|
 |
483b06 |
From a93e6040fdadd41dc7d1c46c09110b7321ed333c Mon Sep 17 00:00:00 2001
|
|
|
483b06 |
From: Christian Heimes <cheimes@redhat.com>
|
|
|
483b06 |
Date: Tue, 28 Feb 2017 12:07:19 +0100
|
|
|
483b06 |
Subject: [PATCH] Use Custodia 0.3.1 features
|
|
|
483b06 |
|
|
|
483b06 |
* Use sd-notify in ipa-custodia.service
|
|
|
483b06 |
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
|
|
|
483b06 |
default setting for IPA's config file. The new file also makes it
|
|
|
483b06 |
simpler to run IPA's custodia instance with its own SELinux context.
|
|
|
483b06 |
* ipapython no longer depends on custodia
|
|
|
483b06 |
|
|
|
483b06 |
The patch addresses three issues:
|
|
|
483b06 |
|
|
|
483b06 |
* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
|
|
|
483b06 |
Forward compatibility with Custodia 0.3 in Fedora rawhide
|
|
|
483b06 |
* https://pagure.io/freeipa/issue/5825
|
|
|
483b06 |
Use sd-notify
|
|
|
483b06 |
* https://pagure.io/freeipa/issue/6788
|
|
|
483b06 |
Prepare for separate SELinux context
|
|
|
483b06 |
|
|
|
483b06 |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
483b06 |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
483b06 |
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
483b06 |
---
|
|
|
483b06 |
freeipa.spec.in | 13 ++++++++-----
|
|
|
483b06 |
init/systemd/Makefile.am | 1 +
|
|
|
483b06 |
init/systemd/ipa-custodia.service.in | 5 ++---
|
|
|
483b06 |
install/tools/Makefile.am | 1 +
|
|
|
483b06 |
install/tools/ipa-custodia | 6 ++++++
|
|
|
483b06 |
ipapython/setup.py | 1 -
|
|
|
483b06 |
ipaserver/secrets/service.py | 30 ++++++++++++++++++++++++++++++
|
|
|
483b06 |
ipaserver/setup.py | 1 +
|
|
|
483b06 |
ipasetup.py.in | 1 +
|
|
|
483b06 |
9 files changed, 50 insertions(+), 9 deletions(-)
|
|
|
483b06 |
create mode 100755 install/tools/ipa-custodia
|
|
|
483b06 |
create mode 100644 ipaserver/secrets/service.py
|
|
|
483b06 |
|
|
|
483b06 |
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
|
|
483b06 |
index 9c8a14a580ad80ed10e797bef9661e7b1feb81b3..91fca6ea974bd70847feb1e3b6db8ae3cbda061c 100644
|
|
|
483b06 |
--- a/freeipa.spec.in
|
|
|
483b06 |
+++ b/freeipa.spec.in
|
|
|
483b06 |
@@ -181,7 +181,8 @@ BuildRequires: pki-base-python2
|
|
|
483b06 |
BuildRequires: python-pytest-multihost
|
|
|
483b06 |
BuildRequires: python-pytest-sourceorder
|
|
|
483b06 |
BuildRequires: python-jwcrypto
|
|
|
483b06 |
-BuildRequires: python-custodia
|
|
|
483b06 |
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
|
|
|
483b06 |
+BuildRequires: python-custodia >= 0.3.1
|
|
|
483b06 |
BuildRequires: dbus-python
|
|
|
483b06 |
BuildRequires: python-dateutil
|
|
|
483b06 |
BuildRequires: python-enum34
|
|
|
483b06 |
@@ -216,7 +217,8 @@ BuildRequires: pki-base-python3
|
|
|
483b06 |
BuildRequires: python3-pytest-multihost
|
|
|
483b06 |
BuildRequires: python3-pytest-sourceorder
