Re: [Freeipa-devel] [PATCHES] 391-392 Make certificate renewal process synchronized

2015-01-13 Thread David Kupka

On 01/13/2015 12:17 PM, Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4803.

Note that if you want to test upgrades on CA-less, you need to apply my
patch 390 as well:
https://www.redhat.com/archives/freeipa-devel/2015-January/msg00103.html.

Honza



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Hi!
Thanks for the patch. It works as expected. I would prefer refactoring 
the certmonger-interacting code but since we're out of time and need this 
fix ASAP I'll cope with it. ACK.

--
David Kupka



Re: [Freeipa-devel] [PATCHES] 391-392 Make certificate renewal process synchronized

2015-01-13 Thread Jan Cholasta

On 13.1.2015 at 18:47, David Kupka wrote:

On 01/13/2015 12:17 PM, Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4803.

Note that if you want to test upgrades on CA-less, you need to apply my
patch 390 as well:
https://www.redhat.com/archives/freeipa-devel/2015-January/msg00103.html.


Honza





Hi!
Thanks for the patch. It works as expected. I would prefer refactoring
the certmonger-interacting code but since we're out of time and need this
fix ASAP I'll cope with it. ACK.


Thanks for the review. I would prefer that too, but I wanted to keep the 
changes minimal. It can be refactored in 4.2.


Pushed to:
master: b9ae7690489368ead9f4983d386fa210dc265dfa
ipa-4-1: 760ebaa6852b12f1d58032b33ef538d9894dc3ef

--
Jan Cholasta



[Freeipa-devel] [PATCHES] 391-392 Make certificate renewal process synchronized

2015-01-13 Thread Jan Cholasta

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4803.

Note that if you want to test upgrades on CA-less, you need to apply my 
patch 390 as well: 
https://www.redhat.com/archives/freeipa-devel/2015-January/msg00103.html.


Honza

--
Jan Cholasta
From 9b6f5f227996fd4b5fbc714c44a766311294a06a Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 6 Jan 2015 13:08:54 +
Subject: [PATCH 1/2] Restart dogtag when its server certificate is renewed

https://fedorahosted.org/freeipa/ticket/4803
---
 install/tools/ipa-upgradeconfig | 6 +++---
 ipaserver/install/cainstance.py | 7 ---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c155e95..f4a6e0d 100755
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -779,7 +779,7 @@ def certificate_renewal_update(ca):
 dogtag_constants = dogtag.configured_constants()
 
 # bump version when requests is changed
-version = 2
+version = 3
 requests = (
 (
 dogtag_constants.ALIAS_DIR,
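Review bot: the bump from `version = 2` to `version = 3` is the only thing that makes certificate_renewal_update revisit the tracking requests on an already-installed server, so it is the right change here, but the commit message should say so explicitly (existing installs keep the old pre/post commands for Server-Cert cert-pki-ca unless the version changes). Minor: the comment reads "bump version when requests is changed"; "when requests are changed" or "when the requests list changes" is clearer.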
@@ -825,8 +825,8 @@ def certificate_renewal_update(ca):
 dogtag_constants.ALIAS_DIR,
 'Server-Cert cert-pki-ca',
 'dogtag-ipa-renew-agent',
-None,
-None,
+'stop_pkicad',
+'renew_ca_cert',
 None,
 ),
 )
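Review bot: the post-save command for 'Server-Cert cert-pki-ca' is given here as the bare string 'renew_ca_cert', while the cainstance.py hunk in this same patch registers 'renew_ca_cert %s' % nickname, i.e. with the nickname appended. Unless certificate_renewal_update adds the nickname itself when it turns these tuples into certmonger requests, an upgraded server and a freshly installed one will end up with different post commands for the same certificate; please confirm, or use the same form ('renew_ca_cert Server-Cert cert-pki-ca') in both places.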
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6b4317f..951a384 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1534,16 +1534,17 @@ class CAInstance(service.Service):
 done by the renewal script, renew_ca_cert once all the subsystem
 certificates are renewed.
 
+nickname = 'Server-Cert cert-pki-ca'
 pin = self.__get_ca_pin()
 try:
 certmonger.dogtag_start_tracking(
 ca='dogtag-ipa-renew-agent',
-nickname='Server-Cert cert-pki-ca',
+nickname=nickname,
 pin=pin,
 pinfile=None,
 secdir=self.dogtag_constants.ALIAS_DIR,
-pre_command=None,
-post_command=None)
+pre_command='stop_pkicad',
+post_command='renew_ca_cert %s' % nickname)
 except RuntimeError, e:
 root_logger.error(
 certmonger failed to start tracking certificate: %s % e)
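Review bot: nickname is 'Server-Cert cert-pki-ca', which contains a space, so post_command='renew_ca_cert %s' % nickname produces `renew_ca_cert Server-Cert cert-pki-ca`; check how certmonger splits the post-save command line and whether renew_ca_cert rejoins its arguments or expects a quoted value, otherwise the script sees two arguments instead of one nickname. The docstring just above still describes renew_ca_cert as being run "once all the subsystem certificates are renewed", which no longer matches now that it is also the post command for the Server-Cert itself; please update it. Also note that a failure to start tracking is only logged at error level and not raised, so a server on which this call fails silently keeps the old (or no) tracking for the CA server certificate; that is pre-existing behaviour, but worth a mention in the commit message given that this patch depends on the new pre/post commands being in place.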
-- 
2.1.0

From 2423f45bacf43c789f6eb3f392b15fbd1d5dd2c9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Thu, 8 Jan 2015 09:06:46 +
Subject: [PATCH 2/2] Make certificate renewal process synchronized

Synchronization is achieved using a global renewal lock.

https://fedorahosted.org/freeipa/ticket/4803
---
 freeipa.spec.in|   1 +
 install/certmonger/Makefile.am |   1 +
 .../certmonger/dogtag-ipa-ca-renew-agent-submit|   4 +-
 install/certmonger/ipa-server-guard|  55 +++
 install/restart_scripts/renew_ca_cert  |  11 ++-
 install/restart_scripts/renew_ra_cert  |  11 ++-
 install/restart_scripts/restart_dirsrv |  10 +-
 install/restart_scripts/restart_httpd  |  10 +-
 install/restart_scripts/stop_pkicad|   4 +
 install/tools/ipa-upgradeconfig|   3 +
 ipaplatform/base/paths.py  |   2 +
 ipaserver/install/cainstance.py|  38 
 ipaserver/install/certs.py | 104 +
 ipaserver/install/httpinstance.py  |  42 +
 14 files changed, 290 insertions(+), 6 deletions(-)
 create mode 100755 install/certmonger/ipa-server-guard

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 40bad04..3175512 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -660,6 +660,7 @@ fi
 %{_sbindir}/ipa-advise
 %{_sbindir}/ipa-cacert-manage
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
+%{_libexecdir}/certmonger/ipa-server-guard
 %{_libexecdir}/ipa-otpd
 %dir %{_libexecdir}/ipa
 %{_libexecdir}/ipa/ipa-dnskeysyncd
diff --git a/install/certmonger/Makefile.am b/install/certmonger/Makefile.am
index ef6a0a6..2dc476f 100644
--- a/install/certmonger/Makefile.am
+++ b/install/certmonger/Makefile.am
@@ -3,6 +3,7 @@ NULL =
 appdir = $(libexecdir)/certmonger/
 app_SCRIPTS =	\
 	dogtag-ipa-ca-renew-agent-submit	\
+	ipa-server-guard			\
 	$(NULL)
 
 EXTRA_DIST =\
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index c63c0c2..0bebb49 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -38,7 +38,7 @@ from ipapython.dn import DN
 from ipalib import api, errors, pkcs10, x509
 from ipaplatform.paths import paths
 from