From 8cbeb62e6b4f492047719d7c6e0cfa69c15ceaa4 Mon Sep 17 00:00:00 2001
|
|
|
92a605 |
From: Matthew Harmsen <mharmsen@redhat.com>
|
|
|
92a605 |
Date: Fri, 8 Dec 2017 17:17:34 -0700
|
|
|
92a605 |
Subject: [PATCH 1/6] Fix nuxwdog to work on all platforms
|
|
|
92a605 |
|
|
|
92a605 |
- dogtagpki Pagure Issue #2874 - nuxwdog won't start on Fedora
|
|
|
92a605 |
|
|
|
92a605 |
Change-Id: I5ff65c75087aeb939cb58ee7cf888bbbacb57ad5
|
|
|
92a605 |
(cherry picked from commit 19f04606cb58f7dc6e2872e39f62d3dad427ae22)
|
|
|
92a605 |
---
|
|
|
92a605 |
base/server/sbin/pki-server-nuxwdog | 4 ++--
|
|
|
92a605 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
92a605 |
|
|
|
92a605 |
diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog
|
|
|
92a605 |
index ead925303..cb8993821 100755
|
|
|
92a605 |
--- a/base/server/sbin/pki-server-nuxwdog
|
|
|
92a605 |
+++ b/base/server/sbin/pki-server-nuxwdog
|
|
|
92a605 |
@@ -41,8 +41,8 @@ nux_fname="${CATALINA_BASE}/conf/nuxwdog.conf"
|
|
|
92a605 |
touch ${nux_fname}
|
|
|
92a605 |
chown pkiuser: ${nux_fname}
|
|
|
92a605 |
|
|
|
92a605 |
-echo "ExeFile ${JAVACMD}" > $nux_fname
|
|
|
92a605 |
-echo "ExeArgs ${JAVACMD} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname
|
|
|
92a605 |
+echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname
|
|
|
92a605 |
+echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname
|
|
|
92a605 |
echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname
|
|
|
92a605 |
echo "ChildSecurity 1" >> $nux_fname
|
|
|
92a605 |
echo "ExeOut ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname
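Review bot: `ExeFile ${JAVA_HOME}/bin/java` is written without checking that JAVA_HOME is set or that the binary exists, so an empty JAVA_HOME silently records `/bin/java` as the executable the watchdog will launch; guard it before the echo lines with `[ -x "${JAVA_HOME}/bin/java" ] || { echo "JAVA_HOME is unset or has no bin/java" >&2; exit 1; }`. The same lines expand `${nux_fname}` and `$nux_fname` unquoted in `touch`, `chown` and the redirections, which breaks on a CATALINA_BASE containing whitespace; quote them as `"$nux_fname"`. `JAVACMD_OPTS` on the ExeArgs line is presumably set earlier in the script (outside the hunk); a one-line comment naming where it comes from would help the next reader.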
|
|
|
92a605 |
--
|
|
|
92a605 |
2.14.3
|
|
|
92a605 |
|
|
|
92a605 |
|
|
|
92a605 |
From e688a788f6cb9fd6e488ea5475c50c21583b9c87 Mon Sep 17 00:00:00 2001
|
|
|
92a605 |
From: Ade Lee <alee@redhat.com>
|
|
|
92a605 |
Date: Tue, 2 Jan 2018 13:38:40 -0500
|
|
|
92a605 |
Subject: [PATCH 2/6] Modified systemd invocations in pkispawn to handle
|
|
|
92a605 |
nuxwdog
|
|
|
92a605 |
|
|
|
92a605 |
The systemd invocations in pkispawn/pkidestroy did not account for
|
|
|
92a605 |
nuxwdog enabled instances. This patch allows pkispawn/pkidestroy to
|
|
|
92a605 |
use the right service name if the nuxwdog service unit files exist.
|
|
|
92a605 |
|
|
|
92a605 |
Also modified instance_layout deployment script to delete the right
|
|
|
92a605 |
systemd link.
|
|
|
92a605 |
|
|
|
92a605 |
Change-Id: I25eac0555aad022784d7728913ae4a335eab3463
|
|
|
92a605 |
(cherry picked from commit c7c907c07599ef1d9b52638c25153f7bd82de999)
|
|
|
92a605 |
---
|
|
|
92a605 |
.../python/pki/server/deployment/pkihelper.py | 55 ++++++++++------------
|
|
|
92a605 |
.../deployment/scriptlets/instance_layout.py | 5 +-
|
|
|
92a605 |
2 files changed, 28 insertions(+), 32 deletions(-)
|
|
|
92a605 |
|
|
|
92a605 |
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
index 9bb0dfc0e..2cc36f4a2 100644
|
|
|
92a605 |
--- a/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
+++ b/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
@@ -3495,17 +3495,28 @@ class Systemd(object):
|
|
|
92a605 |
|
|
|
92a605 |
Args:
|
|
|
92a605 |
deployer (dictionary): PKI Deployment name/value parameters
|
|
|
92a605 |
-
|
|
|
92a605 |
- Attributes:
|
|
|
92a605 |
-
|
|
|
92a605 |
- Returns:
|
|
|
92a605 |
-
|
|
|
92a605 |
- Raises:
|
|
|
92a605 |
-
|
|
|
92a605 |
- Examples:
|
|
|
92a605 |
-
|
|
|
92a605 |
"""
|
|
|
92a605 |
self.mdict = deployer.mdict
|
|
|
92a605 |
+ instance_name = deployer.mdict['pki_instance_name']
|
|
|
92a605 |
+
|
|
|
92a605 |
+ unit_file = 'pki-tomcatd@%s.service' % instance_name
|
|
|
92a605 |
+ systemd_link = os.path.join(
|
|
|
92a605 |
+ '/etc/systemd/system/pki-tomcatd.target.wants',
|
|
|
92a605 |
+ unit_file)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ nuxwdog_unit_file = 'pki-tomcatd-nuxwdog@%s.service' % instance_name
|
|
|
92a605 |
+ nuxwdog_systemd_link = os.path.join(
|
|
|
92a605 |
+ '/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants',
|
|
|
92a605 |
+ nuxwdog_unit_file)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ if os.path.exists(nuxwdog_systemd_link):
|
|
|
92a605 |
+ self.is_nuxwdog_enabled = True
|
|
|
92a605 |
+ self.service_name = nuxwdog_unit_file
|
|
|
92a605 |
+ self.systemd_link = nuxwdog_systemd_link
|
|
|
92a605 |
+ else:
|
|
|
92a605 |
+ self.is_nuxwdog_enabled = False
|
|
|
92a605 |
+ self.service_name = unit_file
|
|
|
92a605 |
+ self.systemd_link = systemd_link
|
|
|
92a605 |
|
|
|
92a605 |
def daemon_reload(self, critical_failure=True):
|
|
|
92a605 |
"""PKI Deployment execution management lifecycle function.
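Review bot: The nuxwdog detection on the `if os.path.exists(nuxwdog_systemd_link):` line follows the symlink, so a dangling nuxwdog wants-link makes the instance look like a plain pki-tomcatd instance and the stale link is never cleaned up; `os.path.lexists(nuxwdog_systemd_link)` tests for the link itself. The docstring in this hunk still lists only `deployer` under Args while the body now sets three attributes — add an Attributes section: `is_nuxwdog_enabled (bool): True if the nuxwdog wants-link exists`, `service_name (str): unit name passed to systemctl`, `systemd_link (str): path of the target.wants symlink`. Since instance_layout.py deletes whichever link `systemd_link` names, a note that its value is fixed by the filesystem state at deployer init time would record an assumption the destroy path depends on.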
|
|
|
92a605 |
@@ -3579,7 +3590,7 @@ class Systemd(object):
|
|
|
92a605 |
command = ["rm", "/etc/rc3.d/*" +
|
|
|
92a605 |
self.mdict['pki_instance_name']]
|
|
|
92a605 |
else:
|
|
|
92a605 |
- command = ["systemctl", "disable", "pki-tomcatd.target"]
|
|
|
92a605 |
+ command = ["systemctl", "disable", self.service_name]
|
|
|
92a605 |
|
|
|
92a605 |
# Display this "systemd" execution managment command
|
|
|
92a605 |
config.pki_log.info(
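Review bot: `command = ["systemctl", "disable", self.service_name]` now disables the per-instance unit rather than `pki-tomcatd.target`, and the enable hunk at @@ -3629 makes the matching change; both only have an effect if the template units carry an [Install] section, which is not visible on this page, so confirm it — otherwise systemctl prints a warning and changes nothing. The instance_layout scriptlet still creates the wants-link itself (`deployer.symlink.create(... 'pki_instance_systemd_link' ...)` in patch 4 on this page) and deletes it via `deployer.systemd.systemd_link`, so after this change the enable/disable calls and the manual link manage the same relationship from two places; a comment on the `command = [...]` line saying which one is authoritative would stop them drifting.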
|
|
|
92a605 |
@@ -3629,7 +3640,7 @@ class Systemd(object):
|
|
|
92a605 |
command = ["ln", "-s", "/etc/init.d/pki-tomcatd",
|
|
|
92a605 |
"/etc/rc3.d/S89" + self.mdict['pki_instance_name']]
|
|
|
92a605 |
else:
|
|
|
92a605 |
- command = ["systemctl", "enable", "pki-tomcatd.target"]
|
|
|
92a605 |
+ command = ["systemctl", "enable", self.service_name]
|
|
|
92a605 |
|
|
|
92a605 |
# Display this "systemd" execution managment command
|
|
|
92a605 |
config.pki_log.info(
|
|
|
92a605 |
@@ -3673,20 +3684,15 @@ class Systemd(object):
|
|
|
92a605 |
|
|
|
92a605 |
"""
|
|
|
92a605 |
try:
|
|
|
92a605 |
- service = None
|
|
|
92a605 |
# Execute the "systemd daemon-reload" management lifecycle command
|
|
|
92a605 |
if reload_daemon:
|
|
|
92a605 |
self.daemon_reload(critical_failure)
|
|
|
92a605 |
- # Compose this "systemd" execution management command
|
|
|
92a605 |
- service = "pki-tomcatd" + "@" +\
|
|
|
92a605 |
- self.mdict['pki_instance_name'] + "." +\
|
|
|
92a605 |
- "service"
|
|
|
92a605 |
|
|
|
92a605 |
if pki.system.SYSTEM_TYPE == "debian":
|
|
|
92a605 |
command = ["/etc/init.d/pki-tomcatd", "start",
|
|
|
92a605 |
self.mdict['pki_instance_name']]
|
|
|
92a605 |
else:
|
|
|
92a605 |
- command = ["systemctl", "start", service]
|
|
|
92a605 |
+ command = ["systemctl", "start", self.service_name]
|
|
|
92a605 |
|
|
|
92a605 |
# Display this "systemd" execution managment command
|
|
|
92a605 |
config.pki_log.info(
|
|
|
92a605 |
@@ -3726,17 +3732,11 @@ class Systemd(object):
|
|
|
92a605 |
|
|
|
92a605 |
"""
|
|
|
92a605 |
try:
|
|
|
92a605 |
- service = None
|
|
|
92a605 |
- # Compose this "systemd" execution management command
|
|
|
92a605 |
- service = "pki-tomcatd" + "@" +\
|
|
|
92a605 |
- self.mdict['pki_instance_name'] + "." +\
|
|
|
92a605 |
- "service"
|
|
|
92a605 |
-
|
|
|
92a605 |
if pki.system.SYSTEM_TYPE == "debian":
|
|
|
92a605 |
command = ["/etc/init.d/pki-tomcatd", "stop",
|
|
|
92a605 |
self.mdict['pki_instance_name']]
|
|
|
92a605 |
else:
|
|
|
92a605 |
- command = ["systemctl", "stop", service]
|
|
|
92a605 |
+ command = ["systemctl", "stop", self.service_name]
|
|
|
92a605 |
|
|
|
92a605 |
# Display this "systemd" execution managment command
|
|
|
92a605 |
config.pki_log.info(
|
|
|
92a605 |
@@ -3777,21 +3777,16 @@ class Systemd(object):
|
|
|
92a605 |
|
|
|
92a605 |
"""
|
|
|
92a605 |
try:
|
|
|
92a605 |
- service = None
|
|
|
92a605 |
# Compose this "systemd" execution management command
|
|
|
92a605 |
# Execute the "systemd daemon-reload" management lifecycle command
|
|
|
92a605 |
if reload_daemon:
|
|
|
92a605 |
self.daemon_reload(critical_failure)
|
|
|
92a605 |
|
|
|
92a605 |
- service = "pki-tomcatd" + "@" +\
|
|
|
92a605 |
- self.mdict['pki_instance_name'] + "." +\
|
|
|
92a605 |
- "service"
|
|
|
92a605 |
-
|
|
|
92a605 |
if pki.system.SYSTEM_TYPE == "debian":
|
|
|
92a605 |
command = ["/etc/init.d/pki-tomcatd", "restart",
|
|
|
92a605 |
self.mdict['pki_instance_name']]
|
|
|
92a605 |
else:
|
|
|
92a605 |
- command = ["systemctl", "restart", service]
|
|
|
92a605 |
+ command = ["systemctl", "restart", self.service_name]
|
|
|
92a605 |
|
|
|
92a605 |
# Display this "systemd" execution managment command
|
|
|
92a605 |
config.pki_log.info(
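Review bot: The `# Compose this "systemd" execution management command` comment kept at the top of this hunk no longer describes anything — the service-name composition it introduced was removed and it now sits directly above the daemon-reload comment; drop it, as the start and stop hunks (@@ -3673, @@ -3726) already did. The `try:` that opens this hunk is closed outside it, so only the head of the restart method is visible here.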
|
|
|
92a605 |
diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
|
|
|
92a605 |
index a9a2840c7..b225d653b 100644
|
|
|
92a605 |
--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
|
|
|
92a605 |
+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
|
|
|
92a605 |
@@ -58,7 +58,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
92a605 |
# Link /etc/pki/<instance>/logging.properties
|
|
|
92a605 |
# to /usr/share/pki/server/conf/logging.properties.
|
|
|
92a605 |
deployer.symlink.create(
|
|
|
92a605 |
- os.path.join(deployer.mdict['pki_source_server_path'], "logging.properties"),
|
|
|
92a605 |
+ os.path.join(deployer.mdict['pki_source_server_path'],
|
|
|
92a605 |
+ "logging.properties"),
|
|
|
92a605 |
os.path.join(deployer.mdict['pki_instance_configuration_path'],
|
|
|
92a605 |
"logging.properties"))
|
|
|
92a605 |
|
|
|
92a605 |
@@ -173,7 +174,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
92a605 |
if len(deployer.instance.tomcat_instance_subsystems()) == 0:
|
|
|
92a605 |
|
|
|
92a605 |
# remove Tomcat instance systemd service link
|
|
|
92a605 |
- deployer.symlink.delete(deployer.mdict['pki_systemd_service_link'])
|
|
|
92a605 |
+ deployer.symlink.delete(deployer.systemd.systemd_link)
|
|
|
92a605 |
|
|
|
92a605 |
# remove Tomcat instance base
|
|
|
92a605 |
deployer.directory.delete(deployer.mdict['pki_instance_path'])
|
|
|
92a605 |
--
|
|
|
92a605 |
2.14.3
|
|
|
92a605 |
|
|
|
92a605 |
|
|
|
92a605 |
From 98851261dd164bc586c78d0b96df712918c336e8 Mon Sep 17 00:00:00 2001
|
|
|
92a605 |
From: Ade Lee <alee@redhat.com>
|
|
|
92a605 |
Date: Tue, 2 Jan 2018 14:52:32 -0500
|
|
|
92a605 |
Subject: [PATCH 3/6] Allow prompting for token passwords if not present
|
|
|
92a605 |
|
|
|
92a605 |
Change-Id: Ifa2e60424d713ebe15bf9aa92f1d5b7691b7e0ff
|
|
|
92a605 |
(cherry picked from commit 6716b82ecc38b23de81c8f0fe18863e1df4bfddb)
|
|
|
92a605 |
---
|
|
|
92a605 |
.../python/pki/server/deployment/__init__.py | 4 +++-
|
|
|
92a605 |
.../python/pki/server/deployment/pkihelper.py | 27 ++++++++--------------
|
|
|
92a605 |
base/server/sbin/pkidestroy | 2 +-
|
|
|
92a605 |
base/server/sbin/pkispawn | 2 +-
|
|
|
92a605 |
4 files changed, 15 insertions(+), 20 deletions(-)
|
|
|
92a605 |
|
|
|
92a605 |
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
|
|
|
92a605 |
index 709fe7014..f9b05dd42 100644
|
|
|
92a605 |
--- a/base/server/python/pki/server/deployment/__init__.py
|
|
|
92a605 |
+++ b/base/server/python/pki/server/deployment/__init__.py
|
|
|
92a605 |
@@ -66,6 +66,7 @@ class PKIDeployer:
|
|
|
92a605 |
self.systemd = None
|
|
|
92a605 |
self.tps_connector = None
|
|
|
92a605 |
self.config_client = None
|
|
|
92a605 |
+ self.parser = None
|
|
|
92a605 |
|
|
|
92a605 |
# Set installation time
|
|
|
92a605 |
ticks = time.time()
|
|
|
92a605 |
@@ -88,7 +89,7 @@ class PKIDeployer:
|
|
|
92a605 |
if not len(self.dns_domainname):
|
|
|
92a605 |
self.dns_domainname = self.hostname
|
|
|
92a605 |
|
|
|
92a605 |
- def init(self):
|
|
|
92a605 |
+ def init(self, parser):
|
|
|
92a605 |
|
|
|
92a605 |
# Utility objects
|
|
|
92a605 |
self.identity = util.Identity(self)
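Review bot: `def init(self, parser)` adds a required positional parameter, so any caller other than pkispawn and pkidestroy (both updated in this series) now fails with a TypeError; `def init(self, parser=None):` keeps them working and lets `Password.get_password`, which prompts through `self.deployer.parser`, test for None before prompting. The method has no docstring; `"""Create the helper objects used by this deployer; parser provides the interactive password prompt."""` would record why a parser is passed in. The body of `init` continues past the end of this hunk.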
|
|
|
92a605 |
@@ -111,6 +112,7 @@ class PKIDeployer:
|
|
|
92a605 |
self.systemd = util.Systemd(self)
|
|
|
92a605 |
self.tps_connector = util.TPSConnector(self)
|
|
|
92a605 |
self.config_client = util.ConfigClient(self)
|
|
|
92a605 |
+ self.parser = parser
|
|
|
92a605 |
|
|
|
92a605 |
def flatten_master_dict(self):
|
|
|
92a605 |
|
|
|
92a605 |
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
index 2cc36f4a2..8049e61fc 100644
|
|
|
92a605 |
--- a/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
+++ b/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
@@ -2057,6 +2057,7 @@ class Password:
|
|
|
92a605 |
|
|
|
92a605 |
def __init__(self, deployer):
|
|
|
92a605 |
self.mdict = deployer.mdict
|
|
|
92a605 |
+ self.deployer = deployer
|
|
|
92a605 |
|
|
|
92a605 |
def create_password_conf(self, path, pin, pin_sans_token=False,
|
|
|
92a605 |
overwrite_flag=False, critical_failure=True):
|
|
|
92a605 |
@@ -2146,7 +2147,7 @@ class Password:
|
|
|
92a605 |
raise
|
|
|
92a605 |
return
|
|
|
92a605 |
|
|
|
92a605 |
- def get_password(self, path, token_name, critical_failure=True):
|
|
|
92a605 |
+ def get_password(self, path, token_name):
|
|
|
92a605 |
token_pwd = None
|
|
|
92a605 |
if os.path.exists(path) and os.path.isfile(path) and\
|
|
|
92a605 |
os.access(path, os.R_OK):
|
|
|
92a605 |
@@ -2159,16 +2160,11 @@ class Password:
|
|
|
92a605 |
token_pwd = tokens[token_name]
|
|
|
92a605 |
|
|
|
92a605 |
if token_pwd is None or token_pwd == '':
|
|
|
92a605 |
- # TODO prompt for this password
|
|
|
92a605 |
- config.pki_log.error(log.PKIHELPER_PASSWORD_NOT_FOUND_1,
|
|
|
92a605 |
- token_name,
|
|
|
92a605 |
- extra=config.PKI_INDENTATION_LEVEL_2)
|
|
|
92a605 |
- if critical_failure:
|
|
|
92a605 |
- raise Exception(
|
|
|
92a605 |
- log.PKIHELPER_PASSWORD_NOT_FOUND_1 %
|
|
|
92a605 |
- token_name)
|
|
|
92a605 |
- else:
|
|
|
92a605 |
- return
|
|
|
92a605 |
+ self.deployer.parser.read_password(
|
|
|
92a605 |
+ 'Password for token {}'.format(token_name),
|
|
|
92a605 |
+ self.deployer.subsystem_name,
|
|
|
92a605 |
+ 'token_pwd')
|
|
|
92a605 |
+ token_pwd = self.mdict['token_pwd']
|
|
|
92a605 |
return token_pwd
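Review bot: The prompt on the `self.deployer.parser.read_password(...)` lines assumes `self.deployer.parser` was supplied through `init(parser)` and that a terminal is attached; `parser` starts as None in `PKIDeployer.__init__` (see the __init__.py hunk above), so a deployer built without it now fails with AttributeError where the old code raised `PKIHELPER_PASSWORD_NOT_FOUND_1`, and an unattended run blocks on the prompt. Keep the old error as the non-interactive fallback, `if self.deployer.parser is None: raise Exception(log.PKIHELPER_PASSWORD_NOT_FOUND_1 % token_name)`, placed before the prompt. The entered password is then read back from `self.mdict['token_pwd']`, i.e. it is cached in the deployment parameter dictionary; if that dictionary is ever persisted or logged (not visible on this page) the token password goes with it, so either return the value without caching it or add `# token_pwd is a secret: must never reach the saved deployment config or logs` on that line. Dropping `critical_failure` from the signature in the @@ -2146 hunk breaks any caller outside the three updated here; accepting it as an ignored keyword, `critical_failure=True`, would stay compatible.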
|
|
|
92a605 |
|
|
|
92a605 |
|
|
|
92a605 |
@@ -2998,8 +2994,7 @@ class KRAConnector:
|
|
|
92a605 |
|
|
|
92a605 |
token_pwd = self.password.get_password(
|
|
|
92a605 |
self.mdict['pki_shared_password_conf'],
|
|
|
92a605 |
- token_name,
|
|
|
92a605 |
- critical_failure)
|
|
|
92a605 |
+ token_name)
|
|
|
92a605 |
|
|
|
92a605 |
if token_pwd is None or token_pwd == '':
|
|
|
92a605 |
config.pki_log.warning(
|
|
|
92a605 |
@@ -3203,8 +3198,7 @@ class TPSConnector:
|
|
|
92a605 |
|
|
|
92a605 |
token_pwd = self.password.get_password(
|
|
|
92a605 |
self.mdict['pki_shared_password_conf'],
|
|
|
92a605 |
- token_name,
|
|
|
92a605 |
- critical_failure)
|
|
|
92a605 |
+ token_name)
|
|
|
92a605 |
|
|
|
92a605 |
if token_pwd is None or token_pwd == '':
|
|
|
92a605 |
config.pki_log.warning(
|
|
|
92a605 |
@@ -3441,8 +3435,7 @@ class SecurityDomain:
|
|
|
92a605 |
|
|
|
92a605 |
token_pwd = self.password.get_password(
|
|
|
92a605 |
self.mdict['pki_shared_password_conf'],
|
|
|
92a605 |
- token_name,
|
|
|
92a605 |
- critical_failure)
|
|
|
92a605 |
+ token_name)
|
|
|
92a605 |
|
|
|
92a605 |
if token_pwd is None or token_pwd == '':
|
|
|
92a605 |
config.pki_log.warning(
|
|
|
92a605 |
diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy
|
|
|
92a605 |
index 4a0c6a0b8..58d49698a 100755
|
|
|
92a605 |
--- a/base/server/sbin/pkidestroy
|
|
|
92a605 |
+++ b/base/server/sbin/pkidestroy
|
|
|
92a605 |
@@ -227,7 +227,7 @@ def main(argv):
|
|
|
92a605 |
|
|
|
92a605 |
# Process the various "scriptlets" to remove the specified PKI subsystem.
|
|
|
92a605 |
pki_subsystem_scriptlets = parser.mdict['destroy_scriplets'].split()
|
|
|
92a605 |
- deployer.init()
|
|
|
92a605 |
+ deployer.init(parser)
|
|
|
92a605 |
|
|
|
92a605 |
try:
|
|
|
92a605 |
for scriptlet_name in pki_subsystem_scriptlets:
|
|
|
92a605 |
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
|
|
|
92a605 |
index 1aa7079e8..6d387b2d8 100755
|
|
|
92a605 |
--- a/base/server/sbin/pkispawn
|
|
|
92a605 |
+++ b/base/server/sbin/pkispawn
|
|
|
92a605 |
@@ -519,7 +519,7 @@ def main(argv):
|
|
|
92a605 |
|
|
|
92a605 |
# Process the various "scriptlets" to create the specified PKI subsystem.
|
|
|
92a605 |
pki_subsystem_scriptlets = parser.mdict['spawn_scriplets'].split()
|
|
|
92a605 |
- deployer.init()
|
|
|
92a605 |
+ deployer.init(parser)
|
|
|
92a605 |
|
|
|
92a605 |
try:
|
|
|
92a605 |
for scriptlet_name in pki_subsystem_scriptlets:
|
|
|
92a605 |
--
|
|
|
92a605 |
2.14.3
|
|
|
92a605 |
|
|
|
92a605 |
|
|
|
92a605 |
From 25439301773d2bf80a7eb871c8e1161bdbdb0315 Mon Sep 17 00:00:00 2001
|
|
|
92a605 |
From: Ade Lee <alee@redhat.com>
|
|
|
92a605 |
Date: Wed, 17 Jan 2018 18:31:19 -0500
|
|
|
92a605 |
Subject: [PATCH 4/6] Allow instances to be created with custom users
|
|
|
92a605 |
|
|
|
92a605 |
Some folks want to run instances under a different user and
|
|
|
92a605 |
group (i.e. not pkiuser). They may even want a different user for
|
|
|
92a605 |
each instance. The way to do this in systemd is to create systemd
|
|
|
92a605 |
override files for the specific instance.
|
|
|
92a605 |
|
|
|
92a605 |
The deployment scriptlets have been updated to create (and delete)
|
|
|
92a605 |
these override files.
|
|
|
92a605 |
|
|
|
92a605 |
Change-Id: Icb0b6d15c6c8542dbbd565987d5fb3f1bddf6037
|
|
|
92a605 |
(cherry picked from commit afe0a2525cace41a1bef2ff7fe0f8f53aa5990e5)
|
|
|
92a605 |
---
|
|
|
92a605 |
.../python/pki/server/deployment/pkihelper.py | 55 ++++++++++++++++++++++
|
|
|
92a605 |
.../deployment/scriptlets/instance_layout.py | 18 +++++++
|
|
|
92a605 |
2 files changed, 73 insertions(+)
|
|
|
92a605 |
|
|
|
92a605 |
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
index 8049e61fc..2b18f003c 100644
|
|
|
92a605 |
--- a/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
+++ b/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
@@ -21,6 +21,12 @@
|
|
|
92a605 |
# System Imports
|
|
|
92a605 |
from __future__ import absolute_import
|
|
|
92a605 |
from __future__ import print_function
|
|
|
92a605 |
+
|
|
|
92a605 |
+try:
|
|
|
92a605 |
+ import configparser
|
|
|
92a605 |
+except ImportError:
|
|
|
92a605 |
+ import ConfigParser as configparser
|
|
|
92a605 |
+
|
|
|
92a605 |
import errno
|
|
|
92a605 |
import sys
|
|
|
92a605 |
import os
|
|
|
92a605 |
@@ -3490,26 +3496,75 @@ class Systemd(object):
|
|
|
92a605 |
deployer (dictionary): PKI Deployment name/value parameters
|
|
|
92a605 |
"""
|
|
|
92a605 |
self.mdict = deployer.mdict
|
|
|
92a605 |
+ self.deployer = deployer
|
|
|
92a605 |
instance_name = deployer.mdict['pki_instance_name']
|
|
|
92a605 |
|
|
|
92a605 |
unit_file = 'pki-tomcatd@%s.service' % instance_name
|
|
|
92a605 |
systemd_link = os.path.join(
|
|
|
92a605 |
'/etc/systemd/system/pki-tomcatd.target.wants',
|
|
|
92a605 |
unit_file)
|
|
|
92a605 |
+ override_dir = '/etc/systemd/system/pki-tomcatd@{}.service.d'.format(
|
|
|
92a605 |
+ instance_name)
|
|
|
92a605 |
+ self.base_override_dir = override_dir
|
|
|
92a605 |
|
|
|
92a605 |
nuxwdog_unit_file = 'pki-tomcatd-nuxwdog@%s.service' % instance_name
|
|
|
92a605 |
nuxwdog_systemd_link = os.path.join(
|
|
|
92a605 |
'/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants',
|
|
|
92a605 |
nuxwdog_unit_file)
|
|
|
92a605 |
+ nuxwdog_override_dir = (
|
|
|
92a605 |
+ '/etc/systemd/system/pki-tomcatd-nuxwdog@{}.service.d'.format(
|
|
|
92a605 |
+ instance_name))
|
|
|
92a605 |
+ self.nuxwdog_override_dir = nuxwdog_override_dir
|
|
|
92a605 |
+
|
|
|
92a605 |
+ # self.overrides will be a hash of ConfigParsers indexed by filename
|
|
|
92a605 |
+ # once the overrides have been constructed, the caller should call
|
|
|
92a605 |
+ # write_overrides()
|
|
|
92a605 |
+ self.overrides = {}
|
|
|
92a605 |
|
|
|
92a605 |
if os.path.exists(nuxwdog_systemd_link):
|
|
|
92a605 |
self.is_nuxwdog_enabled = True
|
|
|
92a605 |
self.service_name = nuxwdog_unit_file
|
|
|
92a605 |
self.systemd_link = nuxwdog_systemd_link
|
|
|
92a605 |
+ self.override_dir = nuxwdog_override_dir
|
|
|
92a605 |
else:
|
|
|
92a605 |
self.is_nuxwdog_enabled = False
|
|
|
92a605 |
self.service_name = unit_file
|
|
|
92a605 |
self.systemd_link = systemd_link
|
|
|
92a605 |
+ self.override_dir = override_dir
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def create_override_directory(self):
|
|
|
92a605 |
+ self.deployer.directory.create(self.override_dir, uid=0, gid=0)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def create_override_file(self, fname):
|
|
|
92a605 |
+ self.create_override_directory()
|
|
|
92a605 |
+ self.deployer.file.create(
|
|
|
92a605 |
+ os.path.join(self.override_dir, fname),
|
|
|
92a605 |
+ uid=0, gid=0
|
|
|
92a605 |
+ )
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def set_override(self, section, param, value, fname='local.conf'):
|
|
|
92a605 |
+ if fname not in self.overrides:
|
|
|
92a605 |
+ parser = configparser.ConfigParser()
|
|
|
92a605 |
+ parser.optionxform = str
|
|
|
92a605 |
+ override_file = os.path.join(self.override_dir, fname)
|
|
|
92a605 |
+ if os.path.exists(override_file):
|
|
|
92a605 |
+ parser.read(override_file)
|
|
|
92a605 |
+ self.overrides[fname] = parser
|
|
|
92a605 |
+ else:
|
|
|
92a605 |
+ parser = self.overrides[fname]
|
|
|
92a605 |
+
|
|
|
92a605 |
+ if not parser.has_section(section):
|
|
|
92a605 |
+ parser.add_section(section)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ parser[section][param] = value
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def write_overrides(self):
|
|
|
92a605 |
+ for fname, parser in self.overrides.items():
|
|
|
92a605 |
+ override_file = os.path.join(self.override_dir, fname)
|
|
|
92a605 |
+ if not os.path.exists(override_file):
|
|
|
92a605 |
+ self.create_override_file(override_file)
|
|
|
92a605 |
+ with open(override_file, 'w') as fp:
|
|
|
92a605 |
+ parser.write(fp, space_around_delimiters=False)
|
|
|
92a605 |
|
|
|
92a605 |
def daemon_reload(self, critical_failure=True):
|
|
|
92a605 |
"""PKI Deployment execution management lifecycle function.
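Review bot: `write_overrides` calls `self.create_override_file(override_file)` with the already-joined absolute path, but `create_override_file(fname)` joins its argument onto `self.override_dir` again; this only works because `os.path.join` discards the left part when the right side is absolute, so pass the bare name instead: `self.create_override_file(fname)`. The four new methods carry no docstrings; `set_override` should state that values are buffered in `self.overrides` until `write_overrides` is called, and the `parser.optionxform = str` line deserves `# keep key case: systemd option names such as User= are case-sensitive`, since the default transform would lowercase them. These override files decide which account the service runs as, so creating the directory and file with `uid=0, gid=0` matters; the later `open(override_file, 'w')` rewrites an existing file in place without touching ownership or mode, which is only safe if `deployer.file.create` is the sole creator of these files — a comment on `write_overrides` would record that assumption. `set_override` also ignores the return value of `parser.read(override_file)`, which silently skips an unreadable file and would then overwrite it with only the new keys; check the returned list and raise if the existing file could not be read.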
|
|
|
92a605 |
diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
|
|
|
92a605 |
index b225d653b..bb9919f34 100644
|
|
|
92a605 |
--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
|
|
|
92a605 |
+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
|
|
|
92a605 |
@@ -144,10 +144,21 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
92a605 |
deployer.symlink.create(
|
|
|
92a605 |
deployer.mdict['pki_tomcat_bin_path'],
|
|
|
92a605 |
deployer.mdict['pki_tomcat_bin_link'])
|
|
|
92a605 |
+
|
|
|
92a605 |
+ # create systemd links
|
|
|
92a605 |
deployer.symlink.create(
|
|
|
92a605 |
deployer.mdict['pki_tomcat_systemd'],
|
|
|
92a605 |
deployer.mdict['pki_instance_systemd_link'],
|
|
|
92a605 |
uid=0, gid=0)
|
|
|
92a605 |
+ user = deployer.mdict['pki_user']
|
|
|
92a605 |
+ group = deployer.mdict['pki_group']
|
|
|
92a605 |
+ if user != 'pkiuser' or group != 'pkiuser':
|
|
|
92a605 |
+ deployer.systemd.set_override(
|
|
|
92a605 |
+ 'Service', 'User', user, 'user.conf')
|
|
|
92a605 |
+ deployer.systemd.set_override(
|
|
|
92a605 |
+ 'Service', 'Group', group, 'user.conf')
|
|
|
92a605 |
+ deployer.systemd.write_overrides()
|
|
|
92a605 |
+ deployer.systemd.daemon_reload()
|
|
|
92a605 |
|
|
|
92a605 |
# establish shared NSS security databases for this instance
|
|
|
92a605 |
deployer.directory.create(deployer.mdict['pki_database_path'])
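Review bot: The override is only written when `user != 'pkiuser' or group != 'pkiuser'`, so a re-deployment that switches an instance back to the default user leaves a previous `user.conf` in place (the override directories are apparently removed only in the destroy hunk below, when no subsystems remain); clearing the stale override when the defaults are in use, or always writing the file, would make the resulting state reproducible. The wants-link is created here from `deployer.mdict['pki_instance_systemd_link']` but removed in the destroy path via `deployer.systemd.systemd_link`, which `Systemd.__init__` picks by whether the nuxwdog link exists at init time; if those two paths ever differ the link created here is never deleted, so either use `deployer.systemd.systemd_link` on both sides or add a comment stating that the two must agree.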
|
|
|
92a605 |
@@ -176,6 +187,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
92a605 |
# remove Tomcat instance systemd service link
|
|
|
92a605 |
deployer.symlink.delete(deployer.systemd.systemd_link)
|
|
|
92a605 |
|
|
|
92a605 |
+ # delete systemd override directories
|
|
|
92a605 |
+ if deployer.directory.exists(deployer.systemd.base_override_dir):
|
|
|
92a605 |
+ deployer.directory.delete(deployer.systemd.base_override_dir)
|
|
|
92a605 |
+ if deployer.directory.exists(deployer.systemd.nuxwdog_override_dir):
|
|
|
92a605 |
+ deployer.directory.delete(deployer.systemd.nuxwdog_override_dir)
|
|
|
92a605 |
+ deployer.systemd.daemon_reload()
|
|
|
92a605 |
+
|
|
|
92a605 |
# remove Tomcat instance base
|
|
|
92a605 |
deployer.directory.delete(deployer.mdict['pki_instance_path'])
|
|
|
92a605 |
# remove Tomcat instance logs
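Review bot: `deployer.systemd.daemon_reload()` in this teardown block runs with its default `critical_failure=True`, so a failed daemon-reload raises and skips the instance base and log removal that follow it; on the destroy side `deployer.systemd.daemon_reload(critical_failure=False)` (the parameter is visible on `daemon_reload` in the pkihelper hunk above) keeps the cleanup going. The two `exists`/`delete` pairs could be one loop over `(deployer.systemd.base_override_dir, deployer.systemd.nuxwdog_override_dir)`, with a comment saying both directories are removed regardless of which mode the instance ran in, because the user override may have been written under either.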
|
|
|
92a605 |
--
|
|
|
92a605 |
2.14.3
|
|
|
92a605 |
|
|
|
92a605 |
|
|
|
92a605 |
From dc0af568a913d06ced134e6685b5dec1bafb5153 Mon Sep 17 00:00:00 2001
|
|
|
92a605 |
From: Ade Lee <alee@redhat.com>
|
|
|
92a605 |
Date: Tue, 16 Jan 2018 15:10:15 -0500
|
|
|
92a605 |
Subject: [PATCH 5/6] Make sure tomcat is running as pki user with nuxwdog
|
|
|
92a605 |
|
|
|
92a605 |
The nuxwdog process needs to run as a privileged user to be able
|
|
|
92a605 |
to retrieve the passwords from the systemd tty agent in systemctl.
|
|
|
92a605 |
Therefore, the nuxwdog unit file should NOT specify the PKI user
|
|
|
92a605 |
there.
|
|
|
92a605 |
|
|
|
92a605 |
However, we have added an option to nuxwdog to specify the user
|
|
|
92a605 |
in the nuxwdog config file, so that the process that nuxwdog spawns
|
|
|
92a605 |
(i.e. tomcat) will run as the specified user.
|
|
|
92a605 |
|
|
|
92a605 |
The code changes in this patch ensure that when the nuxwdog conf
|
|
|
92a605 |
file is created, the user is set correctly as the value of the
|
|
|
92a605 |
variable TOMCAT_USER.
|
|
|
92a605 |
|
|
|
92a605 |
Change-Id: I0b4f8caedb048aaedf6a8a8f72b24fab39ad7bbf
|
|
|
92a605 |
(cherry picked from commit 96e99209b278b5ba380a61486a5b6ce6a87326a0)
|
|
|
92a605 |
---
|
|
|
92a605 |
base/server/sbin/pki-server-nuxwdog | 3 ++-
|
|
|
92a605 |
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
92a605 |
|
|
|
92a605 |
diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog
|
|
|
92a605 |
index cb8993821..ffdbc3394 100755
|
|
|
92a605 |
--- a/base/server/sbin/pki-server-nuxwdog
|
|
|
92a605 |
+++ b/base/server/sbin/pki-server-nuxwdog
|
|
|
92a605 |
@@ -39,7 +39,7 @@ set_javacmd
|
|
|
92a605 |
# create the nuxwdog config file
|
|
|
92a605 |
nux_fname="${CATALINA_BASE}/conf/nuxwdog.conf"
|
|
|
92a605 |
touch ${nux_fname}
|
|
|
92a605 |
-chown pkiuser: ${nux_fname}
|
|
|
92a605 |
+chown ${TOMCAT_USER}: ${nux_fname}
|
|
|
92a605 |
|
|
|
92a605 |
echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname
|
|
|
92a605 |
echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname
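Review bot: `chown ${TOMCAT_USER}: ${nux_fname}` and the `User ${TOMCAT_USER}` line in the second hunk (@@ -50) both rely on TOMCAT_USER being non-empty; if it is unset the chown degrades to `chown : file`, which on GNU coreutils changes nothing, and the config gains a `User ` entry with no value, so fail early with `: "${TOMCAT_USER:?TOMCAT_USER must be set}"` before the file is written. The commit message says nuxwdog itself runs privileged and reads this file to learn which binary to exec (`ExeFile`) and which account to drop to (`User`), yet the file is handed to the unprivileged service user; a compromise of that account would then let both settings be rewritten and picked up by the privileged watchdog on the next start. If the service user does not need to write the file, keep it root-owned and readable, `chown root: "$nux_fname"; chmod 0644 "$nux_fname"`, or add a comment explaining why service-user ownership is required.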
|
|
|
92a605 |
@@ -50,4 +50,5 @@ echo "ExeErr ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname
|
|
|
92a605 |
echo "ExeBackground 1" >> $nux_fname
|
|
|
92a605 |
echo "PidFile $NUXWDOG_PID" >> $nux_fname
|
|
|
92a605 |
echo "ChildPidFile $CATALINA_PID" >> $nux_fname
|
|
|
92a605 |
+echo "User ${TOMCAT_USER}" >> $nux_fname
|
|
|
92a605 |
|
|
|
92a605 |
--
|
|
|
92a605 |
2.14.3
|
|
|
92a605 |
|
|
|
92a605 |
|
|
|
92a605 |
From 73faa356531a529e13e55800861598bb6cc8ab6a Mon Sep 17 00:00:00 2001
|
|
|
92a605 |
From: Ade Lee <alee@redhat.com>
|
|
|
92a605 |
Date: Thu, 1 Feb 2018 13:02:03 -0500
|
|
|
92a605 |
Subject: [PATCH 6/6] More fixes for non-standard users
|
|
|
92a605 |
|
|
|
92a605 |
Some recently added Python code worked only on Python 3 and needed fixing.
|
|
|
92a605 |
The top level directories for the registry should be owned by
|
|
|
92a605 |
root and be world readable/executable so that different users
|
|
|
92a605 |
can read the registry.
|
|
|
92a605 |
|
|
|
92a605 |
Change-Id: Ic0ce188cb678ff66e1a7370451f8df2285fc1282
|
|
|
92a605 |
cherry-pick from 79e8a8e99a3c9c6d16b63bb5d4b2b18a4b828b11
|
|
|
92a605 |
|
|
|
92a605 |
(cherry picked from commit e37ddfbc8b54e17dbe081221f6c849732a30ebe2)
|
|
|
92a605 |
---
|
|
|
92a605 |
base/common/CMakeLists.txt | 12 ++++++++++++
|
|
|
92a605 |
base/server/python/pki/server/deployment/pkihelper.py | 8 ++------
|
|
|
92a605 |
.../server/deployment/scriptlets/infrastructure_layout.py | 14 ++++++++++----
|
|
|
92a605 |
.../pki/server/deployment/scriptlets/instance_layout.py | 5 +++--
|
|
|
92a605 |
4 files changed, 27 insertions(+), 12 deletions(-)
|
|
|
92a605 |
|
|
|
92a605 |
diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
|
|
|
92a605 |
index d7856e1aa..3e8659da6 100644
|
|
|
92a605 |
--- a/base/common/CMakeLists.txt
|
|
|
92a605 |
+++ b/base/common/CMakeLists.txt
|
|
|
92a605 |
@@ -133,6 +133,18 @@ install(
|
|
|
92a605 |
${SYSTEMD_ETC_INSTALL_DIR}/pki-tomcatd-nuxwdog.target.wants
|
|
|
92a605 |
)
|
|
|
92a605 |
|
|
|
92a605 |
+install(
|
|
|
92a605 |
+ DIRECTORY
|
|
|
92a605 |
+ DESTINATION
|
|
|
92a605 |
+ /etc/sysconfig/pki
|
|
|
92a605 |
+)
|
|
|
92a605 |
+
|
|
|
92a605 |
+install(
|
|
|
92a605 |
+ DIRECTORY
|
|
|
92a605 |
+ DESTINATION
|
|
|
92a605 |
+ /etc/sysconfig/pki/tomcat
|
|
|
92a605 |
+)
|
|
|
92a605 |
+
|
|
|
92a605 |
install(
|
|
|
92a605 |
DIRECTORY
|
|
|
92a605 |
man/
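Review bot: The two new `install(DIRECTORY DESTINATION ...)` calls create `/etc/sysconfig/pki` and `/etc/sysconfig/pki/tomcat` without stating permissions, although the commit message requires these registry parents to be root-owned and world readable/executable so instances running as other users can traverse them; spelling that out with `DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE` on each call makes the requirement part of the build rule rather than an assumption about CMake's default and the packaging step. The file parameterises the neighbouring systemd path through `${SYSTEMD_ETC_INSTALL_DIR}` but hard-codes `/etc/sysconfig/pki` here; a comment such as `# registry parents: must exist and stay world-traversable for non-pkiuser instances` above the first call, and a variable in the style of the existing one, would keep the two consistent.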
|
|
|
92a605 |
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
index 2b18f003c..2e92b5956 100644
|
|
|
92a605 |
--- a/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
+++ b/base/server/python/pki/server/deployment/pkihelper.py
|
|
|
92a605 |
@@ -1024,8 +1024,6 @@ class Instance:
|
|
|
92a605 |
raise
|
|
|
92a605 |
|
|
|
92a605 |
def get_instance_status(self, secure_connection=True):
|
|
|
92a605 |
- pki_protocol = None
|
|
|
92a605 |
- pki_port = None
|
|
|
92a605 |
if secure_connection:
|
|
|
92a605 |
pki_protocol = "https"
|
|
|
92a605 |
pki_port = self.mdict['pki_https_port']
|
|
|
92a605 |
@@ -2931,7 +2929,6 @@ class ServerCertNickConf:
|
|
|
92a605 |
try:
|
|
|
92a605 |
# overwrite value inside 'serverCertNick.conf'
|
|
|
92a605 |
with open(self.servercertnick_conf, "w") as fd:
|
|
|
92a605 |
- ssl_server_nickname = None
|
|
|
92a605 |
if self.step_two:
|
|
|
92a605 |
# use final HSM name
|
|
|
92a605 |
ssl_server_nickname = (self.token_name + ":" +
|
|
|
92a605 |
@@ -3556,7 +3553,7 @@ class Systemd(object):
|
|
|
92a605 |
if not parser.has_section(section):
|
|
|
92a605 |
parser.add_section(section)
|
|
|
92a605 |
|
|
|
92a605 |
- parser[section][param] = value
|
|
|
92a605 |
+ parser.set(section, param, value)
|
|
|
92a605 |
|
|
|
92a605 |
def write_overrides(self):
|
|
|
92a605 |
for fname, parser in self.overrides.items():
|
|
|
92a605 |
@@ -3564,7 +3561,7 @@ class Systemd(object):
|
|
|
92a605 |
if not os.path.exists(override_file):
|
|
|
92a605 |
self.create_override_file(override_file)
|
|
|
92a605 |
with open(override_file, 'w') as fp:
|
|
|
92a605 |
- parser.write(fp, space_around_delimiters=False)
|
|
|
92a605 |
+ parser.write(fp)
|
|
|
92a605 |
|
|
|
92a605 |
def daemon_reload(self, critical_failure=True):
|
|
|
92a605 |
"""PKI Deployment execution management lifecycle function.
|
|
|
92a605 |
@@ -4142,7 +4139,6 @@ class ConfigClient:
|
|
|
92a605 |
os.path.dirname(self.mdict['pki_external_admin_csr_path']))
|
|
|
92a605 |
with open(self.mdict['pki_external_admin_csr_path'], "w") as f:
|
|
|
92a605 |
f.write("-----BEGIN CERTIFICATE REQUEST-----\n")
|
|
|
92a605 |
- admin_certreq = None
|
|
|
92a605 |
with open(os.path.join(
|
|
|
92a605 |
self.mdict['pki_client_database_dir'],
|
|
|
92a605 |
"admin_pkcs10.bin.asc"), "r") as f:
|
|
|
92a605 |
diff --git a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py
|
|
|
92a605 |
index b105378f8..7322ac392 100644
|
|
|
92a605 |
--- a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py
|
|
|
92a605 |
+++ b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py
|
|
|
92a605 |
@@ -53,9 +53,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
92a605 |
# registry directories for storage of a copy of the original
|
|
|
92a605 |
# deployment configuration file used to spawn this instance,
|
|
|
92a605 |
# and save a copy of this file
|
|
|
92a605 |
- deployer.directory.create(deployer.mdict['pki_registry_path'])
|
|
|
92a605 |
- deployer.directory.create(
|
|
|
92a605 |
- deployer.mdict['pki_instance_type_registry_path'])
|
|
|
92a605 |
+ #
|
|
|
92a605 |
+ # Unless a prefix is used, the top level directories should exist
|
|
|
92a605 |
+ # and be owned by the rpm
|
|
|
92a605 |
+ if deployer.mdict['pki_root_prefix'] != "":
|
|
|
92a605 |
+ deployer.directory.create(deployer.mdict['pki_registry_path'])
|
|
|
92a605 |
+ deployer.directory.create(
|
|
|
92a605 |
+ deployer.mdict['pki_instance_type_registry_path'])
|
|
|
92a605 |
+
|
|
|
92a605 |
deployer.directory.create(deployer.mdict['pki_instance_registry_path'])
|
|
|
92a605 |
deployer.directory.create(
|
|
|
92a605 |
deployer.mdict['pki_subsystem_registry_path'])
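Review bot: `if deployer.mdict['pki_root_prefix'] != "":` makes the empty-prefix case assume the top-level registry directories already exist from the package, but nothing verifies that; on a host where the package did not create them the deployment now fails later at `deployer.directory.create(deployer.mdict['pki_instance_registry_path'])` with a less obvious error, so add an explicit existence check with a clear message in an `else` branch. The same guard is repeated in the destroy hunk (@@ -123) and in instance_layout.py (@@ -211); computing it once, e.g. `prefix_in_use = deployer.mdict['pki_root_prefix'] != ""` on the deployer, would keep the three in step, and a comment should say that under a prefix the directories are not package-owned and so must be created and removed by the scriptlet. Idiomatically the test is simply `if deployer.mdict['pki_root_prefix']:`.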
|
|
|
92a605 |
@@ -123,4 +128,5 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
92a605 |
deployer.directory.delete(
|
|
|
92a605 |
deployer.mdict['pki_configuration_path'])
|
|
|
92a605 |
# remove top-level infrastructure registry
|
|
|
92a605 |
- deployer.directory.delete(deployer.mdict['pki_registry_path'])
|
|
|
92a605 |
+ if deployer.mdict['pki_root_prefix'] != "":
|
|
|
92a605 |
+ deployer.directory.delete(deployer.mdict['pki_registry_path'])
|
|
|
92a605 |
diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
|
|
|
92a605 |
index bb9919f34..b24e9b728 100644
|
|
|
92a605 |
--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
|
|
|
92a605 |
+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
|
|
|
92a605 |
@@ -211,8 +211,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
92a605 |
deployer.mdict['pki_instance_registry_path'])
|
|
|
92a605 |
# remove Tomcat PKI registry (if empty)
|
|
|
92a605 |
if deployer.instance.tomcat_instances() == 0:
|
|
|
92a605 |
- deployer.directory.delete(
|
|
|
92a605 |
- deployer.mdict['pki_instance_type_registry_path'])
|
|
|
92a605 |
+ if deployer.mdict['pki_root_prefix'] != "":
|
|
|
92a605 |
+ deployer.directory.delete(
|
|
|
92a605 |
+ deployer.mdict['pki_instance_type_registry_path'])
|
|
|
92a605 |
|
|
|
92a605 |
|
|
|
92a605 |
# Callback only when the /usr/share/pki/server/conf directory
|
|
|
92a605 |
--
|
|
|
92a605 |
2.14.3