|
|
|
483b06 |
BuildRequires: python3-jwcrypto
|
|
|
483b06 |
-BuildRequires: python3-custodia
|
|
|
483b06 |
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
|
|
|
483b06 |
+BuildRequires: python3-custodia >= 0.3.1
|
|
|
483b06 |
BuildRequires: python3-dbus
|
|
|
483b06 |
BuildRequires: python3-dateutil
|
|
|
483b06 |
BuildRequires: python3-enum34
|
|
|
483b06 |
@@ -340,6 +342,7 @@ BuildArch: noarch
|
|
|
483b06 |
Requires: %{name}-server-common = %{version}-%{release}
|
|
|
483b06 |
Requires: %{name}-common = %{version}-%{release}
|
|
|
483b06 |
Requires: python2-ipaclient = %{version}-%{release}
|
|
|
483b06 |
+Requires: python-custodia >= 0.3.1
|
|
|
483b06 |
Requires: python-ldap >= 2.4.15
|
|
|
483b06 |
Requires: python-lxml
|
|
|
483b06 |
Requires: python-gssapi >= 1.2.0
|
|
|
483b06 |
@@ -370,6 +373,7 @@ BuildArch: noarch
|
|
|
483b06 |
Requires: %{name}-server-common = %{version}-%{release}
|
|
|
483b06 |
Requires: %{name}-common = %{version}-%{release}
|
|
|
483b06 |
Requires: python3-ipaclient = %{version}-%{release}
|
|
|
483b06 |
+Requires: python3-custodia >= 0.3.1
|
|
|
483b06 |
Requires: python3-pyldap >= 2.4.15
|
|
|
483b06 |
Requires: python3-lxml
|
|
|
483b06 |
Requires: python3-gssapi >= 1.2.0
|
|
|
483b06 |
@@ -399,7 +403,7 @@ BuildArch: noarch
|
|
|
483b06 |
Requires: %{name}-client-common = %{version}-%{release}
|
|
|
483b06 |
Requires: httpd >= 2.4.6-31
|
|
|
483b06 |
Requires: systemd-units >= 38
|
|
|
483b06 |
-Requires: custodia
|
|
|
483b06 |
+Requires: custodia >= 0.3.1
|
|
|
483b06 |
|
|
|
483b06 |
Provides: %{alt_name}-server-common = %{version}
|
|
|
483b06 |
Conflicts: %{alt_name}-server-common
|
|
|
483b06 |
@@ -650,7 +654,6 @@ Requires: python-jwcrypto
|
|
|
483b06 |
Requires: python-cffi
|
|
|
483b06 |
Requires: python-ldap >= 2.4.15
|
|
|
483b06 |
Requires: python-requests
|
|
|
483b06 |
-Requires: python-custodia
|
|
|
483b06 |
Requires: python-dns >= 1.15
|
|
|
483b06 |
Requires: python-enum34
|
|
|
483b06 |
Requires: python-netifaces >= 0.10.4
|
|
|
483b06 |
@@ -699,7 +702,6 @@ Requires: python3-six
|
|
|
483b06 |
Requires: python3-jwcrypto
|
|
|
483b06 |
Requires: python3-cffi
|
|
|
483b06 |
Requires: python3-pyldap >= 2.4.15
|
|
|
483b06 |
-Requires: python3-custodia
|
|
|
483b06 |
Requires: python3-requests
|
|
|
483b06 |
Requires: python3-dns >= 1.15
|
|
|
483b06 |
Requires: python3-netifaces >= 0.10.4
|
|
|
483b06 |
@@ -1160,6 +1162,7 @@ fi
|
|
|
483b06 |
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
|
|
|
483b06 |
%{_libexecdir}/certmonger/ipa-server-guard
|
|
|
483b06 |
%dir %{_libexecdir}/ipa
|
|
|
483b06 |
+%{_libexecdir}/ipa/ipa-custodia
|
|
|
483b06 |
%{_libexecdir}/ipa/ipa-dnskeysyncd
|
|
|
483b06 |
%{_libexecdir}/ipa/ipa-dnskeysync-replica
|
|
|
483b06 |
%{_libexecdir}/ipa/ipa-ods-exporter
|
|
|
483b06 |
