Re: [Freeipa-devel] [PATCH] 0040-0042 Fedora packages fixes merge

2012-02-09 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Mon, 06 Feb 2012, Rob Crittenden wrote:

Seems to work ok, Fix this and you have ACK x3:

pylint error:

init/systemd/freeipa-systemd-upgrade:38: [E0602] Undefined variable
'IPAConfigError'

My fix:

+++ b/init/systemd/freeipa-systemd-upgrade
@@ -35,7 +35,7 @@ def convert_java_link(foo, topdir, filepaths):
  # 0. Init config
  try:
  config.init_config()
-except IPAConfigError, e:
+except config.IPAConfigError, e:
  # No configured IPA install, no need to upgrade anything
  exit(0)


Did the same. Attached new version. I'm not attaching other patches as
they are intact.



ACK, pushed all three to master, ipa-2-2 and ipa-2-1

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0040-0042 Fedora packages fixes merge

2012-02-06 Thread Rob Crittenden

Alexander Bokovoy wrote:

Hi,

attached are three patches that differentiate current freeipa-2.1.4
builds in Fedora 16/Rawhide from upstream. These are primarily to
adapt to systemd and python-ldap changes.

1. freeipa-abbra-0040-inifiles-support.patch introduces a way to
modify sectioned inifiles used by freedesktop.org software like
systemd service units. The patch also fixes a subtle bug in
traditional config files handling when variables do not exist before
replacement.

2. freeipa-abbra-0041-upgrade-systemd.patch introduces an upgrade
script to fix common issues found when migrating from SysV to systemd
and to adapt to systemd changes done recently for 389-ds (as of
1.2.10-0.8.a7 and above). freeipa.spec.in part is not included as this
script is actual only for Fedora 16/Rawhide repos.

3. freeipa-abbra-0042-python-ldap-2.4.6-support.patch one-line fix to
support python-ldap 2.4.6 from Rawhide.

All patches are in freeipa-2.1.4-5.fc16 (.fc17) available from
updates-testing (in case of F16) or directly in Rawhide.

Fixes:
 https://fedorahosted.org/freeipa/ticket/2117
 https://fedorahosted.org/freeipa/ticket/2300



Seems to work ok, Fix this and you have ACK x3:

pylint error:

init/systemd/freeipa-systemd-upgrade:38: [E0602] Undefined variable 
'IPAConfigError'


My fix:

+++ b/init/systemd/freeipa-systemd-upgrade
@@ -35,7 +35,7 @@ def convert_java_link(foo, topdir, filepaths):
 # 0. Init config
 try:
 config.init_config()
-except IPAConfigError, e:
+except config.IPAConfigError, e:
 # No configured IPA install, no need to upgrade anything
 exit(0)
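
Review bot: In the `except config.IPAConfigError, e:` handler the bound `e` is never used and the script exits 0 with no output, so if IPAConfigError can also be raised for a configuration that is present but fails to load, the upgrade is skipped silently and reported as success. Either drop the `, e` binding or print the exception before exiting. The bare `exit(0)` also relies on the helper installed by the site module; `sys.exit(0)` with `sys` imported is the safer form for a script.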

rob



Re: [Freeipa-devel] [PATCH] 0040-0042 Fedora packages fixes merge

2012-02-06 Thread Alexander Bokovoy

On Mon, 06 Feb 2012, Rob Crittenden wrote:
 Seems to work ok, Fix this and you have ACK x3:
 
 pylint error:
 
 init/systemd/freeipa-systemd-upgrade:38: [E0602] Undefined variable
 'IPAConfigError'
 
 My fix:
 
 +++ b/init/systemd/freeipa-systemd-upgrade
 @@ -35,7 +35,7 @@ def convert_java_link(foo, topdir, filepaths):
  # 0. Init config
  try:
  config.init_config()
 -except IPAConfigError, e:
 +except config.IPAConfigError, e:
  # No configured IPA install, no need to upgrade anything
  exit(0)
 
Did the same. Attached new version. I'm not attaching other patches as 
they are intact.

-- 
/ Alexander Bokovoy
From a9c0a0bc8d3fcf27bb16a92002d944c2a71f7ce7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 1 Feb 2012 17:51:24 +0200
Subject: [PATCH 3/3] Handle upgrade issues with systemd in Fedora 16 and
 above

Since 389-ds-base-1.2.10-0.8.a7 Directory Server's systemd settings are
configured via /etc/sysconfig/dirsrv.systemd. It means logic change in
systemd/fedora16 platform of FreeIPA.

Additionally, existing installs need to be handled during upgrade.

Fixes:
https://fedorahosted.org/freeipa/ticket/2117
https://fedorahosted.org/freeipa/ticket/2300
---
 init/systemd/freeipa-systemd-upgrade |   96 ++
 ipapython/platform/fedora16.py   |   22 
 ipapython/platform/systemd.py|   16 ++
 3 files changed, 113 insertions(+), 21 deletions(-)
 create mode 100755 init/systemd/freeipa-systemd-upgrade

diff --git a/init/systemd/freeipa-systemd-upgrade 
b/init/systemd/freeipa-systemd-upgrade
new file mode 100755
index 
..572d69df64b335e1a06b358fc9a0f2132807d6a6
--- /dev/null
+++ b/init/systemd/freeipa-systemd-upgrade
@@ -0,0 +1,96 @@
+#! /usr/bin/python -E
+from ipaserver.install.krbinstance import update_key_val_in_file
+from ipapython import ipautil, config
+from ipapython import services as ipaservices
+import os, platform
+
+def convert_java_link(foo, topdir, filepaths):
+cwd = os.getcwd()
+os.chdir(topdir)
+for filepath in filepaths:
+# All this shouldn't happen because java system upgrade should properly
+# move files and symlinks but if this is a broken link
+if os.path.islink(filepath):
+print Checking %s ...  % (filepath),
+if not os.path.exists(filepath):
+rpath = os.path.realpath(filepath)
+# .. and it points to jss in /usr/lib
+if rpath.find('/usr/lib/') != -1  and rpath.find('jss') != -1:
+base = os.path.basename(rpath)
+bitness = platform.architecture()[0][:2]
+# rewrite it to /usr/lib64 for x86_64 platform
+if bitness == '64':
+npath = /usr/lib%s/jss/%s % (bitness, base)
+os.unlink(filepath)
+os.symlink(npath, filepath)
+print %s - %s % (filepath, npath)
+else:
+print Ok
+else:
+print Ok
+else:
+print Ok
+os.chdir(cwd)
+
+# 0. Init config
+try:
+config.init_config()
+except config.IPAConfigError, e:
+# No configured IPA install, no need to upgrade anything
+exit(0)
+
+# 1. Convert broken symlinks, if any, in /var/lib/pki-ca
+if os.path.exists('/var/lib/pki-ca/common/lib'):
+print Analyzing symlinks in PKI-CA install
+os.path.walk('/var/lib/pki-ca/common/lib', convert_java_link, None)
+
+try:
+print Found IPA server for domain %s % (config.config.default_realm)
+# 1. Make sure Dogtag instance (if exists) has proper OIDs for IPA CA
+ipa_ca_cfg = /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
+if os.path.exists(ipa_ca_cfg):
+print Make sure PKI-CA has Extended Key Usage OIDs for the 
certificates (Server and Client Authentication),
+key = 'policyset.serverCertSet.7.default.params.exKeyUsageOIDs'
+value = '1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2'
+replacevars = {key:value}
+appendvars = {}
+old_values = ipautil.config_replace_variables(ipa_ca_cfg, 
replacevars=replacevars, appendvars=appendvars)
+ipaservices.restore_context(ipa_ca_cfg)
+if key in old_values and old_values[key] != value:
+print
+print WARNING: Previously issued certificate didn't have both 
Server and Client Authentication usage
+print  Old usage OID(s): %(oids)s % (old_values[key])
+print Please make sure to revoke old certificates and 
re-issue them again to add both usages when needed
+ipaservices.service('pki-cad').restart()
+else:
+print ... ok
+print Converting services setup to systemd
+# 2. Upgrade /etc/sysconfig/dirsrv for systemd
+print Upgrade /etc/sysconfig/dirsrv
+
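
Review bot: The warning branch formats `%(oids)s` with `(old_values[key])`, which is a plain value and not a mapping, so the "Old usage OID(s)" line raises TypeError exactly when the old OIDs differ, and the `ipaservices.service('pki-cad').restart()` that follows is not reached on that path. Use `%s`, or pass `{'oids': old_values[key]}`. Separately, in convert_java_link the test `rpath.find('/usr/lib/') != -1 and rpath.find('jss') != -1` matches those substrings anywhere in the resolved path; since the function unlinks and recreates links under /var/lib/pki-ca, anchor it with `rpath.startswith('/usr/lib/')` and check the jss name against the basename. The unused first parameter `foo` and the unused `update_key_val_in_file` import could be dropped or documented.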