From 8495af1a50faca496fe2ce425b9b3a7f21ba1ea6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 1 Aug 2011 15:16:24 -0400
Subject: Re-arrange CA configuration code to reduce the number of restarts.

Ade Lee from the dogtag team looked at the configuration code and determined that a number of restarts were not needed and recommended re-arranging other code to reduce the number of restarts to one.

https://fedorahosted.org/freeipa/ticket/1555
---
 ipaserver/install/cainstance.py | 48 ++++++++++++-----------------------------
 ipaserver/install/service.py | 5 ++++-
 2 files changed, 18 insertions(+), 35 deletions(-)
(limited to 'ipaserver')
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d62f232cc..5c6c49e4b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -517,8 +517,8 @@ class CAInstance(service.Service):
 self.step("creating certificate server user", self.__create_ca_user)
 if not ipautil.dir_exists("/var/lib/pki-ca"):
 self.step("creating pki-ca instance", self.create_instance)
- self.step("restarting certificate server", self.__restart_instance)
 self.step("configuring certificate server instance", self.__configure_instance)
+ self.step("disabling nonces", self.__disable_nonce)
 # Step 1 of external is getting a CSR so we don't need to do these
 # steps until we get a cert back from the external CA.
 if self.external != 1:
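Review bot: The new `disabling nonces` step switches off dogtag's anti-CSRF nonce check on the CA's web interfaces, and neither the step label nor `__disable_nonce` (added in the hunk at line 4) records why the IPA install needs that; presumably the RA agent's requests to the CA carry no nonce, but that is inferred rather than visible here. Please add a comment at the step, e.g. `# nonces must be off for the RA agent requests that follow; see __disable_nonce`, so the weakening is deliberate and reviewable. Note also that the CS.cfg edit takes effect only at the later restart, which the step list at line 2 now runs for non-clones only. The method holding this step list starts and ends outside the hunk.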
@@ -527,20 +527,18 @@ class CAInstance(service.Service):
 if self.create_ra_agent_db:
 self.step("creating RA agent certificate database", self.__create_ra_agent_db)
 self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
- if not self.clone:
- self.step("restarting certificate server", self.__restart_instance)
- self.step("requesting RA certificate from CA", self.__request_ra_certificate)
- self.step("issuing RA agent certificate", self.__issue_ra_cert)
- self.step("adding RA agent as a trusted user", self.__configure_ra)
 self.step("fixing RA database permissions", self.fix_ra_perms)
 self.step("setting up signing cert profile", self.__setup_sign_profile)
 self.step("set up CRL publishing", self.__enable_crl_publish)
+ self.step("set certificate subject base", self.__set_subject_in_config)
 self.step("configuring certificate server to start on boot", self.__enable)
 if not self.clone:
- # A clone will be restarted in ipa-replica-install
 self.step("restarting certificate server", self.__restart_instance)
+ self.step("requesting RA certificate from CA", self.__request_ra_certificate)
+ self.step("issuing RA agent certificate", self.__issue_ra_cert)
+ self.step("adding RA agent as a trusted user", self.__configure_ra)
 
- self.start_creation("Configuring certificate server", 360)
+ self.start_creation("Configuring certificate server", 210)
 
 def create_instance(self):
 """
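Review bot: The comment `# A clone will be restarted in ipa-replica-install` is dropped although the `if not self.clone:` guard still skips the restart, and now also the RA certificate and RA agent steps, for clones, so a reader can no longer tell where the CS.cfg and profile edits made by the earlier steps get picked up on a replica. Please keep the comment and extend it, e.g. `# A clone is restarted in ipa-replica-install; the RA agent steps are deferred there too`, so the dependency on the replica installer stays visible. The method holding this step list starts outside the hunk.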
@@ -686,34 +684,11 @@ class CAInstance(service.Service):
 print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
 sys.exit(0)
 
- # Turn off Nonces (again)
- if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
- raise RuntimeError("Disabling nonces failed")
- pent = pwd.getpwnam(PKI_USER)
- os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
-
 # pkisilent makes a copy of the CA PKCS#12 file for us but gives
 # it a lousy name.
 if ipautil.file_exists("/root/tmp-ca.p12"):
 shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
 
- try:
- # After configuration the service is running and configured
- # but must be restarted for configuration to take effect.
- # The service status in this case will be 4.
- self.__restart_instance()
- except ipautil.CalledProcessError, e:
- logging.critical("failed to restart ca instance after pkisilent configuration %s" % e)
- raise RuntimeError('Restarting CA after pkisilent configuration failed')
-
- # If the configuration was successful status should now be 0.
- # We don't call is_running() because we want the exit status for debugging.
- try:
- ipautil.run(["/sbin/service", self.service_name, "status", PKI_INSTANCE_NAME])
- except ipautil.CalledProcessError, e:
- logging.critical("ca instance configuration not successful after restart %s" % e)
- raise RuntimeError('CA configuration not successful after restart')
-
 logging.debug("completed creating ca instance")
 
 def __restart_instance(self):
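Review bot: The removed code raised RuntimeError when the restart after pkisilent configuration failed and then ran `service ... status` to confirm the instance was up, whereas the restart that replaces it in the step list, `__restart_instance`, only logs critical on failure (visible as context in the hunk at line 4, next to `# TODO: roll back here?`), so the install now continues into `__request_ra_certificate` against a CA that may not be running. Either re-raise in `__restart_instance` or verify the service before the RA certificate steps, e.g. `if not self.is_running(): raise RuntimeError('CA not running after restart')` at the start of `__request_ra_certificate`. `__configure_instance` begins outside this hunk and `__restart_instance` runs past it.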
@@ -724,6 +699,13 @@ class CAInstance(service.Service):
 # TODO: roll back here?
 logging.critical("Failed to restart the certificate server. See the installation log for details.")
 
+ def __disable_nonce(self):
+ # Turn off Nonces
+ if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+ raise RuntimeError("Disabling nonces failed")
+ pent = pwd.getpwnam(PKI_USER)
+ os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+
 def __issue_ra_cert(self):
 # The CA certificate is in the agent DB but isn't trusted
 (admin_fd, admin_name) = tempfile.mkstemp()
@@ -1060,13 +1042,11 @@ class CAInstance(service.Service):
 ipautil.run(["/sbin/restorecon", publishdir])
 
- def set_subject_in_config(self, suffix):
+ def __set_subject_in_config(self):
 # dogtag ships with an IPA-specific profile that forces a subject
 # format. We need to update that template with our base subject
 if installutils.update_file("/var/lib/%s/profiles/ca/caIPAserviceCert.cfg" % PKI_INSTANCE_NAME, 'OU=pki-ipa, O=IPA', self.subject_base):
 print "Updating subject_base in CA template failed"
- self.print_msg("restarting certificate server")
- self.__restart_instance()
 
 def uninstall(self):
 if self.is_configured():
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index efbb2c933..62db9baf5 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -258,7 +258,10 @@ class Service(object):
 if est.tm_min > 0:
 if est.tm_min > 1:
 plural = 's'
- self.print_msg('%s: Estimated time %d minute%s' % (message, est.tm_min, plural))
+ if est.tm_sec > 0:
+ self.print_msg('%s: Estimated time %d minute%s %d seconds' % (message, est.tm_min, plural, est.tm_sec))
+ else:
+ self.print_msg('%s: Estimated time %d minute%s' % (message, est.tm_min, plural))
 else:
 if est.tm_sec > 1:
 plural = 's'
-- cgit
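Review bot: `__disable_nonce` has no docstring and the `os.chown` after `update_file` is unexplained; presumably `update_file` rewrites CS.cfg as root and the chown hands it back to the pki user, but nothing checks or restores the file's mode if that rewrite changes it — worth confirming, since CS.cfg is the CA's main configuration file. Add a docstring that states the edit takes effect only at the next restart and, once confirmed, why ownership has to be reset after the rewrite. The method is complete within the hunk.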
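Review bot: `__set_subject_in_config` only prints `Updating subject_base in CA template failed` and carries on when `update_file` reports a problem, while `__disable_nonce` in the preceding hunk raises RuntimeError for the same kind of failure; now that it runs as an installer step ahead of the single restart, a silent failure leaves the issuance profile with the shipped `OU=pki-ipa, O=IPA` subject instead of the deployment's subject base. Raise instead: `raise RuntimeError("Updating subject_base in CA template failed")`. The rename from the public `set_subject_in_config(self, suffix)` to the private `__set_subject_in_config(self)` also removes a public method; the diffstat is limited to `ipaserver`, so a caller in the install scripts would not show here — worth checking.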
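Review bot: The new message hard-codes `%d seconds`, so `est.tm_sec == 1` prints e.g. `1 minute 1 seconds`, while the `else` branch below computes a plural suffix for seconds; derive the suffix the same way in the new branch, e.g. `'%s: Estimated time %d minute%s %d second%s' % (message, est.tm_min, plural, est.tm_sec, 's' if est.tm_sec > 1 else '')`. Minor, but the two branches now disagree on pluralization. The enclosing method starts and ends outside the hunk.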