Adam Young wrote:
Upgrading from a system that had an earlier version of IPA to the
current is broken right now, due to the fact that the new code expects
to talk to the Certificate Authority (CA) via the proxy ports (80, 443),
and the old code used non-standard ports (above 8000).


IPA needs to make two changes during upgrade. I'm trying to figure out
the right place to make them.

The first change is to /etc/httpd/conf.d/nss.conf. The function to make
the change during install is:

ipaserver/install/httpinstance.py self.__enable_mod_nss_renegotiate

which just makes these two method calls.


installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on', False)
installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)


Seems to me that they should be added to
install/tools/ipa-upgradeconfig, possibly the main, or a function called
from it. Should I move the call enable_mod_nss_renegotiate into
installutils and call it from both places instead of having it in
httpinstance?

You can create an HTTPInstance object and just call them directly, that is probably best.
    fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
    http = httpinstance.HTTPInstance(fstore)
    http.enable_mod_nss_renegotiate()

You'll need to make the method public, drop the __.

The other change is a little trickier. If the PKI server has not yet had
the proxy enabled, we need to run the script pki-setup-proxy. To test if
we should call that script, Ade and I have agreed that the best way is
to test in CS.conf for changes made: The values
proxy.securePort and proxy.unsecurePort should be set. Is there an
appropriate tool for making this check? Something from installutils? I'm
guessing get_directive('/etc/pki-ca/CS.cfg', 'proxy.securePort', '=')?

I guess I'd have preferred that the upgrade script be robust enough to be run any time. Given the circumstances this looks ok.

rob
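One way to implement the CS.cfg check discussed above, as an added example that is not FreeIPA's own installutils code (it only mirrors the filename/directive/separator shape of the get_directive call Adam quotes); the CS.cfg contents below are constructed, not taken from a real CA:

```python
"""Decide whether pki-setup-proxy still needs to run on an upgraded IPA server.

Added example, not FreeIPA's installutils. It reads a CS.cfg-style
``key=value`` file and reports whether proxy.securePort and proxy.unsecurePort
are both set, which is the condition described in the thread above.
"""
import os
import tempfile

PROXY_DIRECTIVES = ("proxy.securePort", "proxy.unsecurePort")


def get_directive(path, directive, separator="="):
    """Return the value of *directive* in a key/separator/value file, or None.

    Blank lines and '#' comments are skipped; the first exact key match wins,
    so 'proxy.securePort' does not match a longer key such as
    'proxy.securePortBackup'.
    """
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition(separator)
            if sep and key.strip() == directive:
                return value.strip()
    return None


def proxy_configured(cs_cfg_path):
    """True only when both proxy directives exist with a non-empty value."""
    return all(get_directive(cs_cfg_path, d) for d in PROXY_DIRECTIVES)


def needs_pki_setup_proxy(cs_cfg_path):
    """The upgrade should run pki-setup-proxy iff the proxy is not yet set up."""
    return not proxy_configured(cs_cfg_path)


def _write_temp(text):
    """Write constructed sample contents to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path


# Constructed sample files (hypothetical keys, not real CS.cfg contents).
OLD_CS_CFG = _write_temp("# CA installed before the proxy existed\nca.name=constructed\n")
NEW_CS_CFG = _write_temp("ca.name=constructed\nproxy.securePort=443\nproxy.unsecurePort=80\n")
HALF_CS_CFG = _write_temp("proxy.securePort=443\nproxy.unsecurePort=\n")
```

A half-configured file (one directive present, the other empty) is treated as not configured, so the upgrade would still run the proxy setup rather than silently skip it.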

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel