From 748ca34eae43f50b2c9e3ff3295b6ad490633df2 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 6 Feb 2018 10:05:49 +0100
Subject: [PATCH] Replace wsgi package conflict with config file
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.
See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
install/share/Makefile.am | 1 +
install/share/ipa-httpd-wsgi.conf.template | 7 +++++++
ipaplatform/base/constants.py | 4 ++++
ipaplatform/base/paths.py | 2 ++
ipaplatform/base/tasks.py | 4 ++++
ipaplatform/debian/tasks.py | 5 +++++
ipaplatform/fedora/constants.py | 6 +++++-
ipaplatform/fedora/paths.py | 4 +++-
ipaplatform/redhat/tasks.py | 31 ++++++++++++++++++++++++++++++
ipaserver/install/httpinstance.py | 7 ++++++-
ipaserver/install/server/upgrade.py | 7 +++++++
11 files changed, 75 insertions(+), 3 deletions(-)
create mode 100644 install/share/ipa-httpd-wsgi.conf.template
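diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index b1285854ea..abdf3ac648 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -85,6 +85,7 @@ dist_app_DATA = \
 kdcproxy-enable.uldif \
 kdcproxy-disable.uldif \
 ipa-httpd.conf.template \
+ ipa-httpd-wsgi.conf.template \
 gssapi.login \
 gssproxy.conf.template \
 kdcproxy.wsgi \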
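diff --git a/install/share/ipa-httpd-wsgi.conf.template b/install/share/ipa-httpd-wsgi.conf.template
new file mode 100644
index 0000000000..89d424665a
--- /dev/null
+++ b/install/share/ipa-httpd-wsgi.conf.template
@@ -0,0 +1,7 @@
+# Do not edit. Created by IPA installer.
+
+# Some platforms allow parallel installation of Python 2 and 3 mod_wsgi
+# modules, but the modules can't coexist. Enforce loading of correct
+# WSGI module before the package's default config.
+
+LoadModule wsgi_module $WSGI_MODULE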
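diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 94bd0f8a10..ca4a12ec01 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -39,5 +39,9 @@ class BaseConstantsNamespace(object):
 SSSD_USER = "sssd"
 # sql (new format), dbm (old format)
 NSS_DEFAULT_DBTYPE = 'dbm'
+ # WSGI module override, only used on Fedora
+ MOD_WSGI_PYTHON2 = None
+ MOD_WSGI_PYTHON3 = None
+
 
 constants = BaseConstantsNamespace()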
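diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 3bb32416d6..753e8e80e7 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -48,6 +48,8 @@ class BasePathNamespace(object):
 HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
 HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
 HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
+ # only used on Fedora
+ HTTPD_IPA_WSGI_MODULES_CONF = None
 OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
 HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
 HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"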
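diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 8f73eaddc2..d4b56318e3 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -211,6 +211,10 @@ def remove_httpd_service_ipa_conf(self):
 """Remove configuration of httpd service of IPA"""
 raise NotImplementedError()
 
+ def configure_httpd_wsgi_conf(self):
+ """Configure WSGI for correct Python version"""
+ raise NotImplementedError()
+
 def is_fips_enabled(self):
 return False
 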
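diff --git a/ipaplatform/debian/tasks.py b/ipaplatform/debian/tasks.py
index 6c41a35e77..4537260146 100644
--- a/ipaplatform/debian/tasks.py
+++ b/ipaplatform/debian/tasks.py
@@ -47,4 +47,9 @@ def restore_auth_configuration(path):
 def parse_ipa_version(version):
 return BaseTaskNamespace.parse_ipa_version(version)
 
+ def configure_httpd_wsgi_conf(self):
+ # Debian doesn't require special mod_wsgi configuration
+ pass
+
+
 tasks = DebianTaskNamespace()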
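diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py
index ce03f58cf9..79e7bd9a5e 100644
--- a/ipaplatform/fedora/constants.py
+++ b/ipaplatform/fedora/constants.py
@@ -11,6 +11,10 @@
 
 
 class FedoraConstantsNamespace(RedHatConstantsNamespace):
- pass
+ # Fedora allows installation of Python 2 and 3 mod_wsgi, but the modules
+ # can't coexist. For Apache to load correct module.
+ MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
+ MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"
+
 
 constants = FedoraConstantsNamespace()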
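Review bot: The comment added above `MOD_WSGI_PYTHON2` ends in a sentence fragment, `For Apache to load correct module.`, which reads as if `Force Apache to load the correct module.` was meant. It would also help to state that both values are relative paths which end up in the `LoadModule wsgi_module $WSGI_MODULE` line of the new template, so Apache resolves them against its ServerRoot.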
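diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 49a904f2f2..5238cdb4f4 100644
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -27,7 +27,9 @@
 
 
 class FedoraPathNamespace(RedHatPathNamespace):
- pass
+ HTTPD_IPA_WSGI_MODULES_CONF = (
+ "/etc/httpd/conf.modules.d/02-ipa-wsgi.conf"
+ )
 
 
 paths = FedoraPathNamespace()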
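diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 79bd5335ea..701c280ec0 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -30,6 +30,7 @@
 import socket
 import traceback
 import errno
+import sys
 
 from ctypes.util import find_library
 from functools import total_ordering
@@ -484,6 +485,36 @@ def configure_http_gssproxy_conf(self, ipaapi_user):
 os.chmod(paths.GSSPROXY_CONF, 0o600)
 self.restore_context(paths.GSSPROXY_CONF)
 
+ def configure_httpd_wsgi_conf(self):
+ """Configure WSGI for correct Python version (Fedora)
+
+ See https://pagure.io/freeipa/issue/7394
+ """
+ conf = paths.HTTPD_IPA_WSGI_MODULES_CONF
+ if sys.version_info.major == 2:
+ wsgi_module = constants.MOD_WSGI_PYTHON2
+ else:
+ wsgi_module = constants.MOD_WSGI_PYTHON3
+
+ if conf is None or wsgi_module is None:
+ logger.info("Nothing to do for configure_httpd_wsgi_conf")
+ return
+
+ confdir = os.path.dirname(conf)
+ if not os.path.isdir(confdir):
+ os.makedirs(confdir)
+
+ ipautil.copy_template_file(
+ os.path.join(
+ paths.USR_SHARE_IPA_DIR, 'ipa-httpd-wsgi.conf.template'
+ ),
+ conf,
+ dict(WSGI_MODULE=wsgi_module)
+ )
+
+ os.chmod(conf, 0o644)
+ self.restore_context(conf)
+
 def remove_httpd_service_ipa_conf(self):
 """Remove systemd config for httpd service of IPA"""
 try: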
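Review bot: `os.makedirs(confdir)` in configure_httpd_wsgi_conf creates a missing Apache modules directory with whatever mode the installer's umask yields, and only the file itself is later pinned with `os.chmod(conf, 0o644)`. Since the new file exists to decide which shared object httpd loads, I would pass the mode explicitly, `os.makedirs(confdir, 0o755)`, and call `self.restore_context(confdir)` when the directory was just created. The module is also chosen from `sys.version_info.major` of the interpreter running the installer; a one-line comment saying this is assumed to be the same Python that mod_wsgi serves IPA with would make that dependency visible.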
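diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 8f3b5937fd..46764e6aa7 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -213,6 +213,7 @@ def remove_httpd_ccaches(self):
 
 def __configure_http(self):
 self.update_httpd_service_ipa_conf()
+ self.update_httpd_wsgi_conf()
 
 target_fname = paths.HTTPD_IPA_CONF
 http_txt = ipautil.template_file(
@@ -508,6 +509,9 @@ def enable_and_start_oddjobd(self):
 def update_httpd_service_ipa_conf(self):
 tasks.configure_httpd_service_ipa_conf()
 
+ def update_httpd_wsgi_conf(self):
+ tasks.configure_httpd_wsgi_conf()
+
 def uninstall(self):
 if self.is_configured():
 self.print_msg("Unconfiguring web server")
@@ -564,7 +568,8 @@ def uninstall(self):
 installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
 installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
 installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
- tasks.remove_httpd_service_ipa_conf()
+ if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None:
+ installutils.remove_file(paths.HTTPD_IPA_WSGI_MODULES_CONF)
 
 # Restore SELinux boolean states
 boolean_states = {name: self.restore_state(name)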
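Review bot: uninstall() no longer calls `tasks.remove_httpd_service_ipa_conf()` after the third hunk, which replaces that line with the WSGI cleanup instead of adding the cleanup next to it. Whatever that task removes would then stay on the host after an uninstall, and the commit message describes only the WSGI module config, so the removal looks unintended. I would keep the old call directly after the new block, i.e. `tasks.remove_httpd_service_ipa_conf()` following `installutils.remove_file(paths.HTTPD_IPA_WSGI_MODULES_CONF)`. uninstall() starts and ends outside the hunk, so a call retained elsewhere in the function cannot be ruled out from here.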
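diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 07cc18a78c..b12d80f105 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1458,11 +1458,17 @@ def update_mod_nss_cipher_suite(http):
 'cipher_suite_updated',
 httpinstance.NSS_CIPHER_REVISION)
 
+
 def update_ipa_httpd_service_conf(http):
 logger.info('[Updating HTTPD service IPA configuration]')
 http.update_httpd_service_ipa_conf()
 
 
+def update_ipa_http_wsgi_conf(http):
+ logger.info('[Updating HTTPD service IPA WSGI configuration]')
+ http.update_httpd_wsgi_conf()
+
+
 def update_http_keytab(http):
 logger.info('[Moving HTTPD service keytab to gssproxy]')
 if os.path.exists(paths.OLD_IPA_KEYTAB):
@@ -1782,6 +1788,7 @@ def upgrade_configuration():
 http.stop()
 disable_httpd_system_trust(http)
 update_ipa_httpd_service_conf(http)
+ update_ipa_http_wsgi_conf(http)
 update_mod_nss_protocol(http)
 update_mod_nss_cipher_suite(http)
 disable_mod_nss_ocsp(http)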