diff --git a/freeipa.spec b/freeipa.spec index ddeb5d7..5b69c89 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -67,7 +67,8 @@ # Require 4.7.0 which brings Python 3 bindings %global samba_version 2:4.7.0 %global samba_build_version 2:4.2.1 -%global selinux_policy_version 3.13.1-158.4 +# DNSSEC AVC violation, RHBZ#1537971 +%global selinux_policy_version 3.13.1-283.24 %global slapi_nis_version 0.56.1 # Use python3-pyldap to be compatible with old python3-pyldap 2.x and new @@ -77,12 +78,15 @@ %global python2_ldap_version 3.0.0-0.4.b4 %global python3_ldap_version 3.0.0-0.4.b4 %else -%global python2_ldap_version 2.4.15 +# syncrepl fix, https://pagure.io/freeipa/issue/7240 +%global python2_ldap_version 2.4.25-9 %global python3_ldap_version 2.4.35.1-2 %endif %endif +# Require Dogtag PKI 10.6.0 with Python 3 and SQL NSSDB fixes +%global pki_version 10.6.0-0.2 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+') @@ -90,13 +94,13 @@ %global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa -%global VERSION 4.6.3 +%global VERSION 4.6.90.pre1 %define _hardened_build 1 Name: freeipa Version: %{VERSION} -Release: 5%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -105,11 +109,6 @@ URL: https://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc -# https://pagure.io/freeipa/issue/7389 -Patch0001: 0001-Fix-detection-of-KRA-installation-so-upgrades-can-su.patch -# https://pagure.io/freeipa/issue/7394 -Patch0002: 0002-Replace-wsgi-package-conflict-with-config-file.patch - # For the timestamp trick in patch application BuildRequires: diffstat 
@@ -221,7 +220,7 @@ BuildRequires: python2-dns >= 1.15 BuildRequires: jsl BuildRequires: python2-yubico # pki Python package -BuildRequires: pki-base-python2 >= 10.5.1-2 +BuildRequires: pki-base-python2 >= %{pki_version} BuildRequires: python2-pytest-multihost BuildRequires: python2-pytest-sourceorder # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150 @@ -239,7 +238,6 @@ BuildRequires: python2-netifaces BuildRequires: python2-sss BuildRequires: python2-sss-murmur BuildRequires: python2-sssdconfig -BuildRequires: python2-nose BuildRequires: python2-paste BuildRequires: python2-systemd BuildRequires: python2-jinja2 @@ -263,7 +261,7 @@ BuildRequires: python3-qrcode-core >= 5.0.0 BuildRequires: python3-dns >= 1.15 BuildRequires: python3-yubico # pki Python package -BuildRequires: pki-base-python3 >= 10.5.1-2 +BuildRequires: pki-base-python3 >= %{pki_version} BuildRequires: python3-pytest-multihost BuildRequires: python3-pytest-sourceorder # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150 @@ -278,7 +276,6 @@ BuildRequires: python3-sss BuildRequires: python3-sss-murmur BuildRequires: python3-sssdconfig BuildRequires: python3-libsss_nss_idmap -BuildRequires: python3-nose BuildRequires: python3-paste BuildRequires: python3-systemd BuildRequires: python3-jinja2 @@ -322,8 +319,10 @@ Requires: python3-pyldap >= %{python3_ldap_version} Requires: python2-ipaserver = %{version}-%{release} Requires: python2-ldap >= %{python2_ldap_version} %endif -# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295 -Requires: 389-ds-base >= 1.3.7.6-1 +# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946 +# https://bugzilla.redhat.com/show_bug.cgi?id=1511462 +# https://bugzilla.redhat.com/show_bug.cgi?id=1514033 +Requires: 389-ds-base >= 1.3.7.9-1 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 
@@ -347,8 +346,7 @@ Requires: python2-systemd Requires: mod_wsgi %endif Requires: mod_auth_gssapi >= 1.5.0 -# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206 -Requires: mod_nss >= 1.0.14-3 +Requires: mod_ssl Requires: mod_session # 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3 Requires: mod_lookup_identity >= 0.9.9 @@ -360,16 +358,17 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} -# 10.5.1-2 contains Python 3 vault fix -Requires: pki-ca >= 10.5.1-2 -Requires: pki-kra >= 10.5.1-2 +Requires: pki-ca >= %{pki_version} +Requires: pki-kra >= %{pki_version} Requires(preun): systemd-units Requires(postun): systemd-units Requires: policycoreutils >= 2.1.12-5 Requires: tar Requires(pre): certmonger >= 0.79.5-1 -# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295 -Requires(pre): 389-ds-base >= 1.3.7.6-1 +# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946 +# https://bugzilla.redhat.com/show_bug.cgi?id=1511462 +# https://bugzilla.redhat.com/show_bug.cgi?id=1514033 +Requires(pre): 389-ds-base >= 1.3.7.9-1 Requires: fontawesome-fonts Requires: open-sans-fonts Requires: openssl @@ -430,7 +429,7 @@ BuildRequires: dbus-python Requires: python2-dns >= 1.15 Requires: python2-kdcproxy >= 0.3 Requires: rpm-libs -Requires: pki-base-python2 >= 10.5.1-2 +Requires: pki-base-python2 >= %{pki_version} Requires: python2-augeas %description -n python2-ipaserver @@ -464,7 +463,7 @@ Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 Requires: python3-augeas Requires: rpm-libs -Requires: pki-base-python3 >= 10.5.1-2 +Requires: pki-base-python3 >= %{pki_version} %description -n python3-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, 
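Review bot: `Requires: mod_ssl` in the hunk at -347,8 carries neither a minimum version nor a comment, whereas the `mod_nss` line it replaces was pinned to 1.0.14-3 with a bug reference. This dependency selects the TLS module for the server's httpd, so the reason for the switch and any minimum version the new configuration relies on belong next to it, for example `# httpd TLS moved from mod_nss to mod_ssl, see <upstream issue URL>`. The hunk also does not show how an upgraded host that still has mod_nss installed and configured is handled. If both modules can end up enabled, a `Conflicts:` or an explicit upgrade step is worth confirming.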
@@ -510,10 +509,7 @@ Requires: bind-utils >= 9.11.0-6.P2 Requires: bind-pkcs11 >= 9.11.0-6.P2 Requires: bind-pkcs11-utils >= 9.11.0-6.P2 Requires: opendnssec >= 1.4.6-4 -# Keep python2 dependencies until DNSSEC daemons are ported to Python 3 -Requires: python2 -Requires: python2-ipalib -Requires: python2-ipaserver +%{?systemd_requires} Provides: %{alt_name}-server-dns = %{version} Conflicts: %{alt_name}-server-dns @@ -579,11 +575,13 @@ Requires: python3-gssapi >= 1.2.0-5 Requires: python3-ipaclient = %{version}-%{release} Requires: python3-pyldap >= %{python3_ldap_version} Requires: python3-sssdconfig +Requires: python3-sssdconfig %else Requires: python2-gssapi >= 1.2.0-5 Requires: python2-ipaclient = %{version}-%{release} Requires: python2-ldap >= %{python2_ldap_version} Requires: python2-sssdconfig +Requires: python2-sssdconfig %endif Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp @@ -863,7 +861,6 @@ Requires: python2-ipaclient = %{version}-%{release} Requires: python2-ipaserver = %{version}-%{release} Requires: tar Requires: xz -Requires: python2-nose Requires: pytest >= 2.6 Requires: python2-paste Requires: python2-coverage @@ -872,9 +869,9 @@ Requires: python2-polib Requires: python2-pytest-multihost >= 0.5 Requires: python2-pytest-sourceorder Requires: ldns-utils -Requires: python2-sssdconfig Requires: python2-cryptography >= 1.6 Requires: iptables +Requires: python2-mock Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -899,7 +896,6 @@ Requires: python3-ipaclient = %{version}-%{release} Requires: python3-ipaserver = %{version}-%{release} Requires: tar Requires: xz -Requires: python3-nose Requires: python3-pytest >= 2.6 Requires: python3-coverage Requires: python3-polib 
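Review bot: The hunk at -579,11 adds `Requires: python3-sssdconfig` and `Requires: python2-sssdconfig` directly below identical existing lines, so each branch of the `%if` now lists the same dependency twice. rpm tolerates duplicates, but this looks like a merge leftover and both added lines can be dropped. If a different package was intended here, it should be named instead.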
@@ -961,6 +957,8 @@ export JAVA_STACK_SIZE="16m" # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 export PATH=/usr/bin:/usr/sbin:$PATH export PYTHON=%{__python2} + +%if ! 0%{?with_python3} # Workaround: make sure all shebangs are pointing to Python 2 # This should be solved properly using setuptools # and this hack should be removed. 
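Review bot: With the new `%if ! 0%{?with_python3}` at -961,6, a Python 3 build no longer normalises any shebang in the spec. This hunk skips the Python 2 rewrite, the hunk at -969,61 drops the `PY3_SUBST_PATHS` loop, and the hunk at -1034,22 drops the `find … sed` pass in the python3 tree. The affected scripts include installers and certificate renewal helpers, which are typically run as root, so their interpreter line should be an absolute path and not something resolved through `PATH`. Presumably the upstream build now substitutes the interpreter itself; a comment such as `# with_python3: shebangs are set by the build from $PYTHON` would record that, and a check in `%install` that fails on any script under `%{buildroot}` whose first line still uses `env python` or an unversioned `python` would enforce it. The `%if` opened here is closed in the following hunk, and the `%build` section starts outside this one.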
@@ -969,61 +967,7 @@ find \ ! -name '*.pyo' -a \ -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \; - -%if 0%{?with_python3} -# TODO: temporary solution until all scripts are ported to python3, -# TODO: workaround: some scripts are copied over, so the are always py2. -# We have to explicitly set python3 here for ported files here -PY3_SUBST_PATHS=' -client/ipa-certupdate -client/ipa-client-automount -client/ipa-client-install -daemons/ipa-otpd/test.py -install/certmonger/ipa-server-guard -install/certmonger/dogtag-ipa-ca-renew-agent-submit -install/oddjob/com.redhat.idm.trust-fetch-domains -install/restart_scripts/renew_ra_cert_pre -install/restart_scripts/renew_ca_cert -install/restart_scripts/renew_ra_cert -install/restart_scripts/restart_httpd -install/restart_scripts/renew_kdc_cert -install/restart_scripts/stop_pkicad -install/restart_scripts/restart_dirsrv -install/tools/ipa-advise -install/tools/ipa-adtrust-install -install/tools/ipa-backup -install/tools/ipa-ca-install -install/tools/ipa-cacert-manage -install/tools/ipa-compat-manage -install/tools/ipa-csreplica-manage -install/tools/ipa-custodia -install/tools/ipa-custodia-check -install/tools/ipa-dns-install -install/tools/ipa-httpd-kdcproxy -install/tools/ipa-kra-install -install/tools/ipa-ldap-updater -install/tools/ipa-managed-entries -install/tools/ipa-nis-manage -install/tools/ipa-otptoken-import -install/tools/ipa-pkinit-manage -install/tools/ipa-pki-retrieve-key -install/tools/ipa-replica-conncheck -install/tools/ipa-replica-install -install/tools/ipa-replica-manage -install/tools/ipa-replica-prepare -install/tools/ipa-restore -install/tools/ipa-server-certinstall -install/tools/ipa-server-install -install/tools/ipa-server-upgrade -install/tools/ipa-winsync-migrate -install/tools/ipactl -ipa -' -for P in $PY3_SUBST_PATHS; do - sed -i -e '1 s|^#!\s\?.*\bpython[0-9]*|#!%{__python3}|' $P -done; - -%endif # with_python3 +%endif # ! 
with_python3 %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ @@ -1034,22 +978,14 @@ done; %make_build -Onone %if 0%{?with_python3} -pushd %{_builddir}/freeipa-%{version}-python3 export PYTHON=%{__python3} -# Workaround: make sure all shebangs are pointing to Python 3 -# This should be solved properly using setuptools -# and this hack should be removed. -find \ - ! -name '*.pyc' -a \ - ! -name '*.pyo' -a \ - -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ - -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \; +pushd %{_builddir}/freeipa-%{version}-python3 %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ %{linter_options} popd -%endif # with_python3 +%endif # with_python3 %check @@ -1074,16 +1010,7 @@ make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir} # will overwrite /usr/bin/ipa and other scripts with variants using # python2 shebang. pushd %{_builddir}/freeipa-%{version}-python3 -(cd ipaclient && %make_install) -(cd ipalib && %make_install) -(cd ipaplatform && %make_install) -(cd ipapython && %make_install) -%if ! %{ONLY_CLIENT} -(cd ipaserver && %make_install) -%endif # ONLY_CLIENT -%if 0%{?with_ipatests} -(cd ipatests && %make_install) -%endif # with_ipatests +%{__make} python_install DESTDIR=%{?buildroot} INSTALL="%{__install} -p" popd %if 0%{?with_ipatests} 
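Review bot: The single `%{__make} python_install` at -1074,16 replaces installs that the spec itself gated with `%if ! %{ONLY_CLIENT}` and `%if 0%{?with_ipatests}`, so whether `ipaserver` and `ipatests` are skipped now depends on the Makefile target, which is not visible here. If that target installs them unconditionally, a client-only build would either fail on unpackaged files or pick up server modules. A comment such as `# python_install honours the configure-time server/ipatests options`, if that is the case, would make the dependency explicit. The comment block explaining the install ordering starts outside the hunk.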
@@ -1251,6 +1178,17 @@ getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c # add apache to ipaaapi group id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi + +%post server-dns +%systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service + +%preun server-dns +%systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service + +%postun server-dns +%systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service + + %postun server-trust-ad if [ "$1" -ge "1" ]; then if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then @@ -1392,9 +1330,6 @@ fi %dir %{_libexecdir}/ipa %{_libexecdir}/ipa/ipa-custodia %{_libexecdir}/ipa/ipa-custodia-check -%{_libexecdir}/ipa/ipa-dnskeysyncd -%{_libexecdir}/ipa/ipa-dnskeysync-replica -%{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy %{_libexecdir}/ipa/ipa-pki-retrieve-key %{_libexecdir}/ipa/ipa-otpd @@ -1408,9 +1343,6 @@ fi %attr(644,root,root) %{_unitdir}/ipa.service %attr(644,root,root) %{_unitdir}/ipa-otpd.socket %attr(644,root,root) %{_unitdir}/ipa-otpd@.service -%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service -%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket -%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service # END %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so @@ -1479,8 +1411,6 @@ fi %license COPYING %ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy -%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd -%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf # NOTE: systemd specific section %{_tmpfilesdir}/ipa.conf 
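Review bot: The new `%postun server-dns` at -1251,6 uses `%systemd_postun`, which reloads systemd but does not restart `ipa-dnskeysyncd.service` or the `ipa-ods-exporter` units on upgrade. An updated DNSSEC key daemon therefore keeps running the old code until something else restarts it. If the restart is meant to come from the server package's upgrade scriptlets, which are not visible in this hunk, add a comment saying so, e.g. `# restarted by the server upgrade, not here`. Otherwise `%systemd_postun_with_restart` with the same unit list would cover it.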
@@ -1539,10 +1469,6 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf -%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec -%{_usr}/share/ipa/ipa.conf -%{_usr}/share/ipa/ipa-rewrite.conf -%{_usr}/share/ipa/ipa-pki-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini @@ -1555,6 +1481,7 @@ fi %attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca +%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs %ghost %{_localstatedir}/lib/ipa/pki-ca/publish %ghost %{_localstatedir}/named/dyndb-ldap/ipa %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia @@ -1567,9 +1494,17 @@ fi %defattr(-,root,root,-) %doc README.md Contributors.txt %license COPYING +%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd +%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec +%{_libexecdir}/ipa/ipa-dnskeysyncd +%{_libexecdir}/ipa/ipa-dnskeysync-replica +%{_libexecdir}/ipa/ipa-ods-exporter %{_sbindir}/ipa-dns-install %{_mandir}/man1/ipa-dns-install.1* - +%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service +%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket +%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service %files server-trust-ad %defattr(-,root,root,-) 
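Review bot: The added `%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs` at -1555,6 creates a world-readable directory next to `sysrestore` (711) and `sysupgrade` (700), with nothing saying what may be stored in it. Mode 0755 is appropriate only if the directory holds public certificates, so I would add `# public certificates only; private keys must go in a root-only directory` above the line. The code that populates the directory is not part of this diff, so it is worth confirming that no private key or PKCS#12 file is ever written there.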
@@ -1781,6 +1716,9 @@ fi %endif # with_ipatests %changelog +* Fri Mar 16 2018 Rob Crittenden - 4.6.90.pre1-1 +- Update to upstream 4.6.90.pre1 + * Tue Feb 20 2018 Rob Crittenden - 4.6.3-5 - Disable i686 server builds because 389-ds no longer provides builds on that arch. (#1544386)