4.6.3-3: fix KRA upgrade issue, remove mod_wsgi confict
- Don't fail on upgrades if KRA is not installed - Remove Conflicts between mod_wsgi and python3-mod_wsgi
parent
d54cd714b4
commit
6c78f950c5
@ -0,0 +1,71 @@
|
|||||||
|
From 8821f7ae8e666b4ae42e232c672d616bf7fbffeb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Sun, 4 Feb 2018 11:40:24 -0500
|
||||||
|
Subject: [PATCH] Fix detection of KRA installation so upgrades can succeed
|
||||||
|
|
||||||
|
Use is_installed() instead of is_configured() because
|
||||||
|
is_installed() does a config file check to see if the service
|
||||||
|
is in use.
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/7389
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/install/server/upgrade.py | 4 ++--
|
||||||
|
ipatests/test_integration/test_upgrade.py | 21 +++++++++++++++++++++
|
||||||
|
2 files changed, 23 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 ipatests/test_integration/test_upgrade.py
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
||||||
|
index 07cc18a78..23173c0ca 100644
|
||||||
|
--- a/ipaserver/install/server/upgrade.py
|
||||||
|
+++ b/ipaserver/install/server/upgrade.py
|
||||||
|
@@ -1710,7 +1710,7 @@ def upgrade_configuration():
|
||||||
|
)
|
||||||
|
upgrade_pki(ca, fstore)
|
||||||
|
|
||||||
|
- if kra.is_configured():
|
||||||
|
+ if kra.is_installed():
|
||||||
|
logger.info('[Ensuring ephemeralRequest is enabled in KRA]')
|
||||||
|
kra.backup_config()
|
||||||
|
value = installutils.get_directive(
|
||||||
|
@@ -1728,7 +1728,7 @@ def upgrade_configuration():
|
||||||
|
# by checking status using http
|
||||||
|
if ca.is_configured():
|
||||||
|
ca.start('pki-tomcat')
|
||||||
|
- if kra.is_configured() and not kra.is_running():
|
||||||
|
+ if kra.is_installed() and not kra.is_running():
|
||||||
|
# This is for future-proofing in case the KRA is ever standalone.
|
||||||
|
kra.start('pki-tomcat')
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..951747b0b
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/ipatests/test_integration/test_upgrade.py
|
||||||
|
@@ -0,0 +1,21 @@
|
||||||
|
+#
|
||||||
|
+# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+"""
|
||||||
|
+Module provides tests to verify that the upgrade script works.
|
||||||
|
+"""
|
||||||
|
+
|
||||||
|
+from ipatests.test_integration.base import IntegrationTest
|
||||||
|
+from ipatests.pytest_plugins.integration import tasks
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class TestUpgrade(IntegrationTest):
|
||||||
|
+ @classmethod
|
||||||
|
+ def install(cls, mh):
|
||||||
|
+ tasks.install_master(cls.master, setup_dns=False)
|
||||||
|
+
|
||||||
|
+ def test_invoke_upgrader(self):
|
||||||
|
+ cmd = self.master.run_command(['ipa-server-upgrade'],
|
||||||
|
+ raiseonerr=False)
|
||||||
|
+ assert cmd.returncode == 0
|
||||||
|
--
|
||||||
|
2.14.3
|
||||||
|
|
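Review bot: The new test in ipatests/test_integration/test_upgrade.py only covers a master installed without a KRA, while the changed guards `if kra.is_installed():` and `if kra.is_installed() and not kra.is_running():` in upgrade_configuration() also decide whether the KRA steps run on servers that do have one. If is_installed() ever returned False on such a server, the upgrade would skip the ephemeralRequest check and the KRA start without any message on the skip path (none is visible in these hunks), and this test would still pass. A companion test that runs `ipa-server-upgrade` on a master with the KRA installed, and checks that the `[Ensuring ephemeralRequest is enabled in KRA]` step was reached, would pin the positive case. upgrade_configuration() starts and ends outside the hunks shown.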
252
0002-Replace-wsgi-package-conflict-with-config-file.patch
Normal file
252
0002-Replace-wsgi-package-conflict-with-config-file.patch
Normal file
@ -0,0 +1,252 @@
|
|||||||
|
From 748ca34eae43f50b2c9e3ff3295b6ad490633df2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Heimes <cheimes@redhat.com>
|
||||||
|
Date: Tue, 6 Feb 2018 10:05:49 +0100
|
||||||
|
Subject: [PATCH] Replace wsgi package conflict with config file
|
||||||
|
|
||||||
|
Instead of a package conflict, freeIPA now uses an Apache config file to
|
||||||
|
enforce the correct wsgi module. The workaround only applies to Fedora
|
||||||
|
since it is the only platform that permits parallel installation of
|
||||||
|
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
|
||||||
|
Debian doesn't permit installation of both variants.
|
||||||
|
|
||||||
|
See: https://pagure.io/freeipa/issue/7161
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/7394
|
||||||
|
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||||
|
---
|
||||||
|
install/share/Makefile.am | 1 +
|
||||||
|
install/share/ipa-httpd-wsgi.conf.template | 7 +++++++
|
||||||
|
ipaplatform/base/constants.py | 4 ++++
|
||||||
|
ipaplatform/base/paths.py | 2 ++
|
||||||
|
ipaplatform/base/tasks.py | 4 ++++
|
||||||
|
ipaplatform/debian/tasks.py | 5 +++++
|
||||||
|
ipaplatform/fedora/constants.py | 6 +++++-
|
||||||
|
ipaplatform/fedora/paths.py | 4 +++-
|
||||||
|
ipaplatform/redhat/tasks.py | 31 ++++++++++++++++++++++++++++++
|
||||||
|
ipaserver/install/httpinstance.py | 7 ++++++-
|
||||||
|
ipaserver/install/server/upgrade.py | 7 +++++++
|
||||||
|
11 files changed, 75 insertions(+), 3 deletions(-)
|
||||||
|
create mode 100644 install/share/ipa-httpd-wsgi.conf.template
|
||||||
|
|
||||||
|
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
|
||||||
|
index b1285854ea..abdf3ac648 100644
|
||||||
|
--- a/install/share/Makefile.am
|
||||||
|
+++ b/install/share/Makefile.am
|
||||||
|
@@ -85,6 +85,7 @@ dist_app_DATA = \
|
||||||
|
kdcproxy-enable.uldif \
|
||||||
|
kdcproxy-disable.uldif \
|
||||||
|
ipa-httpd.conf.template \
|
||||||
|
+ ipa-httpd-wsgi.conf.template \
|
||||||
|
gssapi.login \
|
||||||
|
gssproxy.conf.template \
|
||||||
|
kdcproxy.wsgi \
|
||||||
|
diff --git a/install/share/ipa-httpd-wsgi.conf.template b/install/share/ipa-httpd-wsgi.conf.template
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..89d424665a
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/install/share/ipa-httpd-wsgi.conf.template
|
||||||
|
@@ -0,0 +1,7 @@
|
||||||
|
+# Do not edit. Created by IPA installer.
|
||||||
|
+
|
||||||
|
+# Some platforms allow parallel installation of Python 2 and 3 mod_wsgi
|
||||||
|
+# modules, but the modules can't coexist. Enforce loading of correct
|
||||||
|
+# WSGI module before the package's default config.
|
||||||
|
+
|
||||||
|
+LoadModule wsgi_module $WSGI_MODULE
|
||||||
|
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
|
||||||
|
index 94bd0f8a10..ca4a12ec01 100644
|
||||||
|
--- a/ipaplatform/base/constants.py
|
||||||
|
+++ b/ipaplatform/base/constants.py
|
||||||
|
@@ -39,5 +39,9 @@ class BaseConstantsNamespace(object):
|
||||||
|
SSSD_USER = "sssd"
|
||||||
|
# sql (new format), dbm (old format)
|
||||||
|
NSS_DEFAULT_DBTYPE = 'dbm'
|
||||||
|
+ # WSGI module override, only used on Fedora
|
||||||
|
+ MOD_WSGI_PYTHON2 = None
|
||||||
|
+ MOD_WSGI_PYTHON3 = None
|
||||||
|
+
|
||||||
|
|
||||||
|
constants = BaseConstantsNamespace()
|
||||||
|
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
|
||||||
|
index 3bb32416d6..753e8e80e7 100644
|
||||||
|
--- a/ipaplatform/base/paths.py
|
||||||
|
+++ b/ipaplatform/base/paths.py
|
||||||
|
@@ -48,6 +48,8 @@ class BasePathNamespace(object):
|
||||||
|
HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
|
||||||
|
HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
|
||||||
|
HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
|
||||||
|
+ # only used on Fedora
|
||||||
|
+ HTTPD_IPA_WSGI_MODULES_CONF = None
|
||||||
|
OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
|
||||||
|
HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
|
||||||
|
HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
|
||||||
|
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
|
||||||
|
index 8f73eaddc2..d4b56318e3 100644
|
||||||
|
--- a/ipaplatform/base/tasks.py
|
||||||
|
+++ b/ipaplatform/base/tasks.py
|
||||||
|
@@ -211,6 +211,10 @@ def remove_httpd_service_ipa_conf(self):
|
||||||
|
"""Remove configuration of httpd service of IPA"""
|
||||||
|
raise NotImplementedError()
|
||||||
|
|
||||||
|
+ def configure_httpd_wsgi_conf(self):
|
||||||
|
+ """Configure WSGI for correct Python version"""
|
||||||
|
+ raise NotImplementedError()
|
||||||
|
+
|
||||||
|
def is_fips_enabled(self):
|
||||||
|
return False
|
||||||
|
|
||||||
|
diff --git a/ipaplatform/debian/tasks.py b/ipaplatform/debian/tasks.py
|
||||||
|
index 6c41a35e77..4537260146 100644
|
||||||
|
--- a/ipaplatform/debian/tasks.py
|
||||||
|
+++ b/ipaplatform/debian/tasks.py
|
||||||
|
@@ -47,4 +47,9 @@ def restore_auth_configuration(path):
|
||||||
|
def parse_ipa_version(version):
|
||||||
|
return BaseTaskNamespace.parse_ipa_version(version)
|
||||||
|
|
||||||
|
+ def configure_httpd_wsgi_conf(self):
|
||||||
|
+ # Debian doesn't require special mod_wsgi configuration
|
||||||
|
+ pass
|
||||||
|
+
|
||||||
|
+
|
||||||
|
tasks = DebianTaskNamespace()
|
||||||
|
diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py
|
||||||
|
index ce03f58cf9..79e7bd9a5e 100644
|
||||||
|
--- a/ipaplatform/fedora/constants.py
|
||||||
|
+++ b/ipaplatform/fedora/constants.py
|
||||||
|
@@ -11,6 +11,10 @@
|
||||||
|
|
||||||
|
|
||||||
|
class FedoraConstantsNamespace(RedHatConstantsNamespace):
|
||||||
|
- pass
|
||||||
|
+ # Fedora allows installation of Python 2 and 3 mod_wsgi, but the modules
|
||||||
|
+ # can't coexist. For Apache to load correct module.
|
||||||
|
+ MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
|
||||||
|
+ MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"
|
||||||
|
+
|
||||||
|
|
||||||
|
constants = FedoraConstantsNamespace()
|
||||||
|
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
|
||||||
|
index 49a904f2f2..5238cdb4f4 100644
|
||||||
|
--- a/ipaplatform/fedora/paths.py
|
||||||
|
+++ b/ipaplatform/fedora/paths.py
|
||||||
|
@@ -27,7 +27,9 @@
|
||||||
|
|
||||||
|
|
||||||
|
class FedoraPathNamespace(RedHatPathNamespace):
|
||||||
|
- pass
|
||||||
|
+ HTTPD_IPA_WSGI_MODULES_CONF = (
|
||||||
|
+ "/etc/httpd/conf.modules.d/02-ipa-wsgi.conf"
|
||||||
|
+ )
|
||||||
|
|
||||||
|
|
||||||
|
paths = FedoraPathNamespace()
|
||||||
|
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
|
||||||
|
index 79bd5335ea..701c280ec0 100644
|
||||||
|
--- a/ipaplatform/redhat/tasks.py
|
||||||
|
+++ b/ipaplatform/redhat/tasks.py
|
||||||
|
@@ -30,6 +30,7 @@
|
||||||
|
import socket
|
||||||
|
import traceback
|
||||||
|
import errno
|
||||||
|
+import sys
|
||||||
|
|
||||||
|
from ctypes.util import find_library
|
||||||
|
from functools import total_ordering
|
||||||
|
@@ -484,6 +485,36 @@ def configure_http_gssproxy_conf(self, ipaapi_user):
|
||||||
|
os.chmod(paths.GSSPROXY_CONF, 0o600)
|
||||||
|
self.restore_context(paths.GSSPROXY_CONF)
|
||||||
|
|
||||||
|
+ def configure_httpd_wsgi_conf(self):
|
||||||
|
+ """Configure WSGI for correct Python version (Fedora)
|
||||||
|
+
|
||||||
|
+ See https://pagure.io/freeipa/issue/7394
|
||||||
|
+ """
|
||||||
|
+ conf = paths.HTTPD_IPA_WSGI_MODULES_CONF
|
||||||
|
+ if sys.version_info.major == 2:
|
||||||
|
+ wsgi_module = constants.MOD_WSGI_PYTHON2
|
||||||
|
+ else:
|
||||||
|
+ wsgi_module = constants.MOD_WSGI_PYTHON3
|
||||||
|
+
|
||||||
|
+ if conf is None or wsgi_module is None:
|
||||||
|
+ logger.info("Nothing to do for configure_httpd_wsgi_conf")
|
||||||
|
+ return
|
||||||
|
+
|
||||||
|
+ confdir = os.path.dirname(conf)
|
||||||
|
+ if not os.path.isdir(confdir):
|
||||||
|
+ os.makedirs(confdir)
|
||||||
|
+
|
||||||
|
+ ipautil.copy_template_file(
|
||||||
|
+ os.path.join(
|
||||||
|
+ paths.USR_SHARE_IPA_DIR, 'ipa-httpd-wsgi.conf.template'
|
||||||
|
+ ),
|
||||||
|
+ conf,
|
||||||
|
+ dict(WSGI_MODULE=wsgi_module)
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ os.chmod(conf, 0o644)
|
||||||
|
+ self.restore_context(conf)
|
||||||
|
+
|
||||||
|
def remove_httpd_service_ipa_conf(self):
|
||||||
|
"""Remove systemd config for httpd service of IPA"""
|
||||||
|
try:
|
||||||
|
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
|
||||||
|
index 8f3b5937fd..46764e6aa7 100644
|
||||||
|
--- a/ipaserver/install/httpinstance.py
|
||||||
|
+++ b/ipaserver/install/httpinstance.py
|
||||||
|
@@ -213,6 +213,7 @@ def remove_httpd_ccaches(self):
|
||||||
|
|
||||||
|
def __configure_http(self):
|
||||||
|
self.update_httpd_service_ipa_conf()
|
||||||
|
+ self.update_httpd_wsgi_conf()
|
||||||
|
|
||||||
|
target_fname = paths.HTTPD_IPA_CONF
|
||||||
|
http_txt = ipautil.template_file(
|
||||||
|
@@ -508,6 +509,9 @@ def enable_and_start_oddjobd(self):
|
||||||
|
def update_httpd_service_ipa_conf(self):
|
||||||
|
tasks.configure_httpd_service_ipa_conf()
|
||||||
|
|
||||||
|
+ def update_httpd_wsgi_conf(self):
|
||||||
|
+ tasks.configure_httpd_wsgi_conf()
|
||||||
|
+
|
||||||
|
def uninstall(self):
|
||||||
|
if self.is_configured():
|
||||||
|
self.print_msg("Unconfiguring web server")
|
||||||
|
@@ -564,7 +568,8 @@ def uninstall(self):
|
||||||
|
installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
|
||||||
|
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
|
||||||
|
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
|
||||||
|
- tasks.remove_httpd_service_ipa_conf()
|
||||||
|
+ if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None:
|
||||||
|
+ installutils.remove_file(paths.HTTPD_IPA_WSGI_MODULES_CONF)
|
||||||
|
|
||||||
|
# Restore SELinux boolean states
|
||||||
|
boolean_states = {name: self.restore_state(name)
|
||||||
|
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
||||||
|
index 07cc18a78c..b12d80f105 100644
|
||||||
|
--- a/ipaserver/install/server/upgrade.py
|
||||||
|
+++ b/ipaserver/install/server/upgrade.py
|
||||||
|
@@ -1458,11 +1458,17 @@ def update_mod_nss_cipher_suite(http):
|
||||||
|
'cipher_suite_updated',
|
||||||
|
httpinstance.NSS_CIPHER_REVISION)
|
||||||
|
|
||||||
|
+
|
||||||
|
def update_ipa_httpd_service_conf(http):
|
||||||
|
logger.info('[Updating HTTPD service IPA configuration]')
|
||||||
|
http.update_httpd_service_ipa_conf()
|
||||||
|
|
||||||
|
|
||||||
|
+def update_ipa_http_wsgi_conf(http):
|
||||||
|
+ logger.info('[Updating HTTPD service IPA WSGI configuration]')
|
||||||
|
+ http.update_httpd_wsgi_conf()
|
||||||
|
+
|
||||||
|
+
|
||||||
|
def update_http_keytab(http):
|
||||||
|
logger.info('[Moving HTTPD service keytab to gssproxy]')
|
||||||
|
if os.path.exists(paths.OLD_IPA_KEYTAB):
|
||||||
|
@@ -1782,6 +1788,7 @@ def upgrade_configuration():
|
||||||
|
http.stop()
|
||||||
|
disable_httpd_system_trust(http)
|
||||||
|
update_ipa_httpd_service_conf(http)
|
||||||
|
+ update_ipa_http_wsgi_conf(http)
|
||||||
|
update_mod_nss_protocol(http)
|
||||||
|
update_mod_nss_cipher_suite(http)
|
||||||
|
disable_mod_nss_ocsp(http)
|
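Review bot: The `uninstall()` hunk in ipaserver/install/httpinstance.py removes the existing `tasks.remove_httpd_service_ipa_conf()` call rather than adding the WSGI cleanup next to it. The hunk header counts (7 old lines, 8 new) and the diffstat's single deletion for this file both match a real removal. Unless that call is made elsewhere in `uninstall()`, whose body extends beyond the hunk, the httpd service configuration written by `configure_httpd_service_ipa_conf()` would presumably stay on the host after uninstall. I would keep the original line directly after the new `if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None:` block: `tasks.remove_httpd_service_ipa_conf()`.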
12
freeipa.spec
12
freeipa.spec
@ -88,7 +88,7 @@
|
|||||||
|
|
||||||
Name: freeipa
|
Name: freeipa
|
||||||
Version: %{VERSION}
|
Version: %{VERSION}
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
@ -98,6 +98,10 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
|
|||||||
Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
|
Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
|
||||||
|
# https://pagure.io/freeipa/issue/7389
|
||||||
|
Patch0001: 0001-Fix-detection-of-KRA-installation-so-upgrades-can-su.patch
|
||||||
|
# https://pagure.io/freeipa/issue/7394
|
||||||
|
Patch0002: 0002-Replace-wsgi-package-conflict-with-config-file.patch
|
||||||
|
|
||||||
# For the timestamp trick in patch application
|
# For the timestamp trick in patch application
|
||||||
BuildRequires: diffstat
|
BuildRequires: diffstat
|
||||||
@ -328,14 +332,12 @@ Requires(postun): python3
|
|||||||
Requires: python3-gssapi >= 1.2.0-5
|
Requires: python3-gssapi >= 1.2.0-5
|
||||||
Requires: python3-systemd
|
Requires: python3-systemd
|
||||||
Requires: python3-mod_wsgi
|
Requires: python3-mod_wsgi
|
||||||
Conflicts: mod_wsgi
|
|
||||||
%else
|
%else
|
||||||
Requires(preun): python2
|
Requires(preun): python2
|
||||||
Requires(postun): python2
|
Requires(postun): python2
|
||||||
Requires: python2-gssapi >= 1.2.0-5
|
Requires: python2-gssapi >= 1.2.0-5
|
||||||
Requires: python2-systemd
|
Requires: python2-systemd
|
||||||
Requires: mod_wsgi
|
Requires: mod_wsgi
|
||||||
Conflicts: python3-mod_wsgi
|
|
||||||
%endif
|
%endif
|
||||||
Requires: mod_auth_gssapi >= 1.5.0
|
Requires: mod_auth_gssapi >= 1.5.0
|
||||||
# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
|
# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
|
||||||
@ -1775,6 +1777,10 @@ fi
|
|||||||
%endif # with_ipatests
|
%endif # with_ipatests
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Feb 8 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-3
|
||||||
|
- Don't fail on upgrades if KRA is not installed
|
||||||
|
- Remove Conflicts between mod_wsgi and python3-mod_wsgi
|
||||||
|
|
||||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.3-2
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.3-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|