Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
On 10/14/2014 03:59 PM, Jan Cholasta wrote:
> On 14.10.2014 at 15:18, David Kupka wrote:
>> On 10/14/2014 02:28 PM, Jan Cholasta wrote:
>>> On 14.10.2014 at 14:19, David Kupka wrote:
>>>> On 10/14/2014 01:39 PM, Jan Cholasta wrote:
>>>>> On 14.10.2014 at 12:47, David Kupka wrote:
>>>>>> On 10/10/2014 03:24 PM, Jan Cholasta wrote:
>>>>>>> On 8.10.2014 at 12:36, David Kupka wrote:
>>>>>>>> On 10/08/2014 09:29 AM, Jan Cholasta wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> On 8.10.2014 at 09:09, David Kupka wrote:
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4569
>>>>>>>>>
>>>>>>>>> In renew_ca_cert and cainstance.py, dogtag should already be
>>>>>>>>> stopped in the places you modified, so why the change?
>>>>>>>>
>>>>>>>> I didn't notice that it is already stopped, fixed.
>>>>>>>>
>>>>>>>>> Also I don't think it's a good idea to backup CS.cfg when dogtag is
>>>>>>>>> still running (in cainstance.py). If the file is being modified by
>>>>>>>>> dogtag at the time it is backed up, the backup may be corrupted.
>>>>>>>>
>>>>>>>> Fixed, thanks.
>>>>>>>
>>>>>>> CAInstance.backup_config should be called only when Dogtag is
>>>>>>> stopped as well, you don't need to change it.
>>>>>>
>>>>>> backup_config is callable from outside of cainstance.py so it's
>>>>>> safer to check that dogtag is stopped and stop it if necessary.
>>>>>> When dogtag is already stopped it won't do anything.
>>>>>
>>>>> If dogtag is not stopped in backup_config, it's an error, so an
>>>>> exception should be raised.
>>>
>>> What I meant by this is that you should add this check to
>>> backup_config, because it's not there ATM. Sorry for confusing you.
>>
>> Ok, hope that I finally understood.
>
> ACK.

Pushed to:
master: c44f4dcbea210e7802deda1909a3ec70aa6b6460
ipa-4-1: 080c8635de15e3954333e402e9a750d551ff8abd
ipa-4-0: 320ea12373f0172a9505c5e4f7c12b20c3439ac5

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
On 14.10.2014 at 15:18, David Kupka wrote:
> On 10/14/2014 02:28 PM, Jan Cholasta wrote:
>> On 14.10.2014 at 14:19, David Kupka wrote:
>>> On 10/14/2014 01:39 PM, Jan Cholasta wrote:
>>>> On 14.10.2014 at 12:47, David Kupka wrote:
>>>>> On 10/10/2014 03:24 PM, Jan Cholasta wrote:
>>>>>> On 8.10.2014 at 12:36, David Kupka wrote:
>>>>>>> On 10/08/2014 09:29 AM, Jan Cholasta wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> On 8.10.2014 at 09:09, David Kupka wrote:
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4569
>>>>>>>>
>>>>>>>> In renew_ca_cert and cainstance.py, dogtag should already be
>>>>>>>> stopped in the places you modified, so why the change?
>>>>>>>
>>>>>>> I didn't notice that it is already stopped, fixed.
>>>>>>>
>>>>>>>> Also I don't think it's a good idea to backup CS.cfg when dogtag is
>>>>>>>> still running (in cainstance.py). If the file is being modified by
>>>>>>>> dogtag at the time it is backed up, the backup may be corrupted.
>>>>>>>
>>>>>>> Fixed, thanks.
>>>>>>
>>>>>> CAInstance.backup_config should be called only when Dogtag is
>>>>>> stopped as well, you don't need to change it.
>>>>>
>>>>> backup_config is callable from outside of cainstance.py so it's
>>>>> safer to check that dogtag is stopped and stop it if necessary.
>>>>> When dogtag is already stopped it won't do anything.
>>>>
>>>> If dogtag is not stopped in backup_config, it's an error, so an
>>>> exception should be raised.
>>
>> What I meant by this is that you should add this check to
>> backup_config, because it's not there ATM. Sorry for confusing you.
>
> Ok, hope that I finally understood.

ACK.

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
On 10/14/2014 02:28 PM, Jan Cholasta wrote:
> On 14.10.2014 at 14:19, David Kupka wrote:
>> On 10/14/2014 01:39 PM, Jan Cholasta wrote:
>>> On 14.10.2014 at 12:47, David Kupka wrote:
>>>> On 10/10/2014 03:24 PM, Jan Cholasta wrote:
>>>>> On 8.10.2014 at 12:36, David Kupka wrote:
>>>>>> On 10/08/2014 09:29 AM, Jan Cholasta wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> On 8.10.2014 at 09:09, David Kupka wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4569
>>>>>>>
>>>>>>> In renew_ca_cert and cainstance.py, dogtag should already be
>>>>>>> stopped in the places you modified, so why the change?
>>>>>>
>>>>>> I didn't notice that it is already stopped, fixed.
>>>>>>
>>>>>>> Also I don't think it's a good idea to backup CS.cfg when dogtag is
>>>>>>> still running (in cainstance.py). If the file is being modified by
>>>>>>> dogtag at the time it is backed up, the backup may be corrupted.
>>>>>>
>>>>>> Fixed, thanks.
>>>>>
>>>>> CAInstance.backup_config should be called only when Dogtag is
>>>>> stopped as well, you don't need to change it.
>>>>
>>>> backup_config is callable from outside of cainstance.py so it's
>>>> safer to check that dogtag is stopped and stop it if necessary.
>>>> When dogtag is already stopped it won't do anything.
>>>
>>> If dogtag is not stopped in backup_config, it's an error, so an
>>> exception should be raised.
>
> What I meant by this is that you should add this check to
> backup_config, because it's not there ATM. Sorry for confusing you.

Ok, hope that I finally understood.

--
David Kupka

From f57f22e4753caa7e811aa5b0a0e74fc5902465ae Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/tools/ipa-upgradeconfig | 46 ++---
 ipaserver/install/cainstance.py | 3 +++
 2 files changed, 28 insertions(+), 21 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 82e7857d5dec8955935b948df34aab08bfa7f914..e064f38fc963d94c7775f2282402eaaddb682af4 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore): if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \ os.path.exists(paths.PKI_SETUP_PROXY): -ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' - ,'-pki_instance_name=pki-ca','-subsystem_type=ca']) +# update proxy configuration with stopped dogtag to prevent corruption +# of CS.cfg +ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib', + '-pki_instance_name=pki-ca','-subsystem_type=ca']) root_logger.debug('Proxy configuration updated') else: root_logger.debug('Proxy configuration up-to-date') 
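Review bot: the added comment `# update proxy configuration with stopped dogtag to prevent corruption of CS.cfg` now promises something this function no longer does: after this revision nothing in upgrade_pki stops dogtag, and the `ipautil.run([paths.PKI_SETUP_PROXY, ...])` call depends entirely on the caller having entered `installutils.stopped_service(...)` first. Reword the comment to say the caller must hold dogtag stopped, or better, check that here (the same is-running test the thread asks for in backup_config) so a future caller cannot run pki-setup-proxy against a live CS.cfg. Apart from the comment the hunk only moves the leading comma, which is fine.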
@@ -1082,28 +1084,30 @@ def main(): ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) ca.backup_config() -# migrate CRL publish dir before the location in ipa.conf is updated -ca_restart = migrate_crl_publish_dir(ca) +with installutils.stopped_service(configured_constants.SERVICE_NAME, +configured_constants.PKI_INSTANCE_NAME): +# migrate CRL publish dir before the location in ipa.conf is updated +ca_restart = migrate_crl_publish_dir(ca) -if ca.is_configured(): -crl = installutils.get_directive(configured_constants.CS_CFG_PATH, - 'ca.crl.MasterCRL.enableCRLUpdates', - '=') -sub_dict['CLONE']='#' if crl.lower() == 'true' else '' +if ca.is_configured(): +crl = installutils.get_directive(configured_constants.CS_CFG_PATH, +'ca.crl.MasterCRL.enableCRLUpdates', '=') +sub_dict['CLONE']='#' if crl.lower() == 'true' else '' -certmap_dir = dsinstance.config_dirname( -dsinstance.realm_to_serverid(api.env.realm)) +certmap_dir = dsinstance.config_dirname( +dsinstance.realm_to_serverid(api.env.realm)) + +upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf") +upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf") +upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) +if subject_base: +upgrade( +sub_dict, +os.path.join(certmap_dir, "certmap.conf"), +os.path.join(ipautil.SHARE_DIR, "certmap.conf.template") +) +upgrade_pki(ca, fstore) -upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf") -upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf") -upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf",
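Review bot: `ca.backup_config()` is still called on the unchanged line immediately before `with installutils.stopped_service(configured_constants.SERVICE_NAME, configured_constants.PKI_INSTANCE_NAME):`, so the copy of CS.cfg is taken while dogtag may still be running, which is exactly the window the commit message says corrupts the file, and once backup_config raises on a running dogtag (as agreed in this thread) ipa-upgradeconfig will abort here on any live server. Move `ca.backup_config()` inside the block as its first statement.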
Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
On 14.10.2014 at 14:19, David Kupka wrote:
> On 10/14/2014 01:39 PM, Jan Cholasta wrote:
>> On 14.10.2014 at 12:47, David Kupka wrote:
>>> On 10/10/2014 03:24 PM, Jan Cholasta wrote:
>>>> On 8.10.2014 at 12:36, David Kupka wrote:
>>>>> On 10/08/2014 09:29 AM, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 8.10.2014 at 09:09, David Kupka wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/4569
>>>>>>
>>>>>> In renew_ca_cert and cainstance.py, dogtag should already be
>>>>>> stopped in the places you modified, so why the change?
>>>>>
>>>>> I didn't notice that it is already stopped, fixed.
>>>>>
>>>>>> Also I don't think it's a good idea to backup CS.cfg when dogtag is
>>>>>> still running (in cainstance.py). If the file is being modified by
>>>>>> dogtag at the time it is backed up, the backup may be corrupted.
>>>>>
>>>>> Fixed, thanks.
>>>>
>>>> CAInstance.backup_config should be called only when Dogtag is
>>>> stopped as well, you don't need to change it.
>>>
>>> backup_config is callable from outside of cainstance.py so it's
>>> safer to check that dogtag is stopped and stop it if necessary.
>>> When dogtag is already stopped it won't do anything.
>>
>> If dogtag is not stopped in backup_config, it's an error, so an
>> exception should be raised.

What I meant by this is that you should add this check to
backup_config, because it's not there ATM. Sorry for confusing you.

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
On 10/14/2014 01:39 PM, Jan Cholasta wrote:
> On 14.10.2014 at 12:47, David Kupka wrote:
>> On 10/10/2014 03:24 PM, Jan Cholasta wrote:
>>> On 8.10.2014 at 12:36, David Kupka wrote:
>>>> On 10/08/2014 09:29 AM, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 8.10.2014 at 09:09, David Kupka wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/4569
>>>>>
>>>>> In renew_ca_cert and cainstance.py, dogtag should already be
>>>>> stopped in the places you modified, so why the change?
>>>>
>>>> I didn't notice that it is already stopped, fixed.
>>>>
>>>>> Also I don't think it's a good idea to backup CS.cfg when dogtag is
>>>>> still running (in cainstance.py). If the file is being modified by
>>>>> dogtag at the time it is backed up, the backup may be corrupted.
>>>>
>>>> Fixed, thanks.
>>>
>>> CAInstance.backup_config should be called only when Dogtag is
>>> stopped as well, you don't need to change it.
>>
>> backup_config is callable from outside of cainstance.py so it's
>> safer to check that dogtag is stopped and stop it if necessary.
>> When dogtag is already stopped it won't do anything.
>
> If dogtag is not stopped in backup_config, it's an error, so an
> exception should be raised.
>
> You should use stopped_service only in places where you actually want
> dogtag to become stopped. If there were multiple consecutive
> stopped_service calls when dogtag should be stopped but isn't, it
> would cause multiple dogtag restarts, which would work, but it would
> waste time and be hard to debug.

Ok, thanks for explanation.

>>>>> Honza
>>>
>>> It would be better to stop and start dogtag only once in
>>> ipa-upgradeconfig, not every time there is a modification to CS.cfg.
>>
>> OK.

--
David Kupka

From 686fb86684470f801c46c3179c184c663e503df7 Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/tools/ipa-upgradeconfig | 46 ++---
 1 file changed, 25 insertions(+), 21 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 82e7857d5dec8955935b948df34aab08bfa7f914..e064f38fc963d94c7775f2282402eaaddb682af4 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore): if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \ os.path.exists(paths.PKI_SETUP_PROXY): -ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' - ,'-pki_instance_name=pki-ca','-subsystem_type=ca']) +# update proxy configuration with stopped dogtag to prevent corruption +# of CS.cfg +ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib', + '-pki_instance_name=pki-ca','-subsystem_type=ca']) root_logger.debug('Proxy configuration updated') else: root_logger.debug('Proxy configuration up-to-date') 
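Review bot: the rewritten call still hard-codes `'-pki_instance_root=/var/lib'` and `'-pki_instance_name=pki-ca'`, while the rest of this file addresses the CA through `configured_constants.PKI_INSTANCE_NAME` and `configured_constants.CS_CFG_PATH`. If the literals are intentional because this branch is only reached for the old layout (the `os.path.exists(paths.PKI_SETUP_PROXY)` guard suggests that), say so in the new comment; otherwise take both values from the same constants so pki-setup-proxy cannot be pointed at a different instance than the one whose CS.cfg is being protected.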
@@ -1082,28 +1084,30 @@ def main(): ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) ca.backup_config() -# migrate CRL publish dir before the location in ipa.conf is updated -ca_restart = migrate_crl_publish_dir(ca) +with installutils.stopped_service(configured_constants.SERVICE_NAME, +configured_constants.PKI_INSTANCE_NAME): +# migrate CRL publish dir before the location in ipa.conf is updated +ca_restart = migrate_crl_publish_dir(ca) -if ca.is_configured(): -crl = installutils.get_directive(configured_constants.CS_CFG_PATH, - 'ca.crl.MasterCRL.enableCRLUpdates', - '=') -sub_dict['CLONE']='#' if crl.lower() == 'true' else '' +if ca.is_configured(): +crl = installutils.get_directive(configured_constants.CS_CFG_PATH, +'ca.crl.MasterCRL.enableCRLUpdates', '=') +sub_dict['CLONE']='#' if crl.lower() == 'true' else '' -certmap_dir = dsinstance.config_dirname( -dsinstance.realm_to_serverid(api.env.realm)) +certmap_dir = dsinstance.config_dirname( +dsinstance.realm_to_serverid(api.env.realm)) + +upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf") +upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf") +upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) +if subject_base: +upgrade( +sub_dict, +os.path.join(certmap_dir, "certmap.conf"), +os.path.join(ipautil.SHARE_DIR, "certmap.conf.template") +) +upgrade_pki(ca, fstore) -upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf") -
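Review bot: the `with installutils.stopped_service(...)` block now also covers `upgrade(sub_dict, paths.HTTPD_IPA_CONF, ...)`, the `ipa-rewrite.conf` and `ipa-pki-proxy.conf` upgrades and the certmap.conf rewrite, none of which touch CS.cfg, so the CA is down for the whole httpd/certmap rewrite rather than only for `migrate_crl_publish_dir(ca)` and `upgrade_pki(ca, fstore)`. If the ordering constraint in the comment (CRL publish dir before ipa.conf) permits it, keep the httpd upgrades outside the block to shorten the outage; if it does not, add a comment saying why they must stay inside.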
Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
On 14.10.2014 at 12:47, David Kupka wrote:
> On 10/10/2014 03:24 PM, Jan Cholasta wrote:
>> On 8.10.2014 at 12:36, David Kupka wrote:
>>> On 10/08/2014 09:29 AM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 8.10.2014 at 09:09, David Kupka wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/4569
>>>>
>>>> In renew_ca_cert and cainstance.py, dogtag should already be
>>>> stopped in the places you modified, so why the change?
>>>
>>> I didn't notice that it is already stopped, fixed.
>>>
>>>> Also I don't think it's a good idea to backup CS.cfg when dogtag is
>>>> still running (in cainstance.py). If the file is being modified by
>>>> dogtag at the time it is backed up, the backup may be corrupted.
>>>
>>> Fixed, thanks.
>>
>> CAInstance.backup_config should be called only when Dogtag is
>> stopped as well, you don't need to change it.
>
> backup_config is callable from outside of cainstance.py so it's
> safer to check that dogtag is stopped and stop it if necessary.
> When dogtag is already stopped it won't do anything.

If dogtag is not stopped in backup_config, it's an error, so an
exception should be raised.

You should use stopped_service only in places where you actually want
dogtag to become stopped. If there were multiple consecutive
stopped_service calls when dogtag should be stopped but isn't, it would
cause multiple dogtag restarts, which would work, but it would waste
time and be hard to debug.

>>>> Honza
>>
>> It would be better to stop and start dogtag only once in
>> ipa-upgradeconfig, not every time there is a modification to CS.cfg.
>
> OK.

--
Jan Cholasta
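The control flow this exchange settles on, as an added example that is not FreeIPA's code: a `stopped_service`-style context manager with the semantics described above (a no-op when the service is already down, one stop/start cycle per separate use on a running service), a `backup_config` that raises instead of quietly stopping the service itself, and a driver that applies the same CS.cfg edits once under a single stop and once per edit so the extra restarts become visible. `FakeService`, `set_directive`, `read_cfg`, `run_upgrade`, the directive values and the sample CS.cfg contents are all constructed for this illustration; FreeIPA's real `installutils.stopped_service` takes a service name and instance name and drives the system service manager.

```python
import os
import shutil
import tempfile
from contextlib import contextmanager


class FakeService:
    """Constructed stand-in for the CA service: tracks running state and
    records every stop/start so the restart count can be inspected."""

    def __init__(self, name, running=True):
        self.name = name
        self.running = running
        self.transitions = []

    def is_running(self):
        return self.running

    def stop(self):
        self.transitions.append("stop")
        self.running = False

    def start(self):
        self.transitions.append("start")
        self.running = True


@contextmanager
def stopped_service(service):
    """Hold the service stopped for the block and restart it afterwards.
    Already stopped: do nothing. Running: one stop/start per separate use."""
    if not service.is_running():
        yield
        return
    service.stop()
    try:
        yield
    finally:
        service.start()


def backup_config(service, cfg_path):
    """Copy CS.cfg aside; refuse while the daemon is up, because a copy
    taken mid-write is exactly the corrupted backup the review warns about."""
    if service.is_running():
        raise RuntimeError("%s must be stopped before backing up %s"
                           % (service.name, cfg_path))
    backup = cfg_path + ".ipabkp"
    shutil.copy(cfg_path, backup)
    return backup


def set_directive(cfg_path, key, value):
    """Rewrite key=value in a flat CS.cfg-style file (append when absent)."""
    with open(cfg_path) as f:
        lines = f.read().splitlines()
    out = ["%s=%s" % (key, value) if l.split("=", 1)[0] == key else l
           for l in lines]
    if not any(l.split("=", 1)[0] == key for l in lines):
        out.append("%s=%s" % (key, value))
    with open(cfg_path, "w") as f:
        f.write("\n".join(out) + "\n")


def read_cfg(cfg_path):
    with open(cfg_path) as f:
        return dict(l.split("=", 1) for l in f.read().splitlines() if "=" in l)


# Directives touched by the upgrade; the values are constructed for the example.
EDITS = [("proxy.securePort", "443"),
         ("ca.publish.publisher.instance.FileBaseCRLPublisher.directory",
          "/var/lib/ipa/pki-ca/publish")]


def run_upgrade(per_edit):
    """Apply EDITS to a constructed CS.cfg in a temp dir, either under one
    stopped_service or under one per edit; return the stop/start log plus
    the resulting file and backup contents."""
    workdir = tempfile.mkdtemp()
    cfg_path = os.path.join(workdir, "CS.cfg")
    with open(cfg_path, "w") as f:
        f.write("proxy.securePort=\nca.crl.MasterCRL.enableCRLUpdates=true\n")
    service = FakeService("ca")
    try:
        if per_edit:
            with stopped_service(service):
                backup_config(service, cfg_path)
            for key, value in EDITS:
                with stopped_service(service):
                    set_directive(cfg_path, key, value)
        else:
            with stopped_service(service):
                backup_config(service, cfg_path)
                for key, value in EDITS:
                    set_directive(cfg_path, key, value)
        return {"transitions": list(service.transitions),
                "cfg": read_cfg(cfg_path),
                "backup": read_cfg(cfg_path + ".ipabkp")}
    finally:
        shutil.rmtree(workdir)


def backup_refused_while_running():
    """True when backup_config raises rather than copying under a live service."""
    try:
        backup_config(FakeService("ca", running=True), os.devnull)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    print("single stop:", run_upgrade(per_edit=False)["transitions"])
    print("per edit:   ", run_upgrade(per_edit=True)["transitions"])
```

Running it shows two transitions for the single-stop variant and six for the per-edit variant, the "multiple dogtag restarts" cost described above; the backup taken under the single stop still holds the pre-upgrade values, and `backup_config` called with the service up raises instead of producing a possibly torn copy.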
Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
On 10/10/2014 03:24 PM, Jan Cholasta wrote:
> On 8.10.2014 at 12:36, David Kupka wrote:
>> On 10/08/2014 09:29 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 8.10.2014 at 09:09, David Kupka wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4569
>>>
>>> In renew_ca_cert and cainstance.py, dogtag should already be
>>> stopped in the places you modified, so why the change?
>>
>> I didn't notice that it is already stopped, fixed.
>>
>>> Also I don't think it's a good idea to backup CS.cfg when dogtag is
>>> still running (in cainstance.py). If the file is being modified by
>>> dogtag at the time it is backed up, the backup may be corrupted.
>>
>> Fixed, thanks.
>
> CAInstance.backup_config should be called only when Dogtag is
> stopped as well, you don't need to change it.

backup_config is callable from outside of cainstance.py so it's safer to
check that dogtag is stopped and stop it if necessary. When dogtag is
already stopped it won't do anything.

>>> Honza
>
> It would be better to stop and start dogtag only once in
> ipa-upgradeconfig, not every time there is a modification to CS.cfg.

OK.

--
David Kupka

From 2332a404f9e53549ccadb925e8c3f267b4034175 Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/tools/ipa-upgradeconfig | 46 ++---
 ipaserver/install/cainstance.py | 6 --
 2 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 82e7857d5dec8955935b948df34aab08bfa7f914..e064f38fc963d94c7775f2282402eaaddb682af4 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore): if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \ os.path.exists(paths.PKI_SETUP_PROXY): -ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' - ,'-pki_instance_name=pki-ca','-subsystem_type=ca']) +# update proxy configuration with stopped dogtag to prevent corruption +# of CS.cfg +ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib', + '-pki_instance_name=pki-ca','-subsystem_type=ca']) root_logger.debug('Proxy configuration updated') else: root_logger.debug('Proxy configuration up-to-date') 
@@ -1082,28 +1084,30 @@ def main(): ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) ca.backup_config() -# migrate CRL publish dir before the location in ipa.conf is updated -ca_restart = migrate_crl_publish_dir(ca) +with installutils.stopped_service(configured_constants.SERVICE_NAME, +configured_constants.PKI_INSTANCE_NAME): +# migrate CRL publish dir before the location in ipa.conf is updated +ca_restart = migrate_crl_publish_dir(ca) -if ca.is_configured(): -crl = installutils.get_directive(configured_constants.CS_CFG_PATH, - 'ca.crl.MasterCRL.enableCRLUpdates', - '=') -sub_dict['CLONE']='#' if crl.lower() == 'true' else '' +if ca.is_configured(): +crl = installutils.get_directive(configured_constants.CS_CFG_PATH, +'ca.crl.MasterCRL.enableCRLUpdates', '=') +sub_dict['CLONE']='#' if crl.lower() == 'true' else '' -certmap_dir = dsinstance.config_dirname( -dsinstance.realm_to_serverid(api.env.realm)) +certmap_dir = dsinstance.config_dirname( +dsinstance.realm_to_serverid(api.env.realm)) + +upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf") +upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf") +upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) +if subject_base: +upgrade( +sub_dict, +os.path.join(certmap_dir, "certmap.conf"), +os.path.join(ipautil.SHARE_DIR, "certmap.conf.template") +) +upgrade_pki(ca, fstore) -upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf") -upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf") -upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) -if subject_base: -upgrade( -sub_dict, -os.path.join(certmap_dir, "certmap.conf"), -os.path.join(ipautil.SHARE_DIR, "certmap.conf.template") -) -upgrade_pki(ca, fstore) update_dbmodules(api.env.realm) uninstall_i
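Review bot: the `with installutils.stopped_service(configured_constants.SERVICE_NAME, configured_constants.PKI_INSTANCE_NAME):` block is entered before the `if ca.is_configured():` test, so on a server with no CA ipa-upgradeconfig now tries to stop and later start the dogtag service named by configured_constants. Check `ca.is_configured()` first and enter the block only for a configured CA, or add a comment confirming that stopped_service is a no-op for an instance that does not exist (the thread only establishes that it does nothing when the service is already stopped, which is a different case).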
Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
On 8.10.2014 at 12:36, David Kupka wrote:
> On 10/08/2014 09:29 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 8.10.2014 at 09:09, David Kupka wrote:
>>> https://fedorahosted.org/freeipa/ticket/4569
>>
>> In renew_ca_cert and cainstance.py, dogtag should already be
>> stopped in the places you modified, so why the change?
>
> I didn't notice that it is already stopped, fixed.
>
>> Also I don't think it's a good idea to backup CS.cfg when dogtag is
>> still running (in cainstance.py). If the file is being modified by
>> dogtag at the time it is backed up, the backup may be corrupted.
>
> Fixed, thanks.

CAInstance.backup_config should be called only when Dogtag is stopped as
well, you don't need to change it.

>> Honza

It would be better to stop and start dogtag only once in
ipa-upgradeconfig, not every time there is a modification to CS.cfg.

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
On 10/08/2014 09:29 AM, Jan Cholasta wrote:
> Hi,
>
> On 8.10.2014 at 09:09, David Kupka wrote:
>> https://fedorahosted.org/freeipa/ticket/4569
>
> In renew_ca_cert and cainstance.py, dogtag should already be
> stopped in the places you modified, so why the change?

I didn't notice that it is already stopped, fixed.

> Also I don't think it's a good idea to backup CS.cfg when dogtag is
> still running (in cainstance.py). If the file is being modified by
> dogtag at the time it is backed up, the backup may be corrupted.

Fixed, thanks.

> Honza

--
David Kupka

From 104dca26a87255be2b67652dd0f4c60b71e92e90 Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/tools/ipa-upgradeconfig | 15 +++
 ipaserver/install/cainstance.py | 6 --
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index ba4ac93998fa203719e058fdfe557f4f2a67a865..08ff9a224d92245ff2c5845e6c9df22a700df562 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore): if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \ os.path.exists(paths.PKI_SETUP_PROXY): -ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' +# update proxy configuration with stopped dogtag to prevent corruption +# of CS.cfg +with installutils.stopped_service( +configured_constants.SERVICE_NAME, +configured_constants.PKI_INSTANCE_NAME): +ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' ,'-pki_instance_name=pki-ca','-subsystem_type=ca']) root_logger.debug('Proxy configuration updated') else:
@@ -821,9 +826,11 @@ def migrate_crl_publish_dir(ca): root_logger.error('Cannot move CRL file to new directory: %s', e) try: -installutils.set_directive(caconfig.CS_CFG_PATH, -'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', -publishdir, quotes=False, separator='=') +with installutils.stopped_service(caconfig.SERVICE_NAME, +caconfig.PKI_INSTANCE_NAME): +installutils.set_directive(caconfig.CS_CFG_PATH, +'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', +publishdir, quotes=False, separator='=') except OSError, e: root_logger.error('Cannot update CA configuration file "%s": %s', caconfig.CS_CFG_PATH, e) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 521f25d96693efe64b5859901bb3da9da79ee0ec..ac6dd828aa38e14c16e7bb7c7d1c397793222852 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1841,8 +1841,10 @@ def backup_config(dogtag_constants=None): if dogtag_constants is None: dogtag_constants = dogtag.configured_constants() -shutil.copy(dogtag_constants.CS_CFG_PATH, -dogtag_constants.CS_CFG_PATH + '.ipabkp') +with stopped_service(dogtag_constants.SERVICE_NAME, + instance_name=dogtag_constants.PKI_INSTANCE_NAME): +shutil.copy(dogtag_constants.CS_CFG_PATH, +dogtag_constants.CS_CFG_PATH + '.ipabkp') def update_cert_config(nickname, cert, dogtag_constants=None): """ -- 1.9.3 From f322136e5fd0bc1df5edf712c931c328dc5bdb5d Mon Sep 17 00:00:00 2001 From: David Kupka Date: Tue, 30 Sep 2014 08:41:49 -0400 Subject: [PATCH] Stop dogtag when updating its configuration in ipa-upgradeconfig. Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file. https://fedorahosted.org/freeipa/ticket/4569 --- install/tools/ipa-upgradeconfig | 15 +++ ipaserver/install/cainstance.py | 6 -- 2 files changed, 15 insertions(+), 6 deletions(-) 
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 3914eb59066b515d33bebc19ca5afb4f50548bb2..abe3c077ccbaebf7317591eca19be99b686ae37d 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore): if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \ os.path.exists(paths.PKI_SETUP_PROXY): -ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' +# update proxy configuration with stopped dogtag to prevent corruption +# of CS.cfg +with installutils.stopped_service( +configured_cons
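Review bot: in the `@@ -233,7 +233,12 @@ def upgrade_pki` hunk, wrapping only the `ipautil.run([paths.PKI_SETUP_PROXY, ...])` call in `installutils.stopped_service(configured_constants.SERVICE_NAME, configured_constants.PKI_INSTANCE_NAME)` stops and restarts dogtag for this one edit, and upgrade_pki is a helper called from main() where other CS.cfg edits happen too, so an upgrade pays a full CA restart per modified directive. Do the stop once around the whole sequence in main() and let this helper assume a stopped service, with a check that fails loudly if it is not.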
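Review bot: in the `@@ -821,9 +826,11 @@ def migrate_crl_publish_dir` hunk, the new `with installutils.stopped_service(caconfig.SERVICE_NAME, caconfig.PKI_INSTANCE_NAME):` sits inside a `try:` whose `except OSError, e:` was written for the file write, so a failure to stop or restart dogtag is either logged as 'Cannot update CA configuration file' (if it surfaces as an OSError) or propagates uncaught out of migrate_crl_publish_dir (if the service command fails with a different exception). Keep the service handling outside the try, or catch and log it separately so the CA is not left stopped with a misleading message.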
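Review bot: in the `@@ -1841,8 +1841,10 @@ def backup_config` hunk, silently stopping dogtag inside backup_config hides a caller bug: every legitimate caller already has the service stopped, so a running dogtag here means CS.cfg is about to be handled under a live CA. Replace the `with stopped_service(dogtag_constants.SERVICE_NAME, instance_name=dogtag_constants.PKI_INSTANCE_NAME):` with an is-running check that raises (naming dogtag_constants.CS_CFG_PATH in the message) and keep the unconditional `shutil.copy(...)` below it. Note also that this hunk passes the instance name as the keyword `instance_name=` while the two ipa-upgradeconfig hunks pass it positionally; pick one form.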
Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
Hi,

On 8.10.2014 at 09:09, David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/4569

In renew_ca_cert and cainstance.py, dogtag should already be stopped in
the places you modified, so why the change?

Also I don't think it's a good idea to backup CS.cfg when dogtag is
still running (in cainstance.py). If the file is being modified by
dogtag at the time it is backed up, the backup may be corrupted.

Honza

--
Jan Cholasta
[Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
https://fedorahosted.org/freeipa/ticket/4569

--
David Kupka

From a1363fa49a35115cfa15d51d7ae5c298828efc37 Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/restart_scripts/renew_ca_cert | 31 +-
 install/tools/ipa-upgradeconfig | 15 +++--
 ipaserver/install/cainstance.py | 108 ++
 3 files changed, 84 insertions(+), 70 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 2ad2038703a74fe3549708549091633b35695907..e14e699bf57c631238a342ba19a3a1d483574bbb 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -104,20 +104,23 @@ def main(): cfg_path, 'subsystem.select', '=') if config == 'New': syslog.syslog(syslog.LOG_NOTICE, "Updating CS.cfg") -if x509.is_self_signed(cert, x509.DER): -installutils.set_directive( -cfg_path, 'hierarchy.select', 'Root', -quotes=False, separator='=') -installutils.set_directive( -cfg_path, 'subsystem.count', '1', -quotes=False, separator='=') -else: -installutils.set_directive( -cfg_path, 'hierarchy.select', 'Subordinate', -quotes=False, separator='=') -installutils.set_directive( -cfg_path, 'subsystem.count', '0', -quotes=False, separator='=') +with installutils.stopped_service( +configured_constants.SERVICE_NAME, +configured_constants.PKI_INSTANCE_NAME): +if x509.is_self_signed(cert, x509.DER): +installutils.set_directive( +cfg_path, 'hierarchy.select', 'Root', +quotes=False, separator='=') +installutils.set_directive( +cfg_path, 'subsystem.count', '1', +quotes=False, separator='=') +else: +installutils.set_directive( +cfg_path, 'hierarchy.select', 'Subordinate', +quotes=False, separator='=') +installutils.set_directive( +cfg_path, 'subsystem.count', '0', +quotes=False, separator='=') else: syslog.syslog(syslog.LOG_NOTICE, "Not updating CS.cfg") diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index ba4ac93998fa203719e058fdfe557f4f2a67a865..08ff9a224d92245ff2c5845e6c9df22a700df562 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
@@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore): if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \ os.path.exists(paths.PKI_SETUP_PROXY): -ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' +# update proxy configuration with stopped dogtag to prevent corruption +# of CS.cfg +with installutils.stopped_service( +configured_constants.SERVICE_NAME, +configured_constants.PKI_INSTANCE_NAME): +ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' ,'-pki_instance_name=pki-ca','-subsystem_type=ca']) root_logger.debug('Proxy configuration updated') else: @@ -821,9 +826,11 @@ def migrate_crl_publish_dir(ca): root_logger.error('Cannot move CRL file to new directory: %s', e) try: -installutils.set_directive(caconfig.CS_CFG_PATH, -'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', -publishdir, quotes=False, separator='=') +with installutils.stopped_service(caconfig.SERVICE_NAME, +caconfig.PKI_INSTANCE_NAME): +installutils.set_directive(caconfig.CS_CFG_PATH, +'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', +publishdir, quotes=False, separator='=') except OSError, e: root_logger.error('Cannot update CA configuration file "%s": %s', caconfig.CS_CFG_PATH, e) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 521f25d96693efe64b5859901bb3da9da79ee0ec..2793b407a88f0b5b6592f79a7b6279d2fa41a787 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/in
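Review bot: in the `@@ -104,20 +104,23 @@ def main()` hunk of install/restart_scripts/renew_ca_cert, the reviewer has already pointed out that dogtag is stopped where this script runs, so the new `with installutils.stopped_service(configured_constants.SERVICE_NAME, configured_constants.PKI_INSTANCE_NAME):` around the four `installutils.set_directive(cfg_path, ...)` calls is redundant in the normal case and, should dogtag unexpectedly be running, would mask that by restarting it instead of failing. Drop the wrapper and, if a guard is wanted, raise when the service is found running; that also avoids re-indenting the entire if/else and keeps the hunk to the logical change.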