URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
 Title: #517: [WIP] Use Custodia 0.3 features
From f3c3765c5d2119262d5c6d035cf33075c5c7e597 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 28 Feb 2017 12:07:19 +0100
Subject: [PATCH] Use Custodia 0.3 features

* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with the correct
  default for IPA's config file path. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

https://pagure.io/freeipa/issue/5825

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 freeipa.spec.in                      | 13 ++++++++-----
 init/systemd/Makefile.am             |  1 +
 init/systemd/ipa-custodia.service.in |  5 ++---
 install/tools/Makefile.am            |  1 +
 install/tools/ipa-custodia           |  6 ++++++
 ipapython/setup.py                   |  1 -
 ipaserver/secrets/service.py         | 30 ++++++++++++++++++++++++++++++
 ipaserver/setup.py                   |  1 +
 ipasetup.py.in                       |  1 +
 9 files changed, 50 insertions(+), 9 deletions(-)
 create mode 100755 install/tools/ipa-custodia
 create mode 100644 ipaserver/secrets/service.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ad35534..378037b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -164,7 +164,8 @@ BuildRequires:  pki-base-python2
 BuildRequires:  python-pytest-multihost
 BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-jwcrypto
-BuildRequires:  python-custodia
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
+BuildRequires:  python-custodia >= 0.3
 BuildRequires:  dbus-python
 BuildRequires:  python-dateutil
 BuildRequires:  python-enum34
@@ -199,7 +200,8 @@ BuildRequires:  pki-base-python3
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 BuildRequires:  python3-jwcrypto
-BuildRequires:  python3-custodia
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
+BuildRequires:  python3-custodia >= 0.3
 BuildRequires:  python3-dbus
 BuildRequires:  python3-dateutil
 BuildRequires:  python3-enum34
@@ -319,6 +321,7 @@ BuildArch: noarch
 Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaclient = %{version}-%{release}
+Requires: python-custodia >= 0.3
 Requires: python-ldap >= 2.4.15
 Requires: python-lxml
 Requires: python-gssapi >= 1.2.0
@@ -349,6 +352,7 @@ BuildArch: noarch
 Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-custodia >= 0.3
 Requires: python3-pyldap >= 2.4.15
 Requires: python3-lxml
 Requires: python3-gssapi >= 1.2.0
@@ -378,7 +382,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia >= 0.3
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -625,7 +629,6 @@ Requires: python-jwcrypto
 Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
-Requires: python-custodia
 Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
@@ -674,7 +677,6 @@ Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
 Requires: python3-requests
 Requires: python3-dns >= 1.15
 Requires: python3-netifaces >= 0.10.4
@@ -1127,6 +1129,7 @@ fi
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 325e857..945f6ac 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -18,5 +18,6 @@ CLEANFILES = $(systemdsystemunit_DATA)
 		-e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
 		-e 's|@localstatedir[@]|$(localstatedir)|g' \
 		-e 's|@sbindir[@]|$(sbindir)|g' \
+		-e 's|@libexecdir[@]|$(libexecdir)|g' \
 		-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
 		'$(srcdir)/$@.in' >$@
diff --git a/init/systemd/ipa-custodia.service.in b/init/systemd/ipa-custodia.service.in
index 3f9b128..0247bd8 100644
--- a/init/systemd/ipa-custodia.service.in
+++ b/init/systemd/ipa-custodia.service.in
@@ -2,9 +2,8 @@
 Description=IPA Custodia Service
 
 [Service]
-Type=simple
-
-ExecStart=@sbindir@/custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
+Type=notify
+ExecStart=@libexecdir@/ipa/ipa-custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
 PrivateTmp=yes
 Restart=on-failure
 RestartSec=60s
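Review bot: Switching to `Type=notify` makes start-up depend on the process actually reaching Custodia's sd_notify call; if the notification never arrives (a config error raised before the notify point, or a missing notification backend) systemd keeps the unit in "activating" until TimeoutStartSec expires, then `Restart=on-failure` with `RestartSec=60s` cycles it indefinitely, so a startup failure is only visible as a timeout rather than as the real error. The spec pins custodia >= 0.3 for sd_notify, but nothing visible here shows how the notification is delivered, so confirm the runtime dependency chain. Since this process serves IPA's secrets and now has a dedicated executable, the unit is also the natural place to tighten sandboxing beyond `PrivateTmp=yes`, e.g. `NoNewPrivileges=yes`, `ProtectSystem=full` and `ProtectHome=yes`; the rest of the unit is outside the hunk, so check these do not conflict with existing directives.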
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index f2c2ce2..493e5ff 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -32,6 +32,7 @@ dist_sbin_SCRIPTS =		\
 
 appdir = $(libexecdir)/ipa/
 dist_app_SCRIPTS =		\
+	ipa-custodia		\
 	ipa-httpd-kdcproxy	\
 	ipa-pki-retrieve-key	\
 	$(NULL)
diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia
new file mode 100755
index 0000000..5deeeff
--- /dev/null
+++ b/install/tools/ipa-custodia
@@ -0,0 +1,6 @@
+#!/usr/bin/python2
+# Copyright (C) 2017  IPA Project Contributors, see COPYING for license
+from ipaserver.secrets.service import main
+
+if __name__ == '__main__':
+    main()
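Review bot: The launcher discards the value returned by `main()`, so if `custodia.server.main` reports failure through its return value (it is passed straight through by `ipaserver.secrets.service.main`) the process still exits 0 and `Restart=on-failure` in ipa-custodia.service never fires; propagating it with `import sys` and `sys.exit(main())` is harmless when the call returns None and correct when it returns a status. Whether Custodia 0.3's `server.main` returns an exit status is not visible here, so confirm it before relying on it. A one-line header would also help the next reader: `# Dedicated entry point for IPA's Custodia instance so it can run under its own SELinux context (see ipa-custodia.service).`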
diff --git a/ipapython/setup.py b/ipapython/setup.py
index 86e4131..2fc039f 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -38,7 +38,6 @@
         ],
         install_requires=[
             "cffi",
-            "custodia",
             "cryptography",
             "dnspython",
             "gssapi",
diff --git a/ipaserver/secrets/service.py b/ipaserver/secrets/service.py
new file mode 100644
index 0000000..f51c46a
--- /dev/null
+++ b/ipaserver/secrets/service.py
@@ -0,0 +1,30 @@
+# Copyright (C) 2017  IPA Project Contributors, see COPYING for license
+import argparse
+
+import custodia.server
+
+
+argparser = argparse.ArgumentParser(
+    prog='ipa-custodia',
+    description='IPA Custodia service'
+)
+argparser.add_argument(
+    '--debug',
+    action='store_true',
+    help='Debug mode'
+)
+argparser.add_argument(
+    'configfile',
+    nargs='?',
+    type=argparse.FileType('r'),
+    help="Path to IPA's custodia server config",
+    default='/etc/ipa/custodia/custodia.conf'
+)
+
+
+def main():
+    return custodia.server.main(argparser)
+
+
+if __name__ == '__main__':
+    main()
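Review bot: The new module carries no docstring, and neither does `main()`, even though the libexec launcher and the systemd unit both depend on it; suggested module docstring: `"""Command-line entry point for IPA's Custodia instance: builds the argument parser (config file defaults to /etc/ipa/custodia/custodia.conf) and delegates to custodia.server.main."""`, and for `main()`: `"""Run Custodia with IPA's parser; returns whatever custodia.server.main returns."""`. One behaviour worth a comment on the `configfile` argument: argparse applies `FileType('r')` to the string default as well, so the default config is opened during argument parsing and a missing or unreadable file surfaces as an argparse usage error (exit 2) rather than inside Custodia, e.g. `# NOTE: the default path is opened at parse time too; an unreadable config fails before Custodia starts`. The parser's argument names (`configfile`, `debug`) presumably have to match what `custodia.server.main` reads from the namespace, which cannot be verified from this hunk.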
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index d3c735c..42b0c1b 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -47,6 +47,7 @@
         ],
         install_requires=[
             "cryptography",
+            "custodia",
             "dbus-python",
             "dnspython",
             "dogtag-pki",
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 915f0ed..1d39f03 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -64,6 +64,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0):
 
 PACKAGE_VERSION = {
     'cryptography': 'cryptography >= 1.4',
+    'custodia': 'custodia >= 0.3',
     'dnspython': 'dnspython >= 1.15',
     'gssapi': 'gssapi >= 1.2.0',
     'ipaclient': 'ipaclient == {}'.format(VERSION),
-- 