Agreed with your assessment that the --check-ca is not needed, as we
will be checking this into 3.1 (and not 3.0).

Attached is a patch for the "request object" issue.  Basically, the
replication was not working because ipa-replica-prepare was passing in
the wrong port when creating the replica package.

Let me know if you have issues - and remember to add the missing link to
the master.  That fix to add that link will be checked in today and
should be in the dogtag developer nightly build as of tomorrow.

Ade

On Fri, 2012-10-05 at 11:57 +0200, Petr Viktorin wrote:
> On 10/04/2012 10:04 PM, Ade Lee wrote:
> > Attached is a patch to handle the ipa-replica-conncheck issue.  It
> > should be applied on top of your patch.
> >
> > Essentially, the fix is as follows:
> > A. If the DS_PORT = 7389, then we pass --check-ca in the
> > ipa-replica-conncheck to be executed on the master.
> > a1. If the master is ipa 2.x, this will prompt a check for port 7389.
> > a2. If the master is ipa 3, this will default to dogtag_ds_port of 7389.
> >
> > B. Else if DS_PORT = 389, then we pass nothing to the
> > ipa-replica-conncheck to be executed on the master.  This is because we
> > will be checking 389 in any case for the IPA DS check.
> >
> > Ade
> 
> The code works, I got past the connection check, and now I'm getting the 
> same internal server error with a clone from IPA 2.2 as with a clone 
> from "3.0 upgraded from 2.2" (unknown object class "request").
> 
> However, since with this patch IPA will depend on Dogtag 10, 
> install_constants.DS_PORT will always be 389, so case A will never 
> happen. I think the two if-blocks that add the --check-ca can be dropped 
> entirely.
> 
> Assuming that even a clone from an old instance will use the single DB,
> conncheck's --dogtag-master-ds-port option is redundant: iff the server 
> supports it, it uses port 389 which doesn't need re-checking.
> 
> >
> > 0001-Allow-ipa-replica-conncheck-to-work-with-2.2-instanc.patch
> >
> >
> >  From a9cd4cb15e6c230e5690f3fa919fda9c5728ee10 Mon Sep 17 00:00:00 2001
> > From: Ade Lee<a...@redhat.com>
> > Date: Thu, 4 Oct 2012 15:55:29 -0400
> > Subject: [PATCH] Allow ipa-replica-conncheck to work with 2.2 instances
> >
> > ---
> >   install/tools/ipa-replica-conncheck | 15 +++++++--------
> >   1 file changed, 7 insertions(+), 8 deletions(-)
> >
> > diff --git a/install/tools/ipa-replica-conncheck 
> > b/install/tools/ipa-replica-conncheck
> > index 
> > c9fb816be43d873a6ca79396e77270fd0d10aa12..498ef49e84e1dc8325b6fc2d850c8bffb9297e69
> >  100755
> > --- a/install/tools/ipa-replica-conncheck
> > +++ b/install/tools/ipa-replica-conncheck
> > @@ -282,7 +282,11 @@ def main():
> >
> >       required_ports = BASE_PORTS
> >       if options.check_ca:
> > -        ca_port = CheckedPort(int(options.dogtag_master_ds_port), 
> > SOCK_STREAM,
> > +        port_val = 7389
> > +        if options.dogtag_master_ds_port:
> > +            port_val = int(options.dogtag_master_ds_port)
> > +
> > +        ca_port = CheckedPort(port_val, SOCK_STREAM,
> >                                 "PKI-CA: Directory Service port")
> >           required_ports.extend([ca_port])
> >
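Review bot: On the `+        port_val = 7389` line, the fallback port is a bare literal with no comment saying where 7389 comes from or when `options.dogtag_master_ds_port` is expected to be unset. Defining it once as a named constant, or as the option's declared default, would keep it from drifting from the other places that test for 7389. Separately, in the context lines, `required_ports = BASE_PORTS` followed by `required_ports.extend([ca_port])` extends the shared BASE_PORTS object rather than a copy; `list(BASE_PORTS)` would avoid that.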
> > @@ -359,11 +363,8 @@ def main():
> >                   raise RuntimeError("Could not get ticket for master 
> > server: %s" % stderr)
> >
> >               remote_check_opts = ['--replica %s' % options.hostname]
> > -            if options.check_ca:
> > +            if options.check_ca and dogtag.install_constants.DS_PORT == 
> > 7389:
> >                   remote_check_opts.append('--check-ca')
> > -                remote_check_opts.extend(["--dogtag-master-ds-port",
> > -                    str(dogtag.install_constants.DS_PORT)])
> > -
> >
> >               print_info("Execute check on remote master")
> >
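Review bot: The new condition `dogtag.install_constants.DS_PORT == 7389` repeats the literal 7389 from the first hunk and, when `options.check_ca` is set but the port differs, drops `--check-ca` from the remote check with no message or comment. A one-line comment stating why the remote CA check is skipped in that case, plus a shared named constant for the port, would make the intent reviewable. Petr's reply in this thread also questions whether this branch can still be reached, which is worth settling before merging.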
> > @@ -387,10 +388,8 @@ def main():
> >               print_info("Please run the following command on remote 
> > master:")
> >
> >               remote_check_opts = ['--replica %s' % options.hostname]
> > -            if options.check_ca:
> > +            if options.check_ca and dogtag.install_constants.DS_PORT == 
> > 7389:
> >                   remote_check_opts.append('--check-ca')
> > -                remote_check_opts.extend(["--dogtag-master-ds-port",
> > -                    str(dogtag.install_constants.DS_PORT)])
> >
> >               print_info("/usr/sbin/ipa-replica-conncheck " + " 
> > ".join(remote_check_opts))
> >               time.sleep(3600)
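Review bot: The condition on the `+            if options.check_ca and dogtag.install_constants.DS_PORT ==` line is a copy of the one in the previous hunk, so the automatic path and the manual "please run the following command" path can drift apart; building `remote_check_opts` in one helper used by both would prevent that. Also, the command shown to the administrator is assembled from `'--replica %s' % options.hostname` and `" ".join(remote_check_opts)`, so the hostname lands in a command line meant to be pasted into a shell without any quoting; quoting the value before printing would be safer.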
> > -- 1.7.12
> >
> 
> 

From 424288306c6682fc99ef518b1c11a49880988564 Mon Sep 17 00:00:00 2001
From: Ade Lee <a...@redhat.com>
Date: Fri, 5 Oct 2012 15:18:50 -0400
Subject: [PATCH] Fix ipa-replica-prepare to include correct port

---
 install/tools/ipa-replica-prepare | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 5a566d61df521d3801c41a07753a2af728a7b6e7..80fb8d1de9555ad1ac957560f2d022e7b41adb1d 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -372,7 +372,7 @@ def main():
         print "Saving dogtag Directory Server port"
         port_fname = dir + "/dogtag_directory_port.txt"
         with open(port_fname, "w") as fd:
-            fd.write("%s\n" % str(dogtag.install_constants.DS_PORT))
+            fd.write("%s\n" % str(dogtag.configured_constants().DS_PORT))
 
     if options.http_pin:
         passwd = options.http_pin
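Review bot: On the `+            fd.write(...)` line, `dogtag.configured_constants()` is now a call evaluated inside the `with open(port_fname, "w")` block, so if it raises, an empty dogtag_directory_port.txt is left behind in the replica package directory. Reading the port into a local variable before opening the file would avoid that. The `str()` around the value is also redundant with the `%s` format, and the commit message has no body saying which port was previously written and why it was wrong, which would help anyone bisecting replica install failures later.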
-- 
1.7.12.1
