Re: [Freeipa-devel] [PATCHES 297-299] Improvements for idviews xmlrpc tests
On 01/21/2015 04:51 PM, Tomas Babej wrote: Hi, this couple of patches adds coverage for the scenario in https://fedorahosted.org/freeipa/ticket/4839 , plus fixes issues that caused ipa-run-tests to skip this test file. Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hi, thanks for patches. Works for me, ACK. -- David Kupka ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 493 Print PublicError traceback when in debug mode
The framework only shows traceback for the internal/unknown errors, recognized PublicErrors are simply passed back to the FreeIPA clients. However, sometimes it would help to see a traceback of the PublicError to for example see exactly which line returns it. https://fedorahosted.org/freeipa/ticket/4847 if api.env.debug may seem redundant in this case, my motivation was not to invoke exception trace formatting every time a public error is thrown even when debug is not enabled. Martin From 36b926bce1117d7ea370b8a75890c9711450fb5a Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 20 Jan 2015 23:13:23 +0100 Subject: [PATCH] Print PublicError traceback when in debug mode The framework only shows traceback for the internal/unknown errors, recognized PublicErrors are simply passed back to the FreeIPA clients. However, sometimes it would help to see a traceback of the PublicError to for example see exactly which line returns it. https://fedorahosted.org/freeipa/ticket/4847 --- ipaserver/rpcserver.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 18de23d3a5bed485d35adb18b22d04255f933448..d6bc955b9d9910a24eec5df1def579310eb54786 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -29,6 +29,7 @@ import datetime import urlparse import json +import traceback import ldap.controls from pyasn1.type import univ, namedtype @@ -347,6 +348,8 @@ def wsgi_execute(self, environ): else: result = self.Command[name](*args, **options) except PublicError, e: +if self.api.env.debug: +self.debug('WSGI wsgi_execute PublicError: %s', traceback.format_exc()) error = e except StandardError, e: self.exception( -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 300] Fix incorrect python shebang usage
Hi, attached patch fixes few python2 non-explicit shebangs that lurked into the codebase. TomasFrom ce5938cbf3df4b9ff6da08ebb114c342e763cc22 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Thu, 22 Jan 2015 12:47:13 +0100 Subject: [PATCH] ipapython: Fix incorrect python shebangs Make sure shebangs explicitly reference python2. --- daemons/dnssec/ipa-dnskeysync-replica | 2 +- daemons/dnssec/ipa-dnskeysyncd| 2 +- daemons/dnssec/ipa-ods-exporter | 2 +- ipapython/dnssec/abshsm.py| 1 - ipapython/dnssec/bindmgr.py | 1 - ipapython/dnssec/keysyncer.py | 1 - ipapython/dnssec/ldapkeydb.py | 1 - ipapython/dnssec/localhsm.py | 2 +- ipapython/dnssec/odsmgr.py| 2 +- ipapython/dnssec/syncrepl.py | 1 - ipapython/dnssec/temp.py | 1 - ipapython/ipap11helper/setup.py | 2 +- ipapython/p11helper.py| 1 - 13 files changed, 6 insertions(+), 13 deletions(-) diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica index 23c95a01c3e4f0f6527e4fc449244dc487f04119..d04f360e04ee018dcdd1ba9b2ca42b1844617af9 100755 --- a/daemons/dnssec/ipa-dnskeysync-replica +++ b/daemons/dnssec/ipa-dnskeysync-replica @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python2 # # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd index c7475bd65ba7ad38af99f2e8c3ae3bc8837f2c9b..b78f3539863a4a81c9d144a26e246b74d6360d41 100755 --- a/daemons/dnssec/ipa-dnskeysyncd +++ b/daemons/dnssec/ipa-dnskeysyncd @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python2 # # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter index 228589151387b6d1ab6df252c587234edf529eaa..dc1851d3a34bb09c1a87c86d101b11afe35e49fe 100755 --- a/daemons/dnssec/ipa-ods-exporter +++ b/daemons/dnssec/ipa-ods-exporter @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python2 # # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # diff --git a/ipapython/dnssec/abshsm.py b/ipapython/dnssec/abshsm.py index cc8119865e3f24d1328f2312c2e2fabcaf0856aa..80292e5a727e03ca805c866790ef9e628a4973d5 100644 --- a/ipapython/dnssec/abshsm.py +++ b/ipapython/dnssec/abshsm.py @@ -1,4 +1,3 @@ -#!/usr/bin/python # # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # diff --git a/ipapython/dnssec/bindmgr.py b/ipapython/dnssec/bindmgr.py index 9c831c241d53ec3dd996b8fd8c3106a92998deb8..2c6781609594fa27812af3a01d16318198a3e120 100644 --- a/ipapython/dnssec/bindmgr.py +++ b/ipapython/dnssec/bindmgr.py @@ -1,4 +1,3 @@ -#!/usr/bin/python # # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # diff --git a/ipapython/dnssec/keysyncer.py b/ipapython/dnssec/keysyncer.py index 1b27573267fff941393360b5a589146d722d098b..837602fb4e7c74a7099a351c727d1435b5645706 100644 --- a/ipapython/dnssec/keysyncer.py +++ b/ipapython/dnssec/keysyncer.py @@ -1,4 +1,3 @@ -#!/usr/bin/python # # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # diff --git a/ipapython/dnssec/ldapkeydb.py b/ipapython/dnssec/ldapkeydb.py index e2e58f8809e2e604dff4ecf0122d866f0986dee0..71c0a95a39b1b460178d0b853ed26bf2cfe5bda1 100644 --- a/ipapython/dnssec/ldapkeydb.py +++ b/ipapython/dnssec/ldapkeydb.py @@ -1,4 +1,3 @@ -#!/usr/bin/python # # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # diff --git a/ipapython/dnssec/localhsm.py b/ipapython/dnssec/localhsm.py index de49641b0a1f789a375f67937d4701901372a4b5..6176fbf0054e0c267dc5f61255b4c1192ff7d1fb 100755 --- a/ipapython/dnssec/localhsm.py +++ b/ipapython/dnssec/localhsm.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python2 # # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # diff --git a/ipapython/dnssec/odsmgr.py b/ipapython/dnssec/odsmgr.py index a91b6c553d9ab7364258bd1ca24d236a3994ec6d..91c7fd1104330e26587f6eaac662f43bfb60e822 100644 --- a/ipapython/dnssec/odsmgr.py +++ b/ipapython/dnssec/odsmgr.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python2 # # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # diff --git a/ipapython/dnssec/syncrepl.py b/ipapython/dnssec/syncrepl.py index 2f657f599e572f4e29bfa87a5d0a2a468b79f207..595582cb876b8af78492a2c3e36bd228ff6ca97b 100644 --- a/ipapython/dnssec/syncrepl.py +++ b/ipapython/dnssec/syncrepl.py @@ -1,4 +1,3 @@ -#!/usr/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2014 FreeIPA Contributors see COPYING for license diff --git a/ipapython/dnssec/temp.py b/ipapython/dnssec/temp.py index 23ee377bece178ecfb1a0cdaa1168d03fb0b3177..e97d3a0b8a9cd3ca7e808cc198de13590ef420d1 100644 --- a/ipapython/dnssec/temp.py +++ b/ipapython/dnssec/temp.py @@ -1,4 +1,3 @@ -#!/usr/bin/python # # Copyright (C) 2014 FreeIPA Contributors see COPYING for license # diff --git
Re: [Freeipa-devel] [PATCH] Use curl instead of wget
On Thu, Jan 22, 2015, at 12:23 AM, Alexander Bokovoy wrote: In general, I'm not against trimming this dependency. However, please follow existing pattern by defining paths.BIN_CURL and using it instead of paths.BIN_WGET. FreeIPA client runs on Debian GNU/Linux-based platforms as well and we need to keep the abstraction. I understand this would be a separate patch...but I don't understand paths.py at all. First, why not just search $PATH? util.py already sets up a sanitized $PATH (although setting environment variables like this is not threadsafe, but that's another bug). Second, it's also in /usr/bin on Debian: https://packages.debian.org/wheezy/amd64/curl/filelist ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use curl instead of wget
On Thu, 22 Jan 2015, Colin Walters wrote: On Thu, Jan 22, 2015, at 12:23 AM, Alexander Bokovoy wrote: In general, I'm not against trimming this dependency. However, please follow existing pattern by defining paths.BIN_CURL and using it instead of paths.BIN_WGET. FreeIPA client runs on Debian GNU/Linux-based platforms as well and we need to keep the abstraction. I understand this would be a separate patch...but I don't understand paths.py at all. First, why not just search $PATH? util.py already sets up a sanitized $PATH (although setting environment variables like this is not threadsafe, but that's another bug). Second, it's also in /usr/bin on Debian: https://packages.debian.org/wheezy/amd64/curl/filelist We have abstraction layer to take care of different platforms on a wider scale than just this particular binary. We are gradually moving all code to use platform abstraction to allow other platforms to be supported (like FreeBSD or Illumos) and we in general cannot guarantee things will be there at the same locations. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 003] Use 'remove-ds.pl' to remove DS instance during server uninstall
