From d0327f33d3bc426db5c8dd86666e680da6a44b61 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 26 Mar 2019 13:27:35 +0100
Subject: [PATCH] Synchronize hidden state from IPA master role
ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
install/tools/ipa-adtrust-install | 2 +-
install/tools/ipa-ca-install | 2 +-
ipaserver/install/ipa_kra_install.py | 2 +-
ipaserver/install/service.py | 22 +++++++++++++++++++
.../test_replica_promotion.py | 4 +++-
5 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 9dbfadb6fae193e2f4a54b3a0e226e0a6b1fd26f..19bd21866119b4a23f5a6a02cc8ea37c8f5d36ea 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -213,7 +213,7 @@ def main():
adtrust.install(True, options, fstore, api)
# Enable configured services and update DNS SRV records
- service.enable_services(api.env.host)
+ service.sync_services_state(api.env.host)
api.Command.dns_update_system_records()
print("""
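Review bot: The comment kept above the changed call, `# Enable configured services and update DNS SRV records`, no longer describes it, because `sync_services_state` hides the services when the host's IPA master role is hidden. I would reword it to `# Sync service state with the IPA master role (hidden or enabled), then update DNS SRV records`. The same comment sits above the identical change in install/tools/ipa-ca-install and ipaserver/install/ipa_kra_install.py. main() starts and ends outside this hunk.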
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 55182dc30e4736618f749e78db161fc7eefe37ac..dda7a0527b07695c51140c437a2699c8634f2724 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -347,7 +347,7 @@ def main():
api.Backend.ldap2.connect()
# Enable configured services and update DNS SRV records
- service.enable_services(api.env.host)
+ service.sync_services_state(api.env.host)
api.Command.dns_update_system_records()
api.Backend.ldap2.disconnect()
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index 19260ac7f23a7c6f3a6328d4f146510a186b706e..006bc92bec581e1983f11bfd75498b5484f2567a 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -239,6 +239,6 @@ class KRAInstaller(KRAInstall):
api.Backend.ldap2.connect()
# Enable configured services and update DNS SRV records
- service.enable_services(api.env.host)
+ service.sync_services_state(api.env.host)
api.Command.dns_update_system_records()
api.Backend.ldap2.disconnect()
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 6d7997c559f8d748f00dd9df28371c53bc12ee21..8948f64c2ec2db4cd013699e07dd94d5dba6c043 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -41,6 +41,7 @@ from ipaplatform.paths import paths
from ipaserver.masters import (
CONFIGURED_SERVICE, ENABLED_SERVICE, HIDDEN_SERVICE, SERVICE_LIST
)
+from ipaserver.servroles import HIDDEN
logger = logging.getLogger(__name__)
@@ -202,6 +203,27 @@ def hide_services(fqdn):
_set_services_state(fqdn, HIDDEN_SERVICE)
+def sync_services_state(fqdn):
+ """Synchronize services state from IPA master role state
+
+ Hide all services if the IPA master role state is in hidden state.
+ Otherwise enable all services.
+
+ :param fqdn: hostname of server
+ """
+ result = api.Command.server_role_find(
+ server_server=fqdn,
+ role_servrole='IPA master',
+ status=HIDDEN
+ )
+ if result['count']:
+ # one hidden server role
+ hide_services(fqdn)
+ else:
+ # IPA master is either enabled or configured, enable all
+ enable_services(fqdn)
+
+
def _set_services_state(fqdn, dest_state):
"""Change all services of a host
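Review bot: `sync_services_state` falls through to `enable_services(fqdn)` whenever `server_role_find` returns a zero count, so a lookup that fails to match the hidden role (for example if the `server_server=fqdn` criterion or the literal `'IPA master'` does not match as expected) would silently enable the services of a replica that is meant to stay hidden. The decision is not logged either, although the module already defines `logger`. I would record the branch taken, e.g. `logger.debug("IPA master role on %s is hidden, hiding services", fqdn)` before `hide_services(fqdn)`, with a matching line before `enable_services(fqdn)`. The docstring could also say that the function needs a connected LDAP backend, which I infer from the `api.Backend.ldap2.connect()` calls that precede it in the callers.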
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index bf028bf7dc58abb6455ba1659f2d19bede69daa2..df71972a2ba3ad503011a558295bd38f587faf44 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -823,9 +823,11 @@ class TestHiddenReplicaPromotion(IntegrationTest):
# hidden replica with CA and DNS
tasks.install_replica(
cls.master, cls.replicas[0],
- setup_dns=True, setup_kra=True,
+ setup_dns=True, setup_kra=False,
extra_args=('--hidden-replica',)
)
+ # manually install KRA to verify that hidden state is synced
+ tasks.install_kra(cls.replicas[0])
def _check_dnsrecords(self, hosts_expected, hosts_unexpected=()):
domain = DNSName(self.master.domain.name).make_absolute()
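Review bot: Only the KRA path is exercised by the new `tasks.install_kra(cls.replicas[0])` call, while the commit also switches ipa-adtrust-install and ipa-ca-install to `sync_services_state`; those two paths appear to have no matching test in this patch. The comment above `install_replica`, `# hidden replica with CA and DNS`, would read better as `# hidden replica with CA and DNS; KRA is added separately below`. The assertion that the KRA service actually ended up hidden is not visible in this hunk, so confirm that an existing test method covers it. The enclosing class method starts outside the hunk.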
--
2.20.1