[Freeipa-devel] [PATCH] 322 Fix CA CRL migration crash in ipa-upgradeconfig

2012-10-10 Thread Martin Kosek
The CRL migrate procedure did not check if a CA was actually configured
on an updated master/replica. This caused ipa-upgradeconfig to
crash on replicas without a CA.

Make sure that the CRL migrate procedure is not run when a CA is not
configured on the given master. Also add a few try..except clauses to
make the procedure more robust. There is also a small refactoring of
the "service is not configured" log messages, so that they have a matching
log level and message.

dogtag.py constants were updated to have the correct path to the new CRL
directory on Fedora 18 (dogtag 10).

https://fedorahosted.org/freeipa/ticket/3159
From cb119ccf053109101e1a835d8466acfb91f75869 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 10 Oct 2012 12:37:24 +0200
Subject: [PATCH] Fix CA CRL migration crash in ipa-upgradeconfig

The CRL migrate procedure did not check if a CA was actually configured
on an updated master/replica. This caused ipa-upgradeconfig to
crash on replicas without a CA.

Make sure that the CRL migrate procedure is not run when a CA is not
configured on the given master. Also add a few try..except clauses to
make the procedure more robust. There is also a small refactoring of
the "service is not configured" log messages, so that they have a matching
log level and message.

dogtag.py constants were updated to have the correct path to the new CRL
directory on Fedora 18 (dogtag 10).

https://fedorahosted.org/freeipa/ticket/3159
---
 install/tools/ipa-upgradeconfig | 43 +++--
 ipapython/dogtag.py |  4 ++--
 2 files changed, 31 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 4ed718a9b9faea0821db5642544e9bb1194dbce4..51e5b1d5939758bff508e92186d25b2798e889d6 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -204,7 +204,7 @@ def check_certs():
 else:
 root_logger.debug('Certificate file exists')
 
-def upgrade_pki(fstore):
+def upgrade_pki(ca, fstore):
 
 Update/add the dogtag proxy configuration. The IPA side of this is
 handled in ipa-pki-proxy.conf.
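Review bot: the new `ca` parameter of `upgrade_pki(ca, fstore)` is neither documented nor matched by a visible change to its caller. Add a line to the docstring stating that `ca` is the CA instance whose `is_configured()` result gates the whole function, and make sure the call site in the upgrade main path is updated to pass the same `ca` object already handed to `upgrade_ipa_profile(ca)` and `enable_certificate_renewal(ca)`; with this diff alone the old one-argument call would raise a TypeError.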
@@ -213,8 +213,8 @@ def upgrade_pki(fstore):
 
 configured_constants = dogtag.configured_constants()
 root_logger.info('[Verifying that CA proxy configuration is correct]')
-if not os.path.exists(configured_constants.CS_CFG_PATH):
-root_logger.debug('No CA detected in /etc/pki-ca')
+if not ca.is_configured():
+root_logger.info('CA is not configured')
 return
 
 http = httpinstance.HTTPInstance(fstore)
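Review bot: `ca.is_configured()` is not the same condition as the `os.path.exists(configured_constants.CS_CFG_PATH)` test it replaces. The service can be recorded as configured while CS.cfg is missing (a failed or partially removed CA install), and in that case this function now continues into the proxy configuration where it used to return early. If that state is worth guarding against, keep the path test as a second check after the new one; otherwise the code that later reads CS.cfg needs to fail with a clear message. Also, `dogtag.configured_constants()` on the line above the check is still evaluated on CA-less replicas; moving it below the early return keeps the no-CA path from touching dogtag constants at all.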
@@ -300,7 +300,7 @@ def upgrade_ipa_profile(ca):
 if audit or ski:
 return True
 else:
-root_logger.debug('CA is not configured')
+root_logger.info('CA is not configured')
 
 return False
 
@@ -329,7 +329,7 @@ def named_enable_psearch():
 
 if not bindinstance.named_conf_exists():
 # DNS service may not be configured
-root_logger.debug('DNS not configured')
+root_logger.info('DNS is not configured')
 return
 
 try:
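Review bot: this guard and the identical one in `named_enable_serial_autoincrement()` below both test `bindinstance.named_conf_exists()` and both emit 'DNS is not configured'. Since the point of this patch is to keep such messages aligned, a tiny shared helper (for example a `named_configured()` function that logs once and returns a bool) would stop the two copies drifting apart again the next time the wording or level changes.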
@@ -401,7 +401,7 @@ def named_enable_serial_autoincrement():
 
 if not bindinstance.named_conf_exists():
 # DNS service may not be configured
-root_logger.debug('DNS not configured')
+root_logger.info('DNS is not configured')
 return changed
 
 try:
@@ -448,8 +448,9 @@ def enable_certificate_renewal(ca):
 
 Returns True when CA needs to be restarted
 
+root_logger.info('[Enable certificate renewal]')
 if not ca.is_configured():
-root_logger.debug('dogtag not configured')
+root_logger.info('CA is not configured')
 return False
 
 # Using the nickname find the certmonger request_id
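Review bot: the new '[Enable certificate renewal]' banner follows the bracketed section style of '[Verifying that CA proxy configuration is correct]' in `upgrade_pki()`, but one is imperative and the other progressive; pick one form for all section banners so the upgrade log reads consistently. Note also that on CA-less replicas the banner is now immediately followed by 'CA is not configured' and a `return False`, so both info lines will appear on every such upgrade run.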
@@ -508,11 +509,20 @@ def migrate_crl_publish_dir(ca):
 root_logger.info('CRL tree already moved')
 return False
 
+if not ca.is_configured():
+root_logger.info('CA is not configured')
+return False
+
 caconfig = dogtag.configured_constants()
 
-old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH,
-'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
-separator='=')
+try:
+old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH,
+'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+separator='=')
+except OSError, e:
+root_logger.error('Cannot read CA configuration file %s: %s',
+caconfig.CS_CFG_PATH, e)
+return False
 
 if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
 # publish dir is already updated
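Review bot: `except OSError, e:` will not catch the failure it is meant to handle. `installutils.get_directive()` reads `caconfig.CS_CFG_PATH` from disk, and with the Python 2 syntax used here a missing or unreadable file raises `IOError`, which is not a subclass of `OSError` in Python 2; use `except (IOError, OSError), e:` or `except EnvironmentError, e:` so the 'Cannot read CA configuration file' branch actually fires. A smaller point: the `ca.is_configured()` early return sits after the 'CRL tree already moved' check, so the sysupgrade state is consulted before the CA check; harmless, but putting the CA test first would match the ordering in `upgrade_pki()` and `enable_certificate_renewal()`.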
@@ -536,9 +546,14 @@ def migrate_crl_publish_dir(ca):
 except Exception, e:
 root_logger.error('Cannot move CRL file to new directory: %s', e)
 
-installutils.set_directive(caconfig.CS_CFG_PATH,
-'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
-publishdir, quotes=False, separator='=')
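Review bot: the hunk is cut off after the removed `installutils.set_directive(...)` lines, so the replacement that writes the new `FileBaseCRLPublisher.directory` value is not visible and cannot be reviewed here. From what is visible, the `except Exception, e:` above logs 'Cannot move CRL file to new directory' and then falls through, so whatever follows will still point the CA at `publishdir` even when the CRL file was not moved; consider returning False (or re-raising) on a move failure, or at minimum logging that the directive was updated while the files stayed in the old directory, so the CRL is not silently served from an empty location.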

Re: [Freeipa-devel] [PATCH] 322 Fix CA CRL migration crash in ipa-upgradeconfig

2012-10-10 Thread Petr Viktorin

On 10/10/2012 01:05 PM, Martin Kosek wrote:

The CRL migrate procedure did not check if a CA was actually configured
on an updated master/replica. This caused ipa-upgradeconfig to
crash on replicas without a CA.

Make sure that the CRL migrate procedure is not run when a CA is not
configured on the given master. Also add a few try..except clauses to
make the procedure more robust. There is also a small refactoring of
the "service is not configured" log messages, so that they have a matching
log level and message.

dogtag.py constants were updated to have the correct path to the new CRL
directory on Fedora 18 (dogtag 10).

https://fedorahosted.org/freeipa/ticket/3159



ACK, I no longer get the upgrade errors.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel