-rw-r--r--freeipa.spec.in2
-rw-r--r--install/tools/ipa-upgradeconfig42
-rw-r--r--install/tools/man/ipa-upgradeconfig.85
3 files changed, 40 insertions, 9 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 38e353672..7c1dc4312 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -440,7 +440,7 @@ if [ $1 = 1 ]; then
fi
%endif
if [ $1 -gt 1 ] ; then
- /usr/sbin/ipa-upgradeconfig || :
+ /usr/sbin/ipa-upgradeconfig >/dev/null 2>&1 || :
fi
%posttrans server
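Review bot: With both streams sent to /dev/null and the exit status already discarded by `|| :`, a failing /usr/sbin/ipa-upgradeconfig leaves nothing in the rpm transaction output. The only remaining record is the log file that main() configures later in this commit, so an error raised before that call (an import failure, option parsing) would be lost. If a quiet transaction is the goal, keep the redirect but point the administrator at the log on failure, for example `/usr/sbin/ipa-upgradeconfig >/dev/null 2>&1 || echo "ipa-upgradeconfig failed, see /var/log/ipaupgrade.log" >&2`.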
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 07c8466cd..bc8e6a249 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -152,19 +152,20 @@ def upgrade(sub_dict, filename, template, add=False):
new = int(find_version(template))
if old < 0 and not add:
- print "%s not found." % filename
+ root_logger.error("%s not found." % filename)
sys.exit(1)
if new < 0:
- print "%s not found." % template
+ root_logger.error("%s not found." % template)
if old < new or (add and old == 0):
backup_file(filename, new)
update_conf(sub_dict, filename, template)
- print "Upgraded %s to version %d" % (filename, new)
+ root_logger.info("Upgraded %s to version %d", filename, new)
def check_certs():
"""Check ca.crt is in the right place, and try to fix if not"""
+ root_logger.info('[Verifying that root certificate is published]')
if not os.path.exists("/usr/share/ipa/html/ca.crt"):
ca_file = "/etc/httpd/alias/cacert.asc"
if os.path.exists(ca_file):
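Review bot: The `new < 0` branch logs the missing template at error level and then falls through, unlike the `old < 0` branch above it, which exits. With `add` set and `old == 0` the condition on the following line still holds, so backup_file and update_conf would apparently run against a template whose version could not be read. A `sys.exit(1)` after the second error call would make the two branches agree. Separately, the two error calls format eagerly with `%` while the info call passes arguments; `root_logger.error("%s not found.", filename)` would match it. upgrade() begins above this hunk, so the assignment of `old` is not visible here.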
@@ -174,8 +175,10 @@ def check_certs():
finally:
os.umask(old_umask)
else:
- print "Missing Certification Authority file."
- print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt"
+ root_logger.error("Missing Certification Authority file.")
+ root_logger.error("You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt")
+ else:
+ root_logger.debug('Certificate file exists')
def upgrade_pki(fstore):
"""
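Review bot: The new `else` branch reports 'Certificate file exists' on an os.path.exists() test alone, while the banner added in the previous hunk says the root certificate is being verified as published. Nothing visible here compares /usr/share/ipa/html/ca.crt with the CA certificate in /etc/httpd/alias/cacert.asc, so a stale or replaced file in the web root passes unnoticed. Either compare the two files when both exist, or word the message to match the check, e.g. `root_logger.debug('ca.crt present; contents not checked')`. The body of check_certs between the two hunks is not shown.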
@@ -184,7 +187,9 @@ def upgrade_pki(fstore):
This requires enabling SSL renegotiation.
"""
+ root_logger.info('[Verifying that CA proxy configuration is correct]')
if not os.path.exists('/etc/pki-ca/CS.cfg'):
+ root_logger.debug('No CA detected in /etc/pki-ca')
return
http = httpinstance.HTTPInstance(fstore)
@@ -194,6 +199,9 @@ def upgrade_pki(fstore):
os.path.exists('/usr/bin/pki-setup-proxy'):
ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+ root_logger.debug('Proxy configuration updated')
+ else:
+ root_logger.debug('Proxy configuration up-to-date')
def update_dbmodules(realm, filename="/etc/krb5.conf"):
newfile = []
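Review bot: 'Proxy configuration up-to-date' is logged for every way the condition can fail, and the visible tail of that condition includes `os.path.exists('/usr/bin/pki-setup-proxy')`. When the helper is missing, the CA proxy may still be unconfigured, yet the log says the opposite. Splitting the cases so the missing-tool path logs something like `root_logger.error('/usr/bin/pki-setup-proxy not found, CA proxy not configured')` would keep the log truthful. The start of the `if` lies above this hunk, so its other operands should be checked the same way.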
@@ -201,6 +209,7 @@ def update_dbmodules(realm, filename="/etc/krb5.conf"):
found_realm = False
prefix = ''
+ root_logger.info('[Verifying that KDC configuration is using ipa-kdb backend]')
st = os.stat(filename)
fd = open(filename)
@@ -208,7 +217,7 @@ def update_dbmodules(realm, filename="/etc/krb5.conf"):
fd.close()
if ' db_library = ipadb.so\n' in lines:
- # Already updated
+ root_logger.debug('dbmodules already updated in %s', filename)
return
for line in lines:
@@ -234,32 +243,42 @@ def update_dbmodules(realm, filename="/etc/krb5.conf"):
fd = open(filename, 'w')
fd.write("".join(newfile))
fd.close()
+ root_logger.debug('%s updated', filename)
def cleanup_kdc(fstore):
"""
Clean up old KDC files if they exist. We need to remove the actual
file and any references in the uninstall configuration.
"""
+ root_logger.info('[Checking for deprecated KDC configuration files]')
for file in ['kpasswd.keytab', 'ldappwd']:
filename = '/var/kerberos/krb5kdc/%s' % file
installutils.remove_file(filename)
if fstore.has_file(filename):
fstore.untrack_file(filename)
+ root_logger.debug('Uninstalling %s', filename)
def upgrade_ipa_profile(realm):
"""
Update the IPA Profile provided by dogtag
"""
+ root_logger.info('[Verifying that CA service certificate profile is updated]')
ca = cainstance.CAInstance(realm, certs.NSS_DIR)
if ca.is_configured():
if ca.enable_subject_key_identifier():
+ root_logger.debug('Subject Key Identifier updated, restarting CA')
ca.restart()
+ else:
+ root_logger.debug('Subject Key Identifier already set.')
+ else:
+ root_logger.debug('CA is not configured')
def upgrade_httpd_selinux(fstore):
"""
Update SElinux configuration for httpd instance in the same way as the
new server installation does.
"""
+ root_logger.info('[Verifying the Apache SELinux configuration]')
http = httpinstance.HTTPInstance(fstore)
http.configure_selinux_for_httpd()
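Review bot: In cleanup_kdc the only log line for deleting kpasswd.keytab and ldappwd is at debug level, sits inside the `fstore.has_file` branch, and is emitted after `untrack_file` has already run. `installutils.remove_file(filename)` is called for both paths regardless, so a credential file that exists but is not tracked would be removed with no log entry at all. Logging before the removal, e.g. `root_logger.debug('Removing %s', filename)` ahead of `remove_file`, with a separate message for the untrack step, gives an upgrade log that accounts for each file touched.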
@@ -275,8 +294,11 @@ def enable_psearch_for_named():
"""
changed = False
+ root_logger.info('[Enabling persistent search in DNS]')
+
if not bindinstance.named_conf_exists():
# DNS service may not be configured
+ root_logger.debug('DNS not configured')
return
try:
@@ -296,6 +318,7 @@ def enable_psearch_for_named():
else:
changed = True
sysupgrade.set_upgrade_state('named.conf', 'psearch_enabled', True)
+ root_logger.debug('Persistent search enabled')
# make sure number of connections is right
minimum_connections = 2
@@ -319,12 +342,15 @@ def enable_psearch_for_named():
try:
bindinstance.named_conf_set_directive('connections',
minimum_connections)
+ root_logger.debug('Connections set to %d', minimum_connections)
except IOError, e:
root_logger.error('Cannot update connections in %s: %s',
bindinstance.NAMED_CONF, e)
else:
changed = True
+ if not changed:
+ root_logger.debug('No changes made')
return changed
def main():
@@ -339,7 +365,9 @@ def main():
safe_options, options = parse_options()
- standard_logging_setup(None, debug=options.debug)
+ standard_logging_setup('/var/log/ipaupgrade.log', verbose=True,
+ debug=options.debug, console_format='%(message)s',
+ filemode='a')
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
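Review bot: The upgrade log is now a fixed path, /var/log/ipaupgrade.log, opened in append mode by a root process, and nothing in this hunk sets the mode the file is created with. Debug output from the steps above names configuration paths and CA state, so the file should not be world-readable. If standard_logging_setup does not already restrict permissions on files it creates, set a restrictive umask around the call. A short comment such as `# appended to on every package upgrade; created root-only` would record the intent. main() starts above this hunk.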
diff --git a/install/tools/man/ipa-upgradeconfig.8 b/install/tools/man/ipa-upgradeconfig.8
index 442f05482..740ec554a 100644
--- a/install/tools/man/ipa-upgradeconfig.8
+++ b/install/tools/man/ipa-upgradeconfig.8
@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
-.TH "ipa-upgradeconfig" "8" "Sep 9 2010" "freeipa" ""
+.TH "ipa-upgradeconfig" "8" "Jun 18 2012" "freeipa" ""
.SH "NAME"
ipa\-upgradeconfig \- Upgrade the IPA Apache configuration
.SH "SYNOPSIS"
@@ -29,6 +29,9 @@ It examines the VERSION value in the head of \fI/etc/httpd/conf.d/ipa.conf\fR an
It also will convert a CA configured to be accessible via ports 9443, 9444, 9445 and 9446 to be proxied by the IPA web server on ports 80 and 443.
This is not intended to be run by an end\-user. It is executed when the IPA rpms are upgraded. This must be run as the root user.
+.SH "OPTIONS"
+\fB\-d\fR, \fB\-\-debug\fR
+Enable debug logging when more verbose output is needed
.SH "EXIT STATUS"
0 if the update was successful or there was nothing to do