URL: https://github.com/freeipa/freeipa/pull/2687
Author: xxblx
 Title: #2687: [Backport][ipa-4-7] Replace nss.conf with zero-length file 
instead of removing
Action: opened

PR body:
"""
This PR was opened automatically because PR #2672 was pushed to master and 
backport to ipa-4-7 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2687/head:pr2687
git checkout pr2687
From 4122268bb3205f7f3cca72ef89f2378629829082 Mon Sep 17 00:00:00 2001
From: Oleg Kozlov <okoz...@redhat.com>
Date: Tue, 11 Dec 2018 14:00:25 +0100
Subject: [PATCH] Replace nss.conf with zero-length file instead of removing

An empty nss.conf prevents the file from being recreated when the `mod_nss` package is reinstalled. This is needed because the default (i.e. recreated) nss.conf contains `Listen 8443`, and that port is used by dogtag.

Fixes: https://pagure.io/freeipa/issue/7745
---
 ipaserver/install/httpinstance.py |  7 +++++--
 ipaserver/install/ipa_restore.py  | 20 ++++++++++++++++++--
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 1b1e7a03d4..0e9a4e6794 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -226,7 +226,9 @@ def backup_ssl_conf(self):
 
     def disable_nss_conf(self):
         """
-        Backs up and removes the original nss.conf file.
+        Backs up the original nss.conf file and replace it with the empty one.
+        Empty file avoids recreation of nss.conf in case the package is
+        reinstalled.
 
         There is no safe way to co-exist since there is no safe port
         to make mod_nss use, disable it completely.
@@ -236,7 +238,8 @@ def disable_nss_conf(self):
             # (mod_nss -> mod_ssl upgrade scenario)
             if not self.fstore.has_file(paths.HTTPD_NSS_CONF):
                 self.fstore.backup_file(paths.HTTPD_NSS_CONF)
-            installutils.remove_file(paths.HTTPD_NSS_CONF)
+
+        open(paths.HTTPD_NSS_CONF, 'w').close()
 
     def set_mod_ssl_protocol(self):
         directivesetter.set_directive(paths.HTTPD_SSL_CONF,
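Review bot: The added `open(paths.HTTPD_NSS_CONF, 'w').close()` is indented one level less than the removed `remove_file` call, so it appears to run even when nss.conf was never present; the enclosing condition starts outside the hunk, so this is inferred from indentation. In that case the file is created with whatever mode the installer's umask yields, and nothing pins its ownership or mode afterwards. I would write the truncation as `with open(paths.HTTPD_NSS_CONF, 'w'): pass` and follow it with `os.chmod(paths.HTTPD_NSS_CONF, 0o644)`, assuming `os` is already imported in this module. A short comment such as `# keep a zero-length nss.conf so a mod_nss reinstall does not restore "Listen 8443"` above the line would also explain why the file is created unconditionally.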
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 1916d30631..b6b02a9ef0 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -144,8 +144,12 @@ class Restore(admintool.AdminTool):
         paths.DNSSEC_TOKENS_DIR,
     ]
 
-    FILES_TO_BE_REMOVED = [
-        paths.HTTPD_NSS_CONF,
+    FILES_TO_BE_REMOVED = []
+
+    # files listed here cannot be removed and these files will be
+    # replaced with zero-length files
+    FILES_TO_BE_CLEARED = [
+        paths.HTTPD_NSS_CONF
     ]
 
     def __init__(self, options, args):
@@ -404,6 +408,7 @@ def run(self):
             # We do either a full file restore or we restore data.
             if restore_type == 'FULL':
                 self.remove_old_files()
+                self.clear_old_files()
                 self.cert_restore_prepare()
                 self.file_restore(options.no_logs)
                 self.cert_restore()
@@ -721,6 +726,17 @@ def remove_old_files(self):
                 if e.errno != 2:  # 2: file does not exist
                     logger.warning("Could not remove file: %s (%s)", f, e)
 
+    def clear_old_files(self):
+        """
+        Replace exist files that cannot be removed with zero-length files
+        before backup
+        """
+        for f in self.FILES_TO_BE_CLEARED:
+            if os.access(f, os.W_OK):
+                open(f, 'w').close()
+            else:
+                logger.warning('Could not open file for writing: %s', f)
+
     def file_restore(self, nologs=False):
         '''
         Restore all the files in the tarball.
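Review bot: In `clear_old_files` the `os.access(f, os.W_OK)` test followed by `open(f, 'w')` is a check-then-use pair that does not protect the restore. For root the access check nearly always passes, while `open()` can still raise (read-only filesystem, immutable file) and abort the run. A missing file makes `os.access` return False, so it is reported as "Could not open file for writing" and is not created, which differs from `disable_nss_conf` in httpinstance.py, where the empty file is always written. Attempting the open and logging the failure, as `remove_old_files` just above does for its `OSError`, closes the gap and makes both code paths agree; whether creating a missing file is wanted during restore should be confirmed. The docstring also says "before backup" although the method is called from the FULL restore path, so "before restore" would be accurate.

```python
    def clear_old_files(self):
        # … unchanged: docstring …
        for f in self.FILES_TO_BE_CLEARED:
            try:
                # truncates an existing file, creates it when absent
                with open(f, 'w'):
                    pass
            except (IOError, OSError) as e:
                logger.warning('Could not clear file: %s (%s)', f, e)
```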