e0ab38
From 61f54afcde1df217fec01aa9ab38b0b9b704c501 Mon Sep 17 00:00:00 2001
e0ab38
From: Martin Babinsky <mbabinsk@redhat.com>
e0ab38
Date: Tue, 5 Jan 2016 13:00:24 +0100
e0ab38
Subject: [PATCH] prevent crash of CA-less server upgrade due to absent
e0ab38
 certmonger
e0ab38
e0ab38
ipa-server-upgrade tests whether certmonger service is running before
e0ab38
attempting to upgrade IPA master. This causes the upgrader to always fail when
e0ab38
there is no CA installer and certmonger is not needed, effectively preventing
e0ab38
a CA-less IPA master from upgrading successfully.
e0ab38
e0ab38
This test is now skipped if CA is not enabled.
e0ab38
e0ab38
https://fedorahosted.org/freeipa/ticket/5519
e0ab38
e0ab38
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
e0ab38
---
e0ab38
 ipaserver/install/server/upgrade.py | 29 +++++++++++++++++++++++++++--
e0ab38
 1 file changed, 27 insertions(+), 2 deletions(-)
e0ab38
e0ab38
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
e0ab38
index 945cb3ebd63767cb1d57083e1da7c5605ac5a2f9..616fba5c1a5b3737481aecbb09ab5344641a3b04 100644
e0ab38
--- a/ipaserver/install/server/upgrade.py
e0ab38
+++ b/ipaserver/install/server/upgrade.py
e0ab38
@@ -292,6 +292,24 @@ def setup_firefox_extension(fstore):
e0ab38
     http.setup_firefox_extension(realm, domain)
e0ab38
 
e0ab38
 
e0ab38
+def is_ca_enabled():
e0ab38
+    """
e0ab38
+    check whether there is an active CA master
e0ab38
+    :return: True if there is an active CA in topology, False otherwise
e0ab38
+    """
e0ab38
+    ldap2 = api.Backend.ldap2
e0ab38
+    was_connected = ldap2.isconnected()
e0ab38
+
e0ab38
+    if not was_connected:
e0ab38
+        ldap2.connect()
e0ab38
+
e0ab38
+    try:
e0ab38
+        return api.Command.ca_is_enabled()['result']
e0ab38
+    finally:
e0ab38
+        if not was_connected:
e0ab38
+            ldap2.disconnect()
e0ab38
+
e0ab38
+
e0ab38
 def ca_configure_profiles_acl(ca):
e0ab38
     root_logger.info('[Authorizing RA Agent to modify profiles]')
e0ab38
 
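Review bot: The docstring of `is_ca_enabled()` omits the helper's side effect and its failure mode, both of which callers depend on. It should state that the function opens the `ldap2` backend connection when none exists and closes it again afterwards, leaving an already-open connection untouched. It should also state that errors from `ldap2.connect()` or from the `ca_is_enabled` command propagate to the caller, for example with a line such as `:raises: any error from ldap2.connect() or the ca_is_enabled command`. This matters because the answer gates certificate-renewal setup, so a caller has to decide explicitly what to do when the CA state cannot be determined.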
e0ab38
@@ -1416,7 +1434,9 @@ def upgrade_configuration():
e0ab38
     http = httpinstance.HTTPInstance(fstore)
e0ab38
     http.configure_selinux_for_httpd()
e0ab38
     http.change_mod_nss_port_from_http()
e0ab38
-    http.configure_certmonger_renewal_guard()
e0ab38
+
e0ab38
+    if is_ca_enabled():
e0ab38
+        http.configure_certmonger_renewal_guard()
e0ab38
 
e0ab38
     ds.configure_dirsrv_ccache()
e0ab38
 
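Review bot: When `is_ca_enabled()` returns False, the certmonger renewal guard is skipped without any log entry, so a wrong answer leaves certificate renewal unguarded with no trace in the upgrade log. Adding `else: root_logger.info('CA is not enabled, skipping certmonger renewal guard configuration')` would make the decision auditable. The call is also unguarded here, unlike the one in `upgrade_check`, so an LDAP failure at this point would surface as a raw exception partway through the upgrade. `upgrade_configuration` starts and ends outside this hunk, so any handling further up is not visible.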
e0ab38
@@ -1562,7 +1582,12 @@ def upgrade_check(options):
e0ab38
         print unicode(e)
e0ab38
         sys.exit(1)
e0ab38
 
e0ab38
-    if not services.knownservices.certmonger.is_running():
e0ab38
+    try:
e0ab38
+        ca_is_enabled = is_ca_enabled()
e0ab38
+    except Exception as e:
e0ab38
+        raise RuntimeError("Cannot connect to LDAP server: {0}".format(e))
e0ab38
+
e0ab38
+    if not services.knownservices.certmonger.is_running() and ca_is_enabled:
e0ab38
         raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.')
e0ab38
 
e0ab38
     if not options.skip_version_check:
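Review bot: The `except Exception` around `is_ca_enabled()` reports every failure as "Cannot connect to LDAP server", including a failure of the `ca_is_enabled` command itself, and the original traceback is lost when the `RuntimeError` is raised. Aborting the upgrade when the CA state is unknown is the right fail-closed choice, but the message should describe what is actually known, e.g. `raise RuntimeError("Cannot determine whether CA is enabled: {0}".format(e))`. Logging the original exception before re-raising would keep the cause visible. The condition would also read better as `if ca_is_enabled and not services.knownservices.certmonger.is_running():`, which avoids querying certmonger on a CA-less master. The body of `upgrade_check` continues outside this hunk.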
e0ab38
-- 
e0ab38
2.4.3
e0ab38