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
|
|
|
483b06 |
index 325e8574812a2ec507911128dbac0315070d2897..945f6ac22a050f393990cad27156e092ce4f7a29 100644
|
|
|
483b06 |
--- a/init/systemd/Makefile.am
|
|
|
483b06 |
+++ b/init/systemd/Makefile.am
|
|
|
483b06 |
@@ -18,5 +18,6 @@ CLEANFILES = $(systemdsystemunit_DATA)
|
|
|
483b06 |
-e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
|
|
|
483b06 |
-e 's|@localstatedir[@]|$(localstatedir)|g' \
|
|
|
483b06 |
-e 's|@sbindir[@]|$(sbindir)|g' \
|
|
|
483b06 |
+ -e 's|@libexecdir[@]|$(libexecdir)|g' \
|
|
|
483b06 |
-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
|
|
|
483b06 |
'$(srcdir)/$@.in' >$@
|
|
|
483b06 |
diff --git a/init/systemd/ipa-custodia.service.in b/init/systemd/ipa-custodia.service.in
|
|
|
483b06 |
index 3f9b128aa1b7ee373c52e1e3566048ec6028c826..0247bd8826529d638c692d827ae31393db292b4a 100644
|
|
|
483b06 |
--- a/init/systemd/ipa-custodia.service.in
|
|
|
483b06 |
+++ b/init/systemd/ipa-custodia.service.in
|
|
|
483b06 |
@@ -2,9 +2,8 @@
|
|
|
483b06 |
Description=IPA Custodia Service
|
|
|
483b06 |
|
|
|
483b06 |
[Service]
|
|
|
483b06 |
-Type=simple
|
|
|
483b06 |
-
|
|
|
483b06 |
-ExecStart=@sbindir@/custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
|
|
|
483b06 |
+Type=notify
|
|
|
483b06 |
+ExecStart=@libexecdir@/ipa/ipa-custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
|
|
|
483b06 |
PrivateTmp=yes
|
|
|
483b06 |
Restart=on-failure
|
|
|
483b06 |
RestartSec=60s
|
|
|
483b06 |
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
|
|
|
483b06 |
index f2c2ce2953c3ac146a80f7e4515769683a01f843..493e5ff4a8290be8ef076135104a85f8315b7842 100644
|
|
|
483b06 |
--- a/install/tools/Makefile.am
|
|
|
483b06 |
+++ b/install/tools/Makefile.am
|
|
|
483b06 |
@@ -32,6 +32,7 @@ dist_sbin_SCRIPTS = \
|
|
|
483b06 |
|
|
|
483b06 |
appdir = $(libexecdir)/ipa/
|
|
|
483b06 |
dist_app_SCRIPTS = \
|
|
|
483b06 |
+ ipa-custodia \
|
|
|
483b06 |
ipa-httpd-kdcproxy \
|
|
|
483b06 |
ipa-pki-retrieve-key \
|
|
|
483b06 |
$(NULL)
|
|
|
483b06 |
diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia
|
|
|
483b06 |
new file mode 100755
|
|
|
483b06 |
index 0000000000000000000000000000000000000000..5deeeffdd78db323b6534934065772bb0ae67438
|
|
|
483b06 |
--- /dev/null
|
|
|
483b06 |
+++ b/install/tools/ipa-custodia
|
|
|
483b06 |
@@ -0,0 +1,6 @@
|
|
|
483b06 |
+#!/usr/bin/python2
|
|
|
483b06 |
+# Copyright (C) 2017 IPA Project Contributors, see COPYING for license
|
|
|
483b06 |
+from ipaserver.secrets.service import main
|
|
|
483b06 |
+
|
|
|
483b06 |
+if __name__ == '__main__':
|
|
|
483b06 |
+ main()
|
|
|
483b06 |
diff --git a/ipapython/setup.py b/ipapython/setup.py
|
|
|
483b06 |
index 86e4131e5f9cfc106393875018d6ac2645a38be1..2fc039fe7bb673add17404d13bf477c5b8bb0606 100755
|
|
|
483b06 |
--- a/ipapython/setup.py
|
|
|
483b06 |
