Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 01/13/2016 05:59 PM, Rob Crittenden wrote: Martin Babinsky wrote: fixes https://fedorahosted.org/freeipa/ticket/5584 In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it. If you think this approach is not optimal please propose an alternative solution. You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small. If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to deference the ticket). rob Here's the patch that implements the change in URI directive. Please keep in mind that we not only have to change the URI to point to ourselves, we also have to do it in a way consistent with ipa-client-install, i.e. leave a comment with new URI if it was already set by third party. Plain 'addifnotset' directive will not do, however, because then we end up with two comments, one original, and one pointing to ourselves. Plain 'set' may rewrite the URI set by user and thus we would have to test its value anyway. The correct handling of these cases coupled with a way IPAChangeConf is written results in a solution presented here. The fact that it is not much shorter than configure_openldap_conf and is additionally pretty ugly (a fact at least partially caused by me not being very fluent in IPAChangeConf usage) led me to the conclusion that restoring original ldap.conf and reusing already wirrten code for reediting it anew with replica as URI is actually not that bad idea. -- Martin^3 Babinsky From 41d0441d19756a6809fa0c522f7c61980df127d6 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Thu, 14 Jan 2016 17:15:31 +0100 Subject: [PATCH] reset ldap.conf to point to newly installer replica after promotion When promoting a client to replica reset openldap client config so that it no longer uses remote master as default LDAP hosts but uses local connection to replica. Also make sure that the behavior regarding editing of user-customized config is consistent with the client installer. https://fedorahosted.org/freeipa/ticket/5488 --- ipaserver/install/server/replicainstall.py | 44 ++ 1 file changed, 44 insertions(+) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 7edee88e101ff59b516c97934e201bed69671cdb..f0f973160467b2c2b603302949e5c30a46d96953 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -443,6 +443,49 @@ def promote_sssd(host_name): root_logger.warning("SSSD service restart was unsuccessful.") +def promote_openldap_conf(hostname, master): +""" +Reset the URI directive in openldap-client configuration file to point to +newly promoted replica. If this directive was set by third party, then +replace the added comment with the one pointing to replica + +:param hostname: replica FQDN +:param master: FQDN of remote master +""" + +ldap_conf = paths.OPENLDAP_LDAP_CONF + +ldap_change_conf = ipaclient.ipachangeconf.IPAChangeConf( +"IPA replica installer") +ldap_change_conf.setOptionAssignment((" ", "\t")) + +new_opts = [] + +with open(ldap_conf, 'r') as f: +old_opts = ldap_change_conf.parse(f) + +for opt in old_opts: +if opt['type'] == 'comment' and master in opt['value']: +continue +elif (opt['type'] == 'option' and opt['name'] == 'URI' and +master in opt['value']): +continue +new_opts.append(opt) + +change_opts = [ +{'action': 'addifnotset', + 'name': 'URI', + 'type': 'option', + 'value': 'ldaps://' + hostname} +] + +try: +ldap_change_conf.newConf(ldap_conf, new_opts) +ldap_change_conf.changeConf(ldap_conf, change_opts) +except Exception as e: +root_logger.info("Failed to update {}: {}".format(ldap_conf, e)) + + @common_cleanup def install_check(installer): options = installer @@ -1373,6 +1416,7 @@ def promote(installer): custodia.import_dm_password(config.master_host_name) promote_sssd(config.host_name) +promote_openldap_conf(config.host_name, config.master_host_name) # Switch API so that it uses the new servr configuration server_api = create_api(mode=None) -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k
On 01/12/2016 03:44 PM, Petr Viktorin wrote: > >>> Hello I tried --py3k option and it doesn't print any error, can we >>> enable that check by default to prevent python3 regressions? >>> >>> # ./make-lint --py3k >>> No config file found, using default configuration >> >> Squash in the other attached patch to enable it by default. > > Sorry, please ignore the squash patch -- if --py3k is to be on by > default, I'll also need to add all needed packages to BuildRequires. Actually, after all, that's not true -- the py3 libraries aren't needed for pylint --py3k. So, patches are ready for review as they are (with your choice of what the default should be). -- Petr Viktorin -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
Please see the rebased patches attached. On 01/13/2016 02:01 PM, Martin Basti wrote: On 18.12.2015 12:46, Stanislav Laznicka wrote: Hi, Attached are the patches for auto-find and clean of dangling (cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to be online, even on --force. If that were an issue, I can make the command fail before trying to clean any of RUVs. However, the user is shown a replica is offline and is prompted to confirm the cleaning so the possible wait should not be a problem I believe. Standa L. Hello, patches needs rebase, I cannot apply them. From 46ccb4fc174d1cab8b6631e16689a1047b8dbb28 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Fri, 18 Dec 2015 10:30:44 +0100 Subject: [PATCH 1/2] Listing and cleaning RUV extended for CA suffix https://fedorahosted.org/freeipa/ticket/5411 --- install/tools/ipa-replica-manage | 36 +++- ipaserver/install/replication.py | 2 +- 2 files changed, 24 insertions(+), 14 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index e4af7b2fd9a40482dfa75d275d528221a1bc22ad..188e2c73a41aa1fd476475f74128b85b7383b09e 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -345,7 +345,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False): return True -def get_ruv(realm, host, dirman_passwd, nolookup=False): +def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False): """ Return the RUV entries as a list of tuples: (hostname, rid) """ @@ -354,7 +354,10 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False): enforce_host_existence(host) try: -thisrepl = replication.ReplicationManager(realm, host, dirman_passwd) +if ca: +thisrepl = replication.get_cs_replication_manager(realm, host, dirman_passwd) +else: +thisrepl = replication.ReplicationManager(realm, host, dirman_passwd) except Exception as e: print("Failed to connect to server %s: %s" % (host, e)) sys.exit(1) @@ -362,7 +365,7 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False): search_filter = '(&(nsuniqueid=---)(objectclass=nstombstone))' try: entries = thisrepl.conn.get_entries( -api.env.basedn, thisrepl.conn.SCOPE_SUBTREE, search_filter, +thisrepl.db_suffix, thisrepl.conn.SCOPE_SUBTREE, search_filter, ['nsds50ruv']) except errors.NotFound: print("No RUV records found.") @@ -402,7 +405,7 @@ def get_rid_by_host(realm, sourcehost, host, dirman_passwd, nolookup=False): if '%s:389' % host == netloc: return int(rid) -def clean_ruv(realm, ruv, options): +def clean_ruv(realm, ruv, options, ca=False): """ Given an RID create a CLEANALLRUV task to clean it up. """ @@ -412,7 +415,7 @@ def clean_ruv(realm, ruv, options): sys.exit("Replica ID must be an integer: %s" % ruv) servers = get_ruv(realm, options.host, options.dirman_passwd, - options.nolookup) + options.nolookup, ca=ca) found = False for (netloc, rid) in servers: if ruv == int(rid): @@ -424,14 +427,21 @@ def clean_ruv(realm, ruv, options): sys.exit("Replica ID %s not found" % ruv) print("Clean the Replication Update Vector for %s" % hostname) -print() -print("Cleaning the wrong replica ID will cause that server to no") -print("longer replicate so it may miss updates while the process") -print("is running. It would need to be re-initialized to maintain") -print("consistency. Be very careful.") -if not options.force and not ipautil.user_input("Continue to clean?", False): -sys.exit("Aborted") -thisrepl = replication.ReplicationManager(realm, options.host, + +if not options.force: +print() +print("Cleaning the wrong replica ID will cause that server to no") +print("longer replicate so it may miss updates while the process") +print("is running. It would need to be re-initialized to maintain") +print("consistency. Be very careful.") +if not ipautil.user_input("Continue to clean?", False): +sys.exit("Aborted") + +if ca: +thisrepl = replication.get_cs_replication_manager(realm, options.host, +options.dirman_passwd) +else: +thisrepl = replication.ReplicationManager(realm, options.host, options.dirman_passwd) thisrepl.cleanallruv(ruv) print("Cleanup task created") diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 19592e21f32b2013225036b3ce692f6cdee15a73..3221a1bd00bf9375d4348e5ba44d1645f0911b3e 100644 --- a/ipaserver/install/replication.py +++
Re: [Freeipa-devel] [PATCH 0401] Pylint enable unbalanced tuple unpacking check
On 01/12/2016 01:09 PM, Martin Basti wrote: Patch attached. ACK. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Should we split up ipa-client?
