URL: https://github.com/freeipa/freeipa/pull/1116
Author: rcritten
 Title: #1116: Enable ephemeral KRA requests
Action: opened

PR body:
"""
Enabling ephemeral KRA requests will reduce the amount of LDAP
write operations and improve overall performance.

https://pagure.io/freeipa/issue/6703

NOTE: I'm not 100% sure about the upgrade for existing instances. My reasoning is that
tomcat is always stopped, and within that block the CA (if any) is updated. Since the
KRA runs in the same service, that is why I put the KRA update code there. It worked
in my testing.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1116/head:pr1116
git checkout pr1116
From b45657d6cec3b89dd73d61748861b56ab428e757 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 27 Sep 2017 17:45:38 -0400
Subject: [PATCH] Enable ephemeral KRA requests

Enabling ephemeral KRA requests will reduce the amount of LDAP
write operations and improve overall performance.

https://pagure.io/freeipa/issue/6703
---
 ipaserver/install/cainstance.py     |  3 +--
 ipaserver/install/krainstance.py    | 14 ++++++++++++++
 ipaserver/install/server/upgrade.py | 18 ++++++++++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6b3ad3fb1b..c377c9a631 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1326,11 +1326,10 @@ def replica_ca_install_check(config, promote):
         exit('IPA schema missing on master CA directory server')
 
 
-def backup_config():
+def backup_config(path=paths.CA_CS_CFG_PATH):
     """
     Create a backup copy of CS.cfg
     """
-    path = paths.CA_CS_CFG_PATH
     if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
         raise RuntimeError(
             "Dogtag must be stopped when creating backup of %s" % path)
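Review bot: The docstring of the changed `backup_config` still reads only "Create a backup copy of CS.cfg", although `path` now selects which CS.cfg is copied (the upgrade code passes `paths.KRA_CS_CFG_PATH`); add a parameter line such as `:param path: CS.cfg file to back up; defaults to the CA's CS.cfg.` The unchanged running-service check after it still applies to every path, which is consistent with the PR note that the KRA runs in the same pki-tomcat service, so callers backing up the KRA file get the same protection. The body of backup_config continues past the end of the hunk.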
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index c1af7c0bd6..5e63f85dab 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -120,6 +120,7 @@ def configure_instance(self, realm_name, host_name, dm_password,
         if promote:
             self.step("destroying installation admin user",
                       self.teardown_admin)
+        self.step("enabling ephemeral requests", self.enable_ephemeral)
         self.step("restarting KRA", self.restart_instance)
         self.step("configure certmonger for renewals",
                   self.configure_certmonger_renewal)
@@ -348,6 +349,19 @@ def __apply_updates(self):
                                    sub_dict=sub_dict)
         ld.update([os.path.join(paths.UPDATES_DIR, '40-vault.update')])
 
+    def enable_ephemeral(self):
+        """
+        Enable ephemeral KRA requests to reduce the number of LDAP
+        write operations.
+        """
+        with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
+            installutils.set_directive(
+                paths.KRA_CS_CFG_PATH,
+                'kra.ephemeralRequests',
+                'true', quotes=False, separator='=')
+
+        # A restart is required
+
     @staticmethod
     def update_cert_config(nickname, cert):
         """
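Review bot: The trailing comment `# A restart is required` in the new `enable_ephemeral` is detached from any statement and does not say who performs the restart; in `configure_instance` this step is followed by the `restart_instance` step, and the upgrade path calls `kra.start('pki-tomcat')` separately, while `installutils.stopped_service` presumably restores the service state on exit. Replace it with a comment that names the mechanism, e.g. `# pki-tomcat re-reads CS.cfg only on restart; the caller's next step (restart_instance, or kra.start() during upgrade) performs it`, or drop it. Consider also moving the "already true" check that upgrade.py does around this call into this method, so both the install and the upgrade path skip the stop/start cycle when `kra.ephemeralRequests` is already set. enable_ephemeral is the only definition fully inside the hunk; the enclosing class continues outside it.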
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 06e188615a..b6f369c2b1 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -44,6 +44,7 @@
 from ipaserver.install import bindinstance
 from ipaserver.install import service
 from ipaserver.install import cainstance
+from ipaserver.install import krainstance
 from ipaserver.install import certs
 from ipaserver.install import otpdinstance
 from ipaserver.install import schemaupdate
@@ -1651,6 +1652,8 @@ def upgrade_configuration():
             api.env.realm, host_name=api.env.host)
     ca_running = ca.is_running()
 
+    kra = krainstance.KRAInstance(api.env.realm)
+
     # create passswd.txt file in PKI_TOMCAT_ALIAS_DIR if it does not exist
     # this file will be required on most actions over this NSS DB in FIPS
     if ca.is_configured() and not os.path.exists(os.path.join(
@@ -1692,11 +1695,26 @@ def upgrade_configuration():
             )
         upgrade_pki(ca, fstore)
 
+        if kra.is_configured():
+            logger.info('[Ensuring ephemeralRequest is enabled in KRA]')
+            cainstance.backup_config(path=paths.KRA_CS_CFG_PATH)
+            value = installutils.get_directive(
+                paths.KRA_CS_CFG_PATH,
+                'kra.ephemeralRequests',
+                separator='=')
+            if value is None or value.lower() != 'true':
+                logger.info('Enabling ephemeralRequest')
+                kra.enable_ephemeral()
+            else:
+                logger.info('ephemeralRequest is already enabled')
+
     # several upgrade steps require running CA.  If CA is configured,
     # always run ca.start() because we need to wait until CA is really ready
     # by checking status using http
     if ca.is_configured():
         ca.start('pki-tomcat')
+    if kra.is_configured() and not kra.is_running():
+        kra.start('pki-tomcat')
 
     certmonger_service = services.knownservices.certmonger
     if ca.is_configured() and not certmonger_service.is_running():
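Review bot: `cainstance.backup_config(path=paths.KRA_CS_CFG_PATH)` at the top of the new KRA block runs on every upgrade before the code decides whether anything will change, so the previous backup of the KRA CS.cfg is overwritten even when `kra.ephemeralRequests` is already `true`; move the call into the `if value is None or value.lower() != 'true':` branch, directly before `kra.enable_ephemeral()`. The log messages say `ephemeralRequest` while the directive written is `kra.ephemeralRequests`; using the real key in the messages lets an operator grep the upgrade log for what was actually changed in CS.cfg. The block relies on pki-tomcat already being stopped at this point (the PR note says it is), and `backup_config` enforces that by raising RuntimeError if it is not, so the assumption is at least checked rather than silent. upgrade_configuration starts before this hunk.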