Re: [Freeipa-devel] [PATCHES] 0287 and 0288 for Proxy upgrade
Adam Young wrote:
> On 10/07/2011 02:42 PM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> On 10/06/2011 10:21 PM, Rob Crittenden wrote:
>>>> Adam Young wrote:
>>>>> Not yet ready for prime time. I've tested the changes to updateinstance by hand, so I know they work.
>>>>> I'm having problems with the python import setup. RPM build fails with:
>>>>> install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 'installutils'
>>>>> And, if I uncomment the import for http utils, I get an error at run time as well. That confuses me, as I am able to import installutils at runtime.
>>>> I think these patches fix it. Please double check my comments.
>>>> I tested this on a non-updated dogtag install (e.g. it doesn't have the new script) and it didn't seem to break anything.
>>>> rob
>>> They work, but require this additional patch to the RPM spec.
>> We talked about this a bit in IRC. I think we want to bump up all dogtag packages to 9.0.15. The update is pending push to updates-testing at this moment.
>> With that change ack all around, just be sure to remove the non sequitur services change before pushing.
>> rob
> removed service change and pushed to ipa-2.1

I pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0287 and 0288 for Proxy upgrade
On 10/06/2011 10:21 PM, Rob Crittenden wrote: Adam Young wrote: Not yet ready for prime time. I've tested the changes to updateinstance by hand, so I know they work. I'm having problems with the python import setup. RPM build fails with: install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 'installutils' And, if I uncomment the import for http utils, I get an error at run time as well. That confuses me, as I am able to import installutils at runtime. I think these patches fix it. Please double check my comments. I tested this on a non-updated dogtag install (e.g. it doesn't have the new script) and it didn't seem to break anything. rob They work, but require this additional patch to the RPM spec. From 2d988528bc43e7cdd088fc97c81e634bdd87351c Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Fri, 7 Oct 2011 13:07:55 -0400 Subject: [PATCH] Force the upgrade of pki-setup when upgrading the RPMS --- freeipa.spec.in |5 + ipapython/services.py | 48 2 files changed, 53 insertions(+), 0 deletions(-) create mode 100644 ipapython/services.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 8ebe1896a6d45c9a4b86cc16d0432299d209adb3..0171f853995514d96041d842885dacb0708480ca 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -112,6 +112,7 @@ Requires: slapi-nis = 0.21 %if 0%{?fedora} = 15 Requires: pki-ca = 9.0.12 Requires: pki-silent = 9.0.12 +Requires: pki-setup = 9.0.15 %else Requires: pki-ca = 9.0.5 Requires: pki-silent = 9.0.5 @@ -550,6 +551,10 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Fri Oct 7 2011 Adam Young ayo...@redhat.com - 2.1.1-2 +- Add explicit dependency on pki-setup. + + * Mon Sep 12 2011 Alexander Bokovoy aboko...@redhat.com - 2.1.1-1 - Make sure platform adaptation is packaged in -python sub-package diff --git a/ipapython/services.py b/ipapython/services.py new file mode 100644 index ..c27c4865f1f86100ae4924239b9212e305384223 --- /dev/null +++ b/ipapython/services.py 
@@ -0,0 +1,48 @@ +# Authors: Alexander Bokovoy aboko...@redhat.com +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. + +# authconfig is an entry point to platform-provided AuthConfig implementation +# (instance of ipapython.platform.base.AuthConfig) +authconfig = None + +# knownservices is an entry point to known platform services +# (instance of ipapython.platform.base.KnownServices) +knownservices = None + +# service is a class to instantiate ipapython.platform.base.PlatformService +service = None + +# restore context default implementation that does nothing +def restore_context_default(filepath): +return + +# Restore security context for a path +# If the platform has security features where context is important, implement your own +# version in platform services +restore_context = restore_context_default + +# Default implementation of backup and replace hostname that does nothing +def backup_and_replace_hostname_default(fstore, statestore, hostname): +return + +# Backup and replace system's hostname +# Since many platforms have their own way how to store system's hostname, this method must be +# implemented in platform services +backup_and_replace_hostname = backup_and_replace_hostname_default + +from ipapython.platform.redhat import * -- 1.7.6 ___ Freeipa-devel mailing list 
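Review bot: In the `@@ -112,6 +112,7 @@` hunk of freeipa.spec.in the new `Requires: pki-setup = 9.0.15` line sets a newer minimum than the `pki-ca = 9.0.12` and `pki-silent = 9.0.12` lines directly above it, so a host can satisfy the spec with a pki-ca and pki-silent that predate the proxy support this upgrade path depends on; bump all three to 9.0.15 in the same hunk (which is what is agreed later in the thread). Also confirm in the real spec that these comparisons are `>=` and not `=` as rendered here, since exact pins would block every later dogtag update.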
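Review bot: The `@@ -550,6 +551,10 @@` changelog hunk adds a `2.1.1-2` entry, but no change to the `Release:` tag appears anywhere in this diff; if the release is not bumped in the same commit, the changelog and the version of the built package will disagree. The hunk also inserts two blank lines (`+`, `+`) before the previous entry where the existing entries are separated by one; drop one of them.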
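Review bot: The new file `ipapython/services.py` is unrelated to the subject of this patch (forcing the pki-setup upgrade) and should be split out, as Rob also asks further down the thread. On the file itself: the closing `from ipapython.platform.redhat import *` comes after the module-level defaults (`authconfig = None`, `knownservices = None`, `service = None`, `restore_context = restore_context_default`, `backup_and_replace_hostname = backup_and_replace_hostname_default`), so the wildcard import silently rebinds whichever of those names the Red Hat module exports and hard-codes a single platform into what the comments describe as a platform-neutral entry point; import the platform module by name and assign the entry points explicitly so a reader can see which defaults are overridden and which are left as the no-op versions. The `Authors:` header also names Alexander Bokovoy while the commit is authored by Adam Young.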
Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0287 and 0288 for Proxy upgrade
Adam Young wrote:
> On 10/06/2011 10:21 PM, Rob Crittenden wrote:
>> Adam Young wrote:
>>> Not yet ready for prime time. I've tested the changes to updateinstance by hand, so I know they work.
>>> I'm having problems with the python import setup. RPM build fails with:
>>> install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 'installutils'
>>> And, if I uncomment the import for http utils, I get an error at run time as well. That confuses me, as I am able to import installutils at runtime.
>> I think these patches fix it. Please double check my comments.
>> I tested this on a non-updated dogtag install (e.g. it doesn't have the new script) and it didn't seem to break anything.
>> rob
> They work, but require this additional patch to the RPM spec.

We talked about this a bit in IRC. I think we want to bump up all dogtag packages to 9.0.15. The update is pending push to updates-testing at this moment.

With that change ack all around, just be sure to remove the non sequitur services change before pushing.

rob
Re: [Freeipa-devel] [PATCHES] 0287 and 0288 for Proxy upgrade
On 10/07/2011 02:42 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 10/06/2011 10:21 PM, Rob Crittenden wrote:
>>> Adam Young wrote:
>>>> Not yet ready for prime time. I've tested the changes to updateinstance by hand, so I know they work.
>>>> I'm having problems with the python import setup. RPM build fails with:
>>>> install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 'installutils'
>>>> And, if I uncomment the import for http utils, I get an error at run time as well. That confuses me, as I am able to import installutils at runtime.
>>> I think these patches fix it. Please double check my comments.
>>> I tested this on a non-updated dogtag install (e.g. it doesn't have the new script) and it didn't seem to break anything.
>>> rob
>> They work, but require this additional patch to the RPM spec.
> We talked about this a bit in IRC. I think we want to bump up all dogtag packages to 9.0.15. The update is pending push to updates-testing at this moment.
> With that change ack all around, just be sure to remove the non sequitur services change before pushing.
> rob

removed service change and pushed to ipa-2.1
Re: [Freeipa-devel] [PATCHES] 0287 and 0288 for Proxy upgrade
Adam Young wrote: Not yet ready for prime time. I've tested the changes to updateinstance by hand, so I know they work. I'm having problems with the python import setup. RPM build fails with: install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 'installutils' And, if I uncomment the import for http utils, I get an error at run time as well. That confuses me, as I am able to import installutils at runtime. I think these patches fix it. Please double check my comments. I tested this on a non-updated dogtag install (e.g. it doesn't have the new script) and it didn't seem to break anything. rob From ddbb78fde74e07e67805ed0a3aee22a4e8aaf8d5 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 6 Oct 2011 20:37:57 -0400 Subject: [PATCH 1/2] Make mod_nss renegotiation configuration a public function --- ipaserver/install/httpinstance.py |8 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index dbb0dd5..c5c047c 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -76,7 +76,7 @@ class HTTPInstance(service.Service): self.step(disabling mod_ssl in httpd, self.__disable_mod_ssl) self.step(setting mod_nss port to 443, self.__set_mod_nss_port) self.step(setting mod_nss password file, self.__set_mod_nss_passwordfile) -self.step(enabling mod_nss renegotiate, self.__enable_mod_nss_renegotiate) +self.step(enabling mod_nss renegotiate, self.enable_mod_nss_renegotiate) self.step(adding URL rewriting rules, self.__add_include) self.step(configuring httpd, self.__configure_http) self.step(setting up ssl, self.__setup_ssl) 
@@ -166,9 +166,9 @@ class HTTPInstance(service.Service): def __set_mod_nss_nickname(self, nickname): installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) -def __enable_mod_nss_renegotiate(self): -installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False) -installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False) +def enable_mod_nss_renegotiate(self): +installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on', False) +installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) def __set_mod_nss_passwordfile(self): installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf') -- 1.7.6.4 From 41f6544ea55afd0229e18769853c1e6227baa191 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 6 Oct 2011 20:37:18 -0400 Subject: [PATCH 2/2] Execute pki proxy setup when server is upgraded if needed --- install/tools/ipa-upgradeconfig | 23 +-- 1 files changed, 21 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 1b08382..406da93 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -25,7 +25,10 @@ Upgrade configuration files to a newer template. import sys try: -from ipapython import ipautil +from ipapython import ipautil, sysrestore +from ipaserver.install import installutils +from ipaserver.install import dsinstance +from ipaserver.install import httpinstance import krbV import re import os 
@@ -135,6 +138,22 @@ def check_certs(): print Missing Certification Authority file. print You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt +def upgrade_pki(): + +Update/add the dogtag proxy configuration. The IPA side of this is +handled in ipa-pki-proxy.conf. + +This requires enabling SSL renegotiation. + +fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') +http = httpinstance.HTTPInstance(fstore) +http.enable_mod_nss_renegotiate() +if not installutils.get_directive('/etc/pki-ca/CS.cfg', + 'proxy.securePort', '=') and \ +os.path.exists('/usr/bin/pki-setup-proxy'): +ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib' + ,'-pki_instance_name=pki-ca','-subsystem_type=ca']) + def main(): Get some basics about the system. If getting those basics fail then @@ -162,7 +181,7 @@ def main(): upgrade(sub_dict, /etc/httpd/conf.d/ipa.conf, ipautil.SHARE_DIR + ipa.conf) upgrade(sub_dict, /etc/httpd/conf.d/ipa-rewrite.conf, ipautil.SHARE_DIR + ipa-rewrite.conf) upgrade(sub_dict, /etc/httpd/conf.d/ipa-pki-proxy.conf, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True) - +upgrade_pki() try: if __name__ == __main__: sys.exit(main()) -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
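Review bot: In the `@@ -166,9 +166,9 @@` hunk of httpinstance.py, `enable_mod_nss_renegotiate` becomes public without a docstring; now that it is called from outside the install sequence (ipa-upgradeconfig), document that the two directives belong together: `NSSRequireSafeNegotiation on` is what restricts the re-enabled `NSSRenegotiation` to the RFC 5746 secure-renegotiation extension, so no future caller should be able to get one without the other. The trailing `False` argument to `set_directive` is also undocumented here while the neighbouring `__set_mod_nss_nickname` call omits it; a one-line comment on what it controls would help the next reader.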
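Review bot: In the `@@ -25,7 +25,10 @@` hunk of ipa-upgradeconfig, `dsinstance` is imported but never used anywhere in this diff; drop it, since pylint (the tool that produced the F0401 quoted earlier in the thread) will flag the unused import in the RPM build. Collapsing the two `from ipaserver.install import ...` lines into `from ipaserver.install import installutils, httpinstance` would also match the style of the adjacent `from ipapython import ipautil, sysrestore`.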
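Review bot: In the `@@ -135,6 +138,22 @@` hunk, `upgrade_pki()` reads `/etc/pki-ca/CS.cfg` through `installutils.get_directive` without checking that the file exists, while the `os.path.exists` guard covers only `/usr/bin/pki-setup-proxy`; because the `upgrade_pki()` call added to `main()` in the `@@ -162,7 +181,7 @@` hunk is unconditional, a server with no dogtag CA instance will hit this path on every upgrade. Guard on CS.cfg being present (or on the CA being configured) before calling get_directive, and wrap the `ipautil.run(['/usr/bin/pki-setup-proxy', ...])` call so a non-zero exit from pki-setup-proxy is logged rather than aborting the rest of the upgrade, given that it runs after the httpd config upgrades and before the `try:` that follows. Two smaller points: the leading-comma style in `'-pki_instance_root=/var/lib' ,'-pki_instance_name=pki-ca'` does not match the rest of the file, and the docstring quotes appear stripped in this rendering, so confirm the triple quotes survive in the real patch.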