freeipa.git/ipapython/platform, branch 30gatepo FreeIPA project Make sure the CA is running when starting services 2012-10-24T02:02:21+00:00 Petr Viktorin pviktori@redhat.com 2012-09-25T13:57:03+00:00 d6fbbd530ee94bc4cdd00c9106fd789e50fb81cf - Provide a function for determinig the CA status using Dogtag 10's new getStatus endpoint. This must be done over HTTPS, but since our client certificate may not be set up yet, we need HTTPS without client authentication. Rather than copying from the existing http_request and https_request function, shared code is factored out to a common helper. - Call the new function when restarting the CA service. Since our Service can only be extended in platform-specific code, do this for Fedora only. Also, the status is only checked with Dogtag 10+. - When a restart call in cainstance failed, users were refered to the installation log, but no info was actually logged. Log the exception. https://fedorahosted.org/freeipa/ticket/3084 
- Provide a function for determinig the CA status using Dogtag 10's new
  getStatus endpoint.
  This must be done over HTTPS, but since our client certificate may not be set
  up yet, we need HTTPS without client authentication.
  Rather than copying from the existing http_request and https_request
  function, shared code is factored out to a common helper.
- Call the new function when restarting the CA service. Since our Service
  can only be extended in platform-specific code, do this for Fedora only.
  Also, the status is only checked with Dogtag 10+.
- When a restart call in cainstance failed, users were refered to the
  installation log, but no info was actually logged. Log the exception.

https://fedorahosted.org/freeipa/ticket/3084
Add fallback for httpd restarts on sysV platforms 2012-10-19T00:53:42+00:00 Martin Kosek mkosek@redhat.com 2012-10-18T14:50:08+00:00 9126b18d8bbf7d8f0f8981deb84f80f2eaa27bfe httpd init script on sysV based platforms cannot guarantee that two consecutive httpd service restarts succeed when run in a small time distance. Add fallback procedure that adds additional waiting time after such failed restart attempt, and then try to stop and start the service again. https://fedorahosted.org/freeipa/ticket/2965 
httpd init script on sysV based platforms cannot guarantee that two
consecutive httpd service restarts succeed when run in a small
time distance.

Add fallback procedure that adds additional waiting time after such
failed restart attempt, and then try to stop and start the service
again.

https://fedorahosted.org/freeipa/ticket/2965
Wait for secure Dogtag ports when starting the pki services 2012-10-03T15:38:42+00:00 Petr Viktorin pviktori@redhat.com 2012-09-25T13:48:47+00:00 9c0426c3ed6045e3af54c5c00be23bb63eb92606 Dogtag opens not only the insecure port (8080 or 9180, for d10 and d9 respectively), but also secure ports (8443 or 9443&9444). Wait for them when starting. Part of the fix for https://fedorahosted.org/freeipa/ticket/3084 
Dogtag opens not only the insecure port (8080 or 9180, for d10 and
d9 respectively), but also secure ports (8443 or 9443&9444).
Wait for them when starting.

Part of the fix for https://fedorahosted.org/freeipa/ticket/3084
Use Dogtag 10 only when it is available 2012-09-17T22:43:59+00:00 Petr Viktorin pviktori@redhat.com 2012-08-23T16:38:45+00:00 4f76c143d2f2036af02677469c542f563a10158d Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846 
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
Modifications to install scripts for dogtag 10 2012-09-17T22:43:36+00:00 Ade Lee alee@redhat.com 2012-08-16T02:53:51+00:00 3dd31a875650c7fe7c67ca6b47f2058c1181dafb Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846 
Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846
Create /etc/sysconfig/network if it doesn't exist 2012-08-03T10:09:56+00:00 Petr Viktorin pviktori@redhat.com 2012-07-19T13:07:23+00:00 c8abd24ebe612a3a0d415cece508b94a57c636fe When the --hostname option is given to ipa-client-install, we write HOSTNAME to /etc/sysconfig/network. When that file didn't exist, the installer crashed. Create the file if it doesn't exist and we need to write to it. https://fedorahosted.org/freeipa/ticket/2840 
When the --hostname option is given to ipa-client-install, we
write HOSTNAME to /etc/sysconfig/network. When that file didn't exist,
the installer crashed.

Create the file if it doesn't exist and we need to write to it.

https://fedorahosted.org/freeipa/ticket/2840
Use certmonger to renew CA subsystem certificates 2012-07-30T11:39:08+00:00 Rob Crittenden rcritten@redhat.com 2012-07-11T19:51:01+00:00 03837bfd6dbf7fd1eaa437da22807d7061b99af7 Certificate renewal can be done only one one CA as the certificates need to be shared amongst them. certmonger has been trained to communicate directly with dogtag to perform the renewals. The initial CA installation is the defacto certificate renewal master. A copy of the certificate is stored in the IPA LDAP tree in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the certificate, when a certificate is renewed. Only the most current certificate is stored. It is valid to have no certificates there, it means that no renewals have taken place. The clones are configured with a new certmonger CA type that polls this location in the IPA tree looking for an updated certificate. If one is not found then certmonger is put into the CA_WORKING state and will poll every 8 hours until an updated certificate is available. The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case. When this certificate is updated we also need to update its entry in the dogtag tree, adding the updated certificate and telling dogtag which certificate to use. This is the certificate that lets IPA issue certificates. On upgrades we check to see if the certificate tracking is already in place. If not then we need to determine if this is the master that will do the renewals or not. This decision is made based on whether it was the first master installed. It is concievable that this master is no longer available meaning that none are actually tracking renewal. We will need to document this. https://fedorahosted.org/freeipa/ticket/2803 
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
Centralize timeout for waiting for servers to start. 2012-07-02T21:08:58+00:00 Rob Crittenden rcritten@redhat.com 2012-05-24T15:23:36+00:00 e5b6260008a3a7132fdaef99d800406eb8872316 All service start/restart currently go through ipapython/platform so move the "wait for service to start" code there as well. A dictionary of known services and ports to wait on is defined in base.py This is referenced by the platforms by instance name to determine what to wait for. For the case of dirsrv if we get that as a plain name (no specific instance) it is assumed to be the main IPA service. https://fedorahosted.org/freeipa/ticket/2375 https://fedorahosted.org/freeipa/ticket/2610 
All service start/restart currently go through ipapython/platform so
move the "wait for service to start" code there as well.

A dictionary of known services and ports to wait on is defined in base.py
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.

https://fedorahosted.org/freeipa/ticket/2375
https://fedorahosted.org/freeipa/ticket/2610
Configure automount using autofs or sssd. 2012-06-25T21:24:34+00:00 Rob Crittenden rcritten@redhat.com 2012-05-29T18:20:38+00:00 f4d2f2a65b799e200c2f98164e1a0ac4e9b07376 This script edits nsswitch.conf to use either ldap (autofs) or sss (sssd) to find automount maps. NFSv4 services are started so Kerberos encryption and/or integrity can be used on the maps. https://fedorahosted.org/freeipa/ticket/1233 https://fedorahosted.org/freeipa/ticket/2193 
This script edits nsswitch.conf to use either ldap (autofs) or
sss (sssd) to find automount maps.

NFSv4 services are started so Kerberos encryption and/or integrity can
be used on the maps.

https://fedorahosted.org/freeipa/ticket/1233
https://fedorahosted.org/freeipa/ticket/2193
If SELinux is enabled ensure we also have restorecon. 2012-05-31T12:07:05+00:00 Rob Crittenden rcritten@redhat.com 2012-05-31T11:59:33+00:00 9e877585e213a9fccec8ff9b3dcb876b2ec65696 We don't have a specific requires on the policycoreutils package. It gets pulled in as a dependency on the server anyway, but checking there is like a belt and suspenders. On the client we don't require SELinux at all. If SELinux is enabled however we need to set things up properly. This is provided by the policycoreutils package so fail if that isn't available. https://fedorahosted.org/freeipa/ticket/2368 
We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.

On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.

https://fedorahosted.org/freeipa/ticket/2368