diff --git a/0005-Fix-upgrade-update_replica_config-in-single-master-m.patch b/0005-Fix-upgrade-update_replica_config-in-single-master-m.patch
deleted file mode 100644
index 7c3d6b4..0000000
--- a/0005-Fix-upgrade-update_replica_config-in-single-master-m.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 7c8fd5630da2de5d3c88cd5fec7787427259f123 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale
-Date: Mon, 16 Apr 2018 16:02:03 +1000
-Subject: [PATCH 40/92] Fix upgrade (update_replica_config) in single master
- mode
-
-Commit afc0d4b62d043cd568ce87400f60e8fa8273495f added an upgrade
-step that add an attribute to a replica config entry. The entry
-only exists after a replica has been added, so upgrade was broken
-for standalone server. Catch and suppress the NotFound error.
-
-Related to: https://pagure.io/freeipa/issue/7488
-
-Reviewed-By: Christian Heimes
----
- ipaserver/install/server/upgrade.py | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index ed845027a..31c09d85d 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -1642,7 +1642,11 @@ def update_replica_config(db_suffix):
- ('cn', 'replica'), ('cn', db_suffix), ('cn', 'mapping tree'),
- ('cn', 'config')
- )
-- entry = api.Backend.ldap2.get_entry(dn)
-+ try:
-+ entry = api.Backend.ldap2.get_entry(dn)
-+ except ipalib.errors.NotFound:
-+ return # entry does not exist until a replica is installed
-+
- if 'nsds5replicareleasetimeout' not in entry:
- # See https://pagure.io/freeipa/issue/7488
- logger.info("Adding nsds5replicaReleaseTimeout=60 to %s", dn)
---
-2.14.3
-
diff --git a/0005-Fix-upgrade-when-named.conf-does-not-exist.patch b/0005-Fix-upgrade-when-named.conf-does-not-exist.patch
new file mode 100644
index 0000000..5fb7ded
--- /dev/null
+++ b/0005-Fix-upgrade-when-named.conf-does-not-exist.patch
@@ -0,0 +1,114 @@
+commit 421fc376ccb8668c07692d3a3394a5869dc97296
+Author: Fraser Tweedale
+Date: Wed Mar 28 16:05:05 2018 +1100
+
+ Fix upgrade when named.conf does not exist
+
+ Commit aee0d2180c7119bef30ab7cafea81dc3df1170b7 adds an upgrade step
+ that adds system crypto policy include to named.conf. This step
+ omitted the named.conf existence check; upgrade fails when it does
+ not exist. Add the existence check.
+
+ Also update the test to add the IPA-related part of the named.conf
+ config, because the "existence check" actually does more than just
+ check that the file exists - it also check that it contains the IPA
+ bind-dyndb-ldap configuration section.
+
+ Part of: https://pagure.io/freeipa/issue/4853
+
+ Reviewed-By: Christian Heimes
+
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 5cf537201..cd70cc983 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -93,6 +93,10 @@ def create_reverse():
+
+
+def named_conf_exists():
++ """
++ Checks that named.conf exists AND that it contains IPA-related config.
++
++ """
+ try:
+ with open(paths.NAMED_CONF, 'r') as named_fd:
+ lines = named_fd.readlines()
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index c192f4fff..07d783445 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -905,6 +905,10 @@ def named_add_server_id():
+ def named_add_crypto_policy():
+ """Add crypto policy include
+ """
++ if not bindinstance.named_conf_exists():
++ logger.info('DNS is not configured')
++ return False
++
+ if sysupgrade.get_upgrade_state('named.conf', 'add_crypto_policy'):
+ # upgrade was done already
+ return False
+diff --git a/ipatests/test_ipaserver/test_install/test_bindinstance.py b/ipatests/test_ipaserver/test_install/test_bindinstance.py
+index 6b072ad8a..b88b93194 100644
+--- a/ipatests/test_ipaserver/test_install/test_bindinstance.py
++++ b/ipatests/test_ipaserver/test_install/test_bindinstance.py
+@@ -24,7 +24,6 @@ options {
+ include "random/file";
+ """
+
+-
+ EXPECTED_CONFIG = """
+ options {
+ \tdnssec-enable yes;
+@@ -35,6 +34,12 @@ options {
+ include "random/file";
+ """
+
++# bindinstance.named_conf_exists() looks for a section like this
++IPA_DYNDB_CONFIG = """
++dyndb "ipa" "/usr/lib/bind/ldap.so" {
++};
++"""
++
+ POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
+
+
+@@ -53,14 +58,16 @@ def test_add_crypto_policy(m_set, m_get, namedconf):
+ m_get.return_value = False
+ with open(namedconf, 'w') as f:
+ f.write(TEST_CONFIG)
++ f.write(IPA_DYNDB_CONFIG)
+
+- named_add_crypto_policy()
++ result = named_add_crypto_policy()
++ assert result
+ m_get.assert_called_with('named.conf', 'add_crypto_policy')
+ m_set.assert_called_with('named.conf', 'add_crypto_policy', True)
+
+ with open(namedconf) as f:
+ content = f.read()
+- assert content == EXPECTED_CONFIG
++ assert content == ''.join([EXPECTED_CONFIG, IPA_DYNDB_CONFIG])
+
+ m_get.reset_mock()
+ m_set.reset_mock()
+@@ -69,3 +76,19 @@ def test_add_crypto_policy(m_set, m_get, namedconf):
+ named_add_crypto_policy()
+ m_get.assert_called_with('named.conf', 'add_crypto_policy')
+ m_set.assert_not_called()
++
++
++@patch('ipaserver.install.sysupgrade.get_upgrade_state')
++@patch('ipaserver.install.sysupgrade.set_upgrade_state')
++def test_add_crypto_policy_no_ipa(m_set, m_get, namedconf):
++ # Test if the update step is skipped when named.conf doesn't contain
++ # IPA related settings.
++ m_get.return_value = False
++ with open(namedconf, 'w') as f:
++ f.write(TEST_CONFIG)
++
++ result = named_add_crypto_policy()
++ assert not result
++
++ m_get.assert_not_called()
++ m_set.assert_not_called()
diff --git a/freeipa.spec b/freeipa.spec
index 705bd94..3e45908 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -112,7 +112,7 @@ Patch0001: 0001-Processing-of-server-roles-should-ignore-errors.Empt.patch
 Patch0002: 0002-Update-template-directory-with-new-variables-when-up.patch
 Patch0003: 0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch
 Patch0004: 0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch
-Patch0005: 0005-Fix-upgrade-update_replica_config-in-single-master-m.patch
+Patch0005: 0005-Fix-upgrade-when-named.conf-does-not-exist.patch
 # For the timestamp trick in patch application BuildRequires: diffstat
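Review bot: In the embedded `upgrade.py` hunk, the new guard in `named_add_crypto_policy()` logs `'DNS is not configured'` for every false result of `bindinstance.named_conf_exists()`, and the docstring added in the same patch says that also covers a named.conf that exists but has no IPA section. On such a host the system crypto-policy include is skipped and the upgrade log does not say why, so I would make the message state what was decided: `logger.info('named.conf is missing or has no IPA section; crypto policy include not added')`. The new test `test_add_crypto_policy_no_ipa` exercises only the no-IPA-section case; the missing-file case from the commit message is untested, and could be covered by calling `named_add_crypto_policy()` without writing `namedconf` first, assuming the fixture does not create the file. The rest of `named_add_crypto_policy()` lies outside the hunk.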
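Review bot: Reusing the `Patch0005` slot removes `0005-Fix-upgrade-update_replica_config-in-single-master-m.patch` from the build, and nothing visible in this commit shows that its `NotFound` handling in `update_replica_config()` is already part of the packaged source. If it is not, upgrade on a server without replicas would presumably fail again, which is the failure that patch's description reports. I would keep it and add the named.conf fix under a new `Patch0006:` entry, or state in the commit message why dropping it is safe.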