Re: [Freeipa-devel] [PATCH 0230] Server upgrade: fix comment in ldapupdater
On 04/16/2015 05:14 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/4904 Patch attached I guess the rest of the comment is also outdated. Can you update it, too? -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command
On 04/27/2015 04:45 PM, Martin Basti wrote: On 27/04/15 13:38, Martin Basti wrote: On 23/04/15 12:55, Martin Basti wrote: On 21/04/15 10:31, Martin Basti wrote: On 21/04/15 08:12, Jan Cholasta wrote: Hi, Dne 15.4.2015 v 16:26 Martin Basti napsal(a): https://fedorahosted.org/freeipa/ticket/4904 Patches attached. Also ipa-upgradeconfig part is called as a subprocess. This will be removed after installer modifications. This patch may cause temporal upgrade issues (corner cases), until installer part will be finished. If somebody will be hit by them, please use --skip-version-check for ipactl and ipa-server-upgrade. Regarding that option vs. --force: I think the common assumption is that --force ignores *all* non-fatal errors, but you break that assumption in ipactl. IMO --force should both ignore errors in service startup *and* skip version check, and a new option should be added to just ignore errors in service startup (e.g. --ignore-service-failures). Originally I used --force option to skip detection, but there was objections against it on list. However, to have option --force, which set true for both --ignore-service-failures and --skip-version-check options, might be better. ipa-server-upgrade should probably also have --force, even if it does the same thing as --skip-version-check, again because --force is common. This is a weird API: +if data_upgrade.badsyntax: +raise admintool.ScriptError( +'Bad syntax detected in upgrade file(s).', 1) +elif data_upgrade.upgradefailed: +raise admintool.ScriptError('IPA upgrade failed.', 1) +elif data_upgrade.modified: +self.log.info('Data update complete') +else: +self.log.info('Data update complete, no data were modified') Why does not IPAUpgrade raise errors instead? For historical reasons, I can investigate what would break this change, I will send it in separate patch. +class IPAVersionError(Exception): +pass + +class PlatformMismatchError(IPAVersionError): +pass + +class DataUpgradeRequiredError(IPAVersionError): +pass + +class DataInNewerVersionError(IPAVersionError): +pass I don't like the "IPA" in "IPAVersionError", it does not tell you much about what kind of version is that. Also data version errors should only tell you what is wrong, not how you fix it. IMO better names for these would be e.g. "UpgradeVersionError", "UpgradePlatformError", "UpgradeDataOlderVersionError", "UpgradeDataNewerVersionError". Similar for store_ipa_version and check_ipa_version. Ok. Why is it not an error if there is no version in check_ipa_version? IMO it should, even if you then ignore the exception most of the time. I can raise error in that case and ignore the exception. Honza Martin^2 Updated patches attached. Updated patches attached -- Martin Basti Updated patch attached Looks good to me and works as expected. Honza, are you OK with the patches? -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent
On 04/27/2015 03:03 PM, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/4926 Thanks, Gabe PatternFly has new recommendations for terminology and wording [1]. I'm not entirely sure if the usage of 'save' here is good. PF defines 'edit' as the recommended term. The page doesn't say if 'save' is not recommended, though. Save seems to me as a confirmation of editing. Kyle, could you advise what is the best term for reflecting user changes and for confirmation of this action? Technical notes: 1. it would be better to add a new string and then use it in the button instead of having 'Save' text for '@i18n:buttons.update' definition. 2. String changes in internal.py should be also reflected in install/ui/test/data/ipa_init.json (for static web ui demo). 3. optional: in addition to text change, buttons and related actions could also be renamed (same reasons as in 1). It's more proper but much more complicated. [1] https://www.patternfly.org/styles/terminology-and-wording/#action-labels -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command
On 27/04/15 13:38, Martin Basti wrote: On 23/04/15 12:55, Martin Basti wrote: On 21/04/15 10:31, Martin Basti wrote: On 21/04/15 08:12, Jan Cholasta wrote: Hi, Dne 15.4.2015 v 16:26 Martin Basti napsal(a): https://fedorahosted.org/freeipa/ticket/4904 Patches attached. Also ipa-upgradeconfig part is called as a subprocess. This will be removed after installer modifications. This patch may cause temporal upgrade issues (corner cases), until installer part will be finished. If somebody will be hit by them, please use --skip-version-check for ipactl and ipa-server-upgrade. Regarding that option vs. --force: I think the common assumption is that --force ignores *all* non-fatal errors, but you break that assumption in ipactl. IMO --force should both ignore errors in service startup *and* skip version check, and a new option should be added to just ignore errors in service startup (e.g. --ignore-service-failures). Originally I used --force option to skip detection, but there was objections against it on list. However, to have option --force, which set true for both --ignore-service-failures and --skip-version-check options, might be better. ipa-server-upgrade should probably also have --force, even if it does the same thing as --skip-version-check, again because --force is common. This is a weird API: +if data_upgrade.badsyntax: +raise admintool.ScriptError( +'Bad syntax detected in upgrade file(s).', 1) +elif data_upgrade.upgradefailed: +raise admintool.ScriptError('IPA upgrade failed.', 1) +elif data_upgrade.modified: +self.log.info('Data update complete') +else: +self.log.info('Data update complete, no data were modified') Why does not IPAUpgrade raise errors instead? For historical reasons, I can investigate what would break this change, I will send it in separate patch. +class IPAVersionError(Exception): +pass + +class PlatformMismatchError(IPAVersionError): +pass + +class DataUpgradeRequiredError(IPAVersionError): +pass + +class DataInNewerVersionError(IPAVersionError): +pass I don't like the "IPA" in "IPAVersionError", it does not tell you much about what kind of version is that. Also data version errors should only tell you what is wrong, not how you fix it. IMO better names for these would be e.g. "UpgradeVersionError", "UpgradePlatformError", "UpgradeDataOlderVersionError", "UpgradeDataNewerVersionError". Similar for store_ipa_version and check_ipa_version. Ok. Why is it not an error if there is no version in check_ipa_version? IMO it should, even if you then ignore the exception most of the time. I can raise error in that case and ignore the exception. Honza Martin^2 Updated patches attached. Updated patches attached -- Martin Basti Updated patch attached -- Martin Basti From 9ba1dc90b12c70053a926e3dbfbd6aaa4d9fc920 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 2 Apr 2015 14:14:15 +0200 Subject: [PATCH 1/3] Server Upgrade: ipa-server-upgrade command https://fedorahosted.org/freeipa/ticket/4904 --- freeipa.spec.in | 2 + install/tools/Makefile.am | 1 + install/tools/ipa-server-upgrade| 12 ++ install/tools/man/Makefile.am | 1 + install/tools/man/ipa-server-upgrade.1 | 40 ++ ipaserver/install/ipa_server_upgrade.py | 72 + 6 files changed, 128 insertions(+) create mode 100644 install/tools/ipa-server-upgrade create mode 100644 install/tools/man/ipa-server-upgrade.1 create mode 100644 ipaserver/install/ipa_server_upgrade.