On 14.1.2016 10:48, Petr Viktorin wrote: On 01/14/2016 07:55 AM, Jan Cholasta wrote: Hi, On 13.1.2016 13:03, Martin Babinsky wrote: On 01/13/2016 11:34 AM, Petr Viktorin wrote: Hello, I'm planning to port the ipa-client to Python 3, and I'm likely to end up shaking out some dusty corners of the codebase, rather than doing the minimal amount of work :) So I'd like to get your opinions before I commit significant time to this. [...] client-tools/ - man/* - *.c - *.h - all the automake stuff - current contents of ipa-install (Python scripts that go in /usr/sbin) I would rather s/client-tools/client/, as this stuff goes into the freeipa-*client* subpackage. OK. It's just that there's no admintools/ or server/ either. Putting the scripts into install/tools/ (or install/client/) is another possibility. Right. I guess we have to decide whether we want a directory layout based on the component/subpackage or not. install/tools/ works for me equally well. I'm not sure if this is what you are suggesting or not, but I would like the man page files to be in the same directory as the corresponding source code files. Do you mean not having the man/ subdirectory? Yes. (I don't insist though.) -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0404] Pylint: enable unpacking-non-sequence check
On 01/14/2016 11:02 AM, Martin Basti wrote: Patch attached. ACK. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Should we split up ipa-client?
On 01/14/2016 07:55 AM, Jan Cholasta wrote: > Hi, > > On 13.1.2016 13:03, Martin Babinsky wrote: >> On 01/13/2016 11:34 AM, Petr Viktorin wrote: >>> Hello, >>> I'm planning to port the ipa-client to Python 3, and I'm likely to end >>> up shaking out some dusty corners of the codebase, rather than doing the >>> minimal amount of work :) >>> So I'd like to get your opinions before I commit significant time to >>> this. [...] >>> client-tools/ >>> - man/* >>> - *.c >>> - *.h >>> - all the automake stuff >>> - current contents of ipa-install (Python scripts that go in /usr/sbin) > > I would rather s/client-tools/client/, as this stuff goes into the > freeipa-*client* subpackage. OK. It's just that there's no admintools/ or server/ either. Putting the scripts into install/tools/ (or install/client/) is another possibility. > I'm not sure if this is what you are suggesting or not, but I would like > the man page files to be in the same directory as the corresponding > source code files. Do you mean not having the man/ subdirectory? -- Petr Viktorin -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0125] IPA upgrade: move replication ACIs to the mapping tree entry
On 01/13/2016 09:30 AM, Martin Babinsky wrote: On 01/13/2016 07:18 AM, Jan Cholasta wrote: On 12.1.2016 19:13, Martin Babinsky wrote: commit 6ea868e172738bdd6a8fae34e65126cdd134bbbe broke replica install and management on IPA servers upgraded from pre-4.3 version. The attached patch fixes this. https://fedorahosted.org/freeipa/ticket/5575 Any reason to repeat the DN 3 times? Besides that LGTM. No other reason than not using brain during copy-pasting ACIs. Attaching updated patch. Attaching updated patch. -- Martin^3 Babinsky From 9ed4f643e63c371f0377848b0cf61b753301cbe8 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Tue, 12 Jan 2016 18:59:11 +0100 Subject: [PATCH] IPA upgrade: move replication ACIs to the mapping tree entry During IPA server upgrade from pre-4.3 versions, the ACIs permitting manipulation of replication agreements are removed from the 'cn="$SUFFIX",cn=mapping tree,cn=config' and 'cn=o\3Dipaca,cn=mapping tree,cn=config'. However they are never re-added breaking management and installation of replicas. This patch modifies the update process so that the ACIs are first added to the 'cn=mapping tree,cn=config' and then removed from the child entries. https://fedorahosted.org/freeipa/ticket/5575 --- install/updates/20-aci.update | 8 1 file changed, 8 insertions(+) diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index cef842bbdf291762ef91d6be63c435b2f2161897..5ede14bbdc99c1ae5bcc589f5f83aa5ce094f2fd 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -66,6 +66,13 @@ add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (rea dn: cn=mapping tree,cn=config add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) + +# replication ACIs should reside in cn=mapping tree,cn=config and be common for both suffixes +dn: cn=mapping tree,cn=config +add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) +add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) +add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) + dn: cn="$SUFFIX",cn=mapping tree,cn=config remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) @@ -76,6 +83,7 @@ remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreement remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) + # Removal of obsolete ACIs dn: cn=config # Replaced by 'System: Read Replication Agreements' -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 562-563] Fix ipa-sam to use the getkeytab control instead of the setkeytab control
