Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade
On 11.12.2014 at 10:01, Martin Basti wrote:
> On 10/12/14 19:21, Jan Cholasta wrote:
>> On 10.12.2014 at 18:01, Jan Cholasta wrote:
>>> On 1.12.2014 at 16:48, Martin Basti wrote:
>>>> On 01/12/14 08:46, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 27.11.2014 at 14:24, Martin Basti wrote:
>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4676
>>>>>>
>>>>>> Replaces current workaround.
>>>>>> Should go to 4.1.3.
>>>>>>
>>>>>> Patch attached.
>>>>>
>>>>> When constructing URLs with host:port, please use ipautil.format_netloc().
>>>>>
>>>>> wget should be added as a dependency of freeipa-python in the spec file.
>>>>>
>>>>> Honza
>>>>
>>>> Updated patch attached.
>>>
>>> Thanks, ACK.
>>>
>>> Pushed to:
>>> master: 337faf506462a01c6dbcd00f2039ed5627691864
>>> ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976
>>
>> It turns out I messed up the review (sorry). This fixes the upgrade, but it also breaks ipa-server-install:
>>
>> 2014-12-10T06:06:44Z DEBUG   [8/27]: starting certificate server instance
>> 2014-12-10T06:06:44Z DEBUG Starting external process
>> 2014-12-10T06:06:44Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd.target'
>> 2014-12-10T06:06:45Z DEBUG Process finished, return code=0
>> 2014-12-10T06:06:45Z DEBUG stdout=
>> 2014-12-10T06:06:45Z DEBUG stderr=
>> 2014-12-10T06:06:45Z DEBUG Starting external process
>> 2014-12-10T06:06:45Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd.target'
>> 2014-12-10T06:06:45Z DEBUG Process finished, return code=0
>> 2014-12-10T06:06:45Z DEBUG stdout=active
>> 2014-12-10T06:06:45Z DEBUG stderr=
>> 2014-12-10T06:06:45Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
>> 2014-12-10T06:06:49Z DEBUG The httpd proxy is not installed, wait on local port
>> 2014-12-10T06:06:49Z DEBUG Waiting until the CA is running
>> 2014-12-10T06:06:49Z DEBUG Starting external process
>> 2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 'https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus'
>> 2014-12-10T06:07:09Z DEBUG Process finished, return code=5
>> 2014-12-10T06:07:09Z DEBUG stdout=
>> 2014-12-10T06:07:09Z DEBUG stderr=--2014-12-10 01:06:49--  https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus
>> Resolving vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)... 10.16.78.88
>> Connecting to vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)|10.16.78.88|:8443... connected.
>> ERROR: cannot verify vm-088.idm.lab.bos.redhat.com's certificate, issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
>>   Self-signed certificate encountered.
>> To connect to vm-088.idm.lab.bos.redhat.com insecurely, use `--no-check-certificate'.
>>
>> 2014-12-10T06:07:09Z DEBUG The CA status is: check interrupted
>>
>> I have reopened the ticket.
>
> Patch with '--no-check-certificate' option attached.
>
> Before the workaround there was no certificate check, so it should not be a problem if we ignore the certificate.
>
> Martin^2

Thanks, ACK.

Pushed to:
master: 95becc1d542c78721088398eddbfd0d0ffe9b27f
ipa-4-1: 8440c2ee97e1c7e29e20629a2579af28a6d654be

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
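The thread ends with `--no-check-certificate` because the installer's wget cannot validate the freshly issued CA certificate against the system trust store. As an added example (not FreeIPA's code and not part of the thread), the poll below keeps the patch's `<XMLResponse><Status>` parsing but verifies TLS against the IPA CA certificate file itself, brackets IPv6 literals in the netloc (the intent behind `ipautil.format_netloc()`), and keeps the failure cause instead of collapsing it to 'check interrupted'. The CA certificate path, the sample XML body and the injectable `fetch`/`clock`/`sleep` hooks are assumptions made so it runs offline.

```python
import ssl
import time
import xml.dom.minidom
from urllib.request import urlopen
from xml.parsers.expat import ExpatError

# Constructed sample of a getStatus body: only <XMLResponse><Status> is taken
# from the patch in this thread; the rest of Dogtag's reply is not modelled.
SAMPLE_RUNNING = '<?xml version="1.0"?><XMLResponse><Status>running</Status></XMLResponse>'


def parse_ca_status(body):
    """Return the text of <XMLResponse><Status>; ValueError if absent or not XML."""
    try:
        doc = xml.dom.minidom.parseString(body)
    except ExpatError as exc:
        raise ValueError("CA response is not XML: %s" % exc)
    try:
        response = doc.getElementsByTagName("XMLResponse")[0]
        status = response.getElementsByTagName("Status")[0]
        return status.childNodes[0].data.strip()
    except IndexError:
        raise ValueError("no <XMLResponse><Status> element in CA response")


def ca_status_url(host, port, path="/ca/admin/ca/getStatus"):
    """Build the status URL, bracketing IPv6 literals in the netloc."""
    netloc = "[%s]:%d" % (host, port) if ":" in host else "%s:%d" % (host, port)
    return "https://%s%s" % (netloc, path)


def fetch_ca_status(url, ca_cert_path, timeout=30):
    """Fetch and parse the status with TLS verification rooted at the IPA CA
    certificate file (placeholder path such as /path/to/ipa-ca.crt), so the
    check works before that CA is in the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_cert_path)
    with urlopen(url, timeout=timeout, context=ctx) as resp:
        return parse_ca_status(resp.read())


def wait_until_running(url, ca_cert_path, timeout=300, poll=1,
                       fetch=fetch_ca_status, clock=time.time, sleep=time.sleep):
    """Poll until the CA reports 'running'; return (ok, last_status).
    fetch/clock/sleep are injectable so the loop can be exercised offline."""
    deadline = clock() + timeout
    last = None
    while clock() < deadline:
        try:
            last = fetch(url, ca_cert_path)
        except (ValueError, OSError) as exc:
            # URLError and SSLError are OSError subclasses; keep the cause
            # (e.g. CERTIFICATE_VERIFY_FAILED) instead of a bare 'check interrupted'.
            last = "check interrupted: %s" % exc
        if last == "running":
            return True, last
        sleep(poll)
    return False, last
```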
Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade
On 10/12/14 19:21, Jan Cholasta wrote:
> On 10.12.2014 at 18:01, Jan Cholasta wrote:
>> On 1.12.2014 at 16:48, Martin Basti wrote:
>>> On 01/12/14 08:46, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 27.11.2014 at 14:24, Martin Basti wrote:
>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4676
>>>>>
>>>>> Replaces current workaround.
>>>>> Should go to 4.1.3.
>>>>>
>>>>> Patch attached.
>>>>
>>>> When constructing URLs with host:port, please use ipautil.format_netloc().
>>>>
>>>> wget should be added as a dependency of freeipa-python in the spec file.
>>>>
>>>> Honza
>>>
>>> Updated patch attached.
>>
>> Thanks, ACK.
>>
>> Pushed to:
>> master: 337faf506462a01c6dbcd00f2039ed5627691864
>> ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976
>
> It turns out I messed up the review (sorry). This fixes the upgrade, but it also breaks ipa-server-install:
>
> 2014-12-10T06:06:44Z DEBUG   [8/27]: starting certificate server instance
> 2014-12-10T06:06:44Z DEBUG Starting external process
> 2014-12-10T06:06:44Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd.target'
> 2014-12-10T06:06:45Z DEBUG Process finished, return code=0
> 2014-12-10T06:06:45Z DEBUG stdout=
> 2014-12-10T06:06:45Z DEBUG stderr=
> 2014-12-10T06:06:45Z DEBUG Starting external process
> 2014-12-10T06:06:45Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd.target'
> 2014-12-10T06:06:45Z DEBUG Process finished, return code=0
> 2014-12-10T06:06:45Z DEBUG stdout=active
> 2014-12-10T06:06:45Z DEBUG stderr=
> 2014-12-10T06:06:45Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
> 2014-12-10T06:06:49Z DEBUG The httpd proxy is not installed, wait on local port
> 2014-12-10T06:06:49Z DEBUG Waiting until the CA is running
> 2014-12-10T06:06:49Z DEBUG Starting external process
> 2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 'https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus'
> 2014-12-10T06:07:09Z DEBUG Process finished, return code=5
> 2014-12-10T06:07:09Z DEBUG stdout=
> 2014-12-10T06:07:09Z DEBUG stderr=--2014-12-10 01:06:49--  https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus
> Resolving vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)... 10.16.78.88
> Connecting to vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)|10.16.78.88|:8443... connected.
> ERROR: cannot verify vm-088.idm.lab.bos.redhat.com's certificate, issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
>   Self-signed certificate encountered.
> To connect to vm-088.idm.lab.bos.redhat.com insecurely, use `--no-check-certificate'.
>
> 2014-12-10T06:07:09Z DEBUG The CA status is: check interrupted
>
> I have reopened the ticket.

Patch with '--no-check-certificate' option attached.

Before the workaround there was no certificate check, so it should not be a problem if we ignore the certificate.

Martin^2

--
Martin Basti

From 94ebe22c56bb311072e207e6380a5638bf422c82 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 11 Dec 2014 09:38:46 +0100 Subject: [PATCH] Fix don't check certificate during getting CA status Due workaroud we accidentaly started to check certificate, which causes problems during installation. Ticket: https://fedorahosted.org/freeipa/ticket/4676 --- ipaplatform/redhat/services.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 20d0adec421ecd3285464e2a51b9d5c61a0e3d92..8759cab76c7d72a3abbf935e7f15f7a32a0b6987 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -204,6 +204,7 @@ class RedHatCAService(RedHatService): paths.BIN_WGET, '-S', '-O', '-', '--timeout=30', +'--no-check-certificate', url ] -- 1.8.3.1
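Review bot: the `+'--no-check-certificate',` line disables TLS server verification for every getStatus poll, including the `use_proxy` path on port 443, and the hunk leaves no comment saying why; put the justification from the thread (the `ca_status()` path this replaces did no certificate check either, and the installer's wget cannot validate the freshly issued CA certificate yet) next to the flag together with the ticket number, so it is not mistaken for a deliberate long-term setting. A narrower fix for the same symptom is `--ca-certificate=` pointing at the IPA CA certificate file where that file is already available at this point of the install, which keeps verification on without depending on the system trust store that rejected the self-signed issuer in the log. The commit message also has typos ('workaroud', 'accidentaly') worth fixing before push.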
Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade
On 10.12.2014 at 18:01, Jan Cholasta wrote:
> On 1.12.2014 at 16:48, Martin Basti wrote:
>> On 01/12/14 08:46, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 27.11.2014 at 14:24, Martin Basti wrote:
>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4676
>>>>
>>>> Replaces current workaround.
>>>> Should go to 4.1.3.
>>>>
>>>> Patch attached.
>>>
>>> When constructing URLs with host:port, please use ipautil.format_netloc().
>>>
>>> wget should be added as a dependency of freeipa-python in the spec file.
>>>
>>> Honza
>>
>> Updated patch attached.
>
> Thanks, ACK.
>
> Pushed to:
> master: 337faf506462a01c6dbcd00f2039ed5627691864
> ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976

It turns out I messed up the review (sorry). This fixes the upgrade, but it also breaks ipa-server-install:

2014-12-10T06:06:44Z DEBUG   [8/27]: starting certificate server instance
2014-12-10T06:06:44Z DEBUG Starting external process
2014-12-10T06:06:44Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=
2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG Starting external process
2014-12-10T06:06:45Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=active
2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2014-12-10T06:06:49Z DEBUG The httpd proxy is not installed, wait on local port
2014-12-10T06:06:49Z DEBUG Waiting until the CA is running
2014-12-10T06:06:49Z DEBUG Starting external process
2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 'https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus'
2014-12-10T06:07:09Z DEBUG Process finished, return code=5
2014-12-10T06:07:09Z DEBUG stdout=
2014-12-10T06:07:09Z DEBUG stderr=--2014-12-10 01:06:49--  https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus
Resolving vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)... 10.16.78.88
Connecting to vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)|10.16.78.88|:8443... connected.
ERROR: cannot verify vm-088.idm.lab.bos.redhat.com's certificate, issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
  Self-signed certificate encountered.
To connect to vm-088.idm.lab.bos.redhat.com insecurely, use `--no-check-certificate'.

2014-12-10T06:07:09Z DEBUG The CA status is: check interrupted

I have reopened the ticket.

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade
On 1.12.2014 at 16:48, Martin Basti wrote:
> On 01/12/14 08:46, Jan Cholasta wrote:
>> Hi,
>>
>> On 27.11.2014 at 14:24, Martin Basti wrote:
>>> Ticket: https://fedorahosted.org/freeipa/ticket/4676
>>>
>>> Replaces current workaround.
>>> Should go to 4.1.3.
>>>
>>> Patch attached.
>>
>> When constructing URLs with host:port, please use ipautil.format_netloc().
>>
>> wget should be added as a dependency of freeipa-python in the spec file.
>>
>> Honza
>
> Updated patch attached.

Thanks, ACK.

Pushed to:
master: 337faf506462a01c6dbcd00f2039ed5627691864
ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade
On 01/12/14 08:46, Jan Cholasta wrote:
> Hi,
>
> On 27.11.2014 at 14:24, Martin Basti wrote:
>> Ticket: https://fedorahosted.org/freeipa/ticket/4676
>>
>> Replaces current workaround.
>> Should go to 4.1.3.
>>
>> Patch attached.
>
> When constructing URLs with host:port, please use ipautil.format_netloc().
>
> wget should be added as a dependency of freeipa-python in the spec file.
>
> Honza

Updated patch attached.

--
Martin Basti

From daf56e4e4a0126f0dd528876a209f0687ca3ad06 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 18 Nov 2014 19:49:15 +0100 Subject: [PATCH] Using wget to get status of CA This is just workaround Ticket: https://fedorahosted.org/freeipa/ticket/4676 --- freeipa.spec.in | 1 + install/tools/ipa-upgradeconfig | 4 ipaplatform/redhat/services.py | 27 ++- ipapython/dogtag.py | 18 +++--- 4 files changed, 38 insertions(+), 12 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 95ec6210a157fd158d81d97efbd46f3d35facbc6..39166057ecd0d5a4bacef4e79bed49135f72fff4 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -292,6 +292,7 @@ Requires: python-qrcode-core >= 5.0.0 Requires: python-pyasn1 Requires: python-dateutil Requires: python-yubico +Requires: wget Conflicts: %{alt_name}-python Obsoletes: %{alt_name}-python < %{version} diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 32fea4d0a42ac7607fffaa17339b23267f2760f6..628fe20d7c7dbdc5aaae5cd60eb357694a3b51a5 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1486,10 +1486,6 @@ def main(): ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) except ipautil.CalledProcessError, e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) -# FIXME https://fedorahosted.org/freeipa/ticket/4676 -# workaround -except RuntimeError as e: -root_logger.warning(str(e)) set_sssd_domain_option('ipa_server_mode', 'True') 
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 58ffebc48477193c7203161d2578b3040862b4e6..20d0adec421ecd3285464e2a51b9d5c61a0e3d92 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -24,6 +24,7 @@ Contains Red Hat OS family-specific service class implementations. import os import time +import xml.dom.minidom from ipaplatform.tasks import tasks from ipaplatform.base import services as base_services @@ -185,7 +186,31 @@ class RedHatCAService(RedHatService): op_timeout = time.time() + timeout while time.time() < op_timeout: try: -status = dogtag.ca_status(use_proxy=use_proxy) +# FIXME https://fedorahosted.org/freeipa/ticket/4716 +# workaround +# +# status = dogtag.ca_status(use_proxy=use_proxy) +# +port = 8443 +if use_proxy: +port = 443 + +url = "https://%(host_port)s%(path)s" % { +"host_port": ipautil.format_netloc(api.env.ca_host, port), +"path": "/ca/admin/ca/getStatus" +} + +args = [ +paths.BIN_WGET, +'-S', '-O', '-', +'--timeout=30', +url +] + +stdout, stderr, returncode = ipautil.run(args) + +status = dogtag._parse_ca_status(stdout) +# end of workaround except Exception: status = 'check interrupted' root_logger.debug('The CA status is: %s' % status) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 0e0aacca798377517244075ed6b07dff63e87358..675d2a77fe30b9109c17089f129b189282ffa57b 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -191,6 +191,16 @@ def get_ca_certchain(ca_host=None, dogtag_constants=None): return chain +def _parse_ca_status(body): +doc = xml.dom.minidom.parseString(body) +try: +item_node = doc.getElementsByTagName("XMLResponse")[0] +item_node = item_node.getElementsByTagName("Status")[0] +return item_node.childNodes[0].data +except IndexError: +raise error_from_xml(doc, _("Retrieving CA status failed: %s")) + + def ca_status(ca_host=None, use_proxy=True): """Return the status of the CA, and the httpd proxy in front of it 
@@ -214,13 +224,7 @@ def ca_status(ca_host=None, use_proxy=True): elif status != 200: raise errors.RemoteRetrieveError( reason=_("Retrieving CA status failed: %s") % reason) -doc = xml.dom.minidom.parseString(body) -try: -item_node = doc.getElementsByTagName("XMLResponse")[0] -item_node = item_node.getElementsByTagName("Status")[0] -return item_node.childNodes[0].data -except IndexError: -
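Review bot: removing the `-except RuntimeError as e:` / `-root_logger.warning(str(e))` branch in the ipa-upgradeconfig hunk means a RuntimeError raised by `ca.restart(...)` now propagates out of `main()` instead of being logged as a warning; that branch existed as the ticket 4676 workaround for exactly this restart, so if the wget-based wait can still time out, confirm that aborting the upgrade at this step is the intended behaviour, or keep the branch with a clearer message until the ticket is fully resolved.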
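Review bot: the services.py hunk adds `+import xml.dom.minidom` but nothing in this file uses it, since parsing is delegated to `dogtag._parse_ca_status(stdout)`; drop the import. That call also reaches across modules into an underscore-private function; as it is now `dogtag`'s contract with `ipaplatform`, give it a public name (`parse_ca_status`). `stderr` and `returncode` from `ipautil.run(args)` are captured but never examined, so when wget fails the real reason (the certificate error in the thread, for instance) is lost behind the catch-all `except Exception:` below; log `stderr` at debug level before the status is set to 'check interrupted'. The FIXME in this hunk also still cites ticket 4716 while the commit message cites 4676.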
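Review bot: in the dogtag.py hunk, `_parse_ca_status` handles a missing `XMLResponse` or `Status` element and an empty `<Status/>` (all reach `except IndexError:` and `error_from_xml`), but a body that is not XML at all (an HTML error page from the proxy, or empty stdout when wget exits non-zero) makes `xml.dom.minidom.parseString(body)` raise `xml.parsers.expat.ExpatError`, which nothing here catches and which only becomes 'check interrupted' because of the catch-all in services.py. Catch `ExpatError` and raise `errors.RemoteRetrieveError` with the first bytes of the body in the reason, so the upgrade log says what actually came back.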
Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade
Hi,

On 27.11.2014 at 14:24, Martin Basti wrote:
> Ticket: https://fedorahosted.org/freeipa/ticket/4676
>
> Replaces current workaround.
> Should go to 4.1.3.
>
> Patch attached.

When constructing URLs with host:port, please use ipautil.format_netloc().

wget should be added as a dependency of freeipa-python in the spec file.

Honza

--
Jan Cholasta
[Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4676

Replaces current workaround.
Should go to 4.1.3.

Patch attached.

--
Martin Basti

From aceecd06d3174101dd1f7d63f2b22eb1d1447fa1 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 18 Nov 2014 19:49:15 +0100 Subject: [PATCH] Using wget to get status of CA This is just workaround Ticket: https://fedorahosted.org/freeipa/ticket/4676 --- install/tools/ipa-upgradeconfig | 4 ipaplatform/redhat/services.py | 28 +++- ipapython/dogtag.py | 18 +++--- 3 files changed, 38 insertions(+), 12 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 02bfe3a79f83e65f428fe2220d940eb39fdbd928..b81a474b2bb14f1582dabd649400c13f7ce6d369 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1473,10 +1473,6 @@ def main(): ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) except ipautil.CalledProcessError, e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) -# FIXME https://fedorahosted.org/freeipa/ticket/4676 -# workaround -except RuntimeError as e: -root_logger.warning(str(e)) set_sssd_domain_option('ipa_server_mode', 'True') diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 58ffebc48477193c7203161d2578b3040862b4e6..a2ff10824edde8832c48613dcc456092441b3097 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -24,6 +24,7 @@ Contains Red Hat OS family-specific service class implementations. import os import time +import xml.dom.minidom from ipaplatform.tasks import tasks from ipaplatform.base import services as base_services 
@@ -185,7 +186,32 @@ class RedHatCAService(RedHatService): op_timeout = time.time() + timeout while time.time() < op_timeout: try: -status = dogtag.ca_status(use_proxy=use_proxy) +# FIXME https://fedorahosted.org/freeipa/ticket/4716 +# workaround +# +# status = dogtag.ca_status(use_proxy=use_proxy) +# +port = 8443 +if use_proxy: +port = 443 + +url = "https://%(host)s:%(port)s%(path)s" % { +"host": api.env.ca_host, +"port": port, +"path": "/ca/admin/ca/getStatus", +} + +args = [ +paths.BIN_WGET, +'-S', '-O', '-', +'--timeout=30', +url +] + +stdout, stderr, returncode = ipautil.run(args) + +status = dogtag._parse_ca_status(stdout) +# end of workaround except Exception: status = 'check interrupted' root_logger.debug('The CA status is: %s' % status) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 14824b99431e85dd73613befd72e500d370cfe2c..d03e596146e1ef4f65f616792d90ac2d869c9db4 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -191,6 +191,16 @@ def get_ca_certchain(ca_host=None, dogtag_constants=None): return chain +def _parse_ca_status(body): +doc = xml.dom.minidom.parseString(body) +try: +item_node = doc.getElementsByTagName("XMLResponse")[0] +item_node = item_node.getElementsByTagName("Status")[0] +return item_node.childNodes[0].data +except IndexError: +raise error_from_xml(doc, _("Retrieving CA status failed: %s")) + + def ca_status(ca_host=None, use_proxy=True): """Return the status of the CA, and the httpd proxy in front of it 
@@ -214,13 +224,7 @@ def ca_status(ca_host=None, use_proxy=True): elif status != 200: raise errors.RemoteRetrieveError( reason=_("Retrieving CA status failed: %s") % reason) -doc = xml.dom.minidom.parseString(body) -try: -item_node = doc.getElementsByTagName("XMLResponse")[0] -item_node = item_node.getElementsByTagName("Status")[0] -return item_node.childNodes[0].data -except IndexError: -raise error_from_xml(doc, _("Retrieving CA status failed: %s")) +return _parse_ca_status(body) def https_request(host, port, url, secdir, password, nickname, **kw): -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
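Review bot: the `+# FIXME https://fedorahosted.org/freeipa/ticket/4716` line in the services.py hunk cites a different ticket from the one in the commit message and in the ipa-upgradeconfig hunk (4676); fix the number so the workaround can be found and removed when that ticket closes. In the same hunk the URL is assembled as `"https://%(host)s:%(port)s%(path)s"`, which produces an invalid URL when `api.env.ca_host` is an IPv6 literal (the netloc needs brackets); `ipautil.format_netloc()` handles that, and the `-S` header dump that wget writes to stderr is never logged, so a failed poll leaves nothing in the upgrade log beyond 'check interrupted'.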