Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Simo Sorce

On 01/10/15 10:33, Oleg Fayans wrote:

A first glance at the packages built from today's tree reveals the
following problems:

1.
Having PTR sync enabled in global DNS configuration and installing
client with --enable-dns-updates option, ipa master still does not
create a PTR record for the client machine. As a result,
ipa-replica-install throws the following error:

ipa : ERROR Reverse DNS resolution of address 192.168.122.171
(f22replica1.pesen.net) failed. Clients may not function properly.
Please check your DNS setup. (Note that this check queries IPA DNS
directly and ignores /etc/hosts.)


I work around this by passing in --no-host-dns for now


2.
When corresponding PTR record is created manually, ipa-replica-install
still fails:

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR no matching
entry found

The same error was caught by Jan Pazdziora (current discussion in #ipa
channel)


I pushed a rebased patchset on top of current master that includes a
small patch that should deal with the kra detection bug properly.



HTH,
Simo.




On 08/26/2015 11:27 PM, Simo Sorce wrote:

This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to achieve
this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install) with
externally signed certs.

However it is massive enough that it warrants review and pushing, the rest
of the changes can be applied later as this work should not disrupt the
classic install methods.

In order to build, my previous patches (530-533) are needed as well as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in replicas,
eventually his patches should be committed in 389-ds-base 1.3.4.4 when
it will be released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca


These patches are also available in this git tree rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review


Simo.








--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [PATCH 0068] backup/restore CI TESTS: re-kinit after ipa-restore in some tests

2015-10-01 Thread Martin Babinsky
This patch fixes failing DNS/DNSSEC/KRA tests for backup and restore into
already installed IPA master.


It may require my PATCH 0065 to apply cleanly.

Additionally, applying my PATCH 0066 (acked but not pushed as of writing 
this) should result in all backup/restore tests passing.


--
Martin^3 Babinsky
From 18b7f256c94f0becff8511f338ae5c32d961f6db Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 23 Sep 2015 12:47:13 +0200
Subject: [PATCH] re-kinit after ipa-restore in backup/restore CI tests

In FreeIPA CI-tests the install_master task automatically performs kinit after
successful installation. This may break some backup/restore tests which
perform backup into previously installed IPA master. In this case it is
necessary to re-kinit after restore.
---
 ipatests/test_integration/test_backup_and_restore.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index 82d056063809b9e54aa68d62f21749ab860f6613..1eefb3e39d07bf54f26a1603f55e07cb150aafda 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -273,6 +273,7 @@ class BaseBackupAndRestoreWithDNS(IntegrationTest):
 
 tasks.resolve_record(self.master.ip, self.example_test_zone)
 
+tasks.kinit_admin(self.master)
 self.master.run_command([
 'ipa', 'dnszone-add',
 self.example2_test_zone,
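
Review bot: the new tasks.kinit_admin(self.master) in BaseBackupAndRestoreWithDNS sits after tasks.resolve_record(...) and just before the dnszone-add call, with no comment saying why a fresh ticket is needed at this point. In the KRA hunk of the same patch the call directly follows the ipa-restore command, which makes the intent obvious; placing it directly after the restore here as well, or adding a one-line comment such as "# re-kinit after ipa-restore", would keep the three tests consistent and readable without the commit message.
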
@@ -343,6 +344,7 @@ class BaseBackupAndRestoreWithDNSSEC(IntegrationTest):
 self.example_test_zone, self.log), ("Zone is not signed after "
 "restore")
 
+tasks.kinit_admin(self.master)
 self.master.run_command([
 'ipa', 'dnszone-add',
 self.example2_test_zone,
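
Review bot: the identical tasks.kinit_admin(self.master) line is added by hand in three test classes (DNS, DNSSEC, KRA), so the next backup/restore test that restores into an already installed master can miss it again. Consider a small helper in this test module that runs ipa-restore and then calls tasks.kinit_admin, and use it from all three tests.
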
@@ -423,6 +425,7 @@ class BaseBackupAndRestoreWithKRA(IntegrationTest):
 self.master.run_command(['ipa-restore', backup_path],
 stdin_text=dirman_password + '\nyes')
 
+tasks.kinit_admin(self.master)
 # retrieve secret after restore
 self.master.run_command([
 "ipa", "vault-retrieve",
-- 
2.4.3


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Oleg Fayans
A first glance at the packages built from today's tree reveals the
following problems:


1.
Having PTR sync enabled in global DNS configuration and installing 
client with --enable-dns-updates option, ipa master still does not 
create a PTR record for the client machine. As a result, 
ipa-replica-install throws the following error:


ipa : ERROR Reverse DNS resolution of address 192.168.122.171
(f22replica1.pesen.net) failed. Clients may not function properly. 
Please check your DNS setup. (Note that this check queries IPA DNS 
directly and ignores /etc/hosts.)


2.
When corresponding PTR record is created manually, ipa-replica-install 
still fails:


Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR no matching
entry found


The same error was caught by Jan Pazdziora (current discussion in #ipa
channel)




On 08/26/2015 11:27 PM, Simo Sorce wrote:

This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to achieve
this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install) with
externally signed certs.

However it is massive enough that it warrants review and pushing, the rest
of the changes can be applied later as this work should not disrupt the
classic install methods.

In order to build, my previous patches (530-533) are needed as well as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in replicas,
eventually his patches should be committed in 389-ds-base 1.3.4.4 when
it will be released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca


These patches are also available in this git tree rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review

Simo.





--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0067] ipa-server-install: mark master_password Knob as deprecated

2015-10-01 Thread Jan Cholasta

On 1.10.2015 15:43, Martin Babinsky wrote:

On 10/01/2015 02:49 PM, Martin Babinsky wrote:

Pave Picka found out that the fix for
https://fedorahosted.org/freeipa/ticket/4516
was partially undone during 4.2 installer refactoring efforts.

This one-liner should fix it for good (or at least until we move the
code around again).





created a new ticket for this regression
(https://fedorahosted.org/freeipa/ticket/5335) and closed the original
one again.

Sorry for the confusion and thanks to Honza for correcting me.


Works for me, ACK.

Pushed to:
master: e3cb6305cc39caf8323ed0d1b729369910c97505
ipa-4-2: 63c888406b2a59e0640ceba57f6db551177a804f

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0067] ipa-server-install: mark master_password Knob as deprecated

2015-10-01 Thread Martin Babinsky

On 10/01/2015 02:49 PM, Martin Babinsky wrote:

Pave Picka found out that the fix for
https://fedorahosted.org/freeipa/ticket/4516
was partially undone during 4.2 installer refactoring efforts.

This one-liner should fix it for good (or at least until we move the
code around again).





created a new ticket for this regression
(https://fedorahosted.org/freeipa/ticket/5335) and closed the original
one again.


Sorry for the confusion and thanks to Honza for correcting me.

--
Martin^3 Babinsky
From dcff039a8cf285fe892ff386da0997074bcd8111 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 1 Oct 2015 14:39:19 +0200
Subject: [PATCH] ipa-server-install: mark master_password Knob as deprecated

fixes a regression introduced during fixing
https://fedorahosted.org/freeipa/ticket/5184

https://fedorahosted.org/freeipa/ticket/5335
---
 ipaserver/install/server/install.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 4fe1ed9f25206e7c014e544fcc3e71243e685f86..83b88ebb86eaac1f76f6efcd0ed2cc18ff59fd51 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1167,6 +1167,7 @@ class Server(BaseServer):
 master_password = Knob(
 str, None,
 sensitive=True,
+deprecated=True,
 description="kerberos master password (normally autogenerated)",
 cli_short_name='P',
 )
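
Review bot: with deprecated=True added to master_password, the description on the next line still reads "kerberos master password (normally autogenerated)" and the knob keeps cli_short_name='P', so nothing in the visible definition tells someone reading the help text that the option is deprecated. If the Knob machinery does not already hide or annotate deprecated options, say so in the description string.
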
-- 
2.4.3


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Simo Sorce

On 01/10/15 07:42, Jan Cholasta wrote:

Hi,

I have just imported python-jwcrypto, custodia and pki-core-10.2.7 into
mkosek/freeipa-master as well, to (hopefully) make things easier.

Simo, custodia failed to build F22, any idea why? See
.


On the surface it looks like a missing dependency on cffi, though I am 
not sure why we'd need it, maybe the tests are downloading cryptography 
to build it for non-system python versions ?


Simo.



On 1.10.2015 12:39, Oleg Fayans wrote:

Hi Ludwig,

Thank you! vakwetu/dogtag_10.2.7_test_builds was the bit that was missing

On 10/01/2015 12:29 PM, Ludwig Krispenz wrote:


On 10/01/2015 12:06 PM, Oleg Fayans wrote:

Hi Simo,

I was able to build the packages based on your git repo. However, my
attempt to install the resulting bits failed due to lack of
dependencies:

pki-ca >= 10.2.7 is needed by
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64
pki-kra >= 10.2.7 is needed by
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64

My system has version 10.2.6 of above packages provided by
mkosek/freeipa-master copr repo.

What is the correct repo to get 10.2.7 from?

when Simo first submitted the patches for review he also listed the
repos used:

simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

I'm not sure if all of them are still needed, eg for 389-ds the private
repo is no longer needed, but you can use this for missing rpms




On 09/29/2015 09:31 PM Simo Sorce wrote:

On 29/09/15 14:56, Oleg Fayans wrote:



On 09/29/2015 06:47 PM, Simo Sorce wrote:

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build
fails
due
to lint complaints:
https://paste.fedoraproject.org/272714/54174014/


This happens if you do not have custodia installed.
I guess I should make it also a BuildRequires ?


I think so, yes.


Turns out it is already there.

Simo.


Simo.


On 09/29/2015 04:54 PM, Simo Sorce wrote:

On 29/09/15 10:39, Oleg Fayans wrote:

Hi Simo,

Is this [1] the correct link to the repo containing all latest
replica-promotion patches? I tried to build the packages from
this
code
and the build failed due to libpdb not having make_pdb_method [2]
I was able to successfully build from the clean upstream tree on
the
same machine.



I rebased it on top of current master, let me know if this helps.

Simo.



[1]
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review









[2] https://paste.fedoraproject.org/272672/53685114/

On 09/29/2015 03:55 PM, Simo Sorce wrote:

On 29/09/15 09:28, Jan Pazdziora wrote:

On Thu, Sep 24, 2015 at 09:10:30AM -0400, Simo Sorce wrote:


I think the problem is that the patch was pushed prematurely.
The option should become unused once the other patches in this
patchset are
applied, that is why that patch was not on top of the list but
rather
down
close to the bottom.


Simo,

could you please add the

How To Test

steps to http://www.freeipa.org/page/V4/Replica_Promotion?

It would make the functional check of this patchset easier,
spelling
out how the workflow is supposed to work.


Done.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHES] More Python 3 porting

2015-10-01 Thread Jan Cholasta

Hi,

On 1.10.2015 13:01, Martin Basti wrote:



On 09/30/2015 10:25 AM, Petr Viktorin wrote:

On 09/23/2015 04:46 PM, Petr Viktorin wrote:

On 09/22/2015 02:59 PM, David Kupka wrote:

On 18/09/15 17:00, Petr Viktorin wrote:

Hello,
Here are more patches that bring IPA closer to Python 3 compatibility.





Hi Petr,
thanks for another batch of Python 3 compatibility patches.
Unfortunately I hit a lot of pylint errors. Some of them are false
positives for sure. Could you please look at them, mark the false
positive with "pylint: disable=E" directive and fix the rest?

http://fpaste.org/270090/92665414/


Thanks.
I'm actually having some trouble running pylint on an f23 machine; have
you seen this error before?

$ ./make-lint
Traceback (most recent call last):
   File "./make-lint", line 280, in <module>
 sys.exit(main())
   File "./make-lint", line 251, in main
 linter.check(files)
   File "/usr/lib/python2.7/site-packages/pylint/lint.py", line 747,
in check
 self._do_check(files_or_modules)
   File "/usr/lib/python2.7/site-packages/pylint/lint.py", line 869, in
_do_check
 self.check_astroid_module(ast_node, walker, rawcheckers,
tokencheckers)
   File "/usr/lib/python2.7/site-packages/pylint/lint.py", line 924, in
check_astroid_module
 tokens = utils.tokenize_module(ast_node)
   File "/usr/lib/python2.7/site-packages/pylint/utils.py", line 137, in
tokenize_module
 with module.stream() as stream:
AttributeError: 'Module' object has no attribute 'stream'


Anyway, I've run pylint on f21. Updated patches attached.

ping, could someone take a look at the patches?



LGTM

I ran xmlrpc tests, DNSSEC ci tests, backup and restore CI test and
everything works


Patches 713-719: ACK


Patch 720:

You missed:

ipa-client/ipa-install/ipa-client-install:32:from ConfigParser import RawConfigParser



Patches 721-722: ACK


Patch 723:

Why the "NoneType = type(None)" in parameters.py? It is used only at:

ipalib/parameters.py:388:type = NoneType  # Ouch, this wont be very useful in the real world!



Patch 724:

The SSHPublicKey class was written with the assumption that "str" means 
binary data, so unless I'm missing something, you only need to replace 
"str" with "bytes".



Patch 725: ACK


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCHES 466-468, 0316] install: Add common base class for server and replica install

2015-10-01 Thread Martin Basti



On 10/01/2015 12:55 PM, Jan Cholasta wrote:

On 29.9.2015 15:15, Martin Basti wrote:



On 09/29/2015 03:11 PM, Milan Kubík wrote:

On 09/23/2015 05:01 PM, Martin Basti wrote:



On 09/22/2015 12:10 PM, Jan Cholasta wrote:

On 22.9.2015 10:29, Martin Babinsky wrote:

On 09/16/2015 10:44 AM, Jan Cholasta wrote:

On 16.9.2015 08:11, Jan Cholasta wrote:

On 15.9.2015 07:22, Jan Cholasta wrote:

On 10.8.2015 16:58, Martin Babinsky wrote:

On 08/06/2015 08:22 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes part of
.

See also Martin Babinsky's patch 51:
. 









Honza



Sorry but NACK, see below:

1.) it seems that passing kwargs to Server components doesn't
work as
expected. See these logs (install on fresh F22 VM):

http://fpaste.org/253416/21363814/
http://fpaste.org/253419/43921374/


Fixed.



2.) the following code blows up in BaseServers' __init__:
(http://fpaste.org/253400/21225314/)

    if not self.dns.setup_dns:
        if self.dns.forwarders:
            raise RuntimeError(
                "You cannot specify a --forwarder option without the "
                "--setup-dns option")

I think that the check should be:

    if not self.setup_dns:
        if self.dns.forwarders:


Fixed.



IMHO BaseServerDNS class shouldn't have setup_dns knob, that
should be
set in the parent class (BaseServer)


Fixed.



3.) Is there any reason why BaseServer doesn't have
'master_password',
'idmax' and 'idstart' knobs? I know that these are then brought
in by
the derived Server class, but the check for them is in parent's
__init__() method and it is IMHO a bit confusing


The check should be in Server, fixed.



4.) please add license header to the beginning of
'ipaserver/install/server/common.py' file


Added.

Updated patches attached.


Self-NACK, I broke ipa-server-install --uninstall.


Fixed.



ACK to all three patches.



Thanks.

Pushed to:
master: 86edd6abeb9749e159a529b83cfce6443fff4ba5
ipa-4-2: 42d16b02cd153ac89ebd8ae07c98611dc3b6e471


These patches introduced a regression.
ipa-replica-install in unattended mode requires to specify -a, -p and
-r options.

Attached patch fixes it.




Works for me, ACK.

Milan

Pushed to ipa-4-2: ad285897f54190fd0113209f32fce7f37fb0ce77
Pushed to master: 74da4f5870edda85039b3bba52fb0a578676fb44


Martin found an additional issue, see the attached patch for a fix.


ACK

Pushed to:
ipa-4-2: 75a8454caeeaf293c0b6be48f2b8476e7707447f
master: 6067824be494745926204a7ba3709c3c0f054326



[Freeipa-devel] [PATCH 0067] ipa-server-install: mark master_password Knob as deprecated

2015-10-01 Thread Martin Babinsky

Pave Picka found out that the fix for
https://fedorahosted.org/freeipa/ticket/4516
was partially undone during 4.2 installer refactoring efforts.

This one-liner should fix it for good (or at least until we move the 
code around again).


--
Martin^3 Babinsky
From 2513de2c84b1d28cc07ce3f45e1c3ce7e8618807 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 1 Oct 2015 14:39:19 +0200
Subject: [PATCH] ipa-server-install: mark master_password Knob as deprecated

fixes a regression reintroduced during installer refactoring

https://fedorahosted.org/freeipa/ticket/4516
---
 ipaserver/install/server/install.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 4fe1ed9f25206e7c014e544fcc3e71243e685f86..83b88ebb86eaac1f76f6efcd0ed2cc18ff59fd51 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1167,6 +1167,7 @@ class Server(BaseServer):
 master_password = Knob(
 str, None,
 sensitive=True,
+deprecated=True,
 description="kerberos master password (normally autogenerated)",
 cli_short_name='P',
 )
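
Review bot: no test accompanies the one-line deprecated=True change on master_password, although the commit message says this regression was reintroduced during installer refactoring. A small test asserting that the Server.master_password knob is marked deprecated would keep a later refactoring from dropping the flag a second time.
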
-- 
2.4.3


Re: [Freeipa-devel] [PATCH] Proper fix for ticket 5306

2015-10-01 Thread Martin Basti



On 10/01/2015 02:43 PM, Oleg Fayans wrote:

Hi Martin,

On 10/01/2015 11:18 AM, Martin Basti wrote:



On 09/30/2015 01:24 PM, Martin Basti wrote:



On 09/30/2015 12:19 PM, Oleg Fayans wrote:



On 09/30/2015 11:46 AM, Petr Spacek wrote:

On 29.9.2015 09:12, Oleg Fayans wrote:

+def prepare_reverse_zone(host, ip):
+zone = get_reverse_zone_default(ip)
+host.run_command(["ipa",
+  "dnszone-add",
+  zone,
+  "--name-from-ip=%s" % ip], raiseonerr=False)


There is probably no point in specifying --name-from-ip because you
did that
already by calling get_reverse_zone_default(ip).


Agree. Fixed



Anyway, I'm not sure that this

+prepare_reverse_zone(master, replica.ip)

will not break if the reverse zone already exists (think about case
where two
or more replicas are in the same subnet).


That's why I am using the raiseonerr=False here.



I did not test the code, I simply do not have time for it right now.






 LGTM, I will test it soon, but it needs rebase for ipa-4-2 branch



ACK, please send rebased version for ipa-4-2


Here it is


Pushed to ipa-4-2: c898c968d3979a0d8c2fe0db8e125dfc2268eba0
Pushed to master: 03d696f224642c1c4c4f1a434fecefd1c6270e37



Re: [Freeipa-devel] [PATCH] Proper fix for ticket 5306

2015-10-01 Thread Oleg Fayans

Hi Martin,

On 10/01/2015 11:18 AM, Martin Basti wrote:



On 09/30/2015 01:24 PM, Martin Basti wrote:



On 09/30/2015 12:19 PM, Oleg Fayans wrote:



On 09/30/2015 11:46 AM, Petr Spacek wrote:

On 29.9.2015 09:12, Oleg Fayans wrote:

+def prepare_reverse_zone(host, ip):
+zone = get_reverse_zone_default(ip)
+host.run_command(["ipa",
+  "dnszone-add",
+  zone,
+  "--name-from-ip=%s" % ip], raiseonerr=False)


There is probably no point in specifying --name-from-ip because you
did that
already by calling get_reverse_zone_default(ip).


Agree. Fixed



Anyway, I'm not sure that this

+prepare_reverse_zone(master, replica.ip)

will not break if the reverse zone already exists (think about case
where two
or more replicas are in the same subnet).


That's why I am using the raiseonerr=False here.



I did not test the code, I simply do not have time for it right now.






 LGTM, I will test it soon, but it needs rebase for ipa-4-2 branch



ACK, please send rebased version for ipa-4-2


Here it is

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 112c6dca2cc462bb78c568bed12b2a4a51d34ee9 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Thu, 1 Oct 2015 14:08:08 +0200
Subject: [PATCH] Added a proper workaround for dnssec test failures in Beaker
 environment

In beaker lab the situation when master and replica have ip addresses from
different subnets is quite frequent. When a replica has ip from different
subnet than master's, ipa-replica-prepare looks up a proper reverse zone to
add a pointer record, and if it does not find it, it asks a user for permission
to create it automatically. It breaks the tests adding the unexpected input.
The workaround is to always create a reverse zone for a new replica.

Corresponding ticket is https://fedorahosted.org/freeipa/ticket/5306
---
 ipatests/test_integration/tasks.py | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index f579f286826f749a8c5f8433f2a8bf7348664ba9..0fcc860a20865063ffb76b0553eb2c2831321bd1 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -41,6 +41,11 @@ from ipatests.test_integration.host import Host
 log = log_mgr.get_logger(__name__)
 
 
+def prepare_reverse_zone(host, ip):
+zone = get_reverse_zone_default(ip)
+host.run_command(["ipa",
+  "dnszone-add",
+  zone], raiseonerr=False)
 def prepare_host(host):
 if isinstance(host, Host):
 env_filename = os.path.join(host.config.test_dir, 'env.sh')
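
Review bot: raiseonerr=False in prepare_reverse_zone discards every failure of ipa dnszone-add, not only the expected "zone already exists" case, so a missing ticket or a wrong zone name passes silently and only surfaces later as a replica install failure. Capture the result of host.run_command, ignore only the duplicate-zone error, and log or raise on anything else. Style: the new function has no docstring and is followed directly by def prepare_host with no blank lines between the two definitions.
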
@@ -221,17 +226,17 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False):
 
 apply_common_fixes(replica)
 fix_apache_semaphores(replica)
-
+prepare_reverse_zone(master, replica.ip)
 master.run_command(['ipa-replica-prepare',
 '-p', replica.config.dirman_password,
-'--ip-address', replica.ip, '--no-reverse',
+'--ip-address', replica.ip,
 replica.hostname])
 replica_bundle = master.get_file_contents(
 paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
 replica_filename = os.path.join(replica.config.test_dir,
 'replica-info.gpg')
 replica.put_file_contents(replica_filename, replica_bundle)
-args = ['ipa-replica-install', '-U', '--no-host-dns',
+args = ['ipa-replica-install', '-U',
 '-p', replica.config.dirman_password,
 '-w', replica.config.admin_password,
 '--ip-address', replica.ip,
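
Review bot: prepare_reverse_zone(master, replica.ip) is called unconditionally in install_replica while '--no-reverse' and '--no-host-dns' are removed in the same hunk, so the install now depends on a zone creation whose failure is ignored. If the master in a given test has no integrated DNS, dnszone-add cannot succeed and ipa-replica-install will no longer skip its host DNS checks; either guard the call on the master having DNS or keep '--no-host-dns' for that case. The blank line after fix_apache_semaphores(replica) was also dropped.
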
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0066] fix for regression in ipa-restore

2015-10-01 Thread Martin Babinsky

On 10/01/2015 02:18 PM, Martin Kosek wrote:

On 09/29/2015 03:27 PM, David Kupka wrote:

On 25/09/15 18:13, Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5328




Fixes the issue for me, ACK.



Just checking - what is the impact here, will ipa-restore still work on a clean
machine without FreeIPA installed, i.e. without dirsrv being in /etc/passwd?



Yes it will since dirsrv/ca users are (re)created during full restore 
anyway.


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0066] fix for regression in ipa-restore

2015-10-01 Thread David Kupka

On 01/10/15 14:18, Martin Kosek wrote:

On 09/29/2015 03:27 PM, David Kupka wrote:

On 25/09/15 18:13, Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5328




Fixes the issue for me, ACK.



Just checking - what is the impact here, will ipa-restore still work on a clean
machine without FreeIPA installed, i.e. without dirsrv being in /etc/passwd?

Yes, restore on clean machine should not be affected. The problem is in 
scenario such as:

1. install freeipa packages
2. install freeipa-server
3. run ipa-backup
4. *add some system user*
5. run ipa-restore

After restore the newly added system user is gone.
--
David Kupka



Re: [Freeipa-devel] [PATCH 0066] fix for regression in ipa-restore

2015-10-01 Thread Martin Kosek
On 09/29/2015 03:27 PM, David Kupka wrote:
> On 25/09/15 18:13, Martin Babinsky wrote:
>> fixes https://fedorahosted.org/freeipa/ticket/5328
>>
>>
>>
> Fixes the issue for me, ACK.
> 

Just checking - what is the impact here, will ipa-restore still work on a clean
machine without FreeIPA installed, i.e. without dirsrv being in /etc/passwd?



Re: [Freeipa-devel] [patch 0020] ipatests: configure Network Manager not to manage resolv.conf

2015-10-01 Thread Milan Kubík

On 10/01/2015 12:39 PM, Alexander Bokovoy wrote:

On Thu, 01 Oct 2015, Milan Kubík wrote:

On 10/01/2015 11:23 AM, Martin Basti wrote:



On 10/01/2015 10:18 AM, Milan Kubík wrote:

On 10/01/2015 10:06 AM, Milan Kubík wrote:

Fixes https://fedorahosted.org/freeipa/ticket/5331

Patch attached.



Patch for ipa-4-2 branch.

Milan



NACK

http://fpaste.org/273499/43691381/

I disagree. From [1]:

   Fedora now by default relies on NetworkManager for network 
configuration. This is the case also for minimal installations and 
server installations.


The cloud image, which you are probably using, does not have
NetworkManager installed. I think we can rely on the default here and
assume NetworkManager is present.

If you and the list disagree, I will make the fix depend on 
NetworkManager's presence.
Nitpick: there can be other services that manage (and rewrite) 
resolv.conf.

While other tools may do it, please make it so that your fix only
activated if NetworkManager is active.

We'll get to other services once we'll encounter them.

Ok. Now I only apply the config and restart NetworkManager when it is 
already running. I don't check if the service is enabled.


--
Milan Kubik

From c41e5941c7d24575495b8064f6412afcecab55ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Fri, 25 Sep 2015 21:09:24 +0200
Subject: [PATCH] ipatests: configure Network Manager not to manage resolv.conf

For the duration of the test, makes resolv.conf unmanaged.
If NetworkManager is not running, nothing is changed.

https://fedorahosted.org/freeipa/ticket/5331
---
 ipaplatform/base/paths.py  |  2 +-
 ipatests/test_integration/tasks.py | 36 
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 215caf90ea1ca4e5db8f43f8f09002ce5d5cd280..a272143d0053451c017c0df613951cc0e6d52c54 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -354,6 +354,6 @@ class BasePathNamespace(object):
 DB2BAK = '/usr/sbin/db2bak'
 KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
 CERTMONGER = '/usr/sbin/certmonger'
-
+NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
 
 path_namespace = BasePathNamespace
diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index f579f286826f749a8c5f8433f2a8bf7348664ba9..db10a52e8a68b0104cf6f4c8b29b25a655fa742a 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -40,6 +40,8 @@ from ipatests.test_integration.host import Host
 
 log = log_mgr.get_logger(__name__)
 
+IPATEST_NM_CONFIG = '20-ipatest-unmanaged-resolv.conf'
+
 
 def prepare_host(host):
 if isinstance(host, Host):
@@ -56,6 +58,7 @@ def prepare_host(host):
 def apply_common_fixes(host):
 fix_etc_hosts(host)
 fix_hostname(host)
+modify_nm_resolv_conf_settings(host)
 fix_resolv_conf(host)
 
 
@@ -101,6 +104,38 @@ def fix_hostname(host):
 host.run_command('hostname > %s' % ipautil.shell_quote(backupname))
 
 
+def host_service_active(host, service):
+res = host.run_command(['systemctl', 'is-active', '--quiet', service],
+   raiseonerr=False)
+
+if res.returncode == 0:
+return True
+else:
+return False
+
+
+def modify_nm_resolv_conf_settings(host):
+if not host_service_active(host, 'NetworkManager'):
+return
+
+config = "[main]\ndns=none\n"
+path = os.path.join(paths.NETWORK_MANAGER_CONFIG_DIR, IPATEST_NM_CONFIG)
+
+host.put_file_contents(path, config)
+host.run_command(['systemctl', 'restart', 'NetworkManager'],
+ raiseonerr=False)
+
+
+def undo_nm_resolv_conf_settings(host):
+if not host_service_active(host, 'NetworkManager'):
+return
+
+path = os.path.join(paths.NETWORK_MANAGER_CONFIG_DIR, IPATEST_NM_CONFIG)
+host.run_command(['rm', '-f', path], raiseonerr=False)
+host.run_command(['systemctl', 'restart', 'NetworkManager'],
+ raiseonerr=False)
+
+
 def fix_resolv_conf(host):
 backup_file(host, paths.RESOLV_CONF)
 lines = host.get_file_contents(paths.RESOLV_CONF).splitlines()
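Review bot: `undo_nm_resolv_conf_settings` returns early when NetworkManager is not active, so if the service was running when `modify_nm_resolv_conf_settings` wrote the drop-in but is stopped by teardown time, `20-ipatest-unmanaged-resolv.conf` stays in `conf.d` and applies on the next start. Run the `rm -f` unconditionally and gate only the restart on `host_service_active`. Smaller point: `host_service_active` can end with `return res.returncode == 0` instead of the `if`/`else`.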
@@ -128,6 +163,7 @@ def fix_apache_semaphores(master):
 def unapply_fixes(host):
 restore_files(host)
 restore_hostname(host)
+undo_nm_resolv_conf_settings(host)
 
 # Clean up the test directory
 host.run_command(['rm', '-rvf', host.config.test_dir])
-- 
2.6.0

From fb8ab435c71f08c6fcb9cc8f4a983a278824de44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Fri, 25 Sep 2015 21:09:24 +0200
Subject: [PATCH] ipatests: configure Network Manager not to manage resolv.conf

For the duration of the test, makes resolv.conf unmanaged.
If NetworkManager is not running, nothing is changed.

https://fedorahosted.org/freeipa/ticket/5331
---
 ipaplatform/base/paths.py  |  2 +-
 ipatests/test_integration/tasks.py | 36 ++

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Jan Cholasta

Hi,

I have just imported python-jwcrypto, custodia and pki-core-10.2.7 into 
mkosek/freeipa-master as well, to (hopefully) make things easier.


Simo, custodia failed to build F22, any idea why? See 
.


On 1.10.2015 12:39, Oleg Fayans wrote:

Hi Ludwig,

Thank you! vakwetu/dogtag_10.2.7_test_builds was the bit that was missing

On 10/01/2015 12:29 PM, Ludwig Krispenz wrote:


On 10/01/2015 12:06 PM, Oleg Fayans wrote:

Hi Simo,

I was able to build the packages based on your git repo. However, my
attempt to install the resulting bits failed due to lack of
dependencies:

pki-ca >= 10.2.7 is needed by
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64
pki-kra >= 10.2.7 is needed by
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64

My system has version 10.2.6 of above packages provided by
mkosek/freeipa-master copr repo.

What is the correct repo to get 10.2.7 from?

when Simo first submitted the patches for review he also listed the
repos used:

simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

I'm not sure if all of them are still needed, e.g. for 389-ds the private
repo is no longer needed, but you can use this for missing rpms




On 09/29/2015 09:31 PM Simo Sorce wrote:

On 29/09/15 14:56, Oleg Fayans wrote:



On 09/29/2015 06:47 PM, Simo Sorce wrote:

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build fails due
to lint complaints: https://paste.fedoraproject.org/272714/54174014/


These happen if you do not have custodia installed.
I guess I should make it also a BuildRequires?


I think so, yes.


Turns out it is already there.

Simo.


Simo.


On 09/29/2015 04:54 PM, Simo Sorce wrote:

On 29/09/15 10:39, Oleg Fayans wrote:

Hi Simo,

Is this [1] the correct link to the repo containing all latest
replica-promotion patches? I tried to build the packages from this code
and the build failed due to libpdb not having make_pdb_method [2]
I was able to successfully build from the clean upstream tree on the
same machine.



I rebased it on top of current master, let me know if this helps.

Simo.



[1]
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review








[2] https://paste.fedoraproject.org/272672/53685114/

On 09/29/2015 03:55 PM, Simo Sorce wrote:

On 29/09/15 09:28, Jan Pazdziora wrote:

On Thu, Sep 24, 2015 at 09:10:30AM -0400, Simo Sorce wrote:


I think the problem is that the patch was pushed prematurely.
The option should become unused once the other patches in this patchset are
applied, that is why that patch was not on top of the list but rather down
close to the bottom.


Simo,

could you please add the

How To Test

steps to http://www.freeipa.org/page/V4/Replica_Promotion?

It would make the functional check of this patchset easier, spelling
out how the workflow is supposed to work.


Done.

HTH,
Simo.

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCHES] More Python 3 porting

2015-10-01 Thread Martin Basti



On 09/30/2015 10:25 AM, Petr Viktorin wrote:

On 09/23/2015 04:46 PM, Petr Viktorin wrote:

On 09/22/2015 02:59 PM, David Kupka wrote:

On 18/09/15 17:00, Petr Viktorin wrote:

Hello,
Here are more patches that bring IPA closer to Python 3 compatibility.





Hi Petr,
thanks for another batch of Python 3 compatibility patches.
Unfortunately I hit a lot of pylint errors. Some of them are false
positives for sure. Could you please look at them, mark the false
positive with "pylint: disable=E" directive and fix the rest?

http://fpaste.org/270090/92665414/


Thanks.
I'm actually having some trouble running pylint on an f23 machine; have
you seen this error before?

$ ./make-lint
Traceback (most recent call last):
   File "./make-lint", line 280, in 
 sys.exit(main())
   File "./make-lint", line 251, in main
 linter.check(files)
   File "/usr/lib/python2.7/site-packages/pylint/lint.py", line 747, in check
 self._do_check(files_or_modules)
   File "/usr/lib/python2.7/site-packages/pylint/lint.py", line 869, in
_do_check
 self.check_astroid_module(ast_node, walker, rawcheckers, tokencheckers)
   File "/usr/lib/python2.7/site-packages/pylint/lint.py", line 924, in
check_astroid_module
 tokens = utils.tokenize_module(ast_node)
   File "/usr/lib/python2.7/site-packages/pylint/utils.py", line 137, in
tokenize_module
 with module.stream() as stream:
AttributeError: 'Module' object has no attribute 'stream'


Anyway, I've run pylint on f21. Updated patches attached.

ping, could someone take a look at the patches?



LGTM

I ran xmlrpc tests, DNSSEC ci tests, backup and restore CI test and 
everything works




Re: [Freeipa-devel] [PATCHES 466-468, 0316] install: Add common base class for server and replica install

2015-10-01 Thread Jan Cholasta

On 29.9.2015 15:15, Martin Basti wrote:



On 09/29/2015 03:11 PM, Milan Kubík wrote:

On 09/23/2015 05:01 PM, Martin Basti wrote:



On 09/22/2015 12:10 PM, Jan Cholasta wrote:

On 22.9.2015 10:29, Martin Babinsky wrote:

On 09/16/2015 10:44 AM, Jan Cholasta wrote:

On 16.9.2015 08:11, Jan Cholasta wrote:

On 15.9.2015 07:22, Jan Cholasta wrote:

On 10.8.2015 16:58, Martin Babinsky wrote:

On 08/06/2015 08:22 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes part of
.

See also Martin Babinsky's patch 51:
.







Honza



Sorry but NACK, see below:

1.) it seems that passing kwargs to Server components doesn't work as
expected. See these logs (install on fresh F22 VM):

http://fpaste.org/253416/21363814/
http://fpaste.org/253419/43921374/


Fixed.



2.) the following code blows up in BaseServers' __init__:
(http://fpaste.org/253400/21225314/)

392 if not self.dns.setup_dns:
393     if self.dns.forwarders:
394         raise RuntimeError(
395             "You cannot specify a --forwarder option without the "
396             "--setup-dns option")


I think that the check should be:

392 if not self.setup_dns:
393     if self.dns.forwarders:


Fixed.



IMHO BaseServerDNS class shouldn't have setup_dns knob, that should be
set in the parent class (BaseServer)


Fixed.



3.) Is there any reason why BaseServer doesn't have 'master_password',
'idmax' and 'idstart' knobs? I know that these are then brought in by
the derived Server class, but the check for them is in parent's
__init__() method and it is IMHO a bit confusing


The check should be in Server, fixed.



4.) please add license header to the beginning of
'ipaserver/install/server/common.py' file


Added.

Updated patches attached.


Self-NACK, I broke ipa-server-install --uninstall.


Fixed.



ACK to all three patches.



Thanks.

Pushed to:
master: 86edd6abeb9749e159a529b83cfce6443fff4ba5
ipa-4-2: 42d16b02cd153ac89ebd8ae07c98611dc3b6e471


These patches introduced regression.
ipa-replica-install in unattended mode requires to specify -a, -p and
-r options.

Attached patch fixes it.




Works for me, ACK.

Milan

Pushed to ipa-4-2: ad285897f54190fd0113209f32fce7f37fb0ce77
Pushed to master: 74da4f5870edda85039b3bba52fb0a578676fb44


Martin found an additional issue, see the attached patch for a fix.

--
Jan Cholasta
From ef371ec68e8b41feae70d9bd9c6155a01a6e2f85 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 1 Oct 2015 11:41:39 +0200
Subject: [PATCH] install: fix ipa-server-install fail on missing --forwarder

https://fedorahosted.org/freeipa/ticket/4517
---
 ipaserver/install/server/common.py | 4 
 ipaserver/install/server/install.py| 6 ++
 ipaserver/install/server/replicainstall.py | 7 +++
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py
index 0648b40..3eb7279 100644
--- a/ipaserver/install/server/common.py
+++ b/ipaserver/install/server/common.py
@@ -401,10 +401,6 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
 raise RuntimeError(
 "You cannot specify a --forwarder option together with "
 "--no-forwarders")
-elif not self.dns.forwarders and not self.dns.no_forwarders:
-raise RuntimeError(
-"You must specify at least one --forwarder option or "
-"--no-forwarders option")
 elif self.dns.reverse_zones and self.dns.no_reverse:
 raise RuntimeError(
 "You cannot specify a --reverse-zone option together with "
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 4fe1ed9..32eef1c 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1269,6 +1269,12 @@ class Server(BaseServer):
 raise RuntimeError(
 "In unattended mode you need to provide at least -r, -p "
 "and -a options")
+if self.setup_dns:
+#pylint: disable=no-member
+if not self.dns.forwarders and not self.dns.no_forwarders:
+raise RuntimeError(
+"You must specify at least one --forwarder option or "
+"--no-forwarders option")
 
 if self.idmax < self.idstart:
 raise RuntimeError(
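Review bot: The `#pylint: disable=no-member` comment sits on its own line under `if self.setup_dns:`, which makes pylint suppress `no-member` for the rest of that block rather than only for the `self.dns` accesses it is meant to cover. Put the directive at the end of the `if not self.dns.forwarders and not self.dns.no_forwarders:` line, write it as `# pylint: disable=no-member` with a space after `#`, and add a few words on why `self.dns` trips the check.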
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 79bbcda..3087091 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -741,6 +741,13 @@ class Replica(BaseServer):
 raise RuntimeError(
 "Replica file %s does not exist" % self.replica_file)
 
+if self.setup

Re: [Freeipa-devel] [patch 0020] ipatests: configure Network Manager not to manage resolv.conf

2015-10-01 Thread Alexander Bokovoy

On Thu, 01 Oct 2015, Milan Kubík wrote:

On 10/01/2015 11:23 AM, Martin Basti wrote:



On 10/01/2015 10:18 AM, Milan Kubík wrote:

On 10/01/2015 10:06 AM, Milan Kubík wrote:

Fixes https://fedorahosted.org/freeipa/ticket/5331

Patch attached.



Patch for ipa-4-2 branch.

Milan



NACK

http://fpaste.org/273499/43691381/

I disagree. From [1]:

   Fedora now by default relies on NetworkManager for network 
configuration. This is the case also for minimal installations and 
server installations.


The cloud image, which you are probably using, does not have
NetworkManager installed. I think we can rely on the default here and
assume NetworkManager is present.

If you and the list disagree, I will make the fix depend on 
NetworkManager's presence.

Nitpick: there can be other services that manage (and rewrite) resolv.conf.

While other tools may do it, please make it so that your fix is only
activated if NetworkManager is active.

We'll get to other services once we encounter them.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Oleg Fayans

Hi Ludwig,

Thank you! vakwetu/dogtag_10.2.7_test_builds was the bit that was missing

On 10/01/2015 12:29 PM, Ludwig Krispenz wrote:


On 10/01/2015 12:06 PM, Oleg Fayans wrote:

Hi Simo,

I was able to build the packages based on your git repo. However, my
attempt to install the resulting bits failed due to lack of dependencies:

pki-ca >= 10.2.7 is needed by
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64
pki-kra >= 10.2.7 is needed by
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64

My system has version 10.2.6 of above packages provided by
mkosek/freeipa-master copr repo.

What is the correct repo to get 10.2.7 from?

when Simo first submitted the patches for review he also listed the
repos used:

simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

I'm not sure if all of them are still needed, e.g. for 389-ds the private
repo is no longer needed, but you can use this for missing rpms




On 09/29/2015 09:31 PM Simo Sorce wrote:

On 29/09/15 14:56, Oleg Fayans wrote:



On 09/29/2015 06:47 PM, Simo Sorce wrote:

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build fails due
to lint complaints: https://paste.fedoraproject.org/272714/54174014/


These happen if you do not have custodia installed.
I guess I should make it also a BuildRequires?


I think so, yes.


Turns out it is already there.

Simo.


Simo.


On 09/29/2015 04:54 PM, Simo Sorce wrote:

On 29/09/15 10:39, Oleg Fayans wrote:

Hi Simo,

Is this [1] the correct link to the repo containing all latest
replica-promotion patches? I tried to build the packages from this code
and the build failed due to libpdb not having make_pdb_method [2]
I was able to successfully build from the clean upstream tree on the
same machine.



I rebased it on top of current master, let me know if this helps.

Simo.



[1]
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review







[2] https://paste.fedoraproject.org/272672/53685114/

On 09/29/2015 03:55 PM, Simo Sorce wrote:

On 29/09/15 09:28, Jan Pazdziora wrote:

On Thu, Sep 24, 2015 at 09:10:30AM -0400, Simo Sorce wrote:


I think the problem is that the patch was pushed prematurely.
The option should become unused once the other patches in this patchset are
applied, that is why that patch was not on top of the list but rather down
close to the bottom.


Simo,

could you please add the

How To Test

steps to http://www.freeipa.org/page/V4/Replica_Promotion?

It would make the functional check of this patchset easier, spelling
out how the workflow is supposed to work.


Done.

HTH,
Simo.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [patch 0020] ipatests: configure Network Manager not to manage resolv.conf

2015-10-01 Thread Milan Kubík

On 10/01/2015 11:23 AM, Martin Basti wrote:



On 10/01/2015 10:18 AM, Milan Kubík wrote:

On 10/01/2015 10:06 AM, Milan Kubík wrote:

Fixes https://fedorahosted.org/freeipa/ticket/5331

Patch attached.



Patch for ipa-4-2 branch.

Milan



NACK

http://fpaste.org/273499/43691381/

I disagree. From [1]:

Fedora now by default relies on NetworkManager for network 
configuration. This is the case also for minimal installations and 
server installations.


The cloud image, which you are probably using, does not have
NetworkManager installed. I think we can rely on the default here and
assume NetworkManager is present.

If you and the list disagree, I will make the fix depend on 
NetworkManager's presence.

Nitpick: there can be other services that manage (and rewrite) resolv.conf.

[1]: https://fedoraproject.org/wiki/Tools/NetworkManager

--
Milan Kubik


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Ludwig Krispenz


On 10/01/2015 12:06 PM, Oleg Fayans wrote:

Hi Simo,

I was able to build the packages based on your git repo. However, my 
attempt to install the resulting bits failed due to lack of dependencies:


pki-ca >= 10.2.7 is needed by 
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64
pki-kra >= 10.2.7 is needed by 
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64


My system has version 10.2.6 of above packages provided by 
mkosek/freeipa-master copr repo.


What is the correct repo to get 10.2.7 from?

when Simo first submitted the patches for review he also listed the
repos used:


simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

I'm not sure if all of them are still needed, e.g. for 389-ds the private repo is
no longer needed, but you can use this for missing rpms




On 09/29/2015 09:31 PM Simo Sorce wrote:

On 29/09/15 14:56, Oleg Fayans wrote:



On 09/29/2015 06:47 PM, Simo Sorce wrote:

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build fails due
to lint complaints: https://paste.fedoraproject.org/272714/54174014/


These happen if you do not have custodia installed.
I guess I should make it also a BuildRequires?


I think so, yes.


Turns out it is already there.

Simo.


Simo.


On 09/29/2015 04:54 PM, Simo Sorce wrote:

On 29/09/15 10:39, Oleg Fayans wrote:

Hi Simo,

Is this [1] the correct link to the repo containing all latest
replica-promotion patches? I tried to build the packages from this code
and the build failed due to libpdb not having make_pdb_method [2]
I was able to successfully build from the clean upstream tree on the
same machine.



I rebased it on top of current master, let me know if this helps.

Simo.



[1]
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review 








[2] https://paste.fedoraproject.org/272672/53685114/

On 09/29/2015 03:55 PM, Simo Sorce wrote:

On 29/09/15 09:28, Jan Pazdziora wrote:

On Thu, Sep 24, 2015 at 09:10:30AM -0400, Simo Sorce wrote:


I think the problem is that the patch was pushed prematurely.
The option should become unused once the other patches in this patchset are
applied, that is why that patch was not on top of the list but rather down
close to the bottom.


Simo,

could you please add the

How To Test

steps to http://www.freeipa.org/page/V4/Replica_Promotion?

It would make the functional check of this patchset easier, spelling
out how the workflow is supposed to work.


Done.

HTH,
Simo.



Re: [Freeipa-devel] [patch 0020] ipatests: configure Network Manager not to manage resolv.conf

2015-10-01 Thread Martin Basti



On 10/01/2015 11:23 AM, Martin Basti wrote:



On 10/01/2015 10:18 AM, Milan Kubík wrote:

On 10/01/2015 10:06 AM, Milan Kubík wrote:

Fixes https://fedorahosted.org/freeipa/ticket/5331

Patch attached.



Patch for ipa-4-2 branch.

Milan



NACK

http://fpaste.org/273499/43691381/


I did some investigation; this happened because my VM did not have
NetworkManager installed (Fedora 22 cloud)




Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Oleg Fayans

Hi Simo,

I was able to build the packages based on your git repo. However, my 
attempt to install the resulting bits failed due to lack of dependencies:


pki-ca >= 10.2.7 is needed by 
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64
pki-kra >= 10.2.7 is needed by 
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64


My system has version 10.2.6 of above packages provided by 
mkosek/freeipa-master copr repo.


What is the correct repo to get 10.2.7 from?

On 09/29/2015 09:31 PM Simo Sorce wrote:

On 29/09/15 14:56, Oleg Fayans wrote:



On 09/29/2015 06:47 PM, Simo Sorce wrote:

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build fails due
to lint complaints: https://paste.fedoraproject.org/272714/54174014/


These happen if you do not have custodia installed.
I guess I should make it also a BuildRequires?


I think so, yes.


Turns out it is already there.

Simo.


Simo.


On 09/29/2015 04:54 PM, Simo Sorce wrote:

On 29/09/15 10:39, Oleg Fayans wrote:

Hi Simo,

Is this [1] the correct link to the repo containing all latest
replica-promotion patches? I tried to build the packages from this code
and the build failed due to libpdb not having make_pdb_method [2]
I was able to successfully build from the clean upstream tree on the
same machine.



I rebased it on top of current master, let me know if this helps.

Simo.



[1]
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review






[2] https://paste.fedoraproject.org/272672/53685114/

On 09/29/2015 03:55 PM, Simo Sorce wrote:

On 29/09/15 09:28, Jan Pazdziora wrote:

On Thu, Sep 24, 2015 at 09:10:30AM -0400, Simo Sorce wrote:


I think the problem is that the patch was pushed prematurely.
The option should become unused once the other patches in this patchset are
applied, that is why that patch was not on top of the list but rather down
close to the bottom.


Simo,

could you please add the

How To Test

steps to http://www.freeipa.org/page/V4/Replica_Promotion?

It would make the functional check of this patchset easier, spelling
out how the workflow is supposed to work.


Done.

HTH,
Simo.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [patch 0020] ipatests: configure Network Manager not to manage resolv.conf

2015-10-01 Thread Martin Basti



On 10/01/2015 10:18 AM, Milan Kubík wrote:

On 10/01/2015 10:06 AM, Milan Kubík wrote:

Fixes https://fedorahosted.org/freeipa/ticket/5331

Patch attached.



Patch for ipa-4-2 branch.

Milan



NACK

http://fpaste.org/273499/43691381/

Re: [Freeipa-devel] [PATCH] Proper fix for ticket 5306

2015-10-01 Thread Martin Basti



On 09/30/2015 01:24 PM, Martin Basti wrote:



On 09/30/2015 12:19 PM, Oleg Fayans wrote:



On 09/30/2015 11:46 AM, Petr Spacek wrote:

On 29.9.2015 09:12, Oleg Fayans wrote:

+def prepare_reverse_zone(host, ip):
+zone = get_reverse_zone_default(ip)
+host.run_command(["ipa",
+  "dnszone-add",
+  zone,
+  "--name-from-ip=%s" % ip], raiseonerr=False)
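Review bot: `raiseonerr=False` on the `ipa dnszone-add` call in `prepare_reverse_zone` discards every failure, not only the case where the zone already exists. Keep the command result and log or fail when it returns non-zero for any other reason, so a replica test does not carry on without its reverse zone.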


There is probably no point in specifying --name-from-ip because you did that
already by calling get_reverse_zone_default(ip).


Agree. Fixed



Anyway, I'm not sure that this

+prepare_reverse_zone(master, replica.ip)
will not break if the reverse zone already exists (think about case where two
or more replicas are in the same subnet).


That's why I am using the raiseonerr=False here.



I did not test the code, I simply do not have time for it right now.






 LGTM, I will test it soon, but it needs rebase for ipa-4-2 branch



ACK, please send rebased version for ipa-4-2

Re: [Freeipa-devel] [patch 0020] ipatests: configure Network Manager not to manage resolv.conf

2015-10-01 Thread Milan Kubík

On 10/01/2015 10:06 AM, Milan Kubík wrote:

Fixes https://fedorahosted.org/freeipa/ticket/5331

Patch attached.



Patch for ipa-4-2 branch.

Milan
From 5d19b29474b577688910a60fbc5efdf38ff6c455 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Fri, 25 Sep 2015 21:09:24 +0200
Subject: [PATCH] ipatests: configure Network Manager not to manage resolv.conf

For the duration of the test, makes resolv.conf unmanaged.

https://fedorahosted.org/freeipa/ticket/5331
---
 ipaplatform/base/paths.py  |  2 +-
 ipatests/test_integration/tasks.py | 17 +
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 215caf90ea1ca4e5db8f43f8f09002ce5d5cd280..a272143d0053451c017c0df613951cc0e6d52c54 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -354,6 +354,6 @@ class BasePathNamespace(object):
 DB2BAK = '/usr/sbin/db2bak'
 KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
 CERTMONGER = '/usr/sbin/certmonger'
-
+NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
 
 path_namespace = BasePathNamespace
diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index f579f286826f749a8c5f8433f2a8bf7348664ba9..d188adbd4d7b3af7dd82b964917770c5afda7a96 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -40,6 +40,7 @@ from ipatests.test_integration.host import Host
 
 log = log_mgr.get_logger(__name__)
 
+IPATEST_NM_CONFIG = '20-ipatest-unmanaged-resolv.conf'
 
 def prepare_host(host):
 if isinstance(host, Host):
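Review bot: `IPATEST_NM_CONFIG` is inserted between the two blank lines that preceded `def prepare_host(host):`, so only one blank line now separates the constant from the function. Add a second blank line after the constant to keep the PEP 8 two-line gap before a top-level `def`.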
@@ -56,6 +57,7 @@ def prepare_host(host):
 def apply_common_fixes(host):
 fix_etc_hosts(host)
 fix_hostname(host)
+modify_nm_resolv_conf_settings(host)
 fix_resolv_conf(host)
 
 
@@ -101,6 +103,20 @@ def fix_hostname(host):
 host.run_command('hostname > %s' % ipautil.shell_quote(backupname))
 
 
+def modify_nm_resolv_conf_settings(host):
+config = "[main]\ndns=none\n"
+path = os.path.join(paths.NETWORK_MANAGER_CONFIG_DIR, IPATEST_NM_CONFIG)
+
+host.put_file_contents(path, config)
+host.run_command(['systemctl', 'restart', 'NetworkManager'], raiseonerr=False)
+
+
+def undo_nm_resolv_conf_settings(host):
+path = os.path.join(paths.NETWORK_MANAGER_CONFIG_DIR, IPATEST_NM_CONFIG)
+host.run_command(['rm', '-f', path], raiseonerr=False)
+host.run_command(['systemctl', 'restart', 'NetworkManager'], raiseonerr=False)
+
+
 def fix_resolv_conf(host):
 backup_file(host, paths.RESOLV_CONF)
 lines = host.get_file_contents(paths.RESOLV_CONF).splitlines()
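Review bot: `modify_nm_resolv_conf_settings` writes the drop-in with `host.put_file_contents(path, config)` without checking that NetworkManager is installed or running, and unlike the `systemctl restart` call the write has no `raiseonerr=False`. On a host without NetworkManager the write into `/etc/NetworkManager/conf.d` is then the step that can abort `apply_common_fixes`. Guard both new functions with a service check (for example `systemctl is-active --quiet NetworkManager`) and return early when it fails.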
@@ -128,6 +144,7 @@ def fix_apache_semaphores(master):
 def unapply_fixes(host):
 restore_files(host)
 restore_hostname(host)
+undo_nm_resolv_conf_settings(host)
 
 # Clean up the test directory
 host.run_command(['rm', '-rvf', host.config.test_dir])
-- 
2.6.0


[Freeipa-devel] [patch 0020] ipatests: configure Network Manager not to manage resolv.conf

2015-10-01 Thread Milan Kubík

Fixes https://fedorahosted.org/freeipa/ticket/5331

Patch attached.
From 4200b386058489f8ad73ee2d2f7eed582dea70b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Fri, 25 Sep 2015 21:09:24 +0200
Subject: [PATCH] ipatests: configure Network Manager not to manage resolv.conf

For the duration of the test, makes resolv.conf unmanaged.

https://fedorahosted.org/freeipa/ticket/5331
---
 ipaplatform/base/paths.py  |  2 +-
 ipatests/test_integration/tasks.py | 17 +
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 215caf90ea1ca4e5db8f43f8f09002ce5d5cd280..a272143d0053451c017c0df613951cc0e6d52c54 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -354,6 +354,6 @@ class BasePathNamespace(object):
 DB2BAK = '/usr/sbin/db2bak'
 KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
 CERTMONGER = '/usr/sbin/certmonger'
-
+NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
 
 path_namespace = BasePathNamespace
diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 06049d4ae01332e0af4d8775b745342406fc868d..d3d46682d90e749ebf33b5f673217940debf7f1c 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -40,6 +40,7 @@ from ipatests.test_integration.host import Host
 
 log = log_mgr.get_logger(__name__)
 
+IPATEST_NM_CONFIG = '20-ipatest-unmanaged-resolv.conf'
 
 def check_arguments_are(slice, instanceof):
 """
@@ -74,6 +75,7 @@ def prepare_host(host):
 def apply_common_fixes(host):
 fix_etc_hosts(host)
 fix_hostname(host)
+modify_nm_resolv_conf_settings(host)
 fix_resolv_conf(host)
 
 
@@ -119,6 +121,20 @@ def fix_hostname(host):
 host.run_command('hostname > %s' % ipautil.shell_quote(backupname))
 
 
+def modify_nm_resolv_conf_settings(host):
+config = "[main]\ndns=none\n"
+path = os.path.join(paths.NETWORK_MANAGER_CONFIG_DIR, IPATEST_NM_CONFIG)
+
+host.put_file_contents(path, config)
+host.run_command(['systemctl', 'restart', 'NetworkManager'], raiseonerr=False)
+
+
+def undo_nm_resolv_conf_settings(host):
+path = os.path.join(paths.NETWORK_MANAGER_CONFIG_DIR, IPATEST_NM_CONFIG)
+host.run_command(['rm', '-f', path], raiseonerr=False)
+host.run_command(['systemctl', 'restart', 'NetworkManager'], raiseonerr=False)
+
+
 def fix_resolv_conf(host):
 backup_file(host, paths.RESOLV_CONF)
 lines = host.get_file_contents(paths.RESOLV_CONF).splitlines()
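Review bot: Both `systemctl restart NetworkManager` calls pass `raiseonerr=False` and drop the result, so a failed restart in `modify_nm_resolv_conf_settings` goes unnoticed and `fix_resolv_conf` then edits a file that NetworkManager may still be managing. Keep the result and log a warning, or fail the setup, when `returncode` is non-zero.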
@@ -147,6 +163,7 @@ def fix_apache_semaphores(master):
 def unapply_fixes(host):
 restore_files(host)
 restore_hostname(host)
+undo_nm_resolv_conf_settings(host)
 
 # Clean up the test directory
 host.run_command(['rm', '-rvf', host.config.test_dir])
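Review bot: `undo_nm_resolv_conf_settings(host)` runs after `restore_files(host)`, so NetworkManager is restarted with `dns=none` removed only once the backed-up resolv.conf is already back in place, and it can regenerate the file straight away. If the restored file is meant to be the final state, call the undo step before `restore_files`; otherwise a comment stating that the ordering is deliberate would help.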
-- 
2.6.0
