Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 02.02.2016 12:18, Jan Cholasta wrote: On 2.2.2016 11:46, Jan Cholasta wrote: On 2.2.2016 11:41, Martin Babinsky wrote: On 02/02/2016 09:33 AM, Jan Cholasta wrote: On 1.2.2016 14:54, Martin Basti wrote: On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. This is suspicious: -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard() Why is it necessary? I don't know, you tell me: b9ae7690489368ead9f4983d386fa210dc265dfa What I meant is why is the change necessary, not why is the original code necessary. Ah, the original code didn't have the condition. LGTM then. LGTM + LGTM = ACK :) Pushed to: master: 612f4aa9003658f9a494ec327d50ec5a0592f7b4 ipa-4-3: d99552a8a9f855a7c5e00c4b0736061e05d6ed31 ipa-4-2: 3664efa31edf0dff6dd3410e2eccd12c9cd25782 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 2.2.2016 11:46, Jan Cholasta wrote: On 2.2.2016 11:41, Martin Babinsky wrote: On 02/02/2016 09:33 AM, Jan Cholasta wrote: On 1.2.2016 14:54, Martin Basti wrote: On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. This is suspicious: -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard() Why is it necessary? I don't know, you tell me: b9ae7690489368ead9f4983d386fa210dc265dfa What I meant is why is the change necessary, not why is the original code necessary. Ah, the original code didn't have the condition. LGTM then. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 2.2.2016 11:41, Martin Babinsky wrote: On 02/02/2016 09:33 AM, Jan Cholasta wrote: On 1.2.2016 14:54, Martin Basti wrote: On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. This is suspicious: -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard() Why is it necessary? I don't know, you tell me: b9ae7690489368ead9f4983d386fa210dc265dfa What I meant is why is the change necessary, not why is the original code necessary. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 02/02/2016 09:33 AM, Jan Cholasta wrote: On 1.2.2016 14:54, Martin Basti wrote: On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. This is suspicious: -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard() Why is it necessary? I don't know, you tell me: b9ae7690489368ead9f4983d386fa210dc265dfa -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 1.2.2016 14:54, Martin Basti wrote: On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. This is suspicious: -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard() Why is it necessary? -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
https://fedorahosted.org/freeipa/ticket/5655 -- Martin^3 Babinsky From bfa239bd1ac71f89a54f8be548432b89b2f527dd Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 1 Feb 2016 12:59:04 +0100 Subject: [PATCH] always start certmonger during IPA server configuration upgrade This patch fixes a regression introduced by commit bef0f4c5c38e7ff6415e8f8c96dc306ef7f0ce56. Instead of checking whether there is CA installed in the topology, we should always start certmonger service during upgrade regardless when CA was configured. https://fedorahosted.org/freeipa/ticket/5655 --- ipaserver/install/server/upgrade.py | 33 + 1 file changed, 5 insertions(+), 28 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 20379f19c652cb0b5911a4c2f1c67eae7f763379..48f8579a4bf49c9e225733facb06fcc001dbdb32 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -291,24 +291,6 @@ def setup_firefox_extension(fstore): http.setup_firefox_extension(realm, domain) -def is_ca_enabled(): -""" -check whether there is an active CA master -:return: True if there is an active CA in topology, False otherwise -""" -ldap2 = api.Backend.ldap2 -was_connected = ldap2.isconnected() - -if not was_connected: -ldap2.connect() - -try: -return api.Command.ca_is_enabled()['result'] -finally: -if not was_connected: -ldap2.disconnect() - - def ca_configure_profiles_acl(ca): root_logger.info('[Authorizing RA Agent to modify profiles]') @@ -1481,6 +1463,10 @@ def upgrade_configuration(): ) upgrade_pki(ca, fstore) +certmonger_service = services.knownservices.certmonger +if ca.is_configured() and not certmonger_service.is_running(): +certmonger_service.start() + ca.configure_certmonger_renewal_guard() update_dbmodules(api.env.realm) @@ -1496,8 +1482,7 @@ def upgrade_configuration(): http.configure_selinux_for_httpd() http.change_mod_nss_port_from_http() -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard() http.enable_and_start_oddjobd() @@ -1650,14 +1635,6 @@ def upgrade_check(options): print(unicode(e)) sys.exit(1) -try: -ca_is_enabled = is_ca_enabled() -except Exception as e: -raise RuntimeError("Cannot connect to LDAP server: {0}".format(e)) - -if not services.knownservices.certmonger.is_running() and ca_is_enabled: -raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.') - if not options.skip_version_check: # check IPA version and data version try: -- 2.5.0 From d10dbd7c5bbcc7987c66e6ea0c15a658bf9d609c Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 1 Feb 2016 12:59:04 +0100 Subject: [PATCH] always start certmonger during IPA server configuration upgrade This patch fixes a regression introduced by commit bef0f4c5c38e7ff6415e8f8c96dc306ef7f0ce56. Instead of checking whether there is CA installed in the topology, we should always start certmonger service during upgrade regardless when CA was configured. https://fedorahosted.org/freeipa/ticket/5655 --- ipaserver/install/server/upgrade.py | 33 + 1 file changed, 5 insertions(+), 28 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 2d971964480e2f7829591f194a21ed6d23eccdd2..0a46635979497f8028465c2295b22485fd9c0279 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -292,24 +292,6 @@ def setup_firefox_extension(fstore): http.setup_firefox_extension(realm, domain) -def is_ca_enabled(): -""" -check whether there is an active CA master -:return: True if there is an active CA in topology, False otherwise -""" -ldap2 = api.Backend.ldap2 -was_connected = ldap2.isconnected() - -if not was_connected: -ldap2.connect() - -try: -return api.Command.ca_is_enabled()['result'] -finally: -if not was_connected: -ldap2.disconnect() - - def ca_configure_profiles_acl(ca): root_logger.info('[Authorizing RA Agent to modify profiles]') @@ -1420,6 +1402,10 @@ def upgrade_configuration(): ) upgrade_pki(ca, fstore) +certmonger_service = services.knownservices.certmonger +if ca.is_configured() and not certmonger_service.is_running(): +certmonger_service.start() + ca.configure_certmonger_renewal_guard() update_dbmodules(api.env.realm) @@ -1435,8 +1421,7 @@ def upgrade_configuration(): http.configure_selinux_for_httpd() http.change_mod_nss_port_from_http() -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard()