Remove unused patches
parent
179e81bf0a
commit
e98c2f2a47
@ -1,29 +0,0 @@
|
|||||||
From df411f00a3d1db2fcb0d122a54b9e13a57e35f3f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Date: Fri, 8 Jan 2021 11:43:31 -0500
|
|
||||||
Subject: [PATCH] Set client keytab location for 389ds
|
|
||||||
|
|
||||||
Handles behavior change in
|
|
||||||
https://github.com/389ds/389-ds-base/pull/4523
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8656
|
|
||||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
install/share/ds-ipa-env.conf.template | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/install/share/ds-ipa-env.conf.template b/install/share/ds-ipa-env.conf.template
|
|
||||||
index f5ce11a9a..c059aae15 100644
|
|
||||||
--- a/install/share/ds-ipa-env.conf.template
|
|
||||||
+++ b/install/share/ds-ipa-env.conf.template
|
|
||||||
@@ -3,4 +3,5 @@
|
|
||||||
[Service]
|
|
||||||
Environment=LC_ALL=C.UTF-8
|
|
||||||
Environment=KRB5_KTNAME=$KRB5_KTNAME
|
|
||||||
+Environment=KRB5_CLIENT_KTNAME=$KRB5_KTNAME
|
|
||||||
Environment=KRB5CCNAME=$KRB5CCNAME
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
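--- a/5212.patch
+++ b/5212.patch
@@ -1,56 +0,0 @@
-From 2695789db45c2e7fe92e53a49521dc22fdffe317 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Wed, 28 Oct 2020 10:34:31 -0400
-Subject: [PATCH] New validation efforts in 389-ds-base require that the
-backend entry for a database be created before the mapping tree entry. This
-enforces that the mapping tree entry (the suffix) actually belongs to an
-existing backend.
-
-For IPA we simply need to reverse the order of the backend vs mapping tree
-creation in cainstance.py -> __create_ds_db()
-
-Fixes: https://pagure.io/freeipa/issue/8558
----
-ipaserver/install/cainstance.py | 22 +++++++++++-----------
-1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index fca829de094..1c2fab1dffb 100644
---- a/ipaserver/install/cainstance.py
-+++ b/ipaserver/install/cainstance.py
-@@ -1162,17 +1162,6 @@ def __create_ds_db(self):
-backend = 'ipaca'
-suffix = DN(('o', 'ipaca'))
-
-- # replication
-- dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
-- entry = api.Backend.ldap2.make_entry(
-- dn,
-- objectclass=["top", "extensibleObject", "nsMappingTree"],
-- cn=[suffix],
-- )
-- entry['nsslapd-state'] = ['Backend']
-- entry['nsslapd-backend'] = [backend]
-- api.Backend.ldap2.add_entry(entry)
--
-# database
-dn = DN(('cn', 'ipaca'), ('cn', 'ldbm database'), ('cn', 'plugins'),
-('cn', 'config'))
-@@ -1184,6 +1173,17 @@ def __create_ds_db(self):
-entry['nsslapd-suffix'] = [suffix]
-api.Backend.ldap2.add_entry(entry)
-
-+ # replication
-+ dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
-+ entry = api.Backend.ldap2.make_entry(
-+ dn,
-+ objectclass=["top", "extensibleObject", "nsMappingTree"],
-+ cn=[suffix],
-+ )
-+ entry['nsslapd-state'] = ['Backend']
-+ entry['nsslapd-backend'] = [backend]
-+ api.Backend.ldap2.add_entry(entry)
-+
-def __setup_replication(self):
-repl = replication.CAReplicationManager(self.realm, self.fqdn)
-repl.setup_cs_replication(self.master_host)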
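--- a/5273.patch
+++ b/5273.patch
@@ -1,107 +0,0 @@
-From 87813eb6404ae0aa15b95b1af788db0d37e2efa5 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 18 Nov 2020 12:35:38 +0200
-Subject: [PATCH] util: Fix client-only build
-
-Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
-client-only build as util/ipa_pwd.c unconditionally includes
-pwquality.h.
-
-Make sure we define USE_PWQUALITY in the full server configuration and
-if that one is defined, include libpwquality use.
-
-Fixes: https://pagure.io/freeipa/issue/8587
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
-configure.ac | 4 +++-
-util/Makefile.am | 10 +++++++---
-util/ipa_pwd.c | 9 ++++++++-
-3 files changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index ef1a1c6867e..5d04d446e0a 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -117,7 +117,9 @@ dnl ---------------------------------------------------------------------------
-dnl - Check for pwquality library
-dnl ---------------------------------------------------------------------------
-AM_COND_IF([ENABLE_SERVER], [
-- PKG_CHECK_MODULES([PWQUALITY], [pwquality])
-+ PKG_CHECK_MODULES([PWQUALITY], [pwquality],
-+ [AC_DEFINE(USE_PWQUALITY,1,[Use password quality checks])]
-+ )
-])
-
-dnl ---------------------------------------------------------------------------
-diff --git a/util/Makefile.am b/util/Makefile.am
-index 5e21c098f14..b3803777809 100644
---- a/util/Makefile.am
-+++ b/util/Makefile.am
-@@ -21,7 +21,11 @@ libutil_la_SOURCES = \
-
-libutil_la_LIBADD = $(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) $(PWQUALITY_LIBS)
-
--check_PROGRAMS = t_pwd t_policy
--TESTS = $(check_PROGRAMS)
-+check_PROGRAMS = t_pwd
-t_pwd_LDADD = libutil.la
--t_policy_LDADD = libutil.la
-+if ENABLE_SERVER
-+check_PROGRAMS += t_policy
-+t_policy_LDADD = libutil.la
-+endif
-+
-+TESTS = $(check_PROGRAMS)
-diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
-index dbff5ef1cba..8fa413c69cf 100644
---- a/util/ipa_pwd.c
-+++ b/util/ipa_pwd.c
-@@ -23,6 +23,7 @@
-#ifndef _GNU_SOURCE
-#define _GNU_SOURCE
-#endif
-+#include "config.h"
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-@@ -31,7 +32,9 @@
-#include <syslog.h>
-#include <unistd.h>
-#include <errno.h>
-+#if defined(USE_PWQUALITY)
-#include <pwquality.h>
-+#endif
-#include <openssl/evp.h>
-#include <openssl/rand.h>
-#include <openssl/sha.h>
-@@ -417,11 +420,13 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
-{
-int pwdlen, blen;
-int ret;
-+#if defined(USE_PWQUALITY)
-pwquality_settings_t *pwq;
-int check_pwquality = 0;
-- int entropy;
-+ int entropy = 0;
-char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
-void *auxerror;
-+#endif
-
-if (!policy || !password) {
-return IPAPWD_POLICY_ERROR;
-@@ -534,6 +539,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
-}
-}
-
-+#if defined(USE_PWQUALITY)
-/* Only call into libpwquality if at least one setting is made
-* because there are a number of checks that don't have knobs
-* so preserve the previous behavior.
-@@ -601,6 +607,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
-#endif
-}
-}
-+#endif /* USE_PWQUALITY */
-
-if (pwd_history) {
-char *hash;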
@ -1,74 +0,0 @@
|
|||||||
From 2e4f9ef1552d1ef784bb91918aa60de0f05e453a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Date: Mon, 28 Sep 2020 12:00:01 +0200
|
|
||||||
Subject: [PATCH 1/2] Ensure that resolved.conf.d is accessible
|
|
||||||
|
|
||||||
systemd-resolved runs as user systemd-resolve. Ensure that
|
|
||||||
resolved.conf.d drop-in directory is accessible when installer runs with
|
|
||||||
restricted umask. Also ensure the file and directory has correct SELinux
|
|
||||||
context.
|
|
||||||
|
|
||||||
The parent directory /etc/systemd exists on all platforms.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8275
|
|
||||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
||||||
---
|
|
||||||
ipaplatform/base/tasks.py | 10 +++++++++-
|
|
||||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
|
|
||||||
index a39857e869..adf320b700 100644
|
|
||||||
--- a/ipaplatform/base/tasks.py
|
|
||||||
+++ b/ipaplatform/base/tasks.py
|
|
||||||
@@ -336,7 +336,11 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
|
|
||||||
from ipaplatform.services import knownservices
|
|
||||||
|
|
||||||
confd = os.path.dirname(paths.SYSTEMD_RESOLVED_IPA_CONF)
|
|
||||||
- os.makedirs(confd, exist_ok=True)
|
|
||||||
+ if not os.path.isdir(confd):
|
|
||||||
+ os.mkdir(confd)
|
|
||||||
+ # owned by root, readable by systemd-resolve user
|
|
||||||
+ os.chmod(confd, 0o755)
|
|
||||||
+ tasks.restore_context(confd, force=True)
|
|
||||||
|
|
||||||
cfg = RESOLVE1_IPA_CONF.format(
|
|
||||||
searchdomains=" ".join(searchdomains)
|
|
||||||
@@ -345,6 +349,10 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
|
|
||||||
os.fchmod(f.fileno(), 0o644)
|
|
||||||
f.write(cfg)
|
|
||||||
|
|
||||||
+ tasks.restore_context(
|
|
||||||
+ paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
knownservices["systemd-resolved"].reload_or_restart()
|
|
||||||
|
|
||||||
def unconfigure_dns_resolver(self, fstore=None):
|
|
||||||
|
|
||||||
From 8b193f09018c3be283e0a3ecdfd1a58d49af360a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Date: Mon, 28 Sep 2020 12:29:00 +0200
|
|
||||||
Subject: [PATCH 2/2] Also backup DNS config drop-ins
|
|
||||||
|
|
||||||
/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
|
|
||||||
files were not backed up.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/8275
|
|
||||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/ipa_backup.py | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
|
|
||||||
index 39347643d3..d472990afe 100644
|
|
||||||
--- a/ipaserver/install/ipa_backup.py
|
|
||||||
+++ b/ipaserver/install/ipa_backup.py
|
|
||||||
@@ -194,6 +194,8 @@ class Backup(admintool.AdminTool):
|
|
||||||
paths.GSSPROXY_CONF,
|
|
||||||
paths.HOSTS,
|
|
||||||
paths.SYSTEMD_PKI_TOMCAT_IPA_CONF,
|
|
||||||
+ paths.NETWORK_MANAGER_IPA_CONF,
|
|
||||||
+ paths.SYSTEMD_RESOLVED_IPA_CONF,
|
|
||||||
) + tuple(
|
|
||||||
os.path.join(paths.IPA_NSSDB_DIR, file)
|
|
||||||
for file in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES)
|
|
@ -1,36 +0,0 @@
|
|||||||
From 8b2002cc7e2e0400e1afa3a21963a22947c7a908 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Date: Tue, 29 Sep 2020 10:39:01 +0200
|
|
||||||
Subject: [PATCH] configure_dns_resolver: call self.restore_context
|
|
||||||
|
|
||||||
Use the platform implementation of restore_context() instead of the base
|
|
||||||
implementation.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8518
|
|
||||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
||||||
---
|
|
||||||
ipaplatform/base/tasks.py | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
|
|
||||||
index adf320b700..4387e0e12f 100644
|
|
||||||
--- a/ipaplatform/base/tasks.py
|
|
||||||
+++ b/ipaplatform/base/tasks.py
|
|
||||||
@@ -340,7 +340,7 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
|
|
||||||
os.mkdir(confd)
|
|
||||||
# owned by root, readable by systemd-resolve user
|
|
||||||
os.chmod(confd, 0o755)
|
|
||||||
- tasks.restore_context(confd, force=True)
|
|
||||||
+ self.restore_context(confd, force=True)
|
|
||||||
|
|
||||||
cfg = RESOLVE1_IPA_CONF.format(
|
|
||||||
searchdomains=" ".join(searchdomains)
|
|
||||||
@@ -349,7 +349,7 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
|
|
||||||
os.fchmod(f.fileno(), 0o644)
|
|
||||||
f.write(cfg)
|
|
||||||
|
|
||||||
- tasks.restore_context(
|
|
||||||
+ self.restore_context(
|
|
||||||
paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
|
|
||||||
)
|
|
||||||
|
|
@ -1,37 +0,0 @@
|
|||||||
From f9900ef2401070351353724ef92111ec541e67f0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Sat, 26 Sep 2020 16:30:58 +0300
|
|
||||||
Subject: [PATCH] Pre-populate IP addresses for the name server upgrades
|
|
||||||
|
|
||||||
Setting up resolv.conf in BIND instance expects IP addresses of the
|
|
||||||
server to be provided. This is done wiht BindInstance.setup() method
|
|
||||||
call. However, when reusing resolver setup during upgrade BIND instance
|
|
||||||
has no IP addresses configured and fails with an assert in
|
|
||||||
tasks.configure_dns_resolver().
|
|
||||||
|
|
||||||
Pass through the server's IP addresses during upgrade.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8518
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/server/upgrade.py | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
||||||
index 332f8b251..144b340a4 100644
|
|
||||||
--- a/ipaserver/install/server/upgrade.py
|
|
||||||
+++ b/ipaserver/install/server/upgrade.py
|
|
||||||
@@ -1451,6 +1451,9 @@ def upgrade_bind(fstore):
|
|
||||||
# resolve1's stub resolver config file.
|
|
||||||
has_resolved_ipa_conf = os.path.isfile(paths.SYSTEMD_RESOLVED_IPA_CONF)
|
|
||||||
if not has_resolved_ipa_conf and detect_resolve1_resolv_conf():
|
|
||||||
+ ip_addresses = installutils.get_server_ip_address(
|
|
||||||
+ api.env.host, True, False, [])
|
|
||||||
+ bind.ip_addresses = ip_addresses
|
|
||||||
bind.setup_resolv_conf()
|
|
||||||
logger.info("Updated systemd-resolved configuration")
|
|
||||||
|
|
||||||
--
|
|
||||||
2.28.0
|
|
||||||
|
|
@ -1,282 +0,0 @@
|
|||||||
From 071e283b19e925bea596a25b4758ab2cbc657914 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Tue, 11 Aug 2020 10:47:05 -0400
|
|
||||||
Subject: [PATCH 1/3] Fall back to old server installation detection when
|
|
||||||
needed
|
|
||||||
|
|
||||||
If there is no installation section the the install pre-dated
|
|
||||||
this new method of detecting a successful installation, fall back
|
|
||||||
to that.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8458
|
|
||||||
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
|
||||||
---
|
|
||||||
ipalib/facts.py | 31 ++++++++++++++++++++++++++++-
|
|
||||||
ipaserver/install/installutils.py | 4 ----
|
|
||||||
ipaserver/install/server/install.py | 3 ++-
|
|
||||||
ipaserver/install/server/upgrade.py | 7 +++++--
|
|
||||||
4 files changed, 37 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipalib/facts.py b/ipalib/facts.py
|
|
||||||
index 5106fc2ac5..d78c1a2275 100644
|
|
||||||
--- a/ipalib/facts.py
|
|
||||||
+++ b/ipalib/facts.py
|
|
||||||
@@ -6,17 +6,46 @@
|
|
||||||
Facts about the installation
|
|
||||||
"""
|
|
||||||
|
|
||||||
+import logging
|
|
||||||
import os
|
|
||||||
from . import sysrestore
|
|
||||||
from ipaplatform.paths import paths
|
|
||||||
|
|
||||||
+logger = logging.getLogger(__name__)
|
|
||||||
+
|
|
||||||
+# Used to determine install status
|
|
||||||
+IPA_MODULES = [
|
|
||||||
+ 'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'named']
|
|
||||||
+
|
|
||||||
|
|
||||||
def is_ipa_configured():
|
|
||||||
"""
|
|
||||||
Use the state to determine if IPA has been configured.
|
|
||||||
"""
|
|
||||||
sstore = sysrestore.StateFile(paths.SYSRESTORE)
|
|
||||||
- return sstore.get_state('installation', 'complete')
|
|
||||||
+ if sstore.has_state('installation'):
|
|
||||||
+ return sstore.get_state('installation', 'complete')
|
|
||||||
+
|
|
||||||
+ # Fall back to older method in case this is an existing installation
|
|
||||||
+
|
|
||||||
+ installed = False
|
|
||||||
+
|
|
||||||
+ fstore = sysrestore.FileStore(paths.SYSRESTORE)
|
|
||||||
+
|
|
||||||
+ for module in IPA_MODULES:
|
|
||||||
+ if sstore.has_state(module):
|
|
||||||
+ logger.debug('%s is configured', module)
|
|
||||||
+ installed = True
|
|
||||||
+ else:
|
|
||||||
+ logger.debug('%s is not configured', module)
|
|
||||||
+
|
|
||||||
+ if fstore.has_files():
|
|
||||||
+ logger.debug('filestore has files')
|
|
||||||
+ installed = True
|
|
||||||
+ else:
|
|
||||||
+ logger.debug('filestore is tracking no files')
|
|
||||||
+
|
|
||||||
+ return installed
|
|
||||||
|
|
||||||
|
|
||||||
def is_ipa_client_configured(on_master=False):
|
|
||||||
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
|
|
||||||
index 583b1aca0b..13baf494cd 100644
|
|
||||||
--- a/ipaserver/install/installutils.py
|
|
||||||
+++ b/ipaserver/install/installutils.py
|
|
||||||
@@ -63,10 +63,6 @@
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
-# Used to determine install status
|
|
||||||
-IPA_MODULES = [
|
|
||||||
- 'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'named']
|
|
||||||
-
|
|
||||||
|
|
||||||
class BadHostError(Exception):
|
|
||||||
pass
|
|
||||||
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
|
|
||||||
index b86c3fec15..4d8e3ad78f 100644
|
|
||||||
--- a/ipaserver/install/server/install.py
|
|
||||||
+++ b/ipaserver/install/server/install.py
|
|
||||||
@@ -37,13 +37,14 @@
|
|
||||||
validate_domain_name,
|
|
||||||
no_matching_interface_for_ip_address_warning,
|
|
||||||
)
|
|
||||||
+from ipalib.facts import IPA_MODULES
|
|
||||||
from ipaserver.install import (
|
|
||||||
adtrust, adtrustinstance, bindinstance, ca, dns, dsinstance,
|
|
||||||
httpinstance, installutils, kra, krbinstance,
|
|
||||||
otpdinstance, custodiainstance, replication, service,
|
|
||||||
sysupgrade)
|
|
||||||
from ipaserver.install.installutils import (
|
|
||||||
- IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
|
|
||||||
+ BadHostError, get_fqdn, get_server_ip_address,
|
|
||||||
load_pkcs12, read_password, verify_fqdn, update_hosts_file,
|
|
||||||
validate_mask)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
||||||
index f0d9b746cd..109d1e100e 100644
|
|
||||||
--- a/ipaserver/install/server/upgrade.py
|
|
||||||
+++ b/ipaserver/install/server/upgrade.py
|
|
||||||
@@ -1455,8 +1455,11 @@ def upgrade_configuration():
|
|
||||||
fstore = sysrestore.FileStore(paths.SYSRESTORE)
|
|
||||||
sstore = sysrestore.StateFile(paths.SYSRESTORE)
|
|
||||||
|
|
||||||
- if is_ipa_configured() is None:
|
|
||||||
- sstore.backup_state('installation', 'complete', True)
|
|
||||||
+ if not sstore.has_state('installation'):
|
|
||||||
+ if is_ipa_configured():
|
|
||||||
+ sstore.backup_state('installation', 'complete', True)
|
|
||||||
+ else:
|
|
||||||
+ sstore.backup_state('installation', 'complete', False)
|
|
||||||
|
|
||||||
fqdn = api.env.host
|
|
||||||
|
|
||||||
|
|
||||||
From 7d84d919a8f5767ade1dcc380ce4eebadac6a8b5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Tue, 11 Aug 2020 11:12:55 -0400
|
|
||||||
Subject: [PATCH 2/3] Use is_ipa_configured from ipalib.facts
|
|
||||||
|
|
||||||
A couple of places still used the deprecated installutils version.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8458
|
|
||||||
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/installutils.py | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
|
|
||||||
index 13baf494cd..a3274d5797 100644
|
|
||||||
--- a/ipaserver/install/installutils.py
|
|
||||||
+++ b/ipaserver/install/installutils.py
|
|
||||||
@@ -665,7 +665,7 @@ def check_server_configuration():
|
|
||||||
Most convenient use case for the function is in install tools that require
|
|
||||||
configured IPA for its function.
|
|
||||||
"""
|
|
||||||
- if not is_ipa_configured():
|
|
||||||
+ if not facts.is_ipa_configured():
|
|
||||||
raise ScriptError("IPA is not configured on this system.",
|
|
||||||
rval=SERVER_NOT_CONFIGURED)
|
|
||||||
|
|
||||||
|
|
||||||
From 36ecfdbfe4ceedcfe056816cbb22162842fae975 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Tue, 11 Aug 2020 13:55:54 -0400
|
|
||||||
Subject: [PATCH 3/3] ipatests: Add test for is_ipa_configured
|
|
||||||
|
|
||||||
Validate that is_ipa_configured() returns True when using either
|
|
||||||
the original and the new configuration methods. This will allow
|
|
||||||
older installs to successfully upgrade.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8458
|
|
||||||
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
|
||||||
---
|
|
||||||
.../test_integration/test_installation.py | 88 +++++++++++++++++++
|
|
||||||
1 file changed, 88 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
|
||||||
index fb19900838..98bdc98ab8 100644
|
|
||||||
--- a/ipatests/test_integration/test_installation.py
|
|
||||||
+++ b/ipatests/test_integration/test_installation.py
|
|
||||||
@@ -21,6 +21,7 @@
|
|
||||||
|
|
||||||
from ipalib import x509
|
|
||||||
from ipalib.constants import DOMAIN_LEVEL_0
|
|
||||||
+from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
|
|
||||||
from ipapython.dn import DN
|
|
||||||
from ipaplatform.constants import constants
|
|
||||||
from ipaplatform.osinfo import osinfo
|
|
||||||
@@ -357,6 +358,93 @@ def test_ipa_ca_crt_permissions(self):
|
|
||||||
assert owner == "root"
|
|
||||||
assert group == "root"
|
|
||||||
|
|
||||||
+ def test_is_ipa_configured(self):
|
|
||||||
+ """Verify that the old and new methods of is_ipa_installed works
|
|
||||||
+
|
|
||||||
+ If there is an installation section then it is the status.
|
|
||||||
+
|
|
||||||
+ If not then it will fall back to looking for configured
|
|
||||||
+ services and files and use that for determination.
|
|
||||||
+ """
|
|
||||||
+ def set_installation_state(host, state):
|
|
||||||
+ """
|
|
||||||
+ Update the complete value in the installation section
|
|
||||||
+ """
|
|
||||||
+ host.run_command(
|
|
||||||
+ ['python3', '-c',
|
|
||||||
+ 'from ipalib.install import sysrestore; '
|
|
||||||
+ 'from ipaplatform.paths import paths;'
|
|
||||||
+ 'sstore = sysrestore.StateFile(paths.SYSRESTORE); '
|
|
||||||
+ 'sstore.backup_state("installation", "complete", '
|
|
||||||
+ '{state})'.format(state=state)])
|
|
||||||
+
|
|
||||||
+ def get_installation_state(host):
|
|
||||||
+ """
|
|
||||||
+ Retrieve the installation state from new install method
|
|
||||||
+ """
|
|
||||||
+ result = host.run_command(
|
|
||||||
+ ['python3', '-c',
|
|
||||||
+ 'from ipalib.install import sysrestore; '
|
|
||||||
+ 'from ipaplatform.paths import paths;'
|
|
||||||
+ 'sstore = sysrestore.StateFile(paths.SYSRESTORE); '
|
|
||||||
+ 'print(sstore.get_state("installation", "complete"))'])
|
|
||||||
+ return result.stdout_text.strip() # a string
|
|
||||||
+
|
|
||||||
+ # This comes from freeipa.spec and is used to determine whether
|
|
||||||
+ # an upgrade is required.
|
|
||||||
+ cmd = ['python3', '-c',
|
|
||||||
+ 'import sys; from ipalib import facts; sys.exit(0 '
|
|
||||||
+ 'if facts.is_ipa_configured() else 1);']
|
|
||||||
+
|
|
||||||
+ # This will use the new method since this is a fresh install,
|
|
||||||
+ # verify that it is true.
|
|
||||||
+ self.master.run_command(cmd)
|
|
||||||
+ assert get_installation_state(self.master) == 'True'
|
|
||||||
+
|
|
||||||
+ # Set complete to False which should cause the command to fail
|
|
||||||
+ # This tests the state of a failed or in-process installation.
|
|
||||||
+ set_installation_state(self.master, False)
|
|
||||||
+ result = self.master.run_command(cmd, raiseonerr=False)
|
|
||||||
+ assert result.returncode == 1
|
|
||||||
+ set_installation_state(self.master, True)
|
|
||||||
+
|
|
||||||
+ # Tweak sysrestore.state to drop installation section
|
|
||||||
+ self.master.run_command(
|
|
||||||
+ ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
|
|
||||||
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
|
|
||||||
+
|
|
||||||
+ # Re-run installation check and it should fall back to old method
|
|
||||||
+ # and be successful.
|
|
||||||
+ self.master.run_command(cmd)
|
|
||||||
+ assert get_installation_state(self.master) == 'None'
|
|
||||||
+
|
|
||||||
+ # Restore installation section.
|
|
||||||
+ self.master.run_command(
|
|
||||||
+ ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
|
|
||||||
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
|
|
||||||
+
|
|
||||||
+ # Uninstall and confirm that the old method reports correctly
|
|
||||||
+ # on uninstalled servers. It will exercise the old method since
|
|
||||||
+ # there is no state.
|
|
||||||
+ tasks.uninstall_master(self.master)
|
|
||||||
+
|
|
||||||
+ # ensure there is no stale state
|
|
||||||
+ result = self.master.run_command(r'test -f {}'.format(
|
|
||||||
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)),
|
|
||||||
+ raiseonerr=False
|
|
||||||
+ )
|
|
||||||
+ assert result.returncode == 1
|
|
||||||
+ result = self.master.run_command(r'test -f {}'.format(
|
|
||||||
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_INDEXFILE)),
|
|
||||||
+ raiseonerr=False
|
|
||||||
+ )
|
|
||||||
+ assert result.returncode == 1
|
|
||||||
+
|
|
||||||
+ # Now run is_ipa_configured() and it should be False
|
|
||||||
+ result = self.master.run_command(cmd, raiseonerr=False)
|
|
||||||
+ assert result.returncode == 1
|
|
||||||
+
|
|
||||||
+
|
|
||||||
class TestInstallWithCA_KRA1(InstallTestBase1):
|
|
||||||
|
|
||||||
@classmethod
|
|
@ -1,98 +0,0 @@
|
|||||||
From cd2fe2947589aaf8de0e9e64839c8840b68e9664 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Wed, 9 Dec 2020 11:15:20 +0200
|
|
||||||
Subject: [PATCH 1/2] Allow mod_auth_gssapi to create and access ccaches in
|
|
||||||
/run/ipa/ccaches
|
|
||||||
|
|
||||||
With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to
|
|
||||||
create unique credential caches in /run/ipa/ccaches for every client
|
|
||||||
that connects to IPA with a new session. On F34, mod_auth_gssapi process
|
|
||||||
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
|
|
||||||
it has no access rights.
|
|
||||||
|
|
||||||
The core of the problem is that we have two different paths to obtaining
|
|
||||||
a ccache: one where 'apache' running httpd process creates it directly
|
|
||||||
and one where an internal redirect from 'ipaapi' running httpd process
|
|
||||||
is happening.
|
|
||||||
|
|
||||||
Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
|
|
||||||
to '/run/ipa/ccaches'. This fixes the problem.
|
|
||||||
|
|
||||||
Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
|
|
||||||
do so, mod_auth_gssapi will do redirects and fail.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8613
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
init/tmpfilesd/ipa.conf.in | 3 ++-
|
|
||||||
install/share/ipa.conf.template | 4 ++--
|
|
||||||
2 files changed, 4 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/init/tmpfilesd/ipa.conf.in b/init/tmpfilesd/ipa.conf.in
|
|
||||||
index 183ceeda6..6467e1b93 100644
|
|
||||||
--- a/init/tmpfilesd/ipa.conf.in
|
|
||||||
+++ b/init/tmpfilesd/ipa.conf.in
|
|
||||||
@@ -1,2 +1,3 @@
|
|
||||||
d /run/ipa 0711 root root
|
|
||||||
-d /run/ipa/ccaches 0770 ipaapi ipaapi
|
|
||||||
+d /run/ipa/ccaches 6770 ipaapi ipaapi
|
|
||||||
+a+ /run/ipa/ccaches - - - - g:apache:rwx
|
|
||||||
diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template
|
|
||||||
index ca51d2ea3..d74e14d4f 100644
|
|
||||||
--- a/install/share/ipa.conf.template
|
|
||||||
+++ b/install/share/ipa.conf.template
|
|
||||||
@@ -75,7 +75,7 @@ WSGIScriptReloading Off
|
|
||||||
|
|
||||||
GssapiImpersonate On
|
|
||||||
GssapiDelegCcacheDir $IPA_CCACHES
|
|
||||||
- GssapiDelegCcachePerms mode:0660 gid:ipaapi
|
|
||||||
+ GssapiDelegCcachePerms mode:0660
|
|
||||||
GssapiDelegCcacheUnique On
|
|
||||||
GssapiUseS4U2Proxy on
|
|
||||||
GssapiAllowedMech krb5
|
|
||||||
@@ -117,7 +117,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
|
|
||||||
<Location "/ipa/session/login_x509">
|
|
||||||
AuthType none
|
|
||||||
GssapiDelegCcacheDir $IPA_CCACHES
|
|
||||||
- GssapiDelegCcachePerms mode:0660 gid:ipaapi
|
|
||||||
+ GssapiDelegCcachePerms mode:0660
|
|
||||||
GssapiDelegCcacheUnique On
|
|
||||||
SSLVerifyClient require
|
|
||||||
SSLUserName SSL_CLIENT_CERT
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
|
|
||||||
From 786e0823cdc58ad232b8320af94ea9ad89df88d6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Wed, 9 Dec 2020 13:26:05 +0200
|
|
||||||
Subject: [PATCH 2/2] upgrade: provide DOMAIN to the server upgrade dictionary
|
|
||||||
|
|
||||||
Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
|
|
||||||
in the dictionary. Regression was introduced with
|
|
||||||
e731b2725a3772cd037683ff2e08c514fd02019f.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8615
|
|
||||||
Related: https://pagure.io/freeipa/issue/8595
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/server/upgrade.py | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
||||||
index 18891d53c..00a133a4d 100644
|
|
||||||
--- a/ipaserver/install/server/upgrade.py
|
|
||||||
+++ b/ipaserver/install/server/upgrade.py
|
|
||||||
@@ -1578,6 +1578,7 @@ def upgrade_configuration():
|
|
||||||
IPA_CCACHES=paths.IPA_CCACHES,
|
|
||||||
IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
|
|
||||||
KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
|
|
||||||
+ DOMAIN=api.env.domain,
|
|
||||||
)
|
|
||||||
|
|
||||||
subject_base = find_subject_base()
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,75 +0,0 @@
|
|||||||
From 44669a5a35970020d492cba644d0584bcc68774f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Date: Mon, 14 Dec 2020 17:44:38 +0100
|
|
||||||
Subject: [PATCH] Change mkdir logic in DNSSEC
|
|
||||||
|
|
||||||
- Create /var/named/dyndb-ldap/ipa/master/ early
|
|
||||||
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()
|
|
||||||
|
|
||||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/dnssec/bindmgr.py | 7 +++----
|
|
||||||
ipaserver/install/dnskeysyncinstance.py | 19 +++++++++++++------
|
|
||||||
ipaserver/install/server/upgrade.py | 1 +
|
|
||||||
3 files changed, 17 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
|
|
||||||
index 4f7cad89344..a15c0e601a2 100644
|
|
||||||
--- a/ipaserver/dnssec/bindmgr.py
|
|
||||||
+++ b/ipaserver/dnssec/bindmgr.py
|
|
||||||
@@ -182,10 +182,9 @@ def sync_zone(self, zone):
|
|
||||||
zone_path = os.path.join(paths.BIND_LDAP_DNS_ZONE_WORKDIR,
|
|
||||||
self.get_zone_dir_name(zone))
|
|
||||||
try:
|
|
||||||
- os.makedirs(zone_path)
|
|
||||||
- except OSError as e:
|
|
||||||
- if e.errno != errno.EEXIST:
|
|
||||||
- raise e
|
|
||||||
+ os.mkdir(zone_path, 0o770)
|
|
||||||
+ except FileExistsError:
|
|
||||||
+ pass
|
|
||||||
|
|
||||||
# fix HSM permissions
|
|
||||||
# TODO: move out
|
|
||||||
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
|
|
||||||
index 26c1d9c7516..16870b73b5c 100644
|
|
||||||
--- a/ipaserver/install/dnskeysyncinstance.py
|
|
||||||
+++ b/ipaserver/install/dnskeysyncinstance.py
|
|
||||||
@@ -66,12 +66,19 @@ def set_dyndb_ldap_workdir_permissions(self):
|
|
||||||
"""
|
|
||||||
Setting up correct permissions to allow write/read access for daemons
|
|
||||||
"""
|
|
||||||
- if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
|
|
||||||
- os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
|
|
||||||
- # dnssec daemons require to have access into the directory
|
|
||||||
- os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
|
|
||||||
- os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
|
|
||||||
- self.named_gid)
|
|
||||||
+ directories = [
|
|
||||||
+ paths.BIND_LDAP_DNS_IPA_WORKDIR,
|
|
||||||
+ paths.BIND_LDAP_DNS_ZONE_WORKDIR,
|
|
||||||
+ ]
|
|
||||||
+ for directory in directories:
|
|
||||||
+ try:
|
|
||||||
+ os.mkdir(directory, 0o770)
|
|
||||||
+ except FileExistsError:
|
|
||||||
+ pass
|
|
||||||
+ else:
|
|
||||||
+ os.chmod(directory, 0o770)
|
|
||||||
+ # dnssec daemons require to have access into the directory
|
|
||||||
+ os.chown(directory, self.named_uid, self.named_gid)
|
|
||||||
|
|
||||||
def remove_replica_public_keys(self, replica_fqdn):
|
|
||||||
ldap = api.Backend.ldap2
|
|
||||||
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
||||||
index 18891d53c7d..c453e16b08a 100644
|
|
||||||
--- a/ipaserver/install/server/upgrade.py
|
|
||||||
+++ b/ipaserver/install/server/upgrade.py
|
|
||||||
@@ -1749,6 +1749,7 @@ def upgrade_configuration():
|
|
||||||
else:
|
|
||||||
if dnssec_set_openssl_engine(dnskeysyncd):
|
|
||||||
dnskeysyncd.start_dnskeysyncd()
|
|
||||||
+ dnskeysyncd.set_dyndb_ldap_workdir_permissions()
|
|
||||||
|
|
||||||
cleanup_kdc(fstore)
|
|
||||||
cleanup_adtrust(fstore)
|
|