Blame SOURCES/0041-ipa-replica-install-properly-use-the-file-store.patch

From d169b6fc759a7586c6b3372db7e81c7862b2f96e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 5 Sep 2018 17:36:16 +0200
Subject: [PATCH] ipa-replica-install: properly use the file store
In ipa-replica-install, many components use their own instance
of the FileStore to backup configuration files to the pre-install
state. This causes issues when the calls are mixed, like for
instance:
ds.do_task1_that_backups_file (using ds.filestore)
http.do_task2_that_backups_file (using http.filestore)
ds.do_task3_that_backups_file (using ds.filestore)
because the list of files managed by ds.filestore does not include
the files managed by http.filestore, and the 3rd call would remove
any file added on 2nd call.
The symptom of this bug is that ipa-replica-install does not save
/etc/httpd/conf.d/ssl.conf and subsequent uninstallation does not
restore the file, leading to a line referring to ipa-rewrite.conf
that prevents httpd startup.
The installer should consistently use the same filestore.
Fixes https://pagure.io/freeipa/issue/7684
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipaserver/install/server/replicainstall.py | 31 +++++++++++++---------
 1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 396d6089449225cc83aa28552a2009b9057e65ab..525a62c474c7429b7efee4853eb71e487e656bba 100644
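--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -79,7 +79,7 @@ def make_pkcs12_info(directory, cert_name, password_name):
 
 
 def install_replica_ds(config, options, ca_is_configured, remote_api,
-                       ca_file, promote=False, pkcs12_info=None):
+                       ca_file, promote=False, pkcs12_info=None, fstore=None):
     dsinstance.check_ports()
 
     # if we have a pkcs12 file, create the cert db from
@@ -95,7 +95,8 @@ def install_replica_ds(config, options, ca_is_configured, remote_api,
         ca_subject = installutils.default_ca_subject_dn(config.subject_base)
 
     ds = dsinstance.DsInstance(
-        config_ldif=options.dirsrv_config_file)
+        config_ldif=options.dirsrv_config_file,
+        fstore=fstore)
     ds.create_replica(
         realm_name=config.realm_name,
         master_fqdn=config.master_host_name,
@@ -115,8 +116,9 @@ def install_replica_ds(config, options, ca_is_configured, remote_api,
     return ds
 
 
-def install_krb(config, setup_pkinit=False, pkcs12_info=None, promote=False):
-    krb = krbinstance.KrbInstance()
+def install_krb(config, setup_pkinit=False, pkcs12_info=None, promote=False,
+                fstore=None):
+    krb = krbinstance.KrbInstance(fstore=fstore)
 
     # pkinit files
     if pkcs12_info is None:
@@ -153,7 +155,8 @@ def install_ca_cert(ldap, base_dn, realm, cafile, destfile=paths.IPA_CA_CRT):
 
 def install_http(config, auto_redirect, ca_is_configured, ca_file,
                  promote=False,
-                 pkcs12_info=None):
+                 pkcs12_info=None,
+                 fstore=None):
     # if we have a pkcs12 file, create the cert db from
     # that. Otherwise the ds setup will create the CA
     # cert
@@ -161,8 +164,7 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,
         pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12",
                                        "http_pin.txt")
 
-
-    http = httpinstance.HTTPInstance()
+    http = httpinstance.HTTPInstance(fstore=fstore)
     http.create_instance(
         config.realm_name, config.host_name, config.domain_name,
         config.dirman_password, pkcs12_info,
@@ -173,14 +175,14 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,
     return http
 
 
-def install_dns_records(config, options, remote_api):
+def install_dns_records(config, options, remote_api, fstore=None):
 
     if not bindinstance.dns_container_exists(
             ipautil.realm_to_suffix(config.realm_name)):
         return
 
     try:
-        bind = bindinstance.BindInstance(api=remote_api)
+        bind = bindinstance.BindInstance(api=remote_api, fstore=fstore)
         for ip in config.ips:
             reverse_zone = bindinstance.find_reverse_zone(ip, remote_api)
 
@@ -1425,10 +1427,11 @@ def install(installer):
                                 remote_api,
                                 ca_file=cafile,
                                 promote=promote,
-                                pkcs12_info=dirsrv_pkcs12_info)
+                                pkcs12_info=dirsrv_pkcs12_info,
+                                fstore=fstore)
 
         # Always try to install DNS records
-        install_dns_records(config, options, remote_api)
+        install_dns_records(config, options, remote_api, fstore=fstore)
 
         ntpinstance.ntp_ldap_enable(config.host_name, ds.suffix,
                                     remote_api.env.realm)
@@ -1449,7 +1452,8 @@ def install(installer):
         config,
         setup_pkinit=not options.no_pkinit,
         pkcs12_info=pkinit_pkcs12_info,
-        promote=promote)
+        promote=promote,
+        fstore=fstore)
 
     if promote:
         # We need to point to the master when certmonger asks for
@@ -1479,7 +1483,8 @@ def install(installer):
         promote=promote,
         pkcs12_info=http_pkcs12_info,
         ca_is_configured=ca_enabled,
-        ca_file=cafile)
+        ca_file=cafile,
+        fstore=fstore)
 
     if promote:
         # Need to point back to ourself after the cert for HTTP is obtained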
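Review bot: The new `fstore=None` defaults on `install_replica_ds`, `install_krb`, `install_http` and `install_dns_records` leave the original failure mode silent: a caller that omits the argument presumably gets a per-instance FileStore again (the instance constructors are not part of this diff), and the backup list that uninstall relies on to restore files such as /etc/httpd/conf.d/ssl.conf can lose entries exactly as the commit message describes. Since every call in `install()` now passes `fstore=fstore`, consider documenting the contract on each helper, for example `# fstore: the installer's shared FileStore; None falls back to a private store and is only safe when no other component backs up files`, or rejecting None outright. The assignment of `fstore` in `install()` and the bodies of all five functions extend beyond the hunks, so this needs checking against the full file.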
-- 
2.17.1