From d169b6fc759a7586c6b3372db7e81c7862b2f96e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 5 Sep 2018 17:36:16 +0200
Subject: [PATCH] ipa-replica-install: properly use the file store
In ipa-replica-install, many components use their own instance
of the FileStore to backup configuration files to the pre-install
state. This causes issues when the calls are mixed, like for
instance:
ds.do_task1_that_backups_file (using ds.filestore)
http.do_task2_that_backups_file (using http.filestore)
ds.do_task3_that_backups_file (using ds.filestore)
because the list of files managed by ds.filestore does not include
the files managed by http.filestore, and the 3rd call would remove
any file added on 2nd call.
The symptom of this bug is that ipa-replica-install does not save
/etc/httpd/conf.d/ssl.conf and subsequent uninstallation does not
restore the file, leading to a line referring to ipa-rewrite.conf
that prevents httpd startup.
The installer should consistently use the same filestore.
Fixes https://pagure.io/freeipa/issue/7684
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
ipaserver/install/server/replicainstall.py | 31 +++++++++++++---------
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 396d6089449225cc83aa28552a2009b9057e65ab..525a62c474c7429b7efee4853eb71e487e656bba 100644
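--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -79,7 +79,7 @@ def make_pkcs12_info(directory, cert_name, password_name):
 
 
 def install_replica_ds(config, options, ca_is_configured, remote_api,
- ca_file, promote=False, pkcs12_info=None):
+ ca_file, promote=False, pkcs12_info=None, fstore=None):
 dsinstance.check_ports()
 
 # if we have a pkcs12 file, create the cert db from
@@ -95,7 +95,8 @@ def install_replica_ds(config, options, ca_is_configured, remote_api,
 ca_subject = installutils.default_ca_subject_dn(config.subject_base)
 
 ds = dsinstance.DsInstance(
- config_ldif=options.dirsrv_config_file)
+ config_ldif=options.dirsrv_config_file,
+ fstore=fstore)
 ds.create_replica(
 realm_name=config.realm_name,
 master_fqdn=config.master_host_name,
@@ -115,8 +116,9 @@ def install_replica_ds(config, options, ca_is_configured, remote_api,
 return ds
 
 
-def install_krb(config, setup_pkinit=False, pkcs12_info=None, promote=False):
- krb = krbinstance.KrbInstance()
+def install_krb(config, setup_pkinit=False, pkcs12_info=None, promote=False,
+ fstore=None):
+ krb = krbinstance.KrbInstance(fstore=fstore)
 
 # pkinit files
 if pkcs12_info is None:
@@ -153,7 +155,8 @@ def install_ca_cert(ldap, base_dn, realm, cafile, destfile=paths.IPA_CA_CRT):
 
 def install_http(config, auto_redirect, ca_is_configured, ca_file,
 promote=False,
- pkcs12_info=None):
+ pkcs12_info=None,
+ fstore=None):
 # if we have a pkcs12 file, create the cert db from
 # that. Otherwise the ds setup will create the CA
 # cert
@@ -161,8 +164,7 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,
 pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12",
 "http_pin.txt")
 
-
- http = httpinstance.HTTPInstance()
+ http = httpinstance.HTTPInstance(fstore=fstore)
 http.create_instance(
 config.realm_name, config.host_name, config.domain_name,
 config.dirman_password, pkcs12_info,
@@ -173,14 +175,14 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,
 return http
 
 
-def install_dns_records(config, options, remote_api):
+def install_dns_records(config, options, remote_api, fstore=None):
 
 if not bindinstance.dns_container_exists(
 ipautil.realm_to_suffix(config.realm_name)):
 return
 
 try:
- bind = bindinstance.BindInstance(api=remote_api)
+ bind = bindinstance.BindInstance(api=remote_api, fstore=fstore)
 for ip in config.ips:
 reverse_zone = bindinstance.find_reverse_zone(ip, remote_api)
 
@@ -1425,10 +1427,11 @@ def install(installer):
 remote_api,
 ca_file=cafile,
 promote=promote,
- pkcs12_info=dirsrv_pkcs12_info)
+ pkcs12_info=dirsrv_pkcs12_info,
+ fstore=fstore)
 
 # Always try to install DNS records
- install_dns_records(config, options, remote_api)
+ install_dns_records(config, options, remote_api, fstore=fstore)
 
 ntpinstance.ntp_ldap_enable(config.host_name, ds.suffix,
 remote_api.env.realm)
@@ -1449,7 +1452,8 @@ def install(installer):
 config,
 setup_pkinit=not options.no_pkinit,
 pkcs12_info=pkinit_pkcs12_info,
- promote=promote)
+ promote=promote,
+ fstore=fstore)
 
 if promote:
 # We need to point to the master when certmonger asks for
@@ -1479,7 +1483,8 @@ def install(installer):
 promote=promote,
 pkcs12_info=http_pkcs12_info,
 ca_is_configured=ca_enabled,
- ca_file=cafile)
+ ca_file=cafile,
+ fstore=fstore)
 
 if promote:
 # Need to point back to ourself after the cert for HTTP is obtained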
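Review bot: The new `fstore=None` defaults on `install_replica_ds`, `install_krb`, `install_http` and `install_dns_records` leave the shared file store opt-in, so a caller that omits the argument presumably still gets a per-instance FileStore, which is the mixed-backup condition the commit message describes. The four calls visible in `install()` now pass `fstore=fstore`, but the bodies of these functions and the binding of `fstore` inside `install()` lie outside the hunks, so it is worth confirming that no other service instance in the replica path is still constructed without it. Each helper should at least carry a comment such as `# fstore: the installer's shared FileStore; None makes the instance create its own, which must not be mixed with other stores`. A regression check that installs and then uninstalls a replica and verifies that /etc/httpd/conf.d/ssl.conf is restored would pin the reported symptom.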
--
2.17.1