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..c661fe574464fdba1b1a8c64710d44a012ec8ede 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -660,6 +660,7 @@ fi %{_sbindir}/ipa-replica-manage %{_sbindir}/ipa-csreplica-manage %{_sbindir}/ipa-server-certinstall +%{_sbindir}/ipa-server-upgrade %{_sbindir}/ipa-ldap-updater %{_sbindir}/ipa-otptoken-import %{_sbindir}/ipa-compat-manage @@ -804,6 +805,7 @@ fi %{_mandir}/man1/ipa-replica-prepare.1.gz %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz +%{_mandir}/man1/ipa-server-upgrade.1.gz %{_mandir}/man1/ipa-dns-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-kra-install.1.gz diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index b791a8c748a18602f88522c3a0e3d74499700ae0..e5d45c47966a503da9f25aec13175793a36962e4 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -16,6 +16,7 @@ sbin_SCRIPTS = \ ipa-replica-manage \ ipa-csreplica-manage \ ipa-server-certinstall \ + ipa-server-upgrade \ ipactl \ ipa-compat-manage \ ipa-nis-manage \ diff --git a/install/tools/ipa-server-upgrade b/install/tools/ipa-server-upgrade new file mode 100644 index 0
[Freeipa-devel] [PATCH 0083] Fix a signedness bug in OTP code
This bug caused negative token windows to wrap-around, causing issues with TOTP authentication and (especially) synchronization. https://fedorahosted.org/freeipa/ticket/4990From 12fadccfbea009196e1e0f2efeee7258c68981ca Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Mon, 27 Apr 2015 10:23:49 -0400 Subject: [PATCH] Fix a signedness bug in OTP code This bug caused negative token windows to wrap-around, causing issues with TOTP authentication and (especially) synchronization. https://fedorahosted.org/freeipa/ticket/4990 --- daemons/ipa-slapi-plugins/libotp/otp_token.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c index bc6acc42c8a62dce2f8c715099786a5c0fcc8e07..9b90c6a1137b468103d73cd85fd7e0fcafcee616 100644 --- a/daemons/ipa-slapi-plugins/libotp/otp_token.c +++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c @@ -489,7 +489,7 @@ bool otp_token_validate_berval(struct otp_token * const *tokens, if (time(&now) == (time_t) -1) return false; -for (uint32_t i = 0, cnt = 1; cnt != 0; i++) { +for (ssize_t i = 0, cnt = 1; cnt != 0; i++) { cnt = 0; for (int j = 0; tokens[j] != NULL; j++) { uint32_t *secondp = NULL; @@ -513,8 +513,8 @@ bool otp_token_validate_berval(struct otp_token * const *tokens, } /* Validate the positive/negative steps. */ -if (!validate(tokens[j], now, i, first, secondp) && -!validate(tokens[j], now, 0 - i, first, secondp)) +if (!validate(tokens[j], now, i, first, secondp) && +!validate(tokens[j], now, -i, first, secondp)) continue; /* Codes validated; strip. */ -- 2.3.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] design review: Certificate Profiles
On Fri, Apr 17, 2015 at 02:08:29PM +0200, Martin Kosek wrote: > On 04/16/2015 10:03 AM, Fraser Tweedale wrote: > >Hi everyone, > > > >Please review my Certificate Profiles design proposal: > >http://www.freeipa.org/page/V4/Certificate_Profiles > > > >Let me know what is unclear, what needs expansion, and what is plain > >wrong :) > > > >The schema for storing multiple certificates for a principal is > >still being discussed but I expect it will be agreed soon, and I > >will add it to the document. > > > >I am revising the sub-CAs design proposal and it will soon be > >published for review as well. > > 1) here did you get this feature template? It is the one that is obsolete > (header levels, document structure, missing author in the box)... This is > the right template: > http://www.freeipa.org/page/Feature_template > I saw you updated the formatting and added the `certprofile-mod` command - thanks! > 2) I miss certprofile-find command - to enable Web UI and/or CLI to search > through existing profiles. > The command will exist, but it is still missing from design page; I will add it. > 3) Permissions > So your plan is to allow different groups use different profiles? So there > would be for example profiles allowed to all users (something like > userCattegory:all that we use for HBAC/SUDO)? How do you plan to deal with > authorization? Will be on a FreeIPA framework level or for example by DS > ACIs that would simply not show the profiles? > The design is living in the sub-CAs proposal. The discussion is ongoing (in another thread). > 4) Searching for certificates by profile - FEEDBACK REQUIRED > It would be nice to incorporate this filter to current cert-find command. > I added `cert-find` and the filter. > 5) Default set of profiles > Should we also propose a basic set of canned profiles so that I can picture > what will be the possibilities? > > Would it be something like > * Server profile > * Client profile > We will have a set of included profiles: - The current caIPAserverCert profile (we will rebrand it; "TLS Server and Client Profile" or something) - One for TLS server auth *without* client auth. - User authentication I will include this in design page. > 6) Upgrades > It may happen that FreeIPA needs to upgrade defaults of a canned profile. It > would be nice to have a section how it would do it. > Should be trivial; I have added some commentary to design page. > This is all I could think of so far. > Thanks for your feedback! -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0046] Remove unneeded --ip-address option in ipa-adtrust-install
Hello, Fix for https://fedorahosted.org/freeipa/ticket/4575 Thanks, Gabe From 6c9ac52a18df8bbce33db09c16494159258ff104 Mon Sep 17 00:00:00 2001 From: Gabe Date: Wed, 15 Apr 2015 09:18:58 -0600 Subject: [PATCH] Remove unneeded ip-address option in ipa-adtrust-install https://fedorahosted.org/freeipa/ticket/4575 --- install/tools/ipa-adtrust-install | 25 + install/tools/man/ipa-adtrust-install.1 | 3 --- ipaserver/install/adtrustinstance.py| 4 +--- 3 files changed, 2 insertions(+), 30 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 6e55bbe3e57f1c609398dc571e90cb8677d91a33..3f8f2105bcaf15bc577aeb87ca4bb0d068909b6e 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -39,8 +39,6 @@ def parse_options(): parser = IPAOptionParser(version=version.VERSION) parser.add_option("-d", "--debug", dest="debug", action="store_true", default=False, help="print debugging information") -parser.add_option("--ip-address", dest="ip_address", - type="ip", ip_local=True, help="Master Server IP Address") parser.add_option("--netbios-name", dest="netbios_name", help="NetBIOS name of the IPA domain") parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", @@ -291,37 +289,16 @@ def main(): options.enable_compat = enable_compat_tree() # Check we have a public IP that is associated with the hostname -ip = None try: hostaddr = resolve_host(api.env.host) if len(hostaddr) > 1: print >> sys.stderr, "The server hostname resolves to more than one address:" for addr in hostaddr: print >> sys.stderr, " %s" % addr - -if options.ip_address: -if str(options.ip_address) not in hostaddr: -print >> sys.stderr, "Address passed in --ip-address did not match any resolved" -print >> sys.stderr, "address!" -sys.exit(1) -print "Selected IP address:", str(options.ip_address) -ip = options.ip_address -else: -if options.unattended: -print >> sys.stderr, "Please use --ip-address option to specify the address" -sys.exit(1) -else: -ip = read_ip_address(api.env.host, fstore) -else: -ip = hostaddr and ipautil.CheckedIPAddress(hostaddr[0], match_local=True) except Exception, e: -print "Error: Invalid IP Address %s: %s" % (ip, e) print "Aborting installation" sys.exit(1) -ip_address = str(ip) -root_logger.debug("will use ip_address: %s\n", ip_address) - admin_password = options.admin_password if not (options.unattended or admin_password): admin_password = read_admin_password(options.admin_name) @@ -406,7 +383,7 @@ def main(): smb = adtrustinstance.ADTRUSTInstance(fstore) smb.realm = api.env.realm smb.autobind = ipaldap.AUTOBIND_ENABLED -smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, +smb.setup(api.env.host, api.env.realm, api.env.domain, netbios_name, reset_netbios_name, options.rid_base, options.secondary_rid_base, options.no_msdcs, options.add_sids, diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index b0aa8ceefc34698329b2a13d3adbcb204f08b3a9..a32eefb0e2dd4334b6dc3597b3643743ead56847 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 @@ -41,9 +41,6 @@ might be affected as well. \fB\-d\fR, \fB\-\-debug\fR Enable debug logging when more verbose output is needed .TP -\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR -The IP address of the IPA server. If not provided then this is determined based on the hostname of the server. -.TP \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR The NetBIOS name for the IPA domain. If not provided then this is determined based on the leading component of the DNS domain name. Running diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index b4d644fdbf784dd7936adc8eb085f4825cab797e..92c05f26a10c8f90bbe62ae9f6723d5e22ff3833 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -108,7 +108,6 @@ class ADTRUSTInstance(service.Service): FALLBACK_GROUP_NAME = u'Default SMB Group' def __init__(self, fstore=None): -self.ip_address = None self.netbios_name = None self.reset_netbios_name = None self.no_msdcs = None @@ -774,11 +773,10 @@ class ADTRUSTInstance(service.Service): LDAPI_SOCKET = self.ldapi_socket, FQDN = self.fqdn) -def setup(self, fqdn, ip_address, rea
[Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent
Hello, Fix for https://fedorahosted.org/freeipa/ticket/4926 Thanks, Gabe From 053f7dd53e9d1acd6dec4688ab515f138d832ef4 Mon Sep 17 00:00:00 2001 From: Gabe Date: Mon, 27 Apr 2015 06:49:25 -0600 Subject: [PATCH] Unsaved changes dialog internally inconsistent - Change "Update" button text to "Save" - Change "Reset" button text to "Revert" https://fedorahosted.org/freeipa/ticket/4926 --- ipalib/plugins/internal.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py index b85f2d077110128963e26ccf0f43e21141c46f4a..a88d0b8bf3f4632faf98e269363c6e9b523eefa1 100644 --- a/ipalib/plugins/internal.py +++ b/ipalib/plugins/internal.py @@ -218,14 +218,14 @@ class i18n_messages(Command): "ok": _("OK"), "refresh": _("Refresh"), "remove": _("Delete"), -"reset": _("Reset"), +"reset": _("Revert"), "reset_password_and_login": _("Reset Password and Login"), "restore": _("Restore"), "retry": _("Retry"), "revoke": _("Revoke"), "set": _("Set"), "unapply": ("Un-apply"), -"update": _("Update"), +"update": _("Save"), "view": _("View"), }, "details": { -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] FYI: Fedora 22 and trusts
Hi, if you are playing with Fedora 22 beta, your experience with FreeIPA may be rough. When installing freeipa-server-trust-ad make sure to also install samba-common-tools package. Samba packaging was split to allow samba-common to be an architecture-independent package but samba package didn't get dependency to samba-common-tools subpackage which contains /usr/bin/net utility. This utility is used by FreeIPA when you run ipa-adtrust-install. I've submitted update which fixes this issue [1] but until it reaches stable updates of Fedora 22, simply install samba-common-tools in addition to freeipa-server-trust-ad. As with any pre-release software, it is recommended to always run up-to-date system as bugs get fixed almost every day before release. [1] https://admin.fedoraproject.org/updates/samba-4.2.1-5.fc22 -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0227-0229] Server upgrade: introduce ipa-server-upgrade command
On 23/04/15 12:55, Martin Basti wrote: On 21/04/15 10:31, Martin Basti wrote: On 21/04/15 08:12, Jan Cholasta wrote: Hi, Dne 15.4.2015 v 16:26 Martin Basti napsal(a): https://fedorahosted.org/freeipa/ticket/4904 Patches attached. Also ipa-upgradeconfig part is called as a subprocess. This will be removed after installer modifications. This patch may cause temporal upgrade issues (corner cases), until installer part will be finished. If somebody will be hit by them, please use --skip-version-check for ipactl and ipa-server-upgrade. Regarding that option vs. --force: I think the common assumption is that --force ignores *all* non-fatal errors, but you break that assumption in ipactl. IMO --force should both ignore errors in service startup *and* skip version check, and a new option should be added to just ignore errors in service startup (e.g. --ignore-service-failures). Originally I used --force option to skip detection, but there was objections against it on list. However, to have option --force, which set true for both --ignore-service-failures and --skip-version-check options, might be better. ipa-server-upgrade should probably also have --force, even if it does the same thing as --skip-version-check, again because --force is common. This is a weird API: +if data_upgrade.badsyntax: +raise admintool.ScriptError( +'Bad syntax detected in upgrade file(s).', 1) +elif data_upgrade.upgradefailed: +raise admintool.ScriptError('IPA upgrade failed.', 1) +elif data_upgrade.modified: +self.log.info('Data update complete') +else: +self.log.info('Data update complete, no data were modified') Why does not IPAUpgrade raise errors instead? For historical reasons, I can investigate what would break this change, I will send it in separate patch. +class IPAVersionError(Exception): +pass + +class PlatformMismatchError(IPAVersionError): +pass + +class DataUpgradeRequiredError(IPAVersionError): +pass + +class DataInNewerVersionError(IPAVersionError): +pass I don't like the "IPA" in "IPAVersionError", it does not tell you much about what kind of version is that. Also data version errors should only tell you what is wrong, not how you fix it. IMO better names for these would be e.g. "UpgradeVersionError", "UpgradePlatformError", "UpgradeDataOlderVersionError", "UpgradeDataNewerVersionError". Similar for store_ipa_version and check_ipa_version. Ok. Why is it not an error if there is no version in check_ipa_version? IMO it should, even if you then ignore the exception most of the time. I can raise error in that case and ignore the exception. Honza Martin^2 Updated patches attached. Updated patches attached -- Martin Basti From 9ba1dc90b12c70053a926e3dbfbd6aaa4d9fc920 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 2 Apr 2015 14:14:15 +0200 Subject: [PATCH 1/3] Server Upgrade: ipa-server-upgrade command https://fedorahosted.org/freeipa/ticket/4904 --- freeipa.spec.in | 2 + install/tools/Makefile.am | 1 + install/tools/ipa-server-upgrade| 12 ++ install/tools/man/Makefile.am | 1 + install/tools/man/ipa-server-upgrade.1 | 40 ++ ipaserver/install/ipa_server_upgrade.py | 72 + 6 files changed, 128 insertions(+) create mode 100644 install/tools/ipa-server-upgrade create mode 100644 install/tools/man/ipa-server-upgrade.1 create mode 100644 ipaserver/install/ipa_server_upgrade.