From e95356d72394a48482eb5be55ee0ac848de3dc2f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 30 Nov 2011 15:14:40 +0200 Subject: [PATCH] Introduce systemd upgrade script As user has no means to recover existing FreeIPA install after upgrading from SysV to systemd, introduce upgrade script. The upgrade script does following: - restores symlinks in FreeIPA's Dogtag installation - converts FreeIPA directory server instances to systemd - converts FreeIPA directory server configuration to be compatible with systemd services - converts FreeIPA KDC configuration to be compatible with systemd services - re-enables FreeIPA Script does nothing if FreeIPA is already active systemd service --- freeipa-systemd-upgrade | 73 +++++++++++++++++++++++++++++++++++++++++ freeipa.spec | 21 +++++++++++- 2 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 freeipa-systemd-upgrade
diff --git a/freeipa-systemd-upgrade b/freeipa-systemd-upgrade
new file mode 100644
index 0000000..c0b840c
--- /dev/null
+++ b/freeipa-systemd-upgrade
@@ -0,0 +1,73 @@
+#! /usr/bin/python -E
+from ipaserver.install.krbinstance import update_key_val_in_file
+from ipapython import ipautil, config
+from ipapython import services as ipaservices
+import os, platform
+
+def convert_java_link(foo, topdir, filepaths):
+ cwd = os.getcwd()
+ os.chdir(topdir)
+ for filepath in filepaths:
+ # All this shouldn't happen because java system upgrade should properly
+ # move files and symlinks but if this is a broken link
+ if os.path.islink(filepath):
+ print " Checking %s ... " % (filepath),
+ if not os.path.exists(filepath):
+ rpath = os.path.realpath(filepath)
+ # .. and it points to jss in /usr/lib
+ if rpath.find('/usr/lib/') != -1 and rpath.find('jss') != -1:
+ base = os.path.basename(rpath)
+ bitness = platform.architecture()[0][:2]
+ # rewrite it to /usr/lib64 for x86_64 platform
+ if bitness == '64':
+ npath = "/usr/lib%s/jss/%s" % (bitness, base)
+ os.unlink(filepath)
+ os.symlink(npath, filepath)
+ print "%s -> %s" % (filepath, npath)
+ else:
+ print "Ok"
+ else:
+ print "Ok"
+ else:
+ print "Ok"
+ os.chdir(cwd)
+
+# 0. Init config
+try:
+ config.init_config()
+except IPAConfigError, e:
+ # No configured IPA install, no need to upgrade anything
+ exit(0)
+
+# 1. Convert broken symlinks, if any, in /var/lib/pki-ca
+if os.path.exists('/var/lib/pki-ca/common/lib'):
+ print "Analyzing symlinks in PKI-CA install"
+ os.path.walk('/var/lib/pki-ca/common/lib', convert_java_link, None)
+
+try:
+ print "Found IPA server for domain %s" % (config.config.default_realm)
+ print "Converting services setup to systemd"
+ # 1. Upgrade /etc/sysconfig/dirsrv for systemd
+ print " Upgrade /etc/sysconfig/dirsrv"
+ update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
+ update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
+ # 2.
Upgrade /etc/sysconfig/krb5kdc for systemd
+ print " Upgrade /etc/sysconfig/krb5kdc"
+ replacevars = {'KRB5REALM':config.config.default_realm}
+ appendvars = {}
+ ipautil.config_replace_variables("/etc/sysconfig/krb5kdc",
+ replacevars=replacevars, appendvars=appendvars)
+ ipaservices.restore_context("/etc/sysconfig/krb5kdc")
+ # 3. Enable DS instances:
+ realm = config.config.default_realm.upper().replace('.','-')
+ print " Re-enable Directory server instances PKI-IPA and %s " % (realm)
+ ipaservices.knownservices.dirsrv.enable(realm)
+ ipaservices.knownservices.dirsrv.enable("PKI-IPA")
+ # 4. Enable FreeIPA
+ print " Re-enable IPA service"
+ ipaservices.knownservices.ipa.enable()
+except:
+ pass
+
+finally:
+ print "Finished."
diff --git a/freeipa.spec b/freeipa.spec
index e4dd824..cc855a6 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -14,13 +14,14 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} Name: freeipa Version: 2.1.3 -Release: 5%{?dist} +Release: 6%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base License: GPLv3+ URL: http://www.freeipa.org/ Source0: freeipa-%{version}.tar.gz +Source1: freeipa-systemd-upgrade Patch0: freeipa-2.1.3-systemd.patch.gz Patch1: freeipa-2.1.3-wait_for_socket.patch.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -218,6 +219,7 @@ package. %setup -n freeipa-%{version} -q %patch0 -p1 %patch1 -p1 +cp %{SOURCE1} init/systemd/ %build export CFLAGS="$CFLAGS %{optflags}"
@@ -294,6 +296,8 @@ mkdir -p %{buildroot}%{_unitdir} for i in ipa.service ipa_kpasswd.service ; do install -m 644 init/systemd/$i %{buildroot}%{_unitdir}/$i done +mkdir -p %{buildroot}%{_libexecdir} +install -m 755 init/systemd/freeipa-systemd-upgrade %{buildroot}%{_libexecdir}/freeipa-systemd-upgrade rm -f %{buildroot}%{_initrddir}/ipa_kpasswd %endif
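Review bot: In freeipa-systemd-upgrade, `except IPAConfigError, e:` names an exception that none of the import lines binds, so a failing `config.init_config()` raises NameError instead of reaching `exit(0)`; if the class is the one defined in `ipapython.config`, write `except config.IPAConfigError:`. The later bare `except: pass` hides every failure in the conversion block, and the `finally` prints "Finished." either way, so a run that stopped after rewriting `/etc/sysconfig/dirsrv` but before re-enabling the directory server instances looks the same as a clean one. This script is called from the package scriptlet and edits keytab and realm settings for the directory server and KDC, so a half-applied run should be visible: replace the handler with `except Exception, e:` followed by `print "Upgrade failed: %s" % e` and `raise SystemExit(1)`.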
@@ -316,6 +320,11 @@ rm -rf %{buildroot} # Use systemd scheme, update systemd as service units have changed /bin/systemctl --system daemon-reload 2>&1 || : if [ $1 -gt 1 ] ; then + # When upgrade is performed from SysV to systemd, ipa.service will be inactive + # due to https://bugzilla.redhat.com/show_bug.cgi?id=752846 + # FreeIPA existing setup cannot be used without upgrade script + /bin/systemctl --quiet is-active ipa.service >/dev/null || \ + /usr/libexec/freeipa-systemd-upgrade || : /usr/sbin/ipa-upgradeconfig || : /usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || : fi
@@ -403,6 +412,7 @@ fi # Use systemd scheme %attr(644,root,root) %{_unitdir}/ipa.service %attr(644,root,root) %{_unitdir}/ipa_kpasswd.service +%{buildroot}%{_libexecdir}/freeipa-systemd-upgrade %dir %{python_sitelib}/ipaserver %{python_sitelib}/ipaserver/* %dir %{_usr}/share/ipa
@@ -531,6 +541,15 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-6 +- Introduce upgrade script to recover existing configuration after systemd migration + as user has no means to recover FreeIPA from systemd migration +- Upgrade script: + - recovers symlinks in Dogtag instance install + - recovers systemd configuration for FreeIPA's directory server instances + - recovers freeipa.service + - migrates directory server and KDC configs to use proper keytabs for systemd services + * Wed Oct 26 2011 Fedora Release Engineering - 2.1.3-5 - Rebuilt for glibc bug#747377
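Review bot: The guard `/bin/systemctl --quiet is-active ipa.service` in the `@@ -316,6 +320,11 @@` hunk cannot tell an un-migrated SysV install from an instance the administrator has stopped on purpose. On such a host every later package upgrade runs the script, which re-enables the directory server instances and the IPA service. Silently re-enabling an identity service that was taken offline is worth avoiding; gate the call on evidence of the SysV layout or on a one-time marker file rather than on the active state. The path is also hard-coded as `/usr/libexec/freeipa-systemd-upgrade` while the install step uses `%{_libexecdir}`, so the scriptlet should use the macro too. The scriptlet begins and ends outside this hunk.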
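Review bot: The new `%files` entry `%{buildroot}%{_libexecdir}/freeipa-systemd-upgrade` in the `@@ -403,6 +412,7 @@` hunk includes the build root, but `%files` paths are already resolved relative to it. rpmbuild will therefore look for the script under a doubled prefix and either fail with a missing-file error or record the wrong install path. Drop the macro and state ownership and mode the way the neighbouring unit-file lines do: `%attr(755,root,root) %{_libexecdir}/freeipa-systemd-upgrade`. An explicit root-owned mode matters here because the upgrade scriptlet executes this file.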