URL: https://github.com/freeipa/freeipa/pull/229
Author: flo-renaud
 Title: #229: Remove the renewal lock file upon uninstall
Action: synchronized

From 1222e8f509151a0f4cc40f4604f21db559bacd7c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Thu, 10 Nov 2016 13:14:34 +0100
Subject: [PATCH] Fix renewal lock issues on installation

- Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.

- Modify certmonger renewal script: restart the http/dirsrv services
only if they were already running

- Cleanup certmonger ra renewal script: no need to restart httpd

- Reorder during http install: request the SSL cert before adding
ipa-service-guard
Rationale: when a CA helper is modified, certmonger launches the helper
with various operations (FETCH_ROOTS, ...). If the CA helper is modified
again while that run is still in progress, the in-flight helper is killed.
This can lead to ipa-service-guard being killed without releasing the
renewal lock.

If the SSL cert is requested with IPA helper before ipa-service-guard is added,
we avoid this locking issue.

Part of the refactoring effort, certificates sub-effort.

https://fedorahosted.org/freeipa/ticket/6433
---
 install/restart_scripts/renew_ra_cert  | 10 ----------
 install/restart_scripts/restart_dirsrv |  3 ++-
 install/restart_scripts/restart_httpd  |  3 ++-
 ipaserver/install/httpinstance.py      |  4 ++--
 ipaserver/install/server/install.py    |  9 +++++++++
 5 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index d71d6e2..40ef728 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -30,7 +30,6 @@ import traceback
 from ipapython import ipautil
 from ipalib import api
 from ipaserver.install import certs, cainstance, krainstance
-from ipaplatform import services
 from ipaplatform.paths import paths
 
 
@@ -68,15 +67,6 @@ def _main():
         shutil.rmtree(tmpdir)
         api.Backend.ldap2.disconnect()
 
-    # Now restart Apache so the new certificate is available
-    syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd")
-    try:
-        services.knownservices.httpd.restart()
-    except Exception as e:
-        syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % e)
-    else:
-        syslog.syslog(syslog.LOG_NOTICE, "Restarted httpd")
-
 
 def main():
     try:
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index a8e7818..72d3c54 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -39,7 +39,8 @@ def _main():
     syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
 
     try:
-        services.knownservices.dirsrv.restart(instance)
+        if services.knownservices.dirsrv.is_running():
+            services.knownservices.dirsrv.restart(instance)
     except Exception as e:
         syslog.syslog(syslog.LOG_ERR, "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e)))
 
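Review bot: The new guard calls `services.knownservices.dirsrv.is_running()` with no instance name, while the restart on the next line is instance-specific (`restart(instance)`); on a host with more than one dirsrv instance the check may answer for a default instance rather than the one whose certificate certmonger just renewed — if the platform service's `is_running` accepts an instance argument as `restart` does, `is_running(instance)` keeps the two consistent. A skipped restart is also silent even though the syslog line above already announces "certmonger restarted dirsrv instance", so an operator reading the log would believe the renewed certificate was loaded; an `else:` branch with `syslog.syslog(syslog.LOG_NOTICE, "dirsrv instance '%s' is not running, skipping restart" % instance)` makes the skip visible. The check-then-restart is inherently racy (the service can stop between the two calls), which is acceptable here because the existing `except` already covers a failed restart. `_main` starts before this hunk.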
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index 50348d4..d168481 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -29,7 +29,8 @@ def _main():
     syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
     try:
-        services.knownservices.httpd.restart()
+        if services.knownservices.httpd.is_running():
+            services.knownservices.httpd.restart()
     except Exception as e:
         syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
 
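Review bot: When `services.knownservices.httpd.is_running()` is false the restart is skipped without any trace, yet the syslog line above has already logged "certmonger restarted httpd", so the log now claims a restart that did not happen. Add an `else:` branch, `syslog.syslog(syslog.LOG_NOTICE, "httpd is not running, skipping restart")`, so that a renewed certificate that was not picked up can be traced back to this decision. As in the dirsrv script, the check-then-act is racy but the existing `except` already handles a restart that fails. `_main` starts before this hunk.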
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 39d43f2..4e8107e 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -166,11 +166,11 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
+        self.step("setting up httpd keytab", self._request_service_keytab)
+        self.step("setting up ssl", self.__setup_ssl)
         if self.ca_is_configured:
             self.step("configure certmonger for renewals",
                       self.configure_certmonger_renewal_guard)
-        self.step("setting up httpd keytab", self._request_service_keytab)
-        self.step("setting up ssl", self.__setup_ssl)
         self.step("importing CA certificates from LDAP", self.__import_ca_certs)
         self.step("publish CA cert", self.__publish_ca_cert)
         self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
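Review bot: The new position of the "setting up ssl" step relative to "configure certmonger for renewals" is now load-bearing, but nothing in the code says so, and the next person reordering these steps will reintroduce the stuck renewal lock described in the commit message. Add a comment above the moved step, for example `# Request the SSL cert before adding ipa-service-guard: changing the CA helper while a helper run is in flight kills it, which can leave renewal.lock held (ticket 6433).` `create_instance` starts before this hunk and continues past it.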
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 091992a..b8a46f5 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import errno
 import os
 import pickle
 import shutil
@@ -1118,6 +1119,14 @@ def uninstall(installer):
                           ' # getcert stop-tracking -i <request_id>\n'
                           'for each id in: %s' % ', '.join(ids))
 
+    # Remove the cert renewal lock file
+    try:
+        os.remove(paths.IPA_RENEWAL_LOCK)
+    except OSError as e:
+        if e.errno != errno.ENOENT:
+            root_logger.warning("Failed to remove file %s: %s",
+                                paths.IPA_RENEWAL_LOCK, e)
+
     print("Removing IPA client configuration")
     try:
         result = run([paths.IPA_CLIENT_INSTALL, "--on-master",
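Review bot: The lock file is removed right after the block above warns that some certmonger requests may still be tracked (the `getcert stop-tracking` hint preceding the new code), so a renewal helper holding the lock could still be running when `os.remove(paths.IPA_RENEWAL_LOCK)` executes; if the lock is taken on that file's inode, unlinking it under a live holder lets a later acquirer lock a fresh file and the mutual exclusion is silently lost — the lock implementation is not visible here, so please confirm. Moving the removal to after certmonger tracking and the services are shut down, or to a point where no helper can still run, avoids the question entirely. A one-line comment on the intent would also help, for example `# A lock left behind by a killed renewal helper blocks the next install (ticket 6433).` `uninstall` starts before this hunk and continues past it.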
-- 