Diffstat (limited to 'install/tools/ipa-upgradeconfig')
-rw-r--r-- | install/tools/ipa-upgradeconfig | 103 |
1 files changed, 93 insertions, 10 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 6c0437180..cb2164c0c 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -25,7 +25,7 @@ Upgrade configuration files to a newer template.
 import sys
 try:
-    from ipapython import ipautil, sysrestore, version
+    from ipapython import ipautil, sysrestore, version, services
     from ipapython.config import IPAOptionParser
     from ipapython.ipa_log_manager import *
     from ipapython import certmonger
@@ -44,6 +44,7 @@ try:
     import re
     import os
     import shutil
+    import pwd
     import fileinput
     from ipalib import api
     import ipalib.errors
@@ -281,12 +282,11 @@ def cleanup_kdc(fstore):
         fstore.untrack_file(filename)
         root_logger.debug('Uninstalling %s', filename)
 
-def upgrade_ipa_profile(realm):
+def upgrade_ipa_profile(ca):
     """
     Update the IPA Profile provided by dogtag
     """
     root_logger.info('[Verifying that CA service certificate profile is updated]')
-    ca = cainstance.CAInstance(realm, certs.NSS_DIR)
     if ca.is_configured():
         if ca.enable_subject_key_identifier():
             root_logger.debug('Subject Key Identifier updated, restarting CA')
@@ -433,22 +433,23 @@ def named_enable_serial_autoincrement():
     return changed
 
-def enable_certificate_renewal(realm):
+def enable_certificate_renewal(ca):
     """
     If the CA subsystem certificates are not being tracked for renewal
     then tell certmonger to start tracking them.
+
+    Returns True when CA needs to be restarted
     """
-    ca = cainstance.CAInstance(realm, certs.NSS_DIR)
     if not ca.is_configured():
         root_logger.debug('dogtag not configured')
-        return
+        return False
 
     # Using the nickname find the certmonger request_id
     criteria = (('cert_storage_location', '/etc/httpd/alias', certmonger.NPATH),('cert_nickname', 'ipaCert', None))
     request_id = certmonger.get_request_id(criteria)
     if request_id is not None:
         root_logger.debug('Certificate renewal already configured')
-        return
+        return False
 
     if not sysupgrade.get_upgrade_state('dogtag', 'renewal_configured'):
         if ca.is_master():
@@ -459,8 +460,81 @@ def enable_certificate_renewal(realm):
             ca.configure_agent_renewal()
             ca.track_servercert()
         sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True)
-        ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
         root_logger.debug('CA subsystem certificate renewal enabled')
+        return True
+
+    return False
+
+def copy_crl_file(old_path, new_path=None):
+    """
+    Copy CRL to new location, update permissions and SELinux context
+    """
+    if new_path is None:
+        filename = os.path.basename(old_path)
+        new_path = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH,
+                                filename)
+    root_logger.debug('copy_crl_file: %s -> %s', old_path, new_path)
+
+    if os.path.islink(old_path):
+        # update symlink to the most most recent CRL file
+        filename = os.path.basename(os.readlink(old_path))
+        realpath = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH,
+                                filename)
+        root_logger.debug('copy_crl_file: Create symlink %s -> %s',
+                          new_path, realpath)
+        os.symlink(realpath, new_path)
+    else:
+        shutil.copy2(old_path, new_path)
+        pent = pwd.getpwnam(cainstance.PKI_USER)
+        os.chown(new_path, pent.pw_uid, pent.pw_gid)
+
+    services.restore_context(new_path)
+
+def migrate_crl_publish_dir(ca):
+    """
+    Move CRL publish dir from /var/lib/pki-ca/publish to IPA controlled tree:
+    /var/lib/ipa/pki-ca/publish
+    """
+    root_logger.info('[Migrate CRL publish directory]')
+    if sysupgrade.get_upgrade_state('dogtag', 'moved_crl_publish_dir'):
+        root_logger.info('CRL tree already moved')
+        return False
+
+    caconfig = dogtag.configured_constants()
+
+    old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH,
+        'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+        separator='=')
+
+    if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
+        # publish dir is already updated
+        root_logger.info('Publish directory already set to new location')
+        sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
+        return False
+
+    # Prepare target publish dir (permissions, SELinux context)
+    publishdir = ca.prepare_crl_publish_dir()
+
+    # Copy all CRLs to new directory
+    root_logger.info('Copy all CRLs to new publish directory')
+    try:
+        crl_files = cainstance.get_crl_files(old_publish_dir)
+    except OSError, e:
+        root_logger.error('Cannot move CRL files to new directory: %s', e)
+    else:
+        for f in crl_files:
+            try:
+                copy_crl_file(f)
+            except Exception, e:
+                root_logger.error('Cannot move CRL file to new directory: %s', e)
+
+    installutils.set_directive(caconfig.CS_CFG_PATH,
+        'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+        publishdir, quotes=False, separator='=')
+    sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
+    root_logger.info('CRL publish directory has been migrated, '
+                     'request pki-ca restart')
+    return True
 
 def main():
     """
@@ -505,6 +579,11 @@ def main():
         DOGTAG_PORT=configured_constants.AJP_PORT,
     )
+
+    # migrate CRL publish dir before the location in ipa.conf is updated
+    ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+    ca_restart = migrate_crl_publish_dir(ca)
+
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
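Review bot: migrate_crl_publish_dir rewrites the CS.cfg publish directive and sets the `moved_crl_publish_dir` state even when every `copy_crl_file` call failed — the `except OSError` and `except Exception` branches only log, and once the state flag is set the copy is never retried, so the new publish directory can come up empty and whatever serves CRLs from it (the next hunk's comment says ipa.conf is repointed right after this call) has nothing to hand out until dogtag publishes its next CRL; a missing CRL silently degrades revocation checking, so this should not be best-effort. Record whether any copy failed and, if so, leave CS.cfg and the upgrade state untouched and return False so the next run retries, logging the file that failed. Separately, the symlink branch of copy_crl_file calls `os.symlink(realpath, new_path)` without clearing an existing `new_path`, so a re-run after a partially completed first pass fails with EEXIST on every link while `shutil.copy2` in the other branch silently overwrites; add `if os.path.lexists(new_path): os.remove(new_path)` before the symlink. The definition of main() starts in this hunk but continues past it.
```python
    # Copy all CRLs to new directory
    root_logger.info('Copy all CRLs to new publish directory')
    copy_failed = False
    try:
        crl_files = cainstance.get_crl_files(old_publish_dir)
    except OSError, e:
        root_logger.error('Cannot move CRL files to new directory: %s', e)
        copy_failed = True
    else:
        for f in crl_files:
            try:
                copy_crl_file(f)
            except Exception, e:
                root_logger.error('Cannot move CRL file %s to new directory: %s', f, e)
                copy_failed = True

    if copy_failed:
        # leave CS.cfg and the upgrade state alone so the next run retries
        root_logger.error('CRL publish directory migration incomplete, '
                          'leaving CA configuration unchanged')
        return False

    # ... unchanged: set_directive, set_upgrade_state, return True ...
```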
@@ -530,14 +609,18 @@ def main():
         pass
 
     cleanup_kdc(fstore)
-    upgrade_ipa_profile(api.env.realm)
+    upgrade_ipa_profile(ca)
     changed_psearch = named_enable_psearch()
     changed_autoincrement = named_enable_serial_autoincrement()
     if changed_psearch or changed_autoincrement:
         # configuration has changed, restart the name server
         root_logger.info('Changes to named.conf have been made, restart named')
         bindinstance.BindInstance(fstore).restart()
-    enable_certificate_renewal(api.env.realm)
+    ca_restart = ca_restart or enable_certificate_renewal(ca)
+
+    if ca_restart:
+        root_logger.info('pki-ca configuration changed, restart pki-ca')
+        ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
 
 if __name__ == '__main__':
     installutils.run_script(main, operation_name='ipa-upgradeconfig')
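Review bot: `ca_restart = ca_restart or enable_certificate_renewal(ca)` short-circuits, so on a run where migrate_crl_publish_dir already returned True the call to enable_certificate_renewal(ca) never happens and certmonger tracking of the CA subsystem certificates is silently skipped — exactly on the upgrade that first moves the CRL directory, and it would only be picked up by a later run since `renewal_configured` stays unset. Evaluate the call unconditionally: `renewal_changed = enable_certificate_renewal(ca)` then `ca_restart = ca_restart or renewal_changed`. The single conditional restart that follows is otherwise fine and matches the restart the old enable_certificate_renewal used to do itself.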