Run upgrade under empty DIR: ccache collection

2018-03-21 13:44:28 +02:00 · 2018-03-21 13:44:28 +02:00 · 533fcd195a
commit 533fcd195a
parent 4bae5f4bc8
3 changed files with 79 additions and 90 deletions
--- a/0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch
+++ b/0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch
@ -0,0 +1,74 @@
+From fa7b54356d9b8c0d7b3b5788f527ef3eecdf58b8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 21 Mar 2018 10:33:32 +0200
+Subject: [PATCH] upgrade: Run configuration upgrade under empty ccache
+ collection
+
+Use temporary empty DIR-based ccache collection to prevent upgrade
+failures in case KCM: or KEYRING: ccache type is used by default in
+krb5.conf and is not available. We don't need any user credentials
+during upgrade procedure but kadmin.local would attempt to resolve
+default ccache and if that's not available, kadmin.local will fail.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/install/server/upgrade.py | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index a38f4115c..5212a2749 100644
+--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
+@@ -11,6 +11,7 @@ import shutil
+ import pwd
+ import fileinput
+ import sys
+from contextlib import contextmanager
+ from augeas import Augeas
+ import dns.exception
+ from ipalib import api, x509
+@@ -1926,6 +1927,30 @@ def upgrade_check(options):
+         logger.warning("Upgrade without version check may break your system")
+ 
+ 
+@contextmanager
+def empty_ccache():
+    # Create temporary directory and use it as a DIR: ccache collection
+    # instead of whatever is a default in /etc/krb5.conf
+    #
+    # In Fedora 28 KCM: became a default credentials cache collection
+    # but if KCM daemon (part of SSSD) is not running, libkrb5 will fail
+    # to initialize. This causes kadmin.local to fail.
+    # Since we are in upgrade, we cannot kinit anyway (KDC is offline).
+    # Bug https://bugzilla.redhat.com/show_bug.cgi?id=1558818
+    kpath_dir = tempfile.mkdtemp(prefix="upgrade_ccaches", dir=paths.IPA_CCACHES)
+    kpath = "DIR:{dir}s".format(dir=kpath_dir)
+    old_path = os.getenv('KRB5CCNAME')
+    try:
+        os.environ['KRB5CCNAME'] = kpath
+        yield
+    finally:
+        if old_path:
+            os.environ['KRB5CCNAME'] = old_path
+        for f in os.listdir(kpath_dir):
+            os.remove(os.path.join(kpath_dir, f))
+        os.rmdir(kpath_dir)
+
+
+ def upgrade():
+     realm = api.env.realm
+     schema_files = [os.path.join(paths.USR_SHARE_IPA_DIR, f) for f
+@@ -1950,7 +1975,8 @@ def upgrade():
+ 
+     print('Upgrading IPA services')
+     logger.info('Upgrading the configuration of the IPA services')
+-    upgrade_configuration()
+    with empty_ccache():
+        upgrade_configuration()
+     logger.info('The IPA services were upgraded')
+ 
+     # store new data version after upgrade
+-- 
+2.14.3
+
--- a/0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch
+++ b/0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch
@ -1,88 +0,0 @@
-From c25c5c1c85d4ee3aaea7c62a32134c0af56b9004 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 21 Mar 2018 10:33:32 +0200
-Subject: [PATCH] upgrade: Run configuration upgrade under file-based ccache
-
-Use anonymous file-based ccache to prevent upgrade failures
-in case KCM: or KEYRING: ccache type is used by default
-in krb5.conf and is not available. We don't need any user
-credentials during upgrade procedure but kadmin.local
-would attempt to resolve default ccache and if that's not
-available, kadmin.local will fail.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
- ipaserver/install/server/upgrade.py | 39 +++++++++++++++++++++++++++++++++++--
- 1 file changed, 37 insertions(+), 2 deletions(-)
-
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index a38f4115c..00389a914 100644
--- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -11,10 +11,11 @@ import shutil
- import pwd
- import fileinput
- import sys
-+from contextlib import contextmanager
- from augeas import Augeas
- import dns.exception
- from ipalib import api, x509
-from ipalib.install import certmonger, sysrestore
-+from ipalib.install import certmonger, sysrestore, kinit
- import SSSDConfig
- import ipalib.util
- import ipalib.errors
-@@ -1926,6 +1927,32 @@ def upgrade_check(options):
-         logger.warning("Upgrade without version check may break your system")
- 
- 
-+@contextmanager
-+def anonymous_ccache():
-+    kpath = os.path.join(paths.IPA_CCACHES,
-+                         "upgrade_ccache_{}".format(os.getpid()))
-+
-+    try:
-+        logger.debug('Obtaining anonymous creds in ccache %s', kpath)
-+        kinit.kinit_armor(
-+            kpath,
-+            pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
-+        )
-+        kdestroy = True
-+    except RuntimeError:
-+        logger.error("Failed to obtain anonymous creds cache")
-+        kdestroy = False
-+    old_path = os.getenv('KRB5CCNAME')
-+    try:
-+        os.environ['KRB5CCNAME'] = kpath
-+        yield
-+    finally:
-+        if old_path:
-+            os.environ['KRB5CCNAME'] = old_path
-+        if kdestroy:
-+            installutils.remove_ccache(kpath)
-+
-+
- def upgrade():
-     realm = api.env.realm
-     schema_files = [os.path.join(paths.USR_SHARE_IPA_DIR, f) for f
-@@ -1950,7 +1977,15 @@ def upgrade():
- 
-     print('Upgrading IPA services')
-     logger.info('Upgrading the configuration of the IPA services')
-    upgrade_configuration()
-+    # Use anonymous file-based ccache to prevent upgrade failures
-+    # in case KCM: or KEYRING: ccache type is used by default
-+    # in krb5.conf and is not available. We don't need any user
-+    # credentials during upgrade procedure but kadmin.local
-+    # would attempt to resolve default ccache and if that's not
-+    # available, kadmin.local will fail.
-+    # Bug https://bugzilla.redhat.com/show_bug.cgi?id=1558818
-+    with anonymous_ccache():
-+        upgrade_configuration()
-     logger.info('The IPA services were upgraded')
- 
-     # store new data version after upgrade
-- 
-2.14.3
-
--- a/freeipa.spec
+++ b/freeipa.spec
@ -100,7 +100,7 @@

 Name:           freeipa
 Version:        %{VERSION}
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        The Identity, Policy and Audit system

 Group:          System Environment/Base
@ -110,7 +110,7 @@ Source0:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
 Patch0001:      0001-Processing-of-server-roles-should-ignore-errors.Empt.patch
 Patch0002:      0002-Update-template-directory-with-new-variables-when-up.patch
-Patch0003:      0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch
+Patch0003:      0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch
 Patch0004:      0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch  

 # For the timestamp trick in patch application
@ -1720,6 +1720,9 @@ fi
 %endif # with_ipatests

 %changelog
+* Tue Mar 21 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-6
+- Change upgrade code to use DIR-based ccache and no kinit (#1558818)
+
 * Tue Mar 20 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-5
 - Apply upstream fix for #1558354
 - Run upgrade under file-based ccache (#1558818)