From 61f54afcde1df217fec01aa9ab38b0b9b704c501 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 5 Jan 2016 13:00:24 +0100
Subject: [PATCH] prevent crash of CA-less server upgrade due to absent
 certmonger

ipa-server-upgrade tests whether the certmonger service is running before
attempting to upgrade the IPA master. This causes the upgrader to always fail when
there is no CA installed and certmonger is not needed, effectively preventing
a CA-less IPA master from upgrading successfully.

This test is now skipped if CA is not enabled.

https://fedorahosted.org/freeipa/ticket/5519

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/server/upgrade.py | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 945cb3ebd63767cb1d57083e1da7c5605ac5a2f9..616fba5c1a5b3737481aecbb09ab5344641a3b04 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -292,6 +292,24 @@ def setup_firefox_extension(fstore):
     http.setup_firefox_extension(realm, domain)
 
 
+def is_ca_enabled():
+    """
+    check whether there is an active CA master
+    :return: True if there is an active CA in topology, False otherwise
+    """
+    ldap2 = api.Backend.ldap2
+    was_connected = ldap2.isconnected()
+
+    if not was_connected:
+        ldap2.connect()
+
+    try:
+        return api.Command.ca_is_enabled()['result']
+    finally:
+        if not was_connected:
+            ldap2.disconnect()
+
+
 def ca_configure_profiles_acl(ca):
     root_logger.info('[Authorizing RA Agent to modify profiles]')
 
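Review bot: The docstring of `is_ca_enabled()` leaves out two things a caller has to know. The function may open the shared `api.Backend.ldap2` connection and closes it again only when it opened it itself, and any error from `ldap2.connect()` or `api.Command.ca_is_enabled()` propagates unchanged. I would add a line such as `:raises: any error from ldap2.connect() or the ca_is_enabled command; callers must handle it` plus one sentence on the temporary connection. Which identity `ldap2.connect()` binds with is not visible in this hunk and would be worth stating in the docstring too.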
@@ -1416,7 +1434,9 @@ def upgrade_configuration():
     http = httpinstance.HTTPInstance(fstore)
     http.configure_selinux_for_httpd()
     http.change_mod_nss_port_from_http()
-    http.configure_certmonger_renewal_guard()
+
+    if is_ca_enabled():
+        http.configure_certmonger_renewal_guard()
 
     ds.configure_dirsrv_ccache()
 
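Review bot: The new `if is_ca_enabled():` guard in upgrade_configuration() calls the helper with no error handling, whereas upgrade_check() in this same patch wraps the call and turns failures into a RuntimeError. If the LDAP query fails here, the upgrade stops with a raw exception after `configure_selinux_for_httpd()` and `change_mod_nss_port_from_http()` have already run, leaving the HTTP instance partly reconfigured. Consider resolving the value once before any changes are made, e.g. `ca_enabled = is_ca_enabled()` near the top of the function, and testing `if ca_enabled:` at this point. The rest of upgrade_configuration() lies outside the hunk, so an existing CA check may already be available to reuse.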
@@ -1562,7 +1582,12 @@ def upgrade_check(options):
         print unicode(e)
         sys.exit(1)
 
-    if not services.knownservices.certmonger.is_running():
+    try:
+        ca_is_enabled = is_ca_enabled()
+    except Exception as e:
+        raise RuntimeError("Cannot connect to LDAP server: {0}".format(e))
+
+    if not services.knownservices.certmonger.is_running() and ca_is_enabled:
         raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.')
 
     if not options.skip_version_check:
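Review bot: The `except Exception` around `is_ca_enabled()` reports every failure as "Cannot connect to LDAP server", although the helper also runs `api.Command.ca_is_enabled()`, so a command or permission error would be mislabelled and the original traceback is dropped. Either narrow the catch to the connection error type the file already has in scope, or keep the broad catch with a neutral message: `raise RuntimeError("Cannot determine whether CA is enabled: {0}".format(e))`. Writing the condition as `if ca_is_enabled and not services.knownservices.certmonger.is_running():` would also skip the service probe entirely on CA-less masters. upgrade_check() begins and continues outside this hunk.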
-- 
2.4.3