On 23.9.2015 19:47, Simo Sorce wrote:
On Wed, 2015-09-23 at 08:35 +0200, Jan Cholasta wrote:
What I mean is that installing a replica using an already existing
replica file should be prevented at level 1 as well:

root@ipa1# ipa-server-install --domain-level=0
root@ipa1# ipa-replica-prepare ipa2.example.com
root@ipa1# ipa domainlevel-set 1

root@ipa2# ipa-replica-install replica-info-ipa2.example.com.gpg
ERROR: Can't install replica from a replica file at domain level > 0

Ok I rebased the patchset with a modification to assume promotion if no
file was provided, and then raise appropriate RuntimeErrors if
conditions about the domain level are not met.

This change also prevents installing with a replica file if domain level
is currently at 1.

They are in the usual custodia-review branch.

"Add ipa-custodia service": functional ACK

1) freeipa-python is still missing BuildRequires and Requires on python-jwcrypto:

On 23.9.2015 08:35, Jan Cholasta wrote:
On 23.9.2015 02:47, Simo Sorce wrote:
On Tue, 2015-09-22 at 10:57 -0400, Simo Sorce wrote:
On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:
1) python-jwcrypto dependency is missing in the spec file.

It shouldn't be necessary as custodia already depends on it.

IMO it is a good practice to require all direct dependencies, because
you can't control indirect dependencies. For example, if one day
custodia switched from jwcrypto to something different, ipa would lose
the jwcrypto dependency without us knowing.

"Require a DS version that has working DNA plugin": ACK

"Implement replica promotion functionality":

1) You should handle NotFound for the find_entries() call in cainstance.find_ca_server().

2) You can remove ReplicaCA and ReplicaDNS classes as they are unused.

3) I'm getting this on domain level 0 client:

# ipa-replica-install
Password for ad...@abc.idm.lab.eng.brq.redhat.com:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available

It comes from the "Try out authentication" conn.connect() in promote_check(), because it is missing the ccache kwarg.

"Change DNS installer code to use passed in api": ACK

"Allow ipa-replica-conncheck to use default creds":

1) ipa-replica-install prompts for admin password twice during connection check:

    Get credentials to log in to remote master
    Check SSH connection to remote master
    ad...@vm-137.abc.idm.lab.eng.brq.redhat.com's password:
    Execute check on remote master
    ad...@vm-137.abc.idm.lab.eng.brq.redhat.com's password:

"Add function to extract CA certs for install": ACK

"topology: manage ca replication agreements": functional ACK

1) This 20-replication.update bit does not seem to be related to the patch:

# add IPA realm managed suffix to master entry
dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
add: objectclass: ipaReplTopoManagedServer
add: ipaReplTopoManagedSuffix: $SUFFIX

Why is it included? (Petr?)

2) In update_ca_topology, call CAInstance.__update_topology() instead of copy & pasting the code.

"enable topology plugin on upgrade": ACK

"topology plugin configuration workaround": ACK

"handle multiple managed suffixes": ACK

"prevent operation on tombstones": ACK

"Allow to setup the CA when promoting a replica": ACK

"Make checks for existing credentials reusable": ACK

"Add low level helper to get domain level": ACK

"Allow ipa-ca-install to use the new promotion code":

1) The --replica option was not removed:

On 22.9.2015 10:45, Jan Cholasta wrote:
1) The --replica option is redundant. You can safely decide whether this
is the first CA master or not based on information in cn=masters.

2) ipa-ca-install prompts for both admin and DM password:

# ipa-ca-install -r
Password for ad...@abc.idm.lab.eng.brq.redhat.com:
Directory Manager (existing master) password:

DM password should not be required, right?

3) ipa-ca-install fails with:

Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 445, in start_creation
    run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 435, in run_step
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 631, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 185, in spawn_instance
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 448, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

I guess I'm hitting the authentication bug in Dogtag. It is supposed to be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2? We might need a new 10.2.7 build.

"Remove unused kra option": ACK

"Allow to install the KRA on a promoted server":

1) ipa-kra-install fails with:

Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 220, in run
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 200, in _run
    if config.subject_base is None:
AttributeError: 'NoneType' object has no attribute 'subject_base'

Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to