On 08/05/2013 05:43 PM, Martin Kosek wrote:
On 08/02/2013 03:32 PM, Tomas Babej wrote:
Hi,
This patch makes sure that all edits to CS.cfg configuration file
are performed while pki-tomcatd service is stopped.
Introduces a new context manager, stopped_service, for handling
the general problem of performing a task that needs a certain service
to be stopped.
https://fedorahosted.org/freeipa/ticket/3804
Tomas
1) I think it would make sense to ideally run the steps updating CS.cfg close
together, stop PKI before this group and start it after it finishes. Otherwise,
installer runs many service stops and starts which may be error prone,
especially given the fragile (and sometimes slow) java server handling.
2) I am thinking that stopped_service context manager could be as well defined
in ipaserver/install/service.py, as a context manager of the class. That way,
every installer class could use that like:
class CAInstance():
    ...
    def __some_step(self):
        with self.stopped_service(start_when_finished=True):
            pass  # do something
I considered this approach, but this might introduce unnecessary errors if
we ever reorder the install steps in cainstance.py. I rather added two
explicit steps to stop and start the CA instance.
That way, context manager could just use self.name to avoid numerous hardcoded
service names like:
...
with stopped_service('pki_tomcatd',
                     instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
    ...
Yes, but there are functions outside CAInstance class that leverage this
context.
3) After I installed pki-ca, I saw no published CRL files:
# ls -la /var/lib/ipa/pki-ca/publish/
I am not sure what is the root cause, maybe some of the numerous start/restarts
broke the publisher process.
I'm not seeing this with the updated version of the patch anymore.
Martin
Updated patch attached.
--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
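The stopped_service idea discussed above, written out as an added example that is not the patch's code nor FreeIPA's own implementation. The FakeService class, its method names (stop/start/is_running) and the config keys are assumptions constructed for this example; the point it shows is that the restart belongs in a finally block, so an exception raised while editing the configuration cannot leave the service down, and that a service which was not running on entry is left alone on exit (a design choice made here, not something the thread states about the installer).

```python
# Added example, not code from the patch or from FreeIPA.
from contextlib import contextmanager


class FakeService(object):
    """Constructed stand-in for a system service such as pki-tomcatd."""

    def __init__(self, name, running=True):
        self.name = name
        self.running = running
        self.log = []  # records every action so callers can check ordering

    def stop(self):
        self.log.append('stop')
        self.running = False

    def start(self):
        self.log.append('start')
        self.running = True

    def is_running(self):
        return self.running


@contextmanager
def stopped_service(service, start_when_finished=True):
    """Run the body with the service stopped and restart it afterwards.

    The restart is in a finally block so that a failure while the
    configuration is being edited still brings the service back up.
    A service that was already stopped on entry is not started on exit
    (assumption made for this example).
    """
    was_running = service.is_running()
    if was_running:
        service.stop()
    try:
        yield service
    finally:
        if was_running and start_when_finished:
            service.start()


def edit_config_with_service_stopped(service, config, key, value):
    """Edit one key of an in-memory config dict while the service is down."""
    with stopped_service(service):
        service.log.append('edit')
        config[key] = value
    return config


def edit_then_fail(service, config):
    """Return whether the service is running again after a failed edit."""
    try:
        with stopped_service(service):
            service.log.append('edit')
            raise RuntimeError('constructed failure while editing the config')
    except RuntimeError:
        pass
    return service.is_running()


if __name__ == '__main__':
    svc = FakeService('pki-tomcatd')
    edit_config_with_service_stopped(svc, {}, 'example.key', 'value')
    print(svc.log)  # stop, edit, start
```

The start_when_finished flag is what Martin's sketch suggests; with it set to False the caller takes responsibility for starting the service later, which is the case the reviewer notes on the installers below are concerned with.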
From 176439068e4b3e0668f78eafe21b94411705a810 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Thu, 1 Aug 2013 14:47:52 +0200
Subject: [PATCH] Make CS.cfg edits with CA instance stopped
This patch makes sure that all edits to CS.cfg configuration file
are performed while pki-tomcatd service is stopped.
Introduces a new context manager, stopped_service, for handling
the general problem of performing a task that needs a certain service
to be stopped.
https://fedorahosted.org/freeipa/ticket/3804
---
install/restart_scripts/renew_ca_cert | 1 +
install/tools/ipa-ca-install | 2 +-
install/tools/ipa-replica-install | 3 +-
install/tools/ipa-server-install | 3 +-
ipaserver/install/cainstance.py | 94 +--
ipaserver/install/installutils.py | 36 ++
6 files changed, 100 insertions(+), 39 deletions(-)
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 5768db3f77d2c708dd9bacccf48365933c377aaf..ab394b970eaee28bc386d4d1ba737643414e2680 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -83,6 +83,7 @@ except Exception, e:
finally:
shutil.rmtree(tmpdir)
+# Done withing stopped_service context, CA restarted here
update_cert_config(nickname, cert)
if nickname == 'subsystemCert cert-pki-ca':
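Review bot: The added comment has a typo ("withing" should be "within"), and its placement directly above update_cert_config(nickname, cert) makes it read as if that call is the thing done inside the stopped_service context; if the context block is the code above the finally, reword to say that update_cert_config runs after the CA has already been restarted, so a reader does not assume it edits the config with the CA stopped.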
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 636f63da37787b0ad3715323e6e2f18032f3f514..4edd26d337a50eebe686daae539c257f706e0158 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -189,8 +189,8 @@ def main():
CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
+# This is done within stopped_service context, which restarts CA
CA.enable_client_auth_to_db()
-CA.restart()
# Install CA DNS records
install_dns_records(config, options)
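Review bot: Removing CA.restart() makes this step depend on CA.enable_client_auth_to_db() always restarting the CA, which is not visible in this hunk; only the call-site comment asserts it. If the stopped_service context in cainstance.py ever gains a start_when_finished=False path, as the thread discusses, the installer would continue with a stopped CA. Suggest documenting (or checking) in enable_client_auth_to_db() itself that the service is running on return, rather than relying on a comment here.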
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c6d69fca6959fb3e082475b1e5323efe1375c7ce..947c51f6f287ffce52994408352601388faf56a6 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -675,8 +675,9 @@ def main():
if CA and config.setup_ca:
CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
+
+# This is done within stopped_service context, which restarts CA
CA.enable_client_auth_to_db()
-CA.restart()
krb = install_krb(config, setup_pkinit=options.setup_pkinit)
http = install_http(config, auto_redirect=options.ui_redirect)
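Review bot: This repeats the comment-and-removal pattern from ipa-ca-install, so the knowledge that enable_client_auth_to_db() restarts the CA is now duplicated at two call sites and both must be updated if that method changes; a single note on the method would be easier to keep correct. The added blank line at the top of the hunk is unrelated whitespace and could be dropped to keep the diff minimal.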
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 06e99134e35ae67910002edee4c34269080f233e..86ca3447bfaab1763324ce57c67c073a8fa93963 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@