| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1607 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
| |
- fix for when new CRL Issuing point is added, default CRL signing alg is SHA2 instead of SHA1
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1606 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
| |
- fix that makes the default alg not SHA1 when new profiles are created from the Console
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1604 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
jakarta-commons-lang.jar is needed by velocity, add that link in
WEB-INF/lib. This dependency first appeared in F13.
We had been providing a link to jakarta-commons-collections.jar in
$pki_instance/common/lib but that link is not necessary since tomcat6
already provide jakarta-commons-collections.jar. So remove the
superfluous link creation, it isn't needed.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1602 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
| |
- changed defaults in CS.cfg's from SHA1 to SHA2
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1601 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1599 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
| |
(Legacy build system changes for compliance)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1597 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
| |
CS.cfg changes)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1596 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1594 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
| |
before Security Domain Panel
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1590 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1589 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1588 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1587 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1586 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1583 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1581 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
| |
instead of the Mozldap
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1580 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
| |
instead of the Mozldap
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1579 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1578 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During testing with Ade several issues were discovered which needed
fixing, these included:
Remove connectionTimeout on JSS connectors in the server.xml files due
to JSS bug. We will reenable the timeouts when JSS is fixed.
pki_apache_initscript had chmod & chown wrapped in an echo command
which prevented them from executing, an artifact inadverantly left in
the file during a debug session. The role parameter to runcon which
had been added to facilitate test/debug was removed.
The logfile variables shared between pkicommon, pkicreate and
pkiremove were awkward and resulted in warnings about the use of
uninitialized variables in some circumstances. Some functions were
tweaked and some variables removed to enforce better data hiding and
eliminate the warnings with respect to the logfile.
If the pkicreate script aborted before it completed it would fail to
write the installation manifest which made it impossible to remove the
partial installation via pkiremove. A hander was added so it would run
if Perl executed a "die" (e.g. aborted). The handler writes the
manifest before final exit. The subroutine used to write the manifest
was bullet proofed to avoid referencing uninitialized variables in the
case of non-normal exit.
The copy_directory() subroutine failed to preserve symbolic links in
the source, instead it traversed the source link and copied the target
of the link. copy_directory() and it's support routines were enhanced
to preserve symbolic links. A new subrotine copy_symlink() was added.
pkicreate failed to create a symbolic link to the symkey.jar file, it
now creates the link to symkey.jar.
The passwords written into the two password files were not terminated
with a newline character, now they are.
pkiremove would enter an infinate loop if the -force option was
specified, this is now fixed.
The tomcat6.conf file had been inadvertantly omitted from the tks
subsystem.
References to the deprecated apachectl file were expunged.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1577 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1576 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1575 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
| |
The pki-setup package provides and uses a PRIVATE Perl module
(pkicommon.pm). RPM erroneously believes there should be a requires
perl(pkicommon) from the public perl library path. Use the documented
macros to correct RPM's incorrect automatic dependency generation.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1574 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
| |
Restore crossContext attribute which had been erroneously removed
during merging.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1573 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Earlier in the patch series a change was introduced with respect to
the initscripts. A per instance initscript was created in /etc/init.d
for each instance. This was simply a symlink to the tomcat6 initscript
(using the instance name). The uber initscript, pki-cad, would iterate over
the installed instances and invoke the per instance initscript.
However during the review process it was pointed out that when
removing (erasing) an rpm the per instance initscripts would not be
removed because they are not in the rpm file manifest. This would
leave dangling initscripts. Also it was felt the per instance
initscript in /etc/init.d was confusing when combined with the uber
initscript.
This patch moves the per instance initscript from /etc/init.d to the
instance directory. It retains the same name (i.e. the instance
name). Now instead of the the uber initscript invoking the per
instance initscript in /etc/init.d via the service command it instead
directly invokes initscript in the instance directory.
This patch also fixes a bug discovered from reading the shell code
invoked by the uber initscript (in the pki "functions" library). The
test to determine if a supplied instance name was vaid was
incorrect. The code did this:
if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]
however $PKI_REGISTRY_ENTRIES is a space separated list of all
registry instance files, thus the test only succeeds if there is a
single instance. The test was modified to iterate over the all the
entries in $PKI_REGISTRY_ENTRIES.
This patch also fixed the list_intances() function to list only the
instance name, not the full path the to instance configuration
file. We also replaced the use of /bin/ls with a shell glob.
This patch also moves some variables which had been identically
defined in both pkicreate and pkiremove into the pkicommon library for
consistency and maintenance sake.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1572 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the strict and warning pragmas informing the Python interpreter we
want to obey the language rules and catch as many errors for us as it
can.
Clean up all the errors that strict reported.
Properly define the scope of all identifiers and use correct import
semantics.
Initialize most global variables to undef so that we can catch the use
of those variables prior to their initialization with defined
values. Previously most had been initialized to the empty string,
which is a perfectly valid value, thus no warnings will be emitted if
they are used before being assigned a value of our choosing.
At this point all variables and functions will have been declared and
assigned reasonable values. We're now protected against things like
misspelled identifier names, silently using undefined values,
referencing things which don't exist, etc.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1571 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1570 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tomcat by default will not read symbolic links under the WEB-INF
directory. This can be overridden by setting the context parameter
allowLinking to True.
We want to symlink to the jars and not copy them because otherwise
when rpms containing the jars are updated with bug fixes or security
fixes we won't benefit from them if we've made private copies of the
jars in the instance. The reason why allowLinking defaults to False is
motivated by security concerns on untrusted web applications. Also
you'll often see in tomcat documentation the recommendation that all
necessary jars are copied into the WAR, this recommendation derives
from deploying a web app on a random server where the presence or
absence of jar or a specific version of a jar can't be
guaranteed. However, that is not our situation, we're not deploying a
WAR on random servers, our tomcat instance is quite controlled and
we'll never deploy unknown/untrusted web applications from it. The use
of symbolic links in this context should be safe and the value in
picking up rpm updates is so important that it justifies the use of
symbolic links in our controlled deployment.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1569 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
| |
It wasn't initialized in some places. Use the same naming convention
in all places.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1568 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1567 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
| |
In some places $uninstall_action was being referenced before it was
initialized and thus generated warnings.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1566 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
| |
Fix return value when dry_run is enabled. Also simplify dry run
conditional syntax by removing unnecessary list parenthesis.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1565 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Some messages were being directly written to stdout or stderr
bypassing the message mechanism, the emit() function. That meant those
messages were not recorded in the log and hence were lost. This patch
uses the emit() function for more messages.
The patch also adds a "warning" level to the message category.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1564 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some functions were being called with the deprecated ampersand
syntax. In Perl the & prefix operator indicates the expression is to
be interpreted as a function, e.g. &foo means foo is a function and if
foo was followed by a list then it means call the function foo. The
list can be parenthesized or not, it could just be comma separated
expressions. Calling functions with this syntax is a hold over from
earlier versions of Perl, but modern Perl has much cleaner syntax
where function calls look like they do in other languages, an
identifier followed by parenthesis. This is the calling style used in
most of the rest of the code. This patch just unifies the calling
syntax so it's consistent and more readable. Also the patch cleans up
the function definition, some of the functions had been defined with
an empty formal parameter list, but that conflicts with function
prototyping introduced in modern Perl, an empty formal parameter list
states the function takes no arguments. It only worked previously
because when the (deprecated) ampersand operator was applied to the
identifier it defeated prototype checking.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1563 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
set_library_path() and get_library_path() were both producing warnings
from Perl about the use of uninitialized variables. This occurred
because get_library_path() returned the value of the LD_LIBRARY_PATH
environment variable, which if it is not set in the envronment is the
undef value. Then the caller of get_library_path() would use the
result to build a new string to use as a new library path. But the use
of undef in the string concatentation was producing warnings. Finally
the caller would reset the library path to what had been orginally
returned by get_library_path(), which set LD_LIBRARY_PATH in %ENV to
the undef value, which is probaly not the best idea, although legal.
To fix this every routine which called get_library_path() would need
to check for undef value as it builds a new replacement path, that's a
lot of code to add in a lot of places.
Instead set_library_path() was modified, instead of accepting a string
containing a new path, it now accepts an array of path values. It
iterates over the array discarding any undef values in the array and
builds a path string from the defined values. This simplifed the
callers of get_library_path() and set_library_path(). It also had the
nice property that if get_library_path() initially returned undef then
subsequently calling set_library_path() with that value produces an
empty string for storing into %ENV which preferable to storing undef.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1562 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is mostly a merge of the tomcat 6 server.xml file with our
existing server.xml file from tomcat 5.
Merge in new comments.
remove org.apache.catalina.storeconfig.StoreConfigLifecycleListener
because it's not part of tomcat6
Parameterize the following based on our template engine:
sslOptions="[TOMCAT_SSL_OPTIONS]"
ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
tls3Ciphers="[TOMCAT_TLS3_CIPHERS]"
Note: After the cipher parameterization was done it was discovered
that the other subsystems do not utilize ECC ciphers, it's not clear
if they should or not. We may need to paramterize the cipher list in
pkicreate or go back to hardcoding the cipher list in the xml file.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1561 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
| |
* remove dtomcat5
* add registry_instance
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1560 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
| |
We copy a number of tomcat config files from the tomcat distribution
and keep them in our own location. Some of those config files had
changes between tomcat5 and tomcat6. This patch just merges the
tomcat6 changes into our copy of the files making them very close to
the original tomcat6 version of the file.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1559 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
| |
The $CATALINA_BASE/logging.properties file provides configuration of
logging for the tomcat instance.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1558 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
| |
Also, use more succinct Perl syntax for improved readability.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1557 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
| |
Also some minor tweaks for checking result status and protecting
variables in string interpolation for the SELinux shell commands.
