Re: [Freeipa-devel] [PATCH] 0040-0042 Fedora packages fixes merge
Alexander Bokovoy wrote: On Mon, 06 Feb 2012, Rob Crittenden wrote: Seems to work ok, Fix this and you have ACK x3: pylint error: init/systemd/freeipa-systemd-upgrade:38: [E0602] Undefined variable 'IPAConfigError' My fix: +++ b/init/systemd/freeipa-systemd-upgrade @@ -35,7 +35,7 @@ def convert_java_link(foo, topdir, filepaths): # 0. Init config try: config.init_config() -except IPAConfigError, e: +except config.IPAConfigError, e: # No configured IPA install, no need to upgrade anything exit(0) Did the same. Attached new version. I'm not attaching other patches as they are intact. ACK, pushed all three to master, ipa-2-2 and ipa-2-1 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0040-0042 Fedora packages fixes merge
Alexander Bokovoy wrote: Hi, attached are three patches that differentiate current freeipa-2.1.4 builds in Fedora 16/Rawhide from upstream. These are primarily to adopt to systemd and python-ldap changes. 1. freeipa-abbra-0040-inifiles-support.patch introduces a way to modify sectioned inifiles used by freedesktop.org software like systemd service units. The patch also fixes a subtle bug in traditional config files handling when variables do not exist before replacement. 2. freeipa-abbra-0041-upgrade-systemd.patch introduces an upgrade script to fix common issues found when migrating from SysV to systemd and to adopt to systemd changes done recently for 389-ds (as of 1.2.10-0.8.a7 and above). freeipa.spec.in part is not included as this script is actual only for Fedora 16/Rawhide repos. 3. freeipa-abbra-0042-python-ldap-2.4.6-support.patch one-line fix to support python-ldap 2.4.6 from Rawhide. All patches are in freeipa-2.1.4-5.fc16 (.fc17) available from updates-testing (in case of F16) or directly in Rawhide. Fixes: https://fedorahosted.org/freeipa/ticket/2117 https://fedorahosted.org/freeipa/ticket/2300 Seems to work ok, Fix this and you have ACK x3: pylint error: init/systemd/freeipa-systemd-upgrade:38: [E0602] Undefined variable 'IPAConfigError' My fix: +++ b/init/systemd/freeipa-systemd-upgrade @@ -35,7 +35,7 @@ def convert_java_link(foo, topdir, filepaths): # 0. Init config try: config.init_config() -except IPAConfigError, e: +except config.IPAConfigError, e: # No configured IPA install, no need to upgrade anything exit(0) rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0040-0042 Fedora packages fixes merge
On Mon, 06 Feb 2012, Rob Crittenden wrote: Seems to work ok, Fix this and you have ACK x3: pylint error: init/systemd/freeipa-systemd-upgrade:38: [E0602] Undefined variable 'IPAConfigError' My fix: +++ b/init/systemd/freeipa-systemd-upgrade @@ -35,7 +35,7 @@ def convert_java_link(foo, topdir, filepaths): # 0. Init config try: config.init_config() -except IPAConfigError, e: +except config.IPAConfigError, e: # No configured IPA install, no need to upgrade anything exit(0) Did the same. Attached new version. I'm not attaching other patches as they are intact. -- / Alexander Bokovoy From a9c0a0bc8d3fcf27bb16a92002d944c2a71f7ce7 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 1 Feb 2012 17:51:24 +0200 Subject: [PATCH 3/3] Handle upgrade issues with systemd in Fedora 16 and above Since 389-ds-base-1.2.10-0.8.a7 Directory Server's systemd settings are configured via /etc/sysconfig/dirsrv.systemd. It means logic change in systemd/fedora16 platform of FreeIPA. Additionally, existing installs need to be handled during upgrade. Fixes: https://fedorahosted.org/freeipa/ticket/2117 https://fedorahosted.org/freeipa/ticket/2300 --- init/systemd/freeipa-systemd-upgrade | 96 ++ ipapython/platform/fedora16.py | 22 ipapython/platform/systemd.py| 16 ++ 3 files changed, 113 insertions(+), 21 deletions(-) create mode 100755 init/systemd/freeipa-systemd-upgrade diff --git a/init/systemd/freeipa-systemd-upgrade b/init/systemd/freeipa-systemd-upgrade new file mode 100755 index ..572d69df64b335e1a06b358fc9a0f2132807d6a6 --- /dev/null +++ b/init/systemd/freeipa-systemd-upgrade 
@@ -0,0 +1,96 @@ +#! /usr/bin/python -E +from ipaserver.install.krbinstance import update_key_val_in_file +from ipapython import ipautil, config +from ipapython import services as ipaservices +import os, platform + +def convert_java_link(foo, topdir, filepaths): +cwd = os.getcwd() +os.chdir(topdir) +for filepath in filepaths: +# All this shouldn't happen because java system upgrade should properly +# move files and symlinks but if this is a broken link +if os.path.islink(filepath): +print Checking %s ... % (filepath), +if not os.path.exists(filepath): +rpath = os.path.realpath(filepath) +# .. and it points to jss in /usr/lib +if rpath.find('/usr/lib/') != -1 and rpath.find('jss') != -1: +base = os.path.basename(rpath) +bitness = platform.architecture()[0][:2] +# rewrite it to /usr/lib64 for x86_64 platform +if bitness == '64': +npath = /usr/lib%s/jss/%s % (bitness, base) +os.unlink(filepath) +os.symlink(npath, filepath) +print %s - %s % (filepath, npath) +else: +print Ok +else: +print Ok +else: +print Ok +os.chdir(cwd) + +# 0. Init config +try: +config.init_config() +except config.IPAConfigError, e: +# No configured IPA install, no need to upgrade anything +exit(0) + +# 1. Convert broken symlinks, if any, in /var/lib/pki-ca +if os.path.exists('/var/lib/pki-ca/common/lib'): +print Analyzing symlinks in PKI-CA install +os.path.walk('/var/lib/pki-ca/common/lib', convert_java_link, None) + +try: +print Found IPA server for domain %s % (config.config.default_realm) +# 1. 
Make sure Dogtag instance (if exists) has proper OIDs for IPA CA +ipa_ca_cfg = /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg +if os.path.exists(ipa_ca_cfg): +print Make sure PKI-CA has Extended Key Usage OIDs for the certificates (Server and Client Authentication), +key = 'policyset.serverCertSet.7.default.params.exKeyUsageOIDs' +value = '1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2' +replacevars = {key:value} +appendvars = {} +old_values = ipautil.config_replace_variables(ipa_ca_cfg, replacevars=replacevars, appendvars=appendvars) +ipaservices.restore_context(ipa_ca_cfg) +if key in old_values and old_values[key] != value: +print +print WARNING: Previously issued certificate didn't have both Server and Client Authentication usage +print Old usage OID(s): %(oids)s % (old_values[key]) +print Please make sure to revoke old certificates and re-issue them again to add both usages when needed +ipaservices.service('pki-cad').restart() +else: +print ... ok +print Converting services setup to systemd +# 2. Upgrade /etc/sysconfig/dirsrv for systemd +print Upgrade /etc/sysconfig/dirsrv +
[Freeipa-devel] [PATCH] 0040-0042 Fedora packages fixes merge
Hi, attached are three patches that differentiate current freeipa-2.1.4 builds in Fedora 16/Rawhide from upstream. These are primarily to adopt to systemd and python-ldap changes. 1. freeipa-abbra-0040-inifiles-support.patch introduces a way to modify sectioned inifiles used by freedesktop.org software like systemd service units. The patch also fixes a subtle bug in traditional config files handling when variables do not exist before replacement. 2. freeipa-abbra-0041-upgrade-systemd.patch introduces an upgrade script to fix common issues found when migrating from SysV to systemd and to adopt to systemd changes done recently for 389-ds (as of 1.2.10-0.8.a7 and above). freeipa.spec.in part is not included as this script is actual only for Fedora 16/Rawhide repos. 3. freeipa-abbra-0042-python-ldap-2.4.6-support.patch one-line fix to support python-ldap 2.4.6 from Rawhide. All patches are in freeipa-2.1.4-5.fc16 (.fc17) available from updates-testing (in case of F16) or directly in Rawhide. Fixes: https://fedorahosted.org/freeipa/ticket/2117 https://fedorahosted.org/freeipa/ticket/2300 -- / Alexander Bokovoy From 16d3d30130215d74295e89ba5a51522eed45e180 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 1 Feb 2012 14:20:53 +0200 Subject: [PATCH 1/3] Add management of inifiles to allow manipulation of systemd units inifile_replace_variables() works similar to config_replace_variables() but allows to apply changes to specific section of an inifile. Inifiles are commonly used by freedesktop.org software and particularly used by systemd. When modifying inifile, all changes will be applied to specific section. Also fixes corner case in config_replace_variables() which would dublicate variables when adding them. --- ipapython/ipautil.py | 100 +- 1 files changed, 99 insertions(+), 1 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 718f209b32649df23177dcab7d5105d01c0cd7bc..e141e00171cb86bec58a6be0b3e7d1f51a24faf1 100644 
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1245,7 +1245,7 @@ $)''', re.VERBOSE)
 new_vars = replacevars.copy()
 new_vars.update(appendvars)
 newvars_view = set(new_vars.keys()) - set(old_values.keys())
-append_view = (set(appendvars.keys()) - set(replacevars.keys())) - set(old_values.keys())
+append_view = (set(appendvars.keys()) - newvars_view)
 for item in newvars_view:
 new_config.write(%s=%s\n % (item,new_vars[item]))
 for item in append_view:
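Review bot: The new `append_view = (set(appendvars.keys()) - newvars_view)` selects exactly the append keys that were already found in the file, because `newvars_view` holds every replace/append key missing from `old_values`. The `for item in append_view:` loop that closes this hunk has its body outside the hunk, but the copy in `add_options` in the next hunk writes `key=value` from `appendvars`. It would therefore emit a second line for a key the main pass has presumably already handled, which is the duplication the commit message sets out to remove. Since `newvars_view` already covers every missing key, I would drop the `append_view` assignment and its `for item in append_view:` loop in both places. For callers that pass `appendvars`, a trailing duplicate can shadow the merged value in parsers where the last assignment wins, so a configuration edit may silently not take effect as intended.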
@@ -1262,6 +1262,104 @@ $)''', re.VERBOSE) return old_values +def inifile_replace_variables(filepath, section, replacevars=dict(), appendvars=dict()): + +Take a section-structured key=value based configuration file, and write new version +with certain values replaced or appended within the section + +All (key,value) pairs from replacevars and appendvars that were not found +in the configuration file, will be added there. + +It is responsibility of a caller to ensure that replacevars and +appendvars do not overlap. + +It is responsibility of a caller to back up file. + +returns dictionary of affected keys and their previous values + +One have to run restore_context(filepath) afterwards or +security context of the file will not be correct after modification + +pattern = re.compile(''' +(^ +\[ +(?Psection.+) \] +(\s+((\#|;).*)?)? +$)|(^ +\s* +(?Poption [^\#;]+?) +(\s*=\s*) +(?Pvalue .+?)? +(\s*((\#|;).*)?)? +$)''', re.VERBOSE) +def add_options(config, replacevars, appendvars, oldvars): +# add all options from replacevars and appendvars that were not found in the file +new_vars = replacevars.copy() +new_vars.update(appendvars) +newvars_view = set(new_vars.keys()) - set(oldvars.keys()) +append_view = (set(appendvars.keys()) - newvars_view) +for item in newvars_view: +config.write(%s=%s\n % (item,new_vars[item])) +for item in append_view: +config.write(%s=%s\n % (item,appendvars[item])) + +orig_stat = os.stat(filepath) +old_values = dict() +temp_filename = None +with tempfile.NamedTemporaryFile(delete=False) as new_config: +temp_filename = new_config.name +with open(filepath, 'r') as f: +in_section = False +finished = False +line_idx = 1 +for line in f: +line_idx = line_idx + 1 +new_line = line +m = pattern.match(line) +if m: +sect, option, value = m.group('section', 'option', 'value') +if in_section and sect is not None: +# End of the