+++ b/ipapython/setup.py
|
|
|
483b06 |
@@ -38,7 +38,6 @@ if __name__ == '__main__':
|
|
|
483b06 |
],
|
|
|
483b06 |
install_requires=[
|
|
|
483b06 |
"cffi",
|
|
|
483b06 |
- "custodia",
|
|
|
483b06 |
"cryptography",
|
|
|
483b06 |
"dnspython",
|
|
|
483b06 |
"gssapi",
|
|
|
483b06 |
diff --git a/ipaserver/secrets/service.py b/ipaserver/secrets/service.py
|
|
|
483b06 |
new file mode 100644
|
|
|
483b06 |
index 0000000000000000000000000000000000000000..f51c46a30e4caf76e38659c2f0a6a2c645376978
|
|
|
483b06 |
--- /dev/null
|
|
|
483b06 |
+++ b/ipaserver/secrets/service.py
|
|
|
483b06 |
@@ -0,0 +1,30 @@
|
|
|
483b06 |
+# Copyright (C) 2017 IPA Project Contributors, see COPYING for license
|
|
|
483b06 |
+import argparse
|
|
|
483b06 |
+
|
|
|
483b06 |
+import custodia.server
|
|
|
483b06 |
+
|
|
|
483b06 |
+
|
|
|
483b06 |
+argparser = argparse.ArgumentParser(
|
|
|
483b06 |
+ prog='ipa-custodia',
|
|
|
483b06 |
+ description='IPA Custodia service'
|
|
|
483b06 |
+)
|
|
|
483b06 |
+argparser.add_argument(
|
|
|
483b06 |
+ '--debug',
|
|
|
483b06 |
+ action='store_true',
|
|
|
483b06 |
+ help='Debug mode'
|
|
|
483b06 |
+)
|
|
|
483b06 |
+argparser.add_argument(
|
|
|
483b06 |
+ 'configfile',
|
|
|
483b06 |
+ nargs='?',
|
|
|
483b06 |
+ type=argparse.FileType('r'),
|
|
|
483b06 |
+ help="Path to IPA's custodia server config",
|
|
|
483b06 |
+ default='/etc/ipa/custodia/custodia.conf'
|
|
|
483b06 |
+)
|
|
|
483b06 |
+
|
|
|
483b06 |
+
|
|
|
483b06 |
+def main():
|
|
|
483b06 |
+ return custodia.server.main(argparser)
|
|
|
483b06 |
+
|
|
|
483b06 |
+
|
|
|
483b06 |
+if __name__ == '__main__':
|
|
|
483b06 |
+ main()
|
|
|
483b06 |
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
|
|
|
483b06 |
index d3c735c0f9e604512d6ccd14dcd16a186c6ecad4..42b0c1b0618ef9867acb1fe2add5702a756cf2d2 100755
|
|
|
483b06 |
--- a/ipaserver/setup.py
|
|
|
483b06 |
+++ b/ipaserver/setup.py
|
|
|
483b06 |
@@ -47,6 +47,7 @@ if __name__ == '__main__':
|
|
|
483b06 |
],
|
|
|
483b06 |
install_requires=[
|
|
|
483b06 |
"cryptography",
|
|
|
483b06 |
+ "custodia",
|
|
|
483b06 |
"dbus-python",
|
|
|
483b06 |
"dnspython",
|
|
|
483b06 |
"dogtag-pki",
|
|
|
483b06 |
diff --git a/ipasetup.py.in b/ipasetup.py.in
|
|
|
483b06 |
index 915f0edee7ca291cc4921f6b8e4d38498253b372..7f9b2c918c0cd582706edee087ed5944451aaf2e 100644
|
|
|
483b06 |
--- a/ipasetup.py.in
|
|
|
483b06 |
+++ b/ipasetup.py.in
|
|
|
483b06 |
@@ -64,6 +64,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0):
|
|
|
483b06 |
|
|
|
483b06 |
PACKAGE_VERSION = {
|
|
|
483b06 |
'cryptography': 'cryptography >= 1.4',
|
|
|
483b06 |
+ 'custodia': 'custodia >= 0.3.1',
|
|
|
483b06 |
'dnspython': 'dnspython >= 1.15',
|
|
|
483b06 |
'gssapi': 'gssapi >= 1.2.0',
|
|
|
483b06 |
'ipaclient': 'ipaclient == {}'.format(VERSION),
|
|
|
483b06 |
--
|
|
|
483b06 |
2.12.1
|
|
|
483b06 |
|