Re: [Freeipa-devel] [PATCH 0120] prevent crash of CA-less server upgrade due to absent certmonger

2016-01-11 Thread Jan Cholasta

On 7.1.2016 09:31, Martin Babinsky wrote:
> On 01/05/2016 03:49 PM, Martin Babinsky wrote:
>> fixes https://fedorahosted.org/freeipa/ticket/5519
>
> Bump for review.


Works for me, ACK.

Pushed to:
master: bef0f4c5c38e7ff6415e8f8c96dc306ef7f0ce56
ipa-4-2: f55a228f5ddab45fdea884eee93eac9890cf093d
ipa-4-3: 0097558d3f5b56c7db930fc951bbdb6b46abbcc5

--
Jan Cholasta



[Freeipa-devel] [PATCH 0120] prevent crash of CA-less server upgrade due to absent certmonger

2016-01-05 Thread Martin Babinsky

fixes https://fedorahosted.org/freeipa/ticket/5519

--
Martin^3 Babinsky
From d5e6dadf7e092b389284a753ec55e2448446f3d5 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 5 Jan 2016 13:00:24 +0100
Subject: [PATCH] prevent crash of CA-less server upgrade due to absent
 certmonger

ipa-server-upgrade tests whether certmonger service is running before
attempting to upgrade IPA master. This causes the upgrader to always fail when
there is no CA installer and certmonger is not needed, effectively preventing
CA-less IPA master to upgrade successfully.

This test is now skipped if CA is not enabled.

https://fedorahosted.org/freeipa/ticket/5519
---
 ipaserver/install/server/upgrade.py | 30 --
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index f37a8fea504d828f9bce5a870ad0b48f154b4e88..20379f19c652cb0b5911a4c2f1c67eae7f763379 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -291,6 +291,24 @@ def setup_firefox_extension(fstore):
 http.setup_firefox_extension(realm, domain)
 
 
+def is_ca_enabled():
+"""
+check whether there is an active CA master
+:return: True if there is an active CA in topology, False otherwise
+"""
+ldap2 = api.Backend.ldap2
+was_connected = ldap2.isconnected()
+
+if not was_connected:
+ldap2.connect()
+
+try:
+return api.Command.ca_is_enabled()['result']
+finally:
+if not was_connected:
+ldap2.disconnect()
+
+
 def ca_configure_profiles_acl(ca):
 root_logger.info('[Authorizing RA Agent to modify profiles]')
 
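Review bot: the docstring of is_ca_enabled() does not say that the call can raise, or that it opens and closes the shared api.Backend.ldap2 connection when none exists. upgrade_check() in this same patch wraps the call in try/except, so the failure path is part of the contract; add a :raises: line and mention the temporary connection. Having ldap2.connect() outside the try block is right (there is nothing to disconnect if it fails), but a one-line comment saying so would keep someone from "fixing" it later.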
@@ -1477,7 +1495,10 @@ def upgrade_configuration():
 http = httpinstance.HTTPInstance(fstore)
 http.configure_selinux_for_httpd()
 http.change_mod_nss_port_from_http()
-http.configure_certmonger_renewal_guard()
+
+if is_ca_enabled():
+http.configure_certmonger_renewal_guard()
+
 http.enable_and_start_oddjobd()
 
 ds.configure_dirsrv_ccache()
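Review bot: missing error handling around `if is_ca_enabled():` in upgrade_configuration(). In upgrade_check() the same call is wrapped so that a failure becomes a RuntimeError with a readable message, but here a failed ldap2.connect() or ca_is_enabled command would surface as a raw exception after configure_selinux_for_httpd() and change_mod_nss_port_from_http() have already run. Wrap the call the same way, or document why a failure cannot happen at this point.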
@@ -1629,7 +1650,12 @@ def upgrade_check(options):
 print(unicode(e))
 sys.exit(1)
 
-if not services.knownservices.certmonger.is_running():
+try:
+ca_is_enabled = is_ca_enabled()
+except Exception as e:
+raise RuntimeError("Cannot connect to LDAP server: {0}".format(e))
+
+if not services.knownservices.certmonger.is_running() and ca_is_enabled:
 raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.')
 
 if not options.skip_version_check:
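Review bot: `except Exception as e` in upgrade_check() is too broad for the message it produces. Any failure inside is_ca_enabled(), including an error from api.Command.ca_is_enabled() itself or a missing 'result' key, is reported as "Cannot connect to LDAP server", which points the admin at the wrong problem. Catch the connection error specifically, or make the message neutral, for example "Cannot determine whether CA is enabled: {0}".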
-- 
2.5.0

From 9ea7ddfd7262f57700f89f4ff531a80dfedfd3e4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 5 Jan 2016 13:00:24 +0100
Subject: [PATCH] prevent crash of CA-less server upgrade due to absent
 certmonger

ipa-server-upgrade tests whether certmonger service is running before
attempting to upgrade IPA master. This causes the upgrader to always fail when
there is no CA installer and certmonger is not needed, effectively preventing
CA-less IPA master to upgrade successfully.

This test is now skipped if CA is not enabled.

https://fedorahosted.org/freeipa/ticket/5519
---
 ipaserver/install/server/upgrade.py | 29 +++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 945cb3ebd63767cb1d57083e1da7c5605ac5a2f9..616fba5c1a5b3737481aecbb09ab5344641a3b04 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -292,6 +292,24 @@ def setup_firefox_extension(fstore):
 http.setup_firefox_extension(realm, domain)
 
 
+def is_ca_enabled():
+"""
+check whether there is an active CA master
+:return: True if there is an active CA in topology, False otherwise
+"""
+ldap2 = api.Backend.ldap2
+was_connected = ldap2.isconnected()
+
+if not was_connected:
+ldap2.connect()
+
+try:
+return api.Command.ca_is_enabled()['result']
+finally:
+if not was_connected:
+ldap2.disconnect()
+
+
 def ca_configure_profiles_acl(ca):
 root_logger.info('[Authorizing RA Agent to modify profiles]')
 
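Review bot: naming around `def is_ca_enabled():` is easy to misread, because the patch now has three near-identical names: the helper is_ca_enabled(), the command api.Command.ca_is_enabled() it wraps, and the local variable ca_is_enabled in upgrade_check(). Renaming the local (for example to ca_enabled) would make the later condition easier to scan.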
@@ -1416,7 +1434,9 @@ def upgrade_configuration():
 http = httpinstance.HTTPInstance(fstore)
 http.configure_selinux_for_httpd()
 http.change_mod_nss_port_from_http()
-http.configure_certmonger_renewal_guard()
+
+if is_ca_enabled():
+http.configure_certmonger_renewal_guard()
 
 ds.configure_dirsrv_ccache()
 
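Review bot: is_ca_enabled() is looked up again at `if is_ca_enabled():`, separately from the call added to upgrade_check(), and each call may open and tear down its own LDAP connection. Consider determining the value once and handing it to upgrade_configuration(), which also guarantees that both places act on the same answer.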
@@ -1562,7 +1582,12 @@ def upgrade_check(options):
 print unicode(e)
 sys.exit(1)
 
-if not services.knownservices.certmonger.is_running():
+try:
+ca_is_enabled = is_ca_enabled()
+except Exception as e:
+raise RuntimeError("Cannot connect to LDAP server: {0}".format(e))
+
+if not services.knownservices.certmonger.is_running() and ca_is_enabled:
 raise Run
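Review bot: operand order in `if not services.knownservices.certmonger.is_running() and ca_is_enabled:` probes the certmonger service even on a CA-less master, where the result is irrelevant. Putting `ca_is_enabled` first lets `and` short-circuit and reads closer to the intent stated in the commit message, that the test is skipped if CA is not enabled. A short comment above the condition saying why the check is conditional would help the next reader.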