4.6.3-3: fix KRA upgrade issue, remove mod_wsgi confict

- Don't fail on upgrades if KRA is not installed
- Remove Conflicts between mod_wsgi and python3-mod_wsgi
This commit is contained in:
Rob Crittenden 2018-02-08 16:54:42 -05:00
parent d54cd714b4
commit 6c78f950c5
3 changed files with 332 additions and 3 deletions

View File

@ -0,0 +1,71 @@
From 8821f7ae8e666b4ae42e232c672d616bf7fbffeb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sun, 4 Feb 2018 11:40:24 -0500
Subject: [PATCH] Fix detection of KRA installation so upgrades can succeed
Use is_installed() instead of is_configured() because
is_installed() does a config file check to see if the service
is in use.
https://pagure.io/freeipa/issue/7389
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/server/upgrade.py | 4 ++--
ipatests/test_integration/test_upgrade.py | 21 +++++++++++++++++++++
2 files changed, 23 insertions(+), 2 deletions(-)
create mode 100644 ipatests/test_integration/test_upgrade.py
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 07cc18a78..23173c0ca 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1710,7 +1710,7 @@ def upgrade_configuration():
)
upgrade_pki(ca, fstore)
- if kra.is_configured():
+ if kra.is_installed():
logger.info('[Ensuring ephemeralRequest is enabled in KRA]')
kra.backup_config()
value = installutils.get_directive(
@@ -1728,7 +1728,7 @@ def upgrade_configuration():
# by checking status using http
if ca.is_configured():
ca.start('pki-tomcat')
- if kra.is_configured() and not kra.is_running():
+ if kra.is_installed() and not kra.is_running():
# This is for future-proofing in case the KRA is ever standalone.
kra.start('pki-tomcat')
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
new file mode 100644
index 000000000..951747b0b
--- /dev/null
+++ b/ipatests/test_integration/test_upgrade.py
@@ -0,0 +1,21 @@
+#
+# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
+#
+
+"""
+Module provides tests to verify that the upgrade script works.
+"""
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.pytest_plugins.integration import tasks
+
+
+class TestUpgrade(IntegrationTest):
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master, setup_dns=False)
+
+ def test_invoke_upgrader(self):
+ cmd = self.master.run_command(['ipa-server-upgrade'],
+ raiseonerr=False)
+ assert cmd.returncode == 0
--
2.14.3

View File

@ -0,0 +1,252 @@
From 748ca34eae43f50b2c9e3ff3295b6ad490633df2 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 6 Feb 2018 10:05:49 +0100
Subject: [PATCH] Replace wsgi package conflict with config file
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.
See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
install/share/Makefile.am | 1 +
install/share/ipa-httpd-wsgi.conf.template | 7 +++++++
ipaplatform/base/constants.py | 4 ++++
ipaplatform/base/paths.py | 2 ++
ipaplatform/base/tasks.py | 4 ++++
ipaplatform/debian/tasks.py | 5 +++++
ipaplatform/fedora/constants.py | 6 +++++-
ipaplatform/fedora/paths.py | 4 +++-
ipaplatform/redhat/tasks.py | 31 ++++++++++++++++++++++++++++++
ipaserver/install/httpinstance.py | 7 ++++++-
ipaserver/install/server/upgrade.py | 7 +++++++
11 files changed, 75 insertions(+), 3 deletions(-)
create mode 100644 install/share/ipa-httpd-wsgi.conf.template
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index b1285854ea..abdf3ac648 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -85,6 +85,7 @@ dist_app_DATA = \
kdcproxy-enable.uldif \
kdcproxy-disable.uldif \
ipa-httpd.conf.template \
+ ipa-httpd-wsgi.conf.template \
gssapi.login \
gssproxy.conf.template \
kdcproxy.wsgi \
diff --git a/install/share/ipa-httpd-wsgi.conf.template b/install/share/ipa-httpd-wsgi.conf.template
new file mode 100644
index 0000000000..89d424665a
--- /dev/null
+++ b/install/share/ipa-httpd-wsgi.conf.template
@@ -0,0 +1,7 @@
+# Do not edit. Created by IPA installer.
+
+# Some platforms allow parallel installation of Python 2 and 3 mod_wsgi
+# modules, but the modules can't coexist. Enforce loading of correct
+# WSGI module before the package's default config.
+
+LoadModule wsgi_module $WSGI_MODULE
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 94bd0f8a10..ca4a12ec01 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -39,5 +39,9 @@ class BaseConstantsNamespace(object):
SSSD_USER = "sssd"
# sql (new format), dbm (old format)
NSS_DEFAULT_DBTYPE = 'dbm'
+ # WSGI module override, only used on Fedora
+ MOD_WSGI_PYTHON2 = None
+ MOD_WSGI_PYTHON3 = None
+
constants = BaseConstantsNamespace()
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 3bb32416d6..753e8e80e7 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -48,6 +48,8 @@ class BasePathNamespace(object):
HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
+ # only used on Fedora
+ HTTPD_IPA_WSGI_MODULES_CONF = None
OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 8f73eaddc2..d4b56318e3 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -211,6 +211,10 @@ def remove_httpd_service_ipa_conf(self):
"""Remove configuration of httpd service of IPA"""
raise NotImplementedError()
+ def configure_httpd_wsgi_conf(self):
+ """Configure WSGI for correct Python version"""
+ raise NotImplementedError()
+
def is_fips_enabled(self):
return False
diff --git a/ipaplatform/debian/tasks.py b/ipaplatform/debian/tasks.py
index 6c41a35e77..4537260146 100644
--- a/ipaplatform/debian/tasks.py
+++ b/ipaplatform/debian/tasks.py
@@ -47,4 +47,9 @@ def restore_auth_configuration(path):
def parse_ipa_version(version):
return BaseTaskNamespace.parse_ipa_version(version)
+ def configure_httpd_wsgi_conf(self):
+ # Debian doesn't require special mod_wsgi configuration
+ pass
+
+
tasks = DebianTaskNamespace()
diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py
index ce03f58cf9..79e7bd9a5e 100644
--- a/ipaplatform/fedora/constants.py
+++ b/ipaplatform/fedora/constants.py
@@ -11,6 +11,10 @@
class FedoraConstantsNamespace(RedHatConstantsNamespace):
- pass
+ # Fedora allows installation of Python 2 and 3 mod_wsgi, but the modules
+ # can't coexist. For Apache to load correct module.
+ MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
+ MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"
+
constants = FedoraConstantsNamespace()
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 49a904f2f2..5238cdb4f4 100644
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -27,7 +27,9 @@
class FedoraPathNamespace(RedHatPathNamespace):
- pass
+ HTTPD_IPA_WSGI_MODULES_CONF = (
+ "/etc/httpd/conf.modules.d/02-ipa-wsgi.conf"
+ )
paths = FedoraPathNamespace()
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 79bd5335ea..701c280ec0 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -30,6 +30,7 @@
import socket
import traceback
import errno
+import sys
from ctypes.util import find_library
from functools import total_ordering
@@ -484,6 +485,36 @@ def configure_http_gssproxy_conf(self, ipaapi_user):
os.chmod(paths.GSSPROXY_CONF, 0o600)
self.restore_context(paths.GSSPROXY_CONF)
+ def configure_httpd_wsgi_conf(self):
+ """Configure WSGI for correct Python version (Fedora)
+
+ See https://pagure.io/freeipa/issue/7394
+ """
+ conf = paths.HTTPD_IPA_WSGI_MODULES_CONF
+ if sys.version_info.major == 2:
+ wsgi_module = constants.MOD_WSGI_PYTHON2
+ else:
+ wsgi_module = constants.MOD_WSGI_PYTHON3
+
+ if conf is None or wsgi_module is None:
+ logger.info("Nothing to do for configure_httpd_wsgi_conf")
+ return
+
+ confdir = os.path.dirname(conf)
+ if not os.path.isdir(confdir):
+ os.makedirs(confdir)
+
+ ipautil.copy_template_file(
+ os.path.join(
+ paths.USR_SHARE_IPA_DIR, 'ipa-httpd-wsgi.conf.template'
+ ),
+ conf,
+ dict(WSGI_MODULE=wsgi_module)
+ )
+
+ os.chmod(conf, 0o644)
+ self.restore_context(conf)
+
def remove_httpd_service_ipa_conf(self):
"""Remove systemd config for httpd service of IPA"""
try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 8f3b5937fd..46764e6aa7 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -213,6 +213,7 @@ def remove_httpd_ccaches(self):
def __configure_http(self):
self.update_httpd_service_ipa_conf()
+ self.update_httpd_wsgi_conf()
target_fname = paths.HTTPD_IPA_CONF
http_txt = ipautil.template_file(
@@ -508,6 +509,9 @@ def enable_and_start_oddjobd(self):
def update_httpd_service_ipa_conf(self):
tasks.configure_httpd_service_ipa_conf()
+ def update_httpd_wsgi_conf(self):
+ tasks.configure_httpd_wsgi_conf()
+
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring web server")
@@ -564,7 +568,8 @@ def uninstall(self):
installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
- tasks.remove_httpd_service_ipa_conf()
+ if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None:
+ installutils.remove_file(paths.HTTPD_IPA_WSGI_MODULES_CONF)
# Restore SELinux boolean states
boolean_states = {name: self.restore_state(name)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 07cc18a78c..b12d80f105 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1458,11 +1458,17 @@ def update_mod_nss_cipher_suite(http):
'cipher_suite_updated',
httpinstance.NSS_CIPHER_REVISION)
+
def update_ipa_httpd_service_conf(http):
logger.info('[Updating HTTPD service IPA configuration]')
http.update_httpd_service_ipa_conf()
+def update_ipa_http_wsgi_conf(http):
+ logger.info('[Updating HTTPD service IPA WSGI configuration]')
+ http.update_httpd_wsgi_conf()
+
+
def update_http_keytab(http):
logger.info('[Moving HTTPD service keytab to gssproxy]')
if os.path.exists(paths.OLD_IPA_KEYTAB):
@@ -1782,6 +1788,7 @@ def upgrade_configuration():
http.stop()
disable_httpd_system_trust(http)
update_ipa_httpd_service_conf(http)
+ update_ipa_http_wsgi_conf(http)
update_mod_nss_protocol(http)
update_mod_nss_cipher_suite(http)
disable_mod_nss_ocsp(http)

