From 748ca34eae43f50b2c9e3ff3295b6ad490633df2 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 6 Feb 2018 10:05:49 +0100 Subject: [PATCH] Replace wsgi package conflict with config file Instead of a package conflict, freeIPA now uses an Apache config file to enforce the correct wsgi module. The workaround only applies to Fedora since it is the only platform that permits parallel installation of Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and Debian doesn't permit installation of both variants. See: https://pagure.io/freeipa/issue/7161 Fixes: https://pagure.io/freeipa/issue/7394 Signed-off-by: Christian Heimes --- install/share/Makefile.am | 1 + install/share/ipa-httpd-wsgi.conf.template | 7 +++++++ ipaplatform/base/constants.py | 4 ++++ ipaplatform/base/paths.py | 2 ++ ipaplatform/base/tasks.py | 4 ++++ ipaplatform/debian/tasks.py | 5 +++++ ipaplatform/fedora/constants.py | 6 +++++- ipaplatform/fedora/paths.py | 4 +++- ipaplatform/redhat/tasks.py | 31 ++++++++++++++++++++++++++++++ ipaserver/install/httpinstance.py | 7 ++++++- ipaserver/install/server/upgrade.py | 7 +++++++ 11 files changed, 75 insertions(+), 3 deletions(-) create mode 100644 install/share/ipa-httpd-wsgi.conf.template diff --git a/install/share/Makefile.am b/install/share/Makefile.am index b1285854ea..abdf3ac648 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -85,6 +85,7 @@ dist_app_DATA = \ kdcproxy-enable.uldif \ kdcproxy-disable.uldif \ ipa-httpd.conf.template \ + ipa-httpd-wsgi.conf.template \ gssapi.login \ gssproxy.conf.template \ kdcproxy.wsgi \ diff --git a/install/share/ipa-httpd-wsgi.conf.template b/install/share/ipa-httpd-wsgi.conf.template new file mode 100644 index 0000000000..89d424665a --- /dev/null +++ b/install/share/ipa-httpd-wsgi.conf.template @@ -0,0 +1,7 @@ +# Do not edit. Created by IPA installer. + +# Some platforms allow parallel installation of Python 2 and 3 mod_wsgi +# modules, but the modules can't coexist. Enforce loading of correct +# WSGI module before the package's default config. + +LoadModule wsgi_module $WSGI_MODULE diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py index 94bd0f8a10..ca4a12ec01 100644 --- a/ipaplatform/base/constants.py +++ b/ipaplatform/base/constants.py @@ -39,5 +39,9 @@ class BaseConstantsNamespace(object): SSSD_USER = "sssd" # sql (new format), dbm (old format) NSS_DEFAULT_DBTYPE = 'dbm' + # WSGI module override, only used on Fedora + MOD_WSGI_PYTHON2 = None + MOD_WSGI_PYTHON3 = None + constants = BaseConstantsNamespace() diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 3bb32416d6..753e8e80e7 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -48,6 +48,8 @@ class BasePathNamespace(object): HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf" HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf" HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf" + # only used on Fedora + HTTPD_IPA_WSGI_MODULES_CONF = None OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab" HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab" HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf" diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 8f73eaddc2..d4b56318e3 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -211,6 +211,10 @@ def remove_httpd_service_ipa_conf(self): """Remove configuration of httpd service of IPA""" raise NotImplementedError() + def configure_httpd_wsgi_conf(self): + """Configure WSGI for correct Python version""" + raise NotImplementedError() + def is_fips_enabled(self): return False diff --git a/ipaplatform/debian/tasks.py b/ipaplatform/debian/tasks.py index 6c41a35e77..4537260146 100644 --- a/ipaplatform/debian/tasks.py +++ b/ipaplatform/debian/tasks.py @@ -47,4 +47,9 @@ def restore_auth_configuration(path): def parse_ipa_version(version): return BaseTaskNamespace.parse_ipa_version(version) + def configure_httpd_wsgi_conf(self): + # Debian doesn't require special mod_wsgi configuration + pass + + tasks = DebianTaskNamespace() diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py index ce03f58cf9..79e7bd9a5e 100644 --- a/ipaplatform/fedora/constants.py +++ b/ipaplatform/fedora/constants.py @@ -11,6 +11,10 @@ class FedoraConstantsNamespace(RedHatConstantsNamespace): - pass + # Fedora allows installation of Python 2 and 3 mod_wsgi, but the modules + # can't coexist. For Apache to load correct module. + MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so" + MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so" + constants = FedoraConstantsNamespace() diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py index 49a904f2f2..5238cdb4f4 100644 --- a/ipaplatform/fedora/paths.py +++ b/ipaplatform/fedora/paths.py @@ -27,7 +27,9 @@ class FedoraPathNamespace(RedHatPathNamespace): - pass + HTTPD_IPA_WSGI_MODULES_CONF = ( + "/etc/httpd/conf.modules.d/02-ipa-wsgi.conf" + ) paths = FedoraPathNamespace() diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 79bd5335ea..701c280ec0 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -30,6 +30,7 @@ import socket import traceback import errno +import sys from ctypes.util import find_library from functools import total_ordering @@ -484,6 +485,36 @@ def configure_http_gssproxy_conf(self, ipaapi_user): os.chmod(paths.GSSPROXY_CONF, 0o600) self.restore_context(paths.GSSPROXY_CONF) + def configure_httpd_wsgi_conf(self): + """Configure WSGI for correct Python version (Fedora) + + See https://pagure.io/freeipa/issue/7394 + """ + conf = paths.HTTPD_IPA_WSGI_MODULES_CONF + if sys.version_info.major == 2: + wsgi_module = constants.MOD_WSGI_PYTHON2 + else: + wsgi_module = constants.MOD_WSGI_PYTHON3 + + if conf is None or wsgi_module is None: + logger.info("Nothing to do for configure_httpd_wsgi_conf") + return + + confdir = os.path.dirname(conf) + if not os.path.isdir(confdir): + os.makedirs(confdir) + + ipautil.copy_template_file( + os.path.join( + paths.USR_SHARE_IPA_DIR, 'ipa-httpd-wsgi.conf.template' + ), + conf, + dict(WSGI_MODULE=wsgi_module) + ) + + os.chmod(conf, 0o644) + self.restore_context(conf) + def remove_httpd_service_ipa_conf(self): """Remove systemd config for httpd service of IPA""" try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 8f3b5937fd..46764e6aa7 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -213,6 +213,7 @@ def remove_httpd_ccaches(self): def __configure_http(self): self.update_httpd_service_ipa_conf() + self.update_httpd_wsgi_conf() target_fname = paths.HTTPD_IPA_CONF http_txt = ipautil.template_file( @@ -508,6 +509,9 @@ def enable_and_start_oddjobd(self): def update_httpd_service_ipa_conf(self): tasks.configure_httpd_service_ipa_conf() + def update_httpd_wsgi_conf(self): + tasks.configure_httpd_wsgi_conf() + def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring web server") @@ -564,7 +568,8 @@ def uninstall(self): installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF) - tasks.remove_httpd_service_ipa_conf() + if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None: + installutils.remove_file(paths.HTTPD_IPA_WSGI_MODULES_CONF) # Restore SELinux boolean states boolean_states = {name: self.restore_state(name) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 07cc18a78c..b12d80f105 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1458,11 +1458,17 @@ def update_mod_nss_cipher_suite(http): 'cipher_suite_updated', httpinstance.NSS_CIPHER_REVISION) + def update_ipa_httpd_service_conf(http): logger.info('[Updating HTTPD service IPA configuration]') http.update_httpd_service_ipa_conf() +def update_ipa_http_wsgi_conf(http): + logger.info('[Updating HTTPD service IPA WSGI configuration]') + http.update_httpd_wsgi_conf() + + def update_http_keytab(http): logger.info('[Moving HTTPD service keytab to gssproxy]') if os.path.exists(paths.OLD_IPA_KEYTAB): @@ -1782,6 +1788,7 @@ def upgrade_configuration(): http.stop() disable_httpd_system_trust(http) update_ipa_httpd_service_conf(http) + update_ipa_http_wsgi_conf(http) update_mod_nss_protocol(http) update_mod_nss_cipher_suite(http) disable_mod_nss_ocsp(http)