On 14.01.2016 08:24, Alexander Bokovoy wrote: On Thu, 03 Dec 2015, Simo Sorce wrote: The first patch is preparatory and is needed in general now that we want top allow alias and use krbCanonicalName as the canonical name when multiple values are avilable in krbPrincipalName. The second patch changes slightly how the interdomain trust account is created so that the getkeytab control can generate the proper key (with the right salt) for interop reasons with AD. The change should be upgrade safe because keys are generate at account creation so older accounts lacking the alias won't be a problem. Fixes ##5495 This patchset seems to fall through cracks -- it was ACKed but not committed. IIRC all simo's ACKed patches which haven't been pushed depend on simo's patch 560, which has no ACK If not then, patches need rebase, they have missing blobs -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 562-563] Fix ipa-sam to use the getkeytab control instead of the setkeytab control
On Thu, 14 Jan 2016, Martin Basti wrote: On 14.01.2016 08:24, Alexander Bokovoy wrote: On Thu, 03 Dec 2015, Simo Sorce wrote: The first patch is preparatory and is needed in general now that we want top allow alias and use krbCanonicalName as the canonical name when multiple values are avilable in krbPrincipalName. The second patch changes slightly how the interdomain trust account is created so that the getkeytab control can generate the proper key (with the right salt) for interop reasons with AD. The change should be upgrade safe because keys are generate at account creation so older accounts lacking the alias won't be a problem. Fixes ##5495 This patchset seems to fall through cracks -- it was ACKed but not committed. IIRC all simo's ACKed patches which haven't been pushed depend on simo's patch 560, which has no ACK If not then, patches need rebase, they have missing blobs no, 560 is unrelated. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0404] Pylint: enable unpacking-non-sequence check
Patch attached. From b13ef989eabc361d17fdc5d1d6137a460e650d6b Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Thu, 17 Dec 2015 15:51:32 +0100 Subject: [PATCH] Enable pylint unpacking-non-sequence check Enables check and marks occurences of runtime error in dcerpc.py as false positive. --- ipaserver/dcerpc.py | 12 ++-- make-lint | 1 - 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 13cb7767cc2ba303613a2d4065964d51599d728e..eb646b8af1fd7e9bfae3896424bd4ab66fbfb956 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -813,7 +813,7 @@ class TrustDomainInstance(object): result = lsa.lsarpc(binding, self.parm, self.creds) return result except RuntimeError as e: - num, message = e.args + num, message = e.args # pylint: disable=unpacking-non-sequence raise assess_dcerpc_exception(num=num, message=message) def init_lsa_pipe(self, remote_host): @@ -930,7 +930,7 @@ class TrustDomainInstance(object): self._policy_handle = self._pipe.OpenPolicy2(u"", objectAttribute, security.SEC_FLAG_MAXIMUM_ALLOWED) result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_DNS) except RuntimeError as e: -num, message = e.args +num, message = e.args # pylint: disable=unpacking-non-sequence raise assess_dcerpc_exception(num=num, message=message) self.info['name'] = unicode(result.name.string) @@ -943,7 +943,7 @@ class TrustDomainInstance(object): try: result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_ROLE) except RuntimeError as e: -num, message = e.args +num, message = e.args # pylint: disable=unpacking-non-sequence raise assess_dcerpc_exception(num=num, message=message) self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY) @@ -1069,7 +1069,7 @@ class TrustDomainInstance(object): res = self._pipe.QueryTrustedDomainInfoByName(self._policy_handle, dname, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO) self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid) except RuntimeError as e: -num, message = e.args +num, message = e.args # pylint: disable=unpacking-non-sequence # Ignore anything but access denied (NT_STATUS_ACCESS_DENIED) if num == -1073741790: raise access_denied_error @@ -1077,7 +1077,7 @@ class TrustDomainInstance(object): try: trustdom_handle = self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE) except RuntimeError as e: -num, message = e.args +num, message = e.args # pylint: disable=unpacking-non-sequence raise assess_dcerpc_exception(num=num, message=message) # We should use proper trustdom handle in order to modify the @@ -1119,7 +1119,7 @@ class TrustDomainInstance(object): ) return result except RuntimeError as e: -num, message = e.args +num, message = e.args # pylint: disable=unpacking-non-sequence raise assess_dcerpc_exception(num=num, message=message) result = retrieve_netlogon_info_2(None, self, diff --git a/make-lint b/make-lint index 4d21c6e827ed610e57a089b0203abca6dc9619c4..b1780f94adcb56e1b2c5ec014ad73d203b96c351 100755 --- a/make-lint +++ b/make-lint @@ -280,7 +280,6 @@ def main(): linter.set_option('disable', 'unused-variable') linter.set_option('disable', 'useless-else-on-loop') linter.set_option('disable', 'unbalanced-tuple-unpacking') -linter.set_option('disable', 'unpacking-non-sequence') linter.set_option('enable', 'C') linter.set_option('disable', 'bad-classmethod-argument') -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0402] Warn user about possibility to loss CA, KRA, DNSSEC master during uninstall
On 13/01/16 18:18, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5544 Patch attached. Thanks for the patch, works for me, ACK. -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0401] Pylint enable unbalanced tuple unpacking check
On 14.01.2016 11:23, Martin Babinsky wrote: On 01/12/2016 01:09 PM, Martin Basti wrote: Patch attached. ACK. Pushed to master: 2320be18a34628fa6d05ffc42e695da5dd6dab6e -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0403][test] CI: fix regression in task.install_kra
Regression caused by commit c4b9b295d8184694c50c0d56051e0273445c98ec Patch attached. One-liner rule applied. Pushed to: master: 26899c91afd36b39908a3a73363aff1787c9dc07 ipa-4-3: f3c1856d566cdcce0d411bc59efc63ddd42e5d07 From c47dde756f44c2810646bdf345433b1544d5adda Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Thu, 14 Jan 2016 10:23:11 +0100 Subject: [PATCH] CI test: fix regression in task.install_kra ipa-kra-install needs directory manager password Regression caused by c4b9b295d8184694c50c0d56051e0273445c98ec --- ipatests/test_integration/tasks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index 346c96ea31185251209f471d1a626b9958925698..6fdcf9a9019244d0ee5ae9f4d456d72df7c0566e 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -957,7 +957,7 @@ def ipa_restore(master, backup_path): def install_kra(host, domain_level=None, first_instance=False, raiseonerr=True): if domain_level is None: domain_level = domainlevel(host) -command = ["ipa-kra-install", "-U"] +command = ["ipa-kra-install", "-U", "-p", host.config.dirman_password] if domain_level == DOMAIN_LEVEL_0 and not first_instance: replica_file = get_replica_filename(host) command.append(replica_file) -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0404] Pylint: enable unpacking-non-sequence check
On 14.01.2016 11:22, Martin Babinsky wrote: On 01/14/2016 11:02 AM, Martin Basti wrote: Patch attached. ACK. Pushed to master: 267bad10a81f101db8b645abf01b2cdd62c91775 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 01/13/2016 05:59 PM, Rob Crittenden wrote: Martin Babinsky wrote: fixes https://fedorahosted.org/freeipa/ticket/5584 In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it. If you think this approach is not optimal please propose an alternative solution. You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small. If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to deference the ticket). rob In the hindsight my approach is probably overkill for this case. I will rework the patches to only set the URI directive after promotion. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [TEST][PATCH 0019] A proper fix for reverse-zone creation in integration tests
-- Oleg Fayans Quality Engineer FreeIPA team RedHat. From 249db32dc5a7ce1e6df826c68f2919c07d953c45 Mon Sep 17 00:00:00 2001 From: Oleg FayansDate: Thu, 14 Jan 2016 14:59:37 +0100 Subject: [PATCH] fixed an issue with master installation not creating reverse zone When resolv.conf is set to point to the master's ip before installation, the ipa-server-install does not create a reverse zone for it's ip even despite --auto-reverse option provided. The fix is not to mess around with resolv.conf before master installation. --- ipatests/test_integration/tasks.py | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index 6fdcf9a9019244d0ee5ae9f4d456d72df7c0566e..a1d6cb88a1bfe2ac8c2fae9d758da726a5536ce2 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -88,11 +88,12 @@ def allow_sync_ptr(host): raiseonerr=False) -def apply_common_fixes(host): +def apply_common_fixes(host, fix_resolv=True): fix_etc_hosts(host) fix_hostname(host) modify_nm_resolv_conf_settings(host) -fix_resolv_conf(host) +if fix_resolv: +fix_resolv_conf(host) def backup_file(host, filename): @@ -264,7 +265,7 @@ def install_master(host, setup_dns=True, setup_kra=False): host.