Re: [Freeipa-devel] [PATCH] 433-434 Remove mod_ssl conflict

2013-10-25 Thread Petr Viktorin

On 10/25/2013 10:31 AM, Martin Kosek wrote:

Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening on different ports).

To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
if either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974



TO TEST:
1. Install newest mod_nss:
F19: http://koji.fedoraproject.org/koji/buildinfo?buildID=473624
2. Install patched freeipa
3. Install mod_ssl
4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on
10443 or others
5. setenforce 0 to allow httpd to listen on that port
6. ipa-server-install


When mod_ssl.rpm is installed *after* ipa-server-install, no check is 
done, Apache just fails to start.

We need to document this.


The server should now listen on both 443 with mod_nss and 10443 with
mod_ssl. CLI and Web UI should continue to work, as well as cert
operations like cert-show 1 (cert operations would not work if mod_nss
is not updated to the new version).


That is the Apache server, right? IPA is only on 443.


Martin





freeipa-mkosek-433-make-set_directive-and-get_directive-more-strict.patch


ACK


freeipa-mkosek-434-remove-mod_ssl-conflict.patch


Just a comment on logging:


+def httpd_443_configured():
+
+We now allow mod_ssl to be installed so don't automatically disable it.
+However it can't share the same listen port as mod_nss, so check for that.
+
+Returns True if something other than mod_nss is listening on 443.
+False otherwise.
+
+try:
+(stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D', 
'DUMP_VHOSTS'])
+except ipautil.CalledProcessError, e:
+print  sys.stderr, WARNING: cannot check if port 443 is already 
configured.
+print  sys.stderr, httpd returned error when checking:, str(e)
+return False
+
+port_line_re = re.compile(r'(?Paddress\S+):(?Pport\d+)')
+for line in stdout.splitlines():
+m = port_line_re.match(line)
+if m and int(m.group('port')) == 443:
+print WARNING: Apache is already configured with a listener on port 
443:
+print line
+return True
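Review bot: the `except ipautil.CalledProcessError` branch fails open: when `httpd -t -D DUMP_VHOSTS` exits non-zero (for example because an existing conf.d file has a syntax error), the function prints a warning and returns False, and the installer carries on as if nothing listened on 443. Since the caller aborts on True, returning True or re-raising here is the safer default. Separately, the docstring promises True only for "something other than mod_nss", but the loop returns True for any `address:443` line without checking which module or configuration file defines that vhost, so a mod_nss vhost on 443 trips it too; either narrow the check or reword the docstring so that it matches what the code does.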


Please also log these messages, otherwise the log ends up not being very 
helpful.


Since the installation aborts, I think these should be ERROR or 
CRITICAL, not WARNING.



--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
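As an added example (not code from the patch or from FreeIPA), here is a stand-alone reimplementation of the idea behind `httpd_443_configured()` that addresses the two review points: it fails closed when httpd cannot be consulted, and it attributes each listener to the configuration file httpd names in the DUMP_VHOSTS output, so mod_nss's own vhost can be told apart from a mod_ssl one. The two sample dumps are constructed in the layout Apache 2.4's `httpd -S` uses; the hostnames, file paths and line numbers in them are assumptions, as is the heuristic of treating everything defined outside `nss.conf` as foreign.

```python
"""Decide from `httpd -t -D DUMP_VHOSTS` output whether a vhost defined
outside mod_nss's configuration owns port 443.

Added example, not FreeIPA code.  Assumptions: the Apache 2.4 DUMP_VHOSTS
layout shown in the samples, and that mod_nss's vhost lives in nss.conf.
"""
import os
import re
import subprocess

# Constructed sample: the state after the test procedure in the thread,
# mod_nss on 443 and mod_ssl moved to 10443 (hostnames/paths made up).
SAMPLE_OK = """\
VirtualHost configuration:
*:443                  ipa.example.test (/etc/httpd/conf.d/nss.conf:84)
*:10443                ipa.example.test (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
"""

# Constructed sample: stock ssl.conf on 443 (as a name-based vhost with a
# second site), nss.conf still on the packaged default port 8443.
SAMPLE_CONFLICT = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server ipa.example.test (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost ipa.example.test (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.example.test (/etc/httpd/conf.d/www.conf:3)
*:8443                 ipa.example.test (/etc/httpd/conf.d/nss.conf:84)
ServerRoot: "/etc/httpd"
"""

# "*:443   host (/path/file.conf:NN)" or "*:443   is a NameVirtualHost"
TOP_RE = re.compile(r'^(?P<address>\S+):(?P<port>\d+)\s+(?P<rest>.*)$')
# the "host (/path/file.conf:NN)" part of a top-level line
ORIGIN_RE = re.compile(r'^(?P<name>\S+)\s+\((?P<file>[^:)]+):(?P<lineno>\d+)\)')
# indented members of a NameVirtualHost: "port 443 namevhost host (/path:NN)"
NAMEVHOST_RE = re.compile(
    r'^\s+port\s+(?P<port>\d+)\s+namevhost\s+(?P<name>\S+)\s+'
    r'\((?P<file>[^:)]+):(?P<lineno>\d+)\)')


def _vhost(address, port, m):
    return {'address': address, 'port': int(port), 'name': m.group('name'),
            'file': m.group('file'), 'lineno': int(m.group('lineno'))}


def parse_vhosts(dump):
    """Return one dict per vhost: address, port (int), name, file, lineno."""
    vhosts = []
    address = '*'
    for line in dump.splitlines():
        top = TOP_RE.match(line)
        if top:
            address = top.group('address')
            origin = ORIGIN_RE.match(top.group('rest'))
            if origin:  # a single vhost bound to address:port
                vhosts.append(_vhost(address, top.group('port'), origin))
            # otherwise "is a NameVirtualHost": its members follow, indented
            continue
        nested = NAMEVHOST_RE.match(line)
        if nested:  # "default server" lines repeat a namevhost, so skip them
            vhosts.append(_vhost(address, nested.group('port'), nested))
    return vhosts


def foreign_listeners(dump, port=443, own_conf='nss.conf'):
    """Vhosts on `port` that are defined outside `own_conf` (by basename)."""
    return [v for v in parse_vhosts(dump)
            if v['port'] == port and os.path.basename(v['file']) != own_conf]


def httpd_port_conflicts(port=443, httpd='/usr/sbin/httpd'):
    """Ask the installed httpd.  Fails closed: raises when the question
    cannot be answered instead of reporting 'no conflict'."""
    try:
        proc = subprocess.run([httpd, '-t', '-D', 'DUMP_VHOSTS'],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        raise RuntimeError('cannot check port %d: %s' % (port, exc)) from exc
    return foreign_listeners(proc.stdout, port)


if __name__ == '__main__':
    for label, dump in (('ok', SAMPLE_OK), ('conflict', SAMPLE_CONFLICT)):
        for v in foreign_listeners(dump):
            print('%s: %s:%d is defined in %s:%d' % (
                label, v['address'], v['port'], v['file'], v['lineno']))
```

Run it as a script to see the two constructed cases; on a real host call `httpd_port_conflicts()` and treat an exception the same way as a non-empty result, since an installer that cannot prove the port is free should not assume that it is.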


Re: [Freeipa-devel] [PATCH] 433-434 Remove mod_ssl conflict

2013-10-25 Thread Martin Kosek

On 10/25/2013 12:33 PM, Petr Viktorin wrote:

On 10/25/2013 10:31 AM, Martin Kosek wrote:

Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening on different ports).

To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
if either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974



TO TEST:
1. Install newest mod_nss:
F19: http://koji.fedoraproject.org/koji/buildinfo?buildID=473624
2. Install patched freeipa
3. Install mod_ssl
4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on
10443 or others
5. setenforce 0 to allow httpd to listen on that port
6. ipa-server-install


When mod_ssl.rpm is installed *after* ipa-server-install, no check is done,
Apache just fails to start.
We need to document this.


Document where exactly? Ideas welcome. FreeIPA server uses a set of ports, 
defined in
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/installing-ipa.html#prerequisites

When any other service binds to any of these ports, some IPA service won't work, 
regardless of whether it is mod_ssl or a custom user service. People would probably not 
read FreeIPA documentation before installing mod_ssl anyway...



The server should now listen on both 443 with mod_nss and 10443 with
mod_ssl. CLI and Web UI should continue to work, as well as cert
operations like cert-show 1 (cert operations would not work if mod_nss
is not updated to the new version).


That is the Apache server, right? IPA is only on 443.


Yup. This just refers to testing hints above, where I suggested to configure 
mod_ssl to listen on some custom port to prove that both mod_ssl and mod_nss 
can run on the same server.





Martin





freeipa-mkosek-433-make-set_directive-and-get_directive-more-strict.patch


ACK


freeipa-mkosek-434-remove-mod_ssl-conflict.patch


Just a comment on logging:


+def httpd_443_configured():
+
+We now allow mod_ssl to be installed so don't automatically disable it.
+However it can't share the same listen port as mod_nss, so check for that.
+
+Returns True if something other than mod_nss is listening on 443.
+False otherwise.
+
+try:
+(stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D',
'DUMP_VHOSTS'])
+except ipautil.CalledProcessError, e:
+print  sys.stderr, WARNING: cannot check if port 443 is already
configured.
+print  sys.stderr, httpd returned error when checking:, str(e)
+return False
+
+port_line_re = re.compile(r'(?Paddress\S+):(?Pport\d+)')
+for line in stdout.splitlines():
+m = port_line_re.match(line)
+if m and int(m.group('port')) == 443:
+print WARNING: Apache is already configured with a listener on
port 443:
+print line
+return True


Please also log these messages, otherwise the log ends up not being very 
helpful.

Since the installation aborts, I think these should be ERROR or CRITICAL, not
WARNING.


Right. I used service.print_msg as you suggested on IRC.

Martin
From 63dbf0fe14a1abbc4cf96922f8213d43c48b93fb Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 25 Oct 2013 10:22:08 +0200
Subject: [PATCH] Remove mod_ssl conflict

Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening on different ports).

To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
if either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974
---
 freeipa.spec.in   |  9 
 install/tools/ipa-replica-install |  4 
 install/tools/ipa-server-install  |  4 
 install/tools/ipa-upgradeconfig   |  1 +
 ipaserver/install/httpinstance.py | 46 ++-
 5 files changed, 54 insertions(+), 10 deletions(-)
 mode change 100644 = 100755 install/tools/ipa-server-install

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 34d74f40643a135bcbea15954a7cfbabbac4ae15..eee32a5a2b097339f6ca432c649d4e13c54594c7 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -121,7 +121,7 @@ Requires: mod_auth_kerb = 5.4-16
 %else
 Requires: mod_auth_kerb = 5.4-8
 %endif
-Requires: mod_nss
+Requires: mod_nss = 1.0.8-24
 Requires: python-ldap
 Requires: python-krbV
 Requires: acl
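Review bot: the new floor on mod_nss sits in the unconditional part of the Requires list, right below a mod_auth_kerb requirement that is versioned per platform inside %if/%else; the test notes only point at an F19 koji build of mod_nss-1.0.8-24, so either confirm that build exists for every platform this spec targets or put the floor under the same conditional. Unrelated to this hunk but in the same patch, the diffstat shows a mode change 100644 -> 100755 on install/tools/ipa-server-install that the commit message does not mention; if it is accidental it should be dropped.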
@@ -166,10 +166,6 @@ Conflicts: bind  9.8.2-0.4.rc2
 # member.
 Conflicts: nss-pam-ldapd  0.8.4
 
-# mod_proxy provides a single API to communicate over SSL. If mod_ssl
-# is even loaded into Apache then it grabs this interface.
-Conflicts: mod_ssl
-
 Obsoletes: ipa-server = 1.0
 
 %description server
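Review bot: dropping `Conflicts: mod_ssl` also drops the only comment that explained why the two modules clashed (mod_proxy's single SSL API); a one-line comment next to the new `Requires: mod_nss` floor would preserve that history and state why 1.0.8-24 is the minimum. Note too that once the Conflicts is gone, RPM no longer stops mod_ssl from being installed after ipa-server-install, which (as the thread says) leaves httpd failing to start with no installer check in between; the release notes should call that out.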
@@ -836,6 +832,9 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Fri Aug 25 2013 Martin Kosek mko...@redhat.com - 3.3.2-1
+- Remove mod_ssl conflict, it can now live with mod_nss installed
+
 * Wed Sep 4 2013 Ana Krivokapic 
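Review bot: the changelog entry is dated `Fri Aug 25 2013`, but 25 Aug 2013 was a Sunday and the patch itself is dated Fri, 25 Oct 2013; the entry also sits above a Wed Sep 4 2013 entry, so rpmbuild will warn about a bogus date in %changelog. Use `Fri Oct 25 2013`.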

Re: [Freeipa-devel] [PATCH] 433-434 Remove mod_ssl conflict

2013-10-25 Thread Petr Viktorin

On 10/25/2013 02:09 PM, Martin Kosek wrote:

On 10/25/2013 12:33 PM, Petr Viktorin wrote:

On 10/25/2013 10:31 AM, Martin Kosek wrote:

Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening on different ports).

To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
if either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974



TO TEST:
1. Install newest mod_nss:
F19: http://koji.fedoraproject.org/koji/buildinfo?buildID=473624
2. Install patched freeipa
3. Install mod_ssl
4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on
10443 or others
5. setenforce 0 to allow httpd to listen on that port
6. ipa-server-install


Okay, I found another problem. After the above steps:
- ipa-server-install --uninstall
- Uninstall mod_ssl
- ipa-server-install


When mod_ssl.rpm is installed *after* ipa-server-install, no check is
done,
Apache just fails to start.
We need to document this.


Document where exactly? Ideas welcome. FreeIPA server uses a set of ports,
defined in
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/installing-ipa.html#prerequisites


Well, at least in the release notes.
The guide you linked to could also have note that this conflicts with 
the mod_nss defaults.



When any other service binds to any of these ports, some IPA service
won't work, regardless of whether it is mod_ssl or a custom user service. People
would probably not read FreeIPA documentation before installing mod_ssl
anyway...


Right.
But still, we're removing the Conflicts with a package that will break 
IPA when installed (even indirectly).

We need to be careful here.


The server should now listen on both 443 with mod_nss and 10443 with
mod_ssl. CLI and Web UI should continue to work, as well as cert
operations like cert-show 1 (cert operations would not work if mod_nss
is not updated to the new version).


That is the Apache server, right? IPA is only on 443.


Yup. This just refers to testing hints above, where I suggested to
configure mod_ssl to listen on some custom port to prove that both
mod_ssl and mod_nss can run on the same server.




Martin





freeipa-mkosek-433-make-set_directive-and-get_directive-more-strict.patch



ACK


freeipa-mkosek-434-remove-mod_ssl-conflict.patch


Just a comment on logging:


[...]

+print WARNING: Apache is already configured with a
listener on
port 443:
+print line
+return True


Please also log these messages, otherwise the log ends up not being
very helpful.

Since the installation aborts, I think these should be ERROR or
CRITICAL, not
WARNING.


Right. I used service.print_msg as you suggested on IRC.


ACK, pushed to:
master: 4bed0de60d5bac005c9c54c7376b8dd873d1dd1d (fixed up spec changelog)
ipa-3-3: 6d24870c870d0cff0857dd7219d5475854bf8b85


--
Petr³



Re: [Freeipa-devel] [PATCH] 433-434 Remove mod_ssl conflict

2013-10-25 Thread Petr Viktorin

On 10/25/2013 03:46 PM, Petr Viktorin wrote:

On 10/25/2013 02:09 PM, Martin Kosek wrote:

On 10/25/2013 12:33 PM, Petr Viktorin wrote:

On 10/25/2013 10:31 AM, Martin Kosek wrote:

Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening on different ports).

To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
if either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974


[...]


Right. I used service.print_msg as you suggested on IRC.


ACK, pushed to:
master: 4bed0de60d5bac005c9c54c7376b8dd873d1dd1d (fixed up spec changelog)
ipa-3-3: 6d24870c870d0cff0857dd7219d5475854bf8b85


Jenkins found one more issue: wrong date(s) in the changelog(s).

Pushed as one-liner to master: 88154b5709a898b94aa0338f16af67b37c9a95ff
and two-liner to ipa-3-3: c8a4f041ced515cf164003534a07aa675d0f323a

--
Petr³
From 2f09fa9b0bafb8575d8726347c00b3ea484265a3 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 25 Oct 2013 15:30:59 +0200
Subject: [PATCH] Fix date in last changelog entry

---
 freeipa.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 21ed8f90c384da56ee6fd08156e19d1beadc9c57..11ae934d928370eb13f45162a13f40a9acd64b74 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -832,7 +832,7 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
-* Fri Aug 25 2013 Martin Kosek mko...@redhat.com - 3.3.90-4
+* Fri Oct 25 2013 Martin Kosek mko...@redhat.com - 3.3.90-4
 - Remove mod_ssl conflict, it can now live with mod_nss installed
 
 * Wed Sep 4 2013 Ana Krivokapic akriv...@redhat.com - 3.3.90-3
-- 
1.8.3.1

From 284e466bc3c43ef36c59cfa539b91350a9e73199 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 25 Oct 2013 15:30:59 +0200
Subject: [PATCH] freeipa.spec: Fix changelog dates

---
 freeipa.spec.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index eee32a5a2b097339f6ca432c649d4e13c54594c7..a091164907735d659be61fe29221cbce6934c77d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -832,13 +832,13 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
-* Fri Aug 25 2013 Martin Kosek mko...@redhat.com - 3.3.2-1
+* Fri Oct 25 2013 Martin Kosek mko...@redhat.com - 3.3.2-1
 - Remove mod_ssl conflict, it can now live with mod_nss installed
 
 * Wed Sep 4 2013 Ana Krivokapic akriv...@redhat.com - 3.3.0-3
 - Conform to tmpfiles.d packaging guidelines
 
-* Wed Aug 29 2013 Petr Viktorin pvikt...@redhat.com - 3.3.0-2
+* Wed Aug 28 2013 Petr Viktorin pvikt...@redhat.com - 3.3.0-2
 - Add man pages to the tests subpackage
 
 * Mon Aug 12 2013 Petr Viktorin pvikt...@redhat.com - 3.3.0-1
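Review bot: the second change fixes a pre-existing mismatch (29 Aug 2013 was a Thursday) that the master one-liner above does not touch; worth checking that master's 3.3.0-2 entry already reads Wed Aug 28 2013 so the two branches' changelogs do not drift. Since Jenkins only caught this after the push, running rpmbuild over the spec before pushing (it warns about a bogus date in %changelog for such entries) would catch it earlier.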
-- 
1.8.3.1
