authorAlexander Bokovoy <abokovoy@redhat.com>2012-02-01 17:51:24 +0200
committerRob Crittenden <rcritten@redhat.com>2012-02-08 20:11:20 -0500
commit8bba212c80163648ed3a6ba9cf77b1369a198053 (patch)
tree7cb065835ae0ee0ee8eb9e73b6c05b5f5cef388f /init
parent2978e72e6ae4d4606efbc3d7b0d72f1ac74de440 (diff)
Handle upgrade issues with systemd in Fedora 16 and above
Since 389-ds-base-1.2.10-0.8.a7, Directory Server's systemd settings are configured via /etc/sysconfig/dirsrv.systemd. This requires a logic change in the systemd/fedora16 platform code of FreeIPA. Additionally, existing installs need to be handled during upgrade. Fixes: https://fedorahosted.org/freeipa/ticket/2117 https://fedorahosted.org/freeipa/ticket/2300
Diffstat (limited to 'init')
-rwxr-xr-xinit/systemd/freeipa-systemd-upgrade96
1 files changed, 96 insertions, 0 deletions
diff --git a/init/systemd/freeipa-systemd-upgrade b/init/systemd/freeipa-systemd-upgrade
new file mode 100755
index 000000000..e662d2835
--- /dev/null
+++ b/init/systemd/freeipa-systemd-upgrade
@@ -0,0 +1,96 @@
+#! /usr/bin/python -E
+from ipaserver.install.krbinstance import update_key_val_in_file
+from ipapython import ipautil, config
+from ipapython import services as ipaservices
+import os, platform
+
+def convert_java_link(foo, topdir, filepaths):
+ cwd = os.getcwd()
+ os.chdir(topdir)
+ for filepath in filepaths:
+ # All this shouldn't happen because java system upgrade should properly
+ # move files and symlinks but if this is a broken link
+ if os.path.islink(filepath):
+ print " Checking %s ... " % (filepath),
+ if not os.path.exists(filepath):
+ rpath = os.path.realpath(filepath)
+ # .. and it points to jss in /usr/lib
+ if rpath.find('/usr/lib/') != -1 and rpath.find('jss') != -1:
+ base = os.path.basename(rpath)
+ bitness = platform.architecture()[0][:2]
+ # rewrite it to /usr/lib64 for x86_64 platform
+ if bitness == '64':
+ npath = "/usr/lib%s/jss/%s" % (bitness, base)
+ os.unlink(filepath)
+ os.symlink(npath, filepath)
+ print "%s -> %s" % (filepath, npath)
+ else:
+ print "Ok"
+ else:
+ print "Ok"
+ else:
+ print "Ok"
+ os.chdir(cwd)
+
+# 0. Init config
+try:
+ config.init_config()
+except config.IPAConfigError, e:
+ # No configured IPA install, no need to upgrade anything
+ exit(0)
+
+# 1. Convert broken symlinks, if any, in /var/lib/pki-ca
+if os.path.exists('/var/lib/pki-ca/common/lib'):
+ print "Analyzing symlinks in PKI-CA install"
+ os.path.walk('/var/lib/pki-ca/common/lib', convert_java_link, None)
+
+try:
+ print "Found IPA server for domain %s" % (config.config.default_realm)
+ # 1. Make sure Dogtag instance (if exists) has proper OIDs for IPA CA
+ ipa_ca_cfg = "/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg"
+ if os.path.exists(ipa_ca_cfg):
+ print "Make sure PKI-CA has Extended Key Usage OIDs for the certificates (Server and Client Authentication)",
+ key = 'policyset.serverCertSet.7.default.params.exKeyUsageOIDs'
+ value = '1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2'
+ replacevars = {key:value}
+ appendvars = {}
+ old_values = ipautil.config_replace_variables(ipa_ca_cfg, replacevars=replacevars, appendvars=appendvars)
+ ipaservices.restore_context(ipa_ca_cfg)
+ if key in old_values and old_values[key] != value:
+ print
+ print " WARNING: Previously issued certificate didn't have both Server and Client Authentication usage"
+ print " Old usage OID(s): %(oids)s" % (old_values[key])
+ print " Please make sure to revoke old certificates and re-issue them again to add both usages when needed"
+ ipaservices.service('pki-cad').restart()
+ else:
+ print "... ok"
+ print "Converting services setup to systemd"
+ # 2. Upgrade /etc/sysconfig/dirsrv for systemd
+ print " Upgrade /etc/sysconfig/dirsrv"
+ update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
+ update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
+ # 3. Upgrade /etc/sysconfig/krb5kdc for systemd
+ print " Upgrade /etc/sysconfig/krb5kdc"
+ replacevars = {'KRB5REALM':config.config.default_realm}
+ appendvars = {}
+ ipautil.config_replace_variables("/etc/sysconfig/krb5kdc",
+ replacevars=replacevars, appendvars=appendvars)
+ ipaservices.restore_context("/etc/sysconfig/krb5kdc")
+ # 4. Enable DS instances:
+ # when enabling DS instances we'll also do configure /etc/sysconfig/dirsrv.systemd
+ # which comes with 389-ds-base-1.2.10-0.8.a7 on F-16 and later. This is handled in
+ # fedora16 platform code
+ realm = config.config.default_realm.upper().replace('.','-')
+ print " Re-enable Directory server instances PKI-IPA and %s " % (realm)
+ if os.path.exists('/etc/systemd/system/dirsrv@.service'):
+ os.unlink('/etc/systemd/system/dirsrv@.service')
+ ipaservices.knownservices.dirsrv.enable(realm)
+ ipaservices.knownservices.dirsrv.enable("PKI-IPA")
+ # 4. Enable FreeIPA
+ print " Re-enable IPA service"
+ ipaservices.knownservices.ipa.enable()
+except:
+ pass
+
+finally:
+ print "Finished."
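Review bot: The bare `except:` / `pass` that closes the script hides every failure in the upgrade steps, and one looks likely: `"%(oids)s" % (old_values[key])` in the WARNING branch uses a named placeholder with what appears to be a plain string (it is compared with `value` a few lines earlier), which would raise TypeError. In that case the revoke/re-issue warning is cut short, `pki-cad` is not restarted, and the dirsrv, krb5kdc and service-enable steps are skipped, while the script still prints "Finished." and ends normally. Format the value with `print " Old usage OID(s): %s" % old_values[key]`, and replace the handler with `except Exception, e:` that prints the error and exits non-zero. A half-applied upgrade, for example one that stops after `/etc/systemd/system/dirsrv@.service` is unlinked but before the instances are re-enabled, is then visible to the administrator.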