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..c661fe574464fdba1b1a8c64710d44a012ec8ede 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -660,6 +660,7 @@ fi %{_sbindir}/ipa-replica-manage %{_sbindir}/ipa-csreplica-manage %{_sbindir}/ipa-server-certinstall +%{_sbindir}/ipa-server-upgrade %{_sbindir}/ipa-ldap-updater %{_sbindir}/ipa-otptoken-import %{_sbindir}/ipa-compat-manage @@ -804,6 +805,7 @@ fi %{_mandir}/man1/ipa-replica-prepare.1.gz %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz +%{_mandir}/man1/ipa-server-upgrade.1.gz %{_mandir}/man1/ipa-dns-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-kra-install.1.gz diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index b791a8c748a18602f88522c3a0e3d74499700ae0..e5d45c47966a503da9f25aec13175793a36962e4 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -16,6 +16,7 @@ sbin_SCRIPTS = \ ipa-replica-manage \ ipa-csreplica-manage \ ipa-server-certinstall \ + ipa-server-upgrade \ ipactl \ ipa-compat-manage \ ipa-nis-manage \ diff --git a/install/tools/ipa-server-upgrade b/install/tools/ipa-server-upgrade new file mode 100644 index ..747024847a7c9d8837b4968395e2c63648a792cf --- /dev/null +++ b/install/to
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 04/27/2015 12:42 PM, David Kupka wrote: > On 04/27/2015 12:18 PM, Martin Basti wrote: >> On 27/04/15 11:04, Martin Kosek wrote: >>> On 04/27/2015 10:49 AM, Martin Basti wrote: On 27/04/15 10:31, David Kupka wrote: > On 04/24/2015 03:58 PM, Tomas Babej wrote: >> >> On 04/24/2015 03:50 PM, Martin Basti wrote: >>> On 24/04/15 15:22, David Kupka wrote: On 04/24/2015 03:17 PM, Martin Basti wrote: > On 23/04/15 15:26, David Kupka wrote: >> On 04/13/2015 01:23 PM, David Kupka wrote: >>> On 04/10/2015 02:55 PM, Simo Sorce wrote: On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote: > On (08/04/15 08:53), Simo Sorce wrote: >> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote: >>> On 04/06/2015 02:48 PM, Simo Sorce wrote: On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: > On 03/30/2015 07:12 AM, Jan Cholasta wrote: >> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): >>> On 27.3.2015 14:58, David Kupka wrote: pylint changed slightly so we must react otherwise we'll be unable to build freeipa rpms on Fedora 22. This patch should go to master for sure but I don't know if we want it in 4.1. >>> ACK >> Are all the new disables really just false positives? > It seems to me as a false positives. > > 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), > otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' > member) > > >>> import ssl > >>> ssl.PROTOCOL_TLSv1 > 3 > > 2. ipaserver/install/ipa_otptoken_import.py:63: > [E1101(no-member), > convertDate] Instance of 'tuple' has no 'tzinfo' member) > ipaserver/install/ipa_otptoken_import.py:64: > [E1101(no-member), > convertDate] Instance of 'tuple' has no 'timetuple' member) > > dateutil.parser.parse() returns datetime.datetime object > and it > has > both tzinfo and timetuple methods > (https://docs.python.org/2/library/datetime.html#datetime-objects) > > > > > 3. ipapython/dnssec/ldapkeydb.py:26: > [E1127(invalid-slice-index), > uri_escape] Slice index is not an int, None, or instance > with > __index__) > > This is the line lint is complaining about: > out += '%'.join(hexval[i:i+2] for i in range(0, > len(hexval), > 2)) > I don't see a chance for 'i' or 'i+1' to be anything > else than > integers. > >>> tested on: >>> - F21: ipa-4-1, master branch >>> - F22: master branch. >>> >>> IMHO it could got to ipa-4-1 branch because of FreeIPA >>> 4.1.4 in >>> F22 This patch doesn't seem to fix all my issues building on F22, so tentative NACK. >>> I tested it this way: >>> 1. started with Fedora-22-x86_64-minimal system >>> 2. dnf install git >>> 3. clone freeipa >>> 4. make version-update # to get freeipa.spec >>> 5. dnf install `awk '/^BuildRequires/ {print $2}' >>> freeipa.spec` >>> 6. ./make-lint >>> It seem the main offenders are "No value for argument 'second' in method call" (this one only in test_ipautul.py) and "No value for argument 'extClass' in method call" sprinkled around various test plugins. These cause E1120(no-value-for-parameter). >>> Could you please paste the output of make-lint somewhere? >> Here it is. >> This is with my f22 desktop, fully updated with buildrequires >> running >> make-lint straight after applying your patch: >> >> * Module ipatests.test_ipapython.test_ipautil >> ipatests/test_ipapython/test_ipautil.py:93: >> [E1120(no-value-for-parameter), TestCIDict.test_len] No >> value for >> argument 'second' in method call) >> ipatests/test_ipapython/test_ipautil.py:96: >> [E1120(no-value-for-para
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 04/27/2015 12:18 PM, Martin Basti wrote: On 27/04/15 11:04, Martin Kosek wrote: On 04/27/2015 10:49 AM, Martin Basti wrote: On 27/04/15 10:31, David Kupka wrote: On 04/24/2015 03:58 PM, Tomas Babej wrote: On 04/24/2015 03:50 PM, Martin Basti wrote: On 24/04/15 15:22, David Kupka wrote: On 04/24/2015 03:17 PM, Martin Basti wrote: On 23/04/15 15:26, David Kupka wrote: On 04/13/2015 01:23 PM, David Kupka wrote: On 04/10/2015 02:55 PM, Simo Sorce wrote: On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote: On (08/04/15 08:53), Simo Sorce wrote: On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote: On 04/06/2015 02:48 PM, Simo Sorce wrote: On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: On 03/30/2015 07:12 AM, Jan Cholasta wrote: Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): On 27.3.2015 14:58, David Kupka wrote: pylint changed slightly so we must react otherwise we'll be unable to build freeipa rpms on Fedora 22. This patch should go to master for sure but I don't know if we want it in 4.1. ACK Are all the new disables really just false positives? It seems to me as a false positives. 