Re: [Freeipa-devel] Locations design v2: LDAP schema & user interface

2016-02-18 Thread Petr Spacek
On 4.2.2016 18:21, Petr Spacek wrote:
> On 3.2.2016 18:41, Petr Spacek wrote:
>> Hello,
>>
>> I've updated the design page
>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism
>>
>> Namely it now contains 'Version 2'.
> 
> Okay, here is the idea how we can make it flexible:
> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#Implementation

Hello,

I'm thinking about LDAP schema for DNS locations.

Purpose
===
* Allow admins to define any number of locations.
* 1 DNS server advertises at most 1 location.
* 1 location generally contains set of services with different priorities and
weights (in DNS SRV terms).
* Express server & service priority for each defined location in a way which
is granular and flexible and at the same time easy to manage.


Proposal

a) Container for locations
--
cn=locations,cn=ipa,cn=etc,dc=example,dc=com


b) 1 location
-
Attributes:
2.16.840.1.113730.3.8.5.32 idnsLocationMember
Server/service assigned to a DNS Location. Usually used to define 'main'
servers for that location. Should it point to service DNs to be sure we have
smooth upgrade to containers?

2.16.840.1.113730.3.8.5.33 idnsBackupLocation
Pointer to another location. Sucks in all servers from that location as one
group with the same priority. Easy to use with _default location where all
'other' servers are used as backup.

These two attributes use sub-type priority and relativeweight.
This is the only way I could express all the information without need for
separate objects.


Object classes:
2.16.840.1.113730.3.8.6.7  idnsLocation
MAY ( idnsLocationMember $ idnsBackupLocation )


1st example:
Location CZ:
- servers czserver1, czserver2
- priority=1
- relative weight = 50 % each
- if both CZ servers fail, use servers in location UK as backup (priority 2)
- if all CZ and UK servers fail, use servers in location US as backup
(priority 3) - servers on the other continent are used only as option of last
resort
DN: cn=cz,cn=locations,cn=ipa,cn=etc,dc=example,dc=com
objectClass: idnsLocation
idnsLocationMember;priority1;relativeweight50:
cn=czserver1,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
idnsLocationMember;priority1;relativeweight50:
cn=czserver2,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
idnsBackupLocation;priority2: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com
idnsBackupLocation;priority3: cn=us,cn=locations,cn=ipa,cn=etc,dc=example,dc=com

Location UK:
- servers ukserver1, ukserver2
- priority=1
- server ukserver1 is a new beefy machine so it can handle 3 times more load
than ukserver2, thus relative weights 75 % and 25 %
- if both UK servers fail, use servers in location CZ as backup (priority 2)
- if all CZ and UK servers fail, use servers in location US as backup
(priority 3) - servers on the other continent are used only as option of last
resort
DN: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com
objectClass: idnsLocation
idnsLocationMember;priority1;relativeweight3:
cn=ukserver1,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
idnsLocationMember;priority1;relativeweight1:
cn=ukserver2,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
idnsBackupLocation;priority2: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com
idnsBackupLocation;priority3: cn=us,cn=locations,cn=ipa,cn=etc,dc=example,dc=com

Location US:
- servers usserver1, usserver2
- priority=1
- relative weight = 50 % each
- if both US servers fail, use servers in location CZ and UK as backup
(priority 2) - it is over ocean anyway, so US clients will not make any
difference between CZ and UK locations
DN: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com
objectClass: idnsLocation
idnsLocationMember;priority1;relativeweight50:
cn=ukserver1,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
idnsLocationMember;priority1;relativeweight50:
cn=ukserver2,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
idnsBackupLocation;priority2: cn=cz,cn=locations,cn=ipa,cn=etc,dc=example,dc=com
idnsBackupLocation;priority2: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com


Resulting DNS SRV records (generated by the FreeIPA framework). Please note that
numbers in SRV records matter only relatively. Priorities work as a group;
weights are relative only inside the group. The absolute values above are used
only in the algorithm which generates SRV records:
Location CZ:
_kerberos._udp SRV 1 50 czserver1
_kerberos._udp SRV 1 50 czserver2
_kerberos._udp SRV 2 75 ukserver1
_kerberos._udp SRV 2 25 ukserver1
_kerberos._udp SRV 3 50 usserver1
_kerberos._udp SRV 3 50 usserver2

Location UK:
_kerberos._udp SRV 1 75 ukserver1
_kerberos._udp SRV 1 25 ukserver1
_kerberos._udp SRV 2 50 czserver1
_kerberos._udp SRV 2 50 czserver2
_kerberos._udp SRV 3 50 usserver1
_kerberos._udp SRV 3 50 usserver2

Location US:
_kerberos._udp SRV 1 50 usserver1
_kerberos._udp SRV 1 50 usserver2
_kerberos._udp SRV 2 250 czserver1
_kerberos._udp SRV 2 250 czserver2
_kerberos._udp SRV 2 375 ukserver1
_kerberos._udp SRV 2 125 ukserver1


2nd example:
- 10 locations 
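
The generation step sketched above, written out as an added example. This is
not FreeIPA code and not part of Petr's proposal; it only models the schema
he describes (members with priority and relative weight, backup locations with
a priority). Two things are assumptions of the example rather than statements
from the mail: a backup location is pulled in one level deep only (its own
backups are not followed), and within one priority group every contributing
location gets an equal share of an arbitrary scale (WEIGHT_SCALE), which is
then split among that location's servers by relative weight; with that rule
the US priority-2 group comes out as 250/250/375/125, as in the mail. The
example also validates the definitions before emitting anything: weights and
priorities are checked against the 16-bit range of RFC 2782, and a location
that names itself as its own backup is rejected (the UK entry as pasted above,
with idnsBackupLocation;priority2 pointing at cn=uk, would trip this check).

```python
"""Generate DNS SRV records from location definitions of the kind proposed
above (idnsLocationMember with priority/relativeweight sub-types and
idnsBackupLocation with a priority sub-type).

Added example; this is not FreeIPA code.  Assumptions: backup locations are
pulled in one level deep only (a backup's own backups are not followed), and
within one priority group every contributing location gets an equal share of
WEIGHT_SCALE, split among that location's servers by relative weight.
RFC 2782 says SRV weights are relative within a priority, so the scale itself
is arbitrary.
"""
from collections import defaultdict
from dataclasses import dataclass, field

WEIGHT_SCALE = 1000   # per priority group; any positive integer works
SRV_MAX = 65535       # RFC 2782: priority and weight are 16-bit unsigned


class LocationError(ValueError):
    """Raised for definitions that cannot produce sane SRV data."""


@dataclass
class Location:
    name: str
    members: list = field(default_factory=list)  # (server, priority, relweight)
    backups: list = field(default_factory=list)  # (location name, priority)


def validate(locations):
    for loc in locations.values():
        if not loc.members:
            raise LocationError("%s: location has no members" % loc.name)
        for server, prio, relweight in loc.members:
            if not 0 <= prio <= SRV_MAX or relweight <= 0:
                raise LocationError("%s: bad priority/weight for %s"
                                    % (loc.name, server))
        for backup, prio in loc.backups:
            if backup == loc.name:
                # a location naming itself as backup would list every member
                # a second time at another priority; reject it instead
                raise LocationError("%s: lists itself as backup" % loc.name)
            if backup not in locations:
                raise LocationError("%s: unknown backup location %s"
                                    % (loc.name, backup))
            if not 0 <= prio <= SRV_MAX:
                raise LocationError("%s: bad backup priority %d"
                                    % (loc.name, prio))


def srv_records(locations, name, service="_kerberos._udp"):
    """Return [(service, priority, weight, target), ...] for one location."""
    validate(locations)
    loc = locations[name]
    # priority -> list of groups; each group is [(server, relweight), ...]
    # from one source location, and each group gets an equal share
    groups = defaultdict(list)
    own = defaultdict(list)
    for server, prio, relweight in loc.members:
        own[prio].append((server, relweight))
    for prio, servers in own.items():
        groups[prio].append(servers)
    for backup, prio in loc.backups:
        # the whole backup location is one group at the backup's priority;
        # its members' own priorities are ignored, only their weights matter
        groups[prio].append([(s, w) for s, _p, w in locations[backup].members])

    records = []
    for prio in sorted(groups):
        share = WEIGHT_SCALE // len(groups[prio])
        for servers in groups[prio]:
            total = sum(w for _s, w in servers)
            for server, relweight in servers:
                weight = min(share * relweight // total, SRV_MAX)
                records.append((service, prio, weight, server))
    return records


def example_locations():
    """The CZ/UK/US layout from the mail above (constructed sample data;
    the UK entry's backups are CZ and US, as the prose describes)."""
    return {
        "cz": Location("cz", [("czserver1", 1, 50), ("czserver2", 1, 50)],
                       [("uk", 2), ("us", 3)]),
        "uk": Location("uk", [("ukserver1", 1, 3), ("ukserver2", 1, 1)],
                       [("cz", 2), ("us", 3)]),
        "us": Location("us", [("usserver1", 1, 50), ("usserver2", 1, 50)],
                       [("cz", 2), ("uk", 2)]),
    }


if __name__ == "__main__":
    for loc in ("cz", "uk", "us"):
        print("Location %s:" % loc.upper())
        for svc, prio, weight, target in srv_records(example_locations(), loc):
            print("  %s SRV %d %d %s" % (svc, prio, weight, target))
```

Because the scale is per group, the two CZ servers come out as 500/500 rather
than 50/50; clients treat those identically. What the example does show is
that the merge rule has to be fixed before the schema is: if the US entry's
two priority-2 backups were instead concatenated without the equal-share
step, the UK servers (relative weights 3 and 1) would get a tiny fraction of
the traffic next to the CZ servers' 50 and 50.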

Re: [Freeipa-devel] [PATCH] 0004 webui: topology graph: Add pan and zoom functionality

2016-02-18 Thread Petr Vobornik

On 02/03/2016 03:37 PM, Pavel Vomacka wrote:

Hello,

I'm sending a patch for review. This patch adds pan and zoom
functionality to the topology graph. The page remembers old position and
size of the graph. So, it keeps these settings after refreshing the page.

The patch is in the attachment.

Pavel Vomacka




1. if node.fixed should be number then, we can store number in local 
storage as well(only as string, e.g. num + '') instead of 'true' so that 
we make the logic more straightforward/consistent.


2.  following lines are too long: .attr("transform", "translate(" + 
d3.event.translate + ")scale(" + d3.event.scale + ")");


.attr('transform', 'translate(' + trans.translate + ')scale(' + 
trans.scale + ')');


3. 'svg_' prefix for translate and scale keys is too generic, would use 
e.g. topo_graph


--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-18 Thread Timo Aaltonen
18.02.2016, 18:51, Timo Aaltonen kirjoitti:
> 18.02.2016, 18:41, Timo Aaltonen kirjoitti:
>> 18.02.2016, 13:33, Martin Kosek kirjoitti:
>>> On 02/18/2016 10:10 AM, David Kupka wrote:
 From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
 From: Timo Aaltonen 
 Date: Tue, 19 Jan 2016 12:37:56 +0100
 Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.

 The scripts in this directory are simple python scripts, nothing arch-specific
 in them. Having them under libexec would simplify the code a bit too, since
 there would be no need to worry about lib vs lib64 (which also cause trouble
 on Debian).
>>>
>>> Isn't this the patch which moves our scripts in different location and thus
>>> breaks existing certmonger tracking requests *after upgrade*?
>>
>> Yes, there are two solutions that I can think of
>>
>> - add symlinks /usr/lib{,64}/certmonger -> /usr/libexec/certmonger
>> - modify existing tracking requests to use the new path
>>
>> the first might suffice with a transition period?
> 
> also, I assumed certmonger would move its own scripts.. if not, just
> symlink the ipa ones not the whole dir.

Riiight, especially as the certmonger helpers are native binaries, so
those won't move :)

I hope to continue on porting 4.3 soon and revisit this again..

-- 
t



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-18 Thread Timo Aaltonen
18.02.2016, 18:41, Timo Aaltonen kirjoitti:
> 18.02.2016, 13:33, Martin Kosek kirjoitti:
>> On 02/18/2016 10:10 AM, David Kupka wrote:
>>> From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
>>> From: Timo Aaltonen 
>>> Date: Tue, 19 Jan 2016 12:37:56 +0100
>>> Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.
>>>
>>> The scripts in this directory are simple python scripts, nothing 
>>> arch-specific
>>> in them. Having them under libexec would simplify the code a bit too, since
>>> there would be no need to worry about lib vs lib64 (which also cause trouble
>>> on Debian).
>>
>> Isn't this the patch which moves our scripts in different location and thus
>> breaks existing certmonger tracking requests *after upgrade*?
> 
> Yes, there are two solutions that I can think of
> 
> - add symlinks /usr/lib{,64}/certmonger -> /usr/libexec/certmonger
> - modify existing tracking requests to use the new path
> 
> the first might suffice with a transition period?

also, I assumed certmonger would move its own scripts.. if not, just
symlink the ipa ones not the whole dir.


-- 
t



Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-18 Thread Timo Aaltonen
18.02.2016, 13:33, Martin Kosek kirjoitti:
> On 02/18/2016 10:10 AM, David Kupka wrote:
>> From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
>> From: Timo Aaltonen 
>> Date: Tue, 19 Jan 2016 12:37:56 +0100
>> Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.
>>
>> The scripts in this directory are simple python scripts, nothing 
>> arch-specific
>> in them. Having them under libexec would simplify the code a bit too, since
>> there would be no need to worry about lib vs lib64 (which also cause trouble
>> on Debian).
> 
> Isn't this the patch which moves our scripts in different location and thus
> breaks existing certmonger tracking requests *after upgrade*?

Yes, there are two solutions that I can think of

- add symlinks /usr/lib{,64}/certmonger -> /usr/libexec/certmonger
- modify existing tracking requests to use the new path

the first might suffice with a transition period?

-- 
t



Re: [Freeipa-devel] [PATCH] 947 webui: use API call ca_is_enabled instead of enable_ra env variable.

2016-02-18 Thread Pavel Vomacka



On 02/18/2016 03:56 PM, Petr Vobornik wrote:

On 01/20/2016 07:02 PM, Petr Vobornik wrote:

To be consistent with backend code.

https://fedorahosted.org/freeipa/ticket/5622




bump for review


Ack.

--
Pavel^3 Vomacka



Re: [Freeipa-devel] [PATCH] 946 webui: fixed showing of success message after password change on login

2016-02-18 Thread Pavel Vomacka



On 02/18/2016 03:56 PM, Petr Vobornik wrote:

On 01/20/2016 06:42 PM, Petr Vobornik wrote:
similar issue and cause as in 
https://fedorahosted.org/freeipa/ticket/5567


root cause is that binding triggers validation which clears messages in
validation summary. Maybe it could be refactored in a future to not use
  the same validation summary field for API calls and fields.

If you think it is actually ticket #5567 (could be in some point of
view) then feel free to push also to 4.2 and 4.3 branch.




bump for review

Ack. Works as expected.

--
Pavel^3 Vomacka



Re: [Freeipa-devel] [PATCH] 946 webui: fixed showing of success message after password change on login

2016-02-18 Thread Petr Vobornik

On 01/20/2016 06:42 PM, Petr Vobornik wrote:

similar issue and cause as in https://fedorahosted.org/freeipa/ticket/5567

root cause is that binding triggers validation which clears messages in
validation summary. Maybe it could be refactored in a future to not use
  the same validation summary field for API calls and fields.

If you think it is actually ticket #5567 (could be in some point of
view) then feel free to push also to 4.2 and 4.3 branch.




bump for review
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 947 webui: use API call ca_is_enabled instead of enable_ra env variable.

2016-02-18 Thread Petr Vobornik

On 01/20/2016 07:02 PM, Petr Vobornik wrote:

To be consistent with backend code.

https://fedorahosted.org/freeipa/ticket/5622




bump for review

--
Petr Vobornik



Re: [Freeipa-devel] [patch 0034] ipatests: extend permission plugin test with new expected output

2016-02-18 Thread Milan Kubík

On 02/15/2016 04:59 PM, Milan Kubík wrote:

Patch attached. Applies on ipa-4-3 as well.




Updated version of patch fixes test_old_permission_plugin as well.

--
Milan Kubik

From 518f85240a14f256b5cc8542f66d3766a66b Mon Sep 17 00:00:00 2001
From: Milan Kubík
Date: Mon, 15 Feb 2016 16:54:34 +0100
Subject: [PATCH] ipatests: extend permission plugin test with new expected
 output

---
 ipatests/test_xmlrpc/test_old_permission_plugin.py | 12 
 ipatests/test_xmlrpc/test_permission_plugin.py | 16 
 2 files changed, 28 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_old_permission_plugin.py b/ipatests/test_xmlrpc/test_old_permission_plugin.py
index 9e4b561a6f8ff4d6eac767f7f24e35ee4a910eff..c225d784d440751c09e7b16909fc8ad89f55c344 100644
--- a/ipatests/test_xmlrpc/test_old_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_old_permission_plugin.py
@@ -524,6 +524,12 @@ class test_old_permission(Declarative):
 'subtree': u'ldap:///%s' % users_dn,
 },
 ],
+messages=({
+'message': u'Search result has been truncated to configured search limit.',
+'code': 13017,
+'type': u'warning',
+'name': u'SearchResultTruncated'
+},),
 ),
 ),
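Review bot: the expected truncation warning (`+'message': u'Search result has been truncated to configured search limit.',` / `+'code': 13017,`) is pasted as a literal dict here and again in the three other hunks of this patch; pull it into one module-level constant, or build it from the framework's message definition, so the text and the code cannot drift between the four copies. Asserting the warning also hard-wires the assumption that the number of permissions in a fresh install exceeds the configured search limit; if the default permission set shrinks or the limit is raised, both find tests fail for reasons unrelated to the plugin, so a comment stating that dependency would help the next person who sees the failure.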
 
@@ -577,6 +583,12 @@ class test_old_permission(Declarative):
 DN(res['dn']).endswith(DN(api.env.container_permission,
   api.env.basedn)) and
 'ipapermission' in res['objectclass']],
+		messages=({
+'message': u'Search result has been truncated to configured search limit.',
+'code': 13017,
+'type': u'warning',
+'name': u'SearchResultTruncated'
+		},),
 ),
 ),
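Review bot: the added lines `+		messages=({` and `+		},),` are indented with tabs while the rest of this file and the other hunks in the patch use spaces (pep8 W191); re-indent with spaces before pushing, otherwise the tree's style check will flag the file on the next run.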
 
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 01294665814fc667f932272ee8bc3077583b67df..d641a2d078e0f275a44bbc539aef1352c023ae9b 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -816,6 +816,14 @@ class test_permission(Declarative):
 'ipapermlocation': [users_dn],
 },
 ],
+messages=(
+{
+'message': u'Search result has been truncated to configured search limit.',
+'code': 13017,
+'type': u'warning',
+'name': u'SearchResultTruncated'
+},
+),
 ),
 ),
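Review bot: same literal warning dict as in test_old_permission_plugin.py, but laid out differently (tuple spread over separate lines here, `({ ... },)` there); whichever layout is kept, a single shared definition used by both test modules is preferable to four hand-maintained copies of the same message text and code.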
 
@@ -871,6 +879,14 @@ class test_permission(Declarative):
 DN(res['dn']).endswith(DN(api.env.container_permission,
   api.env.basedn)) and
 'ipapermission' in res['objectclass']],
+messages=(
+{
+'message': u'Search result has been truncated to configured search limit.',
+'code': 13017,
+'type': u'warning',
+'name': u'SearchResultTruncated'
+},
+),
 ),
 ),
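Review bot: this find's expected list is computed at runtime from `api` data (the comprehension filtered by `'ipapermission' in res['objectclass']`), while the `SearchResultTruncated` message is now expected unconditionally; if that filtered result ever fits inside the search limit the warning is absent and the test fails. Either derive the expected `messages` from whether the computed list was actually truncated, or note why truncation is guaranteed here.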
 
-- 
2.7.1


Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-18 Thread Martin Kosek
On 02/18/2016 10:10 AM, David Kupka wrote:
> From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
> From: Timo Aaltonen 
> Date: Tue, 19 Jan 2016 12:37:56 +0100
> Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.
> 
> The scripts in this directory are simple python scripts, nothing arch-specific
> in them. Having them under libexec would simplify the code a bit too, since
> there would be no need to worry about lib vs lib64 (which also cause trouble
> on Debian).

Isn't this the patch which moves our scripts in different location and thus
breaks existing certmonger tracking requests *after upgrade*?



[Freeipa-devel] [PATCH 0134] CI tests: use old schema when testing hostmask-based sudo rules

2016-02-18 Thread Martin Babinsky

https://fedorahosted.org/freeipa/ticket/5625

--
Martin^3 Babinsky
From 34dddb8be8dfaf6116af35cfa80929f46dc29deb Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 17 Feb 2016 16:55:56 +0100
Subject: [PATCH] CI tests: use old schema when testing hostmask-based sudo
 rules

Newer versions of sssd use native IPA schema to process sudo rules.
However, this schema currently has no support for hostmask-based rules
and causes some sudo CI tests to fail. We have to temporarily set
sssd.conf to use ou=sudoers,$SUFFIX as a sudo rule search base when
executing them.

https://fedorahosted.org/freeipa/ticket/5625
---
 ipatests/test_integration/tasks.py | 43 ++
 ipatests/test_integration/test_sudo.py | 27 -
 2 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 7f1b1eac325c0609214b5837d57635d5972a4c32..6c4f70aa535050989a8c1312e4179b4f5744a59c 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -24,11 +24,13 @@ import textwrap
 import re
 import collections
 import itertools
+import tempfile
 import time
 import StringIO
 import dns
 
 from ldif import LDIFWriter
+from SSSDConfig import SSSDConfig
 
 from ipapython import ipautil
 from ipaplatform.paths import paths
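Review bot: `+from SSSDConfig import SSSDConfig` at module level makes every importer of tasks.py, i.e. the whole integration suite on the controller, require the sssd python bindings, although only the new modify_sssd_conf() uses them; either import inside the function or document the new test-controller dependency. Also confirm that `os` is already imported earlier in tasks.py, since the new code calls `os.remove()` but this hunk adds only `tempfile`.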
@@ -509,6 +511,47 @@ def setup_sssd_debugging(host):
 clear_sssd_cache(host)
 
 
+def modify_sssd_conf(host, domain, mod_dict, provider='ipa',
+ provider_subtype=None):
+"""
+modify options in a single domain section of host's sssd.conf
+:param host: multihost.Host object
+:param domain: domain section name to modify
+:param mod_dict: dictionary of options which will be passed to
+SSSDDomain.set_option(). To remove an option specify its value as
+None
+:param provider: provider backend to set. Defaults to ipa
+:param provider_subtype: backend subtype (e.g. id or sudo), will be added
+to the domain config if not present
+"""
+try:
+temp_config_file = tempfile.mkstemp()[1]
+current_config = host.transport.get_file_contents(paths.SSSD_CONF)
+
+with open(temp_config_file, 'wb') as f:
+f.write(current_config)
+
+sssd_config = SSSDConfig()
+sssd_config.import_config(temp_config_file)
+sssd_domain = sssd_config.get_domain(domain)
+
+if provider_subtype is not None:
+sssd_domain.add_provider(provider, provider_subtype)
+
+for m in mod_dict:
+sssd_domain.set_option(m, mod_dict[m])
+
+sssd_config.save_domain(sssd_domain)
+
+new_config = sssd_config.dump(sssd_config.opts).encode('utf-8')
+host.transport.put_file_contents(paths.SSSD_CONF, new_config)
+finally:
+try:
+os.remove(temp_config_file)
+except OSError:
+pass
+
+
 def clear_sssd_cache(host):
 """
 Clears SSSD cache by removing the cache files. Restarts SSSD.
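Review bot: `+temp_config_file = tempfile.mkstemp()[1]` discards the open file descriptor that mkstemp() returns, leaking one descriptor per call; use `fd, temp_config_file = tempfile.mkstemp()` and either `os.close(fd)` or `os.fdopen(fd, 'wb')` for the write. Two smaller points: if mkstemp() itself raises, the `finally` block references `temp_config_file` before assignment and the real error is replaced by an UnboundLocalError, so assign the name before the `try`; and the function rewrites sssd.conf but neither restarts sssd nor clears its cache, which the docstring should state so callers know to run clear_sssd_cache(host) afterwards.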
diff --git a/ipatests/test_integration/test_sudo.py b/ipatests/test_integration/test_sudo.py
index b1f31556a96180c3b30b2fcc03dd35b5cd994ff5..21267454dea9696483fe7725c93a7ef92239710a 100644
--- a/ipatests/test_integration/test_sudo.py
+++ b/ipatests/test_integration/test_sudo.py
@@ -20,7 +20,7 @@
 import pytest
 
 from ipatests.test_integration.base import IntegrationTest
-from ipatests.test_integration.tasks import clear_sssd_cache
+from ipatests.test_integration.tasks import clear_sssd_cache, modify_sssd_conf
 from ipatests.test_integration import util
 
 
@@ -287,6 +287,19 @@ class TestSudo(IntegrationTest):
  'testrule',
  '--hostmask', full_ip])
 
+# SSSD >= 1.13.3-3 uses native IPA schema instead of compat entries to
+# pull in sudoers. Since native schema does not (yet) support
+# hostmasks, we need to point ldap_sudo_search_base to the old schema
+domain = self.client.domain
+modify_sssd_conf(
+self.client,
+domain.name,
+{
+'ldap_sudo_search_base': 'ou=sudoers,{}'.format(domain.basedn)
+},
+provider_subtype='sudo'
+)
+
 def test_sudo_rule_restricted_to_one_hostmask(self):
 if self.__class__.skip_hostmask_based:
 raise pytest.skip("Hostmask could not be detected")
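Review bot: the sssd.conf override is applied at the tail of one test method (right after the `--hostmask` sudorule-add-host) and only undone in a later test method; if any test in between is skipped (`skip_hostmask_based`) or fails, the `ldap_sudo_search_base` override leaks into the remaining tests. A fixture with teardown, or a try/finally around the hostmask-based tests, would keep the old-schema override scoped. Nothing in this hunk restarts sssd or clears its cache after the config write either; unless modify_sssd_conf() does that, the new search base does not take effect until the next restart.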
@@ -328,6 +341,18 @@ class TestSudo(IntegrationTest):
  'testrule',
  '--hostmask', '%s/32' % ip])
 
+# reset ldap_sudo_search_base back to the default value, the old
+# schema is not needed for the upcoming tests
+domain = self.client.domain
+modify_sssd_conf(
+self.client,
+domain.name,
+{
+'ldap_sudo_search_base': None
+},
+provider_subtype='sudo'

Re: [Freeipa-devel] [PATCH 0084-0086] CI: Add double circle topology

2016-02-18 Thread David Kupka

On 12/02/16 16:52, Martin Basti wrote:



On 12.02.2016 13:03, Milan Kubík wrote:

On 02/12/2016 10:59 AM, David Kupka wrote:

Sending one more topology test. This one creates M groups
consisting of N (N>=2) servers.
First two servers in each group are used to connect with nearest four
groups and also with the other servers inside the group (when N>2).
Servers inside the group (not connecting to other groups) are
connected with each other.

The patch set needs freeipa-dkupka-8{1,2,3} applied.


ACK


I cannot apply patches, please rebase

[mbasti@dhcp129-96 freeipa-devel]$ git checkout master
Switched to branch 'master'
Your branch is up-to-date with 'origin/master'.
[mbasti@dhcp129-96 freeipa-devel]$ git am freeipa-dkupka-008* -3
Applying: CI: Add '2-connected' topology generator.
Applying: CI: Add simple replication test in 2-connected topology.
Applying: CI: Add test for 2-connected topology generator.
Applying: CI: Add double circle topology.
Applying: CI: Add replication test utilizing double-circle topology.
Applying: CI: Add test for double-circle topology generator.
error: invalid object 100644 e12d141391840cc7f9150a178875393a96dd469b
for 'ipatests/test_integration/test_topologies.py'
fatal: git-write-tree: error building trees
Repository lacks necessary blobs to fall back on 3-way merge.
Cannot fall back to three-way merge.
Patch failed at 0006 CI: Add test for double-circle topology generator.
The copy of the patch that failed is found in:
/home/mbasti/work/freeipa-devel/.git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".


Martin^2


Git fails to apply patches because wrong version of 
freeipa-dkupka-008{1,2,3} was pushed. Attached patches should fix it.


--
David Kupka
From 676701253f034a335f603a917e24926e2bb41992 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 18 Feb 2016 09:52:55 +0100
Subject: [PATCH 1/2] CI: Fix pep8 errors in 2-connected topology generator

---
 ipatests/test_integration/tasks.py | 11 ++-
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index d37b616bd6efe437a1a979cc7a9ad8c7ea803773..77cba89825574f5354017bf184b106e94eb75c59 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -857,6 +857,7 @@ def tree2_topo(master, replicas):
 yield master, replica
 master = replica
 
+
 @_topo('2-connected')
 def two_connected_topo(master, replicas):
 r"""No replica has more than 4 agreements and at least two
@@ -892,24 +893,24 @@ def two_connected_topo(master, replicas):
 
 v2 = pool.pop(0)
 yield v0, v2
-grow.append((v0,v2))
+grow.append((v0, v2))
 
 v3 = pool.pop(0)
 yield v2, v3
 yield v1, v3
-grow.append((v1,v3))
+grow.append((v1, v3))
 
-for (r,s) in grow:
+for (r, s) in grow:
 t = pool.pop(0)
 
-for (u,v) in [(r,t), (s,t)]:
+for (u, v) in [(r, t), (s, t)]:
 yield u, v
 w = pool.pop(0)
 yield u, w
 x = pool.pop(0)
 yield v, x
 yield w, x
-grow.append((w,x))
+grow.append((w, x))
 
 except IndexError:
 return
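Review bot: whitespace fixes only, which is fine, but the surrounding `except IndexError:` / `return` (context lines at the end of the hunk) turns any IndexError from `pool.pop(0)` into a silent end of the generator and also masks an unrelated IndexError raised inside the loop body. An explicit `if len(pool) < 3: return` before each growth step would make the termination condition visible. Not introduced by this patch, but worth fixing while the function is being touched.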
-- 
2.5.0

From a5e900de20e63896bbca3a3fb53180d8207859eb Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 18 Feb 2016 09:55:53 +0100
Subject: [PATCH 2/2] CI: add empty topology test for 2-connected topology
 generator

---
 ipatests/test_integration/test_topologies.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_integration/test_topologies.py b/ipatests/test_integration/test_topologies.py
index f5332adbef12e8c18471592d4fd5c89097e2d4ed..e12d141391840cc7f9150a178875393a96dd469b 100644
--- a/ipatests/test_integration/test_topologies.py
+++ b/ipatests/test_integration/test_topologies.py
@@ -115,3 +115,4 @@ def test_topology_two_connected():
 (4, 8),
 (7, 8),
 ]
+assert list(topo('M', [])) == []
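Review bot: `+assert list(topo('M', [])) == []` is appended to the end of test_topology_two_connected() instead of being its own test function; a failure would be reported against the wrong case, and a failure earlier in the same function would hide it entirely. Move it to a separate test (the commit subject "add empty topology test" suggests that was the intent).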
-- 
2.5.0


Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-02-18 Thread David Kupka

On 19/01/16 16:10, David Kupka wrote:

On 19/01/16 14:38, Jan Cholasta wrote:

On 19.1.2016 14:26, Martin Kosek wrote:

On 01/19/2016 01:47 PM, David Kupka wrote:

I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in specfile and removed
unused import
but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586


Won't this break existing certmonger requests depending on the old path?


It will, I don't see any upgrade code.



# getcert list | grep '/usr/lib64/ipa/certmonger'
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert
cert-pki-ca"
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"caSigningCert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"Server-Cert
cert-pki-ca"
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
post-save command: /usr/lib64/ipa/certmonger/restart_httpd






You're right it will break the upgrade. I haven't noticed that
Server-Cert for DS and HTTPD are not handled by
certificate_renewal_update (ipaserver.install.server.upgrade) where all
the other trackings are stopped and then configured again with the
paths.CERTMONGER_COMMAND_TEMPLATE already updated.

Thanks for the catch.



I've updated Timo's patch a little more and added 
start_tracking_certificates() for dsinstance and httpinstance. Now the 
upgrade works as expected.


--
David Kupka
From 64927531ec69b77f705691590070fcb8dc634aed Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 17 Feb 2016 15:18:04 +0100
Subject: [PATCH 1/2] dsinstance: add start_tracking_certificates method

Configure certmonger to start tracking certificate for DS.

https://fedorahosted.org/freeipa/ticket/5586
---
 ipaserver/install/dsinstance.py | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3d5734efe7ad0ed2ccf03120b8461db9f99aa318..1def76b575dd10dcf2f737c37cce8e499440d319 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -968,6 +968,16 @@ class DsInstance(service.Service):
 dsdb = certs.CertDB(self.realm, nssdir=dirname)
 dsdb.untrack_server_cert(self.nickname)
 
+def start_tracking_certificates(self, serverid=None):
+if serverid is None:
+serverid = self.get_state("serverid")
+if serverid is not None:
+dirname = config_dirname(serverid)[:-1]
+dsdb = certs.CertDB(self.realm, nssdir=dirname)
+dsdb.track_server_cert(self.nickname, self.principal,
+   dsdb.passwd_fname,
+   'restart_dirsrv %s' % serverid)
+
 # we could probably move this function into the service.Service
 # class - it's very generic - all we need is a way to get an
 # instance of a particular Service
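Review bot: when `serverid` is None and no `serverid` state is recorded, start_tracking_certificates() silently returns without configuring any tracking, so an upgrade would finish "successfully" with the DS Server-Cert untracked; log a warning or raise there, because the caller in certificate_renewal_update cannot otherwise tell that the re-tracking step was skipped. The `'restart_dirsrv %s' % serverid` post-save command matches the `restart_dirsrv RHEL72` form in the getcert output quoted above, so the argument convention is consistent with what is already deployed.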
-- 
2.5.0

From a324e680e9d7603f9175f92c44e4002c2917d83a Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 17 Feb 2016 15:18:17 +0100
Subject: [PATCH 2/2] httpinstance: add start_tracking_certificates method

Configure certmonger to start tracking certificate for httpd.

https://fedorahosted.org/freeipa/ticket/5586
---
 ipaserver/install/httpinstance.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3b46dce82cae017328c9555c543e78b64e642c89..437016b88a7f813744d29fa37f257a744c590fd8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -533,3 +533,8 @@ class HTTPInstance(service.Service):
 def stop_tracking_certificates(self):
 db = certs.CertDB(api.env.realm)
 db.untrack_server_cert(self.cert_nickname)
+
+def start_tracking_certificates(self):
+db = certs.CertDB(self.realm)
+db.track_server_cert(self.cert_nickname, self.principal,
+ db.passwd_fname, 'restart_httpd')
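Review bot: the new start_tracking_certificates() opens `certs.CertDB(self.realm)` while stop_tracking_certificates() directly above uses `certs.CertDB(api.env.realm)`; pick one so both halves of a stop/start pair operate on the same NSS database, since a mismatch would leave the old request in place and add a second one. Otherwise the `'restart_httpd'` post-save command without an argument matches the existing request shown in the quoted `getcert list` output.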
-- 
2.5.0

From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 19 Jan 2016 12:37:56 +0100
Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.

The scripts in this directory are simple python scripts, nothing arch-specific
in them. Having them under libexec would simplify the code a bit too, since
there would be no need to worry 
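
The failure mode discussed in this thread, a tracking request whose pre-save
or post-save helper no longer exists after the helpers move, is easy to check
for after the fact. Below is an added example of such a post-upgrade check;
it is not FreeIPA upgrade code and not part of any patch here. It parses the
plain-text output of `getcert list` and reports every request whose helper is
missing on disk, then shows what the command would look like relocated under
the new directory. The sample output is constructed in the shape of the
excerpt quoted above (request ids and the second NSS database location are
made up), and the new helper directory /usr/libexec/ipa/certmonger is an
assumption of the example, since the thread only says "libexecdir"; the
`exists` predicate is injectable so the check can run without the real
filesystem. Rewriting the requests in certmonger itself (`getcert
stop-tracking`/`start-tracking`, or the upgrade's certificate_renewal_update)
is left to the caller; the example only reports and suggests.

```python
"""Find certmonger tracking requests whose helper commands point at a path
that no longer exists, e.g. after the IPA helpers move from
/usr/lib64/ipa/certmonger to a libexec location.

Added example, not FreeIPA upgrade code.  SAMPLE_GETCERT_LIST is constructed
in the shape of the `getcert list` excerpt quoted in this thread; NEW_DIR is
an assumption (the thread only says "libexecdir").
"""
import os
import re
import shlex

OLD_DIRS = ("/usr/lib64/ipa/certmonger", "/usr/lib/ipa/certmonger")
NEW_DIR = "/usr/libexec/ipa/certmonger"   # assumed target of the move

SAMPLE_GETCERT_LIST = """\
Request ID '20160218120000':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
Request ID '20160218120001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20160218120002':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_httpd
"""

_REQ = re.compile(r"^Request ID '([^']+)':")
_CMD = re.compile(r"^\s*(pre-save|post-save) command:\s*(.*)$")


def parse_getcert_list(text):
    """Return {request_id: {'pre-save': cmd, 'post-save': cmd}}; an unset
    hook is recorded as ''."""
    requests, current = {}, None
    for line in text.splitlines():
        m = _REQ.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        m = _CMD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return requests


def stale_commands(requests, exists=os.path.exists):
    """Yield (request_id, hook, executable) for every hook command whose
    executable is missing.  `exists` is injectable for testing."""
    for rid, hooks in sorted(requests.items()):
        for hook, cmd in sorted(hooks.items()):
            if not cmd:
                continue
            exe = shlex.split(cmd)[0]   # honours the quoted nickname argument
            if not exists(exe):
                yield rid, hook, exe


def relocate(cmd, old_dirs=OLD_DIRS, new_dir=NEW_DIR):
    """Rewrite a hook command so its helper lives under new_dir, keeping the
    arguments (including quoted ones such as "auditSigningCert cert-pki-ca")
    intact and safely re-quoted."""
    if not cmd:
        return cmd
    argv = shlex.split(cmd)
    for old in old_dirs:
        if argv[0].startswith(old + "/"):
            argv[0] = new_dir + argv[0][len(old):]
            break
    return " ".join(shlex.quote(a) for a in argv)


def report(text=SAMPLE_GETCERT_LIST, exists=None):
    """Return [(request_id, hook, missing_exe, suggested_cmd), ...]."""
    if exists is None:
        # simulate the post-move filesystem: only helpers under NEW_DIR exist
        exists = lambda p: p.startswith(NEW_DIR + "/")
    reqs = parse_getcert_list(text)
    return [(rid, hook, exe, relocate(reqs[rid][hook]))
            for rid, hook, exe in stale_commands(reqs, exists)]


if __name__ == "__main__":
    for rid, hook, exe, fix in report():
        print("%s %s: %s missing, suggest: %s" % (rid, hook, exe, fix))
```

Run against a real server the call would be `report(subprocess.check_output(["getcert", "list"]).decode())` with the default `exists`; the symlink workaround Timo proposes would make every old path resolve again and the report would come back empty, which is also a quick way to confirm that such a transition symlink actually covers all helpers, including the ones only referenced from tracking requests.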
