authorDavid Kupka <dkupka@redhat.com>2014-09-30 08:41:49 -0400
committerMartin Kosek <mkosek@redhat.com>2014-10-15 09:12:11 +0200
commitc44f4dcbea210e7802deda1909a3ec70aa6b6460 (patch)
tree2bf497fe54e363a16501b6a1c94a81d636d58701 /install/tools
parent7ad70025eb2deaf5c7c79149673dc2fbde2b7c2c (diff)
Stop dogtag when updating its configuration in ipa-upgradeconfig.
Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file. https://fedorahosted.org/freeipa/ticket/4569 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install/tools')
-rw-r--r--install/tools/ipa-upgradeconfig50
1 files changed, 27 insertions, 23 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 7f785e614..a1f085be4 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore):
if not installutils.get_directive(configured_constants.CS_CFG_PATH,
'proxy.securePort', '=') and \
os.path.exists(paths.PKI_SETUP_PROXY):
- ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
- ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+ # update proxy configuration with stopped dogtag to prevent corruption
+ # of CS.cfg
+ ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib',
+ '-pki_instance_name=pki-ca','-subsystem_type=ca'])
root_logger.debug('Proxy configuration updated')
else:
root_logger.debug('Proxy configuration up-to-date')
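Review bot: The added comment in `upgrade_pki` says the proxy update runs with dogtag stopped, but nothing in the visible lines of the function stops the service or checks that it is stopped. The guarantee comes only from the `with installutils.stopped_service(...)` block added to `main()` in the second hunk. A later caller outside that block would run `paths.PKI_SETUP_PROXY` against a live instance while the comment still claims otherwise. I would word it as a precondition, e.g. `# caller must have stopped dogtag (see stopped_service in main()); updating CS.cfg under a running instance can corrupt it`, and repeat it in the function's docstring. `upgrade_pki` starts and ends outside this hunk.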
@@ -1204,28 +1206,30 @@ def main():
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
ca.backup_config()
- # migrate CRL publish dir before the location in ipa.conf is updated
- ca_restart = migrate_crl_publish_dir(ca)
+ with installutils.stopped_service(configured_constants.SERVICE_NAME,
+ configured_constants.PKI_INSTANCE_NAME):
+ # migrate CRL publish dir before the location in ipa.conf is updated
+ ca_restart = migrate_crl_publish_dir(ca)
+
+ if ca.is_configured():
+ crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
+ 'ca.crl.MasterCRL.enableCRLUpdates', '=')
+ sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
+
+ ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
+ ds_dirname = dsinstance.config_dirname(ds_serverid)
+
+ upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
+ if subject_base:
+ upgrade(
+ sub_dict,
+ os.path.join(ds_dirname, "certmap.conf"),
+ os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
+ )
+ upgrade_pki(ca, fstore)
- if ca.is_configured():
- crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
- 'ca.crl.MasterCRL.enableCRLUpdates',
- '=')
- sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
-
- ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
- ds_dirname = dsinstance.config_dirname(ds_serverid)
-
- upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
- if subject_base:
- upgrade(
- sub_dict,
- os.path.join(ds_dirname, "certmap.conf"),
- os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
- )
- upgrade_pki(ca, fstore)
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
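Review bot: `ca.backup_config()` still runs before the `with installutils.stopped_service(...)` block, so the backup is taken while dogtag may still be running. If it copies CS.cfg, as the name suggests, it may not capture a quiescent file, since a running dogtag is the condition the commit message ties to corruption. Making the call the first statement inside the `with` block would let the backup and the later edits see the same stopped state. The block also wraps the `upgrade(...)` calls for the httpd and certmap files. Whether dogtag is started again when one of them raises depends on `stopped_service` restoring the service in a `finally`, which is not visible here and is worth confirming. `main()` begins and continues outside this hunk, including any later use of `ca_restart`.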