On 26.1.2016 10:23, Martin Babinsky wrote:
On 01/26/2016 10:14 AM, Martin Babinsky wrote:
On 01/25/2016 08:56 AM, Alexander Bokovoy wrote:
On Mon, 25 Jan 2016, Jan Cholasta wrote:
Hi,

the attached patch fixes
<https://fedorahosted.org/freeipa/ticket/5611>.

Note that this is a 4.2-specific fix.

Honza

--
Jan Cholasta

From c2a0684c64538166809883a235bd131518b6e78f Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 25 Jan 2016 08:48:42 +0100
Subject: [PATCH] CA install: explicitly set dogtag_version to 10

When installing new CA master, explicitly set the dogtag_version
option to
10 in api.bootstrap() to prevent failures in code which expects the
value
to be 10 rather than the default value of 9.

https://fedorahosted.org/freeipa/ticket/5611
---
install/tools/ipa-ca-install | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-ca-install
b/install/tools/ipa-ca-install
index 6564e4d..e8ccaef 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -162,7 +162,7 @@ def install_master(safe_options, options):

    # override ra_plugin setting read from default.conf so that we have
    # functional dogtag backend plugins during CA install
-    api.bootstrap(in_server=True, ra_plugin='dogtag')
+    api.bootstrap(in_server=True, ra_plugin='dogtag',
dogtag_version=10)
    api.finalize()

    dm_password = options.password
--
ACK.


Not so fast, I have this patch applied on top of ipa-4-2 and it does not
fix the crash described in the ticket.


See the end of CA install log (http://fpaste.org/314777/14537999/), it
seems that despite setting dogtag version to 10 in API initialization,
CA instance still thinks it needs to work with version 9.

It seems that dogtag.configured_constants() function is to blame:

"""
In [4]: from ipalib import api

In [5]: api.bootstrap(dogtag_version=10)

In [6]: api.finalize()

In [7]: dogtag.configured_constants()
Out[7]: ipapython.dogtag.Dogtag9Constants

In [8]: dogtag.configured_constants(api)
Out[8]: ipapython.dogtag.Dogtag10Constants
"""

Updated patch attached.

--
Jan Cholasta
From 0834afa2e1f38c211f94ea94c3f3ab1b9a24f428 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 25 Jan 2016 08:48:42 +0100
Subject: [PATCH] CA install: explicitly set dogtag_version to 10

When installing new CA master, explicitly set the dogtag_version option to
10 in api.bootstrap() to prevent failures in code which expects the value
to be 10 rather than the default value of 9.

https://fedorahosted.org/freeipa/ticket/5611
---
 install/tools/ipa-ca-install        | 2 +-
 ipaserver/install/cainstance.py     | 6 +++---
 ipaserver/install/server/upgrade.py | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 6564e4d..e8ccaef 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -162,7 +162,7 @@ def install_master(safe_options, options):
 
     # override ra_plugin setting read from default.conf so that we have
     # functional dogtag backend plugins during CA install
-    api.bootstrap(in_server=True, ra_plugin='dogtag')
+    api.bootstrap(in_server=True, ra_plugin='dogtag', dogtag_version=10)
     api.finalize()
 
     dm_password = options.password
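
Review bot: The comment above the api.bootstrap() call in install_master still describes only the ra_plugin override, so the new dogtag_version=10 argument is undocumented at the call site. Extend the comment to say that the version is forced to 10 because the default is 9 (as the commit message states), so a later reader does not take the literal for a leftover.
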
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d9bf4f3..369902a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -478,7 +478,7 @@ class CAInstance(DogtagInstance):
                       self.http_proxy)
             self.step("restarting certificate server", self.restart_instance)
             self.step("migrating certificate profiles to LDAP",
-                      migrate_profiles_to_ldap)
+                      lambda: migrate_profiles_to_ldap(self.dogtag_constants))
             self.step("importing IPA certificate profiles",
                       import_included_profiles)
             self.step("adding default CA ACL", ensure_default_caacl)
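
Review bot: In this step list only migrate_profiles_to_ldap now receives self.dogtag_constants; the neighbouring steps import_included_profiles and ensure_default_caacl are still passed without it. If either resolves its constants through a no-argument dogtag.configured_constants() call, it will hit the same mismatch, so please confirm or pass the constants there as well. As a style point, a small named method on CAInstance would read better than the inline lambda and would match how self.restart_instance is passed.
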
@@ -1768,7 +1768,7 @@ def import_included_profiles():
     conn.disconnect()
 
 
-def migrate_profiles_to_ldap():
+def migrate_profiles_to_ldap(dogtag_constants):
     """Migrate profiles from filesystem to LDAP.
 
     This must be run *after* switching to the LDAPProfileSubsystem
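
Review bot: migrate_profiles_to_ldap() gains a required dogtag_constants parameter, but the docstring under the new signature does not mention it. Document what object is expected (one exposing CS_CFG_PATH, per the next hunk). Because the parameter is positional and has no default, any caller not updated in this patch will fail with a TypeError; the patch updates the ones in cainstance.py and upgrade.py, so check there are no others.
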
@@ -1783,7 +1783,7 @@ def migrate_profiles_to_ldap():
     api.Backend.ra_certprofile._read_password()
     api.Backend.ra_certprofile.override_port = 8443
 
-    with open(dogtag.configured_constants().CS_CFG_PATH) as f:
+    with open(dogtag_constants.CS_CFG_PATH) as f:
         cs_cfg = f.read()
     match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE)
     profile_ids = match.group(1).split(',')
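
Review bot: In the unchanged lines after the new open(dogtag_constants.CS_CFG_PATH), match.group(1) is called without checking that re.search() found a profile.list= line, so a file lacking that key fails with an AttributeError on None. Now that the path depends on the constants object the caller passes in, it would help to test match and raise an error that names the file.
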
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 616fba5..2d97196 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -354,7 +354,7 @@ def ca_enable_ldap_profile_subsystem(ca):
             separator='=')
 
         ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
-        cainstance.migrate_profiles_to_ldap()
+        cainstance.migrate_profiles_to_ldap(caconfig)
 
     return needs_update
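
Review bot: The unchanged ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) line directly above the changed call still uses the no-argument lookup, while the changed line passes caconfig, so the two lines may end up using different constants. Take PKI_INSTANCE_NAME from the same object. Also, caconfig is not defined anywhere in this hunk: confirm it is the Dogtag constants object (it must provide CS_CFG_PATH) and not some other configuration value.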
 
-- 
2.5.0
