From d169b6fc759a7586c6b3372db7e81c7862b2f96e Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Wed, 5 Sep 2018 17:36:16 +0200

Subject: [PATCH] ipa-replica-install: properly use the file store

In ipa-replica-install, many components use their own instance

of the FileStore to backup configuration files to the pre-install

state. This causes issues when the calls are mixed, like for

instance:

ds.do_task1_that_backups_file (using ds.filestore)

http.do_task2_that_backups_file (using http.filestore)

ds.do_task3_that_backups_file (using ds.filestore)

because the list of files managed by ds.filestore does not include

the files managed by http.filestore, and the 3rd call would remove

any file added on 2nd call.

The symptom of this bug is that ipa-replica-install does not save

/etc/httpd/conf.d/ssl.conf and subsequent uninstallation does not

restore the file, leading to a line referring to ipa-rewrite.conf

that prevents httpd startup.

The installer should consistently use the same filestore.

Fixes https://pagure.io/freeipa/issue/7684

Reviewed-By: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

---

 ipaserver/install/server/replicainstall.py | 31 +++++++++++++---------

 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py

index 396d6089449225cc83aa28552a2009b9057e65ab..525a62c474c7429b7efee4853eb71e487e656bba 100644

--- a/ipaserver/install/server/replicainstall.py

+++ b/ipaserver/install/server/replicainstall.py

@@ -79,7 +79,7 @@ def make_pkcs12_info(directory, cert_name, password_name):

 def install_replica_ds(config, options, ca_is_configured, remote_api,

-                       ca_file, promote=False, pkcs12_info=None):

+                       ca_file, promote=False, pkcs12_info=None, fstore=None):

     dsinstance.check_ports()

     # if we have a pkcs12 file, create the cert db from

@@ -95,7 +95,8 @@ def install_replica_ds(config, options, ca_is_configured, remote_api,

         ca_subject = installutils.default_ca_subject_dn(config.subject_base)

     ds = dsinstance.DsInstance(

-        config_ldif=options.dirsrv_config_file)

+        config_ldif=options.dirsrv_config_file,

+        fstore=fstore)

     ds.create_replica(

         realm_name=config.realm_name,

         master_fqdn=config.master_host_name,

@@ -115,8 +116,9 @@ def install_replica_ds(config, options, ca_is_configured, remote_api,

     return ds

-def install_krb(config, setup_pkinit=False, pkcs12_info=None, promote=False):

-    krb = krbinstance.KrbInstance()

+def install_krb(config, setup_pkinit=False, pkcs12_info=None, promote=False,

+                fstore=None):

+    krb = krbinstance.KrbInstance(fstore=fstore)

     # pkinit files

     if pkcs12_info is None:

@@ -153,7 +155,8 @@ def install_ca_cert(ldap, base_dn, realm, cafile, destfile=paths.IPA_CA_CRT):

 def install_http(config, auto_redirect, ca_is_configured, ca_file,

                  promote=False,

-                 pkcs12_info=None):

+                 pkcs12_info=None,

+                 fstore=None):

     # if we have a pkcs12 file, create the cert db from

     # that. Otherwise the ds setup will create the CA

     # cert

@@ -161,8 +164,7 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,

         pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12",

                                        "http_pin.txt")

-

-    http = httpinstance.HTTPInstance()

+    http = httpinstance.HTTPInstance(fstore=fstore)

     http.create_instance(

         config.realm_name, config.host_name, config.domain_name,

         config.dirman_password, pkcs12_info,

@@ -173,14 +175,14 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,

     return http

-def install_dns_records(config, options, remote_api):

+def install_dns_records(config, options, remote_api, fstore=None):

     if not bindinstance.dns_container_exists(

             ipautil.realm_to_suffix(config.realm_name)):

         return

     try:

-        bind = bindinstance.BindInstance(api=remote_api)

+        bind = bindinstance.BindInstance(api=remote_api, fstore=fstore)

         for ip in config.ips:

             reverse_zone = bindinstance.find_reverse_zone(ip, remote_api)

@@ -1425,10 +1427,11 @@ def install(installer):

                                 remote_api,

                                 ca_file=cafile,

                                 promote=promote,

-                                pkcs12_info=dirsrv_pkcs12_info)

+                                pkcs12_info=dirsrv_pkcs12_info,

+                                fstore=fstore)

         # Always try to install DNS records

-        install_dns_records(config, options, remote_api)

+        install_dns_records(config, options, remote_api, fstore=fstore)

         ntpinstance.ntp_ldap_enable(config.host_name, ds.suffix,

                                     remote_api.env.realm)

@@ -1449,7 +1452,8 @@ def install(installer):

         config,

         setup_pkinit=not options.no_pkinit,

         pkcs12_info=pkinit_pkcs12_info,

-        promote=promote)

+        promote=promote,

+        fstore=fstore)

     if promote:

         # We need to point to the master when certmonger asks for

@@ -1479,7 +1483,8 @@ def install(installer):

         promote=promote,

         pkcs12_info=http_pkcs12_info,

         ca_is_configured=ca_enabled,

-        ca_file=cafile)

+        ca_file=cafile,

+        fstore=fstore)

     if promote:

         # Need to point back to ourself after the cert for HTTP is obtained

-- 

2.17.1