Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install

2013-06-05 Thread Martin Kosek
On 06/05/2013 01:23 PM, Tomas Babej wrote:
> On 06/04/2013 01:29 PM, Tomas Babej wrote:
>> On 06/03/2013 02:58 PM, Martin Kosek wrote:
>>> On 06/03/2013 02:43 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> this patch fixes the installation problems on master on F19 with krb5
>>>> packages >= 1.11.2-6
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3666
>>>>
>>>> Tomas
>>> 1) Leaving cache_desc open:
>>>
>>> +(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
>>> +os.environ['KRB5CCNAME'] = cache_path
>>>
>>> Why do we keep the descriptor open and close it at the end of the
>>> installation?
>>> Can we close it right after tempfile.mkstemp? I think we do it this way in
>>> other places in installation.
>>>
>>> 2) What about other installers where we handle Kerberos auth, like
>>> ipa-{replica,dns,ca}-install?
>>>
>>> A common function, other shared means, of handling KRB5CCNAME may be
>>> appropriate to avoid duplicating code too much.
>>>
>>> Martin
>> I moved the code responsible to PrivateCCache class, both for readability and
>> conciseness.
>>
>> Private ccache is now used in the replica, dns and ca installers. I managed to
>> reproduce the error only with
>> dns-install though (fails on adding the service principal), but having a
>> private ccache for the installer should not hurt.
>>
>> Ipa-adtrust-install requires the admin ticket, so there shouldn't be an 
>> issue.
> 
> My reasoning was flawed here, ipa-adtrust-install attempts to re-kinit admin
> ticket, so it needs the private ccache as well.
> 
> Sending one-liner fix.
> 
> Tomas


As also discussed with Alexander on IRC, we do not want to have private ccache
for ipa-adtrust-install as we deliberately re-kinit admin user to add new
MS-PAC information to the ticket so that subsequent trust commands work. In
other install scripts, we want to have private ccache so that we don't mess
with user's default ccache.

This entire problem should go away when krb5 is fixed, see
https://bugzilla.redhat.com/show_bug.cgi?id=961235

Thus, your current fix for private ccaches is correct.

Thanks,
Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install

2013-06-05 Thread Tomas Babej

On 06/04/2013 01:29 PM, Tomas Babej wrote:

On 06/03/2013 02:58 PM, Martin Kosek wrote:

On 06/03/2013 02:43 PM, Tomas Babej wrote:

Hi,

this patch fixes the installation problems on master on F19 with
krb5 packages >= 1.11.2-6

https://fedorahosted.org/freeipa/ticket/3666

Tomas

1) Leaving cache_desc open:

+(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and close it at the end of the
installation?
Can we close it right after tempfile.mkstemp? I think we do it this way in
other places in installation.

2) What about other installers where we handle Kerberos auth, like
ipa-{replica,dns,ca}-install?

A common function, other shared means, of handling KRB5CCNAME may be
appropriate to avoid duplicating code too much.

Martin
I moved the code responsible to PrivateCCache class, both for 
readability and conciseness.


Private ccache is now used in the replica, dns and ca installers. I
managed to reproduce the error only with
dns-install though (fails on adding the service principal), but having
a private ccache for the installer should not hurt.


Ipa-adtrust-install requires the admin ticket, so there shouldn't be 
an issue.


My reasoning was flawed here, ipa-adtrust-install attempts to re-kinit 
admin ticket, so it needs the private ccache as well.


Sending one-liner fix.

Tomas



Tomas


From 0177d6a7f14b87f42647376001e6ac580ca38e57 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 5 Jun 2013 13:17:19 +0200
Subject: [PATCH] Use private ccache in ipa-adtrust-install

The ipa-adtrust-install script attempts to automatically re-kinit
admin user ticket, hence it needs private ccache or the usage
of the ipa-adtrust-install with sudo/su will fail.

https://fedorahosted.org/freeipa/ticket/3666
---
 install/tools/ipa-adtrust-install | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5744c6f67aee5f55877d7ef1691e98dfdb8d8718..09831617de7daf03e876897eef1d99d9a1a4a8c6 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -405,5 +405,6 @@ information"""
 return 0
 
 if __name__ == '__main__':
-run_script(main, log_file_name=log_file_name,
-operation_name='ipa-adtrust-install')
+with private_ccache():
+run_script(main, log_file_name=log_file_name,
+   operation_name='ipa-adtrust-install')
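
Review bot: wrapping `run_script(main, ...)` in `private_ccache()` at the `if __name__ == '__main__':` block means the admin ticket this script re-kinits is written to the private cache, not to the caller's ccache. Martin's reply in this thread says that re-kinit is deliberate, so that the ticket picks up MS-PAC information for subsequent trust commands, which argues for dropping this change. If it stays, note that the diff adds no import for `private_ccache` (the diffstat covers only these lines), so the name has to come from an import the script already has.
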
-- 
1.8.1.4


Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install

2013-06-05 Thread Petr Viktorin

On 06/05/2013 10:47 AM, Tomas Babej wrote:

On 06/05/2013 10:07 AM, Petr Viktorin wrote:

On 06/05/2013 09:20 AM, Tomas Babej wrote:

On 06/04/2013 06:09 PM, Petr Viktorin wrote:

On 06/04/2013 01:29 PM, Tomas Babej wrote:

On 06/03/2013 02:58 PM, Martin Kosek wrote:

On 06/03/2013 02:43 PM, Tomas Babej wrote:

Hi,

this patch fixes the installation problems on master on F19 with
krb5 packages >= 1.11.2-6

https://fedorahosted.org/freeipa/ticket/3666

Tomas

1) Leaving cache_desc open:

+(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and close it at the end of the
installation?
Can we close it right after tempfile.mkstemp? I think we do it this way in
other places in installation.

2) What about other installers where we handle Kerberos auth, like
ipa-{replica,dns,ca}-install?

A common function, other shared means, of handling KRB5CCNAME may be
appropriate to avoid duplicating code too much.

Martin

I moved the code responsible to PrivateCCache class, both for
readability and conciseness.

Private ccache is now used in the replica, dns and ca installers. I managed
to reproduce the error only with
dns-install though (fails on adding the service principal), but having a
private ccache for the installer should not hurt.

Ipa-adtrust-install requires the admin ticket, so there shouldn't be an
issue.

Tomas


Shouldn't the context manager restore os.environ['KRB5CCNAME'] on exit?


There's no need to, since the value of the environment variable is
inherited only into child processes (pkispawn, etc.). Hence the KRB5CCNAME
environment variable is not available outside the install script.


Yes, but what if you call a child process after the context manager
exits?
I know that currently there is no code after the context manager
exits, but that's no reason to surprise people who will want to reuse
it later.

Context managers are expected to clean up after themselves. If there's
no way to do this then you should at least document that this one is
special. But in this case it shouldn't be that hard to clean up.


Not at all, I actually had the code there at some point, but removed it.

Updated patch attached.

Tomas



Thanks. ACK, pushed to master, ipa-3-2.

master: 6f51f92138ff12eff732bf028751dcfa8ef9b442
ipa-3-2: 4ec1de1a65f1fabe7f5b26b4c4487deec5cea0cf

--
Petr³
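
A context manager with the behaviour this thread converges on (descriptor closed right after mkstemp, KRB5CCNAME restored on exit, written with @contextlib.contextmanager), as an added Python 3 example. It is not the code from the patch or from FreeIPA's installutils.py; the function body, `child_ccname`, `demo` and the sample ccache name are assumptions made for illustration.

```python
import contextlib
import os
import subprocess
import sys
import tempfile


@contextlib.contextmanager
def private_ccache(prefix="krbcc"):
    """Point KRB5CCNAME at a throwaway ccache file for the duration of the block.

    Added illustration: the name follows the thread, the body is an assumption.
    """
    # mkstemp creates the file readable and writable by the owner only and
    # returns an open descriptor. Kerberos tools open the cache by path, so
    # the descriptor can be closed immediately (Martin's first review point).
    fd, path = tempfile.mkstemp(prefix=prefix)
    os.close(fd)

    # Record whether the variable existed, so "unset" is restored as "unset".
    was_set = "KRB5CCNAME" in os.environ
    previous = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = path
    try:
        yield path
    finally:
        # Restore the caller's view first, then drop the private cache.
        if was_set:
            os.environ["KRB5CCNAME"] = previous
        else:
            os.environ.pop("KRB5CCNAME", None)
        try:
            os.remove(path)
        except FileNotFoundError:
            pass  # already removed, e.g. by kdestroy


def child_ccname():
    """Return KRB5CCNAME as a newly spawned child process sees it."""
    code = "import os; print(os.environ.get('KRB5CCNAME', ''))"
    return subprocess.check_output([sys.executable, "-c", code]).decode().strip()


def demo(initial="FILE:/tmp/krb5cc_constructed"):
    """Spawn a child inside the block and another one after it has exited."""
    saved = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = initial  # constructed stand-in for a user's ccache
    try:
        with private_ccache() as path:
            inside = child_ccname()
            group_other_bits = os.stat(path).st_mode & 0o077
        return {
            "inside_is_private": inside == path,
            "group_other_bits": group_other_bits,
            "after": child_ccname(),
            "file_removed": not os.path.exists(path),
        }
    finally:
        if saved is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = saved


if __name__ == "__main__":
    print(demo())
```

A child started after the block sees the caller's original value again, which is the reuse case raised in the review.
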



Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install

2013-06-05 Thread Tomas Babej

On 06/05/2013 10:07 AM, Petr Viktorin wrote:

On 06/05/2013 09:20 AM, Tomas Babej wrote:

On 06/04/2013 06:09 PM, Petr Viktorin wrote:

On 06/04/2013 01:29 PM, Tomas Babej wrote:

On 06/03/2013 02:58 PM, Martin Kosek wrote:

On 06/03/2013 02:43 PM, Tomas Babej wrote:

Hi,

this patch fixes the installation problems on master on F19 with
krb5 packages >= 1.11.2-6

https://fedorahosted.org/freeipa/ticket/3666

Tomas

1) Leaving cache_desc open:

+(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and close it at the end of the
installation?
Can we close it right after tempfile.mkstemp? I think we do it this way in
other places in installation.

2) What about other installers where we handle Kerberos auth, like
ipa-{replica,dns,ca}-install?

A common function, other shared means, of handling KRB5CCNAME may be
appropriate to avoid duplicating code too much.

Martin

I moved the code responsible to PrivateCCache class, both for
readability and conciseness.

Private ccache is now used in the replica, dns and ca installers. I managed
to reproduce the error only with
dns-install though (fails on adding the service principal), but having a
private ccache for the installer should not hurt.

Ipa-adtrust-install requires the admin ticket, so there shouldn't be an
issue.

Tomas


Shouldn't the context manager restore os.environ['KRB5CCNAME'] on exit?


There's no need to, since the value of the environment variable is
inherited only into child processes (pkispawn, etc.). Hence the KRB5CCNAME
environment variable is not available outside the install script.


Yes, but what if you call a child process after the context manager 
exits?
I know that currently there is no code after the context manager 
exits, but that's no reason to surprise people who will want to reuse 
it later.


Context managers are expected to clean up after themselves. If there's 
no way to do this then you should at least document that this one is 
special. But in this case it shouldn't be that hard to clean up.



Not at all, I actually had the code there at some point, but removed it.

Updated patch attached.

Tomas

[root@vm-002 labtool]# ipa-server-install
[snip]
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

[root@vm-002 labtool]# echo $KRB5CCNAME

[root@vm-002 labtool]#



Two nitpicks:

ipaserver/install/installutils.py: new blank line at EOF

For most context managers I prefer @contextlib.contextmanager rather
than writing out the class, it makes them shorter and easier to read


Addressed in the updated patch.

Tomas





From 24ea3e0f7b717eff0928bf7bbe783328a12d4107 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Mon, 3 Jun 2013 12:06:06 +0200
Subject: [PATCH] Use private ccache in ipa install tools

All installers that handle Kerberos auth, have been altered to use
private ccache, that is ipa-server-install, ipa-dns-install,
ipa-replica-install, ipa-ca-install.

https://fedorahosted.org/freeipa/ticket/3666
---
 install/tools/ipa-ca-install  | 13 +++--
 install/tools/ipa-dns-install |  5 +++--
 install/tools/ipa-replica-install | 13 +++--
 install/tools/ipa-server-install  |  7 +--
 ipaserver/install/installutils.py | 22 ++
 5 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 81c11834547c37b01c4749079284affd13bb10d7..3b7e9d206e35e68aef7af64172d34a2ee9f25342 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -28,9 +28,9 @@ from ipapython import services as ipaservices
 
 from ipaserver.install import installutils, service
 from ipaserver.install import certs
-from ipaserver.install.installutils import HostnameLocalhost
-from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info
-from ipaserver.install.installutils import get_host_name, BadHostError
+from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
+expand_replica_info, read_replica_info, get_host_name, BadHostError,
+private_ccache)
 from ipaserver.install import dsinstance, cainstance, bindinstance
 from ipaserver.install.replication import replica_conn_check
 from ipapython import version
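
Review bot: style point on the rewritten import: `private_ccache` is pulled in by name, while the call site in the next hunk uses `installutils.run_script` and `installutils` is already imported a few lines above. Calling `installutils.private_ccache()` would leave the three original import lines untouched and keep this hunk out of the patch.
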
@@ -212,9 +212,10 @@ Run /usr/sbin/ipa-server-install --uninstall to clean up.
 
 if __name__ == '__main__':
 try:
-installutils.run_script(main, log_file_name=log_file_name,
-operation_name='ipa-ca-install',
-fail_message=fail_message)
+with private_ccache():
+installutils.run_script(main, log_file_name=log_file_name,
+operation_name='ipa-ca-install',
+fail_message=fail_message)
 finally:
 # always try to remove decrypted replica
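
Review bot: the `with private_ccache():` block sits inside the `try:` whose `finally:` removes the decrypted replica, so that cleanup runs after the context manager has already exited. That ordering is fine for removing a file, but a short comment above the `with` would tell anyone adding a Kerberos-dependent step to the `finally:` that the installer's private cache is no longer in effect there.
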

Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install

2013-06-05 Thread Petr Viktorin

On 06/05/2013 09:20 AM, Tomas Babej wrote:

On 06/04/2013 06:09 PM, Petr Viktorin wrote:

On 06/04/2013 01:29 PM, Tomas Babej wrote:

On 06/03/2013 02:58 PM, Martin Kosek wrote:

On 06/03/2013 02:43 PM, Tomas Babej wrote:

Hi,

this patch fixes the installation problems on master on F19 with krb5
packages >= 1.11.2-6

https://fedorahosted.org/freeipa/ticket/3666

Tomas

1) Leaving cache_desc open:

+(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and close it at the end of the
installation?
Can we close it right after tempfile.mkstemp? I think we do it this way in
other places in installation.

2) What about other installers where we handle Kerberos auth, like
ipa-{replica,dns,ca}-install?

A common function, other shared means, of handling KRB5CCNAME may be
appropriate to avoid duplicating code too much.

Martin

I moved the code responsible to PrivateCCache class, both for
readability and conciseness.

Private ccache is now used in the replica, dns and ca installers. I managed
to reproduce the error only with
dns-install though (fails on adding the service principal), but having a
private ccache for the installer should not hurt.

Ipa-adtrust-install requires the admin ticket, so there shouldn't be an
issue.

Tomas


Shouldn't the context manager restore os.environ['KRB5CCNAME'] on exit?


There's no need to, since the value of the environment variable is
inherited only into child processes (pkispawn, etc.). Hence the KRB5CCNAME
environment variable is not available outside the install script.


Yes, but what if you call a child process after the context manager exits?
I know that currently there is no code after the context manager exits, 
but that's no reason to surprise people who will want to reuse it later.


Context managers are expected to clean up after themselves. If there's 
no way to do this then you should at least document that this one is 
special. But in this case it shouldn't be that hard to clean up.



[root@vm-002 labtool]# ipa-server-install
[snip]
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

[root@vm-002 labtool]# echo $KRB5CCNAME

[root@vm-002 labtool]#



Two nitpicks:

ipaserver/install/installutils.py: new blank line at EOF

For most context managers I prefer @contextlib.contextmanager rather
than writing out the class, it makes them shorter and easier to read


Addressed in the updated patch.

Tomas



--
Petr³



Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install

2013-06-05 Thread Tomas Babej

On 06/04/2013 06:09 PM, Petr Viktorin wrote:

On 06/04/2013 01:29 PM, Tomas Babej wrote:

On 06/03/2013 02:58 PM, Martin Kosek wrote:

On 06/03/2013 02:43 PM, Tomas Babej wrote:

Hi,

this patch fixes the installation problems on master on F19 with krb5
packages >= 1.11.2-6

https://fedorahosted.org/freeipa/ticket/3666

Tomas

1) Leaving cache_desc open:

+(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and close it at the end of the
installation?
Can we close it right after tempfile.mkstemp? I think we do it this way in
other places in installation.

2) What about other installers where we handle Kerberos auth, like
ipa-{replica,dns,ca}-install?

A common function, other shared means, of handling KRB5CCNAME may be
appropriate to avoid duplicating code too much.

Martin

I moved the code responsible to PrivateCCache class, both for
readability and conciseness.

Private ccache is now used in the replica, dns and ca installers. I managed
to reproduce the error only with
dns-install though (fails on adding the service principal), but having a
private ccache for the installer should not hurt.

Ipa-adtrust-install requires the admin ticket, so there shouldn't be an
issue.

Tomas


Shouldn't the context manager restore os.environ['KRB5CCNAME'] on exit?


There's no need to, since the value of the environment variable is
inherited only into child processes (pkispawn, etc.). Hence the KRB5CCNAME
environment variable is not available outside the install script.

[root@vm-002 labtool]# ipa-server-install
[snip]
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

[root@vm-002 labtool]# echo $KRB5CCNAME

[root@vm-002 labtool]#



Two nitpicks:

ipaserver/install/installutils.py: new blank line at EOF

For most context managers I prefer @contextlib.contextmanager rather 
than writing out the class, it makes them shorter and easier to read 


Addressed in the updated patch.

Tomas
From 1e8fac58c0af6626129ba8934d5d4ed6e29698f2 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Mon, 3 Jun 2013 12:06:06 +0200
Subject: [PATCH] Use private ccache in ipa install tools

All installers that handle Kerberos auth, have been altered to use
private ccache, that is ipa-server-install, ipa-dns-install,
ipa-replica-install, ipa-ca-install.

https://fedorahosted.org/freeipa/ticket/3666
---
 install/tools/ipa-ca-install  | 13 +++--
 install/tools/ipa-dns-install |  5 +++--
 install/tools/ipa-replica-install | 13 +++--
 install/tools/ipa-server-install  |  7 +--
 ipaserver/install/installutils.py | 14 ++
 5 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 81c11834547c37b01c4749079284affd13bb10d7..fcc8240583402eabb80a6bc701ae05d46adf0f60 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -28,9 +28,9 @@ from ipapython import services as ipaservices
 
 from ipaserver.install import installutils, service
 from ipaserver.install import certs
-from ipaserver.install.installutils import HostnameLocalhost
-from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info
-from ipaserver.install.installutils import get_host_name, BadHostError
+from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
+expand_replica_info, read_replica_info, get_host_name, BadHostError,
+privateCCache)
 from ipaserver.install import dsinstance, cainstance, bindinstance
 from ipaserver.install.replication import replica_conn_check
 from ipapython import version
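
Review bot: naming in the new import: `privateCCache` is mixedCase, while every other function imported on these lines (`expand_replica_info`, `read_replica_info`, `get_host_name`) is lower_case_with_underscores. For a function, `private_ccache` would match the surrounding names.
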
@@ -212,9 +212,10 @@ Run /usr/sbin/ipa-server-install --uninstall to clean up.
 
 if __name__ == '__main__':
 try:
-installutils.run_script(main, log_file_name=log_file_name,
-operation_name='ipa-ca-install',
-fail_message=fail_message)
+with privateCCache():
+installutils.run_script(main, log_file_name=log_file_name,
+operation_name='ipa-ca-install',
+fail_message=fail_message)
 finally:
 # always try to remove decrypted replica file
 try:
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index e12a0465ca2d09a6a8d25157a737f620f3ff4b1a..8321ca1161229bdb1462b4dff380bf7f0d4af3bf 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -258,5 +258,6 @@ def main():
 return 0
 
 if __name__ == '__main__':
-installutils.run_script(main, log_file_name=log_file_name,
-operation_name='ipa-dns-install')
+with privateCCache():
+installutils.run_script(main, log_file_name=log_file_name,
+operation_name='ipa-dns-install')
diff --git a/install/tools/ipa-replica-install b/install/tools/ip

Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install

2013-06-04 Thread Petr Viktorin

On 06/04/2013 01:29 PM, Tomas Babej wrote:

On 06/03/2013 02:58 PM, Martin Kosek wrote:

On 06/03/2013 02:43 PM, Tomas Babej wrote:

Hi,

this patch fixes the installation problems on master on F19 with krb5
packages >= 1.11.2-6

https://fedorahosted.org/freeipa/ticket/3666

Tomas

1) Leaving cache_desc open:

+(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and close it at the end of the
installation?
Can we close it right after tempfile.mkstemp? I think we do it this way in
other places in installation.

2) What about other installers where we handle Kerberos auth, like
ipa-{replica,dns,ca}-install?

A common function, other shared means, of handling KRB5CCNAME may be
appropriate to avoid duplicating code too much.

Martin

I moved the code responsible to PrivateCCache class, both for
readability and conciseness.

Private ccache is now used in the replica, dns and ca installers. I managed
to reproduce the error only with
dns-install though (fails on adding the service principal), but having a
private ccache for the installer should not hurt.

Ipa-adtrust-install requires the admin ticket, so there shouldn't be an
issue.

Tomas


Shouldn't the context manager restore os.environ['KRB5CCNAME'] on exit?


Two nitpicks:

ipaserver/install/installutils.py: new blank line at EOF

For most context managers I prefer @contextlib.contextmanager rather 
than writing out the class, it makes them shorter and easier to read.



--
Petr³



Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install

2013-06-04 Thread Tomas Babej

On 06/03/2013 02:58 PM, Martin Kosek wrote:

On 06/03/2013 02:43 PM, Tomas Babej wrote:

Hi,

this patch fixes the installation problems on master on F19 with krb5 packages >= 1.11.2-6

https://fedorahosted.org/freeipa/ticket/3666

Tomas

1) Leaving cache_desc open:

+(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and close it at the end of the installation?
Can we close it right after tempfile.mkstemp? I think we do it this way in
other places in installation.

2) What about other installers where we handle Kerberos auth, like
ipa-{replica,dns,ca}-install?

A common function, other shared means, of handling KRB5CCNAME may be
appropriate to avoid duplicating code too much.

Martin
I moved the code responsible to PrivateCCache class, both for 
readability and conciseness.


Private ccache is now used in the replica, dns and ca installers. I managed
to reproduce the error only with
dns-install though (fails on adding the service principal), but having a
private ccache for the installer should not hurt.


Ipa-adtrust-install requires the admin ticket, so there shouldn't be an 
issue.


Tomas
From 199ade8c7f3eaae15dca3693a92600c635e61d57 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Mon, 3 Jun 2013 12:06:06 +0200
Subject: [PATCH] Use private ccache in ipa install tools

All installers that handle Kerberos auth, have been altered to use
private ccache, that is ipa-server-install, ipa-dns-install,
ipa-replica-install, ipa-ca-install.

https://fedorahosted.org/freeipa/ticket/3666
---
 install/tools/ipa-ca-install  | 13 +++--
 install/tools/ipa-dns-install |  5 +++--
 install/tools/ipa-replica-install | 13 +++--
 install/tools/ipa-server-install  |  7 +--
 ipaserver/install/installutils.py | 16 
 5 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 81c11834547c37b01c4749079284affd13bb10d7..0f889afac0165f56646778b74b6368fd28b313d8 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -28,9 +28,9 @@ from ipapython import services as ipaservices
 
 from ipaserver.install import installutils, service
 from ipaserver.install import certs
-from ipaserver.install.installutils import HostnameLocalhost
-from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info
-from ipaserver.install.installutils import get_host_name, BadHostError
+from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
+expand_replica_info, read_replica_info, get_host_name, BadHostError,
+PrivateCCache)
 from ipaserver.install import dsinstance, cainstance, bindinstance
 from ipaserver.install.replication import replica_conn_check
 from ipapython import version
@@ -212,9 +212,10 @@ Run /usr/sbin/ipa-server-install --uninstall to clean up.
 
 if __name__ == '__main__':
 try:
-installutils.run_script(main, log_file_name=log_file_name,
-operation_name='ipa-ca-install',
-fail_message=fail_message)
+with PrivateCCache():
+installutils.run_script(main, log_file_name=log_file_name,
+operation_name='ipa-ca-install',
+fail_message=fail_message)
 finally:
 # always try to remove decrypted replica file
 try:
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index e12a0465ca2d09a6a8d25157a737f620f3ff4b1a..c8b0aa3b8f2728510b7419975c2d937bf9188ac3 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -258,5 +258,6 @@ def main():
 return 0
 
 if __name__ == '__main__':
-installutils.run_script(main, log_file_name=log_file_name,
-operation_name='ipa-dns-install')
+with PrivateCCache():
+installutils.run_script(main, log_file_name=log_file_name,
+operation_name='ipa-dns-install')
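
Review bot: `PrivateCCache()` is used unqualified in the `if __name__ == '__main__':` block, but the diff adds no import to ipa-dns-install (the diffstat's 5 changed lines are exactly this hunk), and the next line calls `installutils.run_script` through the module. Unless the script already has a wildcard import from installutils, this raises NameError at startup; `with installutils.PrivateCCache():` avoids depending on that.
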
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index b194b85a201c2d842938d3251fa9179c57d0bd68..2ab67933257b6ec82b39372b20c1fe854d4a92f2 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -36,9 +36,9 @@ from ipaserver.install import dsinstance, installutils, krbinstance, service
 from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs
 from ipaserver.install import memcacheinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
-from ipaserver.install.installutils import HostnameLocalhost, resolve_host
-from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info
-from ipaserver.install.installutils import get_host_name, BadHostError
+from ipaserver.install.installutils import (HostnameLocalhost, resolve_host,
+ReplicaConfig, expand_replica_info, read_replica_info ,get_host_name,
+   
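
Review bot: spacing in the new import list: `read_replica_info ,get_host_name` has the space on the wrong side of the comma; it should read `read_replica_info, get_host_name`.
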

Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install

2013-06-03 Thread Martin Kosek
On 06/03/2013 02:43 PM, Tomas Babej wrote:
> Hi,
> 
> this patch fixes the installation problems on master on F19 with krb5 packages
> >= 1.11.2-6
> 
> https://fedorahosted.org/freeipa/ticket/3666
> 
> Tomas

1) Leaving cache_desc open:

+(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and close it at the end of the installation?
Can we close it right after tempfile.mkstemp? I think we do it this way in
other places in installation.

2) What about other installers where we handle Kerberos auth, like
ipa-{replica,dns,ca}-install?

A common function, other shared means, of handling KRB5CCNAME may be
appropriate to avoid duplicating code too much.

Martin



[Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install

2013-06-03 Thread Tomas Babej

Hi,

this patch fixes the installation problems on master on F19 with krb5 
packages >= 1.11.2-6


https://fedorahosted.org/freeipa/ticket/3666

Tomas
From f3e6b38bee50bf5856ae04bfb6ccd109b636f037 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Mon, 3 Jun 2013 12:06:06 +0200
Subject: [PATCH] Use private ccache in ipa-server-install

https://fedorahosted.org/freeipa/ticket/3666
---
 install/tools/ipa-server-install | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 62adbd5bc5183793f3371e46e276b9ad20077b84..db29ac3a79228ae44435630e2ad9fb6bd1145ada 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1210,6 +1210,7 @@ def main():
 
 if __name__ == '__main__':
 success = False
+
 try:
 # FIXME: Common option parsing, logging setup, etc should be factored
 # out from all install scripts
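
Review bot: the only change in this hunk is the blank line added after `success = False`; it is unrelated to the ccache work and should be dropped to keep the diff minimal.
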
@@ -1219,11 +1220,20 @@ if __name__ == '__main__':
 else:
 log_file_name = "/var/log/ipaserver-install.log"
 
+# Use private ccache
+(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+os.environ['KRB5CCNAME'] = cache_path
+
 installutils.run_script(main, log_file_name=log_file_name,
 operation_name='ipa-server-install')
 success = True
 
 finally:
+# Remove private ccache
+os.close(cache_desc)
+if os.path.exists(cache_path):
+os.remove(cache_path)
+
 if not success and installation_cleanup:
 # Do a cautious clean up as we don't know what failed and what is
 # the state of the environment
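
Review bot: in the `finally:` block, `os.close(cache_desc)` runs even when the `try:` body failed before the `tempfile.mkstemp` line (the option parsing and log setup above it are inside the same `try:`), which raises NameError and hides the original error. Create the cache before the `try:`, or initialise `cache_desc = None` and guard the close. The descriptor is never used after creation, so closing it right after mkstemp would shorten this cleanup, and `os.environ['KRB5CCNAME']` is left pointing at a removed file once `os.remove(cache_path)` has run.
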
-- 
1.8.1.4
