Re: [Freeipa-devel] [PATCH 0230] Server upgrade: fix comment in ldapupdater
On 04/16/2015 05:14 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/4904 Patch attached I guess the rest of the comment is also outdated. Can you update it, too? -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command
On 04/27/2015 04:45 PM, Martin Basti wrote:
On 27/04/15 13:38, Martin Basti wrote:
On 23/04/15 12:55, Martin Basti wrote:
On 21/04/15 10:31, Martin Basti wrote:
On 21/04/15 08:12, Jan Cholasta wrote:
Hi,
Dne 15.4.2015 v 16:26 Martin Basti napsal(a):
https://fedorahosted.org/freeipa/ticket/4904
Patches attached.
Also ipa-upgradeconfig part is called as a subprocess. This will be
removed after installer modifications.
This patch may cause temporal upgrade issues (corner cases), until
installer part will be finished.
If somebody will be hit by them, please use --skip-version-check for
ipactl and ipa-server-upgrade.
Regarding that option vs. --force: I think the common assumption is
that --force ignores *all* non-fatal errors, but you break that
assumption in ipactl. IMO --force should both ignore errors in
service startup *and* skip version check, and a new option should
be added to just ignore errors in service startup (e.g.
--ignore-service-failures).
Originally I used --force option to skip detection, but there was
objections against it on list.
However, to have option --force, which set true for both
--ignore-service-failures and --skip-version-check options, might be
better.
ipa-server-upgrade should probably also have --force, even if it
does the same thing as --skip-version-check, again because --force
is common.
This is a weird API:
+if data_upgrade.badsyntax:
+raise admintool.ScriptError(
+'Bad syntax detected in upgrade file(s).', 1)
+elif data_upgrade.upgradefailed:
+raise admintool.ScriptError('IPA upgrade failed.', 1)
+elif data_upgrade.modified:
+self.log.info('Data update complete')
+else:
+self.log.info('Data update complete, no data were
modified')
Why does not IPAUpgrade raise errors instead?
For historical reasons, I can investigate what would break this
change, I will send it in separate patch.
+class IPAVersionError(Exception):
+pass
+
+class PlatformMismatchError(IPAVersionError):
+pass
+
+class DataUpgradeRequiredError(IPAVersionError):
+pass
+
+class DataInNewerVersionError(IPAVersionError):
+pass
I don't like the "IPA" in "IPAVersionError", it does not tell you
much about what kind of version is that. Also data version errors
should only tell you what is wrong, not how you fix it. IMO better
names for these would be e.g. "UpgradeVersionError",
"UpgradePlatformError", "UpgradeDataOlderVersionError",
"UpgradeDataNewerVersionError". Similar for store_ipa_version and
check_ipa_version.
Ok.
Why is it not an error if there is no version in check_ipa_version?
IMO it should, even if you then ignore the exception most of the time.
I can raise error in that case and ignore the exception.
Honza
Martin^2
Updated patches attached.
Updated patches attached
--
Martin Basti
Updated patch attached
Looks good to me and works as expected. Honza, are you OK with the patches?
--
David Kupka
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent
On 04/27/2015 03:03 PM, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/4926 Thanks, Gabe PatternFly has new recommendations for terminology and wording [1]. I'm not entirely sure if the usage of 'save' here is good. PF defines 'edit' as the recommended term. The page doesn't say if 'save' is not recommended, though. Save seems to me as a confirmation of editing. Kyle, could you advise what is the best term for reflecting user changes and for confirmation of this action? Technical notes: 1. it would be better to add a new string and then use it in the button instead of having 'Save' text for '@i18n:buttons.update' definition. 2. String changes in internal.py should be also reflected in install/ui/test/data/ipa_init.json (for static web ui demo). 3. optional: in addition to text change, buttons and related actions could also be renamed (same reasons as in 1). It's more proper but much more complicated. [1] https://www.patternfly.org/styles/terminology-and-wording/#action-labels -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command
On 27/04/15 13:38, Martin Basti wrote:
On 23/04/15 12:55, Martin Basti wrote:
On 21/04/15 10:31, Martin Basti wrote:
On 21/04/15 08:12, Jan Cholasta wrote:
Hi,
Dne 15.4.2015 v 16:26 Martin Basti napsal(a):
https://fedorahosted.org/freeipa/ticket/4904
Patches attached.
Also ipa-upgradeconfig part is called as a subprocess. This will be
removed after installer modifications.
This patch may cause temporal upgrade issues (corner cases), until
installer part will be finished.
If somebody will be hit by them, please use --skip-version-check for
ipactl and ipa-server-upgrade.
Regarding that option vs. --force: I think the common assumption is
that --force ignores *all* non-fatal errors, but you break that
assumption in ipactl. IMO --force should both ignore errors in
service startup *and* skip version check, and a new option should
be added to just ignore errors in service startup (e.g.
--ignore-service-failures).
Originally I used --force option to skip detection, but there was
objections against it on list.
However, to have option --force, which set true for both
--ignore-service-failures and --skip-version-check options, might be
better.
ipa-server-upgrade should probably also have --force, even if it
does the same thing as --skip-version-check, again because --force
is common.
This is a weird API:
+if data_upgrade.badsyntax:
+raise admintool.ScriptError(
+'Bad syntax detected in upgrade file(s).', 1)
+elif data_upgrade.upgradefailed:
+raise admintool.ScriptError('IPA upgrade failed.', 1)
+elif data_upgrade.modified:
+self.log.info('Data update complete')
+else:
+self.log.info('Data update complete, no data were
modified')
Why does not IPAUpgrade raise errors instead?
For historical reasons, I can investigate what would break this
change, I will send it in separate patch.
+class IPAVersionError(Exception):
+pass
+
+class PlatformMismatchError(IPAVersionError):
+pass
+
+class DataUpgradeRequiredError(IPAVersionError):
+pass
+
+class DataInNewerVersionError(IPAVersionError):
+pass
I don't like the "IPA" in "IPAVersionError", it does not tell you
much about what kind of version is that. Also data version errors
should only tell you what is wrong, not how you fix it. IMO better
names for these would be e.g. "UpgradeVersionError",
"UpgradePlatformError", "UpgradeDataOlderVersionError",
"UpgradeDataNewerVersionError". Similar for store_ipa_version and
check_ipa_version.
Ok.
Why is it not an error if there is no version in check_ipa_version?
IMO it should, even if you then ignore the exception most of the time.
I can raise error in that case and ignore the exception.
Honza
Martin^2
Updated patches attached.