View File

@ -88,7 +88,7 @@
Name: freeipa Name: freeipa
Version: %{VERSION} Version: %{VERSION}
Release: 2%{?dist} Release: 3%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
Group: System Environment/Base Group: System Environment/Base
@ -98,6 +98,10 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# https://pagure.io/freeipa/issue/7389
Patch0001: 0001-Fix-detection-of-KRA-installation-so-upgrades-can-su.patch
# https://pagure.io/freeipa/issue/7394
Patch0002: 0002-Replace-wsgi-package-conflict-with-config-file.patch
# For the timestamp trick in patch application # For the timestamp trick in patch application
BuildRequires: diffstat BuildRequires: diffstat
@ -328,14 +332,12 @@ Requires(postun): python3
Requires: python3-gssapi >= 1.2.0-5 Requires: python3-gssapi >= 1.2.0-5
Requires: python3-systemd Requires: python3-systemd
Requires: python3-mod_wsgi Requires: python3-mod_wsgi
Conflicts: mod_wsgi
%else %else
Requires(preun): python2 Requires(preun): python2
Requires(postun): python2 Requires(postun): python2
Requires: python2-gssapi >= 1.2.0-5 Requires: python2-gssapi >= 1.2.0-5
Requires: python2-systemd Requires: python2-systemd
Requires: mod_wsgi Requires: mod_wsgi
Conflicts: python3-mod_wsgi
%endif %endif
Requires: mod_auth_gssapi >= 1.5.0 Requires: mod_auth_gssapi >= 1.5.0
# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206 # 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
@ -1775,6 +1777,10 @@ fi
%endif # with_ipatests %endif # with_ipatests
%changelog %changelog
* Thu Feb 8 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-3
- Don't fail on upgrades if KRA is not installed
- Remove Conflicts between mod_wsgi and python3-mod_wsgi
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.3-2 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild