Re: [Freeipa-devel] [PATCH 0477] upgrade: always start CA

2016-05-25 Thread Stanislav Laznicka

On 05/20/2016 03:00 PM, Martin Basti wrote:


On 19.05.2016 13:34, Stanislav Laznicka wrote:


Also, I tried to upgrade from 4.2.4 to 4.3.1 and it seems that it 
might be necessary to start the service even earlier in the upgrade 
logic. Attached is the trace that occurred during the upgrade.


I sent the whole log earlier accidentally, hopefully it will not 
arrive here as well.


On 05/19/2016 11:10 AM, Stanislav Laznicka wrote:


NACK, see my comments below

+# following upgrade steps require running CA
This is a nitpicky nitpick but could you please change this comment 
for # the following ...

Took me a while to understand what you were trying to say here.
+if ca_running and not ca.is_running():
+ca.stop('pki-tomcat')
+elif not ca_running and ca.is_running():
+ca.start('pki-tomcat')
+
You should swap ca.stop and ca.start here, you're stopping the 
service when it's stopped and starting it when it's already running.

Shame, shame, shame on me.



On 05/12/2016 04:34 PM, Martin Basti wrote:

Patch attached.

https://fedorahosted.org/freeipa/ticket/5868

I moved starting of CA to the earlier phase and swapped start/stop to 
correct order.


Patch attached.

Seems to work as expected now. ACK.
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0477] upgrade: always start CA

2016-05-20 Thread Martin Basti



On 19.05.2016 13:34, Stanislav Laznicka wrote:


Also, I tried to upgrade from 4.2.4 to 4.3.1 and it seems that it 
might be necessary to start the service even earlier in the upgrade 
logic. Attached is the trace that occurred during the upgrade.


I sent the whole log earlier accidentally, hopefully it will not 
arrive here as well.


On 05/19/2016 11:10 AM, Stanislav Laznicka wrote:


NACK, see my comments below

+# following upgrade steps require running CA
This is a nitpicky nitpick but could you please change this comment 
for # the following ...

Took me a while to understand what you were trying to say here.
+if ca_running and not ca.is_running():
+ca.stop('pki-tomcat')
+elif not ca_running and ca.is_running():
+ca.start('pki-tomcat')
+
You should swap ca.stop and ca.start here, you're stopping the 
service when it's stopped and starting it when it's already running.

Shame, shame, shame on me.



On 05/12/2016 04:34 PM, Martin Basti wrote:

Patch attached.

https://fedorahosted.org/freeipa/ticket/5868

I moved starting of CA to the earlier phase and swapped start/stop to 
correct order.


Patch attached.
From b93d3d7823cf17cb32b25ed8b374155c446743ba Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 12 May 2016 15:39:30 +0200
Subject: [PATCH] Upgrade: always start CA

Some CA upgrade steps in upgrader require running CA. We have to always
start CA and wait for running status using http, because systemd may
return false positive result that CA is running even if CA is just
starting and unable to serve.

https://fedorahosted.org/freeipa/ticket/5868
---
 ipaserver/install/server/upgrade.py | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 38fe2c3e89da55faa30c624983cb8f9c630357b3..1d5ef0b23e4afc25b44dbce3012fbbac6d68c476 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1448,6 +1448,7 @@ def upgrade_configuration():
 sub_dict['SUBJECT_BASE'] = subject_base
 
 ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+ca_running = ca.is_running()
 
 with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
 # Dogtag must be stopped to be able to backup CS.cfg config
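Review bot: `ca_running = ca.is_running()` is assigned without a comment, and its only consumer is the restore block at the very end of upgrade_configuration(). A one-line comment saying it records the pre-upgrade CA state for later restoration (the role ds_running plays for the directory server) would make the intent clear. It is also worth confirming that calling is_running() at this point is safe when no CA is configured, since later code checks ca.is_configured() before acting.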
@@ -1481,6 +1482,11 @@ def upgrade_configuration():
 )
 upgrade_pki(ca, fstore)
 
+# several upgrade steps require running CA
+# always run ca.start() because we need to wait until CA is really ready
+# by checking status using http
+ca.start('pki-tomcat')
+
 certmonger_service = services.knownservices.certmonger
 if ca.is_configured() and not certmonger_service.is_running():
 certmonger_service.start()
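Review bot: the added `ca.start('pki-tomcat')` runs unconditionally, while the statement right after it only starts certmonger when `ca.is_configured()` is true. If upgrade_configuration() can run where no CA is configured, the start should sit behind the same guard, for example `if ca.is_configured(): ca.start('pki-tomcat')`. The comment would also be more useful if it named the steps that need the CA rather than "several".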
@@ -1650,6 +1656,11 @@ def upgrade_configuration():
 elif not ds_running and ds.is_running():
 ds.stop(ds_serverid)
 
+if ca_running and not ca.is_running():
+ca.start('pki-tomcat')
+elif not ca_running and ca.is_running():
+ca.stop('pki-tomcat')
+
 
 def upgrade_check(options):
 try:
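Review bot: the restore block added at the end of upgrade_configuration() is reached only when every step before it succeeds. An exception raised after the unconditional `ca.start('pki-tomcat')` skips it, so a CA that was stopped before the upgrade is left running after a failed one. Consider putting the restore in a try/finally around the upgrade steps, or documenting that a failed upgrade leaves the CA started.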
-- 
2.5.5


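The commit message's point, that a service can be reported as running before it is able to answer requests, shown as an added example (not code from the patch or from FreeIPA): the caller polls over HTTP until the service really serves. The local test server, the `/status` path and the names `wait_until_serving`, `WarmingUpHandler` and `demo` are constructed for this illustration.

```python
import http.server
import threading
import time
import urllib.error
import urllib.request


def wait_until_serving(url, timeout=10.0, interval=0.2):
    """Poll url until it answers HTTP 200; return True, or False on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with urllib.request.urlopen(url, timeout=1.0) as resp:
                if resp.status == 200:
                    return True
        except (urllib.error.URLError, OSError):
            pass  # refused, reset or 5xx: the process is up but not serving
        time.sleep(interval)
    return False


class WarmingUpHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: the port is open, but requests fail during warm-up."""
    ready_at = 0.0

    def do_GET(self):
        code = 200 if time.monotonic() >= self.ready_at else 503
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo(warmup=1.0):
    """Return (served_at_once, served_after_wait) for a slow-starting service."""
    WarmingUpHandler.ready_at = time.monotonic() + warmup
    server = http.server.HTTPServer(("127.0.0.1", 0), WarmingUpHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/status" % server.server_address[1]
    served_at_once = wait_until_serving(url, timeout=0.3)   # too early
    served_after_wait = wait_until_serving(url, timeout=5.0)
    server.shutdown()
    server.server_close()
    return served_at_once, served_after_wait


if __name__ == "__main__":
    print(demo())
```
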
Re: [Freeipa-devel] [PATCH 0477] upgrade: always start CA

2016-05-19 Thread Stanislav Laznicka
Also, I tried to upgrade from 4.2.4 to 4.3.1 and it seems that it might 
be necessary to start the service even earlier in the upgrade logic. 
Attached is the trace that occurred during the upgrade.


I sent the whole log earlier accidentally, hopefully it will not arrive 
here as well.


On 05/19/2016 11:10 AM, Stanislav Laznicka wrote:


NACK, see my comments below

+# following upgrade steps require running CA
This is a nitpicky nitpick but could you please change this comment 
for # the following ...

Took me a while to understand what you were trying to say here.
+if ca_running and not ca.is_running():
+ca.stop('pki-tomcat')
+elif not ca_running and ca.is_running():
+ca.start('pki-tomcat')
+
You should swap ca.stop and ca.start here, you're stopping the service 
when it's stopped and starting it when it's already running.


On 05/12/2016 04:34 PM, Martin Basti wrote:

Patch attached.

https://fedorahosted.org/freeipa/ticket/5868

2016-05-19T09:28:31Z DEBUG stderr=
2016-05-19T09:29:12Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-05-19T09:30:11Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1719, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1639, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 920, in certificate_renewal_update
    ca.configure_renewal()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 321, in configure_renewal
    profile=profile)
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 509, in dogtag_start_tracking
    cm.obj_if.add_request(params)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)

2016-05-19T09:30:11Z DEBUG The ipa-server-upgrade command failed, exception: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2016-05-19T09:30:11Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. 
2016-05-19T09:30:11Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Re: [Freeipa-devel] [PATCH 0477] upgrade: always start CA

2016-05-19 Thread Stanislav Laznicka

NACK, see my comments below

+# following upgrade steps require running CA

This is a nitpicky nitpick but could you please change this comment for 
# the following ...

Took me a while to understand what you were trying to say here.

+if ca_running and not ca.is_running():
+ca.stop('pki-tomcat')
+elif not ca_running and ca.is_running():
+ca.start('pki-tomcat')
+

You should swap ca.stop and ca.start here, you're stopping the service 
when it's stopped and starting it when it's already running.


On 05/12/2016 04:34 PM, Martin Basti wrote:

Patch attached.

https://fedorahosted.org/freeipa/ticket/5868
