On 10/14/2014 02:28 PM, Jan Cholasta wrote:
Dne 14.10.2014 v 14:19 David Kupka napsal(a):



On 10/14/2014 01:39 PM, Jan Cholasta wrote:
Dne 14.10.2014 v 12:47 David Kupka napsal(a):


On 10/10/2014 03:24 PM, Jan Cholasta wrote:
Dne 8.10.2014 v 12:36 David Kupka napsal(a):
On 10/08/2014 09:29 AM, Jan Cholasta wrote:
Hi,

Dne 8.10.2014 v 09:09 David Kupka napsal(a):
https://fedorahosted.org/freeipa/ticket/4569

In renew_ca_cert and cainstance.py, dogtag should already be
stopped in
the places you modified, so why the change?

I didn't notice that it was already stopped; fixed.

Also I don't think it's a good idea to backup CS.cfg when dogtag is
still running (in cainstance.py). If the file is being modified by
dogtag at the time it is backed up, the backup may be corrupted.

Fixed, thanks.

CAInstance.backup_config should be called only when Dogtag is
stopped as
well, you don't need to change it.


backup_config is callable from outside cainstance.py, so it's safer to
check that dogtag is stopped and stop it if necessary. When dogtag is
already stopped, it won't do anything.

If dogtag is not stopped in backup_config, it's an error, so an
exception should be raised.

What I meant by this is that you should add this check to backup_config,
because it's not there ATM. Sorry for confusing you.


OK, I hope I've finally understood.

--
David Kupka
From f57f22e4753caa7e811aa5b0a0e74fc5902465ae Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in
 ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/tools/ipa-upgradeconfig | 46 ++++++++++++++++++++++-------------------
 ipaserver/install/cainstance.py |  3 +++
 2 files changed, 28 insertions(+), 21 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 82e7857d5dec8955935b948df34aab08bfa7f914..e064f38fc963d94c7775f2282402eaaddb682af4 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore):
     if not installutils.get_directive(configured_constants.CS_CFG_PATH,
                                       'proxy.securePort', '=') and \
             os.path.exists(paths.PKI_SETUP_PROXY):
-        ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
-                     ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+        # update proxy configuration with stopped dogtag to prevent corruption
+        # of CS.cfg
+        ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib',
+                     '-pki_instance_name=pki-ca','-subsystem_type=ca'])
         root_logger.debug('Proxy configuration updated')
     else:
         root_logger.debug('Proxy configuration up-to-date')
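Review bot: The new comment on the `ipautil.run` call asserts that pki-setup-proxy runs "with stopped dogtag", but nothing in upgrade_pki checks or enforces that; the stop only happens in main()'s `stopped_service` block, and upgrade_pki is a plain function that any future caller can invoke directly with Dogtag up, reintroducing the CS.cfg corruption this patch is fixing. Either reword the comment as a stated precondition, `# precondition: caller must hold Dogtag stopped (main() wraps this in stopped_service); pki-setup-proxy rewrites CS.cfg`, or guard it the same way this patch guards backup_config, `if services.knownservices.dogtag.is_running(): raise RuntimeError(...)`, which requires `services` to be in scope in this script and the hunk does not show whether it is. The same comment appears in the second copy of the patch (its first `@@ -233,8 +233,10 @@` hunk). upgrade_pki starts before the hunk and continues past it.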
@@ -1082,28 +1084,30 @@ def main():
     ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
     ca.backup_config()
 
-    # migrate CRL publish dir before the location in ipa.conf is updated
-    ca_restart = migrate_crl_publish_dir(ca)
+    with installutils.stopped_service(configured_constants.SERVICE_NAME,
+            configured_constants.PKI_INSTANCE_NAME):
+        # migrate CRL publish dir before the location in ipa.conf is updated
+        ca_restart = migrate_crl_publish_dir(ca)
 
-    if ca.is_configured():
-        crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
-                                         'ca.crl.MasterCRL.enableCRLUpdates',
-                                         '=')
-        sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
+        if ca.is_configured():
+            crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
+                    'ca.crl.MasterCRL.enableCRLUpdates', '=')
+            sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
 
-    certmap_dir = dsinstance.config_dirname(
-        dsinstance.realm_to_serverid(api.env.realm))
+        certmap_dir = dsinstance.config_dirname(
+            dsinstance.realm_to_serverid(api.env.realm))
+
+        upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
+        upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
+        upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
+        if subject_base:
+            upgrade(
+                sub_dict,
+                os.path.join(certmap_dir, "certmap.conf"),
+                os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
+            )
+        upgrade_pki(ca, fstore)
 
-    upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
-    upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
-    upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
-    if subject_base:
-        upgrade(
-            sub_dict,
-            os.path.join(certmap_dir, "certmap.conf"),
-            os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
-        )
-    upgrade_pki(ca, fstore)
     update_dbmodules(api.env.realm)
     uninstall_ipa_kpasswd()
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 978b98a58deb0752d0eab20f4813ac30f960e17a..d7562cafa100f23715c1678685c9c9b010d9f344 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1825,6 +1825,9 @@ def backup_config(dogtag_constants=None):
     if dogtag_constants is None:
         dogtag_constants = dogtag.configured_constants()
 
+    if services.knownservices.dogtag.is_running():
+        raise RuntimeError("Dogtag must be stopped when creating backup of %s"
+                           % dogtag_constants.CS_CFG_PATH)
     shutil.copy(dogtag_constants.CS_CFG_PATH,
                 dogtag_constants.CS_CFG_PATH + '.ipabkp')
 
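Review bot: The guard checks the fixed `services.knownservices.dogtag` service while the file it protects comes from the `dogtag_constants` argument, so a caller passing constants for a different instance could have the check and the copy disagree; main() in this patch hands `configured_constants.SERVICE_NAME` and `PKI_INSTANCE_NAME` to `stopped_service`, which suggests the service is instance-specific, so if the services API allows a lookup by `dogtag_constants.SERVICE_NAME` the check should be derived from the same constants. The new precondition should also be documented in backup_config's docstring (above the hunk, if one exists): `Raises RuntimeError if Dogtag is running: CS.cfg must not be copied while Dogtag can still write it.` The same change appears in the second copy of the patch (the `@@ -1861,6 +1861,9 @@` hunk). backup_config starts above the hunk and may continue past it.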
-- 
1.9.3

From cd70fcf7479ecbff7f4a3792e814e637a49fb0e5 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in
 ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/tools/ipa-upgradeconfig | 46 ++++++++++++++++++++++-------------------
 ipaserver/install/cainstance.py |  3 +++
 2 files changed, 28 insertions(+), 21 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 0606c5d0c07d9ded073a661f1b2faa288897685a..d647eb804af16a9733a9a405b2387b2baf27f19b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore):
     if not installutils.get_directive(configured_constants.CS_CFG_PATH,
                                       'proxy.securePort', '=') and \
             os.path.exists(paths.PKI_SETUP_PROXY):
-        ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
-                     ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+        # update proxy configuration with stopped dogtag to prevent corruption
+        # of CS.cfg
+        ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib',
+                     '-pki_instance_name=pki-ca','-subsystem_type=ca'])
         root_logger.debug('Proxy configuration updated')
     else:
         root_logger.debug('Proxy configuration up-to-date')
@@ -1264,28 +1266,30 @@ def main():
     ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
     ca.backup_config()
 
-    # migrate CRL publish dir before the location in ipa.conf is updated
-    ca_restart = migrate_crl_publish_dir(ca)
+    with installutils.stopped_service(configured_constants.SERVICE_NAME,
+            configured_constants.PKI_INSTANCE_NAME):
+        # migrate CRL publish dir before the location in ipa.conf is updated
+        ca_restart = migrate_crl_publish_dir(ca)
 
-    if ca.is_configured():
-        crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
-                                         'ca.crl.MasterCRL.enableCRLUpdates',
-                                         '=')
-        sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
+        if ca.is_configured():
+            crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
+                    'ca.crl.MasterCRL.enableCRLUpdates', '=')
+            sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
 
-    ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
-    ds_dirname = dsinstance.config_dirname(ds_serverid)
+        ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
+        ds_dirname = dsinstance.config_dirname(ds_serverid)
+
+        upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
+        upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
+        upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
+        if subject_base:
+            upgrade(
+                sub_dict,
+                os.path.join(ds_dirname, "certmap.conf"),
+                os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
+            )
+        upgrade_pki(ca, fstore)
 
-    upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
-    upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
-    upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
-    if subject_base:
-        upgrade(
-            sub_dict,
-            os.path.join(ds_dirname, "certmap.conf"),
-            os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
-        )
-    upgrade_pki(ca, fstore)
     update_dbmodules(api.env.realm)
     uninstall_ipa_kpasswd()
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ebc2d244839f24a6c83928639fa8d6aabd50a97c..0c31d21648689ad5c577e9112fefdf47857b4915 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1861,6 +1861,9 @@ def backup_config(dogtag_constants=None):
     if dogtag_constants is None:
         dogtag_constants = dogtag.configured_constants()
 
+    if services.knownservices.dogtag.is_running():
+        raise RuntimeError("Dogtag must be stopped when creating backup of %s"
+                           % dogtag_constants.CS_CFG_PATH)
     shutil.copy(dogtag_constants.CS_CFG_PATH,
                 dogtag_constants.CS_CFG_PATH + '.ipabkp')
 
-- 
1.9.3
