Re: [Freeipa-devel] [PATCH 0416-0417] fix broken configuration of sidgen and extdom plugins

[Tomas Babej]

On 02/22/2016 07:15 PM, Martin Basti wrote:
> 
> 
> On 22.02.2016 17:05, Martin Basti wrote:
>>
>>
>> On 19.02.2016 15:02, Alexander Bokovoy wrote:
>>> On Fri, 19 Feb 2016, Petr Vobornik wrote:
 On 02/19/2016 11:12 AM, Alexander Bokovoy wrote:
> On Fri, 19 Feb 2016, Martin Basti wrote:
>> WIP patch attached
>>
>> https://fedorahosted.org/freeipa/ticket/5665
>>
> Comments inline.
>
>> +# we need to run sidgen task
>> +sidgen_task_dn = DN("cn=sidgen,cn=ipa-sidgen-task,cn=tasks,"
>> +"cn=config")
>> +sidgen_tasks_attr = {
>> +"objectclass": ["top", "extensibleObject"],
>> +"cn": ["sidgen"],
>> +"delay": [0],
>> +"nsslapd-basedn": [self.api.env.basedn],
>> +}
> May be you are better to name this task more uniquely?
> Something like 'cn=generate domain sid,cn=...'?
>
>> +
>> +task_entry = ldap.make_entry(sidgen_task_dn,
>> + **sidgen_tasks_attr)
>> +try:
>> +ldap.add_entry(task_entry)
>> +except errors.DuplicateEntry:
>> +self.log.debug("sidgen task already created")
>> +else:
>> +self.log.debug("sidgen task has been created")
> There could be multiple tasks running in parallel, that's why it could
> be good to use a different and unique name.
>
>> +# we have to check all trusts domains which have been added
>> after the
>> +# upgrade that caused bug was done.
>> +
>> +base_dn = DN(self.api.env.container_adtrusts,
>> self.api.env.basedn)
>> +trust_domain_entries, truncated = ldap.find_entries(
>> +base_dn=base_dn,
>> +scope=ldap.SCOPE_ONELEVEL,
>> +attrs_list=[attr_name, "cn"],
>> +)
>> +
>> +if truncated:
>> +self.log.warning("update_sids: Search results were
>> truncated")
>> +
>> +for entry in trust_domain_entries:
>> +if entry.single_value[attr_name] is None:
>> +domain = entry.single_value["cn"]
>> +self.log.error(
>> +"Your trust to %s is broken. Please re-create it
>> by "
>> +"running 'ipa trust-add' again", domain)
>> +
>> +sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
>> +return False, ()
> This part looks fine. Basically, a similar check needs to be added to
> trust_find, trust_show, and may be trust_add.
>

 Why trust-add?

 I'm not a big fan of cluttering existing commands(find, show, mod)
 with logic to fix one upgrade bug. But I understand a need to
 communicate it somehow.

 Would it make sense to move such logic to a separate command, e.g.
 trust-check/trust-verify?  The command can do additional check in a
 future.
>>> No. What is the value of trust-add if it says you 'Trust established and
>>> verified' while in reality it didn't? This specific issue is very easy
>>> to catch.
>>>
>> Patch attached, patch with warning will land soon.
>>
>>
> Updated patches attached

During the RPM upgrade, the ipa-server-upgrade times out and leaves
directory server stopped.

Issues seem to be fixed after manual DS start, but we should get
the upgrade during RPM cleanup sorted out to have a seamless experience.

Tomas

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0416-0417] fix broken configuration of sidgen and extdom plugins

[Martin Basti]

On 22.02.2016 17:05, Martin Basti wrote:



On 19.02.2016 15:02, Alexander Bokovoy wrote:

On Fri, 19 Feb 2016, Petr Vobornik wrote:

On 02/19/2016 11:12 AM, Alexander Bokovoy wrote:

On Fri, 19 Feb 2016, Martin Basti wrote:

WIP patch attached

https://fedorahosted.org/freeipa/ticket/5665


Comments inline.


