diff --git a/0001-Fix-detection-of-KRA-installation-so-upgrades-can-su.patch b/0001-Fix-detection-of-KRA-installation-so-upgrades-can-su.patch
new file mode 100644
index 0000000..8604f08
--- /dev/null
+++ b/0001-Fix-detection-of-KRA-installation-so-upgrades-can-su.patch
@@ -0,0 +1,71 @@
+From 8821f7ae8e666b4ae42e232c672d616bf7fbffeb Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Sun, 4 Feb 2018 11:40:24 -0500
+Subject: [PATCH] Fix detection of KRA installation so upgrades can succeed
+
+Use is_installed() instead of is_configured() because
+is_installed() does a config file check to see if the service
+is in use.
+
+https://pagure.io/freeipa/issue/7389
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/install/server/upgrade.py | 4 ++--
+ ipatests/test_integration/test_upgrade.py | 21 +++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+ create mode 100644 ipatests/test_integration/test_upgrade.py
+
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 07cc18a78..23173c0ca 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1710,7 +1710,7 @@ def upgrade_configuration():
+ )
+ upgrade_pki(ca, fstore)
+
+- if kra.is_configured():
++ if kra.is_installed():
+ logger.info('[Ensuring ephemeralRequest is enabled in KRA]')
+ kra.backup_config()
+ value = installutils.get_directive(
+@@ -1728,7 +1728,7 @@ def upgrade_configuration():
+ # by checking status using http
+ if ca.is_configured():
+ ca.start('pki-tomcat')
+- if kra.is_configured() and not kra.is_running():
++ if kra.is_installed() and not kra.is_running():
+ # This is for future-proofing in case the KRA is ever standalone.
+ kra.start('pki-tomcat')
+
+diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
+new file mode 100644
+index 000000000..951747b0b
+--- /dev/null
++++ b/ipatests/test_integration/test_upgrade.py
+@@ -0,0 +1,21 @@
++#
++# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
++#
++
++"""
++Module provides tests to verify that the upgrade script works.
++"""
++
++from ipatests.test_integration.base import IntegrationTest
++from ipatests.pytest_plugins.integration import tasks
++
++
++class TestUpgrade(IntegrationTest):
++ @classmethod
++ def install(cls, mh):
++ tasks.install_master(cls.master, setup_dns=False)
++
++ def test_invoke_upgrader(self):
++ cmd = self.master.run_command(['ipa-server-upgrade'],
++ raiseonerr=False)
++ assert cmd.returncode == 0
+--
+2.14.3
+
diff --git a/0002-Replace-wsgi-package-conflict-with-config-file.patch b/0002-Replace-wsgi-package-conflict-with-config-file.patch
new file mode 100644
index 0000000..29bd3d6
--- /dev/null
+++ b/0002-Replace-wsgi-package-conflict-with-config-file.patch
@@ -0,0 +1,252 @@
+From 748ca34eae43f50b2c9e3ff3295b6ad490633df2 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Tue, 6 Feb 2018 10:05:49 +0100
+Subject: [PATCH] Replace wsgi package conflict with config file
+
+Instead of a package conflict, freeIPA now uses an Apache config file to
+enforce the correct wsgi module. The workaround only applies to Fedora
+since it is the only platform that permits parallel installation of
+Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
+Debian doesn't permit installation of both variants.
+
+See: https://pagure.io/freeipa/issue/7161
+Fixes: https://pagure.io/freeipa/issue/7394
+Signed-off-by: Christian Heimes
+---
+ install/share/Makefile.am | 1 +
+ install/share/ipa-httpd-wsgi.conf.template | 7 +++++++
+ ipaplatform/base/constants.py | 4 ++++
+ ipaplatform/base/paths.py | 2 ++
+ ipaplatform/base/tasks.py | 4 ++++
+ ipaplatform/debian/tasks.py | 5 +++++
+ ipaplatform/fedora/constants.py | 6 +++++-
+ ipaplatform/fedora/paths.py | 4 +++-
+ ipaplatform/redhat/tasks.py | 31 ++++++++++++++++++++++++++++++
+ ipaserver/install/httpinstance.py | 7 ++++++-
+ ipaserver/install/server/upgrade.py | 7 +++++++
+ 11 files changed, 75 insertions(+), 3 deletions(-)
+ create mode 100644 install/share/ipa-httpd-wsgi.conf.template
+
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index b1285854ea..abdf3ac648 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -85,6 +85,7 @@ dist_app_DATA = \
+ kdcproxy-enable.uldif \
+ kdcproxy-disable.uldif \
+ ipa-httpd.conf.template \
++ ipa-httpd-wsgi.conf.template \
+ gssapi.login \
+ gssproxy.conf.template \
+ kdcproxy.wsgi \
+diff --git a/install/share/ipa-httpd-wsgi.conf.template b/install/share/ipa-httpd-wsgi.conf.template
+new file mode 100644
+index 0000000000..89d424665a
+--- /dev/null
++++ b/install/share/ipa-httpd-wsgi.conf.template
+@@ -0,0 +1,7 @@
++# Do not edit. Created by IPA installer.
++
++# Some platforms allow parallel installation of Python 2 and 3 mod_wsgi
++# modules, but the modules can't coexist. Enforce loading of correct
++# WSGI module before the package's default config.
++
++LoadModule wsgi_module $WSGI_MODULE
+diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
+index 94bd0f8a10..ca4a12ec01 100644
+--- a/ipaplatform/base/constants.py
++++ b/ipaplatform/base/constants.py
+@@ -39,5 +39,9 @@ class BaseConstantsNamespace(object):
+ SSSD_USER = "sssd"
+ # sql (new format), dbm (old format)
+ NSS_DEFAULT_DBTYPE = 'dbm'
++ # WSGI module override, only used on Fedora
++ MOD_WSGI_PYTHON2 = None
++ MOD_WSGI_PYTHON3 = None
++
+
+ constants = BaseConstantsNamespace()
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index 3bb32416d6..753e8e80e7 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -48,6 +48,8 @@ class BasePathNamespace(object):
+ HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
+ HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
+ HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
++ # only used on Fedora
++ HTTPD_IPA_WSGI_MODULES_CONF = None
+ OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
+ HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
+ HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
+diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
+index 8f73eaddc2..d4b56318e3 100644
+--- a/ipaplatform/base/tasks.py
++++ b/ipaplatform/base/tasks.py
+@@ -211,6 +211,10 @@ def remove_httpd_service_ipa_conf(self):
+ """Remove configuration of httpd service of IPA"""
+ raise NotImplementedError()
+
++ def configure_httpd_wsgi_conf(self):
++ """Configure WSGI for correct Python version"""
++ raise NotImplementedError()
++
+ def is_fips_enabled(self):
+ return False
+
+diff --git a/ipaplatform/debian/tasks.py b/ipaplatform/debian/tasks.py
+index 6c41a35e77..4537260146 100644
+--- a/ipaplatform/debian/tasks.py
++++ b/ipaplatform/debian/tasks.py
+@@ -47,4 +47,9 @@ def restore_auth_configuration(path):
+ def parse_ipa_version(version):
+ return BaseTaskNamespace.parse_ipa_version(version)
+
++ def configure_httpd_wsgi_conf(self):
++ # Debian doesn't require special mod_wsgi configuration
++ pass
++
++
+ tasks = DebianTaskNamespace()
+diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py
+index ce03f58cf9..79e7bd9a5e 100644
+--- a/ipaplatform/fedora/constants.py
++++ b/ipaplatform/fedora/constants.py
+@@ -11,6 +11,10 @@
+
+
+ class FedoraConstantsNamespace(RedHatConstantsNamespace):
+- pass
++ # Fedora allows installation of Python 2 and 3 mod_wsgi, but the modules
++ # can't coexist. For Apache to load correct module.
++ MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
++ MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"
++
+
+ constants = FedoraConstantsNamespace()
+diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
+index 49a904f2f2..5238cdb4f4 100644
+--- a/ipaplatform/fedora/paths.py
++++ b/ipaplatform/fedora/paths.py
+@@ -27,7 +27,9 @@
+
+
+ class FedoraPathNamespace(RedHatPathNamespace):
+- pass
++ HTTPD_IPA_WSGI_MODULES_CONF = (
++ "/etc/httpd/conf.modules.d/02-ipa-wsgi.conf"
++ )
+
+
+ paths = FedoraPathNamespace()
+diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
+index 79bd5335ea..701c280ec0 100644
+--- a/ipaplatform/redhat/tasks.py
++++ b/ipaplatform/redhat/tasks.py
+@@ -30,6 +30,7 @@
+ import socket
+ import traceback
+ import errno
++import sys
+
+ from ctypes.util import find_library
+ from functools import total_ordering
+@@ -484,6 +485,36 @@ def configure_http_gssproxy_conf(self, ipaapi_user):
+ os.chmod(paths.GSSPROXY_CONF, 0o600)
+ self.restore_context(paths.GSSPROXY_CONF)
+
++ def configure_httpd_wsgi_conf(self):
++ """Configure WSGI for correct Python version (Fedora)
++
++ See https://pagure.io/freeipa/issue/7394
++ """
++ conf = paths.HTTPD_IPA_WSGI_MODULES_CONF
++ if sys.version_info.major == 2:
++ wsgi_module = constants.MOD_WSGI_PYTHON2
++ else:
++ wsgi_module = constants.MOD_WSGI_PYTHON3
++
++ if conf is None or wsgi_module is None:
++ logger.info("Nothing to do for configure_httpd_wsgi_conf")
++ return
++
++ confdir = os.path.dirname(conf)
++ if not os.path.isdir(confdir):
++ os.makedirs(confdir)
++
++ ipautil.copy_template_file(
++ os.path.join(
++ paths.USR_SHARE_IPA_DIR, 'ipa-httpd-wsgi.conf.template'
++ ),
++ conf,
++ dict(WSGI_MODULE=wsgi_module)
++ )
++
++ os.chmod(conf, 0o644)
++ self.restore_context(conf)
++
+ def remove_httpd_service_ipa_conf(self):
+ """Remove systemd config for httpd service of IPA"""
+ try:
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 8f3b5937fd..46764e6aa7 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -213,6 +213,7 @@ def remove_httpd_ccaches(self):
+
+ def __configure_http(self):
+ self.update_httpd_service_ipa_conf()
++ self.update_httpd_wsgi_conf()
+
+ target_fname = paths.HTTPD_IPA_CONF
+ http_txt = ipautil.template_file(
+@@ -508,6 +509,9 @@ def enable_and_start_oddjobd(self):
+ def update_httpd_service_ipa_conf(self):
+ tasks.configure_httpd_service_ipa_conf()
+
++ def update_httpd_wsgi_conf(self):
++ tasks.configure_httpd_wsgi_conf()
++
+ def uninstall(self):
+ if self.is_configured():
+ self.print_msg("Unconfiguring web server")
+@@ -564,7 +568,8 @@ def uninstall(self):
+ installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
+ installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
+ installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
+- tasks.remove_httpd_service_ipa_conf()
++ if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None:
++ installutils.remove_file(paths.HTTPD_IPA_WSGI_MODULES_CONF)
+
+ # Restore SELinux boolean states
+ boolean_states = {name: self.restore_state(name)
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 07cc18a78c..b12d80f105 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1458,11 +1458,17 @@ def update_mod_nss_cipher_suite(http):
+ 'cipher_suite_updated',
+ httpinstance.NSS_CIPHER_REVISION)
+
++
+ def update_ipa_httpd_service_conf(http):
+ logger.info('[Updating HTTPD service IPA configuration]')
+ http.update_httpd_service_ipa_conf()
+
+
++def update_ipa_http_wsgi_conf(http):
++ logger.info('[Updating HTTPD service IPA WSGI configuration]')
++ http.update_httpd_wsgi_conf()
++
++
+ def update_http_keytab(http):
+ logger.info('[Moving HTTPD service keytab to gssproxy]')
+ if os.path.exists(paths.OLD_IPA_KEYTAB):
+@@ -1782,6 +1788,7 @@ def upgrade_configuration():
+ http.stop()
+ disable_httpd_system_trust(http)
+ update_ipa_httpd_service_conf(http)
++ update_ipa_http_wsgi_conf(http)
+ update_mod_nss_protocol(http)
+ update_mod_nss_cipher_suite(http)
+ disable_mod_nss_ocsp(http)
diff --git a/freeipa.spec b/freeipa.spec
index b8c4ab4..d49a402 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -88,7 +88,7 @@ Name: freeipa Version: %{VERSION} -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base
@@ -98,6 +98,10 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +# https://pagure.io/freeipa/issue/7389 +Patch0001: 0001-Fix-detection-of-KRA-installation-so-upgrades-can-su.patch +# https://pagure.io/freeipa/issue/7394 +Patch0002: 0002-Replace-wsgi-package-conflict-with-config-file.patch # For the timestamp trick in patch application BuildRequires: diffstat
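Review bot: In the nested `ipaserver/install/httpinstance.py` hunk at `@@ -564,7 +568,8 @@` of patch 0002, `uninstall()` loses its `tasks.remove_httpd_service_ipa_conf()` call: the line is replaced by the new WSGI config cleanup rather than kept next to it. Nothing else visible in this patch removes the httpd service configuration that `update_httpd_service_ipa_conf()` still installs, so an uninstall would presumably leave that IPA-managed file behind on the host. Unless the removal is intentional, keep both steps: the guarded `installutils.remove_file(paths.HTTPD_IPA_WSGI_MODULES_CONF)` followed by `tasks.remove_httpd_service_ipa_conf()`. `uninstall()` starts and ends outside the hunk, so this should be confirmed against the full function.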
@@ -328,14 +332,12 @@ Requires(postun): python3 Requires: python3-gssapi >= 1.2.0-5 Requires: python3-systemd Requires: python3-mod_wsgi -Conflicts: mod_wsgi %else Requires(preun): python2 Requires(postun): python2 Requires: python2-gssapi >= 1.2.0-5 Requires: python2-systemd Requires: mod_wsgi -Conflicts: python3-mod_wsgi %endif Requires: mod_auth_gssapi >= 1.5.0 # 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
@@ -1775,6 +1777,10 @@ fi %endif # with_ipatests %changelog +* Thu Feb 8 2018 Rob Crittenden - 4.6.3-3 +- Don't fail on upgrades if KRA is not installed +- Remove Conflicts between mod_wsgi and python3-mod_wsgi + * Wed Feb 07 2018 Fedora Release Engineering - 4.6.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild