Re: [Freeipa-devel] [PATCH 0022-23] Coverity patches
Reworded the commit messages so that they mention Coverity. On 02/22/2016 07:18 AM, Jan Cholasta wrote: On 2.2.2016 13:36, Stanislav Laznicka wrote: On 02/01/2016 02:24 PM, Jan Cholasta wrote: On 1.2.2016 12:11, Petr Spacek wrote: On 1.2.2016 09:03, Jan Cholasta wrote: Hi, On 29.1.2016 15:49, Martin Basti wrote: On 29.01.2016 15:49, Stanislav Laznicka wrote: Reworded the commits so that they better reflect what's going on in those. On 01/29/2016 02:49 PM, Stanislav Laznicka wrote: Hello, I made some patches based on the Coverity report from 18.1.2016. Cheers, Standa NACK, see my previous email I don't think this deserves 9 patches, 1 would be sufficient enough. I would rather have it is separate patches as these fixes are largely not related. It will make bisecting easier. Most of the fixes are cosmetic, which makes them related, and the rest are small isolated changes, so in reality it would hardly make bisecting easier and only increase the overhead. In the past we usually had put such fixes into a single patch and AFAIK nobody complained so far. Squeezed the changes into two new patches, then. One for the very cosmetic changes, one for possible bugs. OK. Patch 0013: 1) I think this unreachable return is intentional, as indicated by the comment: -#we shouldn't get here -return [UNKNOWN_ERROR] I would use assert False, "we shouldn't get here" neither we nor Coverity are confused when we hit the code path one day. UNKNOWN_ERROR would pop up somewhere else and it will be harder to find out why the hell the code behaves as mad. Traceback will clearly indicate that there is a problem with the 'switch'. Sure, my point is that returning None is no better than returning UNKNOWN_ERROR. Added assert as suggested. There should still be no way of getting to it, though. Petr^2 Spacek 2) How is this dead code? -if options.mode == 'validate_pot' or options.mode == 'validate_po': +if options.mode in ('validate_pot', 'validate_po'): -elif options.mode == 'create_test' or 'test_gettext': +elif options.mode in ('create_test', 'test_gettext'): Patch 0014-0015: LGTM Actually scratch that, patch 0015 breaks correct code. The dead code appears in the 'else' branch as the latter of these two conditions always evaluates to True. The first condition change is just a cosmetic one so that both of the conditions look the same. OK. Also removed the changes made in patch 0015. Patch 0016: The original code is in fact correct. Point taken, removed the change. Patch 0017: This will break Python 3. The two branches are performing the same action, but with different data types. This might undergo further investigation in the future as there is no way how "bytes" instance could become an argument of this function (as suggested). Not even the newest Python 3 patches from pviktori mention this code. OK. (This is not what Coverity was complaining about, though.) Patch 0018: LGTM Patch 0019: IMO the original code is better (None has a __class__ too, you know). Made it more "Coverity friendly" yet nice enough modification. Patch 0020: LGTM It seems that there actually is a check that checks whether the input is correct. It is called ad-hoc but that might be the test feature. Therefore just added an assert so that Coverity does not complain. OK. Patch 0021: Please use the original error messages (there are no requests being added to D-Bus, but to certmonger). Honza Added error messages that reflect the situation better, then. Could you please mention Coverity in the commit messages, so that it's clear why are we doing these changes? Otherwise LGTM. From 7e062d48fca49374eac27890c3cb6489764540b1 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 2 Feb 2016 12:50:26 +0100 Subject: [PATCH 1/2] Cosmetic changes to the code Fixes some Coverity issues ipadiscovery.py: added assert should universe break plugins/dns.py: removed dead code dnssec/ldapkeydb.py: attribute assert in the proper object test_automount_plugin.py: fixed possible close() on None xmlrpc_test.py: Coverity does not like accessing None.__class__ https://fedorahosted.org/freeipa/ticket/5661 --- ipaclient/ipadiscovery.py | 2 +- ipalib/plugins/dns.py | 3 --- ipapython/dnssec/ldapkeydb.py | 2 +- ipatests/test_xmlrpc/test_automount_plugin.py | 2 ++ ipatests/test_xmlrpc/xmlrpc_test.py | 2 +- 5 files changed, 5 insertions(+), 6 deletions(-) diff --git a/ipaclient/ipadiscovery.py b/ipaclient/ipadiscovery.py index 45a71e190e56d33d51d37f16ae61a7b4c28df521..772add43a282838539b9b18dc60d3bba041bed1b 100644 --- a/ipaclient/ipadiscovery.py +++ b/ipaclient/ipadiscovery.py @@ -402,7 +402,7 @@ class IPADiscovery(object): return [0, thost, lrealms[0]] #we shouldn't get here -
Re: [Freeipa-devel] [patch 0034] ipatests: extend permission plugin test with new expected output
On 02/18/2016 03:52 PM, Milan Kubík wrote: On 02/15/2016 04:59 PM, Milan Kubík wrote: Patch attached. Applies on ipa-4-3 as well. Updated version of patch fixes test_old_permission_plugin as well. -- Milan Kubik Review bump. -- Milan Kubik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0084-0086] CI: Add double circle topology
On 23/02/16 17:54, Martin Basti wrote: On 23.02.2016 17:33, Martin Basti wrote: On 23.02.2016 17:30, Martin Basti wrote: On 18.02.2016 10:14, David Kupka wrote: On 12/02/16 16:52, Martin Basti wrote: On 12.02.2016 13:03, Milan Kubík wrote: On 02/12/2016 10:59 AM, David Kupka wrote: Sending one more topology test. This one creates a M groups consisting N (N>=2) servers. First two servers in each group are used to connect with nearest four groups and also with the other servers inside the group (when N>2). Servers inside the group (not connecting to other groups) are connected with each other. The patch set needs freeipa-dkupka-8{1,2,3} applied. ACK I cannot apply patches, please rebase [mbasti@dhcp129-96 freeipa-devel]$ git checkout master Switched to branch 'master' Your branch is up-to-date with 'origin/master'. [mbasti@dhcp129-96 freeipa-devel]$ git am freeipa-dkupka-008* -3 Applying: CI: Add '2-connected' topology generator. Applying: CI: Add simple replication test in 2-connected topology. Applying: CI: Add test for 2-connected topology generator. Applying: CI: Add double circle topology. Applying: CI: Add replication test utilizing double-circle topology. Applying: CI: Add test for double-circle topology generator. error: invalid object 100644 e12d141391840cc7f9150a178875393a96dd469b for 'ipatests/test_integration/test_topologies.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Cannot fall back to three-way merge. Patch failed at 0006 CI: Add test for double-circle topology generator. The copy of the patch that failed is found in: /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". Martin^2 Git fails to apply patches because wrong version of freeipa-dkupka-008{1,2,3} was pushed. Attached patches should fix it. Sorry my bad. ACK Pushed to: ipa-4-3: ffe3731ae7813fcc3246a83e37d62fc2754bb4ca master: acdabba6ec0f68841f02c1e6ad65232de81bb505 New test: Pushed to: master: a1e582b33c42bcc8a708777afb975e7dc571ee3d ipa-4-3: 2efa60637111e40a9ac9459d507d9f55a2ae301a Revert? IMO this will not work on python3 * Module ipatests.test_integration.test_topologies ipatests/test_integration/test_topologies.py:124: [W1638(range-builtin-not-iterating), test_topology_double_circle_topo] range built-in referenced when not iterating) * Module ipatests.test_integration.tasks ipatests/test_integration/tasks.py:949: [W0110(deprecated-lambda), double_circle_topo] map/filter on lambda could be replaced by comprehension) ipatests/test_integration/tasks.py:949: [W1636(map-builtin-not-iterating), double_circle_topo] map built-in referenced when not iterating) ipatests/test_integration/tasks.py:949: [W1637(zip-builtin-not-iterating), double_circle_topo] zip built-in referenced when not iterating) You can revert it and I will send fixed patches or you can just apply attached patch. -- David Kupka From a46ba01172e666d8afdac5e0605f32110138ea39 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Wed, 24 Feb 2016 08:15:51 +0100 Subject: [PATCH] CI: Make double circle topology python3 compatible --- ipatests/test_integration/tasks.py | 2 +- ipatests/test_integration/test_topologies.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index 9d9a78bb10b463016c646aa921dde722e882da93..60e9e82391077ce6b997d0ed4ad4f2ff19f43d1e 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -946,7 +946,7 @@ def double_circle_topo(master, replicas, site_size=6): # split servers into sites it = [iter(servers)] * site_size -sites = map(lambda x: (x[0], x[1], x[2:]), zip(*it)) +sites = [(x[0], x[1], x[2:]) for x in zip(*it)] num_sites = len(sites) for i in range(num_sites): diff --git a/ipatests/test_integration/test_topologies.py b/ipatests/test_integration/test_topologies.py index a0a1b9d6222779a9ce67b2fa8a29052747eae8f9..4bdff44a162e188c0549b6ecca12ae658839e5cd 100644 --- a/ipatests/test_integration/test_topologies.py +++ b/ipatests/test_integration/test_topologies.py @@ -121,7 +121,7 @@ def test_topology_two_connected(): def test_topology_double_circle_topo(): topo = tasks.get_topo('double-circle') assert topo == tasks.double_circle_topo -assert list(topo('M', range(1, 30))) == [ +assert list(topo('M', [r for r in range(1, 30)])) == [ ('M', 1), (1, 6), (1, 12), -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.