+# we need to run sidgen task
+sidgen_task_dn = DN("cn=sidgen,cn=ipa-sidgen-task,cn=tasks,"
+"cn=config")
+sidgen_tasks_attr = {
+"objectclass": ["top", "extensibleObject"],
+"cn": ["sidgen"],
+"delay": [0],
+"nsslapd-basedn": [self.api.env.basedn],
+}

May be you are better to name this task more uniquely?
Something like 'cn=generate domain sid,cn=...'?


+
+task_entry = ldap.make_entry(sidgen_task_dn,
+ **sidgen_tasks_attr)
+try:
+ldap.add_entry(task_entry)
+except errors.DuplicateEntry:
+self.log.debug("sidgen task already created")
+else:
+self.log.debug("sidgen task has been created")

There could be multiple tasks running in parallel, that's why it could
be good to use a different and unique name.


+# we have to check all trusts domains which have been added
after the
+# upgrade that caused bug was done.
+
+base_dn = DN(self.api.env.container_adtrusts,
self.api.env.basedn)
+trust_domain_entries, truncated = ldap.find_entries(
+base_dn=base_dn,
+scope=ldap.SCOPE_ONELEVEL,
+attrs_list=[attr_name, "cn"],
+)
+
+if truncated:
+self.log.warning("update_sids: Search results were
truncated")
+
+for entry in trust_domain_entries:
+if entry.single_value[attr_name] is None:
+domain = entry.single_value["cn"]
+self.log.error(
+"Your trust to %s is broken. Please re-create it
by "
+"running 'ipa trust-add' again", domain)
+
+sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
+return False, ()

This part looks fine. Basically, a similar check needs to be added to
trust_find, trust_show, and may be trust_add.



Why trust-add?

I'm not a big fan of cluttering existing commands(find, show, mod) 
with logic to fix one upgrade bug. But I understand a need to 
communicate it somehow.


Would it make sense to move such logic to a separate command, e.g. 
trust-check/trust-verify?  The command can do additional check in a 
future.

No. What is the value of trust-add if it says you 'Trust established and
verified' while in reality it didn't? This specific issue is very easy
to catch.


Patch attached, patch with warning will land soon.



Updated patches attached
From 65fb67c32abb136fdd5568fd48c68b5e32a78446 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 18 Feb 2016 19:59:50 +0100
Subject: [PATCH] upgrade: fix config of sidgen and extdom plugins

During upgrade to IPA 4.2, literally "$SUFFIX" value was added to
configuration of sidgen and extdom plugins. This cause that SID are not properly configured.

Upgrade must fix "$SUFFIX" to reals suffix DN, and run sidgen task
against IPA domain (if exists).

All trusts added when plugins configuration was broken must be re-added.

https://fedorahosted.org/freeipa/ticket/5665
---
 install/updates/90-post_upgrade_plugins.update |   2 +
 ipaserver/install/dsinstance.py|  12 +-
 ipaserver/install/plugins/adtrust.py   | 151 +
 ipaserver/install/server/upgrade.py|   4 +-
 4 files changed, 161 insertions(+), 8 deletions(-)

diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 5642021ad93cf336db2d872bf3ef6db99b5ffa46..9c9ee160fffedbc8e8d59705169e6cf08ddc9779 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -5,6 +5,8 @@
 plugin: update_ca_topology
 plugin: update_dnszones
 plugin: update_dns_limits
+plugin: update_sigden_extdom_broken_config
+plugin: update_sids
 plugin: update_default_range
 plugin: update_default_trust_view
 plugin: update_ca_renewal_master
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2905c31c64c4fa8bd034d2cdf6ce5d90ecfea091..f474e189a47f945b7c91cba4ccc17266b9c7e430 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -1054,9 +1054,9 @@ class DsInstance(service.Service):
 """
 Add sidgen directory server plugin configuration if it does not already exist.
 """
-self._ldap_mod('ipa-sidgen-conf.ldif', self.sub_dict)
+self.add_sidgen_plugin(self.sub_dict['SUFFIX'])
 
-def add_sidgen_plugin(self):
+def add_sidgen_plugin(self, suffix):
 """
 Add sidgen plugin configuration only if it does not already