Updated patches attached
--
Martin Basti
Updated patch attached
--
Martin Basti
From 9ba1dc90b12c70053a926e3dbfbd6aaa4d9fc920 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Thu, 2 Apr 2015 14:14:15 +0200
Subject: [PATCH 1/3] Server Upgrade: ipa-server-upgrade command
https://fedorahosted.org/freeipa/ticket/4904
---
freeipa.spec.in | 2 +
install/tools/Makefile.am | 1 +
install/tools/ipa-server-upgrade| 12 ++
install/tools/man/Makefile.am | 1 +
install/tools/man/ipa-server-upgrade.1 | 40 ++
ipaserver/install/ipa_server_upgrade.py | 72 +
6 files changed, 128 insertions(+)
create mode 100644 install/tools/ipa-server-upgrade
create mode 100644 install/tools/man/ipa-server-upgrade.1
create mode 100644 ipaserver/install/ipa_server_upgrade.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..c661fe574464fdba1b1a8c64710d44a012ec8ede 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -660,6 +660,7 @@ fi
%{_sbindir}/ipa-replica-manage
%{_sbindir}/ipa-csreplica-manage
%{_sbindir}/ipa-server-certinstall
+%{_sbindir}/ipa-server-upgrade
%{_sbindir}/ipa-ldap-updater
%{_sbindir}/ipa-otptoken-import
%{_sbindir}/ipa-compat-manage
@@ -804,6 +805,7 @@ fi
%{_mandir}/man1/ipa-replica-prepare.1.gz
%{_mandir}/man1/ipa-server-certinstall.1.gz
%{_mandir}/man1/ipa-server-install.1.gz
+%{_mandir}/man1/ipa-server-upgrade.1.gz
%{_mandir}/man1/ipa-dns-install.1.gz
%{_mandir}/man1/ipa-ca-install.1.gz
%{_mandir}/man1/ipa-kra-install.1.gz
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index b791a8c748a18602f88522c3a0e3d74499700ae0..e5d45c47966a503da9f25aec13175793a36962e4 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -16,6 +16,7 @@ sbin_SCRIPTS = \
ipa-replica-manage \
ipa-csreplica-manage \
ipa-server-certinstall \
+ ipa-server-upgrade \
ipactl \
ipa-compat-manage \
ipa-nis-manage \
diff --git a/install/tools/ipa-server-upgrade b/install/tools/ipa-server-upgrade
new file mode 100644
index 0
[Freeipa-devel] [PATCH 0083] Fix a signedness bug in OTP code
This bug caused negative token windows to wrap-around, causing issues
with TOTP authentication and (especially) synchronization.
https://fedorahosted.org/freeipa/ticket/4990From 12fadccfbea009196e1e0f2efeee7258c68981ca Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Mon, 27 Apr 2015 10:23:49 -0400
Subject: [PATCH] Fix a signedness bug in OTP code
This bug caused negative token windows to wrap-around, causing issues
with TOTP authentication and (especially) synchronization.
https://fedorahosted.org/freeipa/ticket/4990
---
daemons/ipa-slapi-plugins/libotp/otp_token.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c
index bc6acc42c8a62dce2f8c715099786a5c0fcc8e07..9b90c6a1137b468103d73cd85fd7e0fcafcee616 100644
--- a/daemons/ipa-slapi-plugins/libotp/otp_token.c
+++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c
@@ -489,7 +489,7 @@ bool otp_token_validate_berval(struct otp_token * const *tokens,
if (time(&now) == (time_t) -1)
return false;
-for (uint32_t i = 0, cnt = 1; cnt != 0; i++) {
+for (ssize_t i = 0, cnt = 1; cnt != 0; i++) {
cnt = 0;
for (int j = 0; tokens[j] != NULL; j++) {
uint32_t *secondp = NULL;
@@ -513,8 +513,8 @@ bool otp_token_validate_berval(struct otp_token * const *tokens,
}
/* Validate the positive/negative steps. */
-if (!validate(tokens[j], now, i, first, secondp) &&
-!validate(tokens[j], now, 0 - i, first, secondp))
+if (!validate(tokens[j], now, i, first, secondp) &&
+!validate(tokens[j], now, -i, first, secondp))
continue;
/* Codes validated; strip. */
--
2.3.5
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] design review: Certificate Profiles
On Fri, Apr 17, 2015 at 02:08:29PM +0200, Martin Kosek wrote: > On 04/16/2015 10:03 AM, Fraser Tweedale wrote: > >Hi everyone, > > > >Please review my Certificate Profiles design proposal: > >http://www.freeipa.org/page/V4/Certificate_Profiles > > > >Let me know what is unclear, what needs expansion, and what is plain > >wrong :) > > > >The schema for storing multiple certificates for a principal is > >still being discussed but I expect it will be agreed soon, and I > >will add it to the document. > > > >I am revising the sub-CAs design proposal and it will soon be > >published for review as well. > > 1) here did you get this feature template? It is the one that is obsolete > (header levels, document structure, missing author in the box)... This is > the right template: > http://www.freeipa.org/page/Feature_template > I saw you updated the formatting and added the `certprofile-mod` command - thanks! > 2) I miss certprofile-find command - to enable Web UI and/or CLI to search > through existing profiles. > The command will exist, but it is still missing from design page; I will add it. > 3) Permissions > So your plan is to allow different groups use different profiles? So there > would be for example profiles allowed to all users (something like > userCattegory:all that we use for HBAC/SUDO)? How do you plan to deal with > authorization? Will be on a FreeIPA framework level or for example by DS > ACIs that would simply not show the profiles? > The design is living in the sub-CAs proposal. The discussion is ongoing (in another thread). > 4) Searching for certificates by profile - FEEDBACK REQUIRED > It would be nice to incorporate this filter to current cert-find command. > I added `cert-find` and the filter. > 5) Default set of profiles > Should we also propose a basic set of canned profiles so that I can picture > what will be the possibilities? > > Would it be something like > * Server profile > * Client profile > We will have a set of included profiles: - The current caIPAserverCert profile (we will rebrand it; "TLS Server and Client Profile" or something) - One for TLS server auth *without* client auth. - User authentication I will include this in design page. > 6) Upgrades > It may happen that FreeIPA needs to upgrade defaults of a canned profile. It > would be nice to have a section how it would do it. > Should be trivial; I have added some commentary to design page. > This is all I could think of so far. > Thanks for your feedback! -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0046] Remove unneeded --ip-address option in ipa-adtrust-install
Hello,
Fix for https://fedorahosted.org/freeipa/ticket/4575
Thanks,
Gabe
From 6c9ac52a18df8bbce33db09c16494159258ff104 Mon Sep 17 00:00:00 2001
From: Gabe
Date: Wed, 15 Apr 2015 09:18:58 -0600
Subject: [PATCH] Remove unneeded ip-address option in ipa-adtrust-install
https://fedorahosted.org/freeipa/ticket/4575
---
install/tools/ipa-adtrust-install | 25 +
install/tools/man/ipa-adtrust-install.1 | 3 ---
ipaserver/install/adtrustinstance.py| 4 +---
3 files changed, 2 insertions(+), 30 deletions(-)
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 6e55bbe3e57f1c609398dc571e90cb8677d91a33..3f8f2105bcaf15bc577aeb87ca4bb0d068909b6e 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -39,8 +39,6 @@ def parse_options():
parser = IPAOptionParser(version=version.VERSION)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="print debugging information")
-parser.add_option("--ip-address", dest="ip_address",
- type="ip", ip_local=True, help="Master Server IP Address")
parser.add_option("--netbios-name", dest="netbios_name",
help="NetBIOS name of the IPA domain")
parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
@@ -291,37 +289,16 @@ def main():
options.enable_compat = enable_compat_tree()
# Check we have a public IP that is associated with the hostname
-ip = None
try:
hostaddr = resolve_host(api.env.host)
if len(hostaddr) > 1:
print >> sys.stderr, "The server hostname resolves to more than one address:"
for addr in hostaddr:
print >> sys.stderr, " %s" % addr
-
-if options.ip_address:
-if str(options.ip_address) not in hostaddr:
-print >> sys.stderr, "Address passed in --ip-address did not match any resolved"
-print >> sys.stderr, "address!"
