URL: https://github.com/freeipa/freeipa/pull/1458 Author: tiran Title: #1458: Mod nss sql Action: opened
PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1458/head:pr1458 git checkout pr1458
From f022c16e8e0adf2c4df923e55504138638411ecf Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Wed, 10 Jan 2018 17:42:16 +0100 Subject: [PATCH 1/2] Default to NSSDB sql format https://pagure.io/freeipa/issue/7354 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaplatform/base/constants.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py index 94bd0f8a10..0e7611b2e9 100644 --- a/ipaplatform/base/constants.py +++ b/ipaplatform/base/constants.py @@ -38,6 +38,7 @@ class BaseConstantsNamespace(object): } SSSD_USER = "sssd" # sql (new format), dbm (old format) - NSS_DEFAULT_DBTYPE = 'dbm' + NSS_DEFAULT_DBTYPE = 'sql' + constants = BaseConstantsNamespace() From d7fed186bf78819660eb4fbf78f7b43b871c0325 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Wed, 10 Jan 2018 17:42:19 +0100 Subject: [PATCH 2/2] Migrate mod_nss NSSDB to sql format - Migrate mod_nss' NSSDB in /etc/httpd/alias to new SQL format. - Change NSSCertificateDatabase stanza to use SQL format explicitly. - Restore SELinux context when migration NSSDB. https://pagure.io/freeipa/issue/7354 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipapython/certdb.py | 3 ++- ipaserver/install/certs.py | 11 +++++++++++ ipaserver/install/httpinstance.py | 38 ++++++++++++++++++++++++++++++++----- ipaserver/install/server/upgrade.py | 2 ++ 4 files changed, 48 insertions(+), 6 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index e7fe17beb1..2b73fa7fdd 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -34,6 +34,7 @@ from ipaplatform.constants import constants from ipaplatform.paths import paths +from ipaplatform.tasks import tasks from ipapython.dn import DN from ipapython.kerberos import Principal from ipapython import ipautil 
@@ -383,7 +384,7 @@ def convert_db(self, rename_old=True): oldstat = os.stat(oldname) os.chmod(newname, stat.S_IMODE(oldstat.st_mode)) os.chown(newname, oldstat.st_uid, oldstat.st_gid) - # XXX also retain SELinux context? + tasks.restore_context(newname) self._set_filenames('sql') self.list_certs() # self-test diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 1579d5c09c..9513ccedec 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -47,6 +47,7 @@ from ipalib.text import _ from ipaplatform.paths import paths + logger = logging.getLogger(__name__) @@ -630,6 +631,16 @@ def is_ipa_issued_cert(self, api, nickname): return DN(cert.issuer) == cacert_subject + def needs_upgrade_format(self): + """Check if NSSDB file format needs upgrade + """ + return self.nssdb.dbtype == 'dbm' + + def upgrade_format(self): + """Upgrade NSSDB to new file format + """ + self.nssdb.convert_db() + class _CrossProcessLock(object): _DATETIME_FORMAT = '%Y%m%d%H%M%S%f' diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 8f3b5937fd..fa909552fa 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
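Review bot: `tasks.restore_context(newname)` is applied only to the newly written sql files; the old dbm files, which the `rename_old=True` default of convert_db appears to keep under another name, are left as they were, and they hold the same key material as the converted database. Whether those renamed files are retained and who is expected to remove them should be stated in convert_db's docstring (outside this hunk), e.g. `# old dbm files are renamed, not deleted; callers decide when to remove them`. convert_db's body begins and continues outside the hunk, so the loop that produces `newname` is not visible here.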
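Review bot: `upgrade_format` in certs.py runs the conversion unconditionally, so it relies on every caller checking `needs_upgrade_format()` first, and its docstring should say so together with the precondition that nothing else has the database open. Suggest `"""Upgrade NSSDB from dbm to sql format in place; callers must check needs_upgrade_format() first and ensure no process has the database open."""`. The docstring of `needs_upgrade_format` would read better as a statement of the return value, e.g. `"""Return True if the NSSDB is still in the legacy dbm format."""`. The enclosing class starts outside the hunk.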
@@ -160,9 +160,14 @@ def create_instance(self, realm, fqdn, domain_name, dm_password=None, self.set_mod_nss_cipher_suite) self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2", self.set_mod_nss_protocol) - self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) - self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) + self.step("setting mod_nss password file", + self.__set_mod_nss_passwordfile) + self.step("enabling mod_nss renegotiate", + self.enable_mod_nss_renegotiate) self.step("disabling mod_nss OCSP", self.disable_mod_nss_ocsp) + self.step("Upgrading mod_nss certdb to SQL format", + self.migrate_nssdb_sql) + self.step("changing certdb to sql", self.set_mod_nss_sql) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
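Review bot: The new step description "Upgrading mod_nss certdb to SQL format" starts with a capital letter while every other step in this list is lowercase ("setting", "enabling", "disabling", "changing"); since these strings are shown to the user as progress output, suggest `self.step("upgrading mod_nss certdb to SQL format", self.migrate_nssdb_sql)`. The two new steps are order-dependent (the directive is only switched to `sql:` after a successful conversion), which is worth a short comment above them, e.g. `# convert the database before pointing nss.conf at the sql: prefix`. create_instance starts and ends outside the hunk.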
@@ -302,13 +307,36 @@ def __disable_mod_nss_ocsp(self): aug.set(ocsp_comment, '{} {}'.format(OCSP_DIRECTIVE, ocsp_state)) aug.save() - def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) - installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) + installutils.set_directive( + paths.HTTPD_NSS_CONF, + 'NSSCipherSuite', + ciphers, + False + ) def __set_mod_nss_passwordfile(self): - installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:' + paths.HTTPD_PASSWORD_CONF) + installutils.set_directive( + paths.HTTPD_NSS_CONF, + 'NSSPassPhraseDialog', 'file:' + paths.HTTPD_PASSWORD_CONF + ) + + def set_mod_nss_sql(self): + installutils.set_directive( + paths.HTTPD_NSS_CONF, + 'NSSCertificateDatabase', + 'sql:{}'.format(paths.HTTPD_ALIAS_DIR) + ) + + def migrate_nssdb_sql(self): + # need to shut down all access to NSSDB first + if self.is_running(): + raise RuntimeError("Cannot upgrade while HTTPD is running") + db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR) + if db.needs_upgrade_format(): + logger.debug("Upgrading NSSDB") + db.upgrade_format() def __add_include(self): """This should run after __set_mod_nss_port so is already backed up""" diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 07cc18a78c..664c906da8 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1788,6 +1788,8 @@ def upgrade_configuration(): fix_trust_flags() update_http_keytab(http) http.configure_gssproxy() + http.migrate_nssdb_sql() + http.set_mod_nss_sql() http.start() uninstall_selfsign(ds, http)
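Review bot: The comment in `migrate_nssdb_sql` says "need to shut down all access to NSSDB first", but the only guard is `self.is_running()`, which covers httpd alone; any other process holding `paths.HTTPD_ALIAS_DIR` open would not be detected, and the method has no docstring stating this limitation. Suggest `"""Convert the mod_nss NSSDB to sql format; raises RuntimeError if httpd is running. Only httpd is checked, callers must make sure nothing else has the database open."""`, and `set_mod_nss_sql` likewise deserves a one-liner such as `"""Pin NSSCertificateDatabase to the sql: prefix so the converted database is used."""`. The `logger.debug("Upgrading NSSDB")` message would be more useful with the directory name, e.g. `logger.debug("Upgrading NSSDB %s to sql format", paths.HTTPD_ALIAS_DIR)`. The enclosing class continues outside the hunk.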
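Review bot: `http.migrate_nssdb_sql()` in upgrade.py raises RuntimeError when httpd is running, and whether httpd has been stopped by this point of upgrade_configuration is not visible in the hunk (the `http.start()` that follows suggests it has). Because migrate_nssdb_sql only converts when the database is still dbm and set_mod_nss_sql is a plain directive write, both calls can safely be repeated on a later upgrade run, which is worth a one-line comment above them: `# idempotent: converts only a dbm NSSDB, then pins the directive to the sql: prefix`. upgrade_configuration starts outside the hunk.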