Adam Young wrote:
Not yet ready for prime time.
I've tested the changes to updateinstance by hand, so I know they work.
I'm having problems with the python import setup.
RPM build fails with:
install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 'installutils'
And, if I uncomment the import for http utils, I get an error at run
time as well. That confuses me, as I am able to import installutils at
runtime.
I think these patches fix it. Please double check my comments. I tested
this on a non-updated dogtag install (i.e. it doesn't have the new
script) and it didn't seem to break anything.
rob
>From ddbb78fde74e07e67805ed0a3aee22a4e8aaf8d5 Mon Sep 17 00:00:00 2001
From: Adam Young <ayo...@redhat.com>
Date: Thu, 6 Oct 2011 20:37:57 -0400
Subject: [PATCH 1/2] Make mod_nss renegotiation configuration a public
function
---
ipaserver/install/httpinstance.py | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index dbb0dd5..c5c047c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -76,7 +76,7 @@ class HTTPInstance(service.Service):
self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
- self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate)
+ self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
self.step("adding URL rewriting rules", self.__add_include)
self.step("configuring httpd", self.__configure_http)
self.step("setting up ssl", self.__setup_ssl)
@@ -166,9 +166,9 @@ class HTTPInstance(service.Service):
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
- def __enable_mod_nss_renegotiate(self):
- installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
- installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
+ def enable_mod_nss_renegotiate(self):
+ installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on', False)
+ installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
def __set_mod_nss_passwordfile(self):
installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
--
1.7.6.4
>From 41f6544ea55afd0229e18769853c1e6227baa191 Mon Sep 17 00:00:00 2001
From: Adam Young <ayo...@redhat.com>
Date: Thu, 6 Oct 2011 20:37:18 -0400
Subject: [PATCH 2/2] Execute pki proxy setup when server is upgraded if
needed
---
install/tools/ipa-upgradeconfig | 23 +++++++++++++++++++++--
1 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 1b08382..406da93 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -25,7 +25,10 @@ Upgrade configuration files to a newer template.
import sys
try:
- from ipapython import ipautil
+ from ipapython import ipautil, sysrestore
+ from ipaserver.install import installutils
+ from ipaserver.install import dsinstance
+ from ipaserver.install import httpinstance
import krbV
import re
import os
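Review bot: `dsinstance` is imported here but none of the new code in this patch references it; unless the rest of ipa-upgradeconfig outside these hunks uses it, the import should be dropped, since it adds one more module-level dependency of the kind the cover letter says pylint is already complaining about. The `except` clause that handles an ImportError from this block is outside the hunk, so it is not visible whether a failed `ipaserver.install` import produces a readable message.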
@@ -135,6 +138,22 @@ def check_certs():
print "Missing Certification Authority file."
print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt"
+def upgrade_pki():
+ """
+ Update/add the dogtag proxy configuration. The IPA side of this is
+ handled in ipa-pki-proxy.conf.
+
+ This requires enabling SSL renegotiation.
+ """
+ fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+ http = httpinstance.HTTPInstance(fstore)
+ http.enable_mod_nss_renegotiate()
+ if not installutils.get_directive('/etc/pki-ca/CS.cfg',
+ 'proxy.securePort', '=') and \
+ os.path.exists('/usr/bin/pki-setup-proxy'):
+ ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
+ ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+
def main():
"""
Get some basics about the system. If getting those basics fail then
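Review bot: `upgrade_pki()` assumes a dogtag CA is installed on the host: `installutils.get_directive('/etc/pki-ca/CS.cfg', ...)` is evaluated before the `os.path.exists` test, and on a server without a CA (no CS.cfg) get_directive will presumably raise on the missing file rather than return an empty value, which would abort the whole upgrade from the unconditional `upgrade_pki()` call added in the last hunk of this patch. Guard at the top of the function with `if not os.path.exists('/etc/pki-ca/CS.cfg'): return` and move the `os.path.exists('/usr/bin/pki-setup-proxy')` test ahead of the get_directive call, so the nss.conf renegotiation change is also only made on hosts that actually proxy to a CA. The docstring could additionally say that the nss.conf edit takes effect only once httpd is restarted; whether main() does that is outside the hunk. A style point: the argument list of the `ipautil.run` call starts its continuation line with a comma, where one argument per line with trailing commas is the conventional layout.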
@@ -162,7 +181,7 @@ def main():
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
-
+ upgrade_pki()
try:
if __name__ == "__main__":
sys.exit(main())
--
1.7.6.4