From 61f54afcde1df217fec01aa9ab38b0b9b704c501 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 5 Jan 2016 13:00:24 +0100
Subject: [PATCH] prevent crash of CA-less server upgrade due to absent
certmonger
ipa-server-upgrade tests whether certmonger service is running before
attempting to upgrade IPA master. This causes the upgrader to always fail when
there is no CA installer and certmonger is not needed, effectively preventing
CA-less IPA master from upgrading successfully.
This test is now skipped if CA is not enabled.
https://fedorahosted.org/freeipa/ticket/5519
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
ipaserver/install/server/upgrade.py | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 945cb3ebd63767cb1d57083e1da7c5605ac5a2f9..616fba5c1a5b3737481aecbb09ab5344641a3b04 100644
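--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -292,6 +292,24 @@ def setup_firefox_extension(fstore):
 http.setup_firefox_extension(realm, domain)
 
 
+def is_ca_enabled():
+ """
+ check whether there is an active CA master
+ :return: True if there is an active CA in topology, False otherwise
+ """
+ ldap2 = api.Backend.ldap2
+ was_connected = ldap2.isconnected()
+
+ if not was_connected:
+ ldap2.connect()
+
+ try:
+ return api.Command.ca_is_enabled()['result']
+ finally:
+ if not was_connected:
+ ldap2.disconnect()
+
+
 def ca_configure_profiles_acl(ca):
 root_logger.info('[Authorizing RA Agent to modify profiles]')
 
@@ -1416,7 +1434,9 @@ def upgrade_configuration():
 http = httpinstance.HTTPInstance(fstore)
 http.configure_selinux_for_httpd()
 http.change_mod_nss_port_from_http()
- http.configure_certmonger_renewal_guard()
+
+ if is_ca_enabled():
+ http.configure_certmonger_renewal_guard()
 
 ds.configure_dirsrv_ccache()
 
@@ -1562,7 +1582,12 @@ def upgrade_check(options):
 print unicode(e)
 sys.exit(1)
 
- if not services.knownservices.certmonger.is_running():
+ try:
+ ca_is_enabled = is_ca_enabled()
+ except Exception as e:
+ raise RuntimeError("Cannot connect to LDAP server: {0}".format(e))
+
+ if not services.knownservices.certmonger.is_running() and ca_is_enabled:
 raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.')
 
 if not options.skip_version_check: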
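Review bot: In the upgrade_check hunk the new `except Exception as e:` wraps everything is_ca_enabled() does, so a failure inside `api.Command.ca_is_enabled()` or a missing 'result' key is also reported as "Cannot connect to LDAP server", which points an operator at the wrong component. A message that matches what was attempted would be more accurate, e.g. `raise RuntimeError("Cannot determine whether CA is enabled: {0}".format(e))`. The second call, `if is_ca_enabled():` in upgrade_configuration, has no such handling, so an LDAP failure there would presumably surface as a raw exception part-way through the upgrade. A False answer also skips `configure_certmonger_renewal_guard()` silently; logging the skip would leave a record of that decision. Both upgrade_check and upgrade_configuration begin and end outside the hunks shown.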
--
2.4.3