Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-25 Thread Jan Cholasta

On 25.2.2016 14:13, David Kupka wrote:

On 24/02/16 15:07, Rob Crittenden wrote:

David Kupka wrote:

On 23/02/16 16:41, Rob Crittenden wrote:

David Kupka wrote:

On 23/02/16 10:14, Martin Kosek wrote:

On 02/23/2016 09:47 AM, David Kupka wrote:

On 22/02/16 16:15, Martin Kosek wrote:

On 02/22/2016 04:04 PM, Jan Cholasta wrote:

On 22.2.2016 15:56, David Kupka wrote:

On 22/02/16 07:28, Jan Cholasta wrote:

On 18.2.2016 10:10, David Kupka wrote:

On 19/01/16 16:10, David Kupka wrote:

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in the specfile and removed an
unused import, but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
  post-save command: /usr/lib64/ipa/certmonger/restart_httpd






You're right, it will break the upgrade. I hadn't noticed that Server-Cert
for DS and HTTPD are not handled by certificate_renewal_update
(ipaserver.install.server.upgrade) where all the other trackings are stopped
and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already
updated.

Thanks for the catch.



I've updated Timo's patch a little more and added
start_tracking_certificates() for dsinstance and httpinstance. Now the
upgrade works as expected.


The way the patches are split is kind of weird and apparently confusing
(see the other thread). IMO there should be 2 patches: the first should
add the ability to change DS and HTTP certmonger config during upgrade
(i.e. the start_tracking_certificates() methods and
certificate_renewal_update() changes), the second should move the
helpers (i.e. the actual move and certificate_renewal_update() version
bump).


Honza, do I understand it correctly that the code is OK but I did not
split it into the patches correctly?


Yes.


Before acking or pushing, can you please explain to me how the upgrade of
certmonger tracking requests works? I want to make sure this is right, so
please bear with me:

1) How does it edit existing tracking requests with the new helper paths?

2) Does it go and try to edit the requests on every upgrade? Or is there
some check that requests were updated?

Thanks,
Martin



The whole upgrade of renewal requests is done in
ipaserver/install/server/upgrade.py in certificate_renewal_upgrade().

First there is a version of the requests and if it's the same as in the
state file the upgrade is skipped.
Then every request is searched for over certmonger's DBus interface and if
at least one is not found it means that there was a change in the request
configuration. All tracking requests are then stopped and started again
with the new configuration.

So to answer your questions:
1) By stopping the old request with the old parameters (including path) and
starting a new one with the new parameters.

2) Only if the version was bumped, which happens only if some of the
requests change.


Ah, so IIUC, if you bump the version, requests should be properly updated.
The change looks fine then.



After discussion with Honza, we decided to drop the part comparing only
the base names of pre- and post-save commands and use them as a whole. I've
also split the patches so it's obvious what is going on.

Patches should be applied in this order:

freeipa-dkupka-0091.0


A cert could silently fail to be tracked in
start_tracking_certificates() if no serverid can be found.


In that case it also wouldn't be stopped. The behavior is the same as in
the existing stop_tracking_certificates(). Should we rather raise and stop
the upgrade? I guess not, but a warning would probably be useful. What
solution would you prefer, Rob?


I don't know all the callers of this. It may be perfectly safe to assume
that a serverid is always there, but the implication if it isn't is that
some tracking cert won't be updated properly, right? That potentially

Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-25 Thread David Kupka

On 24/02/16 15:07, Rob Crittenden wrote:

David Kupka wrote:

On 23/02/16 16:41, Rob Crittenden wrote:

David Kupka wrote:

On 23/02/16 10:14, Martin Kosek wrote:

On 02/23/2016 09:47 AM, David Kupka wrote:

On 22/02/16 16:15, Martin Kosek wrote:

On 02/22/2016 04:04 PM, Jan Cholasta wrote:

On 22.2.2016 15:56, David Kupka wrote:

On 22/02/16 07:28, Jan Cholasta wrote:

On 18.2.2016 10:10, David Kupka wrote:

On 19/01/16 16:10, David Kupka wrote:

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in the specfile and removed an
unused import, but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
  post-save command: /usr/lib64/ipa/certmonger/restart_httpd






You're right, it will break the upgrade. I hadn't noticed that Server-Cert
for DS and HTTPD are not handled by certificate_renewal_update
(ipaserver.install.server.upgrade) where all the other trackings are stopped
and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already
updated.

Thanks for the catch.



I've updated Timo's patch a little more and added
start_tracking_certificates() for dsinstance and httpinstance. Now the
upgrade works as expected.


The way the patches are split is kind of weird and apparently confusing
(see the other thread). IMO there should be 2 patches: the first should
add the ability to change DS and HTTP certmonger config during upgrade
(i.e. the start_tracking_certificates() methods and
certificate_renewal_update() changes), the second should move the
helpers (i.e. the actual move and certificate_renewal_update() version
bump).


Honza, do I understand it correctly that the code is OK but I did not
split it into the patches correctly?


Yes.


Before acking or pushing, can you please explain to me how the upgrade of
certmonger tracking requests works? I want to make sure this is right, so
please bear with me:

1) How does it edit existing tracking requests with the new helper paths?

2) Does it go and try to edit the requests on every upgrade? Or is there
some check that requests were updated?

Thanks,
Martin



The whole upgrade of renewal requests is done in
ipaserver/install/server/upgrade.py in certificate_renewal_upgrade().

First there is a version of the requests and if it's the same as in the
state file the upgrade is skipped.
Then every request is searched for over certmonger's DBus interface and if
at least one is not found it means that there was a change in the request
configuration. All tracking requests are then stopped and started again
with the new configuration.

So to answer your questions:
1) By stopping the old request with the old parameters (including path) and
starting a new one with the new parameters.

2) Only if the version was bumped, which happens only if some of the
requests change.


Ah, so IIUC, if you bump the version, requests should be properly updated.
The change looks fine then.



After discussion with Honza, we decided to drop the part comparing only
the base names of pre- and post-save commands and use them as a whole. I've
also split the patches so it's obvious what is going on.

Patches should be applied in this order:

freeipa-dkupka-0091.0


A cert could silently fail to be tracked in
start_tracking_certificates() if no serverid can be found.


In that case it also wouldn't be stopped. The behavior is the same as in
the existing stop_tracking_certificates(). Should we rather raise and stop
the upgrade? I guess not, but a warning would probably be useful. What
solution would you prefer, Rob?


I don't know all the callers of this. It may be perfectly safe to assume
that a serverid is always there, but the implication if it isn't is that
some tracking cert won't be updated properly, right? That potentially
could mean no renewal.

So the

Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-24 Thread Rob Crittenden
David Kupka wrote:
> On 23/02/16 16:41, Rob Crittenden wrote:
>> David Kupka wrote:
>>> On 23/02/16 10:14, Martin Kosek wrote:
>>>> On 02/23/2016 09:47 AM, David Kupka wrote:
>>>>> On 22/02/16 16:15, Martin Kosek wrote:
>>>>>> On 02/22/2016 04:04 PM, Jan Cholasta wrote:
>>>>>>> On 22.2.2016 15:56, David Kupka wrote:
>>>>>>>> On 22/02/16 07:28, Jan Cholasta wrote:
>>>>>>>>> On 18.2.2016 10:10, David Kupka wrote:
>>>>>>>>>> On 19/01/16 16:10, David Kupka wrote:
>>>>>>>>>>> On 19/01/16 14:38, Jan Cholasta wrote:
>>>>>>>>>>>> On 19.1.2016 14:26, Martin Kosek wrote:
>>>>>>>>>>>>> On 01/19/2016 01:47 PM, David Kupka wrote:
>>>>>>>>>>>>>> I've polished the patch attached to #5586 by Timo Aaltonen.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for the patch. I've fixed the path in the specfile and
>>>>>>>>>>>>>> removed an unused import, but otherwise it works, ACK.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5586
>>>>>>>>>>>>>
>>>>>>>>>>>>> Won't this break existing certmonger requests depending on the
>>>>>>>>>>>>> old path?
>>>>>>>>>>>>
>>>>>>>>>>>> It will, I don't see any upgrade code.
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>>>>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
>>>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> You're right, it will break the upgrade. I hadn't noticed that
>>>>>>>>>>> Server-Cert for DS and HTTPD are not handled by
>>>>>>>>>>> certificate_renewal_update (ipaserver.install.server.upgrade)
>>>>>>>>>>> where all the other trackings are stopped and then configured
>>>>>>>>>>> again with the paths.CERTMONGER_COMMAND_TEMPLATE already updated.
>>>>>>>>>>>
>>>>>>>>>>> Thanks for the catch.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I've updated Timo's patch a little more and added
>>>>>>>>>> start_tracking_certificates() for dsinstance and httpinstance.
>>>>>>>>>> Now the upgrade works as expected.
>>>>>>>>>
>>>>>>>>> The way the patches are split is kind of weird and apparently
>>>>>>>>> confusing (see the other thread). IMO there should be 2 patches:
>>>>>>>>> the first should add the ability to change DS and HTTP certmonger
>>>>>>>>> config during upgrade (i.e. the start_tracking_certificates()
>>>>>>>>> methods and certificate_renewal_update() changes), the second
>>>>>>>>> should move the helpers (i.e. the actual move and
>>>>>>>>> certificate_renewal_update() version bump).
>>>>>>>>>
>>>>>>>> Honza, do I understand it correctly that the code is OK but I did
>>>>>>>> not split it into the patches correctly?
>>>>>>>
>>>>>>> Yes.
>>>>>>
>>>>>> Before acking or pushing, can you please explain to me how the
>>>>>> upgrade of certmonger tracking requests works? I want to make sure
>>>>>> this is right, so please bear with me:
>>>>>>
>>>>>> 1) How does it edit existing tracking requests with the new helper
>>>>>> paths?
>>>>>>
>>>>>> 2) Does it go and try to edit the requests on every upgrade? Or is
>>>>>> there some check that requests were updated?
>>>>>>
>>>>>> Thanks,
>>>>>> Martin
>>>>>>
>>>>>
>>>>> The whole upgrade of renewal requests is done in
>>>>> ipaserver/install/server/upgrade.py in certificate_renewal_upgrade().
>>>>>
>>>>> First there is a version of the requests and if it's the same as in
>>>>> the state file the upgrade is skipped.
>>>>> Then every request is searched for over certmonger's DBus interface
>>>>> and if at least one is not found it means that there was a change in
>>>>> the request configuration. All

Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-23 Thread David Kupka

On 23/02/16 16:41, Rob Crittenden wrote:

David Kupka wrote:

On 23/02/16 10:14, Martin Kosek wrote:

On 02/23/2016 09:47 AM, David Kupka wrote:

On 22/02/16 16:15, Martin Kosek wrote:

On 02/22/2016 04:04 PM, Jan Cholasta wrote:

On 22.2.2016 15:56, David Kupka wrote:

On 22/02/16 07:28, Jan Cholasta wrote:

On 18.2.2016 10:10, David Kupka wrote:

On 19/01/16 16:10, David Kupka wrote:

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in the specfile and removed an
unused import, but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
  post-save command: /usr/lib64/ipa/certmonger/restart_httpd






You're right, it will break the upgrade. I hadn't noticed that Server-Cert
for DS and HTTPD are not handled by certificate_renewal_update
(ipaserver.install.server.upgrade) where all the other trackings are stopped
and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already
updated.

Thanks for the catch.



I've updated Timo's patch a little more and added
start_tracking_certificates() for dsinstance and httpinstance. Now the
upgrade works as expected.


The way the patches are split is kind of weird and apparently confusing
(see the other thread). IMO there should be 2 patches: the first should
add the ability to change DS and HTTP certmonger config during upgrade
(i.e. the start_tracking_certificates() methods and
certificate_renewal_update() changes), the second should move the
helpers (i.e. the actual move and certificate_renewal_update() version
bump).


Honza, do I understand it correctly that the code is OK but I did not
split it into the patches correctly?


Yes.


Before acking or pushing, can you please explain to me how the upgrade of
certmonger tracking requests works? I want to make sure this is right, so
please bear with me:

1) How does it edit existing tracking requests with the new helper paths?

2) Does it go and try to edit the requests on every upgrade? Or is there
some check that requests were updated?

Thanks,
Martin



The whole upgrade of renewal requests is done in
ipaserver/install/server/upgrade.py in certificate_renewal_upgrade().

First there is a version of the requests and if it's the same as in the
state file the upgrade is skipped.
Then every request is searched for over certmonger's DBus interface and if
at least one is not found it means that there was a change in the request
configuration. All tracking requests are then stopped and started again
with the new configuration.

So to answer your questions:
1) By stopping the old request with the old parameters (including path) and
starting a new one with the new parameters.

2) Only if the version was bumped, which happens only if some of the
requests change.


Ah, so IIUC, if you bump the version, requests should be properly updated.
The change looks fine then.



After discussion with Honza, we decided to drop the part comparing only
the base names of pre- and post-save commands and use them as a whole. I've
also split the patches so it's obvious what is going on.

Patches should be applied in this order:

freeipa-dkupka-0091.0


A cert could silently fail to be tracked in
start_tracking_certificates() if no serverid can be found.


In that case it also wouldn't be stopped. The behavior is the same as in
the existing stop_tracking_certificates(). Should we rather raise and stop
the upgrade? I guess not, but a warning would probably be useful. What
solution would you prefer, Rob?





freeipa-dkupka-0087.1
freeipa-dkupka-0088.1
freeipa-tjaalton-0011.2
freeipa-dkupka-0092.0






--
David Kupka

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-23 Thread Rob Crittenden
David Kupka wrote:
> On 23/02/16 10:14, Martin Kosek wrote:
>> On 02/23/2016 09:47 AM, David Kupka wrote:
>>> On 22/02/16 16:15, Martin Kosek wrote:
>>>> On 02/22/2016 04:04 PM, Jan Cholasta wrote:
>>>>> On 22.2.2016 15:56, David Kupka wrote:
>>>>>> On 22/02/16 07:28, Jan Cholasta wrote:
>>>>>>> On 18.2.2016 10:10, David Kupka wrote:
>>>>>>>> On 19/01/16 16:10, David Kupka wrote:
>>>>>>>>> On 19/01/16 14:38, Jan Cholasta wrote:
>>>>>>>>>> On 19.1.2016 14:26, Martin Kosek wrote:
>>>>>>>>>>> On 01/19/2016 01:47 PM, David Kupka wrote:
>>>>>>>>>>>> I've polished the patch attached to #5586 by Timo Aaltonen.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks for the patch. I've fixed the path in the specfile and
>>>>>>>>>>>> removed an unused import, but otherwise it works, ACK.
>>>>>>>>>>>>
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5586
>>>>>>>>>>>
>>>>>>>>>>> Won't this break existing certmonger requests depending on the
>>>>>>>>>>> old path?
>>>>>>>>>>
>>>>>>>>>> It will, I don't see any upgrade code.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
>>>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> You're right, it will break the upgrade. I hadn't noticed that
>>>>>>>>> Server-Cert for DS and HTTPD are not handled by
>>>>>>>>> certificate_renewal_update (ipaserver.install.server.upgrade)
>>>>>>>>> where all the other trackings are stopped and then configured
>>>>>>>>> again with the paths.CERTMONGER_COMMAND_TEMPLATE already updated.
>>>>>>>>>
>>>>>>>>> Thanks for the catch.
>>>>>>>>>
>>>>>>>>
>>>>>>>> I've updated Timo's patch a little more and added
>>>>>>>> start_tracking_certificates() for dsinstance and httpinstance.
>>>>>>>> Now the upgrade works as expected.
>>>>>>>
>>>>>>> The way the patches are split is kind of weird and apparently
>>>>>>> confusing (see the other thread). IMO there should be 2 patches:
>>>>>>> the first should add the ability to change DS and HTTP certmonger
>>>>>>> config during upgrade (i.e. the start_tracking_certificates()
>>>>>>> methods and certificate_renewal_update() changes), the second
>>>>>>> should move the helpers (i.e. the actual move and
>>>>>>> certificate_renewal_update() version bump).
>>>>>>>
>>>>>> Honza, do I understand it correctly that the code is OK but I did
>>>>>> not split it into the patches correctly?
>>>>>
>>>>> Yes.
>>>>
>>>> Before acking or pushing, can you please explain to me how the
>>>> upgrade of certmonger tracking requests works? I want to make sure
>>>> this is right, so please bear with me:
>>>>
>>>> 1) How does it edit existing tracking requests with the new helper
>>>> paths?
>>>>
>>>> 2) Does it go and try to edit the requests on every upgrade? Or is
>>>> there some check that requests were updated?
>>>>
>>>> Thanks,
>>>> Martin
>>>>
>>>
>>> The whole upgrade of renewal requests is done in
>>> ipaserver/install/server/upgrade.py in certificate_renewal_upgrade().
>>>
>>> First there is a version of the requests and if it's the same as in
>>> the state file the upgrade is skipped.
>>> Then every request is searched for over certmonger's DBus interface
>>> and if at least one is not found it means that there was a change in
>>> the request configuration. All tracking requests are then stopped and
>>> started again with the new configuration.
>>>
>>> So to answer your questions:
>>> 1) By stopping the old request with the old parameters (including
>>> path) and starting a new one with the new parameters.
>>>
>>> 2) Only if the version was bumped, which happens only if some of the
>>> requests change.
>>
>> Ah, so IIUC, if you bump the version, requests should be properly
>> updated. The change

Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-23 Thread David Kupka

On 23/02/16 10:14, Martin Kosek wrote:

On 02/23/2016 09:47 AM, David Kupka wrote:

On 22/02/16 16:15, Martin Kosek wrote:

On 02/22/2016 04:04 PM, Jan Cholasta wrote:

On 22.2.2016 15:56, David Kupka wrote:

On 22/02/16 07:28, Jan Cholasta wrote:

On 18.2.2016 10:10, David Kupka wrote:

On 19/01/16 16:10, David Kupka wrote:

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in the specfile and removed an
unused import, but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
  post-save command: /usr/lib64/ipa/certmonger/restart_httpd






You're right, it will break the upgrade. I hadn't noticed that Server-Cert
for DS and HTTPD are not handled by certificate_renewal_update
(ipaserver.install.server.upgrade) where all the other trackings are stopped
and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already
updated.

Thanks for the catch.



I've updated Timo's patch a little more and added
start_tracking_certificates() for dsinstance and httpinstance. Now the
upgrade works as expected.


The way the patches are split is kind of weird and apparently confusing
(see the other thread). IMO there should be 2 patches: the first should
add the ability to change DS and HTTP certmonger config during upgrade
(i.e. the start_tracking_certificates() methods and
certificate_renewal_update() changes), the second should move the
helpers (i.e. the actual move and certificate_renewal_update() version
bump).


Honza, do I understand it correctly that the code is OK but I did not
split it into the patches correctly?


Yes.


Before acking or pushing, can you please explain to me how the upgrade of
certmonger tracking requests works? I want to make sure this is right, so
please bear with me:

1) How does it edit existing tracking requests with the new helper paths?

2) Does it go and try to edit the requests on every upgrade? Or is there
some check that requests were updated?

Thanks,
Martin



The whole upgrade of renewal requests is done in
ipaserver/install/server/upgrade.py in certificate_renewal_upgrade().

First there is a version of the requests and if it's the same as in the
state file the upgrade is skipped.
Then every request is searched for over certmonger's DBus interface and if
at least one is not found it means that there was a change in the request
configuration. All tracking requests are then stopped and started again
with the new configuration.

So to answer your questions:
1) By stopping the old request with the old parameters (including path) and
starting a new one with the new parameters.

2) Only if the version was bumped, which happens only if some of the
requests change.


Ah, so IIUC, if you bump the version, requests should be properly updated.
The change looks fine then.



After discussion with Honza, we decided to drop the part comparing only
the base names of pre- and post-save commands and use them as a whole. I've
also split the patches so it's obvious what is going on.


Patches should be applied in this order:

freeipa-dkupka-0091.0
freeipa-dkupka-0087.1
freeipa-dkupka-0088.1
freeipa-tjaalton-0011.2
freeipa-dkupka-0092.0

--
David Kupka
From 3e43c00c9d90752c28b5e81ddb7827ba00f12eba Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 17 Feb 2016 15:18:04 +0100
Subject: [PATCH 2/5] dsinstance: add start_tracking_certificates method

Configure certmonger to start tracking certificate for DS.

https://fedorahosted.org/freeipa/ticket/5586
---
 ipaserver/install/dsinstance.py | 10 ++
 ipaserver/install/server/upgrade.py | 19 +--
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 

Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-23 Thread Martin Kosek
On 02/23/2016 09:47 AM, David Kupka wrote:
> On 22/02/16 16:15, Martin Kosek wrote:
>> On 02/22/2016 04:04 PM, Jan Cholasta wrote:
>>> On 22.2.2016 15:56, David Kupka wrote:
>>>> On 22/02/16 07:28, Jan Cholasta wrote:
>>>>> On 18.2.2016 10:10, David Kupka wrote:
>>>>>> On 19/01/16 16:10, David Kupka wrote:
>>>>>>> On 19/01/16 14:38, Jan Cholasta wrote:
>>>>>>>> On 19.1.2016 14:26, Martin Kosek wrote:
>>>>>>>>> On 01/19/2016 01:47 PM, David Kupka wrote:
>>>>>>>>>> I've polished the patch attached to #5586 by Timo Aaltonen.
>>>>>>>>>>
>>>>>>>>>> Thanks for the patch. I've fixed the path in the specfile and
>>>>>>>>>> removed an unused import, but otherwise it works, ACK.
>>>>>>>>>>
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5586
>>>>>>>>>
>>>>>>>>> Won't this break existing certmonger requests depending on the
>>>>>>>>> old path?
>>>>>>>>
>>>>>>>> It will, I don't see any upgrade code.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
>>>>>>>>>   post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> You're right, it will break the upgrade. I hadn't noticed that
>>>>>>> Server-Cert for DS and HTTPD are not handled by
>>>>>>> certificate_renewal_update (ipaserver.install.server.upgrade)
>>>>>>> where all the other trackings are stopped and then configured
>>>>>>> again with the paths.CERTMONGER_COMMAND_TEMPLATE already updated.
>>>>>>>
>>>>>>> Thanks for the catch.
>>>>>>>
>>>>>>
>>>>>> I've updated Timo's patch a little more and added
>>>>>> start_tracking_certificates() for dsinstance and httpinstance.
>>>>>> Now the upgrade works as expected.
>>>>>
>>>>> The way the patches are split is kind of weird and apparently
>>>>> confusing (see the other thread). IMO there should be 2 patches:
>>>>> the first should add the ability to change DS and HTTP certmonger
>>>>> config during upgrade (i.e. the start_tracking_certificates()
>>>>> methods and certificate_renewal_update() changes), the second
>>>>> should move the helpers (i.e. the actual move and
>>>>> certificate_renewal_update() version bump).
>>>>>
>>>> Honza, do I understand it correctly that the code is OK but I did
>>>> not split it into the patches correctly?
>>>
>>> Yes.
>>
>> Before acking or pushing, can you please explain to me how the
>> upgrade of certmonger tracking requests works? I want to make sure
>> this is right, so please bear with me:
>>
>> 1) How does it edit existing tracking requests with the new helper
>> paths?
>>
>> 2) Does it go and try to edit the requests on every upgrade? Or is
>> there some check that requests were updated?
>>
>> Thanks,
>> Martin
>>
>
> The whole upgrade of renewal requests is done in
> ipaserver/install/server/upgrade.py in certificate_renewal_upgrade().
>
> First there is a version of the requests and if it's the same as in
> the state file the upgrade is skipped.
> Then every request is searched for over certmonger's DBus interface
> and if at least one is not found it means that there was a change in
> the request configuration. All tracking requests are then stopped and
> started again with the new configuration.
>
> So to answer your questions:
> 1) By stopping the old request with the old parameters (including
> path) and starting a new one with the new parameters.
>
> 2) Only if the version was bumped, which happens only if some of the
> requests change.

Ah, so IIUC, if you bump the version, requests should be properly updated. The
change looks fine then.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
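The thread's conclusion is that bumping the version makes the upgrade replace every tracking request, so the check a practitioner wants after upgrading is that no request still calls a helper under the old directory and that every request is back in MONITORING. The script below is an added example, not FreeIPA's or certmonger's code: it parses the text `getcert list` prints (a `Request ID '...':` header followed by indented `field: value` lines, as in the output quoted in this thread) and reports stale helper commands and non-MONITORING requests. The sample output, the request IDs and the NSS database paths in it are constructed for the example; the old directories and the new `/usr/libexec/ipa/certmonger` location are the ones discussed in the thread.

```python
"""Audit `getcert list` output for requests still using the pre-move helpers.

Added example, not FreeIPA's own code; the sample output below is constructed.
"""
import re
from typing import Dict, List, Tuple

OLD_HELPER_DIRS = ("/usr/lib64/ipa/certmonger", "/usr/lib/ipa/certmonger")
NEW_HELPER_DIR = "/usr/libexec/ipa/certmonger"  # target location proposed in the thread

_REQUEST_HEADER = re.compile(r"^Request ID '(?P<rid>[^']+)':\s*$")


def parse_getcert_list(text: str) -> Dict[str, Dict[str, str]]:
    """Map request ID -> {field: value} for each request in `getcert list` output.

    Lines before the first request header (such as the "Number of certificates
    and requests being tracked" summary) are ignored.
    """
    requests: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        match = _REQUEST_HEADER.match(line)
        if match:
            current = requests.setdefault(match.group("rid"), {})
            continue
        if current is None or ":" not in line:
            continue
        # Split on the first colon only: the key pair storage value itself
        # contains further colons and commas.
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def stale_helper_commands(requests: Dict[str, Dict[str, str]],
                          old_dirs=OLD_HELPER_DIRS) -> List[Tuple[str, str, str]]:
    """(request ID, field, command) for every helper still under an old directory."""
    stale = []
    for rid, fields in sorted(requests.items()):
        for field in ("pre-save command", "post-save command"):
            command = fields.get(field, "")
            if any(command.startswith(old + "/") for old in old_dirs):
                stale.append((rid, field, command))
    return stale


def not_monitoring(requests: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(request ID, status) for requests that are not in MONITORING after upgrade."""
    return [(rid, fields.get("status", "?")) for rid, fields in sorted(requests.items())
            if fields.get("status") != "MONITORING"]


# Constructed sample: one DS request still on the old path, one HTTP request
# already moved, one CA subsystem request stuck with both helpers on the old path.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20160217151804':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
\tCA: IPA
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
\ttrack: yes
Request ID '20160217151817':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tCA: IPA
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_httpd
\ttrack: yes
Request ID '20160217151830':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
\ttrack: yes
"""


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT_LIST)
    for rid, field, command in stale_helper_commands(reqs):
        print("%s: %s still points at an old helper: %s" % (rid, field, command))
    for rid, status in not_monitoring(reqs):
        print("%s: status %s" % (rid, status))
```

On a real server feed it `getcert list` output instead of the sample (for example `parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))`); an empty result from both checks is what a successful upgrade should leave behind.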


Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-23 Thread David Kupka

On 22/02/16 16:15, Martin Kosek wrote:

On 02/22/2016 04:04 PM, Jan Cholasta wrote:

On 22.2.2016 15:56, David Kupka wrote:

On 22/02/16 07:28, Jan Cholasta wrote:

On 18.2.2016 10:10, David Kupka wrote:

On 19/01/16 16:10, David Kupka wrote:

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in specfile and removed
unused import
but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old
path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert
cert-pki-ca"
 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert
cert-pki-ca"
 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert
cert-pki-ca"
 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"caSigningCert
cert-pki-ca"
 post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"Server-Cert
cert-pki-ca"
 post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
RHEL72
 post-save command: /usr/lib64/ipa/certmonger/restart_httpd






You're right it will break the upgrade. I haven't noticed that
Server-Cert for DS and HTTPD are not handled by
certificate_renewal_update (ipaserver.install.server.upgrade) where all
the other trackings are stopped and then configured again with the
paths.CERTMONGER_COMMAND_TEMPLATE already updated.

Thanks for the catch.



I've updated Timo's patch little more and added
start_tracking_certificates() for dsinstance and httpinstance. Now the
upgrade works as expected.


The way the patches are split is kind of weird and apparently confusing
(see the other thread). IMO there should be 2 patches: the first should
add the ability to change DS and HTTP certmonger config during upgrade
(i.e. the start_tracking_certificates() methods and
certificate_renewal_update() changes), the second should move the
helpers (i.e. the actual move and certificate_renewal_update() version
bump).


Honza, do I understand it correctly that the code is OK but I did not
split it to the patches correctly?


Yes.


Before acking or pushing, can you please explain for me how the upgrade of
certmonger tracking requests work? I want to make sure this is right, so please
bear with me:

1) How does it edit existing tracking requests with the new helper paths?

2) Does it go and try to edit the requests on every upgrade? Or is there some
check that requests were updated?

Thanks,
Martin



Whole upgrade of renewal requests is done in 
ipaserver/install/server/upgrade.py in certificate_renewal_upgrade().


First there is version of requests and if it's the same as in state file 
upgrade is skipped.
Then every request is searched over certmonger's DBus interface and if 
at least one is not found it means that there was change in request 
configuration. All tracking requests are then stopped and started again 
with new configuration.


So to answer you questions:
1) By stopping the old request with the old parameters (including path) 
and starting new with new parameters.


2) Only if version was bumped which happens only if some of the requests 
changes.


--
David Kupka

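
The flow David describes above (compare the request-set version with the state file, look every expected request up, stop and re-start all of them if any is missing, then record the version) is the property Martin is asking about, and it is easiest to see with a model that can be run. The block below is an added example, not FreeIPA's own code: `FakeCertmonger` stands in for certmonger's D-Bus interface and matches on every parameter the way a lookup by criteria does, `desired_requests()` builds the request set shown in the `getcert list` output quoted in this thread, and `certificate_renewal_update()` follows the described steps. The version constant, the NSS database paths, the `EXAMPLE-TEST` server ID and the helper directories are assumptions made for this example.

```python
"""Version-gated re-tracking of certmonger requests during upgrade.

Added example, not FreeIPA's own code; certmonger is replaced by an in-memory
stand-in so the flow runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

OLD_HELPER_DIR = "/usr/lib64/ipa/certmonger"   # where the helpers lived before the move
NEW_HELPER_DIR = "/usr/libexec/ipa/certmonger"  # target location proposed in the thread

# Bump this whenever any request's parameters (helper paths included) change.
CERTIFICATE_RENEWAL_VERSION = 3
STATE_KEY = "certificate_renewal_update"


@dataclass(frozen=True)
class TrackingRequest:
    nssdb: str                  # NSS database holding the certificate
    nickname: str               # certificate nickname inside that database
    pre_command: Optional[str]  # pre-save helper, or None
    post_command: str           # post-save helper


class FakeCertmonger:
    """Stand-in for certmonger: tracking requests keyed by request ID."""

    def __init__(self, requests: List[TrackingRequest]) -> None:
        self._requests: Dict[str, TrackingRequest] = {}
        self._next_id = 0
        for req in requests:
            self.start_tracking(req)

    def get_request_id(self, criteria: TrackingRequest) -> Optional[str]:
        """Every parameter must match, so a request whose helper path
        changed is reported as not found even though its nickname is tracked."""
        for rid, req in self._requests.items():
            if req == criteria:
                return rid
        return None

    def stop_tracking(self, nssdb: str, nickname: str) -> None:
        self._requests = {rid: req for rid, req in self._requests.items()
                          if (req.nssdb, req.nickname) != (nssdb, nickname)}

    def start_tracking(self, req: TrackingRequest) -> str:
        self._next_id += 1
        rid = "%020d" % self._next_id
        self._requests[rid] = req
        return rid

    def list_requests(self) -> List[TrackingRequest]:
        return list(self._requests.values())


def desired_requests(helper_dir: str) -> List[TrackingRequest]:
    """Request set of a server with a CA, helpers under helper_dir (assumed paths)."""
    def helper(name: str) -> str:
        return "%s/%s" % (helper_dir, name)

    ca_nicknames = ["auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca",
                    "subsystemCert cert-pki-ca", "caSigningCert cert-pki-ca",
                    "Server-Cert cert-pki-ca"]
    requests = [TrackingRequest("/etc/pki/pki-tomcat/alias", nick, helper("stop_pkicad"),
                                '%s "%s"' % (helper("renew_ca_cert"), nick))
                for nick in ca_nicknames]
    requests.append(TrackingRequest("/etc/httpd/alias", "ipaCert", None,
                                    helper("renew_ra_cert")))
    # The DS and HTTP Server-Cert requests that the thread found were not covered.
    requests.append(TrackingRequest("/etc/dirsrv/slapd-EXAMPLE-TEST", "Server-Cert", None,
                                    helper("restart_dirsrv") + " EXAMPLE-TEST"))
    requests.append(TrackingRequest("/etc/httpd/alias", "Server-Cert", None,
                                    helper("restart_httpd")))
    return requests


def certificate_renewal_update(state: Dict[str, int], cm: FakeCertmonger, helper_dir: str,
                               version: int = CERTIFICATE_RENEWAL_VERSION) -> bool:
    """Re-track every request when the expected set changed; True if it did.

    `state` stands in for the upgrade state file: once `version` is recorded
    there, later upgrades skip this step entirely.
    """
    if state.get(STATE_KEY) == version:
        return False
    wanted = desired_requests(helper_dir)
    missing = [req for req in wanted if cm.get_request_id(req) is None]
    if missing:
        # One mismatch means the configuration changed: stop all, start all again.
        for req in wanted:
            cm.stop_tracking(req.nssdb, req.nickname)
        for req in wanted:
            cm.start_tracking(req)
    state[STATE_KEY] = version
    return bool(missing)


def stale_requests(cm: FakeCertmonger, old_dir: str) -> List[TrackingRequest]:
    """Requests whose helpers still live under old_dir (the post-upgrade check)."""
    return [req for req in cm.list_requests()
            if (req.pre_command or "").startswith(old_dir + "/")
            or req.post_command.startswith(old_dir + "/")]


if __name__ == "__main__":
    state: Dict[str, int] = {}
    cm = FakeCertmonger(desired_requests(OLD_HELPER_DIR))  # installed before the move
    print("stale before upgrade:", len(stale_requests(cm, OLD_HELPER_DIR)))
    print("re-tracked:", certificate_renewal_update(state, cm, NEW_HELPER_DIR))
    print("stale after upgrade:", len(stale_requests(cm, OLD_HELPER_DIR)))
    print("second run re-tracked:", certificate_renewal_update(state, cm, NEW_HELPER_DIR))
```

Two properties fall out of the model: a second run at the same version is a no-op because the state file short-circuits it, and a server installed after the move records the version without touching anything because every lookup succeeds. Forgetting to bump the version is the failure mode to watch for: the old requests stay in place and the old paths are never rewritten.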


Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-22 Thread Martin Kosek
On 02/22/2016 04:04 PM, Jan Cholasta wrote:
> On 22.2.2016 15:56, David Kupka wrote:
>> On 22/02/16 07:28, Jan Cholasta wrote:
>>> On 18.2.2016 10:10, David Kupka wrote:
 On 19/01/16 16:10, David Kupka wrote:
> On 19/01/16 14:38, Jan Cholasta wrote:
>> On 19.1.2016 14:26, Martin Kosek wrote:
>>> On 01/19/2016 01:47 PM, David Kupka wrote:
 I've polished the patch attached to #5586 by Timo Aaltonen.

 Thanks for the patch. I've fixed the path in specfile and removed
 unused import
 but otherwise it works, ACK.

 https://fedorahosted.org/freeipa/ticket/5586
>>>
>>> Won't this break existing certmonger requests depending on the old
>>> path?
>>
>> It will, I don't see any upgrade code.
>>
>>>
>>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "auditSigningCert
>>> cert-pki-ca"
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "ocspSigningCert
>>> cert-pki-ca"
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "subsystemCert
>>> cert-pki-ca"
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "caSigningCert
>>> cert-pki-ca"
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "Server-Cert
>>> cert-pki-ca"
>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>>> RHEL72
>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>
>>
>>
>
> You're right it will break the upgrade. I haven't noticed that
> Server-Cert for DS and HTTPD are not handled by
> certificate_renewal_update (ipaserver.install.server.upgrade) where all
> the other trackings are stopped and then configured again with the
> paths.CERTMONGER_COMMAND_TEMPLATE already updated.
>
> Thanks for the catch.
>

 I've updated Timo's patch little more and added
 start_tracking_certificates() for dsinstance and httpinstance. Now the
 upgrade works as expected.
>>>
>>> The way the patches are split is kind of weird and apparently confusing
>>> (see the other thread). IMO there should be 2 patches: the first should
>>> add the ability to change DS and HTTP certmonger config during upgrade
>>> (i.e. the start_tracking_certificates() methods and
>>> certificate_renewal_update() changes), the second should move the
>>> helpers (i.e. the actual move and certificate_renewal_update() version
>>> bump).
>>>
>> Honza, do I understand it correctly that the code is OK but I did not
>> split it to the patches correctly?
> 
> Yes.

Before acking or pushing, can you please explain for me how the upgrade of
certmonger tracking requests work? I want to make sure this is right, so please
bear with me:

1) How does it edit existing tracking requests with the new helper paths?

2) Does it go and try to edit the requests on every upgrade? Or is there some
check that requests were updated?

Thanks,
Martin



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-22 Thread David Kupka

On 22/02/16 07:28, Jan Cholasta wrote:

On 18.2.2016 10:10, David Kupka wrote:

On 19/01/16 16:10, David Kupka wrote:

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in specfile and removed
unused import
but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old
path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"caSigningCert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"Server-Cert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
post-save command: /usr/lib64/ipa/certmonger/restart_httpd






You're right it will break the upgrade. I haven't noticed that
Server-Cert for DS and HTTPD are not handled by
certificate_renewal_update (ipaserver.install.server.upgrade) where all
the other trackings are stopped and then configured again with the
paths.CERTMONGER_COMMAND_TEMPLATE already updated.

Thanks for the catch.



I've updated Timo's patch little more and added
start_tracking_certificates() for dsinstance and httpinstance. Now the
upgrade works as expected.


The way the patches are split is kind of weird and apparently confusing
(see the other thread). IMO there should be 2 patches: the first should
add the ability to change DS and HTTP certmonger config during upgrade
(i.e. the start_tracking_certificates() methods and
certificate_renewal_update() changes), the second should move the
helpers (i.e. the actual move and certificate_renewal_update() version
bump).

Honza, do I understand it correctly that the code is OK but I did not 
split it to the patches correctly?


--
David Kupka



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-22 Thread Jan Cholasta

On 22.2.2016 15:56, David Kupka wrote:

On 22/02/16 07:28, Jan Cholasta wrote:

On 18.2.2016 10:10, David Kupka wrote:

On 19/01/16 16:10, David Kupka wrote:

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in specfile and removed
unused import
but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old
path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"caSigningCert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"Server-Cert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
RHEL72
post-save command: /usr/lib64/ipa/certmonger/restart_httpd






You're right it will break the upgrade. I haven't noticed that
Server-Cert for DS and HTTPD are not handled by
certificate_renewal_update (ipaserver.install.server.upgrade) where all
the other trackings are stopped and then configured again with the
paths.CERTMONGER_COMMAND_TEMPLATE already updated.

Thanks for the catch.



I've updated Timo's patch little more and added
start_tracking_certificates() for dsinstance and httpinstance. Now the
upgrade works as expected.


The way the patches are split is kind of weird and apparently confusing
(see the other thread). IMO there should be 2 patches: the first should
add the ability to change DS and HTTP certmonger config during upgrade
(i.e. the start_tracking_certificates() methods and
certificate_renewal_update() changes), the second should move the
helpers (i.e. the actual move and certificate_renewal_update() version
bump).


Honza, do I understand it correctly that the code is OK but I did not
split it to the patches correctly?


Yes.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-21 Thread Jan Cholasta

On 18.2.2016 10:10, David Kupka wrote:

On 19/01/16 16:10, David Kupka wrote:

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in specfile and removed
unused import
but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old
path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"caSigningCert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"Server-Cert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
post-save command: /usr/lib64/ipa/certmonger/restart_httpd






You're right it will break the upgrade. I haven't noticed that
Server-Cert for DS and HTTPD are not handled by
certificate_renewal_update (ipaserver.install.server.upgrade) where all
the other trackings are stopped and then configured again with the
paths.CERTMONGER_COMMAND_TEMPLATE already updated.

Thanks for the catch.



I've updated Timo's patch little more and added
start_tracking_certificates() for dsinstance and httpinstance. Now the
upgrade works as expected.


The way the patches are split is kind of weird and apparently confusing 
(see the other thread). IMO there should be 2 patches: the first should 
add the ability to change DS and HTTP certmonger config during upgrade 
(i.e. the start_tracking_certificates() methods and 
certificate_renewal_update() changes), the second should move the 
helpers (i.e. the actual move and certificate_renewal_update() version 
bump).


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-18 Thread Timo Aaltonen
18.02.2016, 18:51, Timo Aaltonen kirjoitti:
> 18.02.2016, 18:41, Timo Aaltonen kirjoitti:
>> 18.02.2016, 13:33, Martin Kosek kirjoitti:
>>> On 02/18/2016 10:10 AM, David Kupka wrote:
 From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
 From: Timo Aaltonen 
 Date: Tue, 19 Jan 2016 12:37:56 +0100
 Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.

 The scripts in this directory are simple python scripts, nothing 
 arch-specific
 in them. Having them under libexec would simplify the code a bit too, since
 there would be no need to worry about lib vs lib64 (which also cause 
 trouble
 on Debian).
>>>
>>> Isn't this the patch which moves our scripts in different location and thus
>>> breaks existing certmonger tracking requests *after upgrade*?
>>
>> Yes, there are two solutions that I can think of
>>
>> - add symlinks /usr/lib{,64}/certmonger -> /usr/libexec/certmonger
>> - modify existing tracking requests to use the new path
>>
>> the first might suffice with a transition period?
> 
> also, I assumed certmonger would move it's own scripts.. if not, just
> symlink the ipa ones not the whole dir.

Riiight, especially as the certmonger helpers are native binaries, so
those won't move :)

I hope to continue on porting 4.3 soon and revisit this again..

-- 
t



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-18 Thread Timo Aaltonen
18.02.2016, 18:41, Timo Aaltonen kirjoitti:
> 18.02.2016, 13:33, Martin Kosek kirjoitti:
>> On 02/18/2016 10:10 AM, David Kupka wrote:
>>> From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
>>> From: Timo Aaltonen 
>>> Date: Tue, 19 Jan 2016 12:37:56 +0100
>>> Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.
>>>
>>> The scripts in this directory are simple python scripts, nothing 
>>> arch-specific
>>> in them. Having them under libexec would simplify the code a bit too, since
>>> there would be no need to worry about lib vs lib64 (which also cause trouble
>>> on Debian).
>>
>> Isn't this the patch which moves our scripts in different location and thus
>> breaks existing certmonger tracking requests *after upgrade*?
> 
> Yes, there are two solutions that I can think of
> 
> - add symlinks /usr/lib{,64}/certmonger -> /usr/libexec/certmonger
> - modify existing tracking requests to use the new path
> 
> the first might suffice with a transition period?

also, I assumed certmonger would move it's own scripts.. if not, just
symlink the ipa ones not the whole dir.


-- 
t



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-18 Thread Timo Aaltonen
18.02.2016, 13:33, Martin Kosek kirjoitti:
> On 02/18/2016 10:10 AM, David Kupka wrote:
>> From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
>> From: Timo Aaltonen 
>> Date: Tue, 19 Jan 2016 12:37:56 +0100
>> Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.
>>
>> The scripts in this directory are simple python scripts, nothing 
>> arch-specific
>> in them. Having them under libexec would simplify the code a bit too, since
>> there would be no need to worry about lib vs lib64 (which also cause trouble
>> on Debian).
> 
> Isn't this the patch which moves our scripts in different location and thus
> breaks existing certmonger tracking requests *after upgrade*?

Yes, there are two solutions that I can think of

- add symlinks /usr/lib{,64}/certmonger -> /usr/libexec/certmonger
- modify existing tracking requests to use the new path

the first might suffice with a transition period?

-- 
t



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-18 Thread Martin Kosek
On 02/18/2016 10:10 AM, David Kupka wrote:
> From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
> From: Timo Aaltonen 
> Date: Tue, 19 Jan 2016 12:37:56 +0100
> Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.
> 
> The scripts in this directory are simple python scripts, nothing arch-specific
> in them. Having them under libexec would simplify the code a bit too, since
> there would be no need to worry about lib vs lib64 (which also cause trouble
> on Debian).

Isn't this the patch which moves our scripts in different location and thus
breaks existing certmonger tracking requests *after upgrade*?



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-18 Thread David Kupka

On 19/01/16 16:10, David Kupka wrote:

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in specfile and removed
unused import
but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"caSigningCert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"Server-Cert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
post-save command: /usr/lib64/ipa/certmonger/restart_httpd






You're right it will break the upgrade. I haven't noticed that
Server-Cert for DS and HTTPD are not handled by
certificate_renewal_update (ipaserver.install.server.upgrade) where all
the other trackings are stopped and then configured again with the
paths.CERTMONGER_COMMAND_TEMPLATE already updated.

Thanks for the catch.



I've updated Timo's patch little more and added 
start_tracking_certificates() for dsinstance and httpinstance. Now the 
upgrade works as expected.


--
David Kupka
From 64927531ec69b77f705691590070fcb8dc634aed Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 17 Feb 2016 15:18:04 +0100
Subject: [PATCH 1/2] dsinstance: add start_tracking_certificates method

Configure certmonger to start tracking certificate for DS.

https://fedorahosted.org/freeipa/ticket/5586
---
 ipaserver/install/dsinstance.py | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3d5734efe7ad0ed2ccf03120b8461db9f99aa318..1def76b575dd10dcf2f737c37cce8e499440d319 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -968,6 +968,16 @@ class DsInstance(service.Service):
 dsdb = certs.CertDB(self.realm, nssdir=dirname)
 dsdb.untrack_server_cert(self.nickname)
 
+def start_tracking_certificates(self, serverid=None):
+if serverid is None:
+serverid = self.get_state("serverid")
+if serverid is not None:
+dirname = config_dirname(serverid)[:-1]
+dsdb = certs.CertDB(self.realm, nssdir=dirname)
+dsdb.track_server_cert(self.nickname, self.principal,
+   dsdb.passwd_fname,
+   'restart_dirsrv %s' % serverid)
+
 # we could probably move this function into the service.Service
 # class - it's very generic - all we need is a way to get an
 # instance of a particular Service
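Review bot: when `serverid` is still None after `serverid = self.get_state("serverid")`, the new `start_tracking_certificates` returns without tracking anything and without a log message, so an upgrade that takes that branch leaves the DS Server-Cert untracked while the caller assumes tracking was re-established; log a warning (or raise) there instead of falling through silently. The rest of the hunk is consistent with the existing method above it: `config_dirname(serverid)[:-1]` and `certs.CertDB(self.realm, nssdir=dirname)` mirror `stop_tracking_certificates`, and `'restart_dirsrv %s' % serverid` reproduces the `restart_dirsrv RHEL72` post-save command seen in the `getcert list` output quoted earlier in the thread.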
-- 
2.5.0

From a324e680e9d7603f9175f92c44e4002c2917d83a Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 17 Feb 2016 15:18:17 +0100
Subject: [PATCH 2/2] httpinstance: add start_tracking_certificates method

Configure certmonger to start tracking certificate for httpd.

https://fedorahosted.org/freeipa/ticket/5586
---
 ipaserver/install/httpinstance.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3b46dce82cae017328c9555c543e78b64e642c89..437016b88a7f813744d29fa37f257a744c590fd8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -533,3 +533,8 @@ class HTTPInstance(service.Service):
 def stop_tracking_certificates(self):
 db = certs.CertDB(api.env.realm)
 db.untrack_server_cert(self.cert_nickname)
+
+def start_tracking_certificates(self):
+db = certs.CertDB(self.realm)
+db.track_server_cert(self.cert_nickname, self.principal,
+ db.passwd_fname, 'restart_httpd')
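Review bot: the new method builds its database with `certs.CertDB(self.realm)` while `stop_tracking_certificates` directly above it uses `certs.CertDB(api.env.realm)`; during upgrade both are called on the same HTTPInstance, so if `self.realm` is not populated on that path the stop and start halves would address different databases (or a None realm). Use one source of the realm in both methods, for example `db = certs.CertDB(api.env.realm)` here too, or switch the stop method to `self.realm`. A one-line docstring saying this is the counterpart that certificate_renewal_update() calls after stopping would also help the next reader.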
-- 
2.5.0

From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 19 Jan 2016 12:37:56 +0100
Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.

The scripts in this directory are simple python scripts, nothing arch-specific
in them. Having them under libexec would simplify the code a bit too, since
there would be no need to worry 

Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-01-20 Thread Petr Spacek
On 19.1.2016 16:10, David Kupka wrote:
> On 19/01/16 14:38, Jan Cholasta wrote:
>> On 19.1.2016 14:26, Martin Kosek wrote:
>>> On 01/19/2016 01:47 PM, David Kupka wrote:
 I've polished the patch attached to #5586 by Timo Aaltonen.

 Thanks for the patch. I've fixed the path in specfile and removed
 unused import
 but otherwise it works, ACK.

 https://fedorahosted.org/freeipa/ticket/5586
>>>
>>> Won't this break existing certmonger requests depending on the old path?
>>
>> It will, I don't see any upgrade code.
>>
>>>
>>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>
>>
>>
> 
> You're right it will break the upgrade. I haven't noticed that Server-Cert for
> DS and HTTPD are not handled by certificate_renewal_update
> (ipaserver.install.server.upgrade) where all the other trackings are stopped
> and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already
> updated.

LOL, one more reason to centralize the certificate madness to one place? :-)

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-01-20 Thread Jan Cholasta

On 20.1.2016 10:05, Petr Spacek wrote:

On 19.1.2016 16:10, David Kupka wrote:

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in specfile and removed
unused import
but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
post-save command: /usr/lib64/ipa/certmonger/restart_httpd

You're right it will break the upgrade. I haven't noticed that Server-Cert for
DS and HTTPD are not handled by certificate_renewal_update
(ipaserver.install.server.upgrade) where all the other trackings are stopped
and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already
updated.


LOL, one more reason to centralize the certificate madness to one place? :-)


Definitely!

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-01-19 Thread Martin Kosek
On 01/19/2016 01:47 PM, David Kupka wrote:
> I've polished the patch attached to #5586 by Timo Aaltonen.
> 
> Thanks for the patch. I've fixed the path in specfile and removed unused 
> import
> but otherwise it works, ACK.
> 
> https://fedorahosted.org/freeipa/ticket/5586

Won't this break existing certmonger requests depending on the old path?

# getcert list | grep '/usr/lib64/ipa/certmonger'
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
post-save command: /usr/lib64/ipa/certmonger/restart_httpd

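A check for the breakage Martin points out, added here as an example and not FreeIPA's own code: it parses full `getcert list` output (the grep above shows only the command lines of that format) and reports every tracking request whose pre-/post-save helper still lives under the old directory. The sample output, request IDs and NSS DB locations are constructed.

```python
"""Detect certmonger tracking requests whose helper commands still point at the
old /usr/lib64/ipa/certmonger directory after the helpers moved to libexecdir."""
import re
import shlex

OLD_HELPER_DIR = "/usr/lib64/ipa/certmonger"

# Constructed `getcert list` excerpt (request IDs and NSS DB locations are made
# up); only the fields this check needs are included.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20160119123456':
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20160119123457':
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
Request ID '20160119123458':
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
"""

def parse_getcert_list(text):
    """Return one dict per request: its ID plus every tab-indented 'key: value'
    field that follows it, split at the first colon (values may contain colons)."""
    requests, current = [], None
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
        elif current is not None and line.startswith("\t") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def stale_helper_requests(requests, old_dir=OLD_HELPER_DIR):
    """Return (request_id, field, helper) for every pre-/post-save command whose
    executable (the first shell word) still lives under old_dir."""
    stale = []
    for req in requests:
        for field in ("pre-save command", "post-save command"):
            helper = shlex.split(req.get(field, ""))[:1]  # [] when the field is empty
            if helper and helper[0].startswith(old_dir + "/"):
                stale.append((req["request_id"], field, helper[0]))
    return stale
```

Feed it the real output of `getcert list` on a server after the package update; any request it reports will run a helper that no longer exists at renewal time.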


Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-01-19 Thread Jan Cholasta

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in specfile and removed unused import
but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
post-save command: /usr/lib64/ipa/certmonger/restart_httpd

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-01-19 Thread David Kupka

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in specfile and removed
unused import
but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
post-save command: /usr/lib64/ipa/certmonger/restart_httpd

You're right it will break the upgrade. I haven't noticed that 
Server-Cert for DS and HTTPD are not handled by 
certificate_renewal_update (ipaserver.install.server.upgrade) where all 
the other trackings are stopped and then configured again with the 
paths.CERTMONGER_COMMAND_TEMPLATE already updated.


Thanks for the catch.

--
David Kupka
