9991ea
From c088cccb0b27e0defd5457f756a2d4c68e8eff55 Mon Sep 17 00:00:00 2001
9991ea
From: Martin Kosek <mkosek@redhat.com>
9991ea
Date: Tue, 11 Mar 2014 16:28:19 +0100
9991ea
Subject: [PATCH 56/58] ipa-replica-install never checks for 7389 port
9991ea
9991ea
When creating replica from a Dogtag 9 based IPA server, the port 7389
9991ea
which is required for the installation is never checked by
9991ea
ipa-replica-conncheck even though it knows that it is being installed
9991ea
from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by
9991ea
firewall, the installation would get stuck with no hint to the user.
9991ea
9991ea
Make sure that the port configuration parsed from replica info file
9991ea
is used consistently in the installers.
9991ea
9991ea
https://fedorahosted.org/freeipa/ticket/4240
9991ea
9991ea
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
9991ea
---
9991ea
 install/tools/ipa-ca-install      | 17 +++++------------
9991ea
 install/tools/ipa-replica-install | 18 ++++++------------
9991ea
 ipaserver/install/cainstance.py   | 12 +++++-------
9991ea
 ipaserver/install/installutils.py | 16 ++++++++++++++++
9991ea
 4 files changed, 32 insertions(+), 31 deletions(-)
9991ea
9991ea
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
9991ea
index 4edd26d337a50eebe686daae539c257f706e0158..bb3e595a3df47f00b3929f546db7b04dd7eda32a 100755
9991ea
--- a/install/tools/ipa-ca-install
9991ea
+++ b/install/tools/ipa-ca-install
9991ea
@@ -30,7 +30,7 @@ from ipaserver.install import installutils, service
9991ea
 from ipaserver.install import certs
9991ea
 from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
9991ea
         expand_replica_info, read_replica_info, get_host_name, BadHostError,
9991ea
-        private_ccache)
9991ea
+        private_ccache, read_replica_info_dogtag_port)
9991ea
 from ipaserver.install import dsinstance, cainstance, bindinstance
9991ea
 from ipaserver.install.replication import replica_conn_check
9991ea
 from ipapython import version
9991ea
@@ -159,31 +159,24 @@ def main():
9991ea
             sys.exit(0)
9991ea
     config.dir = dir
9991ea
     config.setup_ca = True
9991ea
+    config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
9991ea
 
9991ea
     if not ipautil.file_exists(config.dir + "/cacert.p12"):
9991ea
         print 'CA cannot be installed in CA-less setup.'
9991ea
         sys.exit(1)
9991ea
 
9991ea
-    portfile = config.dir + "/dogtag_directory_port.txt"
9991ea
-    if not ipautil.file_exists(portfile):
9991ea
-        dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
9991ea
-    else:
9991ea
-        with open(portfile) as fd:
9991ea
-            dogtag_master_ds_port = fd.read()
9991ea
-
9991ea
     if not options.skip_conncheck:
9991ea
         replica_conn_check(
9991ea
             config.master_host_name, config.host_name, config.realm_name, True,
9991ea
-            dogtag_master_ds_port, options.admin_password)
9991ea
+            config.ca_ds_port, options.admin_password)
9991ea
 
9991ea
     if options.skip_schema_check:
9991ea
         root_logger.info("Skipping CA DS schema check")
9991ea
     else:
9991ea
-        cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
9991ea
+        cainstance.replica_ca_install_check(config)
9991ea
 
9991ea
     # Configure the CA if necessary
9991ea
-    CA = cainstance.install_replica_ca(
9991ea
-        config, dogtag_master_ds_port, postinstall=True)
9991ea
+    CA = cainstance.install_replica_ca(config, postinstall=True)
9991ea
 
9991ea
     # We need to ldap_enable the CA now that DS is up and running
9991ea
     CA.ldap_enable('CA', config.host_name, config.dirman_password,
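Review bot: `replica_conn_check` now receives `config.ca_ds_port` as an int, whereas the removed code handed it a str (either `str(dogtag.Dogtag9Constants.DS_PORT)` or the raw file contents); whether the conncheck path accepts an int is not visible here, so confirm that `replica_conn_check`, and anything it forwards the port to, does not assume a string. The same type change reaches the ipa-replica-install call in hunk @@ -541,18 +542,11 @@ and the `master_replication_port=config.ca_ds_port` keyword in the cainstance.py hunk @@ -1676,7 +1674,7 @@. If a str is required there, normalising at the callee (`str(port)` where it is interpolated) keeps the int comparison against `DS_PORT` in cainstance.py working. main() continues outside this hunk.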
9991ea
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
9991ea
index 0e7aefef48d47fefa290607e0604c014d9469fdd..e039fd1e7cb213b3269d0a5d2305a96f68e36e29 100755
9991ea
--- a/install/tools/ipa-replica-install
9991ea
+++ b/install/tools/ipa-replica-install
9991ea
@@ -37,8 +37,8 @@ from ipaserver.install import memcacheinstance
9991ea
 from ipaserver.install import otpdinstance
9991ea
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
9991ea
 from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
9991ea
-                                            read_replica_info ,get_host_name,
9991ea
-                                            BadHostError, private_ccache)
9991ea
+        read_replica_info, get_host_name, BadHostError, private_ccache,
9991ea
+        read_replica_info_dogtag_port)
9991ea
 from ipaserver.plugins.ldap2 import ldap2
9991ea
 from ipaserver.install import cainstance
9991ea
 from ipalib import api, errors, util
9991ea
@@ -534,6 +534,7 @@ def main():
9991ea
             sys.exit(0)
9991ea
     config.dir = dir
9991ea
     config.setup_ca = options.setup_ca
9991ea
+    config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
9991ea
 
9991ea
     if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
9991ea
         print 'CA cannot be installed in CA-less setup.'
9991ea
@@ -541,18 +542,11 @@ def main():
9991ea
 
9991ea
     installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
9991ea
 
9991ea
-    portfile = config.dir + "/dogtag_directory_port.txt"
9991ea
-    if not ipautil.file_exists(portfile):
9991ea
-        dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
9991ea
-    else:
9991ea
-        with open(portfile) as fd:
9991ea
-            dogtag_master_ds_port = fd.read()
9991ea
-
9991ea
     # check connection
9991ea
     if not options.skip_conncheck:
9991ea
         replica_conn_check(
9991ea
             config.master_host_name, config.host_name, config.realm_name,
9991ea
-            options.setup_ca, dogtag_master_ds_port, options.admin_password)
9991ea
+            options.setup_ca, config.ca_ds_port, options.admin_password)
9991ea
 
9991ea
 
9991ea
     # check replica host IP resolution
9991ea
@@ -657,7 +651,7 @@ def main():
9991ea
     if options.skip_schema_check:
9991ea
         root_logger.info("Skipping CA DS schema check")
9991ea
     else:
9991ea
-        cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
9991ea
+        cainstance.replica_ca_install_check(config)
9991ea
 
9991ea
     # Configure ntpd
9991ea
     if options.conf_ntp:
9991ea
@@ -669,7 +663,7 @@ def main():
9991ea
     ds = install_replica_ds(config)
9991ea
 
9991ea
     # Configure the CA if necessary
9991ea
-    CA = cainstance.install_replica_ca(config, dogtag_master_ds_port)
9991ea
+    CA = cainstance.install_replica_ca(config)
9991ea
 
9991ea
     # Always try to install DNS records
9991ea
     install_dns_records(config, options)
9991ea
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
9991ea
index 52c91b68c2d073a9b1c6aedc1811aa26db046e6b..126bbae66e8a9ae8d9cc6e624745ab1cc37bf4c1 100644
9991ea
--- a/ipaserver/install/cainstance.py
9991ea
+++ b/ipaserver/install/cainstance.py
9991ea
@@ -1574,7 +1574,7 @@ def is_master(self):
9991ea
         return master == 'New'
9991ea
 
9991ea
 
9991ea
-def replica_ca_install_check(config, master_ds_port):
9991ea
+def replica_ca_install_check(config):
9991ea
     if not config.setup_ca:
9991ea
         return
9991ea
 
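Review bot: `replica_ca_install_check` now depends on `config.ca_ds_port` being set and being an int, but neither the signature nor a docstring says so, and a `ReplicaConfig` whose caller forgot to assign it fails with AttributeError only when the comparison in hunk @@ -1592,13 +1590,13 @@ is reached. Suggest a docstring on this function, e.g. `"""Check the master CA DS before installing a CA replica; requires config.ca_ds_port (int, as returned by read_replica_info_dogtag_port)."""`, and the same sentence added to the existing docstring of `install_replica_ca` in hunk @@ -1627,7 +1625,7 @@, which reads the attribute too. The function body continues outside this hunk.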
9991ea
@@ -1583,8 +1583,6 @@ def replica_ca_install_check(config, master_ds_port):
9991ea
         # Replica of old "self-signed" master - CA won't be installed
9991ea
         return
9991ea
 
9991ea
-    master_ds_port = int(master_ds_port)
9991ea
-
9991ea
     # Exit if we have an old-style (Dogtag 9) CA already installed
9991ea
     ca = CAInstance(config.realm_name, certs.NSS_DIR,
9991ea
         dogtag_constants=dogtag.Dogtag9Constants)
9991ea
@@ -1592,13 +1590,13 @@ def replica_ca_install_check(config, master_ds_port):
9991ea
         root_logger.info('Dogtag 9 style CA instance found')
9991ea
         sys.exit("A CA is already configured on this system.")
9991ea
 
9991ea
-    if master_ds_port != dogtag.Dogtag9Constants.DS_PORT:
9991ea
+    if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT:
9991ea
         root_logger.debug(
9991ea
             'Installing CA Replica from master with a merged database')
9991ea
         return
9991ea
 
9991ea
     # Check if the master has the necessary schema in its CA instance
9991ea
-    ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, master_ds_port)
9991ea
+    ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, config.ca_ds_port)
9991ea
     objectclass = 'ipaObject'
9991ea
     root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url)
9991ea
     try:
9991ea
@@ -1627,7 +1625,7 @@ def replica_ca_install_check(config, master_ds_port):
9991ea
         exit('IPA schema missing on master CA directory server')
9991ea
 
9991ea
 
9991ea
-def install_replica_ca(config, master_ds_port, postinstall=False):
9991ea
+def install_replica_ca(config, postinstall=False):
9991ea
     """
9991ea
     Install a CA on a replica.
9991ea
 
9991ea
@@ -1676,7 +1674,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
9991ea
                           config.dirman_password, config.dirman_password,
9991ea
                           pkcs12_info=(cafile,),
9991ea
                           master_host=config.master_host_name,
9991ea
-                          master_replication_port=master_ds_port,
9991ea
+                          master_replication_port=config.ca_ds_port,
9991ea
                           subject_base=config.subject_base)
9991ea
 
9991ea
     # Restart httpd since we changed it's config and added ipa-pki-proxy.conf
9991ea
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
9991ea
index 32671adc895b0cb2632729e8bdb44b5df02c1314..8be8cd3ffa86256c096ddc99227210f2daeb3185 100644
9991ea
--- a/ipaserver/install/installutils.py
9991ea
+++ b/ipaserver/install/installutils.py
9991ea
@@ -538,6 +538,22 @@ def read_replica_info(dir, rconfig):
9991ea
     except NoOptionError:
9991ea
         pass
9991ea
 
9991ea
+def read_replica_info_dogtag_port(config_dir):
9991ea
+    portfile = config_dir + "/dogtag_directory_port.txt"
9991ea
+    default_port = dogtag.Dogtag9Constants.DS_PORT
9991ea
+    if not ipautil.file_exists(portfile):
9991ea
+        dogtag_master_ds_port = default_port
9991ea
+    else:
9991ea
+        with open(portfile) as fd:
9991ea
+            try:
9991ea
+                dogtag_master_ds_port = int(fd.read())
9991ea
+            except (ValueError, IOError), e:
9991ea
+                root_logger.debug('Cannot parse dogtag DS port: %s', e)
9991ea
+                root_logger.debug('Default to %d', default_port)
9991ea
+                dogtag_master_ds_port = default_port
9991ea
+
9991ea
+    return dogtag_master_ds_port
9991ea
+
9991ea
 def check_server_configuration():
9991ea
     """
9991ea
     Check if IPA server is configured on the system.
9991ea
-- 
9991ea
1.8.5.3
9991ea