On 10/25/2013 12:33 PM, Petr Viktorin wrote:
On 10/25/2013 10:31 AM, Martin Kosek wrote:
Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).

To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
if either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974



TO TEST:
1. Install newest mod_nss:
F19: http://koji.fedoraproject.org/koji/buildinfo?buildID=473624
2. Install patched freeipa
3. Install mod_ssl
4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on
10443 or others
5. "setenforce 0" to allow httpd listen on that port
6. ipa-server-install

When mod_ssl.rpm is installed *after* ipa-server-install, no check is done,
Apache just fails to start.
We need to document this.

Document where exactly? Ideas welcome. FreeIPA server uses a set of ports,
defined in
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/installing-ipa.html#prerequisites

When any other service binds to any of these ports, some IPA service won't work, regardless of whether it is mod_ssl or a custom user service. People would probably not read the FreeIPA documentation before installing mod_ssl anyway...

The server should now listen on both 443 with mod_nss and 10443 with
mod_ssl. CLI and Web UI should continue to work, as well as cert
operations like "cert-show 1" - cert operations would not work if new
mod_nss is not updated.

That is the Apache server, right? IPA is only on 443.

Yup. This just refers to the testing hints above, where I suggested configuring mod_ssl to listen on some custom port to prove that both mod_ssl and mod_nss can run on the same server.


Martin



freeipa-mkosek-433-make-set_directive-and-get_directive-more-strict.patch

ACK

freeipa-mkosek-434-remove-mod_ssl-conflict.patch

Just a comment on logging:

+def httpd_443_configured():
+    """
+    We now allow mod_ssl to be installed so don't automatically disable it.
+    However it can't share the same listen port as mod_nss, so check for that.
+
+    Returns True if something other than mod_nss is listening on 443.
+    False otherwise.
+    """
+    try:
+        (stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D',
'DUMP_VHOSTS'])
+    except ipautil.CalledProcessError, e:
+        print >> sys.stderr, "WARNING: cannot check if port 443 is already
configured."
+        print >> sys.stderr, "httpd returned error when checking:", str(e)
+        return False
+
+    port_line_re = re.compile(r'(?P<address>\S+):(?P<port>\d+)')
+    for line in stdout.splitlines():
+        m = port_line_re.match(line)
+        if m and int(m.group('port')) == 443:
+            print "WARNING: Apache is already configured with a listener on
port 443:"
+            print line
+            return True

Please also log these messages, otherwise the log ends up not being very 
helpful.

Since the installation aborts, I think these should be ERROR or CRITICAL, not
WARNING.

Right. I used service.print_msg as you suggested on IRC.

Martin
From 63dbf0fe14a1abbc4cf96922f8213d43c48b93fb Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 25 Oct 2013 10:22:08 +0200
Subject: [PATCH] Remove mod_ssl conflict

Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).

To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
if either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974
---
 freeipa.spec.in                   |  9 ++++----
 install/tools/ipa-replica-install |  4 ++++
 install/tools/ipa-server-install  |  4 ++++
 install/tools/ipa-upgradeconfig   |  1 +
 ipaserver/install/httpinstance.py | 46 ++++++++++++++++++++++++++++++++++-----
 5 files changed, 54 insertions(+), 10 deletions(-)
 mode change 100644 => 100755 install/tools/ipa-server-install

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 34d74f40643a135bcbea15954a7cfbabbac4ae15..eee32a5a2b097339f6ca432c649d4e13c54594c7 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -121,7 +121,7 @@ Requires: mod_auth_kerb >= 5.4-16
 %else
 Requires: mod_auth_kerb >= 5.4-8
 %endif
-Requires: mod_nss
+Requires: mod_nss >= 1.0.8-24
 Requires: python-ldap
 Requires: python-krbV
 Requires: acl
@@ -166,10 +166,6 @@ Conflicts: bind < 9.8.2-0.4.rc2
 # member.
 Conflicts: nss-pam-ldapd < 0.8.4
 
-# mod_proxy provides a single API to communicate over SSL. If mod_ssl
-# is even loaded into Apache then it grabs this interface.
-Conflicts: mod_ssl
-
 Obsoletes: ipa-server >= 1.0
 
 %description server
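Review bot: the deleted comment was the only place explaining why the mod_ssl conflict existed (mod_ssl grabbing the mod_proxy SSL interface), and the hunk drops it without a replacement. Suggest a one-line comment next to "Requires: mod_nss >= 1.0.8-24" in the previous hunk, e.g. "# 1.0.8-24 lets mod_nss and mod_ssl coexist on different ports", so the versioned requirement is not loosened later by someone who does not know what it protects.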
@@ -836,6 +832,9 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Fri Aug 25 2013 Martin Kosek <mko...@redhat.com> - 3.3.2-1
+- Remove mod_ssl conflict, it can now live with mod_nss installed
+
 * Wed Sep 4 2013 Ana Krivokapic <akriv...@redhat.com> - 3.3.0-3
 - Conform to tmpfiles.d packaging guidelines
 
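Review bot: the new %changelog entry is dated "Fri Aug 25 2013", which is out of order with the "Wed Sep 4 2013" entry it sits above, and 25 Aug 2013 was not a Friday, so rpmbuild will complain about a bogus date in %changelog. The commit header says "Fri, 25 Oct 2013"; the entry should presumably read "* Fri Oct 25 2013 Martin Kosek <mko...@redhat.com> - 3.3.2-1".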
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 5e6941402e8d26c9a8c8e17179832e5bd7f253d7..1cffa48e173e53ab7d9de23cc8fbc693c8757e4f 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -474,6 +474,10 @@ def main():
     if options.setup_dns:
         check_bind()
 
+    # Check to see if httpd is already configured to listen on 443
+    if httpinstance.httpd_443_configured():
+        sys.exit("Aborting installation")
+
     check_dirsrv()
 
     if options.conf_ntp:
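Review bot: sys.exit("Aborting installation") writes the string to stderr and exits with status 1, but nothing records the abort reason in the install log; the reason itself is only printed by httpd_443_configured(). Since the review asked for these messages to be logged, the abort should also go through the logger (an error-level message naming port 443) before exiting, so the log alone explains why the replica install stopped.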
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
old mode 100644
new mode 100755
index cf769f557750c528e579e207d282b5bdfb8850d9..b3dcf6d93a70e2910a3d7fa62139efbf640d1cbe
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -791,6 +791,10 @@ def main():
         except ipaclient.ntpconf.NTPConfigurationError:
             pass
 
+    # Check to see if httpd is already configured to listen on 443
+    if httpinstance.httpd_443_configured():
+        sys.exit("Aborting installation")
+
     realm_name = ""
     host_name = ""
     domain_name = ""
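Review bot: the file header for install/tools/ipa-server-install carries "old mode 100644 / new mode 100755", a permission change unrelated to the mod_ssl work; if the executable bit is intended it deserves its own commit, otherwise it should be dropped from this patch. The four added lines are identical to the ipa-replica-install hunk; a single helper in httpinstance (check and exit with the logged reason) would keep the two installers from drifting apart.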
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 2ee5983226789511b44cd08ffa34e0ff93ff06a3..41c51263d5fc8b3a0e2f28bab89fc9d2d184fdca 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1047,6 +1047,7 @@ def main():
     http.remove_httpd_ccache()
     http.configure_selinux_for_httpd()
     http.configure_httpd_ccache()
+    http.change_mod_nss_port_to_http()
 
     ds = dsinstance.DsInstance()
     ds.configure_dirsrv_ccache()
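Review bot: http.change_mod_nss_port_to_http() rewrites the Listen directive in nss.conf, and nothing visible in this hunk restarts or reloads httpd afterwards; the running server keeps its old configuration until the upgrade path restarts it, so please confirm the restart happens later in main(), or add a short comment here pointing at where it does. A one-line reference to bug 1023168, as in the method body, would also tell a reader why an upgrade step touches the Listen line at all.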
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 14fa9cc6fcc30b2f37338f69e728b8ed9011888f..689e657e291b93d90038937a61f67915c0d582ec 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -23,6 +23,7 @@ import tempfile
 import pwd
 import shutil
 import stat
+import re
 
 import service
 import certs
@@ -32,6 +33,7 @@ from ipapython import ipautil
 from ipapython import services as ipaservices
 from ipapython import dogtag
 from ipapython.ipa_log_manager import *
+from ipaserver.install import sysupgrade
 from ipalib import api
 
 HTTPD_DIR = "/etc/httpd"
@@ -46,6 +48,31 @@ change with the command:
 Try updating the policycoreutils and selinux-policy packages.
 """
 
+def httpd_443_configured():
+    """
+    We now allow mod_ssl to be installed so don't automatically disable it.
+    However it can't share the same listen port as mod_nss, so check for that.
+
+    Returns True if something other than mod_nss is listening on 443.
+    False otherwise.
+    """
+    try:
+        (stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D', 'DUMP_VHOSTS'])
+    except ipautil.CalledProcessError, e:
+        service.print_msg("WARNING: cannot check if port 443 is already configured")
+        service.print_msg("httpd returned error when checking: %s" % e)
+        return False
+
+    port_line_re = re.compile(r'(?P<address>\S+):(?P<port>\d+)')
+    for line in stdout.splitlines():
+        m = port_line_re.match(line)
+        if m and int(m.group('port')) == 443:
+            service.print_msg("Apache is already configured with a listener on port 443:")
+            service.print_msg(line)
+            return True
+
+    return False
+
 class WebGuiInstance(service.SimpleServiceInstance):
     def __init__(self):
         service.SimpleServiceInstance.__init__(self, "ipa_webgui")
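Review bot: the docstring says httpd_443_configured() returns True only if "something other than mod_nss" listens on 443, but the loop returns True for any 443 listener, IPA's own nss.conf included, so the function is only correct when run before nss.conf is configured; either fix the docstring or use the "(file:line)" suffix that DUMP_VHOSTS prints to exclude NSS_CONF. The except branch fails open: when "httpd -t" exits non-zero (for example because an existing config does not parse) the function returns False and the installer continues into a state where Apache will not start anyway; returning True, or at least logging at error level, seems safer. The first message still says "WARNING" although the callers abort on True, which the review asked to be ERROR or CRITICAL, and stderr and rc from ipautil.run() are unpacked but never used.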
@@ -87,7 +114,6 @@ class HTTPInstance(service.Service):
         self.ldap_connect()
 
 
-        self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
         self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
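Review bot: with the "disabling mod_ssl in httpd" step gone, __disable_mod_ssl was the only visible user of SSL_CONF; if nothing else in httpinstance.py references it after this patch, the constant should be removed along with the step so the module does not keep a path it no longer manages.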
@@ -227,15 +253,25 @@ class HTTPInstance(service.Service):
         http_fd.close()
         os.chmod(target_fname, 0644)
 
-    def __disable_mod_ssl(self):
-        if os.path.exists(SSL_CONF):
-            self.fstore.backup_file(SSL_CONF)
-            os.unlink(SSL_CONF)
+    def change_mod_nss_port_to_http(self):
+        # mod_ssl enforces SSLEngine on for vhost on 443 even though
+        # the listener is mod_nss. This then crashes the httpd as mod_nss
+        # listened port obviously does not match mod_ssl requirements.
+        #
+        # Change port to http to workaround the mod_ssl check, the SSL is
+        # enforced in the vhost later, so it is benign.
+        #
+        # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
+        # is fixed.
+        if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
+            installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
+            sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
 
     def __set_mod_nss_port(self):
         self.fstore.backup_file(NSS_CONF)
         if installutils.update_file(NSS_CONF, '8443', '443') != 0:
             print "Updating port in %s failed." % NSS_CONF
+        self.change_mod_nss_port_to_http()
 
     def __set_mod_nss_nickname(self, nickname):
         installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
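Review bot: change_mod_nss_port_to_http() does not change the port; the listener stays on 443 and only gains the "http" protocol argument to sidestep the mod_ssl SSLEngine check, so a name such as set_mod_nss_listen_protocol would describe it better. In __set_mod_nss_port, a failed update_file() only prints "Updating port ... failed." and execution continues into set_directive(NSS_CONF, 'Listen', '443 http'), which then silently overwrites the Listen line anyway; either drop the update_file() call in favour of set_directive alone, or treat the failure as an error rather than a print. The comment "as mod_nss listened port obviously does not match" reads awkwardly; "as the port mod_nss listens on does not match mod_ssl's requirements" would be clearer.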
-- 
1.8.3.1
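The installer check discussed in this thread, written out as an added example in Python 3; it is not part of the patch or of FreeIPA's code. It parses the output of "httpd -t -D DUMP_VHOSTS" (the sample below is constructed in the shape Apache prints for a name-based vhost, a plain vhost and an IPv6 listener), attributes every listener to the configuration file that declared it so that IPA's own nss.conf listener can be excluded, and fails closed when httpd cannot be run. The hostnames, config paths and the httpd binary path are assumptions.

```python
import re
import subprocess
from collections import namedtuple

# One vhost as reported by DUMP_VHOSTS: address, port, server name and the
# config file that declared it.
Listener = namedtuple("Listener", "address port server config")

# Column-0 lines: "*:443   host (/path/file.conf:84)" or "*:443   is a NameVirtualHost".
_TOP_RE = re.compile(
    r'^(?P<address>\S+):(?P<port>\d+)\s+'
    r'(?:(?P<server>\S+)\s+\((?P<config>.+?):\d+\)|is a NameVirtualHost)\s*$')
# Indented detail lines under a NameVirtualHost block.
_DETAIL_RE = re.compile(
    r'^\s+(?:default server|port \d+ namevhost)\s+'
    r'(?P<server>\S+)\s+\((?P<config>.+?):\d+\)')

# Constructed sample output (assumed hostnames and paths), not captured from a real server.
SAMPLE_DUMP = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server ipa.example.test (/etc/httpd/conf.d/nss.conf:84)
         port 443 namevhost ipa.example.test (/etc/httpd/conf.d/nss.conf:84)
*:10443                ipa.example.test (/etc/httpd/conf.d/ssl.conf:56)
[::1]:443              localhost (/etc/httpd/conf.d/local-ssl.conf:3)
Syntax OK
"""


def parse_dump_vhosts(text):
    """Return the distinct Listener entries found in DUMP_VHOSTS output."""
    listeners = []
    current = None  # (address, port) of the most recent column-0 listener line
    for line in text.splitlines():
        top = _TOP_RE.match(line)
        if top:
            current = (top.group("address"), int(top.group("port")))
            if top.group("server"):
                entry = Listener(*current, top.group("server"), top.group("config"))
                if entry not in listeners:
                    listeners.append(entry)
            continue
        detail = _DETAIL_RE.match(line)
        if detail and current:
            # "default server" and "port N namevhost" usually name the same vhost; keep one.
            entry = Listener(*current, detail.group("server"), detail.group("config"))
            if entry not in listeners:
                listeners.append(entry)
    return listeners


def foreign_443_listeners(text, own_config="/etc/httpd/conf.d/nss.conf"):
    """Listeners on 443 that were not declared by IPA's own mod_nss config.

    This is the "something other than mod_nss" distinction the patch's docstring
    describes, made explicit by comparing the declaring file.
    """
    return [l for l in parse_dump_vhosts(text)
            if l.port == 443 and l.config != own_config]


def check_port_443(httpd="/usr/sbin/httpd", dump_text=None):
    """Decide whether the installer may claim port 443. Returns (ok, message).

    dump_text lets callers (and tests) supply captured output instead of running
    httpd. A failing "httpd -t" is treated as "cannot prove 443 is free", so the
    check fails closed instead of letting the installation continue.
    """
    if dump_text is None:
        try:
            proc = subprocess.run([httpd, "-t", "-D", "DUMP_VHOSTS"],
                                  capture_output=True, text=True, check=True, timeout=30)
        except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired) as e:
            return False, "cannot verify port 443: httpd -t failed: %s" % e
        # The dump may land on stdout or stderr depending on the Apache version; scan both.
        dump_text = proc.stdout + proc.stderr
    found = foreign_443_listeners(dump_text)
    if found:
        detail = ", ".join("%s:%d from %s" % (l.address, l.port, l.config) for l in found)
        return False, "port 443 already taken by another listener: " + detail
    return True, "port 443 is free for mod_nss"


if __name__ == "__main__":
    ok, message = check_port_443(dump_text=SAMPLE_DUMP)
    print(message)
    raise SystemExit(0 if ok else 1)
```

Because each listener carries the file that declared it, the check can be re-run after nss.conf has been written (on a re-install or during ipa-upgradeconfig) without flagging IPA's own 443 listener, and an unparsable Apache configuration blocks the install instead of being ignored.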

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