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst) host.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst) -apply_common_fixes(host) +apply_common_fixes(host, fix_resolv=False) fix_apache_semaphores(host) args = [ -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0402] Warn user about possibility to loss CA, KRA, DNSSEC master during uninstall
On 14.01.2016 14:18, David Kupka wrote: On 13/01/16 18:18, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5544 Patch attached. Thanks for the patch, works for me, ACK. Pushed to: master: 58c42ddac0964a8cce7c1e1faa7516da53f028ad ipa-4-3: 56d921f359a667fc3c5b33ccf6b3767da06f64ab -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
Stanislav Laznicka wrote: > Please see the rebased patches attached. > > On 01/13/2016 02:01 PM, Martin Basti wrote: >> >> >> On 18.12.2015 12:46, Stanislav Laznicka wrote: >>> Hi, >>> >>> Attached are the patches for auto-find and clean of dangling >>> (cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to >>> be online, even on --force. If that were an issue, I can make the >>> command fail before trying to clean any of RUVs. However, the user is >>> shown a replica is offline and is prompted to confirm the cleaning so >>> the possible wait should not be a problem I believe. >>> >>> Standa L. >>> >>> >> Hello, >> >> patches needs rebase, I cannot apply them. Will this confuse people? Currently, for good or bad, there are two commands for managing the two different topologies. This mixes some CA work into ipa-replica-manage. rob -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
On 01/14/2016 04:16 PM, Ludwig Krispenz wrote: On 01/14/2016 03:59 PM, Stanislav Laznicka wrote: On 01/14/2016 03:21 PM, Rob Crittenden wrote: Stanislav Laznicka wrote: Please see the rebased patches attached. On 01/13/2016 02:01 PM, Martin Basti wrote: On 18.12.2015 12:46, Stanislav Laznicka wrote: Hi, Attached are the patches for auto-find and clean of dangling (cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to be online, even on --force. If that were an issue, I can make the command fail before trying to clean any of RUVs. However, the user is shown a replica is offline and is prompted to confirm the cleaning so the possible wait should not be a problem I believe. Standa L. Hello, patches needs rebase, I cannot apply them. Will this confuse people? Currently, for good or bad, there are two commands for managing the two different topologies. This mixes some CA work into ipa-replica-manage. rob Well, in the patch, I was just following the discussion at https://fedorahosted.org/freeipa/ticket/5411. Ludwig mentions that ipa-csreplica-manage should go deprecated and does not want to enhance it. Also, the only thing the code does is removing trash from the ds so it makes sense to me to do it in just one command, as well as the users might expect that, too. I guess it would be possible to add an option that would select which of the subtrees should be cleaned of RUVs. It should stay as one command nonetheless. Adding such an option for this command would then probably mean all the commands should have it as it would make more sense, though. Let me add Petr and Ludwig to CC: as they both had inputs on keeping the command in just ipa-replica-manage. yes, that was the idea to keep ipa-csreplica-manage (which does not have clean-ruv,..) for domain-level 0, but not add new features. Also "ipa-replica-manage del" now triggers the ruv cleaning of ipaca Yes, ipa-csreplica-manage should be deprecated. I think that one of the reasons why dangling CA RUVs are not uncommon is that users forget about `ipa-csreplica-manage del` command when removing a replica. New `ipa-replica-manage del` also removes replication agreements and therefore cleans RUVs of CA suffix (on domain level 1). In this context it is not inconsistent. Btw, one of the good example why this commands will be helpful is following bz, especially a sentence in: https://bugzilla.redhat.com/show_bug.cgi?id=1295971#c5 """ I had some mistakes to clean some valid RUV, for example, 52 for eupre1 """ We should think about list-clean-ruv and abort-clean-ruv commands. There is no counterpart for CA suffix now. Could be in different patch. With clean-dangling-ruvs command it would be good to deprecate clean-ruv command of ipa-replica-manage - should be different patch. I'm not sure if it should abort if some replica is down. Maybe yes until https://fedorahosted.org/freeipa/ticket/5396 is fixed. The path set misses update of man page. -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails
On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote: > On 01/13/2016 10:31 AM, Martin Babinsky wrote: > > On 01/07/2016 05:38 PM, Martin Babinsky wrote: > >> On 01/07/2016 05:37 PM, Martin Babinsky wrote: > >>> https://fedorahosted.org/freeipa/ticket/5584 > >>> > >> And the patch is here. > >> > >> > >> > > self-NACK, there may be a better way to handle this. I will do some > > investigation and send updated patch. > > > Attaching updated patch. A failure to obtain a tgt may be due to other reasons (for example the KDC crashed), why are you trying to use this test ? Isn't it sufficient to see there is no host entry in the directory ? Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
On 01/14/2016 03:21 PM, Rob Crittenden wrote: Stanislav Laznicka wrote: Please see the rebased patches attached. On 01/13/2016 02:01 PM, Martin Basti wrote: On 18.12.2015 12:46, Stanislav Laznicka wrote: Hi, Attached are the patches for auto-find and clean of dangling (cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to be online, even on --force. If that were an issue, I can make the command fail before trying to clean any of RUVs. However, the user is shown a replica is offline and is prompted to confirm the cleaning so the possible wait should not be a problem I believe. Standa L. Hello, patches needs rebase, I cannot apply them. Will this confuse people? Currently, for good or bad, there are two commands for managing the two different topologies. This mixes some CA work into ipa-replica-manage. rob Well, in the patch, I was just following the discussion at https://fedorahosted.org/freeipa/ticket/5411. Ludwig mentions that ipa-csreplica-manage should go deprecated and does not want to enhance it. Also, the only thing the code does is removing trash from the ds so it makes sense to me to do it in just one command, as well as the users might expect that, too. I guess it would be possible to add an option that would select which of the subtrees should be cleaned of RUVs. It should stay as one command nonetheless. Adding such an option for this command would then probably mean all the commands should have it as it would make more sense, though. Let me add Petr and Ludwig to CC: as they both had inputs on keeping the command in just ipa-replica-manage. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
On 01/14/2016 03:59 PM, Stanislav Laznicka wrote: On 01/14/2016 03:21 PM, Rob Crittenden wrote: Stanislav Laznicka wrote: Please see the rebased patches attached. On 01/13/2016 02:01 PM, Martin Basti wrote: On 18.12.2015 12:46, Stanislav Laznicka wrote: Hi, Attached are the patches for auto-find and clean of dangling (cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to be online, even on --force. If that were an issue, I can make the command fail before trying to clean any of RUVs. However, the user is shown a replica is offline and is prompted to confirm the cleaning so the possible wait should not be a problem I believe. Standa L. Hello, patches needs rebase, I cannot apply them. Will this confuse people? Currently, for good or bad, there are two commands for managing the two different topologies. This mixes some CA work into ipa-replica-manage. rob Well, in the patch, I was just following the discussion at https://fedorahosted.org/freeipa/ticket/5411. Ludwig mentions that ipa-csreplica-manage should go deprecated and does not want to enhance it. Also, the only thing the code does is removing trash from the ds so it makes sense to me to do it in just one command, as well as the users might expect that, too. I guess it would be possible to add an option that would select which of the subtrees should be cleaned of RUVs. It should stay as one command nonetheless. Adding such an option for this command would then probably mean all the commands should have it as it would make more sense, though. Let me add Petr and Ludwig to CC: as they both had inputs on keeping the command in just ipa-replica-manage. yes, that was the idea to keep ipa-csreplica-manage (which does not have clean-ruv,..) for domain-level 0, but not add new features. Also "ipa-replica-manage del" now triggers the ruv cleaning of ipaca -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code