Remove unused patches

Alexander Bokovoy 2019-04-29 22:41:07 +03:00
parent 7d9a415144
commit 2fefcaa233
12 changed files with 0 additions and 1694 deletions


@ -1,70 +0,0 @@
From 907e1649580b8677d56da6207731addc178dca80 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Jun 15 2018 06:30:55 +0000
Subject: Fedora 29 renamed fedora-domainname.service
In Fedora 29, the fedora-domainname.service has been renamed to
nis-domainname.service like on RHEL. The ipaplatform service module for
Fedora now only renames the service, when it detects the presence of
fedora-domainname.service.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1588192
Fixes: https://pagure.io/freeipa/issue/7582
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ipaplatform/fedora/services.py b/ipaplatform/fedora/services.py
index 6735153..09ba2e8 100644
--- a/ipaplatform/fedora/services.py
+++ b/ipaplatform/fedora/services.py
@@ -24,14 +24,23 @@ Contains Fedora-specific service class implementations.
from __future__ import absolute_import
+import os
+
from ipaplatform.redhat import services as redhat_services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
fedora_system_units = redhat_services.redhat_system_units.copy()
-# Service that sets domainname on Fedora is called fedora-domainname.service
-fedora_system_units['domainname'] = 'fedora-domainname.service'
+# Fedora 28 and earlier have fedora-domainname.service. Starting from
+# Fedora 29, the service is called nis-domainname.service as defined in
+# ipaplatform.redhat.services.
+HAS_FEDORA_DOMAINNAME_SERVICE = os.path.isfile(
+ "/usr/lib/systemd/system/fedora-domainname.service"
+)
+
+if HAS_FEDORA_DOMAINNAME_SERVICE:
+ fedora_system_units['domainname'] = 'fedora-domainname.service'
# Service classes that implement Fedora-specific behaviour
@@ -44,7 +53,7 @@ class FedoraService(redhat_services.RedHatService):
# of specified name
def fedora_service_class_factory(name, api=None):
- if name == 'domainname':
+ if HAS_FEDORA_DOMAINNAME_SERVICE and name == 'domainname':
return FedoraService(name, api)
return redhat_services.redhat_service_class_factory(name, api)
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 80ad62b..390bbb0 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -47,6 +47,7 @@ redhat_system_units = dict((x, "%s.service" % x)
redhat_system_units['rpcgssd'] = 'nfs-secure.service'
redhat_system_units['rpcidmapd'] = 'nfs-idmap.service'
+redhat_system_units['domainname'] = 'nis-domainname.service'
# Rewrite dirsrv and pki-tomcatd services as they support instances via separate
# service generator. To make this working, one needs to have both foo@.servic


@ -1,71 +0,0 @@
From 8821f7ae8e666b4ae42e232c672d616bf7fbffeb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sun, 4 Feb 2018 11:40:24 -0500
Subject: [PATCH] Fix detection of KRA installation so upgrades can succeed
Use is_installed() instead of is_configured() because
is_installed() does a config file check to see if the service
is in use.
https://pagure.io/freeipa/issue/7389
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/server/upgrade.py | 4 ++--
ipatests/test_integration/test_upgrade.py | 21 +++++++++++++++++++++
2 files changed, 23 insertions(+), 2 deletions(-)
create mode 100644 ipatests/test_integration/test_upgrade.py
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 07cc18a78..23173c0ca 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1710,7 +1710,7 @@ def upgrade_configuration():
)
upgrade_pki(ca, fstore)
- if kra.is_configured():
+ if kra.is_installed():
logger.info('[Ensuring ephemeralRequest is enabled in KRA]')
kra.backup_config()
value = installutils.get_directive(
@@ -1728,7 +1728,7 @@ def upgrade_configuration():
# by checking status using http
if ca.is_configured():
ca.start('pki-tomcat')
- if kra.is_configured() and not kra.is_running():
+ if kra.is_installed() and not kra.is_running():
# This is for future-proofing in case the KRA is ever standalone.
kra.start('pki-tomcat')
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
new file mode 100644
index 000000000..951747b0b
--- /dev/null
+++ b/ipatests/test_integration/test_upgrade.py
@@ -0,0 +1,21 @@
+#
+# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
+#
+
+"""
+Module provides tests to verify that the upgrade script works.
+"""
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.pytest_plugins.integration import tasks
+
+
+class TestUpgrade(IntegrationTest):
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master, setup_dns=False)
+
+ def test_invoke_upgrader(self):
+ cmd = self.master.run_command(['ipa-server-upgrade'],
+ raiseonerr=False)
+ assert cmd.returncode == 0
--
2.14.3


@ -1,252 +0,0 @@
From 748ca34eae43f50b2c9e3ff3295b6ad490633df2 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 6 Feb 2018 10:05:49 +0100
Subject: [PATCH] Replace wsgi package conflict with config file
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.
See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
install/share/Makefile.am | 1 +
install/share/ipa-httpd-wsgi.conf.template | 7 +++++++
ipaplatform/base/constants.py | 4 ++++
ipaplatform/base/paths.py | 2 ++
ipaplatform/base/tasks.py | 4 ++++
ipaplatform/debian/tasks.py | 5 +++++
ipaplatform/fedora/constants.py | 6 +++++-
ipaplatform/fedora/paths.py | 4 +++-
ipaplatform/redhat/tasks.py | 31 ++++++++++++++++++++++++++++++
ipaserver/install/httpinstance.py | 7 ++++++-
ipaserver/install/server/upgrade.py | 7 +++++++
11 files changed, 75 insertions(+), 3 deletions(-)
create mode 100644 install/share/ipa-httpd-wsgi.conf.template
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index b1285854ea..abdf3ac648 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -85,6 +85,7 @@ dist_app_DATA = \
kdcproxy-enable.uldif \
kdcproxy-disable.uldif \
ipa-httpd.conf.template \
+ ipa-httpd-wsgi.conf.template \
gssapi.login \
gssproxy.conf.template \
kdcproxy.wsgi \
diff --git a/install/share/ipa-httpd-wsgi.conf.template b/install/share/ipa-httpd-wsgi.conf.template
new file mode 100644
index 0000000000..89d424665a
--- /dev/null
+++ b/install/share/ipa-httpd-wsgi.conf.template
@@ -0,0 +1,7 @@
+# Do not edit. Created by IPA installer.
+
+# Some platforms allow parallel installation of Python 2 and 3 mod_wsgi
+# modules, but the modules can't coexist. Enforce loading of correct
+# WSGI module before the package's default config.
+
+LoadModule wsgi_module $WSGI_MODULE
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 94bd0f8a10..ca4a12ec01 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -39,5 +39,9 @@ class BaseConstantsNamespace(object):
SSSD_USER = "sssd"
# sql (new format), dbm (old format)
NSS_DEFAULT_DBTYPE = 'dbm'
+ # WSGI module override, only used on Fedora
+ MOD_WSGI_PYTHON2 = None
+ MOD_WSGI_PYTHON3 = None
+
constants = BaseConstantsNamespace()
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 3bb32416d6..753e8e80e7 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -48,6 +48,8 @@ class BasePathNamespace(object):
HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
+ # only used on Fedora
+ HTTPD_IPA_WSGI_MODULES_CONF = None
OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 8f73eaddc2..d4b56318e3 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -211,6 +211,10 @@ def remove_httpd_service_ipa_conf(self):
"""Remove configuration of httpd service of IPA"""
raise NotImplementedError()
+ def configure_httpd_wsgi_conf(self):
+ """Configure WSGI for correct Python version"""
+ raise NotImplementedError()
+
def is_fips_enabled(self):
return False
diff --git a/ipaplatform/debian/tasks.py b/ipaplatform/debian/tasks.py
index 6c41a35e77..4537260146 100644
--- a/ipaplatform/debian/tasks.py
+++ b/ipaplatform/debian/tasks.py
@@ -47,4 +47,9 @@ def restore_auth_configuration(path):
def parse_ipa_version(version):
return BaseTaskNamespace.parse_ipa_version(version)
+ def configure_httpd_wsgi_conf(self):
+ # Debian doesn't require special mod_wsgi configuration
+ pass
+
+
tasks = DebianTaskNamespace()
diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py
index ce03f58cf9..79e7bd9a5e 100644
--- a/ipaplatform/fedora/constants.py
+++ b/ipaplatform/fedora/constants.py
@@ -11,6 +11,10 @@
class FedoraConstantsNamespace(RedHatConstantsNamespace):
- pass
+ # Fedora allows installation of Python 2 and 3 mod_wsgi, but the modules
+ # can't coexist. For Apache to load correct module.
+ MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
+ MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"
+
constants = FedoraConstantsNamespace()
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 49a904f2f2..5238cdb4f4 100644
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -27,7 +27,9 @@
class FedoraPathNamespace(RedHatPathNamespace):
- pass
+ HTTPD_IPA_WSGI_MODULES_CONF = (
+ "/etc/httpd/conf.modules.d/02-ipa-wsgi.conf"
+ )
paths = FedoraPathNamespace()
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 79bd5335ea..701c280ec0 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -30,6 +30,7 @@
import socket
import traceback
import errno
+import sys
from ctypes.util import find_library
from functools import total_ordering
@@ -484,6 +485,36 @@ def configure_http_gssproxy_conf(self, ipaapi_user):
os.chmod(paths.GSSPROXY_CONF, 0o600)
self.restore_context(paths.GSSPROXY_CONF)
+ def configure_httpd_wsgi_conf(self):
+ """Configure WSGI for correct Python version (Fedora)
+
+ See https://pagure.io/freeipa/issue/7394
+ """
+ conf = paths.HTTPD_IPA_WSGI_MODULES_CONF
+ if sys.version_info.major == 2:
+ wsgi_module = constants.MOD_WSGI_PYTHON2
+ else:
+ wsgi_module = constants.MOD_WSGI_PYTHON3
+
+ if conf is None or wsgi_module is None:
+ logger.info("Nothing to do for configure_httpd_wsgi_conf")
+ return
+
+ confdir = os.path.dirname(conf)
+ if not os.path.isdir(confdir):
+ os.makedirs(confdir)
+
+ ipautil.copy_template_file(
+ os.path.join(
+ paths.USR_SHARE_IPA_DIR, 'ipa-httpd-wsgi.conf.template'
+ ),
+ conf,
+ dict(WSGI_MODULE=wsgi_module)
+ )
+
+ os.chmod(conf, 0o644)
+ self.restore_context(conf)
+
def remove_httpd_service_ipa_conf(self):
"""Remove systemd config for httpd service of IPA"""
try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 8f3b5937fd..46764e6aa7 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -213,6 +213,7 @@ def remove_httpd_ccaches(self):
def __configure_http(self):
self.update_httpd_service_ipa_conf()
+ self.update_httpd_wsgi_conf()
target_fname = paths.HTTPD_IPA_CONF
http_txt = ipautil.template_file(
@@ -508,6 +509,9 @@ def enable_and_start_oddjobd(self):
def update_httpd_service_ipa_conf(self):
tasks.configure_httpd_service_ipa_conf()
+ def update_httpd_wsgi_conf(self):
+ tasks.configure_httpd_wsgi_conf()
+
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring web server")
@@ -564,7 +568,8 @@ def uninstall(self):
installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
- tasks.remove_httpd_service_ipa_conf()
+ if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None:
+ installutils.remove_file(paths.HTTPD_IPA_WSGI_MODULES_CONF)
# Restore SELinux boolean states
boolean_states = {name: self.restore_state(name)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 07cc18a78c..b12d80f105 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1458,11 +1458,17 @@ def update_mod_nss_cipher_suite(http):
'cipher_suite_updated',
httpinstance.NSS_CIPHER_REVISION)
+
def update_ipa_httpd_service_conf(http):
logger.info('[Updating HTTPD service IPA configuration]')
http.update_httpd_service_ipa_conf()
+def update_ipa_http_wsgi_conf(http):
+ logger.info('[Updating HTTPD service IPA WSGI configuration]')
+ http.update_httpd_wsgi_conf()
+
+
def update_http_keytab(http):
logger.info('[Moving HTTPD service keytab to gssproxy]')
if os.path.exists(paths.OLD_IPA_KEYTAB):
@@ -1782,6 +1788,7 @@ def upgrade_configuration():
http.stop()
disable_httpd_system_trust(http)
update_ipa_httpd_service_conf(http)
+ update_ipa_http_wsgi_conf(http)
update_mod_nss_protocol(http)
update_mod_nss_cipher_suite(http)
disable_mod_nss_ocsp(http)


@ -1,31 +0,0 @@
From 7d12bbb99bee40188168523ff685b7e8e573ba17 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 12 Jun 2018 12:02:08 +0200
Subject: [PATCH] Use python3-lesscpy 0.13.0
Require python-lesscpy 0.13. with Python 3 fix and use py3-lesscpy to
compile ipa.css.
python2-lesscpy was the last Python 2 dependency.
Fixes: https://pagure.io/freeipa/issue/7585
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/ui/util/make-css.sh | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/install/ui/util/make-css.sh b/install/ui/util/make-css.sh
index 0091f839e..087a46961 100755
--- a/install/ui/util/make-css.sh
+++ b/install/ui/util/make-css.sh
@@ -22,5 +22,5 @@ set -o errexit
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-lesscpy -x $DIR/../less/ipa.less > $DIR/../css/ipa.css
+py3-lesscpy -x $DIR/../less/ipa.less > $DIR/../css/ipa.css
exit $?
--
2.13.6


@ -1,76 +0,0 @@
From 66c57e6d92a9c5ca7b36ff125375810401e64233 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Tue, 27 Nov 2018 16:21:06 -0800
Subject: [PATCH] Fix authselect invocations to work with 1.0.2
Since authselect 1.0.2, invoking an authselect command sequence
like this:
['authselect', 'sssd', '', '--force']
does not work: authselect barfs on the empty string arg and
errors out. We must only pass a features arg if we actually have
some text to go in it.
This broke uninstallation.
In all cases, features are now passed as separate arguments instead of one
argument separated by space.
Fixes: https://pagure.io/freeipa/issue/7776
Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
ipaplatform/redhat/authconfig.py | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py
index a512345202..9d98b5b644 100644
--- a/ipaplatform/redhat/authconfig.py
+++ b/ipaplatform/redhat/authconfig.py
@@ -158,15 +158,26 @@ def unconfigure(
" ".join(args))
profile = 'sssd'
- features = ''
+ features = []
else:
- profile = \
- statestore.restore_state('authselect', 'profile') or 'sssd'
- features = \
- statestore.restore_state('authselect', 'features_list') or ''
+ profile = statestore.restore_state('authselect', 'profile')
+ if not profile:
+ profile = 'sssd'
+ features_state = statestore.restore_state(
+ 'authselect', 'features_list'
+ )
statestore.delete_state('authselect', 'mkhomedir')
+ # only non-empty features, https://pagure.io/freeipa/issue/7776
+ if features_state is not None:
+ features = [
+ f.strip() for f in features_state.split(' ') if f.strip()
+ ]
+ else:
+ features = []
- cmd = [paths.AUTHSELECT, "select", profile, features, "--force"]
+ cmd = [paths.AUTHSELECT, "select", profile]
+ cmd.extend(features)
+ cmd.append("--force")
ipautil.run(cmd)
def backup(self, path):
@@ -186,10 +197,9 @@ def restore(self, path):
if cfg:
profile = cfg[0]
-
- cmd = [
- paths.AUTHSELECT, "select", profile,
- " ".join(cfg[1]), "--force"]
+ cmd = [paths.AUTHSELECT, "select", profile]
+ cmd.extend(cfg[1])
+ cmd.append("--force")
ipautil.run(cmd)
def set_nisdomain(self, nisdomain):


@ -1,22 +0,0 @@
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 48479f30c..01c166a86 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -483,7 +483,6 @@ class CAInstance(DogtagInstance):
(cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd)
pent = pwd.getpwnam(self.service_user)
- os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
# Create CA configuration
config = RawConfigParser()
@@ -647,6 +646,9 @@ class CAInstance(DogtagInstance):
with open(cfg_file, "w") as f:
config.write(f)
+ # Finally chown the config file (rhbz#1677027)
+ os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
+
self.backup_state('installed', True)
try:
DogtagInstance.spawn_instance(


@ -1,577 +0,0 @@
From f9f01f524311d334c32fb7e404526723decd22a7 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 2 Apr 2019 15:17:52 +0200
Subject: [PATCH 1/3] Add option to remove lines from a file
config_replace_variables() can now also remove lines from a file.
Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/share/ds-ipa-env.conf.template | 0
ipapython/ipautil.py | 13 ++++++--
ipatests/conftest.py | 13 ++++++++
.../test_ipapython/test_directivesetter.py | 14 ---------
ipatests/test_ipapython/test_ipautil.py | 30 +++++++++++++++++++
.../test_install/test_installutils.py | 13 --------
6 files changed, 53 insertions(+), 30 deletions(-)
create mode 100644 install/share/ds-ipa-env.conf.template
diff --git a/install/share/ds-ipa-env.conf.template b/install/share/ds-ipa-env.conf.template
new file mode 100644
index 000000000..e69de29bb
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index bfe54b2cb..4001bcec7 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1104,14 +1104,17 @@ def reverse_record_exists(ip_address):
return True
-def config_replace_variables(filepath, replacevars=dict(), appendvars=dict()):
+def config_replace_variables(filepath, replacevars=dict(), appendvars=dict(),
+ removevars=None):
"""
Take a key=value based configuration file, and write new version
- with certain values replaced or appended
+ with certain values replaced, appended, or removed.
All (key,value) pairs from replacevars and appendvars that were not found
in the configuration file, will be added there.
+ All entries in set removevars are removed.
+
It is responsibility of a caller to ensure that replacevars and
appendvars do not overlap.
@@ -1153,7 +1156,11 @@ $)''', re.VERBOSE)
elif value.find(appendvars[option]) == -1:
new_line = u"%s=%s %s\n" % (option, value, appendvars[option])
old_values[option] = value
- new_config.write(new_line)
+ if removevars and option in removevars:
+ old_values[option] = value
+ new_line = None
+ if new_line is not None:
+ new_config.write(new_line)
# Now add all options from replacevars and appendvars that were not found in the file
new_vars = replacevars.copy()
new_vars.update(appendvars)
diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index dc1aec064..ebcbcd694 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -5,7 +5,9 @@ from __future__ import print_function
import os
import pprint
+import shutil
import sys
+import tempfile
import pytest
@@ -145,3 +147,14 @@ def pytest_runtest_setup(item):
# pylint: disable=no-member
if pytest.config.option.skip_ipaapi:
pytest.skip("Skip tests that needs an IPA API")
+
+
+@pytest.fixture
+def tempdir(request):
+ tempdir = tempfile.mkdtemp()
+
+ def fin():
+ shutil.rmtree(tempdir)
+
+ request.addfinalizer(fin)
+ return tempdir
diff --git a/ipatests/test_ipapython/test_directivesetter.py b/ipatests/test_ipapython/test_directivesetter.py
index c61c891dd..846db9414 100644
--- a/ipatests/test_ipapython/test_directivesetter.py
+++ b/ipatests/test_ipapython/test_directivesetter.py
@@ -4,11 +4,8 @@
from __future__ import absolute_import
import os
-import shutil
import tempfile
-import pytest
-
from ipapython import directivesetter
EXAMPLE_CONFIG = [
@@ -22,17 +19,6 @@ WHITESPACE_CONFIG = [
]
-@pytest.fixture
-def tempdir(request):
- tempdir = tempfile.mkdtemp()
-
- def fin():
- shutil.rmtree(tempdir)
-
- request.addfinalizer(fin)
- return tempdir
-
-
class test_set_directive_lines(object):
def test_remove_directive(self):
lines = directivesetter.set_directive_lines(
diff --git a/ipatests/test_ipapython/test_ipautil.py b/ipatests/test_ipapython/test_ipautil.py
index 3a4e406c5..c3aa2a7b5 100644
--- a/ipatests/test_ipapython/test_ipautil.py
+++ b/ipatests/test_ipapython/test_ipautil.py
@@ -28,6 +28,7 @@ import pwd
import socket
import sys
import tempfile
+import textwrap
import pytest
import six
@@ -577,3 +578,32 @@ def test_check_port_bindable_udp(udp_listen):
assert not ipautil.check_port_bindable(port, socket.SOCK_DGRAM)
sock.close()
assert ipautil.check_port_bindable(port, socket.SOCK_DGRAM)
+
+
+def test_config_replace_variables(tempdir):
+ conffile = os.path.join(tempdir, 'test.conf')
+
+ conf = textwrap.dedent("""
+ replaced=foo
+ removed=gone
+ """)
+ expected = textwrap.dedent("""
+ replaced=bar
+ addreplaced=baz
+ """)
+
+ with open(conffile, 'w') as f:
+ f.write(conf)
+
+ result = ipautil.config_replace_variables(
+ conffile,
+ replacevars=dict(replaced="bar", addreplaced="baz"),
+ removevars={'removed'}
+ )
+ assert result == {
+ 'removed': 'gone', 'replaced': 'foo'
+ }
+
+ with open(conffile, 'r') as f:
+ newconf = f.read()
+ assert newconf == expected
diff --git a/ipatests/test_ipaserver/test_install/test_installutils.py b/ipatests/test_ipaserver/test_install/test_installutils.py
index 577a993f8..3d878a454 100644
--- a/ipatests/test_ipaserver/test_install/test_installutils.py
+++ b/ipatests/test_ipaserver/test_install/test_installutils.py
@@ -6,9 +6,7 @@ from __future__ import absolute_import
import binascii
import os
import re
-import shutil
import subprocess
-import tempfile
import textwrap
import pytest
@@ -20,17 +18,6 @@ from ipaserver.install import ipa_backup
from ipaserver.install import ipa_restore
-@pytest.fixture
-def tempdir(request):
- tempdir = tempfile.mkdtemp()
-
- def fin():
- shutil.rmtree(tempdir)
-
- request.addfinalizer(fin)
- return tempdir
-
-
GPG_GENKEY = textwrap.dedent("""
%echo Generating a standard key
Key-Type: RSA
--
2.20.1
From f9b3fc1fc21ee7ec7333e147f5861e63feb87e35 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 2 Apr 2019 16:13:05 +0200
Subject: [PATCH 2/3] Add tasks.systemd_daemon_reload()
systemd daemon must be reloaded after a config file is added, changed,
or removed. Provide a common API endpoint in ipaplatform.tasks.
Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaplatform/base/services.py | 5 +++--
ipaplatform/base/tasks.py | 4 ++++
ipaplatform/redhat/tasks.py | 9 +++++----
ipaserver/install/ipa_restore.py | 2 +-
4 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 09987100b..3fe9dee1e 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -35,6 +35,7 @@ import six
from ipapython import ipautil
from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks
# pylint: disable=no-name-in-module, import-error
if six.PY3:
@@ -452,7 +453,7 @@ class SystemdService(PlatformService):
# Link exists and it is broken, make new one
os.unlink(srv_lnk)
os.symlink(self.lib_path, srv_lnk)
- ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"])
+ tasks.systemd_daemon_reload()
except Exception:
pass
else:
@@ -475,7 +476,7 @@ class SystemdService(PlatformService):
if os.path.isdir(srv_tgt):
if os.path.islink(srv_lnk):
os.unlink(srv_lnk)
- ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"])
+ tasks.systemd_daemon_reload()
except Exception:
pass
else:
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index e97ac0887..dc77b2e08 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -251,5 +251,9 @@ class BaseTaskNamespace(object):
def setup_httpd_logging(self):
raise NotImplementedError()
+ def systemd_daemon_reload(self):
+ """Tell systemd to reload config files"""
+ raise NotImplementedError
+
tasks = BaseTaskNamespace()
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 372d847a0..13889cf25 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -499,9 +499,11 @@ class RedHatTaskNamespace(BaseTaskNamespace):
os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+ self.systemd_daemon_reload()
- ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"],
- raiseonerr=False)
+ def systemd_daemon_reload(self):
+ """Tell systemd to reload config files"""
+ ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"])
def configure_http_gssproxy_conf(self, ipaapi_user):
ipautil.copy_template_file(
@@ -565,8 +567,7 @@ class RedHatTaskNamespace(BaseTaskNamespace):
)
return
- ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"],
- raiseonerr=False)
+ self.systemd_daemon_reload()
def set_hostname(self, hostname):
ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index ac9f38485..ba9aad3f1 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -451,7 +451,7 @@ class Restore(admintool.AdminTool):
oddjobd.start()
http.remove_httpd_ccaches()
# have the daemons pick up their restored configs
- run([paths.SYSTEMCTL, "--system", "daemon-reload"])
+ tasks.systemd_daemon_reload()
finally:
try:
os.chdir(cwd)
--
2.20.1
From b6c810e921a42003083aa251eab01c055c1e6f78 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 2 Apr 2019 15:37:27 +0200
Subject: [PATCH 3/3] Move DS's Kerberos env vars to unit file
The IPA specific env vars KRB5_KTNAME and KRB5CCNAME are now defined in
a instance specific ipa-env.conf unit file.
Fixes: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/share/Makefile.am | 1 +
install/share/ds-ipa-env.conf.template | 5 ++
ipaplatform/base/paths.py | 2 +
ipaserver/install/dsinstance.py | 65 +++++++++++++++++++-------
ipaserver/install/ipa_backup.py | 1 +
ipaserver/install/krbinstance.py | 4 --
ipaserver/install/server/upgrade.py | 15 +++---
7 files changed, 63 insertions(+), 30 deletions(-)
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 536f68194..e1e91a2fc 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -39,6 +39,7 @@ dist_app_DATA = \
replica-acis.ldif \
replica-prevent-time-skew.ldif \
ds-nfiles.ldif \
+ ds-ipa-env.conf.template \
dns.ldif \
dnssec.ldif \
domainlevel.ldif \
diff --git a/install/share/ds-ipa-env.conf.template b/install/share/ds-ipa-env.conf.template
index e69de29bb..8ab667df6 100644
--- a/install/share/ds-ipa-env.conf.template
+++ b/install/share/ds-ipa-env.conf.template
@@ -0,0 +1,5 @@
+# Installed and maintained by ipa update tools, please do not modify
+
+[Service]
+Environment=KRB5_KTNAME=$KRB5_KTNAME
+Environment=KRB5CCNAME=$KRB5CCNAME
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index b5fae694e..9a34d7c7e 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -384,6 +384,8 @@ class BasePathNamespace(object):
AUTHCONFIG = None
AUTHSELECT = None
SYSCONF_NETWORK = None
+ SLAPD_INSTANCE_SYSTEMD_IPA_ENV_TEMPLATE = \
+ "/etc/systemd/system/dirsrv@%s.service.d/ipa-env.conf"
IPA_SERVER_UPGRADE = '/usr/sbin/ipa-server-upgrade'
KEYCTL = '/usr/bin/keyctl'
GETENT = '/usr/bin/getent'
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 5977cc749..318559b8d 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -27,7 +27,6 @@ import os
import re
import time
import tempfile
-import stat
import fnmatch
import ldap
@@ -229,7 +228,6 @@ class DsInstance(service.Service):
self.nickname = 'Server-Cert'
self.sub_dict = None
self.domain = domain_name
- self.serverid = None
self.master_fqdn = None
self.pkcs12_info = None
self.cacert_name = None
@@ -245,9 +243,11 @@ class DsInstance(service.Service):
self.domainlevel = domainlevel
if realm_name:
self.suffix = ipautil.realm_to_suffix(self.realm)
+ self.serverid = installutils.realm_to_serverid(self.realm)
self.__setup_sub_dict()
else:
self.suffix = DN()
+ self.serverid = None
subject_base = ipautil.dn_attribute_property('_subject_base')
@@ -275,7 +275,8 @@ class DsInstance(service.Service):
self.step("enabling referential integrity plugin", self.__add_referint_module)
self.step("configuring certmap.conf", self.__certmap_conf)
self.step("configure new location for managed entries", self.__repoint_managed_entries)
- self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
+ self.step("configure dirsrv ccache and keytab",
+ self.configure_systemd_ipa_env)
self.step("enabling SASL mapping fallback",
self.__enable_sasl_mapping_fallback)
@@ -553,7 +554,6 @@ class DsInstance(service.Service):
pent = pwd.getpwnam(DS_USER)
self.backup_state("serverid", self.serverid)
- self.fstore.backup_file(paths.SYSCONFIG_DIRSRV)
self.sub_dict['BASEDC'] = self.realm.split('.')[0].lower()
base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
@@ -767,21 +767,39 @@ class DsInstance(service.Service):
def __repoint_managed_entries(self):
self._ldap_mod("repoint-managed-entries.ldif", self.sub_dict)
- def configure_dirsrv_ccache(self):
+ def configure_systemd_ipa_env(self):
pent = pwd.getpwnam(platformconstants.DS_USER)
- ccache = paths.TMP_KRB5CC % pent.pw_uid
- filepath = paths.SYSCONFIG_DIRSRV
- if not os.path.exists(filepath):
- # file doesn't exist; create it with correct ownership & mode
- open(filepath, 'a').close()
- os.chmod(filepath,
- stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
- os.chown(filepath, 0, 0)
-
- replacevars = {'KRB5CCNAME': ccache}
- ipautil.backup_config_and_replace_variables(
- self.fstore, filepath, replacevars=replacevars)
- tasks.restore_context(filepath)
+ template = os.path.join(
+ paths.USR_SHARE_IPA_DIR, "ds-ipa-env.conf.template"
+ )
+ sub_dict = dict(
+ KRB5_KTNAME=paths.DS_KEYTAB,
+ KRB5CCNAME=paths.TMP_KRB5CC % pent.pw_uid
+ )
+ conf = ipautil.template_file(template, sub_dict)
+
+ destfile = paths.SLAPD_INSTANCE_SYSTEMD_IPA_ENV_TEMPLATE % (
+ self.serverid
+ )
+ destdir = os.path.dirname(destfile)
+
+ if not os.path.isdir(destdir):
+ # create dirsrv-$SERVERID.service.d
+ os.mkdir(destdir, 0o755)
+ with open(destfile, 'w') as f:
+ os.fchmod(f.fileno(), 0o644)
+ f.write(conf)
+ tasks.restore_context(destfile)
+
+ # remove variables from old /etc/sysconfig/dirsrv file
+ if os.path.isfile(paths.SYSCONFIG_DIRSRV):
+ self.fstore.backup_file(paths.SYSCONFIG_DIRSRV)
+ ipautil.config_replace_variables(
+ paths.SYSCONFIG_DIRSRV,
+ removevars={'KRB5_KTNAME', 'KRB5CCNAME'}
+ )
+ # reload systemd to materialize new config file
+ tasks.systemd_daemon_reload()
def __managed_entries(self):
self._ldap_mod("managed-entries.ldif", self.sub_dict)
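Review bot: `os.mkdir(destdir, 0o755)` in configure_systemd_ipa_env is filtered through the process umask, while the file written right after it gets its mode forced with `os.fchmod(f.fileno(), 0o644)`, so under a restrictive umask the drop-in directory ends up tighter than the file inside it. Setting the mode explicitly with `os.chmod(destdir, 0o755)` after the mkdir keeps the two consistent. `tasks.restore_context(destfile)` is applied only to the file; the new directory may need relabelling too, unless its inherited label is already correct. The method also deserves a docstring saying that it writes the per-instance systemd drop-in carrying KRB5_KTNAME and KRB5CCNAME and removes both variables from the old sysconfig file.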
@@ -1080,6 +1098,17 @@ class DsInstance(service.Service):
serverid)
installutils.rmtree(scripts)
+ # remove systemd unit file
+ unitfile = paths.SLAPD_INSTANCE_SYSTEMD_IPA_ENV_TEMPLATE % (
+ serverid
+ )
+ installutils.remove_file(unitfile)
+ try:
+ os.rmdir(os.path.dirname(unitfile))
+ except OSError:
+ # not empty
+ pass
+
# Just eat this state
self.restore_state("user_exists")
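Review bot: The `except OSError: pass` around `os.rmdir(os.path.dirname(unitfile))` swallows every failure, not only the non-empty directory named in the comment, so a permission or I/O error would leave the drop-in directory behind without a trace. Binding the exception with `except OSError as e:` and ignoring only `errno.ENOTEMPTY` and `errno.ENOENT`, while logging anything else, keeps the best-effort behaviour but makes real failures visible; this needs `errno` in scope. The install path reloads systemd after writing the drop-in, but no matching reload is visible after this removal. The enclosing function starts and ends outside the hunk, so the reload may already happen there.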
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index c4aa04a6b..65864f980 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -375,6 +375,7 @@ class Backup(admintool.AdminTool):
for file in (
paths.SYSCONFIG_DIRSRV_INSTANCE % serverid,
paths.ETC_TMPFILESD_DIRSRV % serverid,
+ paths.SLAPD_INSTANCE_SYSTEMD_IPA_ENV_TEMPLATE % serverid,
):
if os.path.exists(file):
self.files.append(file)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 71015788f..587a3c691 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -386,10 +386,6 @@ class KrbInstance(service.Service):
self.fstore.backup_file(paths.DS_KEYTAB)
installutils.create_keytab(paths.DS_KEYTAB, ldap_principal)
-
- vardict = {"KRB5_KTNAME": paths.DS_KEYTAB}
- ipautil.config_replace_variables(paths.SYSCONFIG_DIRSRV,
- replacevars=vardict)
pent = pwd.getpwnam(constants.DS_USER)
os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 71211b9d6..7e54ad482 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1810,13 +1810,12 @@ def upgrade_configuration():
fqdn = api.env.host
# Ok, we are an IPA server, do the additional tests
- ds_serverid = installutils.realm_to_serverid(api.env.realm)
- ds = dsinstance.DsInstance()
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
# start DS, CA will not start without running DS, and cause error
ds_running = ds.is_running()
if not ds_running:
- ds.start(ds_serverid)
+ ds.start(ds.serverid)
if not sysupgrade.get_upgrade_state('ntpd', 'ntpd_cleaned'):
ntpd_cleanup(fqdn, fstore)
@@ -1870,7 +1869,7 @@ def upgrade_configuration():
paths.CA_CS_CFG_PATH, 'ca.crl.MasterCRL.enableCRLUpdates', '=')
sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
- ds_dirname = dsinstance.config_dirname(ds_serverid)
+ ds_dirname = dsinstance.config_dirname(ds.serverid)
upgrade_file(sub_dict, paths.HTTPD_IPA_CONF,
os.path.join(paths.USR_SHARE_IPA_DIR,
@@ -1946,16 +1945,16 @@ def upgrade_configuration():
http.enable_and_start_oddjobd()
- ds.configure_dirsrv_ccache()
+ ds.configure_systemd_ipa_env()
update_replica_config(ipautil.realm_to_suffix(api.env.realm))
if ca.is_configured():
update_replica_config(DN(('o', 'ipaca')))
- ds.stop(ds_serverid)
+ ds.stop(ds.serverid)
fix_schema_file_syntax()
remove_ds_ra_cert(subject_base)
- ds.start(ds_serverid)
+ ds.start(ds.serverid)
ds.fqdn = fqdn
ds.realm = api.env.realm
@@ -2114,7 +2113,7 @@ def upgrade_configuration():
enable_certauth(krb)
if not ds_running:
- ds.stop(ds_serverid)
+ ds.stop(ds.serverid)
if ca.is_configured():
if ca_running and not ca.is_running():
--
2.20.1


@ -1,189 +0,0 @@
From 2ee160d189042a356c1ba9bb91214f2a495cc10d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 26 Feb 2019 13:59:06 +0100
Subject: [PATCH] ipa-client-automount: handle NFS configuration file changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
nfs-utils in Fedora 30 and later switched its configuration
file from /etc/sysconfig/nfs to /etc/nfs.conf, providing a
conversion service (nfs-convert.service) for upgrades.
However, for new installs the original configuration file
is missing. This change:
* adds a tuple-based osinfo.version_number method to handle
more kinds of OS versioning schemes
* detects RHEL and Fedora versions with the new nfs-utils
behavior
* avoids backing up the new NFS configuration file as we do
not have to modify it.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1676981
Fixes: https://pagure.io/freeipa/issue/7868
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
client/ipa-client-automount.in | 18 ++++++++++--------
ipaplatform/fedora/constants.py | 9 ++++++++-
ipaplatform/fedora/paths.py | 3 +++
ipaplatform/fedora/services.py | 2 +-
ipaplatform/osinfo.py | 9 +++++++++
ipaplatform/rhel/constants.py | 7 +++++++
ipaplatform/rhel/paths.py | 4 +++-
7 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/client/ipa-client-automount.in b/client/ipa-client-automount.in
index 15926bd02..f9eda9c7f 100755
--- a/client/ipa-client-automount.in
+++ b/client/ipa-client-automount.in
@@ -335,14 +335,16 @@ def configure_nfs(fstore, statestore):
"""
Configure secure NFS
"""
- replacevars = {
- constants.SECURE_NFS_VAR: 'yes',
- }
- ipautil.backup_config_and_replace_variables(fstore,
- paths.SYSCONFIG_NFS, replacevars=replacevars)
- tasks.restore_context(paths.SYSCONFIG_NFS)
-
- print("Configured %s" % paths.SYSCONFIG_NFS)
+ # Newer Fedora releases ship /etc/nfs.conf instead of /etc/sysconfig/nfs
+ # and do not require changes there. On these, SECURE_NFS_VAR == None
+ if constants.SECURE_NFS_VAR:
+ replacevars = {
+ constants.SECURE_NFS_VAR: 'yes',
+ }
+ ipautil.backup_config_and_replace_variables(fstore,
+ paths.SYSCONFIG_NFS, replacevars=replacevars)
+ tasks.restore_context(paths.SYSCONFIG_NFS)
+ print("Configured %s" % paths.SYSCONFIG_NFS)
# Prepare the changes
# We need to use IPAChangeConf as simple regexp substitution
diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py
index d48696e0f..744b30aa0 100644
--- a/ipaplatform/fedora/constants.py
+++ b/ipaplatform/fedora/constants.py
@@ -10,6 +10,12 @@ This Fedora base platform module exports platform related constants.
from __future__ import absolute_import
from ipaplatform.redhat.constants import RedHatConstantsNamespace
+from ipaplatform.osinfo import osinfo
+
+# Fedora 28 and earlier use /etc/sysconfig/nfs
+# Fedora 30 and later use /etc/nfs.conf
+# Fedora 29 has both
+HAS_NFS_CONF = osinfo.version_number >= (30,)
class FedoraConstantsNamespace(RedHatConstantsNamespace):
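Review bot: `HAS_NFS_CONF = osinfo.version_number >= (30,)` is evaluated at import time, and the `version_number` property added in ipaplatform/osinfo.py calls `int(p)` on every dot-separated part of VERSION_ID, so a single non-numeric component raises ValueError while ipaplatform is being imported. The same import-time evaluation is added in ipaplatform/fedora/services.py and ipaplatform/rhel/constants.py. I would wrap the conversion in `try:` / `except ValueError: return ()`, or stop at the first non-numeric part. The docstring should also say that a missing VERSION_ID yields `()`, which sorts below every version: `HAS_NFS_CONF` becomes False and `HAS_FEDORA_DOMAINNAME_SERVICE` becomes True. That "unknown means old" fallback should be a documented decision rather than a side effect of tuple ordering.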
@@ -22,6 +28,7 @@ class FedoraConstantsNamespace(RedHatConstantsNamespace):
# secure remote password, and DSA cert authentication.
# see https://fedoraproject.org/wiki/Changes/CryptoPolicy
TLS_HIGH_CIPHERS = "PROFILE=SYSTEM:!3DES:!PSK:!SRP:!aDSS"
-
+ if HAS_NFS_CONF:
+ SECURE_NFS_VAR = None
constants = FedoraConstantsNamespace()
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index a9bdedfe8..4e993c063 100644
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -26,6 +26,7 @@ in Fedora-based systems.
from __future__ import absolute_import
from ipaplatform.redhat.paths import RedHatPathNamespace
+from ipaplatform.fedora.constants import HAS_NFS_CONF
class FedoraPathNamespace(RedHatPathNamespace):
@@ -33,6 +34,8 @@ class FedoraPathNamespace(RedHatPathNamespace):
"/etc/httpd/conf.modules.d/02-ipa-wsgi.conf"
)
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
+ if HAS_NFS_CONF:
+ SYSCONFIG_NFS = '/etc/nfs.conf'
paths = FedoraPathNamespace()
diff --git a/ipaplatform/fedora/services.py b/ipaplatform/fedora/services.py
index 5ff64f1cd..543cb1b7d 100644
--- a/ipaplatform/fedora/services.py
+++ b/ipaplatform/fedora/services.py
@@ -34,7 +34,7 @@ fedora_system_units = redhat_services.redhat_system_units.copy()
# Fedora 28 and earlier have fedora-domainname.service. Starting from
# Fedora 29, the service is called nis-domainname.service as defined in
# ipaplatform.redhat.services.
-HAS_FEDORA_DOMAINNAME_SERVICE = int(osinfo.version_id) <= 28
+HAS_FEDORA_DOMAINNAME_SERVICE = osinfo.version_number <= (28,)
if HAS_FEDORA_DOMAINNAME_SERVICE:
fedora_system_units['domainname'] = 'fedora-domainname.service'
diff --git a/ipaplatform/osinfo.py b/ipaplatform/osinfo.py
index a38165d01..35b024e16 100644
--- a/ipaplatform/osinfo.py
+++ b/ipaplatform/osinfo.py
@@ -177,6 +177,15 @@ class OSInfo(Mapping):
"""
return self._info.get('VERSION_ID')
+ @property
+ def version_number(self):
+ """Version number tuple based on version_id
+ """
+ version_id = self._info.get('VERSION_ID')
+ if not version_id:
+ return ()
+ return tuple(int(p) for p in version_id.split('.'))
+
@property
def platform_ids(self):
"""Ordered tuple of detected platforms (including override)
diff --git a/ipaplatform/rhel/constants.py b/ipaplatform/rhel/constants.py
index 72335ac68..073e33281 100644
--- a/ipaplatform/rhel/constants.py
+++ b/ipaplatform/rhel/constants.py
@@ -10,10 +10,17 @@ This RHEL base platform module exports platform related constants.
from __future__ import absolute_import
from ipaplatform.redhat.constants import RedHatConstantsNamespace
+from ipaplatform.osinfo import osinfo
+
+# RHEL 7 and earlier use /etc/sysconfig/nfs
+# RHEL 8 uses /etc/nfs.conf
+HAS_NFS_CONF = osinfo.version_number >= (8,)
class RHELConstantsNamespace(RedHatConstantsNamespace):
IPA_ADTRUST_PACKAGE_NAME = "ipa-server-trust-ad"
IPA_DNS_PACKAGE_NAME = "ipa-server-dns"
+ if HAS_NFS_CONF:
+ SECURE_NFS_VAR = None
constants = RHELConstantsNamespace()
diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
index d8b64abde..c081ada32 100644
--- a/ipaplatform/rhel/paths.py
+++ b/ipaplatform/rhel/paths.py
@@ -26,10 +26,12 @@ in RHEL-based systems.
from __future__ import absolute_import
from ipaplatform.redhat.paths import RedHatPathNamespace
+from ipaplatform.rhel.constants import HAS_NFS_CONF
class RHELPathNamespace(RedHatPathNamespace):
- pass
+ if HAS_NFS_CONF:
+ SYSCONFIG_NFS = '/etc/nfs.conf'
paths = RHELPathNamespace()
--
2.20.1


@ -1,36 +0,0 @@
From 4df3d5642d911ccf47c456ab40cb44831cad043d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sat, 6 Apr 2019 22:54:42 +0300
Subject: [PATCH] Remove DsInstance.request_service_keytab as it is not needed
anymore
DsInstance.request_service_keytab() used to configure
/etc/sysconfig/dirsrv which is not needed anymore with 389-ds-base
1.4.1.2. Thus, the method became indistinguishable from the parent and
can be removed completely.
---
ipaserver/install/dsinstance.py | 8 --------
1 file changed, 8 deletions(-)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 5eebdb09b..8240e3043 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -1352,14 +1352,6 @@ class DsInstance(service.Service):
if self.domainlevel is not None:
self._ldap_mod("domainlevel.ldif", self.sub_dict)
- def request_service_keytab(self):
- super(DsInstance, self).request_service_keytab()
-
- # Configure DS to use the keytab
- vardict = {"KRB5_KTNAME": self.keytab}
- ipautil.config_replace_variables(paths.SYSCONFIG_DIRSRV,
- replacevars=vardict)
-
def write_certmap_conf(realm, ca_subject):
"""(Re)write certmap.conf with given CA subject DN."""
--
2.21.0


@ -1,52 +0,0 @@
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index b1e0294e3..6eb63f1c6 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -19,7 +19,6 @@
#include <util/data_blob.h>
#include <util/time.h>
#include <util/debug.h>
-#include <util/talloc_stack.h>
#ifndef _SAMBA_UTIL_H_
bool trim_string(char *s, const char *front, const char *back);
@@ -880,9 +879,13 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
struct dom_sid *user_sid = NULL;
int rc;
enum idmap_error_code err;
- TALLOC_CTX *tmp_ctx = talloc_stackframe();
struct unixid id;
+ TALLOC_CTX *tmp_ctx = talloc_new(priv);
+ if (tmp_ctx == NULL) {
+ goto done;
+ }
+
/* Fast fail if we get a request for uidNumber=0 because it currently
* will never exist in the directory
* Saves an expensive LDAP call of which failure will never be cached
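Review bot: The new `goto done;` on `tmp_ctx == NULL` runs before anything else in ipasam_uid_to_sid has been set up, so it is only correct if the `done:` cleanup tolerates a NULL `tmp_ctx`, the return variable is initialised to false at its declaration, and `priv` is already assigned when `talloc_new(priv)` runs. None of these is visible in the hunk, because the function's declarations and its `done:` label lie outside it. The identical pattern is added to ipasam_gid_to_sid in the next hunk. A direct `return false;` would remove the dependency on the cleanup path, and a `DEBUG(5, ("talloc_new failed\n"));` before it would match how other allocation failures are reported in this file.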
@@ -967,9 +970,13 @@ static bool ipasam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
size_t c;
int rc;
enum idmap_error_code err;
- TALLOC_CTX *tmp_ctx = talloc_stackframe();
struct unixid id;
+ TALLOC_CTX *tmp_ctx = talloc_new(priv);
+ if (tmp_ctx == NULL) {
+ goto done;
+ }
+
filter = talloc_asprintf(tmp_ctx,
"(|(&(gidNumber=%u)"
"(objectClass=%s))"
@@ -3620,7 +3627,8 @@ static void ipasam_free_private_data(void **vp)
(*ipasam_state)->result = NULL;
}
if ((*ipasam_state)->domain_dn != NULL) {
- SAFE_FREE((*ipasam_state)->domain_dn);
+ free((*ipasam_state)->domain_dn);
+ (*ipasam_state)->domain_dn = NULL;
}
*ipasam_state = NULL;


@ -1,157 +0,0 @@
From 137af1d2c38925404dc92f70321ac0f5fb1cf5eb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sun, 31 Mar 2019 12:37:21 +0300
Subject: [PATCH] ipasam: use SID formatting calls to libsss_idmap
Samba 4.10 moved away to private libraries two functions we used to
convert a binary SID structure to strings:
- sid_talloc_string()
- sid_string_dbg()
We already used libsss_idmap to convert textual representation of SIDs
to a binary one, use the reverse function too.
libsss_idmap code operates on talloc structures, so we need to adopt a
bit a place where sid_string_dbg() was used because it assumed a static
buffer was provided by sid_string_dbg().
Finally, sid_talloc_string()'s replacement moves allocated memory to the
right context so that a memory will be freed earlier. Our SSSD idmap
context is a long-living one while in all cases where we were using
sid_talloc_string() we free the context much earlier.
Resolves: https://pagure.io/freeipa/issue/7893
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
daemons/ipa-sam/ipa_sam.c | 52 ++++++++++++++++++++++++++++-----------
1 file changed, 37 insertions(+), 15 deletions(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index fb9e07fce..4c60881f7 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -105,8 +105,6 @@ enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flag
bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
/* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
-char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
-char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
@@ -262,6 +260,18 @@ static bool sid_compose(struct dom_sid *dst, const struct dom_sid *dom_sid,
return true;
}
+static char *sid_talloc_string(struct sss_idmap_ctx *ctx, void *final_ctx, const struct dom_sid *dom_sid)
+{
+ enum idmap_error_code ret;
+ char *result = NULL;
+ ret = sss_idmap_smb_sid_to_sid(ctx, discard_const(dom_sid), &result);
+ if (ret != IDMAP_SUCCESS) {
+ return NULL;
+ }
+
+ return talloc_move(final_ctx, &result);
+}
+
static bool is_null_sid(const struct dom_sid *sid)
{
size_t c;
@@ -520,8 +530,18 @@ static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
}
if (dom_sid_compare_domain(sid, domain_sid) != 0) {
- DEBUG(10, ("SID %s is not in expected domain %s\n",
- str, sid_string_dbg(domain_sid)));
+ char *debug_domain_sid = NULL;
+ err = sss_idmap_smb_sid_to_sid(idmap_ctx,
+ discard_const(domain_sid),
+ &debug_domain_sid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(10, ("SID %s is not in expected domain.\n",
+ str));
+ } else {
+ DEBUG(10, ("SID %s is not in expected domain %s\n",
+ str, debug_domain_sid));
+ talloc_free(debug_domain_sid);
+ }
res = false;
goto done;
}
@@ -590,7 +610,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
allsids = talloc_asprintf_append_buffer(
allsids, "(%s=%s)",
LDAP_ATTRIBUTE_SID,
- sid_string_talloc(mem_ctx, &sid));
+ sid_talloc_string(ipasam_state->idmap_ctx, mem_ctx, &sid));
if (allsids == NULL) {
goto done;
}
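Review bot: `sid_talloc_string()` returns NULL whenever `sss_idmap_smb_sid_to_sid()` fails, yet here in ldapsam_lookup_rids its result is passed straight to `talloc_asprintf_append_buffer()` as a `%s` argument. A failed conversion therefore puts a NULL pointer into the format call, which is undefined behaviour, and at best produces a malformed LDAP filter. The same unchecked use appears in the hunks for ldapsam_sid_to_id, ipasam_search_grouptype and ipasam_set_trusted_domain, where the value goes into `smbldap_make_mod()`; only ipasam_get_trusted_domain_by_sid checks for NULL. I would store the result in a local first and bail out with `if (sid_str == NULL) goto done;`, or the function's equivalent error return, before building the filter. A short comment on the helper stating that it can return NULL and that the string is owned by `final_ctx` would help callers.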
@@ -791,7 +811,8 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
filter = talloc_asprintf(mem_ctx,
"(&(%s=%s)"
"(|(objectClass=%s)(objectClass=%s)))",
- LDAP_ATTRIBUTE_SID, sid_string_talloc(mem_ctx, sid),
+ LDAP_ATTRIBUTE_SID,
+ sid_talloc_string(priv->idmap_ctx, mem_ctx, sid),
LDAP_OBJ_GROUPMAP, LDAP_OBJ_SAMBASAMACCOUNT);
if (filter == NULL) {
DEBUG(5, ("talloc_asprintf failed\n"));
@@ -933,7 +954,7 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx,
user_sid_string, &user_sid);
if (err != IDMAP_SUCCESS) {
- DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
+ DEBUG(3, ("Error creating sid structure for sid '%s'\n",
user_sid_string));
goto done;
}
@@ -1045,7 +1066,7 @@ found:
err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx,
group_sid_string, &group_sid);
if (err != IDMAP_SUCCESS) {
- DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
+ DEBUG(3, ("Error creating sid structure for sid '%s'\n",
group_sid_string));
goto done;
}
@@ -1588,11 +1609,11 @@ static bool ipasam_search_grouptype(struct pdb_methods *methods,
state->base = talloc_strdup(search, ipasam_state->base_dn);
state->connection = ipasam_state->ldap_state;
state->scope = LDAP_SCOPE_SUBTREE;
- state->filter = talloc_asprintf(search, "(&(objectclass=%s)"
- "(%s=%s*))",
- LDAP_OBJ_GROUPMAP,
- LDAP_ATTRIBUTE_SID,
- sid_string_talloc(search, sid));
+ state->filter = talloc_asprintf(search, "(&(objectclass=%s)(%s=%s*))",
+ LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID,
+ sid_talloc_string(
+ ipasam_state->idmap_ctx,
+ search, sid));
state->attrs = talloc_attrs(search, "cn", LDAP_ATTRIBUTE_SID,
"displayName", "description",
NULL);
@@ -2403,7 +2424,7 @@ static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
char *sid_str;
bool ok;
- sid_str = sid_string_talloc(mem_ctx, sid);
+ sid_str = sid_talloc_string(ipasam_state->idmap_ctx, mem_ctx, sid);
if (sid_str == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -2584,7 +2605,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
if (!is_null_sid(&td->security_identifier)) {
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_TRUST_SID,
- sid_string_talloc(tmp_ctx, &td->security_identifier));
+ sid_talloc_string(ipasam_state->idmap_ctx,
+ tmp_ctx, &td->security_identifier));
}
if (td->trust_type != 0) {
--
2.20.1


@ -1,161 +0,0 @@
From 93fb037d8409d9d46606c31d8a240e3963b72651 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Wed, 6 Feb 2019 13:47:01 +0100
Subject: [PATCH 1/3] Compile IPA modules with C11 extensions
- define __STDC_WANT_LIB_EXT1__ to get C11 extensions like memset_s() for
Samba's ZERO_STRUCT() macro, see
https://en.cppreference.com/w/c/string/byte/memset
- _DEFAULT_SOURCE enables features like htole16() from endian.h, see
http://man7.org/linux/man-pages/man3/endian.3.html
- _POSIX_C_SOURCE >= 200809 enables features like strndup() from string.h,
see http://man7.org/linux/man-pages/man3/strndup.3.html
- time_t is no longer implicitly defined, include time.h
- typeof() is only available as GNU extension. Use explicit types
instead of generic __typeof__().
Fixes: https://pagure.io/freeipa/issue/7858
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
configure.ac | 12 +++++++++---
daemons/ipa-slapi-plugins/libotp/otp_config.c | 4 ++--
util/ipa_krb5.h | 1 +
3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index df8d063b1..7ef0f560c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -18,15 +18,21 @@ AC_CONFIG_HEADERS([config.h])
AM_INIT_AUTOMAKE([foreign 1.9 tar-pax])
m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
+dnl enable C11 extensions for features like memset_s()
+CFLAGS+=" -D__STDC_WANT_LIB_EXT1__=1"
+dnl enable features like htole16()
+CFLAGS+=" -D_DEFAULT_SOURCE=1"
+dnl Enable features like strndup()
+CFLAGS+=" -D_POSIX_C_SOURCE=200809L"
+dnl fail hard when includes statements are missing
+CFLAGS+=" -Werror=implicit-function-declaration"
+
AC_PROG_CC_C99
AC_DISABLE_STATIC
LT_INIT
AC_HEADER_STDC
-dnl fail hard when includes statements are missing
-CFLAGS+=" -Werror=implicit-function-declaration"
-
PKG_PROG_PKG_CONFIG
AC_ARG_ENABLE([server],
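Review bot: The comment `dnl enable C11 extensions for features like memset_s()` promises more than `-D__STDC_WANT_LIB_EXT1__=1` delivers: the macro only exposes memset_s() when the C library implements the optional Annex K interfaces, and patch 3/3 of this same series states that memset_s() is undefined on F30. I would reword it to `dnl request C11 Annex K declarations (memset_s) where libc provides them`, so nobody assumes a secure-zeroing primitive is guaranteed. The three `-D` additions are preprocessor settings, so CPPFLAGS is the more conventional home, e.g. `CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE=1"`, which also avoids the non-POSIX `+=` assignment.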
diff --git a/daemons/ipa-slapi-plugins/libotp/otp_config.c b/daemons/ipa-slapi-plugins/libotp/otp_config.c
index 685b2d9d2..949b9136c 100644
--- a/daemons/ipa-slapi-plugins/libotp/otp_config.c
+++ b/daemons/ipa-slapi-plugins/libotp/otp_config.c
@@ -217,7 +217,7 @@ struct otp_config *otp_config_init(Slapi_ComponentId *plugin_id)
void *node = NULL;
int search_result = 0;
- cfg = (typeof(cfg)) slapi_ch_calloc(1, sizeof(*cfg));
+ cfg = (struct otp_config *) slapi_ch_calloc(1, sizeof(*cfg));
cfg->plugin_id = plugin_id;
/* Build the config table. */
@@ -229,7 +229,7 @@ struct otp_config *otp_config_init(Slapi_ComponentId *plugin_id)
struct record *rec;
/* Create the config entry. */
- rec = (typeof(rec)) slapi_ch_calloc(1, sizeof(*rec));
+ rec = (struct record *) slapi_ch_calloc(1, sizeof(*rec));
rec->spec = specs[i];
rec->sdn = make_sdn(rec->spec->prefix, sfx);
diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h
index 60a8ced5d..f64b39c69 100644
--- a/util/ipa_krb5.h
+++ b/util/ipa_krb5.h
@@ -1,5 +1,6 @@
#pragma once
+#include <time.h>
#include <lber.h>
#include <krb5/krb5.h>
#include <kdb.h>
--
2.20.1
From d4d0b8a04642fc21167342b6bee998846159e605 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 7 Feb 2019 11:29:36 +0100
Subject: [PATCH 2/3] Update build requirements on twine
On Fedora >= 29 the command 'twine' is provided by the twine package. On
F28 it's in python3-twine. F30 no longer has python3-twine.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
freeipa.spec.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ed1d6c167..14892965f 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -195,7 +195,11 @@ BuildRequires: python3-six
BuildRequires: dbus-glib-devel
BuildRequires: libffi-devel
BuildRequires: python3-tox
+%if 0%{?fedora} <= 28
BuildRequires: python3-twine
+%else
+BuildRequires: twine
+%endif
BuildRequires: python3-wheel
%endif # with_wheels
--
2.20.1
From 272837f1c07729392cdbc88b99a221390d01e70d Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 7 Feb 2019 12:11:42 +0100
Subject: [PATCH 3/3] Remove ZERO_STRUCT() call
ipa_sam uses Samba's macro ZERO_STRUCT() to safely zero out a block in
memory. On F30 ZERO_STRUCT() is currently broken, because it uses the
undefined C11 function memset_s().
During investigation of the bug, it turned out that
ZERO_STRUCT(td->security_identifier) is not needed. The whole td struct
is allocated with talloc_zero(), so td->security_identifier is already
zeroed.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1672231
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-sam/ipa_sam.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 675a511f0..b1e0294e3 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -2179,7 +2179,6 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
if (dummy == NULL) {
DEBUG(9, ("Attribute %s not present.\n",
LDAP_ATTRIBUTE_TRUST_SID));
- ZERO_STRUCT(td->security_identifier);
} else {
err = sss_idmap_sid_to_smb_sid(ipasam_state->idmap_ctx,
dummy, &sid);
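Review bot: With `ZERO_STRUCT(td->security_identifier);` removed, the `dummy == NULL` branch in fill_pdb_trusted_domain depends on `td` having been zero-allocated, which per the commit message happens via talloc_zero() outside this hunk. A one-line comment in the branch would keep that assumption visible to the next reader: `/* td is talloc_zero()ed, so security_identifier is already all-zero */`. Without it, a later change to how `td` is allocated could silently leave the SID uninitialised for code that tests it.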
--
2.20.1