On 02/22/2016 04:04 PM, Jan Cholasta wrote:
> On 22.2.2016 15:56, David Kupka wrote:
>> On 22/02/16 07:28, Jan Cholasta wrote:
>>> On 18.2.2016 10:10, David Kupka wrote:
>>>> On 19/01/16 16:10, David Kupka wrote:
>>>>> On 19/01/16 14:38, Jan Cholasta wrote:
>>>>>> On 19.1.2016 14:26, Martin Kosek wrote:
>>>>>>> On 01/19/2016 01:47 PM, David Kupka wrote:
>>>>>>>> I've polished the patch attached to #5586 by Timo Aaltonen.
>>>>>>>>
>>>>>>>> Thanks for the patch. I've fixed the path in specfile and removed
>>>>>>>> unused import but otherwise it works, ACK.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5586
>>>>>>>
>>>>>>> Won't this break existing certmonger requests depending on the old
>>>>>>> path?
>>>>>>
>>>>>> It will, I don't see any upgrade code.
>>>>>>
>>>>>>>
>>>>>>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> You're right, it will break the upgrade. I haven't noticed that
>>>>> Server-Cert for DS and HTTPD are not handled by
>>>>> certificate_renewal_update (ipaserver.install.server.upgrade) where all
>>>>> the other trackings are stopped and then configured again with the
>>>>> paths.CERTMONGER_COMMAND_TEMPLATE already updated.
>>>>>
>>>>> Thanks for the catch.
>>>>>
>>>>
>>>> I've updated Timo's patch a little more and added
>>>> start_tracking_certificates() for dsinstance and httpinstance. Now the
>>>> upgrade works as expected.
>>>
>>> The way the patches are split is kind of weird and apparently confusing
>>> (see the other thread). IMO there should be 2 patches: the first should
>>> add the ability to change DS and HTTP certmonger config during upgrade
>>> (i.e. the start_tracking_certificates() methods and
>>> certificate_renewal_update() changes), the second should move the
>>> helpers (i.e. the actual move and certificate_renewal_update() version
>>> bump).
>>>
>> Honza, do I understand it correctly that the code is OK but I did not
>> split it into the patches correctly?
> 
> Yes.

Before acking or pushing, can you please explain to me how the upgrade of
certmonger tracking requests works? I want to make sure this is right, so please
bear with me:

1) How does it edit existing tracking requests with the new helper paths?

2) Does it go and try to edit the requests on every upgrade? Or is there some
check that requests were updated?

Thanks,
Martin
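
Added example (not part of the original thread and not FreeIPA code): a post-upgrade check that parses `getcert list` output and reports tracking requests whose pre-save or post-save command still points at the old helper directory quoted above. The sample output, request IDs and the `/opt/example` path are constructed for illustration, and `stale_helpers` is a hypothetical name.

```python
import re

# Old helper directory taken from the `getcert list` output quoted in the thread.
OLD_HELPER_DIR = "/usr/lib64/ipa/certmonger/"

# Constructed sample in the layout `getcert list` prints (not real output).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160119000001':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20160119000002':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
Request ID '20160119000003':
\tstatus: MONITORING
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/example.key'
\tpre-save command:
\tpost-save command: /opt/example/reload_service
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
COMMAND_RE = re.compile(r"^\s+(pre-save|post-save) command:\s*(.*)$")


def stale_helpers(getcert_output, old_dir=OLD_HELPER_DIR):
    """Map request ID -> [(hook, command)] for hooks still under old_dir."""
    stale = {}
    request_id = None
    for line in getcert_output.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            request_id = m.group(1)  # start of a new tracking request
            continue
        m = COMMAND_RE.match(line)
        if m and request_id and m.group(2).startswith(old_dir):
            stale.setdefault(request_id, []).append((m.group(1), m.group(2)))
    return stale


if __name__ == "__main__":
    # On a server, feed it the real output of `getcert list` instead of SAMPLE.
    for rid, hooks in stale_helpers(SAMPLE).items():
        for hook, command in hooks:
            print(f"{rid}: {hook} command still uses old path: {command}")
```

An empty result after an upgrade means no tracked request references the old directory; any request it lists would fail to run its helper once the files are moved.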
