup: # Do a cautious clean up as we don't know what failed and what is # the state of the environment -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
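Review bot: In the `finally:` hunk, `os.close(cache_desc)` and the `cache_path` check run unconditionally, but both names are only bound partway through the `try:` body, after the option parsing and log-file setup shown above the `# Use private ccache` lines. If anything in that earlier part raises, the cleanup hits a NameError that hides the original failure. Create the cache before the `try:`, or initialise both names to None and guard the cleanup. The descriptor is never used between `mkstemp` and the cleanup, so it can be closed immediately after creation, and the hunk leaves `KRB5CCNAME` pointing at the removed file once the block is done.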