Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 02.02.2016 12:18, Jan Cholasta wrote: On 2.2.2016 11:46, Jan Cholasta wrote: On 2.2.2016 11:41, Martin Babinsky wrote: On 02/02/2016 09:33 AM, Jan Cholasta wrote: On 1.2.2016 14:54, Martin Basti wrote: On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. This is suspicious: -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard() Why is it necessary? I don't know, you tell me: b9ae7690489368ead9f4983d386fa210dc265dfa What I meant is why is the change necessary, not why is the original code necessary. Ah, the original code didn't have the condition. LGTM then. LGTM + LGTM = ACK :) Pushed to: master: 612f4aa9003658f9a494ec327d50ec5a0592f7b4 ipa-4-3: d99552a8a9f855a7c5e00c4b0736061e05d6ed31 ipa-4-2: 3664efa31edf0dff6dd3410e2eccd12c9cd25782 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 2.2.2016 11:46, Jan Cholasta wrote: On 2.2.2016 11:41, Martin Babinsky wrote: On 02/02/2016 09:33 AM, Jan Cholasta wrote: On 1.2.2016 14:54, Martin Basti wrote: On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. This is suspicious: -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard() Why is it necessary? I don't know, you tell me: b9ae7690489368ead9f4983d386fa210dc265dfa What I meant is why is the change necessary, not why is the original code necessary. Ah, the original code didn't have the condition. LGTM then. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 2.2.2016 11:41, Martin Babinsky wrote: On 02/02/2016 09:33 AM, Jan Cholasta wrote: On 1.2.2016 14:54, Martin Basti wrote: On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. This is suspicious: -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard() Why is it necessary? I don't know, you tell me: b9ae7690489368ead9f4983d386fa210dc265dfa What I meant is why is the change necessary, not why is the original code necessary. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 02/02/2016 09:33 AM, Jan Cholasta wrote: On 1.2.2016 14:54, Martin Basti wrote: On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. This is suspicious: -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard() Why is it necessary? I don't know, you tell me: b9ae7690489368ead9f4983d386fa210dc265dfa -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 1.2.2016 14:54, Martin Basti wrote: On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. This is suspicious: -if is_ca_enabled(): -http.configure_certmonger_renewal_guard() +http.configure_certmonger_renewal_guard() Why is it necessary? -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
On 01.02.2016 13:55, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5655 LGTM, works for me, tested on both ca-less server and CA-full server. Because patch is touching certmonger I would like to get final ACK from Honza. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0132] always start certmonger during IPA server configuration upgrade
https://fedorahosted.org/freeipa/ticket/5655
--
Martin^3 Babinsky
From bfa239bd1ac71f89a54f8be548432b89b2f527dd Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Mon, 1 Feb 2016 12:59:04 +0100
Subject: [PATCH] always start certmonger during IPA server configuration
upgrade
This patch fixes a regression introduced by commit
bef0f4c5c38e7ff6415e8f8c96dc306ef7f0ce56. Instead of checking whether
there is CA installed in the topology, we should always start certmonger
service during upgrade regardless when CA was configured.
https://fedorahosted.org/freeipa/ticket/5655
---
ipaserver/install/server/upgrade.py | 33 +
1 file changed, 5 insertions(+), 28 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 20379f19c652cb0b5911a4c2f1c67eae7f763379..48f8579a4bf49c9e225733facb06fcc001dbdb32 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -291,24 +291,6 @@ def setup_firefox_extension(fstore):
http.setup_firefox_extension(realm, domain)
-def is_ca_enabled():
-"""
-check whether there is an active CA master
-:return: True if there is an active CA in topology, False otherwise
-"""
-ldap2 = api.Backend.ldap2
-was_connected = ldap2.isconnected()
-
-if not was_connected:
-ldap2.connect()
-
-try:
-return api.Command.ca_is_enabled()['result']
-finally:
-if not was_connected:
-ldap2.disconnect()
-
-
def ca_configure_profiles_acl(ca):
root_logger.info('[Authorizing RA Agent to modify profiles]')
@@ -1481,6 +1463,10 @@ def upgrade_configuration():
)
upgrade_pki(ca, fstore)
+certmonger_service = services.knownservices.certmonger
+if ca.is_configured() and not certmonger_service.is_running():
+certmonger_service.start()
+
ca.configure_certmonger_renewal_guard()
update_dbmodules(api.env.realm)
@@ -1496,8 +1482,7 @@ def upgrade_configuration():
http.configure_selinux_for_httpd()
http.change_mod_nss_port_from_http()
-if is_ca_enabled():
-http.configure_certmonger_renewal_guard()
+http.configure_certmonger_renewal_guard()
http.enable_and_start_oddjobd()
@@ -1650,14 +1635,6 @@ def upgrade_check(options):
print(unicode(e))
sys.exit(1)
-try:
-ca_is_enabled = is_ca_enabled()
-except Exception as e:
-raise RuntimeError("Cannot connect to LDAP server: {0}".format(e))
-
-if not services.knownservices.certmonger.is_running() and ca_is_enabled:
-raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.')
-
if not options.skip_version_check:
# check IPA version and data version
try:
--
2.5.0
From d10dbd7c5bbcc7987c66e6ea0c15a658bf9d609c Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Mon, 1 Feb 2016 12:59:04 +0100
Subject: [PATCH] always start certmonger during IPA server configuration
upgrade
This patch fixes a regression introduced by commit
bef0f4c5c38e7ff6415e8f8c96dc306ef7f0ce56. Instead of checking whether
there is CA installed in the topology, we should always start certmonger
service during upgrade regardless when CA was configured.
https://fedorahosted.org/freeipa/ticket/5655
---
ipaserver/install/server/upgrade.py | 33 +
1 file changed, 5 insertions(+), 28 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 2d971964480e2f7829591f194a21ed6d23eccdd2..0a46635979497f8028465c2295b22485fd9c0279 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -292,24 +292,6 @@ def setup_firefox_extension(fstore):
http.setup_firefox_extension(realm, domain)
-def is_ca_enabled():
-"""
-check whether there is an active CA master
-:return: True if there is an active CA in topology, False otherwise
-"""
-ldap2 = api.Backend.ldap2
-was_connected = ldap2.isconnected()
-
-if not was_connected:
-ldap2.connect()
-
-try:
-return api.Command.ca_is_enabled()['result']
-finally:
-if not was_connected:
-ldap2.disconnect()
-
-
def ca_configure_profiles_acl(ca):
root_logger.info('[Authorizing RA Agent to modify profiles]')
@@ -1420,6 +1402,10 @@ def upgrade_configuration():
)
upgrade_pki(ca, fstore)
+certmonger_service = services.knownservices.certmonger
+if ca.is_configured() and not certmonger_service.is_running():
+certmonger_service.start()
+
ca.configure_certmonger_renewal_guard()
update_dbmodules(api.env.realm)
@@ -1435,8 +1421,7 @@ def upgrade_configuration():
http.configure_selinux_for_httpd()
http.change_mod_nss_port_from_http()
-if is_ca_enabled():
-http.configure_certmonger_renewal_guard()
+http.configure_certmonger_renewal_guard()
