Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/29/2013 03:50 PM, Alexander Bokovoy wrote: On Fri, 29 Nov 2013, Martin Kosek wrote: On 11/29/2013 03:30 PM, Petr Viktorin wrote: On 11/26/2013 02:35 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. Could we switch CI to track 3.3 branch for pre-F20? I just realized we have a problem here: this patch also went to ipa-3-3. That means 3.3 is currently also f20+ only. I see two options here: 1) Update the CI FreeIPA build instruction and remove the F20 httpd Requires. All tests should still work as long as mod_ssl is not installed. 3.3 shouldn't need this require, so we should back out the patch from there. That makes sense. Reverted in ipa-3-3: c6a15335b0406c9d7d57378cbdd9b20252438f65 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/26/2013 02:35 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. Could we switch CI to track 3.3 branch for pre-F20? I just realized we have a problem here: this patch also went to ipa-3-3. That means 3.3 is currently also f20+ only. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/29/2013 03:30 PM, Petr Viktorin wrote: On 11/26/2013 02:35 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. Could we switch CI to track 3.3 branch for pre-F20? I just realized we have a problem here: this patch also went to ipa-3-3. That means 3.3 is currently also f20+ only. I see two options here: 1) Update the CI FreeIPA build instruction and remove the F20 httpd Requires. All tests should still work as long as mod_ssl is not installed. 2) Migrate our CI tests to F20 :) Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On Fri, 29 Nov 2013, Martin Kosek wrote: On 11/29/2013 03:30 PM, Petr Viktorin wrote: On 11/26/2013 02:35 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. Could we switch CI to track 3.3 branch for pre-F20? I just realized we have a problem here: this patch also went to ipa-3-3. That means 3.3 is currently also f20+ only. I see two options here: 1) Update the CI FreeIPA build instruction and remove the F20 httpd Requires. All tests should still work as long as mod_ssl is not installed. 3.3 shouldn't need this require, so we should back out the patch from there. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
Hi,
the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021.
Honza
--
Jan Cholasta
From f880aa215ad268a156e5367e9ee8a915c1e07e35 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 26 Nov 2013 08:53:34 +
Subject: [PATCH] Remove mod_ssl port workaround.
https://fedorahosted.org/freeipa/ticket/4021
---
freeipa.spec.in | 8 ++--
install/tools/ipa-upgradeconfig | 2 +-
ipaserver/install/httpinstance.py | 17 -
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ebc2f15..2a738dd 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -114,14 +114,14 @@ Requires: krb5-server = 1.10
Requires: krb5-pkinit-openssl
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
-Requires: httpd
+Requires: httpd = 2.4.6-6
Requires: mod_wsgi
%if 0%{?fedora} = 18
Requires: mod_auth_kerb = 5.4-16
%else
Requires: mod_auth_kerb = 5.4-8
%endif
-Requires: mod_nss = 1.0.8-24
+Requires: mod_nss = 1.0.8-26
Requires: python-ldap
Requires: python-krbV
Requires: acl
@@ -839,6 +839,10 @@ fi
%endif # ONLY_CLIENT
%changelog
+* Tue Nov 26 2013 Jan Cholasta jchol...@redhat.com - 3.3.90-6
+- Set minimum version of httpd to 2.4.6-6
+- Set minimum version of mod_nss to 1.0.8-26
+
* Tue Nov 12 2013 Tomas Babejtba...@redhat.com - 3.3.90-5
- Add Fedora 19 platform files
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 41c5126..10526f2 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1047,7 +1047,7 @@ def main():
http.remove_httpd_ccache()
http.configure_selinux_for_httpd()
http.configure_httpd_ccache()
-http.change_mod_nss_port_to_http()
+http.change_mod_nss_port_from_http()
ds = dsinstance.DsInstance()
ds.configure_dirsrv_ccache()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 689e657..e61a0c6 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -253,25 +253,24 @@ class HTTPInstance(service.Service):
http_fd.close()
os.chmod(target_fname, 0644)
-def change_mod_nss_port_to_http(self):
+def change_mod_nss_port_from_http(self):
# mod_ssl enforces SSLEngine on for vhost on 443 even though
# the listener is mod_nss. This then crashes the httpd as mod_nss
# listened port obviously does not match mod_ssl requirements.
#
-# Change port to http to workaround the mod_ssl check, the SSL is
-# enforced in the vhost later, so it is benign.
+# The workaround for this was to change port to http. It is no longer
+# necessary, as mod_nss now ships with default configuration which
+# sets SSLEngine off when mod_ssl is installed.
#
-# Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
-# is fixed.
-if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
-installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
-sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
+# Remove the workaround.
+if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
+installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False)
+sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
def __set_mod_nss_port(self):
self.fstore.backup_file(NSS_CONF)
if installutils.update_file(NSS_CONF, '8443', '443') != 0:
print Updating port in %s failed. % NSS_CONF
-self.change_mod_nss_port_to_http()
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
--
1.8.3.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On Tue, 26 Nov 2013, Jan Cholasta wrote:
Hi,
the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021.
Honza
--
Jan Cholasta
From f880aa215ad268a156e5367e9ee8a915c1e07e35 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 26 Nov 2013 08:53:34 +
Subject: [PATCH] Remove mod_ssl port workaround.
https://fedorahosted.org/freeipa/ticket/4021
---
freeipa.spec.in | 8 ++--
install/tools/ipa-upgradeconfig | 2 +-
ipaserver/install/httpinstance.py | 17 -
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ebc2f15..2a738dd 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -114,14 +114,14 @@ Requires: krb5-server = 1.10
Requires: krb5-pkinit-openssl
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
-Requires: httpd
+Requires: httpd = 2.4.6-6
Requires: mod_wsgi
%if 0%{?fedora} = 18
Requires: mod_auth_kerb = 5.4-16
%else
Requires: mod_auth_kerb = 5.4-8
%endif
-Requires: mod_nss = 1.0.8-24
+Requires: mod_nss = 1.0.8-26
Requires: python-ldap
Requires: python-krbV
Requires: acl
@@ -839,6 +839,10 @@ fi
%endif # ONLY_CLIENT
%changelog
+* Tue Nov 26 2013 Jan Cholasta jchol...@redhat.com - 3.3.90-6
+- Set minimum version of httpd to 2.4.6-6
+- Set minimum version of mod_nss to 1.0.8-26
+
* Tue Nov 12 2013 Tomas Babejtba...@redhat.com - 3.3.90-5
- Add Fedora 19 platform files
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 41c5126..10526f2 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1047,7 +1047,7 @@ def main():
http.remove_httpd_ccache()
http.configure_selinux_for_httpd()
http.configure_httpd_ccache()
-http.change_mod_nss_port_to_http()
+http.change_mod_nss_port_from_http()
ds = dsinstance.DsInstance()
ds.configure_dirsrv_ccache()
diff --git a/ipaserver/install/httpinstance.py
b/ipaserver/install/httpinstance.py
index 689e657..e61a0c6 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -253,25 +253,24 @@ class HTTPInstance(service.Service):
http_fd.close()
os.chmod(target_fname, 0644)
-def change_mod_nss_port_to_http(self):
+def change_mod_nss_port_from_http(self):
# mod_ssl enforces SSLEngine on for vhost on 443 even though
# the listener is mod_nss. This then crashes the httpd as mod_nss
# listened port obviously does not match mod_ssl requirements.
#
-# Change port to http to workaround the mod_ssl check, the SSL is
-# enforced in the vhost later, so it is benign.
+# The workaround for this was to change port to http. It is no longer
+# necessary, as mod_nss now ships with default configuration which
+# sets SSLEngine off when mod_ssl is installed.
#
-# Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
-# is fixed.
-if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
-installutils.set_directive(NSS_CONF, 'Listen', '443 http',
quotes=False)
-sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated',
True)
+# Remove the workaround.
+if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
+installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False)
+sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated',
False)
def __set_mod_nss_port(self):
self.fstore.backup_file(NSS_CONF)
if installutils.update_file(NSS_CONF, '8443', '443') != 0:
print Updating port in %s failed. % NSS_CONF
-self.change_mod_nss_port_to_http()
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
ACK.
P.S. When do we start removing changelog entries from the spec.in in
git master? :)
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/26/2013 12:34 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza -- Jan Cholasta ACK. Pushed to: master: f20577ddc4ab40c2365c8abaa703d96019ec4eef ipa-3-3: 3a11044664341257a3929da2db1c493659515eec P.S. When do we start removing changelog entries from the spec.in in git master? :) Soon :) -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. It would be nice to announce changes like this when sending the patch. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On 26.11.2013 14:24, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. It would be nice to announce changes like this when sending the patch. I was going to do that, but forgot about it in the end. Sorry. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 203 Remove mod_ssl port workaround
On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 02:15 PM, Alexander Bokovoy wrote: On Tue, 26 Nov 2013, Petr Viktorin wrote: On 11/26/2013 12:17 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4021. Honza I assume a build of httpd = 2.4.6-6 is not planned for Fedora 19, so master is now f20+ only. Is that right? Is this bad? Given that we are close to F20 release, I'd prefer to concentrate on polishing and testing F20. Well, for me it means updating the infrastructure I use for development, including internal CI. It'll cost me some time, which I currently don't have a lot of. Could we switch CI to track 3.3 branch for pre-F20? It would be nice to announce changes like this when sending the patch. I agree, this is subtle. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