-sys.exit(1)
-print "Selected IP address:", str(options.ip_address)
-ip = options.ip_address
-else:
-if options.unattended:
-print >> sys.stderr, "Please use --ip-address option to specify the address"
-sys.exit(1)
-else:
-ip = read_ip_address(api.env.host, fstore)
-else:
-ip = hostaddr and ipautil.CheckedIPAddress(hostaddr[0], match_local=True)
except Exception, e:
-print "Error: Invalid IP Address %s: %s" % (ip, e)
print "Aborting installation"
sys.exit(1)
-ip_address = str(ip)
-root_logger.debug("will use ip_address: %s\n", ip_address)
-
admin_password = options.admin_password
if not (options.unattended or admin_password):
admin_password = read_admin_password(options.admin_name)
@@ -406,7 +383,7 @@ def main():
smb = adtrustinstance.ADTRUSTInstance(fstore)
smb.realm = api.env.realm
smb.autobind = ipaldap.AUTOBIND_ENABLED
-smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
+smb.setup(api.env.host, api.env.realm, api.env.domain,
netbios_name, reset_netbios_name,
options.rid_base, options.secondary_rid_base,
options.no_msdcs, options.add_sids,
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index b0aa8ceefc34698329b2a13d3adbcb204f08b3a9..a32eefb0e2dd4334b6dc3597b3643743ead56847 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -41,9 +41,6 @@ might be affected as well.
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
-\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
-The IP address of the IPA server. If not provided then this is determined based on the hostname of the server.
-.TP
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
The NetBIOS name for the IPA domain. If not provided then this is determined
based on the leading component of the DNS domain name. Running
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index b4d644fdbf784dd7936adc8eb085f4825cab797e..92c05f26a10c8f90bbe62ae9f6723d5e22ff3833 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -108,7 +108,6 @@ class ADTRUSTInstance(service.Service):
FALLBACK_GROUP_NAME = u'Default SMB Group'
def __init__(self, fstore=None):
-self.ip_address = None
self.netbios_name = None
self.reset_netbios_name = None
self.no_msdcs = None
@@ -774,11 +773,10 @@ class ADTRUSTInstance(service.Service):
LDAPI_SOCKET = self.ldapi_socket,
FQDN = self.fqdn)
-def setup(self, fqdn, ip_address, rea
[Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent
Hello,
Fix for https://fedorahosted.org/freeipa/ticket/4926
Thanks,
Gabe
From 053f7dd53e9d1acd6dec4688ab515f138d832ef4 Mon Sep 17 00:00:00 2001
From: Gabe
Date: Mon, 27 Apr 2015 06:49:25 -0600
Subject: [PATCH] Unsaved changes dialog internally inconsistent
- Change "Update" button text to "Save"
- Change "Reset" button text to "Revert"
https://fedorahosted.org/freeipa/ticket/4926
---
ipalib/plugins/internal.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index b85f2d077110128963e26ccf0f43e21141c46f4a..a88d0b8bf3f4632faf98e269363c6e9b523eefa1 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -218,14 +218,14 @@ class i18n_messages(Command):
"ok": _("OK"),
"refresh": _("Refresh"),
"remove": _("Delete"),
-"reset": _("Reset"),
+"reset": _("Revert"),
"reset_password_and_login": _("Reset Password and Login"),
"restore": _("Restore"),
"retry": _("Retry"),
"revoke": _("Revoke"),
"set": _("Set"),
"unapply": ("Un-apply"),
-"update": _("Update"),
+"update": _("Save"),
"view": _("View"),
},
"details": {
--
1.8.3.1
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] FYI: Fedora 22 and trusts
Hi, if you are playing with Fedora 22 beta, your experience with FreeIPA may be rough. When installing freeipa-server-trust-ad make sure to also install samba-common-tools package. Samba packaging was split to allow samba-common to be an architecture-independent package but samba package didn't get dependency to samba-common-tools subpackage which contains /usr/bin/net utility. This utility is used by FreeIPA when you run ipa-adtrust-install. I've submitted update which fixes this issue [1] but until it reaches stable updates of Fedora 22, simply install samba-common-tools in addition to freeipa-server-trust-ad. As with any pre-release software, it is recommended to always run up-to-date system as bugs get fixed almost every day before release. [1] https://admin.fedoraproject.org/updates/samba-4.2.1-5.fc22 -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command
On 23/04/15 12:55, Martin Basti wrote:
On 21/04/15 10:31, Martin Basti wrote:
On 21/04/15 08:12, Jan Cholasta wrote:
Hi,
Dne 15.4.2015 v 16:26 Martin Basti napsal(a):
https://fedorahosted.org/freeipa/ticket/4904
Patches attached.
Also ipa-upgradeconfig part is called as a subprocess. This will be
removed after installer modifications.
This patch may cause temporal upgrade issues (corner cases), until
installer part will be finished.
If somebody will be hit by them, please use --skip-version-check for
ipactl and ipa-server-upgrade.
Regarding that option vs. --force: I think the common assumption is
that --force ignores *all* non-fatal errors, but you break that
assumption in ipactl. IMO --force should both ignore errors in
service startup *and* skip version check, and a new option should be
added to just ignore errors in service startup (e.g.
--ignore-service-failures).
Originally I used --force option to skip detection, but there was
objections against it on list.
However, to have option --force, which set true for both
--ignore-service-failures and --skip-version-check options, might be
better.
ipa-server-upgrade should probably also have --force, even if it
does the same thing as --skip-version-check, again because --force
is common.
This is a weird API:
+if data_upgrade.badsyntax:
+raise admintool.ScriptError(
+'Bad syntax detected in upgrade file(s).', 1)
+elif data_upgrade.upgradefailed:
+raise admintool.ScriptError('IPA upgrade failed.', 1)
+elif data_upgrade.modified:
+self.log.info('Data update complete')
+else:
+self.log.info('Data update complete, no data were
modified')
Why does not IPAUpgrade raise errors instead?
For historical reasons, I can investigate what would break this
change, I will send it in separate patch.
+class IPAVersionError(Exception):
+pass
+
+class PlatformMismatchError(IPAVersionError):
+pass
+
+class DataUpgradeRequiredError(IPAVersionError):
+pass
+
+class DataInNewerVersionError(IPAVersionError):
+pass
I don't like the "IPA" in "IPAVersionError", it does not tell you
much about what kind of version is that. Also data version errors
should only tell you what is wrong, not how you fix it. IMO better
names for these would be e.g. "UpgradeVersionError",
"UpgradePlatformError", "UpgradeDataOlderVersionError",
"UpgradeDataNewerVersionError". Similar for store_ipa_version and
check_ipa_version.
Ok.
Why is it not an error if there is no version in check_ipa_version?
IMO it should, even if you then ignore the exception most of the time.
I can raise error in that case and ignore the exception.
Honza
Martin^2
Updated patches attached.
