Re: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True

2016-06-21 Thread Petr Vobornik
On 06/21/2016 09:40 AM, Jan Cholasta wrote:
> On 21.6.2016 09:35, Petr Vobornik wrote:
>> On 06/21/2016 08:31 AM, Jan Cholasta wrote:
>>> On 17.6.2016 16:30, Petr Vobornik wrote:

>>>> I'm not sure if the following is related to thin client or other work, but
>>>> it should be looked at. Feel free to open a different ticket for it.
>>>>
>>>> I was doing some testing yesterday and this was in audit:
>>>>
>>>> time->Thu Jun 16 22:11:32 2016
>>>> type=AVC msg=audit(1466107892.404:662): avc:  denied  { write } for
>>>> pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs"
>>>> ino=183080 scontext=system_u:system_r:certmonger_t:s0
>>>> tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
>>>> permissive=0
>>>>
>>>> I did not investigate further, but couldn't it be caused by initializing
>>>> api with api.bootstrap(in_server=True.. which then initializes session
>>>> plugin which then initializes MemcacheSessionManager?
>>>>
>>>> A similar issue could be in other usages.
>>>
>>> AFAIK this is triggered by importing ipalib.session and can happen even
>>> with client API.
>>>
>>
>> True, but it would have to be explicit, which won't probably happen.
>>
>> In ipaserver/plugins/session.py it is done automatically:
>>
>> if api.env.in_server:
>>     from ipalib.session import session_mgr
> 
> IMHO that doesn't really matter, it should be fixed not to connect on
> import, because that's just plain wrong.
> 

True, new ticket: https://fedorahosted.org/freeipa/ticket/5988
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True

2016-06-21 Thread Jan Cholasta

On 21.6.2016 09:35, Petr Vobornik wrote:
> On 06/21/2016 08:31 AM, Jan Cholasta wrote:
>> On 17.6.2016 16:30, Petr Vobornik wrote:
>>>
>>> I'm not sure if the following is related to thin client or other work, but
>>> it should be looked at. Feel free to open a different ticket for it.
>>>
>>> I was doing some testing yesterday and this was in audit:
>>>
>>> time->Thu Jun 16 22:11:32 2016
>>> type=AVC msg=audit(1466107892.404:662): avc:  denied  { write } for
>>> pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs"
>>> ino=183080 scontext=system_u:system_r:certmonger_t:s0
>>> tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
>>> permissive=0
>>>
>>> I did not investigate further, but couldn't it be caused by initializing
>>> api with api.bootstrap(in_server=True.. which then initializes session
>>> plugin which then initializes MemcacheSessionManager?
>>>
>>> A similar issue could be in other usages.
>>
>> AFAIK this is triggered by importing ipalib.session and can happen even
>> with client API.
>>
>
> True, but it would have to be explicit, which won't probably happen.
>
> In ipaserver/plugins/session.py it is done automatically:
>
> if api.env.in_server:
>     from ipalib.session import session_mgr
>

IMHO that doesn't really matter, it should be fixed not to connect on
import, because that's just plain wrong.


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True

2016-06-21 Thread Petr Vobornik
On 06/21/2016 08:31 AM, Jan Cholasta wrote:
> On 17.6.2016 16:30, Petr Vobornik wrote:
>>
>> I'm not sure if the following is related to thin client or other work, but
>> it should be looked at. Feel free to open a different ticket for it.
>>
>> I was doing some testing yesterday and this was in audit:
>>
>> time->Thu Jun 16 22:11:32 2016
>> type=AVC msg=audit(1466107892.404:662): avc:  denied  { write } for
>> pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs"
>> ino=183080 scontext=system_u:system_r:certmonger_t:s0
>> tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
>> permissive=0
>>
>> I did not investigate further, but couldn't it be caused by initializing
>> api with api.bootstrap(in_server=True.. which then initializes session
>> plugin which then initializes MemcacheSessionManager?
>>
>> A similar issue could be in other usages.
> 
> AFAIK this is triggered by importing ipalib.session and can happen even
> with client API.
> 

True, but it would have to be explicit, which won't probably happen.

In ipaserver/plugins/session.py it is done automatically:

if api.env.in_server:
    from ipalib.session import session_mgr

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True

2016-06-20 Thread Jan Cholasta

On 17.6.2016 16:30, Petr Vobornik wrote:
> On 17.6.2016 08:53, Fraser Tweedale wrote:
>> On Fri, Jun 17, 2016 at 08:35:45AM +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 17.6.2016 06:55, Fraser Tweedale wrote:
>>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968
>>>
>>> This should be fixed for all the restart scripts, not just renew_ca_cert.
>>>
>> Updated patch attached.
>>
>
> Thanks, ACK.
>
> Pushed to master: 3edf13cd8ab541908d7e2011a54e31edf1844ea2
>
>
> I'm not sure if the following is related to thin client or other work, but
> it should be looked at. Feel free to open a different ticket for it.
>
> I was doing some testing yesterday and this was in audit:
>
> time->Thu Jun 16 22:11:32 2016
> type=AVC msg=audit(1466107892.404:662): avc:  denied  { write } for
> pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs"
> ino=183080 scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
> permissive=0
>
> I did not investigate further, but couldn't it be caused by initializing
> api with api.bootstrap(in_server=True.. which then initializes session
> plugin which then initializes MemcacheSessionManager?
>
> A similar issue could be in other usages.
>

AFAIK this is triggered by importing ipalib.session and can happen even
with client API.


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True

2016-06-17 Thread Petr Vobornik
On 17.6.2016 08:53, Fraser Tweedale wrote:
> On Fri, Jun 17, 2016 at 08:35:45AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 17.6.2016 06:55, Fraser Tweedale wrote:
>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968
>>
>> This should be fixed for all the restart scripts, not just renew_ca_cert.
>>
> Updated patch attached.
> 

I'm not sure if the following is related to thin client or other work, but
it should be looked at. Feel free to open a different ticket for it.

I was doing some testing yesterday and this was in audit:

time->Thu Jun 16 22:11:32 2016
type=AVC msg=audit(1466107892.404:662): avc:  denied  { write } for
pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs"
ino=183080 scontext=system_u:system_r:certmonger_t:s0
tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
permissive=0

I did not investigate further, but couldn't it be caused by initializing
api with api.bootstrap(in_server=True.. which then initializes session
plugin which then initializes MemcacheSessionManager?

A similar issue could be in other usages.

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True

2016-06-16 Thread Fraser Tweedale
On Fri, Jun 17, 2016 at 08:35:45AM +0200, Jan Cholasta wrote:
> Hi,
> 
> On 17.6.2016 06:55, Fraser Tweedale wrote:
> > Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968
> 
> This should be fixed for all the restart scripts, not just renew_ca_cert.
> 
Updated patch attached.
From dac1e3e748fc5b9b3d48aa1dc2050d5f9a505773 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 17 Jun 2016 14:18:05 +1000
Subject: [PATCH] restart scripts: bootstrap api with in_server=True

renew_ca_cert fails because it cannot access the 'config' plugin.
Bootstrap all the restart scripts to avoid such issues.

Fixes: https://fedorahosted.org/freeipa/ticket/5968
---
 install/restart_scripts/renew_ca_cert  | 2 +-
 install/restart_scripts/renew_ra_cert  | 2 +-
 install/restart_scripts/restart_dirsrv | 2 +-
 install/restart_scripts/stop_pkicad| 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert 
b/install/restart_scripts/renew_ca_cert
index 
bfb726cddf1b747f01512a85408fd479427ced44..dc0f1117b366e3fdcf6d00f0e6d928e2e32b8f2b
 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -38,7 +38,7 @@ from ipaplatform.paths import paths
 def _main():
 nickname = sys.argv[1]
 
-api.bootstrap(context='restart')
+api.bootstrap(in_server=True, context='restart')
 api.finalize()
 
 dogtag_service = services.knownservices['pki_tomcatd']
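Review bot: Switching to `api.bootstrap(in_server=True, context='restart')` in renew_ca_cert fixes the missing 'config' plugin but also loads the whole server-side plugin set, and this script runs under certmonger's SELinux domain (scontext certmonger_t in the AVC Petr quotes later in the thread). ipaserver/plugins/session.py does `from ipalib.session import session_mgr` whenever api.env.in_server is set, and that import connects to memcached, so the restart script will now attempt a write to the ipa_memcached sock_file that policy denies; before this lands, either the session import needs to stop connecting at import time (ticket 5988 in the thread) or the certmonger policy for these scripts has to be checked, otherwise the renewal helper trades one failure for an AVC denial.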
diff --git a/install/restart_scripts/renew_ra_cert 
b/install/restart_scripts/renew_ra_cert
index 
9b5e231b526432bec3e6d187a674042a27b94b57..17a7af9b079ea6d91fc60fac2bcc65d8ec7d8bc0
 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -37,7 +37,7 @@ from ipaplatform.paths import paths
 def _main():
 nickname = 'ipaCert'
 
-api.bootstrap(context='restart')
+api.bootstrap(in_server=True, context='restart')
 api.finalize()
 
 tmpdir = tempfile.mkdtemp(prefix="tmp-")
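Review bot: The commit message only justifies in_server=True for renew_ca_cert ("cannot access the 'config' plugin"); nothing in this renew_ra_cert hunk shows a server-only plugin being used, so please state in the commit message which server plugin renew_ra_cert needs. Without that, the change reads as copying the flag into a script that pays the full server plugin import cost (including the session plugin's import-time memcached connect raised in the thread) for no visible benefit.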
diff --git a/install/restart_scripts/restart_dirsrv 
b/install/restart_scripts/restart_dirsrv
index 
856729b5cd8dcfe7885a6ccf64aa847e6379102c..a8e78184f9a6f595a11440fbddae3c41933bb29b
 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -33,7 +33,7 @@ def _main():
 except IndexError:
 instance = ""
 
-api.bootstrap(context='restart')
+api.bootstrap(in_server=True, context='restart')
 api.finalize()
 
 syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance 
'%s'" % instance)
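Review bot: In restart_dirsrv the only api use visible in the hunk is bootstrap()/finalize() immediately followed by a syslog call, so it is not obvious this script needs server plugins at all; if it only restarts the instance named in sys.argv (the `except IndexError: instance = ""` fallback just above), consider keeping the client bootstrap here and limiting in_server=True to the scripts that actually reach server-only plugins, which also keeps the session plugin's import-time side effects out of this path.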
diff --git a/install/restart_scripts/stop_pkicad 
b/install/restart_scripts/stop_pkicad
index 
30b99eeff80b42aedbada583df37f9fddb076aec..ae07dcd588a54bbb1328b289c9218d2053f32c0b
 100644
--- a/install/restart_scripts/stop_pkicad
+++ b/install/restart_scripts/stop_pkicad
@@ -27,7 +27,7 @@ from ipaserver.install import certs
 
 
 def main():
-api.bootstrap(context='restart')
+api.bootstrap(in_server=True, context='restart')
 api.finalize()
 
 dogtag_service = services.knownservices['pki_tomcatd']
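Review bot: Style: stop_pkicad defines `def main():` while the other three restart scripts touched by this patch use `def _main():`; not introduced here, but since all four entry points are being edited anyway, aligning the name would be cheap. Substantively, the same question as for renew_ra_cert applies: this hunk only shows a services.knownservices['pki_tomcatd'] lookup, so document why stop_pkicad needs the server plugin set rather than a client bootstrap.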
-- 
2.5.5


Re: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True

2016-06-16 Thread Jan Cholasta

Hi,

On 17.6.2016 06:55, Fraser Tweedale wrote:
> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968

This should be fixed for all the restart scripts, not just renew_ca_cert.

> Thanks,
> Fraser

Honza

--
Jan Cholasta
