Re: [Freeipa-devel] [PATCH 0036] Bump minimal BIND version for CentOS
On 23/06/15 14:14, Petr Spacek wrote: Hello, Bump minimal BIND version for CentOS. DNSSEC support added dependency on bind-pkcs11 sub-package. https://fedorahosted.org/freeipa/ticket/4657 ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running.
https://fedorahosted.org/freeipa/ticket/5080 -- David Kupka From f5467b5a338647a20aef5e5657b9e21be5b0a2f5 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Fri, 26 Jun 2015 10:42:23 +0200 Subject: [PATCH] upgrade: Raise error when certmonger is not running. Certmonger should be running (should be started on system boot). Either user decided to stop it or it crashed. We should just error out and let user check fix it. https://fedorahosted.org/freeipa/ticket/5080 --- ipaserver/install/server/upgrade.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 43beb6799befcad8d512d15409b363f02c3bad08..784a03b195ab99c865935b6e51cc86a3b81842ee 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1477,6 +1477,9 @@ def upgrade_check(options): print unicode(e) sys.exit(1) +if not services.knownservices.certmonger.is_running(): +raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.') + if not options.skip_version_check: # check IPA version and data version try: -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
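Review bot: The added guard raises a bare `RuntimeError`, while the context lines directly above it in `upgrade_check` handle a failure by printing the message and calling `sys.exit(1)`, so an operator running the upgrade with certmonger stopped would presumably get a traceback instead of the one-line diagnosis the message was written for. Unless a caller outside the hunk converts `RuntimeError` into a clean exit, keeping the surrounding style — `print 'Certmonger is not running. Start certmonger and run upgrade again.'` followed by `sys.exit(1)`, or raising the `ScriptError` that the admintool layer discussed later in this thread already reports cleanly — would be more consistent. Note that the check is a point-in-time probe; it says nothing about certmonger staying up for the rest of the upgrade, which is fine here but worth a one-line comment such as `# certmonger is needed by the certificate renewal steps below; fail early with a clear message`. The rest of `upgrade_check` lies outside the hunk.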
[Freeipa-devel] [PATCH 0041] DNSSEC: Accept ipa-ods-exporter commands from command line
Hello, DNSSEC: Accept ipa-ods-exporter commands from command line. Previously only systemd socket activation was supported. Ability to call the command directly is handy in special cases, e.g. for debugging or moving key master role from one server to another. -- Petr^2 Spacek From 7381ae8abefab20f975cd64b93161c1c546d4a7f Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 26 Jun 2015 17:39:47 +0200 Subject: [PATCH] DNSSEC: Accept ipa-ods-exporter commands from command line. Previously only systemd socket activation was supported. Ability to call the command directly is handy in special cases, e.g. for debugging or moving key master role from one server to another. --- daemons/dnssec/ipa-ods-exporter | 88 ++--- 1 file changed, 56 insertions(+), 32 deletions(-) diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter index 913b418af2806e2660a7db221e06394b501bbb18..63a83f2e785371e2530be837941000a8051347f9 100755 --- a/daemons/dnssec/ipa-ods-exporter +++ b/daemons/dnssec/ipa-ods-exporter @@ -9,6 +9,9 @@ This program uses the same socket and protocol as original signerd and should be activated via systemd socket activation using ods-signer command line utility. +Alternativelly, it can be called directly and a command can be supplied as +first command line argument. + Purpose of this replacement is to upload keys generated by OpenDNSSEC to LDAP. @@ -334,7 +337,7 @@ def hex_set(s): out.add(0x%s % hexlify(i)) return out -def receive_zone_name(log): +def receive_systemd_command(log): fds = systemd.daemon.listen_fds() if len(fds) != 1: raise KeyError('Exactly one socket is expected.') 
@@ -345,52 +348,60 @@ def receive_zone_name(log): log.debug('accepted new connection %s', repr(conn)) # this implements cmdhandler_handle_cmd() logic -cmd = conn.recv(ODS_SE_MAXLINE) -cmd = cmd.strip() +cmd = conn.recv(ODS_SE_MAXLINE).strip() +log.debug('received command %s from systemd socket', cmd) +return (cmd, conn) -try: -if cmd == 'ipa-hsm-update': -msg = 'HSM synchronization finished, exiting.' -conn.send('%s\n' % msg) -log.info(msg) -sys.exit(0) +def parse_command(cmd): +Parse command to (exit code, message, zone_name) tuple. -elif not cmd.startswith('update '): -conn.send('Command %s is not supported by IPA; ' \ - 'HSM synchronization was finished and the command ' \ - 'will be ignored.\n' % cmd) -log.info('Ignoring unsupported command %s.', cmd) -sys.exit(0) +Exit code None means that execution should continue. + +if cmd == 'ipa-hsm-update': +return (0, +'HSM synchronization finished, exiting.', +None) -else: -zone_name = cmd2ods_zone_name(cmd) -conn.send('Update request for zone %s queued.\n' % zone_name) -log.info('Processing command: %s', cmd) +elif not cmd.startswith('update '): +return (0, +'Command %s is not supported by IPA; ' +'HSM synchronization was finished and the command ' +'will be ignored.\n' % cmd, +None) -finally: +else: +zone_name = cmd2ods_zone_name(cmd) +return (None, +'Update request for zone %s queued.\n' % zone_name, +zone_name) + +def send_systemd_reply(conn, reply): # Reply close connection early. # This is necessary to let Enforcer to unlock the ODS DB. 
+conn.send(reply) conn.shutdown(socket.SHUT_RDWR) conn.close() -return zone_name - def cmd2ods_zone_name(cmd): # ODS stores zone name without trailing period zone_name = cmd[7:].strip() if len(zone_name) 1 and zone_name[-1] == '.': zone_name = zone_name[:-1] return zone_name log = logging.getLogger('root') -# this service is socket-activated +# this service is usually socket-activated log.addHandler(systemd.journal.JournalHandler()) log.setLevel(level=logging.DEBUG) -if len(sys.argv) != 1: +if len(sys.argv) 2: print __doc__ sys.exit(1) +# program was likely invoked from console, log to it +elif len(sys.argv) == 2: +console = logging.StreamHandler() +log.addHandler(console) # IPA framework initialization ipalib.api.bootstrap(in_server=True, log=None) # no logging to file @@ -429,16 +440,29 @@ master2ldap_zone_keys_sync(log, ldapkeydb, localhsm) # command receive is delayed so the command will stay in socket queue until # the problem with LDAP server or HSM is fixed try: -zone_name = receive_zone_name(log) - +cmd, conn = receive_systemd_command(log) +if len(sys.argv) != 1: +log.critical('No additional parameters are accepted when ' + 'socket activation is
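Review bot: In `parse_command` the reply for `ipa-hsm-update` lost its line terminator: the removed code sent `'%s\n' % msg`, whereas the new tuple returns `'HSM synchronization finished, exiting.'` and `send_systemd_reply` writes it through `conn.send(reply)` unchanged, so the ods-signer client now gets that one reply without a trailing newline while the other two branches still end in `'\n'`. Either add it to that string, `'HSM synchronization finished, exiting.\n',`, or strip the newline from all three messages and append it once in `send_systemd_reply`. The removed branches also logged each outcome (`log.info(msg)` / `log.info('Ignoring unsupported command %s.', cmd)`); whether the caller of `parse_command` restores that logging cannot be seen here, since the hunk that uses these helpers is cut off at the end of the message. The command bytes read from the socket are logged verbatim with `%s` in the new `log.debug` line; since they come from the peer, formatting them with `repr(cmd)` as the existing `log.debug('accepted new connection %s', repr(conn))` does keeps control characters out of the journal.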
Re: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running.
On 06/26/2015 10:54 AM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5080 ACK -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0038] Add hint how to re-run IPA upgrade
On 06/26/2015 12:41 PM, Petr Spacek wrote: Hello, Add hint how to re-run IPA upgrade. ACK -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0039] Rate-limit while loop in SystemdService.is_active()
Hello, Rate-limit while loop in SystemdService.is_active(). Previously is_active() was frenetically calling systemctl is_active in tight loop which in fact made the process slower. -- Petr^2 Spacek From ce78ce4ab8ba28c4ca7183ea1415ea5e30839f9f Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 26 Jun 2015 15:55:12 +0200 Subject: [PATCH] Rate-limit while loop in SystemdService.is_active(). Previously is_active() was frenetically calling systemctl is_active in tight loop which in fact made the process slower. --- ipaplatform/base/services.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py index 24d7a73dfa9b4260be90603e460da3afa1747735..11fa27357e831fe237ea60ce0098bb32f92665c7 100644 --- a/ipaplatform/base/services.py +++ b/ipaplatform/base/services.py @@ -25,6 +25,7 @@ interacting with system services. import os import json +import time import ipalib from ipapython import ipautil @@ -53,6 +54,8 @@ wellknownports = { 'pki-tomcatd': [8080, 8443], # used if the incoming instance name is blank } +SERVICE_POLL_INTERVAL = 0.1 # seconds + class KnownServices(MagicDict): @@ -303,11 +306,13 @@ class SystemdService(PlatformService): ) except ipautil.CalledProcessError as e: if e.returncode == 3 and 'activating' in str(e.output): +time.sleep(SERVICE_POLL_INTERVAL) continue return False else: # activating if rcode == 3 and 'activating' in str(sout): +time.sleep(SERVICE_POLL_INTERVAL) continue # active if rcode == 0: -- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
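Review bot: Both added `time.sleep(SERVICE_POLL_INTERVAL)` calls sit in `continue` branches of a loop whose header is outside the hunk, and nothing visible bounds how long `is_active()` keeps polling while `systemctl` reports `activating`; if the unit never leaves that state the method now sleeps forever rather than spinning forever, which is friendlier to the CPU but still hangs the caller. If the loop has no deadline already, consider a backward-compatible `timeout=None` keyword on `is_active` checked against `time.time()` at the top of the loop, returning `False` once it is exceeded. If an unbounded wait is intentional, the method's docstring should say so, e.g. `Blocks, polling every SERVICE_POLL_INTERVAL seconds, while the unit is still activating.` A small style point: the two identical sleep-then-continue branches could be folded into one check after the try/except, but that is a matter of taste.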
[Freeipa-devel] [PATCH 0267] Fix broken indicies
Patch fixes wrong value for ntUserDomainId and ntUniqueId indicies. Patch attached. -- Martin Basti From a57fb68c3c8b234bff7df2febe5c0919c2abfdb4 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Fri, 26 Jun 2015 17:14:41 +0200 Subject: [PATCH] Fix indicies ntUserDomainId, ntUniqueId ntUserDomainId and ntUniqueId contained eq,pres index value, which is not valid. --- install/share/indices.ldif| 6 -- install/updates/20-indices.update | 14 ++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/install/share/indices.ldif b/install/share/indices.ldif index 448875dead0486c3fd12b144df96b5d27ee55dfe..8c4913b569eb8be740090e1665349608be4ae932 100644 --- a/install/share/indices.ldif +++ b/install/share/indices.ldif @@ -89,12 +89,14 @@ nsMatchingRule: integerOrderingMatch dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config changetype: modify replace: nsIndexType -nsIndexType: eq,pres +nsIndexType: eq +nsIndexType: pres dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config changetype: modify replace: nsIndexType -nsIndexType: eq,pres +nsIndexType: eq +nsIndexType: pres dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config changetype: add diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update index d65905e184587e375ab22757b984524650ba3c21..9c12e0cb804066feaa7e9e3f93a06018a8d43ddd 100644 --- a/install/updates/20-indices.update +++ b/install/updates/20-indices.update 
@@ -217,3 +217,17 @@ default:ObjectClass: nsIndex only:nsSystemIndex: false only:nsIndexType: eq only:nsIndexType: pres + +dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: ntUniqueId +default:ObjectClass: top +default:ObjectClass: nsIndex +only:nsIndexType: eq +only:nsIndexType: pres + +dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: ntUserDomainId +default:ObjectClass: top +default:ObjectClass: nsIndex +only:nsIndexType: eq +only:nsIndexType: pres -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
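Review bot: The two new entries set `cn`, `ObjectClass` and `nsIndexType` but no `nsSystemIndex`, whereas the neighbouring entry visible in the context carries `only:nsSystemIndex: false`; as far as I recall the `nsIndex` object class in 389-ds lists `nsSystemIndex` as a required attribute, so on an installation where these index entries do not already exist the `default:` add would presumably be rejected with an object class violation rather than creating the index. Adding `default:nsSystemIndex: false` after `default:ObjectClass: nsIndex` in both entries matches the surrounding definitions. The indices.ldif change in the same patch only modifies existing entries with `changetype: modify` and is not affected.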
Re: [Freeipa-devel] [PATCH] 878 topology: check topology in ipa-replica-manage del
On 06/26/2015 02:15 PM, Petr Vobornik wrote: On 06/17/2015 02:00 PM, Petr Vobornik wrote: ipa-replica-manage del now: - checks the whole current topology(before deletion), reports issues - simulates deletion of server and checks the topology again, reports issues Asks admin if he wants to continue with the deletion if any errors are found. https://fedorahosted.org/freeipa/ticket/4302 Patch with * changed error messages * removed question to force removal (--force is needed) attached. Fixed bug, in a broken topology, where there was a segment with removed replica, building a graph failed. -- Petr Vobornik From cd3ed940d809c4c859b6a9082d46cbd4d234f53a Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 17 Jun 2015 13:33:24 +0200 Subject: [PATCH] topology: check topology in ipa-replica-manage del ipa-replica-manage del now: - checks the whole current topology(before deletion), reports issues - simulates deletion of server and checks the topology again, reports issues Asks admin if he wants to continue with the deletion if any errors are found. https://fedorahosted.org/freeipa/ticket/4302 --- install/tools/ipa-replica-manage | 48 ++ ipalib/util.py | 51 ipapython/graph.py | 73 3 files changed, 166 insertions(+), 6 deletions(-) create mode 100644 ipapython/graph.py diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 57e30bc54ae030a4620660d1fa7539626721ebbd..71eb992f969666cadfb9e0025b177cb3696abddc 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -35,6 +35,7 @@ from ipaserver.plugins import ldap2 from ipapython import version, ipaldap from ipalib import api, errors, util from ipalib.constants import CACERT +from ipalib.util import create_topology_graph, get_topology_connection_errors from ipapython.ipa_log_manager import * from ipapython.dn import DN from ipapython.config import IPAOptionParser 
@@ -566,11 +567,46 @@ def check_last_link(delrepl, realm, dirman_passwd, force): return None def check_last_link_managed(api, masters, hostname, force): -# segments = api.Command.topologysegment_find(u'realm', sizelimit=0).get('result') -# replica_names = [m.single_value('cn') for m in masters] -# orphaned = [] -# TODO add proper graph traversing algorithm here -return None + +Check if 'hostname' is safe to delete. + +:returns: list of errors after future deletion + + +segments = api.Command.topologysegment_find(u'realm', sizelimit=0).get('result') +graph = create_topology_graph(masters, segments) + +# check topology before removal +orig_errors = get_topology_connection_errors(graph) +if orig_errors: +print Current topology is disconnected: +print Changes are not replicated to all servers and data are probably inconsistent. +print You need to add segments to reconnect the topology. +print_connect_errors(orig_errors) + +# after removal +graph.remove_vertex(hostname) +new_errors = get_topology_connection_errors(graph) +if new_errors: +print WARNING: Topology after removal of %s will be disconnected. % hostname +print Changes will not be replicated to all servers and data will become inconsistent. +print You need to add segments to prevent disconnection of the topology. +print Errors in topology after removal: +print_connect_errors(new_errors) + +if orig_errors or new_errors: +if not force: +sys.exit(Aborted) +else: +print Forcing removal of %s % hostname + +return new_errors + +def print_connect_errors(errors): +for error in errors: +print Topology does not allow server %s to replicate with servers: % error[0] +for srv in error[2]: +print %s % srv def enforce_host_existence(host, message=None): if host is not None and not ipautil.host_exists(host): 
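Review bot: `check_last_link_managed` inspects only the segments of one suffix, `api.Command.topologysegment_find(u'realm', sizelimit=0)`, so a deployment that also manages a CA suffix passes this check even when removing `hostname` disconnects the CA replication topology; if more than one suffix is managed, the suffix name should be a parameter or the function should loop over the managed suffixes and run both checks per suffix. `graph.remove_vertex(hostname)` is called unconditionally — if `hostname` is not among `masters` (a typo, or a server already removed), whether that raises depends on `Graph.remove_vertex` in ipapython/graph.py, which is outside the visible hunks, and an explicit membership check with a clear message would avoid a traceback in that case. `print_connect_errors` indexes `error[0]` and `error[2]` without saying what the tuple is; a one-line docstring such as `Print errors from get_topology_connection_errors(); each error is (server, ..., unreachable_servers).` with the real middle element named would help readers of this file. The same hunk appears in the earlier revision of this patch further down the page, where the same points apply.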
@@ -680,7 +716,7 @@ def del_master_managed(realm, hostname, options): masters = api.Command.server_find('', sizelimit=0)['result'] # 3. Check topology -orphans = check_last_link_managed(api, masters, hostname, options.force) +check_last_link_managed(api, masters, hostname, options.force) # 4. Check that we are not leaving the installation without CA and/or DNS #And pick new CA master. diff --git a/ipalib/util.py b/ipalib/util.py index 44478a2d1eed6d66e54949e0840e6d62310830c5..75797229b5800037e352ddf02257d0b4157743d0 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -42,6 +42,7 @@ from ipalib.text import _ from ipapython.ssh import SSHPublicKey from ipapython.dn import DN, RDN from ipapython.dnsutil import DNSName +from ipapython.graph import Graph def json_serialize(obj): @@ -780,3 +781,53 @@ def validate_idna_domain(value): if error:
[Freeipa-devel] [PATCH 0040] DNSSEC: Detect invalid master keys in LDAP
Hello, DNSSEC: Detect invalid master keys in LDAP. -- Petr^2 Spacek From 280c5a51dd5d048fda5eb0e349df93d795d60662 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 26 Jun 2015 16:04:00 +0200 Subject: [PATCH] DNSSEC: Detect invalid master keys in LDAP. --- daemons/dnssec/ipa-dnskeysync-replica | 2 ++ 1 file changed, 2 insertions(+) diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica index c2c4c2725a9c46db4db04894a326ddf40e254eab..c5f8131a1f18dafe45cdd62d52cf01194e352d3d 100755 --- a/daemons/dnssec/ipa-dnskeysync-replica +++ b/daemons/dnssec/ipa-dnskeysync-replica @@ -74,6 +74,7 @@ def ldap2replica_master_keys_sync(log, ldapkeydb, localhsm): log.debug(new master keys in LDAP HSM: %s, hex_set(new_keys)) for mkey_id in new_keys: mkey_ldap = ldapkeydb.master_keys[mkey_id] +assert mkey_ldap.wrapped_entries, Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute % hexlify(mkey_id) for wrapped_ldap in mkey_ldap.wrapped_entries: unwrapping_key = find_unwrapping_key(log, localhsm, wrapped_ldap.single_value['ipaWrappingKey']) @@ -140,6 +141,7 @@ log.setLevel(level=logging.DEBUG) PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host)) log.debug('Kerberos principal: %s', PRINCIPAL) ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysync-replica.ccache') +ipautil.run(['id']) ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB, ccache_filename) os.environ['KRB5CCNAME'] = ccache_filename log.debug('Got TGT') -- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
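Review bot: The new check in `ldap2replica_master_keys_sync` is an `assert`, which Python drops under `-O`, so the condition the commit wants to detect — a master key in LDAP whose `ipaSecretKeyRefObject` points at no wrapped key material — would then pass silently and the following `for` loop simply does nothing for that key; prefer an explicit `if not mkey_ldap.wrapped_entries: raise ValueError('Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute' % hexlify(mkey_id))`. The second hunk adds `ipautil.run(['id'])` immediately before `kinit_keytab`; nothing uses its result, so it reads like leftover debugging that spawns a process on every daemon run, and the resend of this patch later in the thread drops that line, which confirms the impression. The assert line is repeated unchanged in that resend, where the same remark applies.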
Re: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running.
Petr Vobornik wrote: On 06/26/2015 10:54 AM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5080 ACK Is there a reason we don't simply start certmonger and quit if it fails to start? Wouldn't that be friendlier? rob -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements
Hello, attached patches implement a portion of improvements for ticket https://fedorahosted.org/freeipa/ticket/4657 It came to my mind that it will be better to review them at once - the previous threads with my patches 40 and 41 can be abandoned. I'm sorry for the mess. -- Petr^2 Spacek From 999017d75f3044bd9abf6d8c2a4a70cede77886f Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 26 Jun 2015 16:04:00 +0200 Subject: [PATCH] DNSSEC: Detect invalid master keys in LDAP. This should never happen ... https://fedorahosted.org/freeipa/ticket/4657 --- daemons/dnssec/ipa-dnskeysync-replica | 1 + 1 file changed, 1 insertion(+) diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica index c2c4c2725a9c46db4db04894a326ddf40e254eab..551c2f21d5b85b76a7281f719ce722a6c5830cf7 100755 --- a/daemons/dnssec/ipa-dnskeysync-replica +++ b/daemons/dnssec/ipa-dnskeysync-replica @@ -74,6 +74,7 @@ def ldap2replica_master_keys_sync(log, ldapkeydb, localhsm): log.debug(new master keys in LDAP HSM: %s, hex_set(new_keys)) for mkey_id in new_keys: mkey_ldap = ldapkeydb.master_keys[mkey_id] +assert mkey_ldap.wrapped_entries, Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute % hexlify(mkey_id) for wrapped_ldap in mkey_ldap.wrapped_entries: unwrapping_key = find_unwrapping_key(log, localhsm, wrapped_ldap.single_value['ipaWrappingKey']) -- 2.1.0 From c927f884eaed11506587c6dbb82ccd7e07896987 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 26 Jun 2015 17:39:47 +0200 Subject: [PATCH] DNSSEC: Accept ipa-ods-exporter commands from command line. Previously only systemd socket activation was supported. Ability to call the command directly is handy in special cases, e.g. for debugging or moving key master role from one server to another. https://fedorahosted.org/freeipa/ticket/4657 --- daemons/dnssec/ipa-ods-exporter | 88 ++--- 1 file changed, 56 insertions(+), 32 deletions(-) 
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter index 913b418af2806e2660a7db221e06394b501bbb18..c6de5acbd9966a0cf5bb6a0c35c54c79aec91604 100755 --- a/daemons/dnssec/ipa-ods-exporter +++ b/daemons/dnssec/ipa-ods-exporter @@ -9,6 +9,9 @@ This program uses the same socket and protocol as original signerd and should be activated via systemd socket activation using ods-signer command line utility. +Alternativelly, it can be called directly and a command can be supplied as +first command line argument. + Purpose of this replacement is to upload keys generated by OpenDNSSEC to LDAP. @@ -334,7 +337,7 @@ def hex_set(s): out.add(0x%s % hexlify(i)) return out -def receive_zone_name(log): +def receive_systemd_command(log): fds = systemd.daemon.listen_fds() if len(fds) != 1: raise KeyError('Exactly one socket is expected.') 
@@ -345,52 +348,60 @@ def receive_zone_name(log): log.debug('accepted new connection %s', repr(conn)) # this implements cmdhandler_handle_cmd() logic -cmd = conn.recv(ODS_SE_MAXLINE) -cmd = cmd.strip() +cmd = conn.recv(ODS_SE_MAXLINE).strip() +log.debug('received command %s from systemd socket', cmd) +return (cmd, conn) -try: -if cmd == 'ipa-hsm-update': -msg = 'HSM synchronization finished, exiting.' -conn.send('%s\n' % msg) -log.info(msg) -sys.exit(0) +def parse_command(cmd): +Parse command to (exit code, message, zone_name) tuple. -elif not cmd.startswith('update '): -conn.send('Command %s is not supported by IPA; ' \ - 'HSM synchronization was finished and the command ' \ - 'will be ignored.\n' % cmd) -log.info('Ignoring unsupported command %s.', cmd) -sys.exit(0) +Exit code None means that execution should continue. + +if cmd == 'ipa-hsm-update': +return (0, +'HSM synchronization finished, exiting.', +None) -else: -zone_name = cmd2ods_zone_name(cmd) -conn.send('Update request for zone %s queued.\n' % zone_name) -log.info('Processing command: %s', cmd) +elif not cmd.startswith('update '): +return (0, +'Command %s is not supported by IPA; ' +'HSM synchronization was finished and the command ' +'will be ignored.\n' % cmd, +None) -finally: +else: +zone_name = cmd2ods_zone_name(cmd) +return (None, +'Update request for zone %s queued.\n' % zone_name, +zone_name) + +def send_systemd_reply(conn, reply): # Reply close connection early. # This is necessary to let Enforcer to unlock the ODS DB. +conn.send(reply + '\n')
[Freeipa-devel] Issues initializing api
If I try to create a custom api with something like: myapi = create_api(mode=None) myapi.finalize() I get back a stacktrace in the aci plugin. The aci plugin assumes the general 'api' has already been initialized and directly dereferences api.env.container_user and other stuff. Do I always have to api.finalize() before creating new api objects? Is there a way to load only the env (all I am really interested in) without loading any plugin? Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 879 Verify replication topology for a suffix
On 06/17/2015 04:11 PM, Petr Vobornik wrote: On 06/17/2015 02:15 PM, Ludwig Krispenz wrote: On 06/17/2015 02:04 PM, Petr Vobornik wrote: With patch 878 topology: check topology in ipa-replica-manage del we can use the same logic for POC of ipa topologysuffix-verify command. Checks done: 1. check if the topology is not disconnected. In other words if there are replication paths between all servers. 2. check if servers don't have more than a recommended number of replication agreements (which was set to 4) I'm not sure what else we want to test but these two seemed as low hanging fruit. don't know how hard it is, but I had thought of calculating something like a degree of connectivity, eg to find single points of failure. In a topology A -- B -- C -- D, if B or C are down (temporariliy) the topology is disconnected. If extending to A -- B -- C -- D -- A one server con be taken offline, so a brute force would be to check for each server if it could be removed The original POC(attached) of the graph traversal did such brute force check(only one server removed at a time). In other words, it's easy. Computing indegree and outdegree of each node is easy as well. Additional checks can be also added later. https://fedorahosted.org/freeipa/ticket/4302 Rebased patch attached. No new check was implemented. -- Petr Vobornik From 4fe4009263d8890cd5872e7a4f19923bdf3351d6 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 17 Jun 2015 13:50:32 +0200 Subject: [PATCH] Verify replication topology for a suffix Checks done: 1. check if the topology is not disconnected. In other words if there are replication paths between all servers. 2. check if servers don't have more than a recommended number of replication agreements(4) https://fedorahosted.org/freeipa/ticket/4302 --- API.txt| 5 +++ VERSION| 4 +-- ipalib/constants.py| 4 +++ ipalib/plugins/topology.py | 83 ++ 4 files changed, 94 insertions(+), 2 deletions(-) 
diff --git a/API.txt b/API.txt index 3bcb3bdd24ada4e513f6263fc32a2953c18fc142..bccebe55da8a785cbb6ca782904d7523c4a9322f 100644 --- a/API.txt +++ b/API.txt @@ -4911,6 +4911,11 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: topologysuffix_verify +args: 1,1,1 +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: trust_add args: 1,13,3 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True) diff --git a/VERSION b/VERSION index 224d34925685c8ecb6f2db3672d34c40621dc9dc..2f884ff73afad57f35f06ce279add5c078073353 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=135 -# Last change: jcholast - User life cycle: Make user-del flags CLI-specific +IPA_API_VERSION_MINOR=136 +# Last change: pvoborni: add topologysuffix-verify command diff --git a/ipalib/constants.py b/ipalib/constants.py index 330f9df74e604d9875a7a9624312ea8944d5..a062505c349436332d430af4fd29c76d20c85343 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -170,6 +170,10 @@ DEFAULT_CONFIG = ( # KRA plugin ('kra_host', FQDN), # Set in Env._finalize_core() +# Topology plugin +('recommended_max_agmts', 4), # Recommended maximum number of replication + # agreements + # Special CLI: ('prompt_all', False), ('interactive', True), diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py index 494d3bb0a564e5c8ef3d7c2af50dbf1e83a36e1f..49060d672b6522277014b0b9c1e0ecb92e091077 100644 --- a/ipalib/plugins/topology.py +++ b/ipalib/plugins/topology.py 
@@ -10,6 +10,7 @@ from ipalib.plugins.baseldap import ( LDAPRetrieve) from ipalib import _, ngettext from ipalib import output +from ipalib.util import create_topology_graph, get_topology_connection_errors from ipapython.dn import DN @@ -401,3 +402,85 @@ class topologysuffix_mod(LDAPUpdate): @register() class topologysuffix_show(LDAPRetrieve): __doc__ = _('Show managed suffix.') + + +@register() +class topologysuffix_verify(LDAPQuery): +__doc__ = _(''' +Verify replication topology for suffix. + +Checks done: + 1. check if a topology is not disconnected. In other words if there are + replication paths between all servers. + 2. check if servers don't have more than the recommended number of + replication agreements
Re: [Freeipa-devel] [PATCH] 878 topology: check topology in ipa-replica-manage del
On 06/17/2015 02:00 PM, Petr Vobornik wrote: ipa-replica-manage del now: - checks the whole current topology(before deletion), reports issues - simulates deletion of server and checks the topology again, reports issues Asks admin if he wants to continue with the deletion if any errors are found. https://fedorahosted.org/freeipa/ticket/4302 Patch with * changed error messages * removed question to force removal (--force is needed) attached. -- Petr Vobornik From c14800c37744bf2df0adb4f8081698868082f2f9 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 17 Jun 2015 13:33:24 +0200 Subject: [PATCH] topology: check topology in ipa-replica-manage del ipa-replica-manage del now: - checks the whole current topology(before deletion), reports issues - simulates deletion of server and checks the topology again, reports issues Asks admin if he wants to continue with the deletion if any errors are found. https://fedorahosted.org/freeipa/ticket/4302 --- install/tools/ipa-replica-manage | 48 ipalib/util.py | 48 ipapython/graph.py | 69 3 files changed, 159 insertions(+), 6 deletions(-) create mode 100644 ipapython/graph.py diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 57e30bc54ae030a4620660d1fa7539626721ebbd..71eb992f969666cadfb9e0025b177cb3696abddc 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -35,6 +35,7 @@ from ipaserver.plugins import ldap2 from ipapython import version, ipaldap from ipalib import api, errors, util from ipalib.constants import CACERT +from ipalib.util import create_topology_graph, get_topology_connection_errors from ipapython.ipa_log_manager import * from ipapython.dn import DN from ipapython.config import IPAOptionParser 
@@ -566,11 +567,46 @@ def check_last_link(delrepl, realm, dirman_passwd, force): return None def check_last_link_managed(api, masters, hostname, force): -# segments = api.Command.topologysegment_find(u'realm', sizelimit=0).get('result') -# replica_names = [m.single_value('cn') for m in masters] -# orphaned = [] -# TODO add proper graph traversing algorithm here -return None + +Check if 'hostname' is safe to delete. + +:returns: list of errors after future deletion + + +segments = api.Command.topologysegment_find(u'realm', sizelimit=0).get('result') +graph = create_topology_graph(masters, segments) + +# check topology before removal +orig_errors = get_topology_connection_errors(graph) +if orig_errors: +print Current topology is disconnected: +print Changes are not replicated to all servers and data are probably inconsistent. +print You need to add segments to reconnect the topology. +print_connect_errors(orig_errors) + +# after removal +graph.remove_vertex(hostname) +new_errors = get_topology_connection_errors(graph) +if new_errors: +print WARNING: Topology after removal of %s will be disconnected. % hostname +print Changes will not be replicated to all servers and data will become inconsistent. +print You need to add segments to prevent disconnection of the topology. +print Errors in topology after removal: +print_connect_errors(new_errors) + +if orig_errors or new_errors: +if not force: +sys.exit(Aborted) +else: +print Forcing removal of %s % hostname + +return new_errors + +def print_connect_errors(errors): +for error in errors: +print Topology does not allow server %s to replicate with servers: % error[0] +for srv in error[2]: +print %s % srv def enforce_host_existence(host, message=None): if host is not None and not ipautil.host_exists(host): 
@@ -680,7 +716,7 @@ def del_master_managed(realm, hostname, options):
 masters = api.Command.server_find('', sizelimit=0)['result']
 # 3. Check topology
-orphans = check_last_link_managed(api, masters, hostname, options.force)
+check_last_link_managed(api, masters, hostname, options.force)
 # 4. Check that we are not leaving the installation without CA and/or DNS
 #And pick new CA master.
diff --git a/ipalib/util.py b/ipalib/util.py
index 44478a2d1eed6d66e54949e0840e6d62310830c5..6f7d4a67174aa2f3df8a92f1a25d20a16d3b3f03 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -42,6 +42,7 @@ from ipalib.text import _
 from ipapython.ssh import SSHPublicKey
 from ipapython.dn import DN, RDN
 from ipapython.dnsutil import DNSName
+from ipapython.graph import Graph
 def json_serialize(obj):
@@ -780,3 +781,50 @@ def validate_idna_domain(value):
 if error:
 raise ValueError(error)
+
+
+def create_topology_graph(masters, segments):
+
+Create an oriented graph from topology defined by masters and
Re: [Freeipa-devel] [PATCH] Use Exception class instead of StandardError
On 10/06/15 00:59, Niranjan wrote: Niranjan wrote: Greetings, Please find the modified patch for ipapython/adminutil.py. I have run few tests manually like running ipa-server-install as non-root user or provide --quiet and --verbose to see if it raises ScriptError properly. Also i checked by running ipa-server-install and using CTRL-C to break and see if the KeyboardInterrupt is properly caught. Please let me know your views on this. Regards Niranjan ACK for IPA 4.3, I don't feel brave enough to push it into IPA 4.2. Also, would be nice to have migrated all occurrences of StandardError to Exception, before push. Martin^2 Niranjan wrote: Greetings, I would like to present patch for replacing StandardError exception with Exception class in ipapython/adminutil.py. Also replacing BaseException class with Exception class. Though the use of StandardError is many places. I would like to start with ipapython/adminutil.py This is my first patch. Please let me know if my approach on this is correct. Could anyone have a look at this please. Regards Niranjan From 018312f76952ea86c8c6e2396657e0531d2d61ba Mon Sep 17 00:00:00 2001 From: Niranjan Mallapadi mrniran...@redhat.com Date: Mon, 1 Jun 2015 09:41:05 +0530 Subject: [PATCH] Use Exception class instead of BaseException 1. Replace BaseException with Exception class. 2. Remove StandardError and use Exception class. StandError is deprecated (Python3) 3 .From python3.0 use of , is not recommended, instead use as keyword (PEP 3110) Signed-off-by: Niranjan Mallapadi mrniran...@redhat.com --- ipapython/admintool.py | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/ipapython/admintool.py b/ipapython/admintool.py index d55bd18499ac427db8adc0c04096bc2aabdc2bbd..891232b9f387182ac5dbfb279a6f666805261ba1 100644 --- a/ipapython/admintool.py +++ b/ipapython/admintool.py 
@@ -32,7 +32,7 @@ from ipapython import config
 from ipapython import ipa_log_manager
-class ScriptError(StandardError):
+class ScriptError(Exception):
 An exception that records an error message and a return value
 def __init__(self, msg='', rval=1):
@@ -169,13 +169,20 @@ class AdminTool(object):
 self.ask_for_options()
 self.setup_logging()
 return_value = self.run()
-except BaseException, exception:
+except Exception as exception:
 traceback = sys.exc_info()[2]
 error_message, return_value = self.handle_error(exception)
 if return_value:
 self.log_failure(error_message, return_value, exception, traceback)
 return return_value
+except SystemExit as exception:
+traceback = sys.exc_info()[2]
+error_message, return_value = self.handle_error(exception)
+if return_value:
+self.log_failure(error_message, return_value, exception,
+traceback)
+return return_value
 self.log_success()
 return return_value
-- 1.9.3 Removed an attachment of 322 bytes with the following headers: Content-Type: application/pgp-signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
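Review bot: Replacing `except BaseException` with `except Exception` plus a separate `except SystemExit` branch narrows what reaches `handle_error`: `KeyboardInterrupt` (and `GeneratorExit`) were caught by the old clause and now propagate out of this method unless a caller handles them, so a Ctrl-C during `self.run()` no longer goes through `log_failure` here; the mail says Ctrl-C was tested manually, so please confirm this is the intended behaviour rather than an accident of the narrowing. The new `SystemExit` branch repeats the `Exception` branch line for line; `except (Exception, SystemExit) as exception:` keeps a single copy of the body with the same behaviour, since `handle_error` receives the same object either way. If the two branches are meant to stay separate so they can diverge later, a one-line comment saying so would stop the next reader from merging them. The enclosing `try` starts before this hunk.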
Re: [Freeipa-devel] [PATCH 0016] clear start attr from segment after initialization
On 06/22/2015 11:35 AM, Ludwig Krispenz wrote: fix for ticket #5065, removing start - after online init completed - additionally check after startup Hi Ludwig, The fix looks good to me. I have just one question regarding ipa_topo_util_reset_init. It resets 'nsds5BeginReplicaRefresh' on the condition that segment-[left,right]-target=localhost. I would expect it to reset the flag on the master side, and so to test 'segment-[left,right]-origin=localhost'. thanks thierry -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 881 add python-setuptools to requires
On 19/06/15 14:06, Petr Vobornik wrote: Commit 9f049ca14403f3696d54d186e6b1b15181f055df introduced dependency on python-setuptools on line: from pkg_resources import parse_version This dependency is missing on *minimal* installation and then ipa-server-upgrade fails on rpm install/upgrade. With: Installing : freeipa-server-4.2.0.alpha1-0.fc22.x86_64 213/213 Traceback (most recent call last): File /usr/sbin/ipa-server-upgrade, line 10, in module from ipaserver.install.ipa_server_upgrade import ServerUpgrade File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py, line 10, in module from ipaserver.install import installutils File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 42, in module from ipapython import ipautil, sysrestore, admintool, dogtag, version File /usr/lib/python2.7/site-packages/ipapython/sysrestore.py, line 35, in module from ipaplatform.tasks import tasks File /usr/lib/python2.7/site-packages/ipaplatform/tasks.py, line 26, in module from ipaplatform.redhat.tasks import RedHatTaskNamespace File /usr/lib/python2.7/site-packages/ipaplatform/redhat/tasks.py, line 46, in module from ipaplatform.base.tasks import BaseTaskNamespace File /usr/lib/python2.7/site-packages/ipaplatform/base/tasks.py, line 28, in module from pkg_resources import parse_version ImportError: No module named pkg_resources ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0038] Add hint how to re-run IPA upgrade
Hello, Add hint how to re-run IPA upgrade. -- Petr^2 Spacek From e2202b998038fd0bb6dc801b019f988d3c12f30a Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 26 Jun 2015 12:40:56 +0200 Subject: [PATCH] Add hint how to re-run IPA upgrade. --- freeipa.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8324bd21b3fa7be56cc2f0121269e6902c6ae307..d152f1edaaffe0c328b7c8e26f84f5e6b4b85ae9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -520,7 +520,7 @@ fi
 %posttrans server
 # This must be run in posttrans so that updates from previous
 # execution that may no longer be shipped are not applied.
-/usr/sbin/ipa-server-upgrade --quiet /dev/null || :
+/usr/sbin/ipa-server-upgrade --quiet /dev/null || echo IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
 # Restart IPA processes. This must be also run in postrans so that plugins
 # and software is in consistent state
-- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
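Review bot: The failure hint is written with a bare `echo`, so it goes to the scriptlet's stdout, which package managers commonly buffer or hide during a transaction; redirecting it with `echo "..." >&2` makes it more likely to reach the administrator and still leaves the scriptlet's exit status at 0, as `|| :` did. The redirection between `--quiet` and `/dev/null` appears to have been lost in this rendering of the hunk, so I assume the intent there is unchanged from the line being replaced.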