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) >>> import ssl >>> ssl.PROTOCOL_TLSv1 3 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), convertDate] Instance of 'tuple' has no 'tzinfo' member) ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), convertDate] Instance of 'tuple' has no 'timetuple' member) dateutil.parser.parse() returns datetime.datetime object and it has both tzinfo and timetuple methods (https://docs.python.org/2/library/datetime.html#datetime-objects) 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), uri_escape] Slice index is not an int, None, or instance with __index__) This is the line lint is complaining about: out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) I don't see a chance for 'i' or 'i+1' to be anything else than integers. tested on: - F21: ipa-4-1, master branch - F22: master branch. IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22 This patch doesn't seem to fix all my issues building on F22, so tentative NACK. I tested it this way: 1. started with Fedora-22-x86_64-minimal system 2. dnf install git 3. clone freeipa 4. make version-update # to get freeipa.spec 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` 6. ./make-lint It seem the main offenders are "No value for argument 'second' in method call" (this one only in test_ipautul.py) and "No value for argument 'extClass' in method call" sprinkled around various test plugins. These cause E1120(no-value-for-parameter). Could you please paste the output of make-lint somewhere? Here it is. This is with my f22 desktop, fully updated with buildrequires running make-lint straight after applying your patch: * Module ipatests.test_ipapython.test_ipautil ipatests/test_ipapython/test_ipautil.py:93: [E1120(no-value-for-parameter), TestCIDict.test_len] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:96: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:97: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:98: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:99: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:100: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:101: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'excClass' in method call) ipatests/test_ipapython/test_ipautil.py:105: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:106: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:107: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:108: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:109: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:110: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:114: [E1120(no-value-for-parameter), TestCIDict.test_se
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 27/04/15 11:04, Martin Kosek wrote: On 04/27/2015 10:49 AM, Martin Basti wrote: On 27/04/15 10:31, David Kupka wrote: On 04/24/2015 03:58 PM, Tomas Babej wrote: On 04/24/2015 03:50 PM, Martin Basti wrote: On 24/04/15 15:22, David Kupka wrote: On 04/24/2015 03:17 PM, Martin Basti wrote: On 23/04/15 15:26, David Kupka wrote: On 04/13/2015 01:23 PM, David Kupka wrote: On 04/10/2015 02:55 PM, Simo Sorce wrote: On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote: On (08/04/15 08:53), Simo Sorce wrote: On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote: On 04/06/2015 02:48 PM, Simo Sorce wrote: On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: On 03/30/2015 07:12 AM, Jan Cholasta wrote: Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): On 27.3.2015 14:58, David Kupka wrote: pylint changed slightly so we must react otherwise we'll be unable to build freeipa rpms on Fedora 22. This patch should go to master for sure but I don't know if we want it in 4.1. ACK Are all the new disables really just false positives? It seems to me as a false positives. 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) >>> import ssl >>> ssl.PROTOCOL_TLSv1 3 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), convertDate] Instance of 'tuple' has no 'tzinfo' member) ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), convertDate] Instance of 'tuple' has no 'timetuple' member) dateutil.parser.parse() returns datetime.datetime object and it has both tzinfo and timetuple methods (https://docs.python.org/2/library/datetime.html#datetime-objects) 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), uri_escape] Slice index is not an int, None, or instance with __index__) This is the line lint is complaining about: out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) I don't see a chance for 'i' or 'i+1' to be anything else than integers. tested on: - F21: ipa-4-1, master branch - F22: master branch. IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22 This patch doesn't seem to fix all my issues building on F22, so tentative NACK. I tested it this way: 1. started with Fedora-22-x86_64-minimal system 2. dnf install git 3. clone freeipa 4. make version-update # to get freeipa.spec 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` 6. ./make-lint It seem the main offenders are "No value for argument 'second' in method call" (this one only in test_ipautul.py) and "No value for argument 'extClass' in method call" sprinkled around various test plugins. These cause E1120(no-value-for-parameter). Could you please paste the output of make-lint somewhere? Here it is. This is with my f22 desktop, fully updated with buildrequires running make-lint straight after applying your patch: * Module ipatests.test_ipapython.test_ipautil ipatests/test_ipapython/test_ipautil.py:93: [E1120(no-value-for-parameter), TestCIDict.test_len] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:96: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:97: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:98: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:99: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:100: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:101: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'excClass' in method call) ipatests/test_ipapython/test_ipautil.py:105: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:106: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:107: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:108: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:109: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:110: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:114: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in metho
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 04/27/2015 10:49 AM, Martin Basti wrote: > On 27/04/15 10:31, David Kupka wrote: >> On 04/24/2015 03:58 PM, Tomas Babej wrote: >>> >>> >>> On 04/24/2015 03:50 PM, Martin Basti wrote: On 24/04/15 15:22, David Kupka wrote: > On 04/24/2015 03:17 PM, Martin Basti wrote: >> On 23/04/15 15:26, David Kupka wrote: >>> On 04/13/2015 01:23 PM, David Kupka wrote: On 04/10/2015 02:55 PM, Simo Sorce wrote: > On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote: >> On (08/04/15 08:53), Simo Sorce wrote: >>> On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote: On 04/06/2015 02:48 PM, Simo Sorce wrote: > On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: >> On 03/30/2015 07:12 AM, Jan Cholasta wrote: >>> Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): On 27.3.2015 14:58, David Kupka wrote: > pylint changed slightly so we must react otherwise we'll be > unable to > build freeipa rpms on Fedora 22. This patch should go to > master for sure > but I don't know if we want it in 4.1. > ACK >>> >>> Are all the new disables really just false positives? >> >> It seems to me as a false positives. >> >> 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), >> otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' >> member) >> >>>>> import ssl >>>>> ssl.PROTOCOL_TLSv1 >> 3 >> >> 2. ipaserver/install/ipa_otptoken_import.py:63: >> [E1101(no-member), >> convertDate] Instance of 'tuple' has no 'tzinfo' member) >> ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), >> convertDate] Instance of 'tuple' has no 'timetuple' member) >> >> dateutil.parser.parse() returns datetime.datetime object and it >> has >> both tzinfo and timetuple methods >> (https://docs.python.org/2/library/datetime.html#datetime-objects) >> >> >> 3. ipapython/dnssec/ldapkeydb.py:26: >> [E1127(invalid-slice-index), >> uri_escape] Slice index is not an int, None, or instance with >> __index__) >> >> This is the line lint is complaining about: >> out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), >> 2)) >> I don't see a chance for 'i' or 'i+1' to be anything else than >> integers. >> >>> tested on: - F21: ipa-4-1, master branch - F22: master branch. IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22 >>> > > This patch doesn't seem to fix all my issues building on F22, so > tentative NACK. I tested it this way: 1. started with Fedora-22-x86_64-minimal system 2. dnf install git 3. clone freeipa 4. make version-update # to get freeipa.spec 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` 6. ./make-lint > > It seem the main offenders are "No value for argument > 'second' in > method > call" (this one only in test_ipautul.py) and "No value for > argument > 'extClass' in method call" sprinkled around various test > plugins. > These cause E1120(no-value-for-parameter). Could you please paste the output of make-lint somewhere? >>> >>> Here it is. >>> This is with my f22 desktop, fully updated with buildrequires >>> running >>> make-lint straight after applying your patch: >>> >>> * Module ipatests.test_ipapython.test_ipautil >>> ipatests/test_ipapython/test_ipautil.py:93: >>> [E1120(no-value-for-parameter), TestCIDict.test_len] No value for >>> argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:96: >>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value >>> for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:97: >>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value >>> for argument 'second' in method call) >>> ipatests/test_ipapython/test_ipautil.py:98: >>> [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value >>> for argument 'second' in met
Re: [Freeipa-devel] [PATCH 0014] emit a more helpful error messages when CA configuration fails
On 04/24/2015 04:15 PM, Martin Basti wrote: On 20/04/15 12:59, Martin Babinsky wrote: On 04/17/2015 03:56 PM, Martin Babinsky wrote: On 03/05/2015 01:11 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/4900 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Nobody to review this? Attaching updated patches, one for ipa-4-1 (no DogtagInstance) and one for master. Hello, thank for patches: 1) why is there +PKI_UNINSTALL_LOG = paths.PKI_CA_UNINSTALL_LOG I cannot find it used in patches? Martin^2 -- Martin Basti That was likely only my oversight. Attaching updated patches. -- Martin^3 Babinsky From c11aebd883bce6e506f5ecd7773bb51837be4cb2 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 17 Apr 2015 17:27:55 +0200 Subject: [PATCH] point the users to PKI-related logs when CA configuration fails This patch adds an error handler which prints out the paths to logs related to configuration and installation of Dogtag/CA in the case of failure. https://fedorahosted.org/freeipa/ticket/4900 --- ipapython/dogtag.py | 4 ipaserver/install/cainstance.py | 19 +++ 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 675d2a77fe30b9109c17089f129b189282ffa57b..e291045a69ed765084edaef5a8ca63834068ea3f 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -55,7 +55,9 @@ class Dogtag10Constants(object): DESTROY_BINARY = paths.PKIDESTROY SERVER_ROOT = paths.VAR_LIB_PKI_DIR +PKI_INSTALL_LOG = paths.PKI_CA_INSTALL_LOG PKI_INSTANCE_NAME = 'pki-tomcat' +PKI_LOG_TOP_LEVEL = os.path.join(paths.VAR_LOG_PKI_DIR, PKI_INSTANCE_NAME) PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME) CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT @@ -88,7 +90,9 @@ class Dogtag9Constants(object): DESTROY_BINARY = paths.PKISILENT SERVER_ROOT = paths.VAR_LIB +PKI_INSTALL_LOG = paths.PKI_CA_INSTALL_LOG PKI_INSTANCE_NAME = 'pki-ca' +PKI_LOG_TOP_LEVEL = paths.PKI_CA_LOG_DIR PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME) CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index cf80d17e04fc59d97ad02116ccfbd3f8bbc10823..54f2f6c53c0103786b3a866f76df8ed365f64788 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -669,8 +669,7 @@ class CAInstance(service.Service): try: ipautil.run(args, nolog=nolog) except ipautil.CalledProcessError, e: -root_logger.critical("failed to configure ca instance %s" % e) -raise RuntimeError('Configuration of CA failed') +self.handle_setup_error(e) finally: os.remove(cfg_file) @@ -820,8 +819,7 @@ class CAInstance(service.Service): ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog) except ipautil.CalledProcessError, e: -root_logger.critical("failed to configure ca instance %s" % e) -raise RuntimeError('Configuration of CA failed') +self.handle_setup_error(e) if self.external == 1: print "The next step is to get %s signed by your CA and re-run %s as:" % (self.csr_file, sys.argv[0]) @@ -1764,6 +1762,19 @@ class CAInstance(service.Service): master_entry['ipaConfigString'].append('caRenewalMaster') self.admin_conn.update_entry(master_entry) +def handle_setup_error(self, e): +root_logger.critical("Failed to configure CA instance: %s" + % e) +root_logger.critical("See the installation logs and the following " + "files/directories for more information:") +logs = [self.dogtag_constants.PKI_INSTALL_LOG, +self.dogtag_constants.PKI_LOG_TOP_LEVEL] + +for log in logs: +root_logger.critical(" %s" % log) + +raise RuntimeError("CA configuration failed.") + def replica_ca_install_check(config): if not config.setup_ca: -- 2.1.0 From 1f50525b9840de33cfd4fa0ec3ebb10c04fbf75c Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 20 Apr 2015 12:34:38 +0200 Subject: [PATCH] point the users to PKI-related logs when CA configuration fails This patch adds an error handler which prints out the paths to logs related to configuration and installation of Dogtag/CA in the case of failure. https://fedorahosted.org/freeipa/ticket/4900 --- ipapython/dogtag.py | 4 ipaserver/install/cainstance.py | 3 +-- ipaserver/install/dogtaginstance.py | 17 ++--- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/ipapython/dogtag.py b/ipapython/dogtag
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 27/04/15 10:31, David Kupka wrote: On 04/24/2015 03:58 PM, Tomas Babej wrote: On 04/24/2015 03:50 PM, Martin Basti wrote: On 24/04/15 15:22, David Kupka wrote: On 04/24/2015 03:17 PM, Martin Basti wrote: On 23/04/15 15:26, David Kupka wrote: On 04/13/2015 01:23 PM, David Kupka wrote: On 04/10/2015 02:55 PM, Simo Sorce wrote: On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote: On (08/04/15 08:53), Simo Sorce wrote: On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote: On 04/06/2015 02:48 PM, Simo Sorce wrote: On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: On 03/30/2015 07:12 AM, Jan Cholasta wrote: Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): On 27.3.2015 14:58, David Kupka wrote: pylint changed slightly so we must react otherwise we'll be unable to build freeipa rpms on Fedora 22. This patch should go to master for sure but I don't know if we want it in 4.1. ACK Are all the new disables really just false positives? It seems to me as a false positives. 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) >>> import ssl >>> ssl.PROTOCOL_TLSv1 3 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), convertDate] Instance of 'tuple' has no 'tzinfo' member) ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), convertDate] Instance of 'tuple' has no 'timetuple' member) dateutil.parser.parse() returns datetime.datetime object and it has both tzinfo and timetuple methods (https://docs.python.org/2/library/datetime.html#datetime-objects) 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), uri_escape] Slice index is not an int, None, or instance with __index__) This is the line lint is complaining about: out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) I don't see a chance for 'i' or 'i+1' to be anything else than integers. tested on: - F21: ipa-4-1, master branch - F22: master branch. IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22 This patch doesn't seem to fix all my issues building on F22, so tentative NACK. I tested it this way: 1. started with Fedora-22-x86_64-minimal system 2. dnf install git 3. clone freeipa 4. make version-update # to get freeipa.spec 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` 6. ./make-lint It seem the main offenders are "No value for argument 'second' in method call" (this one only in test_ipautul.py) and "No value for argument 'extClass' in method call" sprinkled around various test plugins. These cause E1120(no-value-for-parameter). Could you please paste the output of make-lint somewhere? Here it is. This is with my f22 desktop, fully updated with buildrequires running make-lint straight after applying your patch: * Module ipatests.test_ipapython.test_ipautil ipatests/test_ipapython/test_ipautil.py:93: [E1120(no-value-for-parameter), TestCIDict.test_len] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:96: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:97: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:98: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:99: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:100: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:101: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'excClass' in method call) ipatests/test_ipapython/test_ipautil.py:105: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:106: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:107: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:108: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:109: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:110: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:114: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call) ipatests/test_ipapython/t
Re: [Freeipa-devel] [PATCH 0029] suppress errors arising from deleting non-existent files during client uninstall
On 04/24/2015 03:19 PM, Martin Basti wrote: On 20/04/15 10:58, Martin Babinsky wrote: On 04/20/2015 10:32 AM, Martin Basti wrote: On 17/04/15 14:11, Martin Babinsky wrote: On 04/17/2015 12:41 PM, Martin Babinsky wrote: On 04/17/2015 12:36 PM, Martin Basti wrote: On 17/04/15 12:33, Martin Babinsky wrote: On 04/17/2015 12:04 PM, Martin Basti wrote: On 15/04/15 15:53, Martin Babinsky wrote: On 04/14/2015 04:24 PM, Martin Basti wrote: On 14/04/15 16:12, Martin Basti wrote: On 14/04/15 14:25, Martin Babinsky wrote: This patch addresses https://fedorahosted.org/freeipa/ticket/4966 The noise during rollback/uninstall is caused mainly by unsuccessful attempts to remove files that do not exist anymore. These errors are now logged at debug level and do not pop-up to stdout/stderr. Hello, thank you for the patch. 1) The option add_warning is quite unclear to me. It does not show warning but error. I suggest something like, show_hint, show_user_action, or something show_additional_..., or promt_manual_removal Martin^2 Continue... 2) if file_exists(preferences_fname): try: os.remove(preferences_fname) except OSError as e: log_file_removal_error(e, preferences_fname, True) In this case file not found error should never happen. Could you remove the 'if file_exists' part and handle just exception? I just reverted this bit to original form in order to not fix something that isn't broken. Is that ok? 3) this is inconsistent with change above, choose one style please: if os.path.exists(ca_file): try: os.unlink(ca_file) except OSError, e: root_logger.error( "Failed to remove '%s': %s", ca_file, e) -- Martin Basti Attaching updated patch. thanks, just one nitpick, can you move the new function into installutils, it can be used in different scripts not just in ipaclient. I'm not sure if it is a good idea as installutils is a part for freeipa-server package. Placing it there would create an unnecessary dependency of freeipa-client on freeipa-server because of a single function. you are right, I do not why I thought that ipa-client-install uses installutils. ACK self-NACK, I will try to rewrite the patch in a slightly less dumb way. Sorry for the confusion. Attaching updated patch which does the same but using a wrapper around os.remove(). Jan suggested to keep the new function in 'ipa-client-install' and move it around when we do installer re#$%@^ing. Is that ok? It looks better, ACK. Jan NACKed your ACK. Attaching updated patch. Sorry, NACK * Module ipa-client-install ipa-client/ipa-install/ipa-client-install:791: [E1121(too-many-function-args), uninstall] Too many positional arguments for function call) ipa-client/ipa-install/ipa-client-install:797: [E1121(too-many-function-args), uninstall] Too many positional arguments for function call) consult with Honza if option which show prompt user to delete file manually, should be there or not. Updated patch attached. -- Martin^3 Babinsky From c0fa8fa0896617ba4a4b78dab283fa9ca583d3f2 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 14 Apr 2015 13:55:33 +0200 Subject: [PATCH] suppress errors arising from deleting non-existent files during client uninstall When rolling back partially configured IPA client a number of OSErrors pop up due to uninstaller trying to remove files that do not exist anymore. This patch supresses these errors while keeping them in log as debug messages. https://fedorahosted.org/freeipa/ticket/4966 --- ipa-client/ipa-install/ipa-client-install | 40 +-- 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index bb59f47249f27a409683f825f204a501a90a0e7a..b87dd791eff599110e43f3c563e9d0be0c68138e 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -238,6 +238,25 @@ def logging_setup(options): console_format='%(message)s') +def remove_file(filename): +""" +Deletes a file. If the file does not exist (OSError 2) does nothing. +Otherwise logs an error message and instructs the user to remove the +offending file manually +:param filename: name of the file to be removed +""" + +try: +os.remove(filename) +except OSError as e: +if e.errno == 2: +return + +root_logger.error("Failed to remove file %s: %s", filename, e) +root_logger.error('Please remove %s manually, as it can cause ' + 'subsequent installation to fail.', filename) + + def log_service_error(name, action, error): root_logger.error("%s failed to %s: %s", name, action, str(error)) @@ -543,10 +562,7 @@ def uninstall(options, env)
Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.
On 04/24/2015 03:58 PM, Tomas Babej wrote: On 04/24/2015 03:50 PM, Martin Basti wrote: On 24/04/15 15:22, David Kupka wrote: On 04/24/2015 03:17 PM, Martin Basti wrote: On 23/04/15 15:26, David Kupka wrote: On 04/13/2015 01:23 PM, David Kupka wrote: On 04/10/2015 02:55 PM, Simo Sorce wrote: On Fri, 2015-04-10 at 12:55 +0200, Lukas Slebodnik wrote: On (08/04/15 08:53), Simo Sorce wrote: On Wed, 2015-04-08 at 10:22 +0200, David Kupka wrote: On 04/06/2015 02:48 PM, Simo Sorce wrote: On Mon, 2015-03-30 at 12:15 +0200, David Kupka wrote: On 03/30/2015 07:12 AM, Jan Cholasta wrote: Dne 28.3.2015 v 00:05 Petr Vobornik napsal(a): On 27.3.2015 14:58, David Kupka wrote: pylint changed slightly so we must react otherwise we'll be unable to build freeipa rpms on Fedora 22. This patch should go to master for sure but I don't know if we want it in 4.1. ACK Are all the new disables really just false positives? It seems to me as a false positives. 1. ipalib/plugins/otptoken.py:552: [E1101(no-member), otptoken_sync.forward] Module 'ssl' has no 'PROTOCOL_TLSv1' member) >>> import ssl >>> ssl.PROTOCOL_TLSv1 3 2. ipaserver/install/ipa_otptoken_import.py:63: [E1101(no-member), convertDate] Instance of 'tuple' has no 'tzinfo' member) ipaserver/install/ipa_otptoken_import.py:64: [E1101(no-member), convertDate] Instance of 'tuple' has no 'timetuple' member) dateutil.parser.parse() returns datetime.datetime object and it has both tzinfo and timetuple methods (https://docs.python.org/2/library/datetime.html#datetime-objects) 3. ipapython/dnssec/ldapkeydb.py:26: [E1127(invalid-slice-index), uri_escape] Slice index is not an int, None, or instance with __index__) This is the line lint is complaining about: out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) I don't see a chance for 'i' or 'i+1' to be anything else than integers. tested on: - F21: ipa-4-1, master branch - F22: master branch. IMHO it could got to ipa-4-1 branch because of FreeIPA 4.1.4 in F22 This patch doesn't seem to fix all my issues building on F22, so tentative NACK. I tested it this way: 1. started with Fedora-22-x86_64-minimal system 2. dnf install git 3. clone freeipa 4. make version-update # to get freeipa.spec 5. dnf install `awk '/^BuildRequires/ {print $2}' freeipa.spec` 6. ./make-lint It seem the main offenders are "No value for argument 'second' in method call" (this one only in test_ipautul.py) and "No value for argument 'extClass' in method call" sprinkled around various test plugins. These cause E1120(no-value-for-parameter). Could you please paste the output of make-lint somewhere? Here it is. This is with my f22 desktop, fully updated with buildrequires running make-lint straight after applying your patch: * Module ipatests.test_ipapython.test_ipautil ipatests/test_ipapython/test_ipautil.py:93: [E1120(no-value-for-parameter), TestCIDict.test_len] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:96: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:97: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:98: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:99: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:100: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:101: [E1120(no-value-for-parameter), TestCIDict.test_getitem] No value for argument 'excClass' in method call) ipatests/test_ipapython/test_ipautil.py:105: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:106: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:107: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:108: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:109: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:110: [E1120(no-value-for-parameter), TestCIDict.test_get] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:114: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No value for argument 'second' in method call) ipatests/test_ipapython/test_ipautil.py:116: [E1120(no-value-for-parameter), TestCIDict.test_setitem] No
Re: [Freeipa-devel] [PATCH] manage replication topology in the shared tree
On 04/21/2015 10:49 AM, Ludwig Krispenz wrote: On 04/20/2015 06:00 PM, thierry bordaz wrote: On 04/13/2015 10:56 AM, Ludwig Krispenz wrote: Hi, in the attachment you find the latest state of the "topology plugin", it implements what is defined in the design page: http://www.freeipa.org/page/V4/Manage_replication_topology (which is also waiting for a reviewer) It contains the plugin itself and a core of ipa commands to manage a topology. to be really applicable, some work outside is required, eg the management of the domain level and a decision where the binddn group should be maintained. Thanks, Ludwig Hello Ludwig, Quite long review to do. So far I only looked at the startup phase and I have only few questions and comments. Thanks for your time, and I'm looking forward to your review of the other parts, you raise some valid points. I'll try to answer some of them inline, but will integrate some into a next version of the patch In ipa_topo_start, do you need to get argc/argv as you are not using plugin-argxx attributes ? no. It was a leftover from a "standard" plugin topo_plugin_conf configuration parameters are not freed when the plugin is closed. Is it closed only at shutdown ? Also I would initiatlize it to {NULL}. So far it is not planned to be dynamic, but I will addres the memory management In case the config does not contain any nsslapd-topo-plugin-shared-replica-root, I wonder if ipa_topo_apply_shared_config may crash as shared_replica_root will be NULL. or at least in ipa_topo_apply_shared_replica_config/ipa_topo_util_get_replica_conf. Also if nsslapd-topo-plugin-shared-replica-root contains an invalid root suffix (typo), topoRepl remains NULL and ipa_topo_util_get_replica_conf/ipa_topo_cfg_replica_add can crash. for the two comments above, I was assuming that plugin conf and shared tree would be setup by ipa tools and server setup, so assuming only valid data, but you are right, checking for bad data doesn't hurt. In ipa_topo_util_segment_from_entry, if the config entry has no direction/left/right it will crash. Shouldn't it return an error if the config is invalid. adding a segment should be done with the ipa command 'ipa topologysegment-add ...' and this always provides a direction (param or default). If you try to add a segment directly, direction is a required attribute of teh segment objectclass, so it should be rejected- The update of domainLevel may start the plugin. If two mods update the domainLevel they could be done in parallele. yes :-( In ipa_topo_util_update_agmt_list, if there is a marked agmnt but no segment it deletes the agreement. Is it possible there is a segment but no agmnt ? For example, if the server were stopped or crashed after the segment was created but before the local config was updated. then it should be created from the segment Hosts are taken from shared config tree (cn=masters,), is it possible to have a replica agreement to a host that is not under 'cn=masters,' yes, it will be ignored by the plugin thanks thierry Hi Ludwig, I continued the review of the design/topology plugin code. This is really an interesting plugin but unfortunately I have not yet reviewed all the parts. I went through the design and digging the related parts in the code. So far I need to review the rest starting at http://www.freeipa.org/page/V4/Manage_replication_topology#connectivity_management. I think I did ~50% design but may be more than 50% of the code. Here are additional points: in ipa_topo_set_domain_level, you may record the new Domain level value as FATAL (it is already recorded in case of oneline import) ipa_topo_be_state_change is called for any backend going online. Domain level and start should be done only for a backend mapping a shared-replica-root. Also the plugin can be started many times (each online init), ipa_topo_util_start is not protected by a lock Some fields will leak (in ipa_topo_init_shared_config) Also I wonder if you reinit several times the same replica-root, its previous config will leak. (replica->repl_segments) In ipa_topo_apply_shared_replica_config, I do not see where replica_config is kept (leak ?) ipa_topo_util_start/ipa_topo_apply_shared_config is called at startup or during online-init. For online-init, if the plugin was already active, what is the need of calling ipa_topo_util_start ? For online-init, It initializes all the replica-root. Could it init only the reinitialized replic-root ? in http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configuration:_database, it mentions ipaReplTopoConfigMaster. Is it implemented ? in http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configuration:_segment, what happens if a server under cn=masters is removed ? in http://www.freeipa.org/page/V4/Manage_replication_topology#shared_configurati