On 01/22/2015 12:19 PM, Martin Kosek wrote: On 01/22/2015 11:58 AM, Martin Babinsky wrote: On 01/22/2015 11:04 AM, Martin Babinsky wrote: The attached patch addresses https://fedorahosted.org/freeipa/ticket/4487. Using 'remove-ds.pl' script from 389-ds during server/replica uninstallation should allow for cleaner removal of DS instance with no leftovers (opened ports etc). Martin^3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Thanks to Martin^2 for explaining the rules governing the placement of new attributes into BasePathNamespace class. Attaching updated patch. Martin^3 I see you kept erase_ds_instance_data still in the dsinstance. What is the motivation? I thought that just like with PKI, with DS we will also have uninstall based solely only on the DS uninstall script and remove our custom removal. We can keep the manual removal somewhere in wiki, but I would personally not keep/maintain it in FreeIPA code. I originally thought that I will keep erase_ds_instance-data as a failsafe method to clean up the dirsrv data in th case that remove-ds.pl fails. But I will remove the method altogether and change the code so that it prints out some warning about manual removal of DS data when remove-ds.pl fails. Martin^2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 003] Use 'remove-ds.pl' to remove DS instance during server uninstall
On 01/22/2015 12:38 PM, Martin Babinsky wrote: On 01/22/2015 12:19 PM, Martin Kosek wrote: On 01/22/2015 11:58 AM, Martin Babinsky wrote: On 01/22/2015 11:04 AM, Martin Babinsky wrote: The attached patch addresses https://fedorahosted.org/freeipa/ticket/4487. Using 'remove-ds.pl' script from 389-ds during server/replica uninstallation should allow for cleaner removal of DS instance with no leftovers (opened ports etc). Martin^3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Thanks to Martin^2 for explaining the rules governing the placement of new attributes into BasePathNamespace class. Attaching updated patch. Martin^3 I see you kept erase_ds_instance_data still in the dsinstance. What is the motivation? I thought that just like with PKI, with DS we will also have uninstall based solely only on the DS uninstall script and remove our custom removal. We can keep the manual removal somewhere in wiki, but I would personally not keep/maintain it in FreeIPA code. I originally thought that I will keep erase_ds_instance-data as a failsafe method to clean up the dirsrv data in th case that remove-ds.pl fails. But I will remove the method altogether and change the code so that it prints out some warning about manual removal of DS data when remove-ds.pl fails. Martin^2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Updated patch attached Martin^3 From a1085b6e544bbab7fbd003d1e44a8e53af4e8402 Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Wed, 21 Jan 2015 13:40:36 +0100 Subject: [PATCH] Use 'remove-ds.pl' to remove DS instance The patch adds a function which calls 'remove-ds.pl' during DS instance removal. This should allow for a more thorough removal of DS related data during server uninstallation (such as closing custom ports, cleaning up slapd-* entries etc.) This patch is related to https://fedorahosted.org/freeipa/ticket/4487. --- install/tools/ipa-server-install | 6 - ipaplatform/base/paths.py| 1 + ipaserver/install/cainstance.py | 8 +-- ipaserver/install/dsinstance.py | 51 ++-- 4 files changed, 40 insertions(+), 26 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 11055aee350d258b10a2efc97fd8b184909eae10..d78e8512f43cf6d0d12c761fa4dc6b13a0ba9aaf 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -414,7 +414,11 @@ def signal_handler(signum, frame): print Removing configuration for %s instance % ds.serverid ds.stop() if ds.serverid: -dsinstance.erase_ds_instance_data (ds.serverid) +try: +dsinstance.remove_ds_instance(ds.serverid) +except ipautil.CalledProcessError: +root_logger.error((Failed to remove DS instance. You may + need to remove instance data manually)) sys.exit(1) def read_cache(dm_password): diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 5c52714abaf7c5bddbeb80c68bd7cd6e0cac4459..22a3b9bb90d8b75278cb853d9b15de606db0602b 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -224,6 +224,7 @@ class BasePathNamespace(object): NTPD = /usr/sbin/ntpd PKIDESTROY = /usr/sbin/pkidestroy PKISPAWN = /usr/sbin/pkispawn +REMOVE_DS_PL = /usr/sbin/remove-ds.pl RESTORECON = /usr/sbin/restorecon SELINUXENABLED = /usr/sbin/selinuxenabled SETSEBOOL = /usr/sbin/setsebool diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 2c6933be12bc02877886823c58c506bc6cbf5ed8..dad452b9c816341b03a90c30245e04ad4f16b760 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -308,13 +308,17 @@ class CADSInstance(service.Service): if not enabled is None and not enabled: services.knownservices.dirsrv.disable() -if not serverid is None: +if serverid is not None: # drop the trailing / off the config_dirname so the directory # will match what is in certmonger dirname = dsinstance.config_dirname(serverid)[:-1] dsdb = certs.CertDB(self.realm, nssdir=dirname) dsdb.untrack_server_cert(Server-Cert) -dsinstance.erase_ds_instance_data(serverid) +try: +dsinstance.remove_ds_instance(serverid) +except ipautil.CalledProcessError: +root_logger.error((Failed to remove CA DS instance. You may + need to remove instance data manually)) self.restore_state(user_exists) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index
[Freeipa-devel] [PATCH 003] Use 'remove-ds.pl' to remove DS instance during server uninstall
The attached patch addresses https://fedorahosted.org/freeipa/ticket/4487. Using 'remove-ds.pl' script from 389-ds during server/replica uninstallation should allow for cleaner removal of DS instance with no leftovers (opened ports etc). Martin^3 From ba7bde3b7eaf80e26fed670fd8d863ad56b7e23a Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Wed, 21 Jan 2015 13:40:36 +0100 Subject: [PATCH] Use 'remove-ds.pl' to remove DS instance The patch adds a function which calls 'remove-ds.pl' during DS instance removal. This should allow for a more thorough removal of DS related data during server uninstallation (such as closing custom ports, cleaning up slapd-* entries etc.) This patch is related to https://fedorahosted.org/freeipa/ticket/4487. --- ipaplatform/base/paths.py | 1 + ipaserver/install/dsinstance.py | 35 +-- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 5c52714abaf7c5bddbeb80c68bd7cd6e0cac4459..14934006034281c90eeb8e6f0e5a0e53b54c0ddb 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -228,6 +228,7 @@ class BasePathNamespace(object): SELINUXENABLED = /usr/sbin/selinuxenabled SETSEBOOL = /usr/sbin/setsebool SETUP_DS_PL = /usr/sbin/setup-ds.pl +REMOVE_DS_PL = /usr/sbin/remove-ds.pl SMBD = /usr/sbin/smbd USERADD = /usr/sbin/useradd USR_SHARE_IPA_DIR = /usr/share/ipa/ diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 66267f4cdde548266b15594e3640bf8247c64859..3a466f5e91d9d303de05d0e0ce55d9e05ce0d20e 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -105,6 +105,31 @@ def erase_ds_instance_data(serverid): #except: #pass + +def remove_ds_instance(serverid, force=False): +A wrapper around the 'remove-ds.pl' script used by +389ds to remove a single directory server instance. In case of error +additional call with the '-f' flag is performed (forced removal). If this +also fails, then an exception is raised. + +instance_name = '-'.join(['slapd', serverid]) +args = [paths.REMOVE_DS_PL, '-i', instance_name] +if force: +args.append('-f') +root_logger.debug(Forcing instance removal) + +try: +ipautil.run(args) +except ipautil.CalledProcessError: +if force: +root_logger.debug((Instance removal failed. + Manual cleanup required)) +raise +root_logger.debug(('%s' failed. + Attempting to force removal % paths.REMOVE_DS_PL)) +remove_ds_instance(serverid, force=True) + + def get_ds_instances(): ''' Return a sorted list of all 389ds instances. @@ -774,9 +799,15 @@ class DsInstance(service.Service): self.disable() serverid = self.restore_state(serverid) -if not serverid is None: +if serverid is not None: self.stop_tracking_certificates(serverid) -erase_ds_instance_data(serverid) +root_logger.debug(Removing DS instance %s % serverid) +try: +remove_ds_instance(serverid) +except ipautil.CalledProcessError: +root_logger.error(Failed to remove DS instance.) +root_logger.debug(Cleaning up instance data manually.) +erase_ds_instance_data(serverid) # At one time we removed this user on uninstall. That can potentially # orphan files, or worse, if another useradd runs in the intermim, -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 003] Use 'remove-ds.pl' to remove DS instance during server uninstall
On 01/22/2015 11:04 AM, Martin Babinsky wrote: The attached patch addresses https://fedorahosted.org/freeipa/ticket/4487. Using 'remove-ds.pl' script from 389-ds during server/replica uninstallation should allow for cleaner removal of DS instance with no leftovers (opened ports etc). Martin^3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Thanks to Martin^2 for explaining the rules governing the placement of new attributes into BasePathNamespace class. Attaching updated patch. Martin^3 From e89896f1dc4b04f34e19dd5e563209dde2771f2e Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Wed, 21 Jan 2015 13:40:36 +0100 Subject: [PATCH] Use 'remove-ds.pl' to remove DS instance The patch adds a function which calls 'remove-ds.pl' during DS instance removal. This should allow for a more thorough removal of DS related data during server uninstallation (such as closing custom ports, cleaning up slapd-* entries etc.) This patch is related to https://fedorahosted.org/freeipa/ticket/4487. --- ipaplatform/base/paths.py | 1 + ipaserver/install/dsinstance.py | 35 +-- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 5c52714abaf7c5bddbeb80c68bd7cd6e0cac4459..22a3b9bb90d8b75278cb853d9b15de606db0602b 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -224,6 +224,7 @@ class BasePathNamespace(object): NTPD = /usr/sbin/ntpd PKIDESTROY = /usr/sbin/pkidestroy PKISPAWN = /usr/sbin/pkispawn +REMOVE_DS_PL = /usr/sbin/remove-ds.pl RESTORECON = /usr/sbin/restorecon SELINUXENABLED = /usr/sbin/selinuxenabled SETSEBOOL = /usr/sbin/setsebool diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 66267f4cdde548266b15594e3640bf8247c64859..3a466f5e91d9d303de05d0e0ce55d9e05ce0d20e 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -105,6 +105,31 @@ def erase_ds_instance_data(serverid): #except: #pass + +def remove_ds_instance(serverid, force=False): +A wrapper around the 'remove-ds.pl' script used by +389ds to remove a single directory server instance. In case of error +additional call with the '-f' flag is performed (forced removal). If this +also fails, then an exception is raised. + +instance_name = '-'.join(['slapd', serverid]) +args = [paths.REMOVE_DS_PL, '-i', instance_name] +if force: +args.append('-f') +root_logger.debug(Forcing instance removal) + +try: +ipautil.run(args) +except ipautil.CalledProcessError: +if force: +root_logger.debug((Instance removal failed. + Manual cleanup required)) +raise +root_logger.debug(('%s' failed. + Attempting to force removal % paths.REMOVE_DS_PL)) +remove_ds_instance(serverid, force=True) + + def get_ds_instances(): ''' Return a sorted list of all 389ds instances. @@ -774,9 +799,15 @@ class DsInstance(service.Service): self.disable() serverid = self.restore_state(serverid) -if not serverid is None: +if serverid is not None: self.stop_tracking_certificates(serverid) -erase_ds_instance_data(serverid) +root_logger.debug(Removing DS instance %s % serverid) +try: +remove_ds_instance(serverid) +except ipautil.CalledProcessError: +root_logger.error(Failed to remove DS instance.) +root_logger.debug(Cleaning up instance data manually.) +erase_ds_instance_data(serverid) # At one time we removed this user on uninstall. That can potentially # orphan files, or worse, if another useradd runs in the intermim, -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 003] Use 'remove-ds.pl' to remove DS instance during server uninstall
On 01/22/2015 11:58 AM, Martin Babinsky wrote: On 01/22/2015 11:04 AM, Martin Babinsky wrote: The attached patch addresses https://fedorahosted.org/freeipa/ticket/4487. Using 'remove-ds.pl' script from 389-ds during server/replica uninstallation should allow for cleaner removal of DS instance with no leftovers (opened ports etc). Martin^3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Thanks to Martin^2 for explaining the rules governing the placement of new attributes into BasePathNamespace class. Attaching updated patch. Martin^3 I see you kept erase_ds_instance_data still in the dsinstance. What is the motivation? I thought that just like with PKI, with DS we will also have uninstall based solely only on the DS uninstall script and remove our custom removal. We can keep the manual removal somewhere in wiki, but I would personally not keep/maintain it in FreeIPA code. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 300] Fix incorrect python shebang usage
On 22/01/15 12:52, Tomas Babej wrote: Hi, attached patch fixes few python2 non-explicit shebangs that lurked into the codebase. Tomas ACK -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0189] Prevent install scripts to fail silently if timeout exceeded
How to reproduce: 1. stop dirsrv 2. ipa-dns-install 3. insert password Patch attached -- Martin Basti From f20cf71a1230c144d7db9045ffb26ed8464a4bf8 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Thu, 22 Jan 2015 17:09:22 +0100 Subject: [PATCH] Prevent install scripts fail silently if timeout exceeded socket.timeout() exceptions need description, otherwise no error message is printed on console. --- ipapython/ipautil.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 45b334d0a3c2ebf7ee5b6d1cb980e05895fa1e0a..4116d974e620341119b56fad3cff1bda48af3bab 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -1150,7 +1150,7 @@ def wait_for_open_ports(host, ports, timeout=0): if port_open: break if timeout and time.time() op_timeout: # timeout exceeded -raise socket.timeout() +raise socket.timeout(Timeout exceeded) time.sleep(1) def wait_for_open_socket(socket_name, timeout=0): -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use curl instead of wget
On Thu, 22 Jan 2015, Colin Walters wrote: On Thu, Jan 22, 2015, at 08:45 AM, Alexander Bokovoy wrote: We have abstraction layer to take care of different platforms on a wider scale than just this particular binary. We are gradually moving all code to use platform abstraction to allow other platforms to be supported (like FreeBSD or Illumos) and we in general cannot guarantee things will be there at the same locations. That doesn't answer the why not just use $PATH part. Regardless, here's a new patch which adds a BIN_CURL. We had cases in past when a non-working from FreeIPA perspective utility was selected from $PATH due to a local misconfiguration. For something that is packaged as a complex combination of multiple packages, packaging requirements at least allow to establish the environment we expect and which was tested. Relying on $PATH doesn't improve this assumption. And some of cases are pretty subtle, like libxmlrpc-c uses cURL library and if cURL was built without GSSAPI support it will silently fail, leaving no traces at why this has happened. curl utility also doesn't check if SPNEGO support (GSSAPI in our case) was compiled in if you specify 'curl --negotiate' without any option value. From 47701a454ba442f08cd05a77ff6a2dbba76b787a Mon Sep 17 00:00:00 2001 From: Colin Walters walt...@verbum.org Date: Wed, 21 Jan 2015 16:59:52 -0500 Subject: [PATCH] Use curl instead of wget Curl has a shared library, and so ends up being used by more components of the OS. It should be preferred over wget. The motivation for this patch is for Project Atomic hosts; we want to include ipa-client, but trim down its dependencies. If wget isn't installed on the host, it doesn't need to be updated for security errata. Code-wise looks OK. We need to test it, I'll look at it next week. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 493 Print PublicError traceback when in debug mode
On 22/01/15 12:25, Martin Kosek wrote: The framework only shows traceback for the internal/unknown errors, recognized PublicErrors are simply passed back to the FreeIPA clients. However, sometimes it would help to see a traceback of the PublicError to for example see exactly which line returns it. https://fedorahosted.org/freeipa/ticket/4847 if api.env.debug may seem redundant in this case, my motivation was not to invoke exception trace formatting every time a public error is thrown even when debug is not enabled. Martin ACK, works as expected. -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Use curl instead of wget
On Thu, Jan 22, 2015, at 08:45 AM, Alexander Bokovoy wrote: We have abstraction layer to take care of different platforms on a wider scale than just this particular binary. We are gradually moving all code to use platform abstraction to allow other platforms to be supported (like FreeBSD or Illumos) and we in general cannot guarantee things will be there at the same locations. That doesn't answer the why not just use $PATH part. Regardless, here's a new patch which adds a BIN_CURL. From 47701a454ba442f08cd05a77ff6a2dbba76b787a Mon Sep 17 00:00:00 2001 From: Colin Walters walt...@verbum.org Date: Wed, 21 Jan 2015 16:59:52 -0500 Subject: [PATCH] Use curl instead of wget Curl has a shared library, and so ends up being used by more components of the OS. It should be preferred over wget. The motivation for this patch is for Project Atomic hosts; we want to include ipa-client, but trim down its dependencies. If wget isn't installed on the host, it doesn't need to be updated for security errata. --- freeipa.spec.in| 4 ++-- ipa-client/ipa-install/ipa-client-install | 2 +- ipaplatform/base/paths.py | 2 +- ipaplatform/redhat/services.py | 8 ipaserver/advise/plugins/legacy_clients.py | 16 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 4da0732..f8fe2ad 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -224,7 +224,7 @@ Requires: ntp Requires: krb5-workstation Requires: authconfig Requires: pam_krb5 -Requires: wget +Requires: curl Requires: libcurl = 7.21.7-2 Requires: xmlrpc-c = 1.27.4 Requires: sssd = 1.12.3 @@ -286,7 +286,7 @@ Requires: python-qrcode-core = 5.0.0 Requires: python-pyasn1 Requires: python-dateutil Requires: python-yubico -Requires: wget +Requires: curl Conflicts: %{alt_name}-python Obsoletes: %{alt_name}-python %{version} diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index dfe0e3b..26cf21a 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1753,7 +1753,7 @@ def get_ca_certs_from_http(url, warn=True): root_logger.debug(trying to retrieve CA cert via HTTP from %s, url) try: -stdout, stderr, rc = run([paths.BIN_WGET, -O, -, url]) +stdout, stderr, rc = run([paths.BIN_CURL, url]) except CalledProcessError, e: raise errors.NoCertificateError(entry=url) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 5c52714..2a54b73 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -187,7 +187,7 @@ class BasePathNamespace(object): SSS_SSH_AUTHORIZEDKEYS = /usr/bin/sss_ssh_authorizedkeys SSS_SSH_KNOWNHOSTSPROXY = /usr/bin/sss_ssh_knownhostsproxy UPDATE_CA_TRUST = /usr/bin/update-ca-trust -BIN_WGET = /usr/bin/wget +BIN_CURL = /usr/bin/curl ZIP = /usr/bin/zip BIND_LDAP_SO = /usr/lib/bind/ldap.so BIND_LDAP_DNS_IPA_WORKDIR = /var/named/dyndb-ldap/ipa/ diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 8759cab..a3b86fb 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -201,10 +201,10 @@ class RedHatCAService(RedHatService): } args = [ -paths.BIN_WGET, -'-S', '-O', '-', -'--timeout=30', -'--no-check-certificate', +paths.BIN_CURL, +'-v', +'--max-time', '30', +'--insecure', url ] diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py index 6d17f7e..93f186e 100644 --- a/ipaserver/advise/plugins/legacy_clients.py +++ b/ipaserver/advise/plugins/legacy_clients.py @@ -48,13 +48,13 @@ class config_base_legacy_client(Advice): 'cacertdir_rehash?format=txt') self.log.comment('Download the CA certificate of the IPA server') self.log.command('mkdir -p -m 755 /etc/openldap/cacerts') -self.log.command('wget http://%s/ipa/config/ca.crt -O ' - '/etc/openldap/cacerts/ipa.crt\n' % api.env.host) +self.log.command('curl -o /etc/openldap/cacerts/ipa.crt http://%s/ipa/config/ca.crt\n' + % api.env.host) self.log.comment('Generate hashes for the openldap library') self.log.command('command -v cacertdir_rehash') self.log.command('if [ $? -ne 0 ] ; then') -self.log.command(' wget %s -O cacertdir_rehash ;' % cacertdir_rehash) +self.log.command(' curl -o cacertdir_rehash %s;' % cacertdir_rehash) self.log.command(' chmod 755 ./cacertdir_rehash ;') self.log.command(' ./cacertdir_rehash /etc/openldap/cacerts/ ;')
Re: [Freeipa-devel] [PATCH] 493 Print PublicError traceback when in debug mode
On 01/22/2015 04:09 PM, Martin Basti wrote: On 22/01/15 12:25, Martin Kosek wrote: The framework only shows traceback for the internal/unknown errors, recognized PublicErrors are simply passed back to the FreeIPA clients. However, sometimes it would help to see a traceback of the PublicError to for example see exactly which line returns it. https://fedorahosted.org/freeipa/ticket/4847 if api.env.debug may seem redundant in this case, my motivation was not to invoke exception trace formatting every time a public error is thrown even when debug is not enabled. Martin ACK, works as expected. Pushed to: master: 834c911f9603ae77ac2483f154d62a5f0670c297 ipa-4-1: 877321ec74f9fe1a583257de8cb9c8430f15cb45 Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes
Hi, Dne 21.1.2015 v 13:39 Martin Basti napsal(a): Patch 188 catch ldap exceptions to prevent false positive abrt reports Patch 187 fixes issues with removing root zone Patches attached. Patch 187: Is there a reason only SERVER_DOWN and CONNECT_ERROR are handled, instead of any LDAPError? Patch 188: IMO it would be slightly better to do it like this: -name = name.relativize(dns.name.root) +if name != dns.name.root: +name = name.relativize(dns.name.root) Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0184] Always return absolute idnsname in dnszone commands
Dne 20.1.2015 v 12:49 Martin Basti napsal(a): On 15/01/15 16:07, Jan Cholasta wrote: Dne 15.1.2015 v 15:39 Martin Basti napsal(a): On 15/01/15 15:07, Jan Cholasta wrote: Dne 15.1.2015 v 14:58 Martin Basti napsal(a): On 15/01/15 14:25, Jan Cholasta wrote: Hi, Dne 15.1.2015 v 13:27 Martin Basti napsal(a): On 15/01/15 13:17, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/4722 Patch attached. Fast fix. Updated patch attached. 1) Forward zone commands are not fixed. FWzones are new and always normalized to absolute name in ldap Would you bet your money on that? Better be safe than sorry, especially when it's just a matter of moving the code around (right?) 2) It seems that the primary key returned by -mod, -del and -show (.result.value) is made absolute somewhere else in the code. Would it be possible to do it in one place? IMO it is not possible. Value is generated from key, and key is normalized to absolute zone before calling execute. LDAPUpdate: ... if self.obj.primary_key: pkey = keys[-1] else: pkey = None return dict(result=entry_attrs, value=pkey_to_value(pkey, options)) The idnsname attribute is just taken from LDAP without any normalization Right. 3) Attribute values returned from LDAP are never None, so the if should be if 'idnsname' in entry_attrs:. Ok I will revert the change I made. 4) If idnsname always has only single value, use entry_attrs.single_value['idnsname'] = entry_attrs.single_value['idnsname'].make_absolute() Thanks Honza Updated patch attached. Updated patch attached. Thanks. Is there a reason why you put the _make_zone_absolute calls in dnszone_* and dnsforwardzone_* instead of DNSZoneBase_*? I moved callback into Base classes. Patch attached. 1) Multi-line statements should generally use parentheses for implicit line continuation rather than backslashes: +entry_attrs.single_value['idnsname'] = ( +entry_attrs.single_value['idnsname'].make_absolute()) 2) You can remove the DN asserts from dnszone_*, they are already asserted in DNSZoneBase_*. 3) Do not just ignore return values of super().post_callback(): def post_callback(self, something, ...): something = super(...).post_callback(something, ...) ... return something -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel