Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/29/2013 03:50 PM, Alexander Bokovoy wrote: On Fri, 29 Nov 2013, Martin Kosek wrote: On 11/29/2013 03:30 PM, Petr Viktorin wrote: On 11/26/2013 02:35 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. Could we switch CI to track 3.3 branch for pre-F20? I just realized we have a problem here: this patch also went to ipa-3-3. That means 3.3 is currently also f20+ only. I see two options here: 1) Update the CI FreeIPA build instruction and remove the F20 httpd Requires. All tests should still work as long as mod_ssl is not installed. 3.3 shouldn't need this require, so we should back out the patch from there. That makes sense. Reverted in ipa-3-3: c6a15335b0406c9d7d57378cbdd9b20252438f65 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/26/2013 02:35 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. Could we switch CI to track 3.3 branch for pre-F20? I just realized we have a problem here: this patch also went to ipa-3-3. That means 3.3 is currently also f20+ only. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/29/2013 03:30 PM, Petr Viktorin wrote: On 11/26/2013 02:35 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. Could we switch CI to track 3.3 branch for pre-F20? I just realized we have a problem here: this patch also went to ipa-3-3. That means 3.3 is currently also f20+ only. I see two options here: 1) Update the CI FreeIPA build instruction and remove the F20 httpd Requires. All tests should still work as long as mod_ssl is not installed. 2) Migrate our CI tests to F20 :) Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On Fri, 29 Nov 2013, Martin Kosek wrote: On 11/29/2013 03:30 PM, Petr Viktorin wrote: On 11/26/2013 02:35 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. Could we switch CI to track 3.3 branch for pre-F20? I just realized we have a problem here: this patch also went to ipa-3-3. That means 3.3 is currently also f20+ only. I see two options here: 1) Update the CI FreeIPA build instruction and remove the F20 httpd Requires. All tests should still work as long as mod_ssl is not installed. 3.3 shouldn't need this require, so we should back out the patch from there. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza -- Jan Cholasta From f880aa215ad268a156e5367e9ee8a915c1e07e35 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 26 Nov 2013 08:53:34 + Subject: [PATCH] Remove mod_ssl port workaround. https://fedorahosted.org/freeipa/ticket/4021 --- freeipa.spec.in | 8 ++-- install/tools/ipa-upgradeconfig | 2 +- ipaserver/install/httpinstance.py | 17 - 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ebc2f15..2a738dd 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -114,14 +114,14 @@ Requires: krb5-server = 1.10 Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -Requires: httpd +Requires: httpd = 2.4.6-6 Requires: mod_wsgi %if 0%{?fedora} = 18 Requires: mod_auth_kerb = 5.4-16 %else Requires: mod_auth_kerb = 5.4-8 %endif -Requires: mod_nss = 1.0.8-24 +Requires: mod_nss = 1.0.8-26 Requires: python-ldap Requires: python-krbV Requires: acl @@ -839,6 +839,10 @@ fi %endif # ONLY_CLIENT %changelog +* Tue Nov 26 2013 Jan Cholasta jchol...@redhat.com - 3.3.90-6 +- Set minimum version of httpd to 2.4.6-6 +- Set minimum version of mod_nss to 1.0.8-26 + * Tue Nov 12 2013 Tomas Babejtba...@redhat.com - 3.3.90-5 - Add Fedora 19 platform files diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 41c5126..10526f2 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1047,7 +1047,7 @@ def main(): http.remove_httpd_ccache() http.configure_selinux_for_httpd() http.configure_httpd_ccache() -http.change_mod_nss_port_to_http() +http.change_mod_nss_port_from_http() ds = dsinstance.DsInstance() ds.configure_dirsrv_ccache() diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 689e657..e61a0c6 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -253,25 +253,24 @@ class HTTPInstance(service.Service): http_fd.close() os.chmod(target_fname, 0644) -def change_mod_nss_port_to_http(self): +def change_mod_nss_port_from_http(self): # mod_ssl enforces SSLEngine on for vhost on 443 even though # the listener is mod_nss. This then crashes the httpd as mod_nss # listened port obviously does not match mod_ssl requirements. # -# Change port to http to workaround the mod_ssl check, the SSL is -# enforced in the vhost later, so it is benign. +# The workaround for this was to change port to http. It is no longer +# necessary, as mod_nss now ships with default configuration which +# sets SSLEngine off when mod_ssl is installed. # -# Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168 -# is fixed. -if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): -installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False) -sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True) +# Remove the workaround. +if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): +installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False) +sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False) def __set_mod_nss_port(self): self.fstore.backup_file(NSS_CONF) if installutils.update_file(NSS_CONF, '8443', '443') != 0: print Updating port in %s failed. % NSS_CONF -self.change_mod_nss_port_to_http() def __set_mod_nss_nickname(self, nickname): installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On Tue, 26 Nov 2013, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza -- Jan Cholasta From f880aa215ad268a156e5367e9ee8a915c1e07e35 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 26 Nov 2013 08:53:34 + Subject: [PATCH] Remove mod_ssl port workaround. https://fedorahosted.org/freeipa/ticket/4021 --- freeipa.spec.in | 8 ++-- install/tools/ipa-upgradeconfig | 2 +- ipaserver/install/httpinstance.py | 17 - 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ebc2f15..2a738dd 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -114,14 +114,14 @@ Requires: krb5-server = 1.10 Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -Requires: httpd +Requires: httpd = 2.4.6-6 Requires: mod_wsgi %if 0%{?fedora} = 18 Requires: mod_auth_kerb = 5.4-16 %else Requires: mod_auth_kerb = 5.4-8 %endif -Requires: mod_nss = 1.0.8-24 +Requires: mod_nss = 1.0.8-26 Requires: python-ldap Requires: python-krbV Requires: acl @@ -839,6 +839,10 @@ fi %endif # ONLY_CLIENT %changelog +* Tue Nov 26 2013 Jan Cholasta jchol...@redhat.com - 3.3.90-6 +- Set minimum version of httpd to 2.4.6-6 +- Set minimum version of mod_nss to 1.0.8-26 + * Tue Nov 12 2013 Tomas Babejtba...@redhat.com - 3.3.90-5 - Add Fedora 19 platform files diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 41c5126..10526f2 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1047,7 +1047,7 @@ def main(): http.remove_httpd_ccache() http.configure_selinux_for_httpd() http.configure_httpd_ccache() -http.change_mod_nss_port_to_http() +http.change_mod_nss_port_from_http() ds = dsinstance.DsInstance() ds.configure_dirsrv_ccache() diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 689e657..e61a0c6 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -253,25 +253,24 @@ class HTTPInstance(service.Service): http_fd.close() os.chmod(target_fname, 0644) -def change_mod_nss_port_to_http(self): +def change_mod_nss_port_from_http(self): # mod_ssl enforces SSLEngine on for vhost on 443 even though # the listener is mod_nss. This then crashes the httpd as mod_nss # listened port obviously does not match mod_ssl requirements. # -# Change port to http to workaround the mod_ssl check, the SSL is -# enforced in the vhost later, so it is benign. +# The workaround for this was to change port to http. It is no longer +# necessary, as mod_nss now ships with default configuration which +# sets SSLEngine off when mod_ssl is installed. # -# Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168 -# is fixed. -if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): -installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False) -sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True) +# Remove the workaround. +if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): +installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False) +sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False) def __set_mod_nss_port(self): self.fstore.backup_file(NSS_CONF) if installutils.update_file(NSS_CONF, '8443', '443') != 0: print Updating port in %s failed. % NSS_CONF -self.change_mod_nss_port_to_http() def __set_mod_nss_nickname(self, nickname): installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) ACK. P.S. When do we start removing changelog entries from the spec.in in git master? :) -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/26/2013 12:34 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza -- Jan Cholasta ACK. Pushed to: master: f20577ddc4ab40c2365c8abaa703d96019ec4eef ipa-3-3: 3a11044664341257a3929da2db1c493659515eec P.S. When do we start removing changelog entries from the spec.in in git master? :) Soon :) -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. It would be nice to announce changes like this when sending the patch. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 26.11.2013 14:24, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. It would be nice to announce changes like this when sending the patch. I was going to do that, but forgot about it in the end. Sorry. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. Could we switch CI to track 3.3 branch for pre-F20? It would be nice to announce changes like this when sending the patch. I agree, this is subtle. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel