fixes https://fedorahosted.org/freeipa/ticket/5519
--
Martin^3 Babinsky
From d5e6dadf7e092b389284a753ec55e2448446f3d5 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Tue, 5 Jan 2016 13:00:24 +0100
Subject: [PATCH] prevent crash of CA-less server upgrade due to absent
certmonger
ipa-server-upgrade tests whether certmonger service is running before
attempting to upgrade IPA master. This causes the upgrader to always fail when
there is no CA installer and certmonger is not needed, effectively preventing
CA-less IPA master to upgrade succefuly.
This test is now skipped if CA is not enabled.
https://fedorahosted.org/freeipa/ticket/5519
---
ipaserver/install/server/upgrade.py | 30 --
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index f37a8fea504d828f9bce5a870ad0b48f154b4e88..20379f19c652cb0b5911a4c2f1c67eae7f763379 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -291,6 +291,24 @@ def setup_firefox_extension(fstore):
http.setup_firefox_extension(realm, domain)
+def is_ca_enabled():
+"""
+check whether there is an active CA master
+:return: True if there is an active CA in topology, False otherwise
+"""
+ldap2 = api.Backend.ldap2
+was_connected = ldap2.isconnected()
+
+if not was_connected:
+ldap2.connect()
+
+try:
+return api.Command.ca_is_enabled()['result']
+finally:
+if not was_connected:
+ldap2.disconnect()
+
+
def ca_configure_profiles_acl(ca):
root_logger.info('[Authorizing RA Agent to modify profiles]')
@@ -1477,7 +1495,10 @@ def upgrade_configuration():
http = httpinstance.HTTPInstance(fstore)
http.configure_selinux_for_httpd()
http.change_mod_nss_port_from_http()
-http.configure_certmonger_renewal_guard()
+
+if is_ca_enabled():
+http.configure_certmonger_renewal_guard()
+
http.enable_and_start_oddjobd()
ds.configure_dirsrv_ccache()
@@ -1629,7 +1650,12 @@ def upgrade_check(options):
print(unicode(e))
sys.exit(1)
-if not services.knownservices.certmonger.is_running():
+try:
+ca_is_enabled = is_ca_enabled()
+except Exception as e:
+raise RuntimeError("Cannot connect to LDAP server: {0}".format(e))
+
+if not services.knownservices.certmonger.is_running() and ca_is_enabled:
raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.')
if not options.skip_version_check:
--
2.5.0
From 9ea7ddfd7262f57700f89f4ff531a80dfedfd3e4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Tue, 5 Jan 2016 13:00:24 +0100
Subject: [PATCH] prevent crash of CA-less server upgrade due to absent
certmonger
ipa-server-upgrade tests whether certmonger service is running before
attempting to upgrade IPA master. This causes the upgrader to always fail when
there is no CA installer and certmonger is not needed, effectively preventing
CA-less IPA master to upgrade succefuly.
This test is now skipped if CA is not enabled.
https://fedorahosted.org/freeipa/ticket/5519
---
ipaserver/install/server/upgrade.py | 29 +++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 945cb3ebd63767cb1d57083e1da7c5605ac5a2f9..616fba5c1a5b3737481aecbb09ab5344641a3b04 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -292,6 +292,24 @@ def setup_firefox_extension(fstore):
http.setup_firefox_extension(realm, domain)
+def is_ca_enabled():
+"""
+check whether there is an active CA master
+:return: True if there is an active CA in topology, False otherwise
+"""
+ldap2 = api.Backend.ldap2
+was_connected = ldap2.isconnected()
+
+if not was_connected:
+ldap2.connect()
+
+try:
+return api.Command.ca_is_enabled()['result']
+finally:
+if not was_connected:
+ldap2.disconnect()
+
+
def ca_configure_profiles_acl(ca):
root_logger.info('[Authorizing RA Agent to modify profiles]')
@@ -1416,7 +1434,9 @@ def upgrade_configuration():
http = httpinstance.HTTPInstance(fstore)
http.configure_selinux_for_httpd()
http.change_mod_nss_port_from_http()
-http.configure_certmonger_renewal_guard()
+
+if is_ca_enabled():
+http.configure_certmonger_renewal_guard()
ds.configure_dirsrv_ccache()
@@ -1562,7 +1582,12 @@ def upgrade_check(options):
print unicode(e)
sys.exit(1)
-if not services.knownservices.certmonger.is_running():
+try:
+ca_is_enabled = is_ca_enabled()
+except Exception as e:
+raise RuntimeError("Cannot connect to LDAP server: {0}".format(e))
+
+if not services.knownservices.certmonger.is_running() and ca_is_enabled:
raise Run