Re: [Freeipa-devel] [PATCH] 433-434 Remove mod_ssl conflict
On 10/25/2013 10:31 AM, Martin Kosek wrote:
> Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening on different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking whether either mod_nss or mod_ssl was configured to listen on that port.
>
> https://fedorahosted.org/freeipa/ticket/3974
>
> TO TEST:
> 1. Install newest mod_nss: F19: http://koji.fedoraproject.org/koji/buildinfo?buildID=473624
> 2. Install patched freeipa
> 3. Install mod_ssl
> 4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on 10443 or others
> 5. setenforce 0 to allow httpd to listen on that port
> 6. ipa-server-install

When mod_ssl.rpm is installed *after* ipa-server-install, no check is done, Apache just fails to start. We need to document this.

> The server should now listen on both 443 with mod_nss and 10443 with mod_ssl. CLI and Web UI should continue to work, as well as cert operations like cert-show 1 - cert operations would not work if new mod_nss is not updated.

That is the Apache server, right? IPA is only on 443.

> Martin
>
> freeipa-mkosek-433-make-set_directive-and-get_directive-more-strict.patch

ACK

> freeipa-mkosek-434-remove-mod_ssl-conflict.patch

Just a comment on logging:

+def httpd_443_configured(): + +We now allow mod_ssl to be installed so don't automatically disable it. +However it can't share the same listen port as mod_nss, so check for that. + +Returns True if something other than mod_nss is listening on 443. +False otherwise. + +try: +(stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D', 'DUMP_VHOSTS']) +except ipautil.CalledProcessError, e: +print sys.stderr, WARNING: cannot check if port 443 is already configured.
+print sys.stderr, httpd returned error when checking:, str(e) +return False + +port_line_re = re.compile(r'(?Paddress\S+):(?Pport\d+)') +for line in stdout.splitlines(): +m = port_line_re.match(line) +if m and int(m.group('port')) == 443: +print WARNING: Apache is already configured with a listener on port 443: +print line +return True

Please also log these messages, otherwise the log ends up not being very helpful. Since the installation aborts, I think these should be ERROR or CRITICAL, not WARNING.

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
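Review bot: the docstring of httpd_443_configured() promises "True if something other than mod_nss is listening on 443", but the loop flags every DUMP_VHOSTS line whose port is 443 without looking at which file defines that VirtualHost, so a mod_nss VirtualHost already on 443 (for example an nss.conf left behind by a previous install) trips the check as well; either skip the VirtualHost that comes from mod_nss's own config (the dump prints the defining file and line in parentheses after the server name) or reword the docstring to match what the code does. Two smaller points: DUMP_VHOSTS lists only VirtualHost blocks, so a bare `Listen 443` with no matching VirtualHost is not detected, and on any httpd error the function returns False, which the caller will read as "port is free", so the warning path and the "nothing found" path are indistinguishable to the installer.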
Re: [Freeipa-devel] [PATCH] 433-434 Remove mod_ssl conflict
On 10/25/2013 12:33 PM, Petr Viktorin wrote:
> On 10/25/2013 10:31 AM, Martin Kosek wrote:
>> Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening on different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking whether either mod_nss or mod_ssl was configured to listen on that port.
>>
>> https://fedorahosted.org/freeipa/ticket/3974
>>
>> TO TEST:
>> 1. Install newest mod_nss: F19: http://koji.fedoraproject.org/koji/buildinfo?buildID=473624
>> 2. Install patched freeipa
>> 3. Install mod_ssl
>> 4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on 10443 or others
>> 5. setenforce 0 to allow httpd to listen on that port
>> 6. ipa-server-install
>
> When mod_ssl.rpm is installed *after* ipa-server-install, no check is done, Apache just fails to start. We need to document this.

Document where exactly? Ideas welcome.

FreeIPA server uses a set of ports, defined in http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/installing-ipa.html#prerequisites

When any other service binds to any of these ports, some IPA service won't work, regardless of whether it is mod_ssl or a custom user service. People would probably not read FreeIPA documentation before installing mod_ssl anyway...

>> The server should now listen on both 443 with mod_nss and 10443 with mod_ssl. CLI and Web UI should continue to work, as well as cert operations like cert-show 1 - cert operations would not work if new mod_nss is not updated.
>
> That is the Apache server, right? IPA is only on 443.

Yup. This just refers to the testing hints above, where I suggested configuring mod_ssl to listen on some custom port to prove that both mod_ssl and mod_nss can run on the same server.

>> Martin
>>
>> freeipa-mkosek-433-make-set_directive-and-get_directive-more-strict.patch
>
> ACK
>
>> freeipa-mkosek-434-remove-mod_ssl-conflict.patch
>
> Just a comment on logging:
>
> +def httpd_443_configured(): + +We now allow mod_ssl to be installed so don't automatically disable it. +However it can't share the same listen port as mod_nss, so check for that. + +Returns True if something other than mod_nss is listening on 443. +False otherwise. + +try: +(stdout, stderr, rc) = ipautil.run(['/usr/sbin/httpd', '-t', '-D', 'DUMP_VHOSTS']) +except ipautil.CalledProcessError, e: +print sys.stderr, WARNING: cannot check if port 443 is already configured. +print sys.stderr, httpd returned error when checking:, str(e) +return False + +port_line_re = re.compile(r'(?Paddress\S+):(?Pport\d+)') +for line in stdout.splitlines(): +m = port_line_re.match(line) +if m and int(m.group('port')) == 443: +print WARNING: Apache is already configured with a listener on port 443: +print line +return True
>
> Please also log these messages, otherwise the log ends up not being very helpful. Since the installation aborts, I think these should be ERROR or CRITICAL, not WARNING.

Right. I used service.print_msg as you suggested on IRC.

Martin

From 63dbf0fe14a1abbc4cf96922f8213d43c48b93fb Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 25 Oct 2013 10:22:08 +0200
Subject: [PATCH] Remove mod_ssl conflict

Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening on different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking whether either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974
---
 freeipa.spec.in                   |  9
 install/tools/ipa-replica-install |  4
 install/tools/ipa-server-install  |  4
 install/tools/ipa-upgradeconfig   |  1 +
 ipaserver/install/httpinstance.py | 46 ++-
 5 files changed, 54 insertions(+), 10 deletions(-)
 mode change 100644 = 100755 install/tools/ipa-server-install

diff --git a/freeipa.spec.in b/freeipa.spec.in index 34d74f40643a135bcbea15954a7cfbabbac4ae15..eee32a5a2b097339f6ca432c649d4e13c54594c7 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -121,7 +121,7 @@ Requires: mod_auth_kerb = 5.4-16 %else Requires: mod_auth_kerb = 5.4-8 %endif -Requires: mod_nss +Requires: mod_nss = 1.0.8-24 Requires: python-ldap Requires: python-krbV Requires: acl @@ -166,10 +166,6 @@ Conflicts: bind 9.8.2-0.4.rc2 # member. Conflicts: nss-pam-ldapd 0.8.4 -# mod_proxy provides a single API to communicate over SSL. If mod_ssl -# is even loaded into Apache then it grabs this interface. -Conflicts: mod_ssl - Obsoletes: ipa-server = 1.0 %description server @@ -836,6 +832,9 @@ fi %endif # ONLY_CLIENT %changelog +* Fri Aug 25 2013 Martin Kosek mko...@redhat.com - 3.3.2-1 +- Remove mod_ssl conflict, it can now live with mod_nss installed + * Wed Sep 4 2013 Ana Krivokapic
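Review bot: in the first hunk, `+Requires: mod_nss = 1.0.8-24` as quoted here reads as an exact-version pin, while the commit message describes 1.0.8-24 as the version since which mod_nss and mod_ssl can coexist, i.e. a minimum; a minimum needs the `>=` operator. The neighbouring `Requires: mod_auth_kerb = 5.4-16` lines show the same bare `=`, which suggests the operator was lost when the patch was rendered in this mail, so please confirm `>=` is what the committed spec contains, because an exact pin would block every later mod_nss update.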
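Review bot: the second hunk removes the comment that gave the concrete reason for the conflict (mod_ssl grabbing mod_proxy's single SSL API as soon as it is loaded), but neither the commit message nor a replacement comment says that this is what mod_nss-1.0.8-24 fixes or why it no longer applies; add one sentence stating that, so the next reader of the spec knows why `Conflicts: mod_ssl` was safe to drop. As the discussion above notes, the removal also means installing mod_ssl after ipa-server-install gets no check at all, which is worth spelling out in the same place.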
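Review bot: the new changelog entry in the third hunk is dated `Fri Aug 25 2013`, but 25 Aug 2013 was a Sunday and the patch's own Date: header says Fri, 25 Oct 2013, so this should read `Fri Oct 25 2013`; rpmbuild warns about changelog dates whose weekday does not match, so a mismatched entry will show up in the build log.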
Re: [Freeipa-devel] [PATCH] 433-434 Remove mod_ssl conflict
On 10/25/2013 02:09 PM, Martin Kosek wrote:
> On 10/25/2013 12:33 PM, Petr Viktorin wrote:
>> On 10/25/2013 10:31 AM, Martin Kosek wrote:
>>> Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening on different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking whether either mod_nss or mod_ssl was configured to listen on that port.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3974
>>>
>>> TO TEST:
>>> 1. Install newest mod_nss: F19: http://koji.fedoraproject.org/koji/buildinfo?buildID=473624
>>> 2. Install patched freeipa
>>> 3. Install mod_ssl
>>> 4. Update /etc/httpd/conf.d/ssl.conf to not listen on 443, but rather on 10443 or others
>>> 5. setenforce 0 to allow httpd to listen on that port
>>> 6. ipa-server-install

Okay, I found another problem. After the above steps:
- ipa-server-install --uninstall
- Uninstall mod_ssl
- ipa-server-install

>> When mod_ssl.rpm is installed *after* ipa-server-install, no check is done, Apache just fails to start. We need to document this.
>
> Document where exactly? Ideas welcome.
>
> FreeIPA server uses a set of ports, defined in http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/installing-ipa.html#prerequisites

Well, at least in the release notes. The guide you linked to could also have a note that this conflicts with the mod_nss defaults.

> When any other service binds to any of these ports, some IPA service won't work, regardless of whether it is mod_ssl or a custom user service. People would probably not read FreeIPA documentation before installing mod_ssl anyway...

Right. But still, we're removing the Conflicts with a package that will break IPA when installed (even indirectly). We need to be careful here.

>>> The server should now listen on both 443 with mod_nss and 10443 with mod_ssl. CLI and Web UI should continue to work, as well as cert operations like cert-show 1 - cert operations would not work if new mod_nss is not updated.
>>
>> That is the Apache server, right? IPA is only on 443.
>
> Yup. This just refers to the testing hints above, where I suggested configuring mod_ssl to listen on some custom port to prove that both mod_ssl and mod_nss can run on the same server.
>
>>> Martin
>>>
>>> freeipa-mkosek-433-make-set_directive-and-get_directive-more-strict.patch
>>
>> ACK
>>
>>> freeipa-mkosek-434-remove-mod_ssl-conflict.patch
>>
>> Just a comment on logging:
>>
>> [...]
>> +print WARNING: Apache is already configured with a listener on port 443: +print line +return True
>>
>> Please also log these messages, otherwise the log ends up not being very helpful. Since the installation aborts, I think these should be ERROR or CRITICAL, not WARNING.
>
> Right. I used service.print_msg as you suggested on IRC.

ACK, pushed to:
master: 4bed0de60d5bac005c9c54c7376b8dd873d1dd1d (fixed up spec changelog)
ipa-3-3: 6d24870c870d0cff0857dd7219d5475854bf8b85

--
Petr³
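As an added example (not FreeIPA's code and not the patch reviewed in this thread), here is a stand-alone version of the "is something else already on 443" check the thread discusses, written in Python. It goes a little beyond the patch: besides parsing the VirtualHost listing that `httpd -t -D DUMP_VHOSTS` prints, it also scans the `Listen` directives of the module config files, so a `Listen 443` without a VirtualHost is caught, and mod_nss's own config can be allowed to own the reserved port, which avoids the false positive on a re-install. The DUMP_VHOSTS text, the config excerpts and the paths are constructed sample input for this example.

```python
"""Port-conflict check for Apache TLS modules (mod_nss vs. mod_ssl).

Added example, not FreeIPA's code. It combines two inputs an installer can
obtain offline: the VirtualHost listing from `httpd -t -D DUMP_VHOSTS` and the
`Listen` directives of the module config files. All sample text and paths
below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed DUMP_VHOSTS output: mod_ssl on its default 443, mod_nss on 8443.
SAMPLE_DUMP_VHOSTS = """\
VirtualHost configuration:
*:443                  ipa.example.test (/etc/httpd/conf.d/ssl.conf:56)
*:8443                 ipa.example.test (/etc/httpd/conf.d/nss.conf:81)
ServerRoot: "/etc/httpd"
"""

# Constructed excerpts of the two module configs, keyed by path.
SAMPLE_CONFIGS = {
    "/etc/httpd/conf.d/ssl.conf": "Listen 443 https\n<VirtualHost _default_:443>\n</VirtualHost>\n",
    "/etc/httpd/conf.d/nss.conf": "Listen 8443\n<VirtualHost _default_:8443>\n</VirtualHost>\n",
}

# Top-level VirtualHost line of the dump: "<addr>:<port>  <name> (<file>:<line>)".
VHOST_RE = re.compile(
    r"^(?P<address>\S+):(?P<port>\d+)\s+(?P<name>\S+)\s+\((?P<file>[^:()]+):(?P<line>\d+)\)"
)
# "Listen [addr:]port [protocol]" where addr may be IPv4, a hostname or [IPv6].
LISTEN_RE = re.compile(
    r"^\s*Listen\s+(?:\[[^\]]*\]:|[^\s:\[]+:)?(?P<port>\d+)(?=\s|$)", re.MULTILINE
)


def parse_vhost_ports(dump_text):
    """Map each port in a DUMP_VHOSTS listing to the files defining a VirtualHost on it."""
    ports = defaultdict(list)
    for line in dump_text.splitlines():
        m = VHOST_RE.match(line)
        if m:
            ports[int(m.group("port"))].append(m.group("file"))
    return dict(ports)


def parse_listen_ports(config_text):
    """Return the ports bound by uncommented Listen directives in one config file."""
    return {int(m.group("port")) for m in LISTEN_RE.finditer(config_text)}


def find_port_conflicts(configs, reserved_ports=frozenset({443}),
                        reserved_owner="/etc/httpd/conf.d/nss.conf"):
    """Return {port: [files]} for ports that would collide.

    A reserved port (443, which the installer needs for mod_nss) is a conflict
    when any file other than its owner binds it; any other port is a conflict
    when two or more files bind it.
    """
    by_port = defaultdict(list)
    for path, text in configs.items():
        for port in parse_listen_ports(text):
            by_port[port].append(path)
    conflicts = {}
    for port, files in by_port.items():
        others = [f for f in files if f != reserved_owner]
        if len(files) > 1 or (port in reserved_ports and others):
            conflicts[port] = sorted(files)
    return conflicts


def report(dump_text, configs, reserved_ports=frozenset({443}),
           reserved_owner="/etc/httpd/conf.d/nss.conf"):
    """Lines an installer could log at ERROR level before aborting."""
    lines = []
    for port, files in sorted(parse_vhost_ports(dump_text).items()):
        others = [f for f in files if f != reserved_owner]
        if port in reserved_ports and others:
            lines.append("VirtualHost on port %d defined outside %s: %s"
                         % (port, reserved_owner, ", ".join(others)))
    for port, files in sorted(find_port_conflicts(configs, reserved_ports, reserved_owner).items()):
        lines.append("Listen port %d claimed by: %s" % (port, ", ".join(files)))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP_VHOSTS, SAMPLE_CONFIGS):
        print("ERROR: " + line)
```

Run against the constructed sample it reports the mod_ssl VirtualHost and the mod_ssl `Listen 443` as conflicts; once ssl.conf is moved to 10443 (step 4 of the test plan above) both reports disappear, and an nss.conf that already sits on 443 is not reported because it is the registered owner of that port.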
Re: [Freeipa-devel] [PATCH] 433-434 Remove mod_ssl conflict
On 10/25/2013 03:46 PM, Petr Viktorin wrote:
> On 10/25/2013 02:09 PM, Martin Kosek wrote:
>> On 10/25/2013 12:33 PM, Petr Viktorin wrote:
>>> On 10/25/2013 10:31 AM, Martin Kosek wrote:
>>>> Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening on different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking whether either mod_nss or mod_ssl was configured to listen on that port.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3974
> [...]
>> Right. I used service.print_msg as you suggested on IRC.
>
> ACK, pushed to:
> master: 4bed0de60d5bac005c9c54c7376b8dd873d1dd1d (fixed up spec changelog)
> ipa-3-3: 6d24870c870d0cff0857dd7219d5475854bf8b85

Jenkins found one more issue: wrong date(s) in the changelog(s).

Pushed as one-liner to master: 88154b5709a898b94aa0338f16af67b37c9a95ff
and two-liner to ipa-3-3: c8a4f041ced515cf164003534a07aa675d0f323a

--
Petr³

From 2f09fa9b0bafb8575d8726347c00b3ea484265a3 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 25 Oct 2013 15:30:59 +0200
Subject: [PATCH] Fix date in last changelog entry

---
 freeipa.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in index 21ed8f90c384da56ee6fd08156e19d1beadc9c57..11ae934d928370eb13f45162a13f40a9acd64b74 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -832,7 +832,7 @@ fi %endif # ONLY_CLIENT %changelog -* Fri Aug 25 2013 Martin Kosek mko...@redhat.com - 3.3.90-4 +* Fri Oct 25 2013 Martin Kosek mko...@redhat.com - 3.3.90-4 - Remove mod_ssl conflict, it can now live with mod_nss installed * Wed Sep 4 2013 Ana Krivokapic akriv...@redhat.com - 3.3.90-3 -- 1.8.3.1

From 284e466bc3c43ef36c59cfa539b91350a9e73199 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 25 Oct 2013 15:30:59 +0200
Subject: [PATCH] freeipa.spec: Fix changelog dates

---
 freeipa.spec.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in index eee32a5a2b097339f6ca432c649d4e13c54594c7..a091164907735d659be61fe29221cbce6934c77d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -832,13 +832,13 @@ fi %endif # ONLY_CLIENT %changelog -* Fri Aug 25 2013 Martin Kosek mko...@redhat.com - 3.3.2-1 +* Fri Oct 25 2013 Martin Kosek mko...@redhat.com - 3.3.2-1 - Remove mod_ssl conflict, it can now live with mod_nss installed * Wed Sep 4 2013 Ana Krivokapic akriv...@redhat.com - 3.3.0-3 - Conform to tmpfiles.d packaging guidelines -* Wed Aug 29 2013 Petr Viktorin pvikt...@redhat.com - 3.3.0-2 +* Wed Aug 28 2013 Petr Viktorin pvikt...@redhat.com - 3.3.0-2 - Add man pages to the tests subpackage * Mon Aug 12 2013 Petr Viktorin pvikt...@redhat.com - 3.3.0-1 -- 1.8.3.1