Updated patches attached
--
Martin Basti
From 9ba1dc90b12c70053a926e3dbfbd6aaa4d9fc920 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Thu, 2 Apr 2015 14:14:15 +0200
Subject: [PATCH 1/3] Server Upgrade: ipa-server-upgrade command
https://fedorahosted.org/freeipa/ticket/4904
---
freeipa.spec.in | 2 +
install/tools/Makefile.am | 1 +
install/tools/ipa-server-upgrade| 12 ++
install/tools/man/Makefile.am | 1 +
install/tools/man/ipa-server-upgrade.1 | 40 ++
ipaserver/install/ipa_server_upgrade.py | 72 +
6 files changed, 128 insertions(+)
create mode 100644 install/tools/ipa-server-upgrade
create mode 100644 install/tools/man/ipa-server-upgrade.1
create mode 100644 ipaserver/install/ipa_server_upgrade.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..c661fe574464fdba1b1a8c64710d44a012ec8ede 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -660,6 +660,7 @@ fi
%{_sbindir}/ipa-replica-manage
%{_sbindir}/ipa-csreplica-manage
%{_sbindir}/ipa-server-certinstall
+%{_sbindir}/ipa-server-upgrade
%{_sbindir}/ipa-ldap-updater
%{_sbindir}/ipa-otptoken-import
%{_sbindir}/ipa-compat-manage
@@ -804,6 +805,7 @@ fi
%{_mandir}/man1/ipa-replica-prepare.1.gz
%{_mandir}/man1/ipa-server-certinstall.1.gz
%{_mandir}/man1/ipa-server-install.1.gz
+%{_mandir}/man1/ipa-server-upgrade.1.gz
%{_mandir}/man1/ipa-dns-install.1.gz
%{_mandir}/man1/ipa-ca-install.1.gz
%{_mandir}/man1/ipa-kra-install.1.gz
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index b791a8c748a18602f88522c3a0e3d74499700ae0..e5d45c47966a503da9f25aec13175793a36962e4 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -16,6 +16,7 @@ sbin_SCRIPTS = \
ipa-replica-manage \
ipa-csreplica-manage \
ipa-server-certinstall \
+ ipa-server-upgrade \
ipactl \
ipa-compat-manage \
ipa-nis-manage \
diff --git a/install/tools/ipa-server-upgrade b/install/tools/ipa-server-upgrade
new file mode 100644
index ..747024847a7c9d8837b4968395e2c63648a792cf
--- /dev/null
+++ b/install/to
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 04/27/2015 12:42 PM, David Kupka wrote:
> On 04/27/2015 12:18 PM, Martin Basti wrote:
>> On 27/04/15 11:04, Martin Kosek wrote:
>>> On 04/27/2015 10:49 AM, Martin Basti wrote:
On 27/04/15 10:31, David Kupka wrote:
> On 04/24/2015 03:58 PM, Tomas Babej wrote:
>>
>> On 04/24/2015 03:50 PM, Martin Basti wrote:
>>> On 24/04/15 15:22, David Kupka wrote:
On 04/24/2015 03:17 PM, Martin Basti wrote:
> On 23/04/15 15:26, David Kupka wrote:
>> On 04/13/2015 01:23 PM, David Kupka wrote:
>>> On 04/10/2015 02:55 PM, Simo Sorce wrote:
On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
> On (08/04/15 08:53), Simo Sorce wrote:
>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
>>> On 04/06/2015 02:48 PM, Simo Sorce wrote:
On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a):
>>> On 27.3.2015 14:58, David Kupka wrote:
pylint changed slightly so we must react otherwise
we'll be
unable to
build freeipa rpms on Fedora 22. This patch should go to
master for sure
but I don't know if we want it in 4.1.
>>> ACK
>> Are all the new disables really just false positives?
> It seems to me as a false positives.
>
> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1'
> member)
>
> >>> import ssl
> >>> ssl.PROTOCOL_TLSv1
> 3
>
> 2. ipaserver/install/ipa_otptoken_import.py:63:
> [E1101(no-member),
> convertDate] Instance of 'tuple' has no 'tzinfo' member)
> ipaserver/install/ipa_otptoken_import.py:64:
> [E1101(no-member),
> convertDate] Instance of 'tuple' has no 'timetuple' member)
>
> dateutil.parser.parse() returns datetime.datetime object
> and it
> has
> both tzinfo and timetuple methods
> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>
>
>
>
> 3. ipapython/dnssec/ldapkeydb.py:26:
> [E1127(invalid-slice-index),
> uri_escape] Slice index is not an int, None, or instance
> with
> __index__)
>
> This is the line lint is complaining about:
> out += '%'.join(hexval[i:i+2] for i in range(0,
> len(hexval),
> 2))
> I don't see a chance for 'i' or 'i+1' to be anything
> else than
> integers.
>
>>> tested on:
>>> - F21: ipa-4-1, master branch
>>> - F22: master branch.
>>>
>>> IMHO it could got to ipa-4-1 branch because of FreeIPA
>>> 4.1.4 in
>>> F22
This patch doesn't seem to fix all my issues building on
F22, so
tentative NACK.
>>> I tested it this way:
>>> 1. started with Fedora-22-x86_64-minimal system
>>> 2. dnf install git
>>> 3. clone freeipa
>>> 4. make version-update # to get freeipa.spec
>>> 5. dnf install `awk '/^BuildRequires/ {print $2}'
>>> freeipa.spec`
>>> 6. ./make-lint
>>>
It seem the main offenders are "No value for argument
'second' in
method
call" (this one only in test_ipautul.py) and "No value for
argument
'extClass' in method call" sprinkled around various test
plugins.
These cause E1120(no-value-for-parameter).
>>> Could you please paste the output of make-lint somewhere?
>> Here it is.
>> This is with my f22 desktop, fully updated with buildrequires
>> running
>> make-lint straight after applying your patch:
>>
>> * Module ipatests.test_ipapython.test_ipautil
>> ipatests/test_ipapython/test_ipautil.py:93:
>> [E1120(no-value-for-parameter), TestCIDict.test_len] No
>> value for
>> argument 'second' in method call)
>> ipatests/test_ipapython/test_ipautil.py:96:
>> [E1120(no-value-for-para
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 04/27/2015 12:18 PM, Martin Basti wrote:
On 27/04/15 11:04, Martin Kosek wrote:
On 04/27/2015 10:49 AM, Martin Basti wrote:
On 27/04/15 10:31, David Kupka wrote:
On 04/24/2015 03:58 PM, Tomas Babej wrote:
On 04/24/2015 03:50 PM, Martin Basti wrote:
On 24/04/15 15:22, David Kupka wrote:
On 04/24/2015 03:17 PM, Martin Basti wrote:
On 23/04/15 15:26, David Kupka wrote:
On 04/13/2015 01:23 PM, David Kupka wrote:
On 04/10/2015 02:55 PM, Simo Sorce wrote:
On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
On (08/04/15 08:53), Simo Sorce wrote:
On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
On 04/06/2015 02:48 PM, Simo Sorce wrote:
On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
On 03/30/2015 07:12 AM, Jan Cholasta wrote:
Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a):
On 27.3.2015 14:58, David Kupka wrote:
pylint changed slightly so we must react otherwise
we'll be
unable to
build freeipa rpms on Fedora 22. This patch should go to
master for sure
but I don't know if we want it in 4.1.
ACK
Are all the new disables really just false positives?
It seems to me as a false positives.
1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1'
member)
>>> import ssl
>>> ssl.PROTOCOL_TLSv1
3
2. ipaserver/install/ipa_otptoken_import.py:63:
[E1101(no-member),
convertDate] Instance of 'tuple' has no 'tzinfo' member)
ipaserver/install/ipa_otptoken_import.py:64:
[E1101(no-member),
convertDate] Instance of 'tuple' has no 'timetuple' member)
dateutil.parser.parse() returns datetime.datetime object
and it
has
both tzinfo and timetuple methods
(https://docs.python.org/2/library/datetime.html#datetime-objects)
3. ipapython/dnssec/ldapkeydb.py:26:
[E1127(invalid-slice-index),
uri_escape] Slice index is not an int, None, or instance
with
__index__)
This is the line lint is complaining about:
out += '%'.join(hexval[i:i+2] for i in range(0,
len(hexval),
2))
I don't see a chance for 'i' or 'i+1' to be anything
else than
integers.
tested on:
- F21: ipa-4-1, master branch
- F22: master branch.
IMHO it could got to ipa-4-1 branch because of FreeIPA
4.1.4 in
F22
This patch doesn't seem to fix all my issues building on
F22, so
tentative NACK.
I tested it this way:
1. started with Fedora-22-x86_64-minimal system
2. dnf install git
3. clone freeipa
4. make version-update # to get freeipa.spec
5. dnf install `awk '/^BuildRequires/ {print $2}'
freeipa.spec`
6. ./make-lint
It seem the main offenders are "No value for argument
'second' in
method
call" (this one only in test_ipautul.py) and "No value for
argument
'extClass' in method call" sprinkled around various test
plugins.
These cause E1120(no-value-for-parameter).
Could you please paste the output of make-lint somewhere?
Here it is.
This is with my f22 desktop, fully updated with buildrequires
running
make-lint straight after applying your patch:
* Module ipatests.test_ipapython.test_ipautil
ipatests/test_ipapython/test_ipautil.py:93:
[E1120(no-value-for-parameter), TestCIDict.test_len] No
value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:96:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:97:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:98:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:99:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:100:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:101:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'excClass' in method call)
ipatests/test_ipapython/test_ipautil.py:105:
[E1120(no-value-for-parameter), TestCIDict.test_get] No
value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:106:
[E1120(no-value-for-parameter), TestCIDict.test_get] No
value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:107:
[E1120(no-value-for-parameter), TestCIDict.test_get] No
value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:108:
[E1120(no-value-for-parameter), TestCIDict.test_get] No
value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:109:
[E1120(no-value-for-parameter), TestCIDict.test_get] No
value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:110:
[E1120(no-value-for-parameter), TestCIDict.test_get] No
value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:114:
[E1120(no-value-for-parameter), TestCIDict.test_se
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 27/04/15 11:04, Martin Kosek wrote:
On 04/27/2015 10:49 AM, Martin Basti wrote:
On 27/04/15 10:31, David Kupka wrote:
On 04/24/2015 03:58 PM, Tomas Babej wrote:
On 04/24/2015 03:50 PM, Martin Basti wrote:
On 24/04/15 15:22, David Kupka wrote:
On 04/24/2015 03:17 PM, Martin Basti wrote:
On 23/04/15 15:26, David Kupka wrote:
On 04/13/2015 01:23 PM, David Kupka wrote:
On 04/10/2015 02:55 PM, Simo Sorce wrote:
On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
On (08/04/15 08:53), Simo Sorce wrote:
On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
On 04/06/2015 02:48 PM, Simo Sorce wrote:
On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
On 03/30/2015 07:12 AM, Jan Cholasta wrote:
Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a):
On 27.3.2015 14:58, David Kupka wrote:
pylint changed slightly so we must react otherwise we'll be
unable to
build freeipa rpms on Fedora 22. This patch should go to
master for sure
but I don't know if we want it in 4.1.
ACK
Are all the new disables really just false positives?
It seems to me as a false positives.
1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1'
member)
>>> import ssl
>>> ssl.PROTOCOL_TLSv1
3
2. ipaserver/install/ipa_otptoken_import.py:63:
[E1101(no-member),
convertDate] Instance of 'tuple' has no 'tzinfo' member)
ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
convertDate] Instance of 'tuple' has no 'timetuple' member)
dateutil.parser.parse() returns datetime.datetime object and it
has
both tzinfo and timetuple methods
(https://docs.python.org/2/library/datetime.html#datetime-objects)
3. ipapython/dnssec/ldapkeydb.py:26:
[E1127(invalid-slice-index),
uri_escape] Slice index is not an int, None, or instance with
__index__)
This is the line lint is complaining about:
out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval),
2))
I don't see a chance for 'i' or 'i+1' to be anything else than
integers.
tested on:
- F21: ipa-4-1, master branch
- F22: master branch.
IMHO it could got to ipa-4-1 branch because of FreeIPA
4.1.4 in
F22
This patch doesn't seem to fix all my issues building on F22, so
tentative NACK.
I tested it this way:
1. started with Fedora-22-x86_64-minimal system
2. dnf install git
3. clone freeipa
4. make version-update # to get freeipa.spec
5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
6. ./make-lint
It seem the main offenders are "No value for argument
'second' in
method
call" (this one only in test_ipautul.py) and "No value for
argument
'extClass' in method call" sprinkled around various test
plugins.
These cause E1120(no-value-for-parameter).
Could you please paste the output of make-lint somewhere?
Here it is.
This is with my f22 desktop, fully updated with buildrequires
running
make-lint straight after applying your patch:
* Module ipatests.test_ipapython.test_ipautil
ipatests/test_ipapython/test_ipautil.py:93:
[E1120(no-value-for-parameter), TestCIDict.test_len] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:96:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:97:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:98:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:99:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:100:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:101:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'excClass' in method call)
ipatests/test_ipapython/test_ipautil.py:105:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:106:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:107:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:108:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:109:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:110:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:114:
[E1120(no-value-for-parameter), TestCIDict.test_setitem] No value
for argument 'second' in metho
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 04/27/2015 10:49 AM, Martin Basti wrote:
> On 27/04/15 10:31, David Kupka wrote:
>> On 04/24/2015 03:58 PM, Tomas Babej wrote:
>>>
>>>
>>> On 04/24/2015 03:50 PM, Martin Basti wrote:
On 24/04/15 15:22, David Kupka wrote:
> On 04/24/2015 03:17 PM, Martin Basti wrote:
>> On 23/04/15 15:26, David Kupka wrote:
>>> On 04/13/2015 01:23 PM, David Kupka wrote:
On 04/10/2015 02:55 PM, Simo Sorce wrote:
> On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
>> On (08/04/15 08:53), Simo Sorce wrote:
>>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
On 04/06/2015 02:48 PM, Simo Sorce wrote:
> On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
>> On 03/30/2015 07:12 AM, Jan Cholasta wrote:
>>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a):
On 27.3.2015 14:58, David Kupka wrote:
> pylint changed slightly so we must react otherwise we'll be
> unable to
> build freeipa rpms on Fedora 22. This patch should go to
> master for sure
> but I don't know if we want it in 4.1.
>
ACK
>>>
>>> Are all the new disables really just false positives?
>>
>> It seems to me as a false positives.
>>
>> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
>> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1'
>> member)
>>
>>>>> import ssl
>>>>> ssl.PROTOCOL_TLSv1
>> 3
>>
>> 2. ipaserver/install/ipa_otptoken_import.py:63:
>> [E1101(no-member),
>> convertDate] Instance of 'tuple' has no 'tzinfo' member)
>> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
>> convertDate] Instance of 'tuple' has no 'timetuple' member)
>>
>> dateutil.parser.parse() returns datetime.datetime object and it
>> has
>> both tzinfo and timetuple methods
>> (https://docs.python.org/2/library/datetime.html#datetime-objects)
>>
>>
>> 3. ipapython/dnssec/ldapkeydb.py:26:
>> [E1127(invalid-slice-index),
>> uri_escape] Slice index is not an int, None, or instance with
>> __index__)
>>
>> This is the line lint is complaining about:
>> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval),
>> 2))
>> I don't see a chance for 'i' or 'i+1' to be anything else than
>> integers.
>>
>>>
tested on:
- F21: ipa-4-1, master branch
- F22: master branch.
IMHO it could got to ipa-4-1 branch because of FreeIPA
4.1.4 in
F22
>>>
>
> This patch doesn't seem to fix all my issues building on F22, so
> tentative NACK.
I tested it this way:
1. started with Fedora-22-x86_64-minimal system
2. dnf install git
3. clone freeipa
4. make version-update # to get freeipa.spec
5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
6. ./make-lint
>
> It seem the main offenders are "No value for argument
> 'second' in
> method
> call" (this one only in test_ipautul.py) and "No value for
> argument
> 'extClass' in method call" sprinkled around various test
> plugins.
> These cause E1120(no-value-for-parameter).
Could you please paste the output of make-lint somewhere?
>>>
>>> Here it is.
>>> This is with my f22 desktop, fully updated with buildrequires
>>> running
>>> make-lint straight after applying your patch:
>>>
>>> * Module ipatests.test_ipapython.test_ipautil
>>> ipatests/test_ipapython/test_ipautil.py:93:
>>> [E1120(no-value-for-parameter), TestCIDict.test_len] No value for
>>> argument 'second' in method call)
>>> ipatests/test_ipapython/test_ipautil.py:96:
>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
>>> for argument 'second' in method call)
>>> ipatests/test_ipapython/test_ipautil.py:97:
>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
>>> for argument 'second' in method call)
>>> ipatests/test_ipapython/test_ipautil.py:98:
>>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
>>> for argument 'second' in met
Re: [Freeipa-devel] [PATCH 0014] emit a more helpful error messages when CA configuration fails
On 04/24/2015 04:15 PM, Martin Basti wrote:
On 20/04/15 12:59, Martin Babinsky wrote:
On 04/17/2015 03:56 PM, Martin Babinsky wrote:
On 03/05/2015 01:11 PM, Martin Babinsky wrote:
https://fedorahosted.org/freeipa/ticket/4900
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Nobody to review this?
Attaching updated patches, one for ipa-4-1 (no DogtagInstance) and one
for master.
Hello, thank for patches:
1)
why is there
+PKI_UNINSTALL_LOG = paths.PKI_CA_UNINSTALL_LOG
I cannot find it used in patches?
Martin^2
--
Martin Basti
That was likely only my oversight. Attaching updated patches.
--
Martin^3 Babinsky
From c11aebd883bce6e506f5ecd7773bb51837be4cb2 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Fri, 17 Apr 2015 17:27:55 +0200
Subject: [PATCH] point the users to PKI-related logs when CA configuration
fails
This patch adds an error handler which prints out the paths to logs related to
configuration and installation of Dogtag/CA in the case of failure.
https://fedorahosted.org/freeipa/ticket/4900
---
ipapython/dogtag.py | 4
ipaserver/install/cainstance.py | 19 +++
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 675d2a77fe30b9109c17089f129b189282ffa57b..e291045a69ed765084edaef5a8ca63834068ea3f 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -55,7 +55,9 @@ class Dogtag10Constants(object):
DESTROY_BINARY = paths.PKIDESTROY
SERVER_ROOT = paths.VAR_LIB_PKI_DIR
+PKI_INSTALL_LOG = paths.PKI_CA_INSTALL_LOG
PKI_INSTANCE_NAME = 'pki-tomcat'
+PKI_LOG_TOP_LEVEL = os.path.join(paths.VAR_LOG_PKI_DIR, PKI_INSTANCE_NAME)
PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR
CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
@@ -88,7 +90,9 @@ class Dogtag9Constants(object):
DESTROY_BINARY = paths.PKISILENT
SERVER_ROOT = paths.VAR_LIB
+PKI_INSTALL_LOG = paths.PKI_CA_INSTALL_LOG
PKI_INSTANCE_NAME = 'pki-ca'
+PKI_LOG_TOP_LEVEL = paths.PKI_CA_LOG_DIR
PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR
CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index cf80d17e04fc59d97ad02116ccfbd3f8bbc10823..54f2f6c53c0103786b3a866f76df8ed365f64788 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -669,8 +669,7 @@ class CAInstance(service.Service):
try:
ipautil.run(args, nolog=nolog)
except ipautil.CalledProcessError, e:
-root_logger.critical("failed to configure ca instance %s" % e)
-raise RuntimeError('Configuration of CA failed')
+self.handle_setup_error(e)
finally:
os.remove(cfg_file)
@@ -820,8 +819,7 @@ class CAInstance(service.Service):
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
except ipautil.CalledProcessError, e:
-root_logger.critical("failed to configure ca instance %s" % e)
-raise RuntimeError('Configuration of CA failed')
+self.handle_setup_error(e)
if self.external == 1:
print "The next step is to get %s signed by your CA and re-run %s as:" % (self.csr_file, sys.argv[0])
@@ -1764,6 +1762,19 @@ class CAInstance(service.Service):
master_entry['ipaConfigString'].append('caRenewalMaster')
self.admin_conn.update_entry(master_entry)
+def handle_setup_error(self, e):
+root_logger.critical("Failed to configure CA instance: %s"
+ % e)
+root_logger.critical("See the installation logs and the following "
+ "files/directories for more information:")
+logs = [self.dogtag_constants.PKI_INSTALL_LOG,
+self.dogtag_constants.PKI_LOG_TOP_LEVEL]
+
+for log in logs:
+root_logger.critical(" %s" % log)
+
+raise RuntimeError("CA configuration failed.")
+
def replica_ca_install_check(config):
if not config.setup_ca:
--
2.1.0
From 1f50525b9840de33cfd4fa0ec3ebb10c04fbf75c Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Mon, 20 Apr 2015 12:34:38 +0200
Subject: [PATCH] point the users to PKI-related logs when CA configuration
fails
This patch adds an error handler which prints out the paths to logs related to
configuration and installation of Dogtag/CA in the case of failure.
https://fedorahosted.org/freeipa/ticket/4900
---
ipapython/dogtag.py | 4
ipaserver/install/cainstance.py | 3 +--
ipaserver/install/dogtaginstance.py | 17 ++---
3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 27/04/15 10:31, David Kupka wrote:
On 04/24/2015 03:58 PM, Tomas Babej wrote:
On 04/24/2015 03:50 PM, Martin Basti wrote:
On 24/04/15 15:22, David Kupka wrote:
On 04/24/2015 03:17 PM, Martin Basti wrote:
On 23/04/15 15:26, David Kupka wrote:
On 04/13/2015 01:23 PM, David Kupka wrote:
On 04/10/2015 02:55 PM, Simo Sorce wrote:
On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
On (08/04/15 08:53), Simo Sorce wrote:
On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
On 04/06/2015 02:48 PM, Simo Sorce wrote:
On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
On 03/30/2015 07:12 AM, Jan Cholasta wrote:
Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a):
On 27.3.2015 14:58, David Kupka wrote:
pylint changed slightly so we must react otherwise
we'll be
unable to
build freeipa rpms on Fedora 22. This patch should go to
master for sure
but I don't know if we want it in 4.1.
ACK
Are all the new disables really just false positives?
It seems to me as a false positives.
1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1'
member)
>>> import ssl
>>> ssl.PROTOCOL_TLSv1
3
2. ipaserver/install/ipa_otptoken_import.py:63:
[E1101(no-member),
convertDate] Instance of 'tuple' has no 'tzinfo' member)
ipaserver/install/ipa_otptoken_import.py:64:
[E1101(no-member),
convertDate] Instance of 'tuple' has no 'timetuple' member)
dateutil.parser.parse() returns datetime.datetime object
and it
has
both tzinfo and timetuple methods
(https://docs.python.org/2/library/datetime.html#datetime-objects)
3. ipapython/dnssec/ldapkeydb.py:26:
[E1127(invalid-slice-index),
uri_escape] Slice index is not an int, None, or instance with
__index__)
This is the line lint is complaining about:
out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval),
2))
I don't see a chance for 'i' or 'i+1' to be anything else
than
integers.
tested on:
- F21: ipa-4-1, master branch
- F22: master branch.
IMHO it could got to ipa-4-1 branch because of FreeIPA
4.1.4 in
F22
This patch doesn't seem to fix all my issues building on
F22, so
tentative NACK.
I tested it this way:
1. started with Fedora-22-x86_64-minimal system
2. dnf install git
3. clone freeipa
4. make version-update # to get freeipa.spec
5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
6. ./make-lint
It seem the main offenders are "No value for argument
'second' in
method
call" (this one only in test_ipautul.py) and "No value for
argument
'extClass' in method call" sprinkled around various test
plugins.
These cause E1120(no-value-for-parameter).
Could you please paste the output of make-lint somewhere?
Here it is.
This is with my f22 desktop, fully updated with buildrequires
running
make-lint straight after applying your patch:
* Module ipatests.test_ipapython.test_ipautil
ipatests/test_ipapython/test_ipautil.py:93:
[E1120(no-value-for-parameter), TestCIDict.test_len] No value
for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:96:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:97:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:98:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:99:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:100:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:101:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No
value
for argument 'excClass' in method call)
ipatests/test_ipapython/test_ipautil.py:105:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value
for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:106:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value
for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:107:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value
for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:108:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value
for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:109:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value
for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:110:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value
for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:114:
[E1120(no-value-for-parameter), TestCIDict.test_setitem] No
value
for argument 'second' in method call)
ipatests/test_ipapython/t
Re: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall
On 04/24/2015 03:19 PM, Martin Basti wrote:
On 20/04/15 10:58, Martin Babinsky wrote:
On 04/20/2015 10:32 AM, Martin Basti wrote:
On 17/04/15 14:11, Martin Babinsky wrote:
On 04/17/2015 12:41 PM, Martin Babinsky wrote:
On 04/17/2015 12:36 PM, Martin Basti wrote:
On 17/04/15 12:33, Martin Babinsky wrote:
On 04/17/2015 12:04 PM, Martin Basti wrote:
On 15/04/15 15:53, Martin Babinsky wrote:
On 04/14/2015 04:24 PM, Martin Basti wrote:
On 14/04/15 16:12, Martin Basti wrote:
On 14/04/15 14:25, Martin Babinsky wrote:
This patch addresses
https://fedorahosted.org/freeipa/ticket/4966
The noise during rollback/uninstall is caused mainly by
unsuccessful
attempts to remove files that do not exist anymore. These
errors
are
now logged at debug level and do not pop-up to stdout/stderr.
Hello, thank you for the patch.
1)
The option add_warning is quite unclear to me. It does not show
warning but error. I suggest something like, show_hint,
show_user_action, or something show_additional_..., or
promt_manual_removal
Martin^2
Continue...
2)
if file_exists(preferences_fname):
try:
os.remove(preferences_fname)
except OSError as e:
log_file_removal_error(e, preferences_fname,
True)
In this case file not found error should never happen.
Could you remove the 'if file_exists' part and handle just
exception?
I just reverted this bit to original form in order to not fix
something that isn't broken. Is that ok?
3)
this is inconsistent with change above, choose one style please:
if os.path.exists(ca_file):
try:
os.unlink(ca_file)
except OSError, e:
root_logger.error(
"Failed to remove '%s': %s", ca_file, e)
--
Martin Basti
Attaching updated patch.
thanks,
just one nitpick, can you move the new function into
installutils, it
can be used in different scripts not just in ipaclient.
I'm not sure if it is a good idea as installutils is a part for
freeipa-server package.
Placing it there would create an unnecessary dependency of
freeipa-client on freeipa-server because of a single function.
you are right, I do not why I thought that ipa-client-install uses
installutils.
ACK
self-NACK, I will try to rewrite the patch in a slightly less dumb
way.
Sorry for the confusion.
Attaching updated patch which does the same but using a wrapper around
os.remove().
Jan suggested to keep the new function in 'ipa-client-install' and
move it around when we do installer re#$%@^ing.
Is that ok?
It looks better, ACK.
Jan NACKed your ACK.
Attaching updated patch.
Sorry, NACK
* Module ipa-client-install
ipa-client/ipa-install/ipa-client-install:791:
[E1121(too-many-function-args), uninstall] Too many positional arguments
for function call)
ipa-client/ipa-install/ipa-client-install:797:
[E1121(too-many-function-args), uninstall] Too many positional arguments
for function call)
consult with Honza if option which show prompt user to delete file
manually, should be there or not.
Updated patch attached.
--
Martin^3 Babinsky
From c0fa8fa0896617ba4a4b78dab283fa9ca583d3f2 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Tue, 14 Apr 2015 13:55:33 +0200
Subject: [PATCH] suppress errors arising from deleting non-existent files
during client uninstall
When rolling back partially configured IPA client a number of OSErrors pop up
due to uninstaller trying to remove files that do not exist anymore. This
patch supresses these errors while keeping them in log as debug messages.
https://fedorahosted.org/freeipa/ticket/4966
---
ipa-client/ipa-install/ipa-client-install | 40 +--
1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index bb59f47249f27a409683f825f204a501a90a0e7a..b87dd791eff599110e43f3c563e9d0be0c68138e 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -238,6 +238,25 @@ def logging_setup(options):
console_format='%(message)s')
+def remove_file(filename):
+"""
+Deletes a file. If the file does not exist (OSError 2) does nothing.
+Otherwise logs an error message and instructs the user to remove the
+offending file manually
+:param filename: name of the file to be removed
+"""
+
+try:
+os.remove(filename)
+except OSError as e:
+if e.errno == 2:
+return
+
+root_logger.error("Failed to remove file %s: %s", filename, e)
+root_logger.error('Please remove %s manually, as it can cause '
+ 'subsequent installation to fail.', filename)
+
+
def log_service_error(name, action, error):
root_logger.error("%s failed to %s: %s", name, action, str(error))
@@ -543,10 +562,7 @@ def uninstall(options, env)
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 04/24/2015 03:58 PM, Tomas Babej wrote:
On 04/24/2015 03:50 PM, Martin Basti wrote:
On 24/04/15 15:22, David Kupka wrote:
On 04/24/2015 03:17 PM, Martin Basti wrote:
On 23/04/15 15:26, David Kupka wrote:
On 04/13/2015 01:23 PM, David Kupka wrote:
On 04/10/2015 02:55 PM, Simo Sorce wrote:
On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote:
On (08/04/15 08:53), Simo Sorce wrote:
On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote:
On 04/06/2015 02:48 PM, Simo Sorce wrote:
On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote:
On 03/30/2015 07:12 AM, Jan Cholasta wrote:
Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a):
On 27.3.2015 14:58, David Kupka wrote:
pylint changed slightly so we must react otherwise we'll be
unable to
build freeipa rpms on Fedora 22. This patch should go to
master for sure
but I don't know if we want it in 4.1.
