URL: https://github.com/freeipa/freeipa/pull/5167 Author: tiran Title: #5167: Speed up PKI installer steps Action: opened
PR body: """ ## Skip duplicate import of cert profiles All supported Dogtag versions import the cert profiles during pkispawn when using the LDAP profile backend. This reduces the installation time by 9 to 14 seconds. ## Dogtag: Remove set_audit_renewal step The step set_audit_renewal modifies Dogtag's caSignedLogCert.cfg to bump renewal to 2 years. The problem was fixed in Dogtag upstream in 2012 before Dogtag 10.0 came out, see https://github.com/dogtagpki/pki/commit/f5b8ea5b087f642a0208c228dce6f700cd7d91c1 The update step would also no longer work. Profiles were migrated to LDAP several FreeIPA releases ago. pkispawn populates LDAP with all of Dogtag's default profiles. FreeIPA does not overwrite any existing profiles. Win: 11 to 50 seconds ## Spawn PKI: Execute more steps early Move several steps to an earlier phase of CA spawn. RA and ACME agent ACLs are now configured while the server is down. This avoids yet another restart and saves between 11 and 50 seconds per installation. Total: ~30s to ~90s Related: https://pagure.io/freeipa/issue/8521 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5167/head:pr5167 git checkout pr5167
From 0ac68df452b9ad8a7a182012dc8da1d7d688af6e Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Mon, 21 Sep 2020 14:57:14 +0200 Subject: [PATCH 1/3] Skip duplicate import of cert profiles All supported Dogtag versions import the cert profiles during pkispawn when using the LDAP profile backend. This reduces the installation time by 9 to 14 seconds. Related: https://pagure.io/freeipa/issue/8521 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaserver/install/cainstance.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 4d96a099c1..9399cb5e74 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -463,8 +463,6 @@ def configure_instance(self, host_name, dm_password, admin_password, self.step("exposing CA instance on LDAP", self.__expose_ca_in_ldap) - self.step("migrating certificate profiles to LDAP", - migrate_profiles_to_ldap) self.step("importing IPA certificate profiles", import_included_profiles) self.step("adding default CA ACL", ensure_default_caacl) From de625ceb4af8bc3b977553bf3574f6dff84a5c7c Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Fri, 25 Sep 2020 11:53:28 +0200 Subject: [PATCH 2/3] Dogtag: Remove set_audit_renewal step The step set_audit_renewal modifies Dogtag's caSignedLogCert.cfg to bump renewal to 2 years. The problem was fixed in Dogtag upstream in 2012 before Dogtag 10.0 came out, see https://github.com/dogtagpki/pki/commit/f5b8ea5b087f642a0208c228dce6f700cd7d91c1 The update step would also no longer work. Profiles have been migrated to LDAP several FreeIPA releases ago. pkispawn populates LDAP with all of Dogtag's default profiles. FreeIPA does not overwrite any existing profiles. Related: https://pagure.io/freeipa/issue/8521 
Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaserver/install/cainstance.py | 37 ----------------------------- ipaserver/install/server/upgrade.py | 15 ------------ 2 files changed, 52 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 9399cb5e74..8f73998955 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -435,8 +435,6 @@ def configure_instance(self, host_name, dm_password, admin_password, self.__import_ra_cert) if not ra_only: - self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) - self.step("restarting certificate server", self.restart_instance) if not self.clone: self.step("publishing the CA certificate", self.__export_ca_chain) @@ -1087,41 +1085,6 @@ def stop_tracking_certificates(self, stop_certmonger=True): if stop_certmonger: services.knownservices.certmonger.stop() - - def set_audit_renewal(self): - """ - The default renewal time for the audit signing certificate is - six months rather than two years. Fix it. This is BZ 843979. - """ - # Check the default validity period of the audit signing cert - # and set it to 2 years if it is 6 months. - cert_range = directivesetter.get_directive( - paths.CASIGNEDLOGCERT_CFG, - 'policyset.caLogSigningSet.2.default.params.range', - separator='=' - ) - logger.debug( - 'caSignedLogCert.cfg profile validity range is %s', cert_range) - if cert_range == "180": - directivesetter.set_directive( - paths.CASIGNEDLOGCERT_CFG, - 'policyset.caLogSigningSet.2.default.params.range', - '720', - quotes=False, - separator='=' - ) - directivesetter.set_directive( - paths.CASIGNEDLOGCERT_CFG, - 'policyset.caLogSigningSet.2.constraint.params.range', - '720', - quotes=False, - separator='=' - ) - logger.debug( - 'updated caSignedLogCert.cfg profile validity range to 720') - return True - return False - def is_renewal_master(self, fqdn=None): if fqdn is None: fqdn = api.env.host 
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 144b340a43..d1d8b3a64e 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -502,20 +502,6 @@ def ca_disable_publish_cert(ca): return True # restart needed -def upgrade_ca_audit_cert_validity(ca): - """ - Update the Dogtag audit signing certificate. - - Returns True if restart is needed, False otherwise. - """ - logger.info('[Verifying that CA audit signing cert has 2 year validity]') - if ca.is_configured(): - return ca.set_audit_renewal() - else: - logger.info('CA is not configured') - return False - - def ca_initialize_hsm_state(ca): """Initializse HSM state as False / internal token """ @@ -1774,7 +1760,6 @@ def upgrade_configuration(): ca_restart = any([ ca_restart, ca_upgrade_schema(ca), - upgrade_ca_audit_cert_validity(ca), certificate_renewal_update(ca, kra, ds, http), ca_enable_pkix(ca), ca_configure_profiles_acl(ca), From 2a0cb0c6c3ccf49516059052f40c320bba097fb0 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Mon, 28 Sep 2020 07:30:30 +0200 Subject: [PATCH 3/3] Spawn PKI: Execute more steps early Move several steps to an earlier phase of CA spawn. RA and ACME agent ACLs are now configured while the server is down. This avoids yet another restart and saves between 11 and 50 seconds per installation. Related: https://pagure.io/freeipa/issue/8521 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaserver/install/cainstance.py | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 8f73998955..3f58b8a06f 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -399,18 +399,28 @@ def configure_instance(self, host_name, dm_password, admin_password, self.step("creating installation admin user", self.setup_admin) self.step("configuring certificate server instance", self.__spawn_instance) + self.step("stopping certificate server instance to update CS.cfg", + self.stop_instance) + self.step("backing up CS.cfg", self.safe_backup_config) self.step("Add ipa-pki-wait-running", self.add_ipa_wait) self.step("secure AJP connector", self.secure_ajp_connector) self.step("reindex attributes", self.reindex_task) self.step("exporting Dogtag certificate store pin", self.create_certstore_passwdfile) - self.step("stopping certificate server instance to update CS.cfg", - self.stop_instance) - self.step("backing up CS.cfg", self.safe_backup_config) self.step("disabling nonces", self.__disable_nonce) self.step("set up CRL publishing", self.__enable_crl_publish) self.step("enable PKIX certificate path discovery and validation", self.enable_pkix) + self.step("authorizing RA to modify profiles", + configure_profiles_acl) + self.step("authorizing RA to manage lightweight CAs", + configure_lightweight_ca_acls) + self.step("Ensure lightweight CAs container exists", + ensure_lightweight_cas_container) + if self.clone and not promote: + self.step( + "Ensuring backward compatibility", + self.__dogtag10_migration) if promote: self.step("destroying installation admin user", self.teardown_admin) 
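Review bot: The ordering constraint that the comment `# This restart is needed for ACL reload in CA, do not remove it` (deleted in the next hunk) used to document is now carried only by step position: `configure_profiles_acl`, `configure_lightweight_ca_acls` and `ensure_lightweight_cas_container` are inserted after `self.stop_instance` so the CA picks the ACL entries up when it is next started, but nothing at the new location says so. Add above the `authorizing RA to modify profiles` step: `# ACLs and the lightweight-CA container are written while the instance is stopped; Dogtag reads them at start, so keep these steps before the instance is started again.` The `safe_backup_config` step now also precedes `add_ipa_wait`, `secure_ajp_connector`, `reindex_task` and `create_certstore_passwdfile`, so if any of those edits CS.cfg the backup no longer captures that edit — presumably intended, but worth a word in the commit message. The PR description speaks of ACME agent ACLs, yet no ACME step is visible in this hunk; if that is done inside `configure_profiles_acl`, naming it in the step description would help. `configure_instance` begins before and continues past this hunk.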
@@ -433,26 +443,14 @@ def configure_instance(self, host_name, dm_password, admin_password, else: self.step("importing RA certificate from PKCS #12 file", self.__import_ra_cert) - if not ra_only: if not self.clone: self.step("publishing the CA certificate", self.__export_ca_chain) self.step("adding RA agent as a trusted user", self.__create_ca_agent) - self.step("authorizing RA to modify profiles", configure_profiles_acl) - self.step("authorizing RA to manage lightweight CAs", - configure_lightweight_ca_acls) - self.step("Ensure lightweight CAs container exists", - ensure_lightweight_cas_container) - if self.clone and not promote: - self.step( - "Ensuring backward compatibility", - self.__dogtag10_migration) self.step("configure certificate renewals", self.configure_renewal) self.step("Configure HTTP to proxy connections", self.http_proxy) - # This restart is needed for ACL reload in CA, do not remove it - self.step("restarting certificate server", self.restart_instance) self.step("updating IPA configuration", update_ipa_conf) self.step("enabling CA instance", self.__enable_instance) if not promote:
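Review bot: `if not ra_only:` is removed here with no `+` lines re-indenting what follows (the header counts confirm 12 deletions and 0 insertions), so either `if not self.clone:` and the steps after it were its body and the new code has an unexpected indent, or they were siblings and patch 2's hunk at `@@ -435,8 +435,6 @@`, which drops both lines under `if not ra_only:`, already left that `if` without a body — leading whitespace is lost in this rendering, so I cannot tell which. In the first case the RA-agent, renewal, proxy and enable steps would no longer be skipped in `ra_only` mode, which the commit message does not mention; in the second, the series is not bisectable and the dangling `if` should be dropped in patch 2 instead. Either way, please state in the message that `ra_only` no longer guards these steps, or keep the guard. `configure_instance` begins before and continues past this hunk.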