On 23/02/16 16:41, Rob Crittenden wrote: David Kupka wrote: On 23/02/16 10:14, Martin Kosek wrote: On 02/23/2016 09:47 AM, David Kupka wrote: On 22/02/16 16:15, Martin Kosek wrote: On 02/22/2016 04:04 PM, Jan Cholasta wrote: On 22.2.2016 15:56, David Kupka wrote: On 22/02/16 07:28, Jan Cholasta wrote: On 18.2.2016 10:10, David Kupka wrote: On 19/01/16 16:10, David Kupka wrote: On 19/01/16 14:38, Jan Cholasta wrote: On 19.1.2016 14:26, Martin Kosek wrote: On 01/19/2016 01:47 PM, David Kupka wrote: I've polished the patch attached to #5586 by Timo Aaltonen. Thanks for the patch. I've fixed the path in specfile and removed unused import but otherwise it works, ACK. https://fedorahosted.org/freeipa/ticket/5586 Won't this break existing certmonger requests depending on the old path? It will, I don't see any upgrade code. # getcert list | grep '/usr/lib64/ipa/certmonger' pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72 post-save command: /usr/lib64/ipa/certmonger/restart_httpd You're right it will break the upgrade. I haven't noticed that Server-Cert for DS and HTTPD are not handled by certificate_renewal_update (ipaserver.install.server.upgrade) where all the other trackings are stopped and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already updated. Thanks for the catch. I've updated Timo's patch little more and added start_tracking_certificates() for dsinstance and httpinstance. Now the upgrade works as expected. The way the patches are split is kind of weird and apparently confusing (see the other thread). IMO there should be 2 patches: the first should add the ability to change DS and HTTP certmonger config during upgrade (i.e. the start_tracking_certificates() methods and certificate_renewal_update() changes), the second should move the helpers (i.e. the actual move and certificate_renewal_update() version bump). Honza, do I understand it correctly that the code is OK but I did not split it to the patches correctly? Yes. Before acking or pushing, can you please explain for me how the upgrade of certmonger tracking requests work? I want to make sure this is right, so please bear with me: 1) How does it edit existing tracking requests with the new helper paths? 2) Does it go and try to edit the requests on every upgrade? Or is there some check that requests were updated? Thanks, Martin Whole upgrade of renewal requests is done in ipaserver/install/server/upgrade.py in certificate_renewal_upgrade(). First there is version of requests and if it's the same as in state file upgrade is skipped. Then every request is searched over certmonger's DBus interface and if at least one is not found it means that there was change in request configuration. All tracking requests are then stopped and started again with new configuration. So to answer you questions: 1) By stopping the old request with the old parameters (including path) and starting new with new parameters. 2) Only if version was bumped which happens only if some of the requests changes. Ah, so IIUC, if you bump the version, requests should be properly updated. The change looks fine then. After discussion with Honza, we decided to drop the part comparing only base names of pre- and post-save commands and use it as whole. I've also split the patches so it's obvious what is going on. Patches should be applied in this order: freeipa-dkupka-0091.0 A cert could silently fail to be tracked in start_tracking_certificates() if no serverid can be found. In that case it also wouldn't be stopped. The behavior is the same as in existing stop_tracking_certificates(). Should we rather raise and stop the upgrade? I guess not but warning would be probably useful. What solution would you prefer, Rob? freeipa-dkupka-0087.1 freeipa-dkupka-0088.1 freeipa-tjaalton-0011.2 freeipa-dkupka-0092.0 -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0420] Set BuildRequires to pylint 1.4
Lukas Slebodnik wrote: > On (23/02/16 17:09), Martin Basti wrote: >> We cannot guarantee that versions older than 1.4 will work with freeipa code. >> >> Patch attached. > >>From a59e72a0b87231c0f2e0d737057550dd532feed7 Mon Sep 17 00:00:00 2001 >> From: Martin Basti>> Date: Tue, 23 Feb 2016 16:58:07 +0100 >> Subject: [PATCH] Set BuildRequires to pylint >= 1.4 >> >> We can guarantee that only pylint 1.4 and newer will work >> >> https://fedorahosted.org/freeipa/ticket/5615 >> --- >> freeipa.spec.in | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/freeipa.spec.in b/freeipa.spec.in >> index >> 54a11bfc8cced643c19c29c5ada70bacf7540395..219c5ca2f13eaac14746ec4689ba611bbc6fc377 >> 100644 >> --- a/freeipa.spec.in >> +++ b/freeipa.spec.in >> @@ -76,7 +76,7 @@ BuildRequires: python-netaddr >> BuildRequires: python-gssapi >= 1.1.2 >> BuildRequires: python-rhsm >> BuildRequires: pyOpenSSL >> -BuildRequires: pylint >= 1.0 >> +BuildRequires: pylint >= 1.4 > > I can build rpms even withour pylint and pylint is not executed > anywhere in spec file. (in other words, my patch was rejected) > Why does it need to be in BuildRequires? pylint is part of the in-tree build process (make rpms). It is not executed when building upstream packages. rob -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Locations design v2: LDAP schema & user interface
On 23.2.2016 18:14, Simo Sorce wrote: >> > Petr Vobornik mentioned an important question: >> > Should we care about non-IPA services? >> > >> > IMHO it is a valid point. It complicates things a lot as soon as we start >> > introducing 'locations per service'. It is certainly doable but I would >> > like >> > to avoid it. >> > >> > It seems easy enough to support custom services as long as there is only >> > one >> > set of locations (which match IPA locations). It would be a management >> > nightmare to support N parallel locations for distinct sets of services. >> > >> > As far as I can tell, AD can live with only 1 set of locations and that >> > sounds >> > reasonable thing to support in the IPA management interface to me. > I think one set of Locations is fine, but we need to be able to assign > services to locations independently from "servers" in some cases, I > think. > > Mostly because a server can have service 1 and 3 but not service 2 and > another server can have service 2 and 3 but not 1. Hmm, I do not follow. Where is the problem? You can assign both servers to the location and get all three services available, the SRV records from all servers will just combine. We should have checks in IPA so it will not allow you to create a Frankenstein IPA server which is missing LDAP or so but this will be needed only when we decide to containerize - or when we allow to select individual services instead of servers :-) For custom services, you are on your own. Still, I would say that assigning services (instead of servers) to location is making it *more* error prone as there is bigger chance of omitting something (like selecting only service 1 from server A) and not the other way around. What did I miss? [...] > >> Priority groups are harder because they express metric based on: > >> * communication costs, > >> * fail-over requirements, > >> * other political requirements in given deployment. > >> These are hard things to see from layer 7. > >> > >> Theoretically we can provide ipa-advise plugin to generate some > >> initial set of > >> groups but this is going to be complicated and error prone. > >> > >> E.g. we can use ICMP ping or LDAP base DN search timings and use some > >> clustering algorithm to create priority groups using measured values. > >> This could work if we use some smart-enough clustering algorithm (= AI > >> library). And of course, we would have to do measurements from at > >> least one > >> server in each location to properly define groups for each location > >> ... > >> > >> It is not that easy as it might seem and I do not see an easy > >> solution. > >> > >> > >> Maybe we should take evolutional approach: > >> Implement this 'expert' UI which exposes groups & weights to the user > >> first. > >> (It will be necessary for special cases anyway.) When this is done, > >> we can > >> play with it, do some usability testing (we can ask RH IT to see if > >> it makes > >> sense to them, for example.) > >> > >> Later we can extend this with a 'simple' variant of UI based on > >> feedback or > >> add the generator). This does not even need to happen in the same > >> release. > >> > >> IMHO it would be better to start with something and refine it later > >> on because > >> right now we are just hand-waving and have no idea what users > >> actually do and > >> want. >>> > > >>> > > As long as we establish a proper CLI I am ok with implementing a very >>> > > bare bone UI first and improving it only later. >>> > > >>> > > Btw we probably want to have this information reported by the topology >>> > > view, and used to automatically group servers there based on location, >>> > > so I CCed Petr to see if there is anything that would make that job >>> > > easier/harder. >> > >> > >> > We were kicking ideas around the drawing board in the Brno office. Finally, >> > after many iterations we arrived to this: >> > >> > Wouldn't it be easier to implement concept of sites and links between >> > sites at >> > the same time? (In the AD spirit.) >> > >> > If we knew the locations/sites and links between them, we could compute >> > priority groups etc. algorithmicaly. Then only remaining thing is weight, >> > which can have default and admin do not have to touch it if not necessary. > You would need to add weights to links, because just the fact there is a > link tells you nothing about how big the link is between 2 locations, it Oh, sure, I was thinking about link metric implicitly :-) > also tells you nothing abut the number of clients in a location which > may influence how you want to distribute them around. Do you have an example in mind? It sounds weird to me that you want to distribute clients outside of local site. If I understand you correctly it means that the
Re: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, create SudoCmdGroupTracker
NACK. [root@master2 test_xmlrpc]# pep8 test_sudocmdgroup_plugin.py test_sudocmdgroup_plugin.py:26:80: E501 line too long (80 > 79 characters) test_sudocmdgroup_plugin.py:70:80: E501 line too long (80 > 79 characters) test_sudocmdgroup_plugin.py:76:80: E501 line too long (80 > 79 characters) test_sudocmdgroup_plugin.py:84:80: E501 line too long (80 > 79 characters) test_sudocmdgroup_plugin.py:90:80: E501 line too long (80 > 79 characters) test_sudocmdgroup_plugin.py:98:80: E501 line too long (80 > 79 characters) test_sudocmdgroup_plugin.py:104:80: E501 line too long (80 > 79 characters) test_sudocmdgroup_plugin.py:166:80: E501 line too long (80 > 79 characters) test_sudocmdgroup_plugin.py:180:80: E501 line too long (80 > 79 characters) test_sudocmdgroup_plugin.py:186:80: E501 line too long (84 > 79 characters) [root@master2 test_xmlrpc]# pep8 tracker/sudocmdgroup_plugin.py tracker/sudocmdgroup_plugin.py:36:80: E501 line too long (82 > 79 characters) tracker/sudocmdgroup_plugin.py:42:80: E501 line too long (82 > 79 characters) tracker/sudocmdgroup_plugin.py:46:80: E501 line too long (85 > 79 characters) tracker/sudocmdgroup_plugin.py:55:80: E501 line too long (82 > 79 characters) tracker/sudocmdgroup_plugin.py:64:80: E501 line too long (82 > 79 characters) - Original Message - > From: "Filip Skola"> To: "Aleš Mareček" > Cc: freeipa-devel@redhat.com, "Milan Kubík" > Sent: Monday, February 22, 2016 3:41:36 PM > Subject: Re: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, > create SudoCmdGroupTracker > > Hi, > > the test has been updated so it now uses the SudoCmdTracker (from the > previous patch). > > Filip > > - Original Message - > > NACK. > > > > "create_sudocmd" and "delete_sudocmd" should be imported from Tracker, not > > from the previous test (sudocmd_plugin). > > > > - alich - > > > > - Original Message - > > > From: "Filip Skola" > > > To: freeipa-devel@redhat.com > > > Sent: Thursday, January 28, 2016 12:49:17 PM > > > Subject: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, > > > create SudoCmdGroupTracker > > > > > > Hi, > > > > > > sending the next sudo patch. This one depends on the previous one > > > (sudocmd_plugin). > > > > > > Filip > > > > > > -- > > > Manage your subscription for the Freeipa-devel mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > > -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0416-0419] fix broken configuration of sidgen and extdom plugins
On 23.02.2016 17:31, Tomas Babej wrote: On 02/23/2016 01:25 PM, Martin Basti wrote: On 23.02.2016 13:02, Alexander Bokovoy wrote: On Tue, 23 Feb 2016, Martin Basti wrote: From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 23 Feb 2016 10:37:47 +0100 Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket after DS restart Restarting DS executed by upgrade plugin causes that upgrade frameworg was waiting for not proper socket to be ready. This commit fix issue. Please fix the commit message typos. Fixed. Updated patches attached. ACK. Tomas Pushed to master: 0accf8ccb64963954dbe7c137d23f52e5901ac4f Pushed to ipa-4-3: 4734012c8063460f93f3b819a5bbcca797f6059e Pushed to ipa-4-2: 63d8caf0d105f02decc0b5d865fedf6ad063bc1a -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Locations design v2: LDAP schema & user interface
On Tue, 2016-02-23 at 18:04 +0100, Petr Spacek wrote: > On 23.2.2016 15:19, Simo Sorce wrote: > > On Tue, 2016-02-23 at 12:43 +0100, Petr Spacek wrote: > >> On 23.2.2016 11:00, Jan Cholasta wrote: > >>> Hi, > >>> > >>> On 19.2.2016 16:31, Simo Sorce wrote: > On Fri, 2016-02-19 at 08:58 +0100, Petr Spacek wrote: > > On 4.2.2016 18:21, Petr Spacek wrote: > >> On 3.2.2016 18:41, Petr Spacek wrote: > >>> Hello, > >>> > >>> I've updated the design page > >>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism > >>> > >>> Namely it now contains 'Version 2'. > >> > >> Okay, here is the idea how we can make it flexible: > >> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#Implementation > > > > Hello, > > > > I'm thinking about LDAP schema for DNS locations. > > > > Purpose > > === > > * Allow admins to define any number of locations. > > * 1 DNS server advertises at most 1 location. > > * 1 location generally contains set of services with different > > priorities and > > weights (in DNS SRV terms). > > * Express server & service priority for each defined location in a way > > which > > is granular and flexible and ad the same time easy to manage. > > > > > > Proposal > > > > a) Container for locations > > -- > > cn=locations,cn=ipa,cn=etc,dc=example,dc=com > > > > > > b) 1 location > > - > > Attributes: > > 2.16.840.1.113730.3.8.5.32 idnsLocationMember > > Server/service assigned to a DNS Location. Usually used to define 'main' > > servers for that location. Should it point to service DNs to be sure we > > have > > smooth upgrade to containers? > >>> > >>> Services always live on a host (call it server or not), so IMO it makes > >>> sense > >>> to point to servers. > >> > >> Fine with me. We just need something which will be able to accommodate > >> containerization without upgrade headache. > >> > >> Do I undestand correctly that 1 container is going to have 1 host object > >> with > >> one service object inside it? > >> > >> Like: > >> cn=container > >> - cn=DNS, cn=container > >> ? > > > > Do we think we will ever need to define different locations on a per > > service basis ? > > No, I hope that we will avoid this. > > I suppose that when we containerize IPA things will get 'more interesting', > but hopefully not in direction 'location per service'. If we have the > possibility to have 1 DNS container and 2 CA containers attached to 1 LDAP > container things will be complicated ... > > I would expect that we will need some additional logic to ensure that one > location advertises all the services (so e.g. LDAP is not missing in that > particular location). I would not go beyond that. > > > We based or hypothesis on the fact we only have one location and at most > > different weights per services ? > > Is there anything in here that will make it hard for us should we change > > our mind in future ? (I think the single _tcp DNAME may be an > > architectural issue anyway, but that could be resolved perhaps by moving > > the location DNAME on a per service basis in future should we need it ? > > Yes, that is a possible approach but I hope it will not be necessary. > > Hopefully the logic for assigning containers/server to locations can be made > smart enough to guarantee that we do not need more layers of CNAME/DNAME hacks > or so. > > The DNAME trick should be seen as a cheap way to emulate views without > actually using views. If you want more fancy things, go and use views on > full-featured DNS server ... > > > > 2.16.840.1.113730.3.8.5.33 idnsBackupLocation > > Pointer to another location. Sucks in all servers from that location as > > one > > group with the same priority. Easy to use with _default location where > > all > > 'other' servers are used as backup. > > > > These two attributes use sub-type priority and > > relativeweight. > > This is the only way I could express all the information without need > > for > > separate objects. > >>> > >>> I don't see the benefit here. What is wrong with separate objects? Why is > >>> it > >>> necessary to reinvent the wheel and abuse attribute sub-types for this, > >>> losing > >>> schema integrity checks provided by DS and making the implementation more > >>> complex along the way? > >> > >> AFAIK Simo did not like separate objects because we could not use > >> referential > >> integrity plugin to prune references to removed servers. > >> > >> This can surely be done in framework, I do not insist on subtypes. > >> > >> > >> Talk is cheap, show me your schema :-) > > > > I had a preference, but I m ok also with multiplle objects one per > > server/service if we think this will make things easier to handle. > > > > Given we are going to need a Server object
Re: [Freeipa-devel] Locations design v2: LDAP schema & user interface
On 23.2.2016 15:19, Simo Sorce wrote: > On Tue, 2016-02-23 at 12:43 +0100, Petr Spacek wrote: >> On 23.2.2016 11:00, Jan Cholasta wrote: >>> Hi, >>> >>> On 19.2.2016 16:31, Simo Sorce wrote: On Fri, 2016-02-19 at 08:58 +0100, Petr Spacek wrote: > On 4.2.2016 18:21, Petr Spacek wrote: >> On 3.2.2016 18:41, Petr Spacek wrote: >>> Hello, >>> >>> I've updated the design page >>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>> >>> Namely it now contains 'Version 2'. >> >> Okay, here is the idea how we can make it flexible: >> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#Implementation > > Hello, > > I'm thinking about LDAP schema for DNS locations. > > Purpose > === > * Allow admins to define any number of locations. > * 1 DNS server advertises at most 1 location. > * 1 location generally contains set of services with different priorities > and > weights (in DNS SRV terms). > * Express server & service priority for each defined location in a way > which > is granular and flexible and ad the same time easy to manage. > > > Proposal > > a) Container for locations > -- > cn=locations,cn=ipa,cn=etc,dc=example,dc=com > > > b) 1 location > - > Attributes: > 2.16.840.1.113730.3.8.5.32 idnsLocationMember > Server/service assigned to a DNS Location. Usually used to define 'main' > servers for that location. Should it point to service DNs to be sure we > have > smooth upgrade to containers? >>> >>> Services always live on a host (call it server or not), so IMO it makes >>> sense >>> to point to servers. >> >> Fine with me. We just need something which will be able to accommodate >> containerization without upgrade headache. >> >> Do I undestand correctly that 1 container is going to have 1 host object with >> one service object inside it? >> >> Like: >> cn=container >> - cn=DNS, cn=container >> ? > > Do we think we will ever need to define different locations on a per > service basis ? No, I hope that we will avoid this. I suppose that when we containerize IPA things will get 'more interesting', but hopefully not in direction 'location per service'. If we have the possibility to have 1 DNS container and 2 CA containers attached to 1 LDAP container things will be complicated ... I would expect that we will need some additional logic to ensure that one location advertises all the services (so e.g. LDAP is not missing in that particular location). I would not go beyond that. > We based or hypothesis on the fact we only have one location and at most > different weights per services ? > Is there anything in here that will make it hard for us should we change > our mind in future ? (I think the single _tcp DNAME may be an > architectural issue anyway, but that could be resolved perhaps by moving > the location DNAME on a per service basis in future should we need it ? Yes, that is a possible approach but I hope it will not be necessary. Hopefully the logic for assigning containers/server to locations can be made smart enough to guarantee that we do not need more layers of CNAME/DNAME hacks or so. The DNAME trick should be seen as a cheap way to emulate views without actually using views. If you want more fancy things, go and use views on full-featured DNS server ... > 2.16.840.1.113730.3.8.5.33 idnsBackupLocation > Pointer to another location. Sucks in all servers from that location as > one > group with the same priority. Easy to use with _default location where all > 'other' servers are used as backup. > > These two attributes use sub-type priority and > relativeweight. > This is the only way I could express all the information without need for > separate objects. >>> >>> I don't see the benefit here. What is wrong with separate objects? Why is it >>> necessary to reinvent the wheel and abuse attribute sub-types for this, >>> losing >>> schema integrity checks provided by DS and making the implementation more >>> complex along the way? >> >> AFAIK Simo did not like separate objects because we could not use referential >> integrity plugin to prune references to removed servers. >> >> This can surely be done in framework, I do not insist on subtypes. >> >> >> Talk is cheap, show me your schema :-) > > I had a preference, but I m ok also with multiplle objects one per > server/service if we think this will make things easier to handle. > > Given we are going to need a Server object in DNS anyway (so that things > are self contained for non IPA use cases) then I think the referential > integrity thing goes out the window. Back to the drawing board! :-) > [...] > > Attributes: > 2.16.840.1.113730.3.8.5.34 idnsAdvertisedLocation > Pointer to a idnsLocation object. On DNS service object / external server.
Re: [Freeipa-devel] [PATCH 0084-0086] CI: Add double circle topology
On 23.02.2016 17:33, Martin Basti wrote: On 23.02.2016 17:30, Martin Basti wrote: On 18.02.2016 10:14, David Kupka wrote: On 12/02/16 16:52, Martin Basti wrote: On 12.02.2016 13:03, Milan Kubík wrote: On 02/12/2016 10:59 AM, David Kupka wrote: Sending one more topology test. This one creates a M groups consisting N (N>=2) servers. First two servers in each group are used to connect with nearest four groups and also with the other servers inside the group (when N>2). Servers inside the group (not connecting to other groups) are connected with each other. The patch set needs freeipa-dkupka-8{1,2,3} applied. ACK I cannot apply patches, please rebase [mbasti@dhcp129-96 freeipa-devel]$ git checkout master Switched to branch 'master' Your branch is up-to-date with 'origin/master'. [mbasti@dhcp129-96 freeipa-devel]$ git am freeipa-dkupka-008* -3 Applying: CI: Add '2-connected' topology generator. Applying: CI: Add simple replication test in 2-connected topology. Applying: CI: Add test for 2-connected topology generator. Applying: CI: Add double circle topology. Applying: CI: Add replication test utilizing double-circle topology. Applying: CI: Add test for double-circle topology generator. error: invalid object 100644 e12d141391840cc7f9150a178875393a96dd469b for 'ipatests/test_integration/test_topologies.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Cannot fall back to three-way merge. Patch failed at 0006 CI: Add test for double-circle topology generator. The copy of the patch that failed is found in: /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". Martin^2 Git fails to apply patches because wrong version of freeipa-dkupka-008{1,2,3} was pushed. Attached patches should fix it. Sorry my bad. ACK Pushed to: ipa-4-3: ffe3731ae7813fcc3246a83e37d62fc2754bb4ca master: acdabba6ec0f68841f02c1e6ad65232de81bb505 New test: Pushed to: master: a1e582b33c42bcc8a708777afb975e7dc571ee3d ipa-4-3: 2efa60637111e40a9ac9459d507d9f55a2ae301a Revert? IMO this will not work on python3 * Module ipatests.test_integration.test_topologies ipatests/test_integration/test_topologies.py:124: [W1638(range-builtin-not-iterating), test_topology_double_circle_topo] range built-in referenced when not iterating) * Module ipatests.test_integration.tasks ipatests/test_integration/tasks.py:949: [W0110(deprecated-lambda), double_circle_topo] map/filter on lambda could be replaced by comprehension) ipatests/test_integration/tasks.py:949: [W1636(map-builtin-not-iterating), double_circle_topo] map built-in referenced when not iterating) ipatests/test_integration/tasks.py:949: [W1637(zip-builtin-not-iterating), double_circle_topo] zip built-in referenced when not iterating) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0420] Set BuildRequires to pylint 1.4
On (23/02/16 17:09), Martin Basti wrote: >We cannot guarantee that versions older than 1.4 will work with freeipa code. > >Patch attached. >From a59e72a0b87231c0f2e0d737057550dd532feed7 Mon Sep 17 00:00:00 2001 >From: Martin Basti>Date: Tue, 23 Feb 2016 16:58:07 +0100 >Subject: [PATCH] Set BuildRequires to pylint >= 1.4 > >We can guarantee that only pylint 1.4 and newer will work > >https://fedorahosted.org/freeipa/ticket/5615 >--- > freeipa.spec.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/freeipa.spec.in b/freeipa.spec.in >index >54a11bfc8cced643c19c29c5ada70bacf7540395..219c5ca2f13eaac14746ec4689ba611bbc6fc377 > 100644 >--- a/freeipa.spec.in >+++ b/freeipa.spec.in >@@ -76,7 +76,7 @@ BuildRequires: python-netaddr > BuildRequires: python-gssapi >= 1.1.2 > BuildRequires: python-rhsm > BuildRequires: pyOpenSSL >-BuildRequires: pylint >= 1.0 >+BuildRequires: pylint >= 1.4 I can build rpms even withour pylint and pylint is not executed anywhere in spec file. (in other words, my patch was rejected) Why does it need to be in BuildRequires? LS -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0084-0086] CI: Add double circle topology
On 23.02.2016 17:30, Martin Basti wrote: On 18.02.2016 10:14, David Kupka wrote: On 12/02/16 16:52, Martin Basti wrote: On 12.02.2016 13:03, Milan Kubík wrote: On 02/12/2016 10:59 AM, David Kupka wrote: Sending one more topology test. This one creates a M groups consisting N (N>=2) servers. First two servers in each group are used to connect with nearest four groups and also with the other servers inside the group (when N>2). Servers inside the group (not connecting to other groups) are connected with each other. The patch set needs freeipa-dkupka-8{1,2,3} applied. ACK I cannot apply patches, please rebase [mbasti@dhcp129-96 freeipa-devel]$ git checkout master Switched to branch 'master' Your branch is up-to-date with 'origin/master'. [mbasti@dhcp129-96 freeipa-devel]$ git am freeipa-dkupka-008* -3 Applying: CI: Add '2-connected' topology generator. Applying: CI: Add simple replication test in 2-connected topology. Applying: CI: Add test for 2-connected topology generator. Applying: CI: Add double circle topology. Applying: CI: Add replication test utilizing double-circle topology. Applying: CI: Add test for double-circle topology generator. error: invalid object 100644 e12d141391840cc7f9150a178875393a96dd469b for 'ipatests/test_integration/test_topologies.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Cannot fall back to three-way merge. Patch failed at 0006 CI: Add test for double-circle topology generator. The copy of the patch that failed is found in: /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". Martin^2 Git fails to apply patches because wrong version of freeipa-dkupka-008{1,2,3} was pushed. Attached patches should fix it. Sorry my bad. ACK Pushed to: ipa-4-3: ffe3731ae7813fcc3246a83e37d62fc2754bb4ca master: acdabba6ec0f68841f02c1e6ad65232de81bb505 New test: Pushed to: master: a1e582b33c42bcc8a708777afb975e7dc571ee3d ipa-4-3: 2efa60637111e40a9ac9459d507d9f55a2ae301a -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0416-0419] fix broken configuration of sidgen and extdom plugins
On 02/23/2016 01:25 PM, Martin Basti wrote: > > > On 23.02.2016 13:02, Alexander Bokovoy wrote: >> On Tue, 23 Feb 2016, Martin Basti wrote: >>> From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17 00:00:00 2001 >>> From: Martin Basti>>> Date: Tue, 23 Feb 2016 10:37:47 +0100 >>> Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket after DS >>> restart >>> >>> Restarting DS executed by upgrade plugin causes that upgrade frameworg >>> was waiting for not proper socket to be ready. This commit fix issue. >> Please fix the commit message typos. >> > Fixed. Updated patches attached. ACK. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0084-0086] CI: Add double circle topology
On 18.02.2016 10:14, David Kupka wrote: On 12/02/16 16:52, Martin Basti wrote: On 12.02.2016 13:03, Milan Kubík wrote: On 02/12/2016 10:59 AM, David Kupka wrote: Sending one more topology test. This one creates a M groups consisting N (N>=2) servers. First two servers in each group are used to connect with nearest four groups and also with the other servers inside the group (when N>2). Servers inside the group (not connecting to other groups) are connected with each other. The patch set needs freeipa-dkupka-8{1,2,3} applied. ACK I cannot apply patches, please rebase [mbasti@dhcp129-96 freeipa-devel]$ git checkout master Switched to branch 'master' Your branch is up-to-date with 'origin/master'. [mbasti@dhcp129-96 freeipa-devel]$ git am freeipa-dkupka-008* -3 Applying: CI: Add '2-connected' topology generator. Applying: CI: Add simple replication test in 2-connected topology. Applying: CI: Add test for 2-connected topology generator. Applying: CI: Add double circle topology. Applying: CI: Add replication test utilizing double-circle topology. Applying: CI: Add test for double-circle topology generator. error: invalid object 100644 e12d141391840cc7f9150a178875393a96dd469b for 'ipatests/test_integration/test_topologies.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Cannot fall back to three-way merge. Patch failed at 0006 CI: Add test for double-circle topology generator. The copy of the patch that failed is found in: /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". Martin^2 Git fails to apply patches because wrong version of freeipa-dkupka-008{1,2,3} was pushed. Attached patches should fix it. Sorry my bad. ACK Pushed to: ipa-4-3: ffe3731ae7813fcc3246a83e37d62fc2754bb4ca master: acdabba6ec0f68841f02c1e6ad65232de81bb505 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0413] fix permission: Read Replication Agreements
On 22.02.2016 09:00, Jan Cholasta wrote: Hi, On 17.2.2016 14:49, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5631 Patch attached (for master, 4.3, 4.2) 1) All the replication agreement permission ACIs should be located in the same entry. Currently "Read Replication Agreements" is in "cn=config" and everything else in "cn=mapping tree,cn=config", so I guess "cn=mapping tree,cn=config" makes more sense. 2) Instead of literal DN('cn=permissions,cn=pbac'), use api.env.container_permissions. 3) IMO the removal of managed permission attributes could be a little bit more robust. You should check that the original entry contains all the required values before touching it (objectclass=ipapermissionv2, ipapermissiontype=V2, ipapermissiontype=MANAGED) and remove only the values that need to be removed, instead of just overwriting everything. Honza Updated patch attached. From 4332e5d4b52d13b0d08d57691b77bc892999303b Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Thu, 4 Feb 2016 16:23:40 +0100 Subject: [PATCH] fix permission: Read Replication Agreements This permission cannot be MANAGED permission because it is located in nonreplicating part of the LDAP tree. As side effect, the particular ACI has not been created on all replicas. This commit makes Read Replication Agreements non managed permission and also fix missing ACI on replicas. https://fedorahosted.org/freeipa/ticket/5631 --- ACI.txt| 2 - install/share/delegation.ldif | 9 ++ install/share/replica-acis.ldif| 5 + install/updates/20-aci.update | 4 +- install/updates/90-post_upgrade_plugins.update | 1 + .../install/plugins/update_managed_permissions.py | 133 +++-- 6 files changed, 90 insertions(+), 64 deletions(-) diff --git a/ACI.txt b/ACI.txt index bbc2e660cc0a549421069f2f569f8b1dbf42c724..24cb332ce6e10c82a5bfab76d084fb6c0277800d 100644 --- a/ACI.txt +++ b/ACI.txt @@ -388,8 +388,6 @@ dn: cn=Domain Level,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = "createtimestamp || entryusn || ipadomainlevel || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipadomainlevelconfig)")(version 3.0;acl "permission:System: Read Domain Level";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";) -dn: cn=config -aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=replication,cn=etc,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn ||
Re: [Freeipa-devel] [PATCH 0414] py3: remove usage of iteritems
On 23.02.2016 17:13, Martin Babinsky wrote: On 02/17/2016 04:54 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5623 Patch attached. ACK Pushed to: master: 697072cac9d94ebd006d6a0f595d7956d38d58b9 ipa-4-3: 93582ac57533b2c2bb3079da2ebc48b67b2c1655 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0414] py3: remove usage of iteritems
On 02/17/2016 04:54 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5623 Patch attached. ACK -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0415] Pylint: disable new pylint checks
On 19.02.2016 13:00, David Kupka wrote: On 17/02/16 18:02, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5615 Disable unwanted or false positive checks. New checks cannot be disabled inline because pylint < 1.5 will report them as errors, thus must be disable globally until we decide to move completely to pytlint 1.5 (Fedora 25?) Patches attached. Works for me, ACK. All tree branches tested on F23 with pylint 1.4.3-3 Pushed to master: ddda062d58fd9c3c6b4edbea0afb236fc26024ba Pushed to ipa-4-3: 963ce7f117b0cd69590327350b893e755cc38856 Pushed to ipa-4-2: 9136d72ae1feff15a80f162d06a837e7f8cee7ea -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0135] upgrade: unconditional import of certificate profiles into LDAP
On 23.2.2016 09:55, Martin Babinsky wrote: On 02/23/2016 07:43 AM, Fraser Tweedale wrote: On Tue, Feb 23, 2016 at 07:32:31AM +0100, Jan Cholasta wrote: On 23.2.2016 06:40, Fraser Tweedale wrote: On Mon, Feb 22, 2016 at 02:03:49PM +0100, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5682 -- Martin^3 Babinsky Thanks for the patch. Conditional ACK. Patch is tested and works, but I am wary about checking for substring match against RemoteRetrieveError reason string (see hunk below). It would be better to carry the status code as an attribute of RemoteRetrieveError and check whether it is 409. +except errors.RemoteRetrieveError as e: +if "Profile already exists" in e.reason: +root_logger.debug("Profile '{}' already present".format( +profile_id)) +else: +root_logger.error("Error migrating profile '{}': {}".format( +profile_id, e)) +return If you agree, we can file a ticket and I am happy for these patches to be merged as-is. The scope of changing RemoteRetrieveError is larger than #5682 so it makes sense to do it separately, and just for master branch. I don't think this is the right approach. create_profile() should raise DuplicateEntry rather than RemoteRetrieveError if the profile already exists, which can then be properly handled in _create_dogtag_profile(). I am happy with that. Attaching updated patch. Unfortunately, REST API does report only a super-generic error code 400: Bad request when adding profile which already exists, which is not very useful for us (I will open a ticket for Dogtag for this). After consultation with Jan, we decided to log the error at debug level and be done with it (for the moment). Thanks, ACK. Pushed to: master: 2c3b0b1bcd972e6beec4691c03830f37dd27e199 ipa-4-2: 704319c3eaf74e0531dd2aa1e5880db7b6ab830c ipa-4-3: e0ce7e37636969af56a4fa2b1068ae97f1058bdd -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.
David Kupka wrote: > On 23/02/16 10:14, Martin Kosek wrote: >> On 02/23/2016 09:47 AM, David Kupka wrote: >>> On 22/02/16 16:15, Martin Kosek wrote: On 02/22/2016 04:04 PM, Jan Cholasta wrote: > On 22.2.2016 15:56, David Kupka wrote: >> On 22/02/16 07:28, Jan Cholasta wrote: >>> On 18.2.2016 10:10, David Kupka wrote: On 19/01/16 16:10, David Kupka wrote: > On 19/01/16 14:38, Jan Cholasta wrote: >> On 19.1.2016 14:26, Martin Kosek wrote: >>> On 01/19/2016 01:47 PM, David Kupka wrote: I've polished the patch attached to #5586 by Timo Aaltonen. Thanks for the patch. I've fixed the path in specfile and removed unused import but otherwise it works, ACK. https://fedorahosted.org/freeipa/ticket/5586 >>> >>> Won't this break existing certmonger requests depending on >>> the old >>> path? >> >> It will, I don't see any upgrade code. >> >>> >>> # getcert list | grep '/usr/lib64/ipa/certmonger' >>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> "auditSigningCert >>> cert-pki-ca" >>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> "ocspSigningCert >>> cert-pki-ca" >>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> "subsystemCert >>> cert-pki-ca" >>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> "caSigningCert >>> cert-pki-ca" >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert >>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> "Server-Cert >>> cert-pki-ca" >>> post-save command: >>> /usr/lib64/ipa/certmonger/restart_dirsrv >>> RHEL72 >>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd >>> >> >> > > You're right it will break the upgrade. I haven't noticed that > Server-Cert for DS and HTTPD are not handled by > certificate_renewal_update (ipaserver.install.server.upgrade) > where all > the other trackings are stopped and then configured again with the > paths.CERTMONGER_COMMAND_TEMPLATE already updated. > > Thanks for the catch. > I've updated Timo's patch little more and added start_tracking_certificates() for dsinstance and httpinstance. Now the upgrade works as expected. >>> >>> The way the patches are split is kind of weird and apparently >>> confusing >>> (see the other thread). IMO there should be 2 patches: the first >>> should >>> add the ability to change DS and HTTP certmonger config during >>> upgrade >>> (i.e. the start_tracking_certificates() methods and >>> certificate_renewal_update() changes), the second should move the >>> helpers (i.e. the actual move and certificate_renewal_update() >>> version >>> bump). >>> >> Honza, do I understand it correctly that the code is OK but I did not >> split it to the patches correctly? > > Yes. Before acking or pushing, can you please explain for me how the upgrade of certmonger tracking requests work? I want to make sure this is right, so please bear with me: 1) How does it edit existing tracking requests with the new helper paths? 2) Does it go and try to edit the requests on every upgrade? Or is there some check that requests were updated? Thanks, Martin >>> >>> Whole upgrade of renewal requests is done in >>> ipaserver/install/server/upgrade.py in certificate_renewal_upgrade(). >>> >>> First there is version of requests and if it's the same as in state file >>> upgrade is skipped. >>> Then every request is searched over certmonger's DBus interface and >>> if at least >>> one is not found it means that there was change in request >>> configuration. All >>> tracking requests are then stopped and started again with new >>> configuration. >>> >>> So to answer you questions: >>> 1) By stopping the old request with the old parameters (including >>> path) and >>> starting new with new parameters. >>> >>> 2) Only if version was bumped which happens only if some of the >>> requests changes. >> >> Ah, so IIUC, if you bump the version, requests should be properly >> updated. The >> change
Re: [Freeipa-devel] Locations design v2: LDAP schema & user interface
On 02/19/2016 04:31 PM, Simo Sorce wrote: On Fri, 2016-02-19 at 08:58 +0100, Petr Spacek wrote: On 4.2.2016 18:21, Petr Spacek wrote: On 3.2.2016 18:41, Petr Spacek wrote: Hello, I've updated the design page http://www.freeipa.org/page/V4/DNS_Location_Mechanism Namely it now contains 'Version 2'. Okay, here is the idea how we can make it flexible: http://www.freeipa.org/page/V4/DNS_Location_Mechanism#Implementation Hello, I'm thinking about LDAP schema for DNS locations. Purpose === * Allow admins to define any number of locations. * 1 DNS server advertises at most 1 location. * 1 location generally contains set of services with different priorities and weights (in DNS SRV terms). * Express server & service priority for each defined location in a way which is granular and flexible and ad the same time easy to manage. Proposal a) Container for locations -- cn=locations,cn=ipa,cn=etc,dc=example,dc=com b) 1 location - Attributes: 2.16.840.1.113730.3.8.5.32 idnsLocationMember Server/service assigned to a DNS Location. Usually used to define 'main' servers for that location. Should it point to service DNs to be sure we have smooth upgrade to containers? 2.16.840.1.113730.3.8.5.33 idnsBackupLocation Pointer to another location. Sucks in all servers from that location as one group with the same priority. Easy to use with _default location where all 'other' servers are used as backup. These two attributes use sub-type priority and relativeweight. This is the only way I could express all the information without need for separate objects. Object classes: 2.16.840.1.113730.3.8.6.7 idnsLocation MAY ( idnsLocationMember $ idnsBackupLocation ) 1st example: Location CZ: - servers czserver1, czserver2 - priority=1 - relative weight = 50 % each - if both CZ servers fail, use servers in location UK as backup (priority 2) - if all CZ and UK servers fail, use servers in location US as backup (priority 3) - servers on the other continent are used only as option of last resort DN: cn=cz,cn=locations,cn=ipa,cn=etc,dc=example,dc=com objectClass: idnsLocation idnsLocationMember;priority1;relativeweight50: cn=czserver1,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsLocationMember;priority1;relativeweight50: cn=czserver2,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority2: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority3: cn=us,cn=locations,cn=ipa,cn=etc,dc=example,dc=com Location UK: - servers ukserver1, ukserver2 - priority=1 - server ukserver1 is a new beefy machine so it can handle 3 times more load than ukserver2, thus relative weights 75 % and 25 % - if both UK servers fail, use servers in location CZ as backup (priority 2) - if all CZ and UK servers fail, use servers in location US as backup (priority 3) - servers on the other continent are used only as option of last resort DN: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com objectClass: idnsLocation idnsLocationMember;priority1;relativeweight3: cn=ukserver1,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsLocationMember;priority1;relativeweight1: cn=ukserver2,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority2: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority3: cn=us,cn=locations,cn=ipa,cn=etc,dc=example,dc=com Location US: - servers usserver1, usserver2 - priority=1 - relative weight = 50 % each - if both US servers fail, use servers in location CZ and UK as backup (priority 2) - it is over ocean anyway, so US clients will not make any difference between CZ and UK locations DN: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com objectClass: idnsLocation idnsLocationMember;priority1;relativeweight50: cn=ukserver1,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsLocationMember;priority1;relativeweight50: cn=ukserver2,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority2: cn=cz,cn=locations,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority2: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com Resulting DNS SRV records (generated by FreeIPA framework). Please note that only numbers in SRV records matter only relatively. Priorities work as group, weights are relative only inside the group. Absolute values above are used only in algorithm which generates SRV records: Location CZ: _kerberos._udp SRV 1 50 czserver1 _kerberos._udp SRV 1 50 czserver2 _kerberos._udp SRV 2 75 ukserver1 _kerberos._udp SRV 2 25 ukserver1 _kerberos._udp SRV 3 50 usserver1 _kerberos._udp SRV 3 50 usserver2 Location UK: _kerberos._udp SRV 1 75 ukserver1 _kerberos._udp SRV 1 25 ukserver1 _kerberos._udp SRV 2 50 czserver1 _kerberos._udp SRV 2 50 czserver2 _kerberos._udp SRV 3 50 usserver1 _kerberos._udp SRV 3 50 usserver2 Location US: _kerberos._udp SRV 1 50 usserver1 _kerberos._udp SRV 1 50 usserver2 _kerberos._udp SRV 2 250 czserver1 _kerberos._udp SRV 2 250 czserver2 _kerberos._udp SRV 2
Re: [Freeipa-devel] [PATCH 0012] Use HTTPD_USER in dogtaginstance.py
On 19.01.2016 13:48, David Kupka wrote: I've converted the diff attached to #5587 by Timo Aaltonen. Works for me, ACK. https://fedorahosted.org/freeipa/ticket/5587 Patch has been pushed to master, original email is probably lost. 67c367d0db194d9afa56ecda34dafb46758d99b5 Use HTTPD_USER in dogtaginstance.py Also patch had not been pushed to ipa-4-3, fixed: Pushed to ipa-4-3: 073fdeb57465044bbce981672027253c2dd44c0f -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0006] Refactor test_hostgroup_plugin
On 22.12.2015 11:57, Filip Skola wrote: And also sending refactored hostgroup plugin test. F bump for review -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 811 performance: faster DN implementation
On 22.12.2015 16:59, Petr Spacek wrote: On 14.4.2015 19:32, Petr Vobornik wrote: Pushed to master: 11bd9d96f191066f7ba760549f00179c128a9787 Please be so kind and fix naming. AFAIK the patch refers to 'openldap' DN format but in fact it is python-ldap-ishm. It will surely confuse next generation of FreeIPA developers :-) Will be in separate patch. Petr, Santa found out that you did not send the patch! You are risking Christmas without any presents ... :-) Bump for patch. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0048 Decode HTTP reason phrase as iso-8859-1
On 13.1.2016 08:12, Jan Cholasta wrote: On 8.1.2016 11:56, Fraser Tweedale wrote: On Thu, Jan 07, 2016 at 08:00:51PM +1000, Fraser Tweedale wrote: On Thu, Jan 07, 2016 at 07:56:15AM +0100, Jan Cholasta wrote: Hi, On 6.1.2016 05:26, Fraser Tweedale wrote: Happy new year, all. The attached patch fixes a unicode decode error triggered in some locales, which causes failure of installation (and probably other oprations, if locale is changed under an existing server). https://fedorahosted.org/freeipa/ticket/5578 It seems like this fixes only part of the issue - the installer won't crash anymore. But what happens if the reason phrase uses characters which are not in iso-8859-1 (e.g. "č", a character commonly used in Czech)? Shouldn't we always specify the encoding in requests, so that Dogtag does not have to guess? In this case it will not throw an exception, but it will decode nonsense. However, in my investigation just now of how Tomcat decides what to send in the reason phrase, it turns out that in future releases they will not send a reason phrase[1] at all! [1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37 (Nice to know about this in advance - I will not be surprised if some clients break) I'll cut a new patch tomorrow that just ignores the reason phrase rather than trying to decode and log it. All the info is in the status code, after all. Thanks for reviewing, Fraser Promised new patch attached - removes the reason phrase and updates call sites accordingly. Thanks, ACK. Pushed to master: fe94222873c4df5118e93cebe7e9d69439266ba0 and to: ipa-4-2: 0aedaf10e1e3fe48df5f57ad0f25c80b91c2eb45 ipa-4-3: 45f7762a9229ff867700432413c434e61fdddc0d -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [TESTS][PATCH 0010] WebUI tests - ID views
Hi, attached is patch providing missing test coverage for ID views in webUI. Lenka From 5940a3e7f63b7b6360a28fd52ba6c7df65e4ea98 Mon Sep 17 00:00:00 2001 From: Lenka DoudovaDate: Fri, 19 Feb 2016 14:59:19 +0100 Subject: [PATCH] WebUI test: ID views Provides missing test coverage for ID views web UI. --- ipatests/test_webui/data_idviews.py | 20 ++ ipatests/test_webui/test_idviews.py | 127 ipatests/test_webui/ui_driver.py| 48 -- 3 files changed, 189 insertions(+), 6 deletions(-) create mode 100644 ipatests/test_webui/data_idviews.py create mode 100644 ipatests/test_webui/test_idviews.py diff --git a/ipatests/test_webui/data_idviews.py b/ipatests/test_webui/data_idviews.py new file mode 100644 index ..9d62f33fe47dcf2cbde525d687ddd80c50b367e0 --- /dev/null +++ b/ipatests/test_webui/data_idviews.py @@ -0,0 +1,20 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +ENTITY = 'idview' +USER_FACET = 'idoverrideuser' +GROUP_FACET = 'idoverridegroup' +HOST_FACET = 'appliedtohosts' + +PKEY = 'itest-view' +DATA = { +'pkey': PKEY, +'add': [ +('textbox', 'cn', PKEY), +('textarea', 'description', 'Description of ID view'), +], +'mod': [ +('textarea', 'description', 'Different description'), +], +} diff --git a/ipatests/test_webui/test_idviews.py b/ipatests/test_webui/test_idviews.py new file mode 100644 index ..b7f5c312eb2a5a7680b55126ae91446b5010a5b8 --- /dev/null +++ b/ipatests/test_webui/test_idviews.py @@ -0,0 +1,127 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipatests.test_webui.ui_driver import UI_driver +from ipatests.test_webui.ui_driver import screenshot +import ipatests.test_webui.data_idviews as idview +import ipatests.test_webui.data_user as user +import ipatests.test_webui.data_group as group +import ipatests.test_webui.data_hostgroup as hostgroup +from ipatests.test_webui.test_host import host_tasks, ENTITY as HOST_ENTITY +import pytest + +DATA_USER = { +'pkey': user.PKEY, +'add': [ +('combobox', 'ipaanchoruuid', user.PKEY), +('textbox', 'uid', 'iduser'), +('textbox', 'gecos', 'id user'), +('textbox', 'uidnumber', 1), +('textbox', 'gidnumber', 1), +('textbox', 'loginshell', 'shell'), +('textbox', 'homedirectory', 'home'), +('textarea', 'description', 'desc'), +], +'mod': [ +('textbox', 'uid', 'moduser'), +('textbox', 'uidnumber', 3), +], +} + +DATA_GROUP = { +'pkey': group.PKEY, +'add': [ +('combobox', 'ipaanchoruuid', group.PKEY), +('textbox', 'cn', 'idgroup'), +('textbox', 'gidnumber', 2), +('textarea', 'description', 'desc'), +], +'mod': [ +('textbox', 'cn', 'modgroup'), +('textbox', 'gidnumber', 3), +], +} + + +@pytest.mark.tier1 +class test_idviews(UI_driver): + +@screenshot +def test_crud(self): +""" +Basic CRUD: ID view +""" +self.init_app() +self.basic_crud( +idview.ENTITY, idview.DATA, default_facet=idview.USER_FACET) + +@screenshot +def test_overrides(self): +""" +User and group overrides +""" +self.init_app() + +self.add_record(user.ENTITY, user.DATA, navigate=False) +self.add_record(group.ENTITY, group.DATA) +self.add_record(idview.ENTITY, idview.DATA) + +self.navigate_to_record(idview.PKEY) +parent_entity = 'idview' + +# user override +self.add_record(parent_entity, DATA_USER, facet=idview.USER_FACET) +self.navigate_to_record(user.PKEY) +self.mod_record(idview.USER_FACET, DATA_USER) +self.delete_action(idview.ENTITY, user.PKEY) + +# group override +self.navigate_to_record(idview.PKEY) +self.switch_to_facet(idview.GROUP_FACET) +self.add_record(parent_entity, DATA_GROUP, facet=idview.GROUP_FACET) +self.navigate_to_record(group.PKEY) +self.mod_record(idview.GROUP_FACET, DATA_GROUP) +self.delete_action(idview.ENTITY, group.PKEY) + +# cleanup +self.delete(idview.ENTITY, [idview.DATA]) +self.delete(user.ENTITY, [user.DATA]) +self.delete(group.ENTITY, [group.DATA]) + +@screenshot +def test_hosts(self): +""" +Apply to hosts and host groups +""" +self.init_app() +host = host_tasks() +host.setup(self.driver, self.config) + +self.add_record(HOST_ENTITY, host.data) +self.add_record(hostgroup.ENTITY, hostgroup.DATA) +self.navigate_to_record(hostgroup.PKEY) +self.add_associations([host.pkey]) +self.add_record(idview.ENTITY, idview.DATA) + +self.navigate_to_record(idview.PKEY) +
Re: [Freeipa-devel] Locations design v2: LDAP schema & user interface
On Tue, 2016-02-23 at 12:43 +0100, Petr Spacek wrote: > On 23.2.2016 11:00, Jan Cholasta wrote: > > Hi, > > > > On 19.2.2016 16:31, Simo Sorce wrote: > >> On Fri, 2016-02-19 at 08:58 +0100, Petr Spacek wrote: > >>> On 4.2.2016 18:21, Petr Spacek wrote: > On 3.2.2016 18:41, Petr Spacek wrote: > > Hello, > > > > I've updated the design page > > http://www.freeipa.org/page/V4/DNS_Location_Mechanism > > > > Namely it now contains 'Version 2'. > > Okay, here is the idea how we can make it flexible: > http://www.freeipa.org/page/V4/DNS_Location_Mechanism#Implementation > >>> > >>> Hello, > >>> > >>> I'm thinking about LDAP schema for DNS locations. > >>> > >>> Purpose > >>> === > >>> * Allow admins to define any number of locations. > >>> * 1 DNS server advertises at most 1 location. > >>> * 1 location generally contains set of services with different priorities > >>> and > >>> weights (in DNS SRV terms). > >>> * Express server & service priority for each defined location in a way > >>> which > >>> is granular and flexible and ad the same time easy to manage. > >>> > >>> > >>> Proposal > >>> > >>> a) Container for locations > >>> -- > >>> cn=locations,cn=ipa,cn=etc,dc=example,dc=com > >>> > >>> > >>> b) 1 location > >>> - > >>> Attributes: > >>> 2.16.840.1.113730.3.8.5.32 idnsLocationMember > >>> Server/service assigned to a DNS Location. Usually used to define 'main' > >>> servers for that location. Should it point to service DNs to be sure we > >>> have > >>> smooth upgrade to containers? > > > > Services always live on a host (call it server or not), so IMO it makes > > sense > > to point to servers. > > Fine with me. We just need something which will be able to accommodate > containerization without upgrade headache. > > Do I undestand correctly that 1 container is going to have 1 host object with > one service object inside it? > > Like: > cn=container > - cn=DNS, cn=container > ? Do we think we will ever need to define different locations on a per service basis ? We based or hypothesis on the fact we only have one location and at most different weights per services ? Is there anything in here that will make it hard for us should we change our mind in future ? (I think the single _tcp DNAME may be an architectural issue anyway, but that could be resolved perhaps by moving the location DNAME on a per service basis in future should we need it ? > >>> 2.16.840.1.113730.3.8.5.33 idnsBackupLocation > >>> Pointer to another location. Sucks in all servers from that location as > >>> one > >>> group with the same priority. Easy to use with _default location where all > >>> 'other' servers are used as backup. > >>> > >>> These two attributes use sub-type priority and > >>> relativeweight. > >>> This is the only way I could express all the information without need for > >>> separate objects. > > > > I don't see the benefit here. What is wrong with separate objects? Why is it > > necessary to reinvent the wheel and abuse attribute sub-types for this, > > losing > > schema integrity checks provided by DS and making the implementation more > > complex along the way? > > AFAIK Simo did not like separate objects because we could not use referential > integrity plugin to prune references to removed servers. > > This can surely be done in framework, I do not insist on subtypes. > > > Talk is cheap, show me your schema :-) I had a preference, but I m ok also with multiplle objects one per server/service if we think this will make things easier to handle. Given we are going to need a Server object in DNS anyway (so that things are self contained for non IPA use cases) then I think the referential integrity thing goes out the window. [...] > >>> Attributes: > >>> 2.16.840.1.113730.3.8.5.34 idnsAdvertisedLocation > >>> Pointer to a idnsLocation object. On DNS service object / external server. > >>> Single-valued. > > > > IMO this should be attribute of server rather than service, > > given that > > idnsLocationMember points to servers rather than services. > > The main reason is why idnsAdvertisedLocation is tied to DNS service is that a > IPA server without a DNS server cannot advertise anything, so the attribute > does not make sense on all server objects. > > Also, the attribute can be (in future) used on external DNS server. The > external server is not going to be an IPA server, it will be just > representation of a DNS endpoint. Likely this external DNS server is not going > to reside in cn=masters at all. It might be in cn=dns so somewhere else. If possible I'd tie it to the DNS server's DNS object, or a new object in the DNS hierarchy. We may want to have locations for servers that are not IPA Server at all, like the preferred local XMPP server or other things like that. > So it seemed to me that it would be good to tie this to 'DNS endpoint' object > instead of IPA server object. > >
Re: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin
NACK. Some little changes still required: * fixing the pep8 errors * fixing the wrong comment [root@master2 freeipa]# pep8 ipatests/test_xmlrpc/test_sudocmd_plugin.py ipatests/test_xmlrpc/test_sudocmd_plugin.py:94:80: E501 line too long (87 > 79 characters) ipatests/test_xmlrpc/test_sudocmd_plugin.py:97:80: E501 line too long (87 > 79 characters) ipatests/test_xmlrpc/test_sudocmd_plugin.py:134:80: E501 line too long (80 > 79 characters) [root@master2 freeipa]# pep8 ipatests/test_xmlrpc/tracker/sudocmd_plugin.py ipatests/test_xmlrpc/tracker/sudocmd_plugin.py:14:80: E501 line too long (81 > 79 characters) [root@master2 freeipa]# grep 'Class for' ipatests/test_xmlrpc/tracker/sudocmd_plugin.py """ Class for host plugin like tests """ - Original Message - > From: "Filip Skola"> To: "Aleš Mareček" > Cc: freeipa-devel@redhat.com, "Milan Kubík" > Sent: Monday, February 22, 2016 1:59:43 PM > Subject: Re: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin > > Hi, > > sudocmd tracker has been created. > > Filip > > - Original Message - > > NACK. > > > > "create_sudocmd" and "delete_sudocmd" should be placed in Tracker. So this > > patch should create the tracker as well. > > > > - Original Message - > > > From: "Filip Skola" > > > To: freeipa-devel@redhat.com > > > Sent: Monday, January 25, 2016 3:57:25 PM > > > Subject: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin > > > > > > Hello, > > > > > > attaching refactored sudocmd_plugin. > > > > > > Filip > > > -- > > > Manage your subscription for the Freeipa-devel mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > > -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.
On 23/02/16 10:14, Martin Kosek wrote: On 02/23/2016 09:47 AM, David Kupka wrote: On 22/02/16 16:15, Martin Kosek wrote: On 02/22/2016 04:04 PM, Jan Cholasta wrote: On 22.2.2016 15:56, David Kupka wrote: On 22/02/16 07:28, Jan Cholasta wrote: On 18.2.2016 10:10, David Kupka wrote: On 19/01/16 16:10, David Kupka wrote: On 19/01/16 14:38, Jan Cholasta wrote: On 19.1.2016 14:26, Martin Kosek wrote: On 01/19/2016 01:47 PM, David Kupka wrote: I've polished the patch attached to #5586 by Timo Aaltonen. Thanks for the patch. I've fixed the path in specfile and removed unused import but otherwise it works, ACK. https://fedorahosted.org/freeipa/ticket/5586 Won't this break existing certmonger requests depending on the old path? It will, I don't see any upgrade code. # getcert list | grep '/usr/lib64/ipa/certmonger' pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72 post-save command: /usr/lib64/ipa/certmonger/restart_httpd You're right it will break the upgrade. I haven't noticed that Server-Cert for DS and HTTPD are not handled by certificate_renewal_update (ipaserver.install.server.upgrade) where all the other trackings are stopped and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already updated. Thanks for the catch. I've updated Timo's patch little more and added start_tracking_certificates() for dsinstance and httpinstance. Now the upgrade works as expected. The way the patches are split is kind of weird and apparently confusing (see the other thread). IMO there should be 2 patches: the first should add the ability to change DS and HTTP certmonger config during upgrade (i.e. the start_tracking_certificates() methods and certificate_renewal_update() changes), the second should move the helpers (i.e. the actual move and certificate_renewal_update() version bump). Honza, do I understand it correctly that the code is OK but I did not split it to the patches correctly? Yes. Before acking or pushing, can you please explain for me how the upgrade of certmonger tracking requests work? I want to make sure this is right, so please bear with me: 1) How does it edit existing tracking requests with the new helper paths? 2) Does it go and try to edit the requests on every upgrade? Or is there some check that requests were updated? Thanks, Martin Whole upgrade of renewal requests is done in ipaserver/install/server/upgrade.py in certificate_renewal_upgrade(). First there is version of requests and if it's the same as in state file upgrade is skipped. Then every request is searched over certmonger's DBus interface and if at least one is not found it means that there was change in request configuration. All tracking requests are then stopped and started again with new configuration. So to answer you questions: 1) By stopping the old request with the old parameters (including path) and starting new with new parameters. 2) Only if version was bumped which happens only if some of the requests changes. Ah, so IIUC, if you bump the version, requests should be properly updated. The change looks fine then. After discussion with Honza, we decided to drop the part comparing only base names of pre- and post-save commands and use it as whole. I've also split the patches so it's obvious what is going on. Patches should be applied in this order: freeipa-dkupka-0091.0 freeipa-dkupka-0087.1 freeipa-dkupka-0088.1 freeipa-tjaalton-0011.2 freeipa-dkupka-0092.0 -- David Kupka From 3e43c00c9d90752c28b5e81ddb7827ba00f12eba Mon Sep 17 00:00:00 2001 From: David KupkaDate: Wed, 17 Feb 2016 15:18:04 +0100 Subject: [PATCH 2/5] dsinstance: add start_tracking_certificates method Configure certmonger to start tracing certificate for DS. https://fedorahosted.org/freeipa/ticket/5586 --- ipaserver/install/dsinstance.py | 10 ++ ipaserver/install/server/upgrade.py | 19 +-- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index
Re: [Freeipa-devel] [PATCH 0416-0419] fix broken configuration of sidgen and extdom plugins
On 23.02.2016 13:02, Alexander Bokovoy wrote: On Tue, 23 Feb 2016, Martin Basti wrote: From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 23 Feb 2016 10:37:47 +0100 Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket after DS restart Restarting DS executed by upgrade plugin causes that upgrade frameworg was waiting for not proper socket to be ready. This commit fix issue. Please fix the commit message typos. Fixed. Updated patches attached. From 779ca0e230252d40bb275539b4cc512d0460a056 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 18 Feb 2016 19:59:50 +0100 Subject: [PATCH 1/4] upgrade: fix config of sidgen and extdom plugins During upgrade to IPA 4.2, literally "$SUFFIX" value was added to configuration of sidgen and extdom plugins. This cause that SID are not properly configured. Upgrade must fix "$SUFFIX" to reals suffix DN, and run sidgen task against IPA domain (if exists). All trusts added when plugins configuration was broken must be re-added. https://fedorahosted.org/freeipa/ticket/5665 --- install/updates/90-post_upgrade_plugins.update | 2 + ipaserver/install/dsinstance.py| 12 +- ipaserver/install/plugins/adtrust.py | 153 + ipaserver/install/server/upgrade.py| 4 +- 4 files changed, 163 insertions(+), 8 deletions(-) diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index 5642021ad93cf336db2d872bf3ef6db99b5ffa46..9c9ee160fffedbc8e8d59705169e6cf08ddc9779 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update @@ -5,6 +5,8 @@ plugin: update_ca_topology plugin: update_dnszones plugin: update_dns_limits +plugin: update_sigden_extdom_broken_config +plugin: update_sids plugin: update_default_range plugin: update_default_trust_view plugin: update_ca_renewal_master diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2905c31c64c4fa8bd034d2cdf6ce5d90ecfea091..f474e189a47f945b7c91cba4ccc17266b9c7e430 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -1054,9 +1054,9 @@ class DsInstance(service.Service): """ Add sidgen directory server plugin configuration if it does not already exist. """ -self._ldap_mod('ipa-sidgen-conf.ldif', self.sub_dict) +self.add_sidgen_plugin(self.sub_dict['SUFFIX']) -def add_sidgen_plugin(self): +def add_sidgen_plugin(self, suffix): """ Add sidgen plugin configuration only if it does not already exist. """ @@ -1064,7 +1064,7 @@ class DsInstance(service.Service): try: self.admin_conn.get_entry(dn) except errors.NotFound: -self._add_sidgen_plugin() +self._ldap_mod('ipa-sidgen-conf.ldif', dict(SUFFIX=suffix)) else: root_logger.debug("sidgen plugin is already configured") @@ -1072,9 +1072,9 @@ class DsInstance(service.Service): """ Add directory server configuration for the extdom extended operation. """ -self._ldap_mod('ipa-extdom-extop-conf.ldif', self.sub_dict) +self.add_extdom_plugin(self.sub_dict['SUFFIX']) -def add_extdom_plugin(self): +def add_extdom_plugin(self, suffix): """ Add extdom configuration if it does not already exist. """ @@ -1082,7 +1082,7 @@ class DsInstance(service.Service): try: self.admin_conn.get_entry(dn) except errors.NotFound: -self._add_extdom_plugin() +self._ldap_mod('ipa-extdom-extop-conf.ldif', dict(SUFFIX=suffix)) else: root_logger.debug("extdom plugin is already configured") diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py index df9412adba833251cc1c70d7d72ebebbdc77c2a4..5b81b2efd5be63f45b02b8d357f89ec5ba142170 100644 --- a/ipaserver/install/plugins/adtrust.py +++ b/ipaserver/install/plugins/adtrust.py @@ -21,6 +21,8 @@ from ipalib import api, errors from ipalib import Updater from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger +from ipaserver.install import sysupgrade + DEFAULT_ID_RANGE_SIZE = 20 @@ -161,5 +163,156 @@ class update_default_trust_view(Updater): return False, [update] + +class update_sigden_extdom_broken_config(Updater): +"""Fix configuration of sidgen and extdom plugins + +Upgrade to IPA 4.2+ cause that sidgen and extdom plugins have improperly +configured basedn. + +All trusts which have been added when config was broken must to be +re-added manually. + +https://fedorahosted.org/freeipa/ticket/5665 +""" + +sidgen_config_dn = DN("cn=IPA SIDGEN,cn=plugins,cn=config") +extdom_config_dn =
Re: [Freeipa-devel] [PATCH 0416-0419] fix broken configuration of sidgen and extdom plugins
On Tue, 23 Feb 2016, Martin Basti wrote: From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 23 Feb 2016 10:37:47 +0100 Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket after DS restart Restarting DS executed by upgrade plugin causes that upgrade frameworg was waiting for not proper socket to be ready. This commit fix issue. Please fix the commit message typos. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0416-0419] fix broken configuration of sidgen and extdom plugins
On 22.02.2016 20:11, Martin Basti wrote: On 22.02.2016 19:15, Martin Basti wrote: On 22.02.2016 17:05, Martin Basti wrote: On 19.02.2016 15:02, Alexander Bokovoy wrote: On Fri, 19 Feb 2016, Petr Vobornik wrote: On 02/19/2016 11:12 AM, Alexander Bokovoy wrote: On Fri, 19 Feb 2016, Martin Basti wrote: WIP patch attached https://fedorahosted.org/freeipa/ticket/5665 Comments inline. +# we need to run sidgen task +sidgen_task_dn = DN("cn=sidgen,cn=ipa-sidgen-task,cn=tasks," +"cn=config") +sidgen_tasks_attr = { +"objectclass": ["top", "extensibleObject"], +"cn": ["sidgen"], +"delay": [0], +"nsslapd-basedn": [self.api.env.basedn], +} May be you are better to name this task more uniquely? Something like 'cn=generate domain sid,cn=...'? + +task_entry = ldap.make_entry(sidgen_task_dn, + **sidgen_tasks_attr) +try: +ldap.add_entry(task_entry) +except errors.DuplicateEntry: +self.log.debug("sidgen task already created") +else: +self.log.debug("sidgen task has been created") There could be multiple tasks running in parallel, that's why it could be good to use a different and unique name. +# we have to check all trusts domains which have been added after the +# upgrade that caused bug was done. + +base_dn = DN(self.api.env.container_adtrusts, self.api.env.basedn) +trust_domain_entries, truncated = ldap.find_entries( +base_dn=base_dn, +scope=ldap.SCOPE_ONELEVEL, +attrs_list=[attr_name, "cn"], +) + +if truncated: +self.log.warning("update_sids: Search results were truncated") + +for entry in trust_domain_entries: +if entry.single_value[attr_name] is None: +domain = entry.single_value["cn"] +self.log.error( +"Your trust to %s is broken. Please re-create it by " +"running 'ipa trust-add' again", domain) + +sysupgrade.set_upgrade_state('sidgen', 'update_sids', False) +return False, () This part looks fine. Basically, a similar check needs to be added to trust_find, trust_show, and may be trust_add. Why trust-add? I'm not a big fan of cluttering existing commands(find, show, mod) with logic to fix one upgrade bug. But I understand a need to communicate it somehow. Would it make sense to move such logic to a separate command, e.g. trust-check/trust-verify? The command can do additional check in a future. No. What is the value of trust-add if it says you 'Trust established and verified' while in reality it didn't? This specific issue is very easy to catch. Patch attached, patch with warning will land soon. Updated patches attached I fixed except clause in 416, added patch with user warnings, IMO to have separate search is the cleanest solution here, command is not used often, I would like to avoid any hacks in find and show command Patches attached. I will look on ldapsearch timeouts after restarting DS tomorrow. Updated patches attached + new patch fixing timeout error From 779ca0e230252d40bb275539b4cc512d0460a056 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Thu, 18 Feb 2016 19:59:50 +0100 Subject: [PATCH 1/4] upgrade: fix config of sidgen and extdom plugins During upgrade to IPA 4.2, literally "$SUFFIX" value was added to configuration of sidgen and extdom plugins. This cause that SID are not properly configured. Upgrade must fix "$SUFFIX" to reals suffix DN, and run sidgen task against IPA domain (if exists). All trusts added when plugins configuration was broken must be re-added. https://fedorahosted.org/freeipa/ticket/5665 --- install/updates/90-post_upgrade_plugins.update | 2 + ipaserver/install/dsinstance.py| 12 +- ipaserver/install/plugins/adtrust.py | 153 + ipaserver/install/server/upgrade.py| 4 +- 4 files changed, 163 insertions(+), 8 deletions(-) diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index 5642021ad93cf336db2d872bf3ef6db99b5ffa46..9c9ee160fffedbc8e8d59705169e6cf08ddc9779 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update @@ -5,6 +5,8 @@ plugin: update_ca_topology plugin: update_dnszones plugin: update_dns_limits +plugin: update_sigden_extdom_broken_config +plugin: update_sids plugin: update_default_range plugin: update_default_trust_view plugin: update_ca_renewal_master diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2905c31c64c4fa8bd034d2cdf6ce5d90ecfea091..f474e189a47f945b7c91cba4ccc17266b9c7e430 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -1054,9 +1054,9 @@ class
Re: [Freeipa-devel] Locations design v2: LDAP schema & user interface
On 23.2.2016 11:00, Jan Cholasta wrote: > Hi, > > On 19.2.2016 16:31, Simo Sorce wrote: >> On Fri, 2016-02-19 at 08:58 +0100, Petr Spacek wrote: >>> On 4.2.2016 18:21, Petr Spacek wrote: On 3.2.2016 18:41, Petr Spacek wrote: > Hello, > > I've updated the design page > http://www.freeipa.org/page/V4/DNS_Location_Mechanism > > Namely it now contains 'Version 2'. Okay, here is the idea how we can make it flexible: http://www.freeipa.org/page/V4/DNS_Location_Mechanism#Implementation >>> >>> Hello, >>> >>> I'm thinking about LDAP schema for DNS locations. >>> >>> Purpose >>> === >>> * Allow admins to define any number of locations. >>> * 1 DNS server advertises at most 1 location. >>> * 1 location generally contains set of services with different priorities >>> and >>> weights (in DNS SRV terms). >>> * Express server & service priority for each defined location in a way which >>> is granular and flexible and ad the same time easy to manage. >>> >>> >>> Proposal >>> >>> a) Container for locations >>> -- >>> cn=locations,cn=ipa,cn=etc,dc=example,dc=com >>> >>> >>> b) 1 location >>> - >>> Attributes: >>> 2.16.840.1.113730.3.8.5.32 idnsLocationMember >>> Server/service assigned to a DNS Location. Usually used to define 'main' >>> servers for that location. Should it point to service DNs to be sure we have >>> smooth upgrade to containers? > > Services always live on a host (call it server or not), so IMO it makes sense > to point to servers. Fine with me. We just need something which will be able to accommodate containerization without upgrade headache. Do I undestand correctly that 1 container is going to have 1 host object with one service object inside it? Like: cn=container - cn=DNS, cn=container ? >>> 2.16.840.1.113730.3.8.5.33 idnsBackupLocation >>> Pointer to another location. Sucks in all servers from that location as one >>> group with the same priority. Easy to use with _default location where all >>> 'other' servers are used as backup. >>> >>> These two attributes use sub-type priority and >>> relativeweight. >>> This is the only way I could express all the information without need for >>> separate objects. > > I don't see the benefit here. What is wrong with separate objects? Why is it > necessary to reinvent the wheel and abuse attribute sub-types for this, losing > schema integrity checks provided by DS and making the implementation more > complex along the way? AFAIK Simo did not like separate objects because we could not use referential integrity plugin to prune references to removed servers. This can surely be done in framework, I do not insist on subtypes. Talk is cheap, show me your schema :-) >>> Object classes: >>> 2.16.840.1.113730.3.8.6.7 idnsLocation >>> MAY ( idnsLocationMember $ idnsBackupLocation ) >>> >>> >>> 1st example: >>> Location CZ: >>> - servers czserver1, czserver2 >>> - priority=1 >>> - relative weight = 50 % each >>> - if both CZ servers fail, use servers in location UK as backup (priority 2) >>> - if all CZ and UK servers fail, use servers in location US as backup >>> (priority 3) - servers on the other continent are used only as option of >>> last >>> resort >>> DN: cn=cz,cn=locations,cn=ipa,cn=etc,dc=example,dc=com >>> objectClass: idnsLocation >>> idnsLocationMember;priority1;relativeweight50: >>> cn=czserver1,cn=masters,cn=ipa,cn=etc,dc=example,dc=com >>> idnsLocationMember;priority1;relativeweight50: >>> cn=czserver2,cn=masters,cn=ipa,cn=etc,dc=example,dc=com >>> idnsBackupLocation;priority2: >>> cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com >>> idnsBackupLocation;priority3: >>> cn=us,cn=locations,cn=ipa,cn=etc,dc=example,dc=com >>> >>> Location UK: >>> - servers ukserver1, ukserver2 >>> - priority=1 >>> - server ukserver1 is a new beefy machine so it can handle 3 times more load >>> than ukserver2, thus relative weights 75 % and 25 % >>> - if both UK servers fail, use servers in location CZ as backup (priority 2) >>> - if all CZ and UK servers fail, use servers in location US as backup >>> (priority 3) - servers on the other continent are used only as option of >>> last >>> resort >>> DN: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com >>> objectClass: idnsLocation >>> idnsLocationMember;priority1;relativeweight3: >>> cn=ukserver1,cn=masters,cn=ipa,cn=etc,dc=example,dc=com >>> idnsLocationMember;priority1;relativeweight1: >>> cn=ukserver2,cn=masters,cn=ipa,cn=etc,dc=example,dc=com >>> idnsBackupLocation;priority2: >>> cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com >>> idnsBackupLocation;priority3: >>> cn=us,cn=locations,cn=ipa,cn=etc,dc=example,dc=com >>> >>> Location US: >>> - servers usserver1, usserver2 >>> - priority=1 >>> - relative weight = 50 % each >>> - if both US servers fail, use servers in location CZ and UK as backup >>> (priority 2) - it is over ocean anyway, so US clients will not make any >>> difference between CZ and UK
Re: [Freeipa-devel] Locations design v2: LDAP schema & user interface
Hi, On 19.2.2016 16:31, Simo Sorce wrote: On Fri, 2016-02-19 at 08:58 +0100, Petr Spacek wrote: On 4.2.2016 18:21, Petr Spacek wrote: On 3.2.2016 18:41, Petr Spacek wrote: Hello, I've updated the design page http://www.freeipa.org/page/V4/DNS_Location_Mechanism Namely it now contains 'Version 2'. Okay, here is the idea how we can make it flexible: http://www.freeipa.org/page/V4/DNS_Location_Mechanism#Implementation Hello, I'm thinking about LDAP schema for DNS locations. Purpose === * Allow admins to define any number of locations. * 1 DNS server advertises at most 1 location. * 1 location generally contains set of services with different priorities and weights (in DNS SRV terms). * Express server & service priority for each defined location in a way which is granular and flexible and ad the same time easy to manage. Proposal a) Container for locations -- cn=locations,cn=ipa,cn=etc,dc=example,dc=com b) 1 location - Attributes: 2.16.840.1.113730.3.8.5.32 idnsLocationMember Server/service assigned to a DNS Location. Usually used to define 'main' servers for that location. Should it point to service DNs to be sure we have smooth upgrade to containers? Services always live on a host (call it server or not), so IMO it makes sense to point to servers. 2.16.840.1.113730.3.8.5.33 idnsBackupLocation Pointer to another location. Sucks in all servers from that location as one group with the same priority. Easy to use with _default location where all 'other' servers are used as backup. These two attributes use sub-type priority and relativeweight. This is the only way I could express all the information without need for separate objects. I don't see the benefit here. What is wrong with separate objects? Why is it necessary to reinvent the wheel and abuse attribute sub-types for this, losing schema integrity checks provided by DS and making the implementation more complex along the way? Object classes: 2.16.840.1.113730.3.8.6.7 idnsLocation MAY ( idnsLocationMember $ idnsBackupLocation ) 1st example: Location CZ: - servers czserver1, czserver2 - priority=1 - relative weight = 50 % each - if both CZ servers fail, use servers in location UK as backup (priority 2) - if all CZ and UK servers fail, use servers in location US as backup (priority 3) - servers on the other continent are used only as option of last resort DN: cn=cz,cn=locations,cn=ipa,cn=etc,dc=example,dc=com objectClass: idnsLocation idnsLocationMember;priority1;relativeweight50: cn=czserver1,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsLocationMember;priority1;relativeweight50: cn=czserver2,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority2: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority3: cn=us,cn=locations,cn=ipa,cn=etc,dc=example,dc=com Location UK: - servers ukserver1, ukserver2 - priority=1 - server ukserver1 is a new beefy machine so it can handle 3 times more load than ukserver2, thus relative weights 75 % and 25 % - if both UK servers fail, use servers in location CZ as backup (priority 2) - if all CZ and UK servers fail, use servers in location US as backup (priority 3) - servers on the other continent are used only as option of last resort DN: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com objectClass: idnsLocation idnsLocationMember;priority1;relativeweight3: cn=ukserver1,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsLocationMember;priority1;relativeweight1: cn=ukserver2,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority2: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority3: cn=us,cn=locations,cn=ipa,cn=etc,dc=example,dc=com Location US: - servers usserver1, usserver2 - priority=1 - relative weight = 50 % each - if both US servers fail, use servers in location CZ and UK as backup (priority 2) - it is over ocean anyway, so US clients will not make any difference between CZ and UK locations DN: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com objectClass: idnsLocation idnsLocationMember;priority1;relativeweight50: cn=ukserver1,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsLocationMember;priority1;relativeweight50: cn=ukserver2,cn=masters,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority2: cn=cz,cn=locations,cn=ipa,cn=etc,dc=example,dc=com idnsBackupLocation;priority2: cn=uk,cn=locations,cn=ipa,cn=etc,dc=example,dc=com Resulting DNS SRV records (generated by FreeIPA framework). Please note that only numbers in SRV records matter only relatively. Priorities work as group, weights are relative only inside the group. Absolute values above are used only in algorithm which generates SRV records: Location CZ: _kerberos._udp SRV 1 50 czserver1 _kerberos._udp SRV 1 50 czserver2 _kerberos._udp SRV 2 75 ukserver1 _kerberos._udp SRV 2 25 ukserver1 _kerberos._udp SRV 3 50 usserver1 _kerberos._udp SRV 3 50 usserver2 Location UK:
Re: [Freeipa-devel] [PATCH] 946 webui: fixed showing of success message after password change on login
On 02/18/2016 03:58 PM, Pavel Vomacka wrote: On 02/18/2016 03:56 PM, Petr Vobornik wrote: On 01/20/2016 06:42 PM, Petr Vobornik wrote: similar issue and cause as in https://fedorahosted.org/freeipa/ticket/5567 root cause is that binding triggers validation which clears messages in validation summary. Maybe it could be refactored in a future to not use the same validation summary field for API calls and fields. If you think it is actually ticket #5567 (could be in some point of view) then feel free to push also to 4.2 and 4.3 branch. bump for review Ack. Works as expected. Pushed to master: b9c27b672218c30d669d085b5a57045711542fb9 -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 947 webui: use API call ca_is_enabled instead of enable_ra env variable.