ACK
Are all the new disables really just false positives?
It seems to me as a false positives.
1. ipalib/plugins/otptoken.py:552: [E1101(no-member),
otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1'
member)
>>> import ssl
>>> ssl.PROTOCOL_TLSv1
3
2. ipaserver/install/ipa_otptoken_import.py:63:
[E1101(no-member),
convertDate] Instance of 'tuple' has no 'tzinfo' member)
ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member),
convertDate] Instance of 'tuple' has no 'timetuple' member)
dateutil.parser.parse() returns datetime.datetime object and it
has
both tzinfo and timetuple methods
(https://docs.python.org/2/library/datetime.html#datetime-objects)
3. ipapython/dnssec/ldapkeydb.py:26:
[E1127(invalid-slice-index),
uri_escape] Slice index is not an int, None, or instance with
__index__)
This is the line lint is complaining about:
out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval),
2))
I don't see a chance for 'i' or 'i+1' to be anything else than
integers.
tested on:
- F21: ipa-4-1, master branch
- F22: master branch.
IMHO it could got to ipa-4-1 branch because of FreeIPA
4.1.4 in
F22
This patch doesn't seem to fix all my issues building on F22, so
tentative NACK.
I tested it this way:
1. started with Fedora-22-x86_64-minimal system
2. dnf install git
3. clone freeipa
4. make version-update # to get freeipa.spec
5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec`
6. ./make-lint
It seem the main offenders are "No value for argument
'second' in
method
call" (this one only in test_ipautul.py) and "No value for
argument
'extClass' in method call" sprinkled around various test
plugins.
These cause E1120(no-value-for-parameter).
Could you please paste the output of make-lint somewhere?
Here it is.
This is with my f22 desktop, fully updated with buildrequires
running
make-lint straight after applying your patch:
* Module ipatests.test_ipapython.test_ipautil
ipatests/test_ipapython/test_ipautil.py:93:
[E1120(no-value-for-parameter), TestCIDict.test_len] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:96:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:97:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:98:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:99:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:100:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:101:
[E1120(no-value-for-parameter), TestCIDict.test_getitem] No value
for argument 'excClass' in method call)
ipatests/test_ipapython/test_ipautil.py:105:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:106:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:107:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:108:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:109:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:110:
[E1120(no-value-for-parameter), TestCIDict.test_get] No value for
argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:114:
[E1120(no-value-for-parameter), TestCIDict.test_setitem] No value
for argument 'second' in method call)
ipatests/test_ipapython/test_ipautil.py:116:
[E1120(no-value-for-parameter), TestCIDict.test_setitem] No
Re: [Freeipa-devel] [PATCH] manage replication topology in the shared tree
On 04/21/2015 10:49 AM, Ludwig Krispenz wrote:
On 04/20/2015 06:00 PM, thierry bordaz wrote:
On 04/13/2015 10:56 AM, Ludwig Krispenz wrote:
Hi,
in the attachment you find the latest state of the "topology
plugin", it implements what is defined in the design page:
http://www.freeipa.org/page/V4/Manage_replication_topology (which is
also waiting for a reviewer)
It contains the plugin itself and a core of ipa commands to manage
a topology. to be really applicable, some work outside is required,
eg the management of the domain level and a decision where the
binddn group should be maintained.
Thanks,
Ludwig
Hello Ludwig,
Quite long review to do. So far I only looked at the startup phase
and I have only few questions and comments.
Thanks for your time, and I'm looking forward to your review of the
other parts, you raise some valid points.
I'll try to answer some of them inline, but will integrate some into a
next version of the patch
In ipa_topo_start, do you need to get argc/argv as you are not using
plugin-argxx attributes ?
no. It was a leftover from a "standard" plugin
topo_plugin_conf configuration parameters are not freed when the
plugin is closed. Is it closed only at shutdown ?
Also I would initiatlize it to {NULL}.
So far it is not planned to be dynamic, but I will addres the memory
management
In case the config does not contain any
nsslapd-topo-plugin-shared-replica-root, I wonder if
ipa_topo_apply_shared_config may crash as shared_replica_root will be
NULL.
or at least in
ipa_topo_apply_shared_replica_config/ipa_topo_util_get_replica_conf.
Also if nsslapd-topo-plugin-shared-replica-root contains an invalid
root suffix (typo), topoRepl remains NULL and
ipa_topo_util_get_replica_conf/ipa_topo_cfg_replica_add can crash.
for the two comments above, I was assuming that plugin conf and shared
tree would be setup by ipa tools and server setup, so assuming only
valid data, but you are right, checking for bad data doesn't hurt.
In ipa_topo_util_segment_from_entry, if the config entry has no
direction/left/right it will crash. Shouldn't it return an error if
the config is invalid.
adding a segment should be done with the ipa command 'ipa
topologysegment-add ...' and this always provides a direction (param
or default). If you try to add a segment directly, direction is a
required attribute of teh segment objectclass, so it should be rejected-
The update of domainLevel may start the plugin. If two mods update
the domainLevel they could be done in parallele.
yes :-(
In ipa_topo_util_update_agmt_list, if there is a marked agmnt but no
segment it deletes the agreement.
Is it possible there is a segment but no agmnt ? For example, if the
server were stopped or crashed after the segment was created but
before the local config was updated.
then it should be created from the segment
Hosts are taken from shared config tree (cn=masters,), is it
possible to have a replica agreement to a host that is not under
'cn=masters,'
yes, it will be ignored by the plugin
thanks
thierry
Hi Ludwig,
I continued the review of the design/topology plugin code. This is
really an interesting plugin but unfortunately I have not yet reviewed
all the parts.
I went through the design and digging the related parts in the code. So
far I need to review the rest starting at
http://www.freeipa.org/page/V4/Manage_replication_topology#connectivity_management.
I think I did ~50% design but may be more than 50% of the code.
Here are additional points:
in ipa_topo_set_domain_level, you may record the new Domain level
value as FATAL (it is already recorded in case of oneline import)
ipa_topo_be_state_change is called for any backend going online.
Domain level and start should be done only for a backend mapping a
shared-replica-root.
Also the plugin can be started many times (each online init),
ipa_topo_util_start is not protected by a lock
Some fields will leak (in ipa_topo_init_shared_config)
Also I wonder if you reinit several times the same replica-root, its
previous config will leak. (replica->repl_segments)
In ipa_topo_apply_shared_replica_config,
I do not see where replica_config is kept (leak ?)
ipa_topo_util_start/ipa_topo_apply_shared_config is called at
startup or during online-init.
For online-init, if the plugin was already active, what is the need
of calling ipa_topo_util_start ?
For online-init, It initializes all the replica-root. Could it init
only the reinitialized replic-root ?
in
http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configuration:_database,
it mentions ipaReplTopoConfigMaster.
Is it implemented ?
in
http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configuration:_segment,
what happens if a server under cn=masters is removed ?
in
http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configurati
