On Mon, 06 Feb 2012, Rob Crittenden wrote:
Seems to work OK. Fix this and you have ACK x3:
pylint error:
init/systemd/freeipa-systemd-upgrade:38: [E0602] Undefined variable
'IPAConfigError'
My fix:
+++ b/init/systemd/freeipa-systemd-upgrade
@@ -35,7 +35,7 @@ def convert_java_link(foo, topdir, filepaths):
# 0. Init config
try:
config.init_config()
-except IPAConfigError, e:
+except config.IPAConfigError, e:
# No configured IPA install, no need to upgrade anything
exit(0)
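Review bot: The handler ends with `exit(0)`, which is the helper injected by the `site` module rather than a dedicated exit API, and the bound name `e` is never used. For a non-interactive upgrade script I would write `except config.IPAConfigError:` and `sys.exit(0)`, adding `import sys` next to the existing `import os, platform` at the top of the file. It is also worth confirming that an unconfigured install is the only condition that raises `IPAConfigError` here, because any such error makes the whole upgrade exit silently with status 0; that depends on `config.init_config()`, which is not shown. The indentation of this quoted hunk was lost in the mail, so the block boundaries are inferred.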
Did the same. Attached new version. I'm not attaching the other patches as
they are unchanged.
--
/ Alexander Bokovoy
From a9c0a0bc8d3fcf27bb16a92002d944c2a71f7ce7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 1 Feb 2012 17:51:24 +0200
Subject: [PATCH 3/3] Handle upgrade issues with systemd in Fedora 16 and
above
Since 389-ds-base-1.2.10-0.8.a7, Directory Server's systemd settings are
configured via /etc/sysconfig/dirsrv.systemd. This means a logic change in the
systemd/fedora16 platform of FreeIPA.
Additionally, existing installs need to be handled during upgrade.
Fixes:
https://fedorahosted.org/freeipa/ticket/2117
https://fedorahosted.org/freeipa/ticket/2300
---
init/systemd/freeipa-systemd-upgrade | 96 ++
ipapython/platform/fedora16.py | 22
ipapython/platform/systemd.py| 16 ++
3 files changed, 113 insertions(+), 21 deletions(-)
create mode 100755 init/systemd/freeipa-systemd-upgrade
diff --git a/init/systemd/freeipa-systemd-upgrade
b/init/systemd/freeipa-systemd-upgrade
new file mode 100755
index
..572d69df64b335e1a06b358fc9a0f2132807d6a6
--- /dev/null
+++ b/init/systemd/freeipa-systemd-upgrade
@@ -0,0 +1,96 @@
+#! /usr/bin/python -E
+from ipaserver.install.krbinstance import update_key_val_in_file
+from ipapython import ipautil, config
+from ipapython import services as ipaservices
+import os, platform
+
+def convert_java_link(foo, topdir, filepaths):
+cwd = os.getcwd()
+os.chdir(topdir)
+for filepath in filepaths:
+# All this shouldn't happen because java system upgrade should properly
+# move files and symlinks but if this is a broken link
+if os.path.islink(filepath):
+print Checking %s ... % (filepath),
+if not os.path.exists(filepath):
+rpath = os.path.realpath(filepath)
+# .. and it points to jss in /usr/lib
+if rpath.find('/usr/lib/') != -1 and rpath.find('jss') != -1:
+base = os.path.basename(rpath)
+bitness = platform.architecture()[0][:2]
+# rewrite it to /usr/lib64 for x86_64 platform
+if bitness == '64':
+npath = /usr/lib%s/jss/%s % (bitness, base)
+os.unlink(filepath)
+os.symlink(npath, filepath)
+print %s - %s % (filepath, npath)
+else:
+print Ok
+else:
+print Ok
+else:
+print Ok
+os.chdir(cwd)
+
+# 0. Init config
+try:
+config.init_config()
+except config.IPAConfigError, e:
+# No configured IPA install, no need to upgrade anything
+exit(0)
+
+# 1. Convert broken symlinks, if any, in /var/lib/pki-ca
+if os.path.exists('/var/lib/pki-ca/common/lib'):
+print Analyzing symlinks in PKI-CA install
+os.path.walk('/var/lib/pki-ca/common/lib', convert_java_link, None)
+
+try:
+print Found IPA server for domain %s % (config.config.default_realm)
+# 1. Make sure Dogtag instance (if exists) has proper OIDs for IPA CA
+ipa_ca_cfg = /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
+if os.path.exists(ipa_ca_cfg):
+print Make sure PKI-CA has Extended Key Usage OIDs for the
certificates (Server and Client Authentication),
+key = 'policyset.serverCertSet.7.default.params.exKeyUsageOIDs'
+value = '1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2'
+replacevars = {key:value}
+appendvars = {}
+old_values = ipautil.config_replace_variables(ipa_ca_cfg,
replacevars=replacevars, appendvars=appendvars)
+ipaservices.restore_context(ipa_ca_cfg)
+if key in old_values and old_values[key] != value:
+print
+print WARNING: Previously issued certificate didn't have both
Server and Client Authentication usage
+print Old usage OID(s): %(oids)s % (old_values[key])
+print Please make sure to revoke old certificates and
re-issue them again to add both usages when needed
+ipaservices.service('pki-cad').restart()
+else:
+print ... ok
+print Converting services setup to systemd
+# 2. Upgrade /etc/sysconfig/dirsrv for systemd
+print Upgrade /etc/sysconfig/dirsrv
+