When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If port 7389 were blocked by a
firewall, the installation would get stuck with no hint to the user.

Make sure that the port configuration parsed from replica info file
is used consistently in the installers.

https://fedorahosted.org/freeipa/ticket/4240

-- 
Martin Kosek <mko...@redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From e7273b69f21db44bda38f5ffbc84eabbaae2a943 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 11 Mar 2014 16:28:19 +0100
Subject: [PATCH] ipa-replica-install never checks for 7389 port

When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If port 7389 were blocked by a
firewall, the installation would get stuck with no hint to the user.

Make sure that the port configuration parsed from replica info file
is used consistently in the installers.

https://fedorahosted.org/freeipa/ticket/4240
---
 install/tools/ipa-ca-install      | 17 +++++------------
 install/tools/ipa-replica-install | 18 ++++++------------
 ipaserver/install/cainstance.py   | 12 +++++-------
 ipaserver/install/installutils.py | 16 ++++++++++++++++
 4 files changed, 32 insertions(+), 31 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 4edd26d337a50eebe686daae539c257f706e0158..bb3e595a3df47f00b3929f546db7b04dd7eda32a 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -30,7 +30,7 @@ from ipaserver.install import installutils, service
 from ipaserver.install import certs
 from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
         expand_replica_info, read_replica_info, get_host_name, BadHostError,
-        private_ccache)
+        private_ccache, read_replica_info_dogtag_port)
 from ipaserver.install import dsinstance, cainstance, bindinstance
 from ipaserver.install.replication import replica_conn_check
 from ipapython import version
@@ -159,31 +159,24 @@ def main():
             sys.exit(0)
     config.dir = dir
     config.setup_ca = True
+    config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
 
     if not ipautil.file_exists(config.dir + "/cacert.p12"):
         print 'CA cannot be installed in CA-less setup.'
         sys.exit(1)
 
-    portfile = config.dir + "/dogtag_directory_port.txt"
-    if not ipautil.file_exists(portfile):
-        dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
-    else:
-        with open(portfile) as fd:
-            dogtag_master_ds_port = fd.read()
-
     if not options.skip_conncheck:
         replica_conn_check(
             config.master_host_name, config.host_name, config.realm_name, True,
-            dogtag_master_ds_port, options.admin_password)
+            config.ca_ds_port, options.admin_password)
 
     if options.skip_schema_check:
         root_logger.info("Skipping CA DS schema check")
     else:
-        cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
+        cainstance.replica_ca_install_check(config)
 
     # Configure the CA if necessary
-    CA = cainstance.install_replica_ca(
-        config, dogtag_master_ds_port, postinstall=True)
+    CA = cainstance.install_replica_ca(config, postinstall=True)
 
     # We need to ldap_enable the CA now that DS is up and running
     CA.ldap_enable('CA', config.host_name, config.dirman_password,
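Review bot: The type of the port handed to `replica_conn_check` changes on the `config.ca_ds_port` line: the removed code passed the raw string from `fd.read()` (newline included), while `read_replica_info_dogtag_port` now returns an int. `replica_conn_check` is not in this patch, so whether its port handling accepts an int is something to confirm before merging; if it expects text, pass `str(config.ca_ds_port)` at that call rather than changing the helper. The same int-for-string swap happens for `master_replication_port=` in `install_replica_ca` further down. `main` continues past the end of this hunk.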
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 0e7aefef48d47fefa290607e0604c014d9469fdd..e039fd1e7cb213b3269d0a5d2305a96f68e36e29 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -37,8 +37,8 @@ from ipaserver.install import memcacheinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
 from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
-                                            read_replica_info ,get_host_name,
-                                            BadHostError, private_ccache)
+        read_replica_info, get_host_name, BadHostError, private_ccache,
+        read_replica_info_dogtag_port)
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance
 from ipalib import api, errors, util
@@ -534,6 +534,7 @@ def main():
             sys.exit(0)
     config.dir = dir
     config.setup_ca = options.setup_ca
+    config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
 
     if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
         print 'CA cannot be installed in CA-less setup.'
@@ -541,18 +542,11 @@ def main():
 
     installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
 
-    portfile = config.dir + "/dogtag_directory_port.txt"
-    if not ipautil.file_exists(portfile):
-        dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
-    else:
-        with open(portfile) as fd:
-            dogtag_master_ds_port = fd.read()
-
     # check connection
     if not options.skip_conncheck:
         replica_conn_check(
             config.master_host_name, config.host_name, config.realm_name,
-            options.setup_ca, dogtag_master_ds_port, options.admin_password)
+            options.setup_ca, config.ca_ds_port, options.admin_password)
 
 
     # check replica host IP resolution
@@ -657,7 +651,7 @@ def main():
     if options.skip_schema_check:
         root_logger.info("Skipping CA DS schema check")
     else:
-        cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
+        cainstance.replica_ca_install_check(config)
 
     # Configure ntpd
     if options.conf_ntp:
@@ -669,7 +663,7 @@ def main():
     ds = install_replica_ds(config)
 
     # Configure the CA if necessary
-    CA = cainstance.install_replica_ca(config, dogtag_master_ds_port)
+    CA = cainstance.install_replica_ca(config)
 
     # Always try to install DNS records
     install_dns_records(config, options)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 52c91b68c2d073a9b1c6aedc1811aa26db046e6b..126bbae66e8a9ae8d9cc6e624745ab1cc37bf4c1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1574,7 +1574,7 @@ def is_master(self):
         return master == 'New'
 
 
-def replica_ca_install_check(config, master_ds_port):
+def replica_ca_install_check(config):
     if not config.setup_ca:
         return
 
@@ -1583,8 +1583,6 @@ def replica_ca_install_check(config, master_ds_port):
         # Replica of old "self-signed" master - CA won't be installed
         return
 
-    master_ds_port = int(master_ds_port)
-
     # Exit if we have an old-style (Dogtag 9) CA already installed
     ca = CAInstance(config.realm_name, certs.NSS_DIR,
         dogtag_constants=dogtag.Dogtag9Constants)
@@ -1592,13 +1590,13 @@ def replica_ca_install_check(config, master_ds_port):
         root_logger.info('Dogtag 9 style CA instance found')
         sys.exit("A CA is already configured on this system.")
 
-    if master_ds_port != dogtag.Dogtag9Constants.DS_PORT:
+    if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT:
         root_logger.debug(
             'Installing CA Replica from master with a merged database')
         return
 
     # Check if the master has the necessary schema in its CA instance
-    ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, master_ds_port)
+    ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, config.ca_ds_port)
     objectclass = 'ipaObject'
     root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url)
     try:
@@ -1627,7 +1625,7 @@ def replica_ca_install_check(config, master_ds_port):
         exit('IPA schema missing on master CA directory server')
 
 
-def install_replica_ca(config, master_ds_port, postinstall=False):
+def install_replica_ca(config, postinstall=False):
     """
     Install a CA on a replica.
 
@@ -1676,7 +1674,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
                           config.dirman_password, config.dirman_password,
                           pkcs12_info=(cafile,),
                           master_host=config.master_host_name,
-                          master_replication_port=master_ds_port,
+                          master_replication_port=config.ca_ds_port,
                           subject_base=config.subject_base)
 
     # Restart httpd since we changed it's config and added ipa-pki-proxy.conf
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 32671adc895b0cb2632729e8bdb44b5df02c1314..8be8cd3ffa86256c096ddc99227210f2daeb3185 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -538,6 +538,22 @@ def read_replica_info(dir, rconfig):
     except NoOptionError:
         pass
 
+def read_replica_info_dogtag_port(config_dir):
+    portfile = config_dir + "/dogtag_directory_port.txt"
+    default_port = dogtag.Dogtag9Constants.DS_PORT
+    if not ipautil.file_exists(portfile):
+        dogtag_master_ds_port = default_port
+    else:
+        with open(portfile) as fd:
+            try:
+                dogtag_master_ds_port = int(fd.read())
+            except (ValueError, IOError), e:
+                root_logger.debug('Cannot parse dogtag DS port: %s', e)
+                root_logger.debug('Default to %d', default_port)
+                dogtag_master_ds_port = default_port
+
+    return dogtag_master_ds_port
+
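Review bot: A corrupt or unparsable `dogtag_directory_port.txt` is downgraded to a debug message and silently replaced by the Dogtag 9 port 7389, which is exactly the wrong value for a master with a merged database (port 389) and leads to the same "stuck with no hint" outcome the commit is fixing; since the file is produced by the replica preparation step, a parse failure means the replica info file is damaged and deserves at least a warning naming the file. Note also that `open(portfile)` sits outside the `try`, so an `IOError` from opening the file propagates while one from reading it is swallowed, and an out-of-range integer is accepted as-is. The rewrite below puts the open inside the `try`, warns on fallback and bounds the port; a docstring stating that a missing file means a Dogtag 9 style master would help readers of the call sites.
```python
def read_replica_info_dogtag_port(config_dir):
    """
    Return the master's Dogtag directory server port as an int.

    A missing dogtag_directory_port.txt means a Dogtag 9 style master,
    so Dogtag9Constants.DS_PORT is returned.
    """
    portfile = config_dir + "/dogtag_directory_port.txt"
    default_port = dogtag.Dogtag9Constants.DS_PORT
    if not ipautil.file_exists(portfile):
        return default_port
    try:
        with open(portfile) as fd:
            dogtag_master_ds_port = int(fd.read().strip())
    except (ValueError, IOError), e:
        root_logger.warning('Cannot parse dogtag DS port from %s: %s; '
                            'defaulting to %d', portfile, e, default_port)
        return default_port
    if not 0 < dogtag_master_ds_port < 65536:
        root_logger.warning('Invalid dogtag DS port %d in %s; defaulting to %d',
                            dogtag_master_ds_port, portfile, default_port)
        return default_port
    return dogtag_master_ds_port
```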
 def check_server_configuration():
     """
     Check if IPA server is configured on the system.
-- 
1.8.5.3