On 02/18/2016 03:59 PM, Pavel Vomacka wrote: On 02/18/2016 03:56 PM, Petr Vobornik wrote: On 01/20/2016 07:02 PM, Petr Vobornik wrote: To be consistent with backend code. https://fedorahosted.org/freeipa/ticket/5622 bump for review Ack. Pushed to: master: 31f42bc2e1e931b4c7dec9bf89eb94c844397ea2 ipa-4-3: 814f20100dec5f465b23eb051873ede05480b676 -- Pavel^3 Vomacka -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.
On 02/23/2016 09:47 AM, David Kupka wrote: > On 22/02/16 16:15, Martin Kosek wrote: >> On 02/22/2016 04:04 PM, Jan Cholasta wrote: >>> On 22.2.2016 15:56, David Kupka wrote: On 22/02/16 07:28, Jan Cholasta wrote: > On 18.2.2016 10:10, David Kupka wrote: >> On 19/01/16 16:10, David Kupka wrote: >>> On 19/01/16 14:38, Jan Cholasta wrote: On 19.1.2016 14:26, Martin Kosek wrote: > On 01/19/2016 01:47 PM, David Kupka wrote: >> I've polished the patch attached to #5586 by Timo Aaltonen. >> >> Thanks for the patch. I've fixed the path in specfile and removed >> unused import >> but otherwise it works, ACK. >> >> https://fedorahosted.org/freeipa/ticket/5586 > > Won't this break existing certmonger requests depending on the old > path? It will, I don't see any upgrade code. > > # getcert list | grep '/usr/lib64/ipa/certmonger' > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "auditSigningCert > cert-pki-ca" > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "ocspSigningCert > cert-pki-ca" > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "subsystemCert > cert-pki-ca" > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "caSigningCert > cert-pki-ca" > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "Server-Cert > cert-pki-ca" > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv > RHEL72 > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > >>> >>> You're right it will break the upgrade. I haven't noticed that >>> Server-Cert for DS and HTTPD are not handled by >>> certificate_renewal_update (ipaserver.install.server.upgrade) where all >>> the other trackings are stopped and then configured again with the >>> paths.CERTMONGER_COMMAND_TEMPLATE already updated. >>> >>> Thanks for the catch. >>> >> >> I've updated Timo's patch little more and added >> start_tracking_certificates() for dsinstance and httpinstance. Now the >> upgrade works as expected. > > The way the patches are split is kind of weird and apparently confusing > (see the other thread). IMO there should be 2 patches: the first should > add the ability to change DS and HTTP certmonger config during upgrade > (i.e. the start_tracking_certificates() methods and > certificate_renewal_update() changes), the second should move the > helpers (i.e. the actual move and certificate_renewal_update() version > bump). > Honza, do I understand it correctly that the code is OK but I did not split it to the patches correctly? >>> >>> Yes. >> >> Before acking or pushing, can you please explain for me how the upgrade of >> certmonger tracking requests work? I want to make sure this is right, so >> please >> bear with me: >> >> 1) How does it edit existing tracking requests with the new helper paths? >> >> 2) Does it go and try to edit the requests on every upgrade? Or is there some >> check that requests were updated? >> >> Thanks, >> Martin >> > > Whole upgrade of renewal requests is done in > ipaserver/install/server/upgrade.py in certificate_renewal_upgrade(). > > First there is version of requests and if it's the same as in state file > upgrade is skipped. > Then every request is searched over certmonger's DBus interface and if at > least > one is not found it means that there was change in request configuration. All > tracking requests are then stopped and started again with new configuration. > > So to answer you questions: > 1) By stopping the old request with the old parameters (including path) and > starting new with new parameters. > > 2) Only if version was bumped which happens only if some of the requests > changes. Ah, so IIUC, if you bump the version, requests should be properly updated. The change looks fine then. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [TESTS][PATCH 0009] WebUI tests fix
On 02/19/2016 02:53 PM, Lenka Doudova wrote: On 02/19/2016 10:51 AM, Petr Vobornik wrote: On 02/16/2016 10:10 AM, Lenka Doudova wrote: On 02/11/2016 11:13 AM, Lenka Doudova wrote: Hi all, most of webUI tests fail with AssertionError: Can't click on checkbox label: table.table Message: Element is not clickable at point (37, 340.338964844). Other element would receive the click: The problem seems to be that the tests attempt to click on a checkbox label that is no longer there. Since the checkbox is clickable directly, I changed the code accordingly. Most of the tests should now proceed successfully. Lenka Attaching updated patch with minor fix. Lenka would ACK but the commit message is so generic that it doesn't say anything. Also the description in the mail should be in commit message to be usable in a future. Fix attached, hope this is better. Lenka ACK Pushed to master: a3f8e8e71f95c145cbf2e1917bd71c6bedee11d4 -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0135] upgrade: unconditional import of certificate profiles into LDAP
On 02/23/2016 07:43 AM, Fraser Tweedale wrote: On Tue, Feb 23, 2016 at 07:32:31AM +0100, Jan Cholasta wrote: On 23.2.2016 06:40, Fraser Tweedale wrote: On Mon, Feb 22, 2016 at 02:03:49PM +0100, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5682 -- Martin^3 Babinsky Thanks for the patch. Conditional ACK. Patch is tested and works, but I am wary about checking for substring match against RemoteRetrieveError reason string (see hunk below). It would be better to carry the status code as an attribute of RemoteRetrieveError and check whether it is 409. +except errors.RemoteRetrieveError as e: +if "Profile already exists" in e.reason: +root_logger.debug("Profile '{}' already present".format( +profile_id)) +else: +root_logger.error("Error migrating profile '{}': {}".format( +profile_id, e)) +return If you agree, we can file a ticket and I am happy for these patches to be merged as-is. The scope of changing RemoteRetrieveError is larger than #5682 so it makes sense to do it separately, and just for master branch. I don't think this is the right approach. create_profile() should raise DuplicateEntry rather than RemoteRetrieveError if the profile already exists, which can then be properly handled in _create_dogtag_profile(). I am happy with that. Attaching updated patch. Unfortunately, REST API does report only a super-generic error code 400: Bad request when adding profile which already exists, which is not very useful for us (I will open a ticket for Dogtag for this). After consultation with Jan, we decided to log the error at debug level and be done with it (for the moment). -- Martin^3 Babinsky From e75576971f9639825e92b234b688cb56e09cb707 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Mon, 22 Feb 2016 13:35:41 +0100 Subject: [PATCH] upgrade: unconditional import of certificate profiles into LDAP During IPA server upgrade, the migration of Dogtag profiles into LDAP backend was bound to the update of CS.cfg which enabled the LDAP profile subsystem. If the subsequent profile migration failed, the subsequent upgrades were not executing the migration code leaving CA subsystem in broken state. Therefore the migration code path should be executed regardless of the status of the main Dogtag config file. https://fedorahosted.org/freeipa/ticket/5682 --- ipaserver/install/cainstance.py | 8 ++-- ipaserver/install/server/upgrade.py | 4 +++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 369902ad04b197c9e9516503c1f81c4de1ef153b..1a98c438786ae7dad208212fff23e3a760c95b3c 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1807,7 +1807,6 @@ def migrate_profiles_to_ldap(dogtag_constants): continue class_id = match.group(1) -root_logger.info("Migrating profile '%s' to LDAP", profile_id) with open(filename) as f: profile_data = f.read() if profile_data[-1] != '\n': @@ -1824,7 +1823,12 @@ def _create_dogtag_profile(profile_id, profile_data): # import the profile try: profile_api.create_profile(profile_data) -except errors.RemoteRetrieveError: +root_logger.info("Profile '%s' successfully migrated to LDAP", + profile_id) +except errors.RemoteRetrieveError as e: +root_logger.debug("Error migrating '{}': {}".format( +profile_id, e)) + # conflicting profile; replace it if we are # installing IPA, but keep it for upgrades if api.env.context == 'installer': diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0a46635979497f8028465c2295b22485fd9c0279..258d976c83844f89c1a939303b685fd6565b79e5 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -336,7 +336,9 @@ def ca_enable_ldap_profile_subsystem(ca): separator='=') ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) -cainstance.migrate_profiles_to_ldap(caconfig) + +root_logger.info('[Migrating certificate profiles to LDAP]') +cainstance.migrate_profiles_to_ldap(caconfig) return needs_update -- 2.5.0 From 148d44fc744c92fc13ce0ac3544e924c7099ff05 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 22 Feb 2016 13:35:41 +0100 Subject: [PATCH] upgrade: unconditional import of certificate profiles into LDAP During IPA server upgrade, the migration of Dogtag profiles into LDAP backend was bound to the update of CS.cfg which enabled the LDAP profile subsystem. If the subsequent profile migration failed, the subsequent upgrades were not executing the migration code leaving CA subsystem
Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.
On 22/02/16 16:15, Martin Kosek wrote: On 02/22/2016 04:04 PM, Jan Cholasta wrote: On 22.2.2016 15:56, David Kupka wrote: On 22/02/16 07:28, Jan Cholasta wrote: On 18.2.2016 10:10, David Kupka wrote: On 19/01/16 16:10, David Kupka wrote: On 19/01/16 14:38, Jan Cholasta wrote: On 19.1.2016 14:26, Martin Kosek wrote: On 01/19/2016 01:47 PM, David Kupka wrote: I've polished the patch attached to #5586 by Timo Aaltonen. Thanks for the patch. I've fixed the path in specfile and removed unused import but otherwise it works, ACK. https://fedorahosted.org/freeipa/ticket/5586 Won't this break existing certmonger requests depending on the old path? It will, I don't see any upgrade code. # getcert list | grep '/usr/lib64/ipa/certmonger' pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72 post-save command: /usr/lib64/ipa/certmonger/restart_httpd You're right it will break the upgrade. I haven't noticed that Server-Cert for DS and HTTPD are not handled by certificate_renewal_update (ipaserver.install.server.upgrade) where all the other trackings are stopped and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already updated. Thanks for the catch. I've updated Timo's patch little more and added start_tracking_certificates() for dsinstance and httpinstance. Now the upgrade works as expected. The way the patches are split is kind of weird and apparently confusing (see the other thread). IMO there should be 2 patches: the first should add the ability to change DS and HTTP certmonger config during upgrade (i.e. the start_tracking_certificates() methods and certificate_renewal_update() changes), the second should move the helpers (i.e. the actual move and certificate_renewal_update() version bump). Honza, do I understand it correctly that the code is OK but I did not split it to the patches correctly? Yes. Before acking or pushing, can you please explain for me how the upgrade of certmonger tracking requests work? I want to make sure this is right, so please bear with me: 1) How does it edit existing tracking requests with the new helper paths? 2) Does it go and try to edit the requests on every upgrade? Or is there some check that requests were updated? Thanks, Martin Whole upgrade of renewal requests is done in ipaserver/install/server/upgrade.py in certificate_renewal_upgrade(). First there is version of requests and if it's the same as in state file upgrade is skipped. Then every request is searched over certmonger's DBus interface and if at least one is not found it means that there was change in request configuration. All tracking requests are then stopped and started again with new configuration. So to answer you questions: 1) By stopping the old request with the old parameters (including path) and starting new with new parameters. 2) Only if version was bumped which happens only if some of the requests changes. -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code