No change in functionality, just robustness enhancements.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1556 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1555 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tomcat's class loading follows the model for J2EE Application
Containers and Servlet's. Each release of Tomcat has modified it's
class loading in some respect. Usually the class loading modifications
have been in the service of encouraging best practice. Typically this
means keeping web applications which may be running in the same tomcat
instance completely isolated from each other such that they can't
interfere with one other. In essence this means classes which are
loaded by a specific web application should only be visible to that
web application. Sharing classes/jars between web applications is to
avoided to the greatest extent possible. Best practice suggests only
"framework" classes (e.g. tomcat's servlet API's) should be
shared. Class visibility and sharing is controlled by a hierarchy of
class loaders. The topic of class loading, and specifically in the
context of servlet containers, has been extensively written about. For
those interested in the topic a search of the web will produce a
wealth of material. I found the following documents useful:
"Understanding The Tomcat Classpath Common Problems
And How To Fix Them"
http://www.mulesoft.com/tomcat-classpath
"Class Loaders"
http://datadisk.co.uk/html_docs/java_app/tomcat6/tomcat6_classloaders.htm
"Apache Tomcat 6.0 Class Loader HOW-TO"
http://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html
"Java programming dynamics, Part 1:
Java classes and class loading"
http://www.ibm.com/developerworks/java/library/j-dyn0429/
"Taxonomy of class loader problems encountered when
using Jakarta Commons Logging"
http://articles.qos.ch/classloader.html
In particular one needs to have a firm understanding of the class
loading delegation model, parent-first vs. child-first, as this
differs between standard Java and Servlet Containers.
We attempt to follow best practice to the greatest extent possible so
that the jars we need are visible only the to appropriate class
loader.
We do have one significant exception which requires violating the
isolation principle. tomcatjss and jss are both required by the tomcat
framework and by our web application. This occurs because we specify
the catalina connector (Coyote) we wish to use for our server
SSL/TLS connections are jss instead of the default SSL/TLS connectors
in tomcat, thus tomcat needs to load tomcatjss and jss. Our web
application also utilizes tomcatjss and jss, the most obvious example
being the CrypoManager which must be a singleton instance. There is an
additional issue, jss is a JNI native library written in C. JVM's have
a restriction which prevents loading a JNI library by more than one
class loader. The fact the CryptoManager is a signleton and that jss
is JNI means jss (and tomcatjss) must only be loaded by exactly one
class loader in the JVM. Thus tomcatjss and jss must be loaded by the
tomcat common class loader which is shared between the tomcat servlet
framework and loaded web applications.
Normally tomcat ships with a catalina.properties configuration file
which enforces the best practice class loading separation. However, in
recognition that is sometimes too restrictive the catalina.properties
file can be edited to support other class loading configurations. We
take advantage of this by establishing a "common" class loading
location specific to the tomcat instance
(e.g. $CATALINA_BASE/common/lib). The tomcat common class loader via
the catalina.properties file is directed to also search this
directory. We install tomcatjss, jss and jakarta-commons-logging in
this common location. All other jars follow best practice and are
isolated in the web applications library
(e.g. $CATALINA_BASE/webapps/<webapp_name>/WEB-INF/lib).
The reason why jakarta-commons-logging is also installed in common
along with tomcatjss and jss is because it is a dependency of
tomcatjss and is not otherwise available because tomcat uses another
logging package.
When we install the tomcat instance we don't actually copy jar files
into the library directories under $CATALINA_BASE because we want to
use the system supplied jar files and if they are updated because of
bug fixes, security fixes, etc. we want to immediately take advantage
of the updated version of the jar file. Thus we "install" symbolic
links in the library directories which point to the system supplied jar
files. This also reduces disk usage by avoiding multiple copies of the
same file.
This patch implements the above by doing the following:
Makes catalina.properties a "template file" which is processed by our
templating facility. The only substitution at the moment is the common
class loader location.
Establishes the paths to each of our required jar files as supplied by
the system package manager.
Creates symbolic links the to jar files in the instance library
directories.
The following diagram illustrates the class loading described above:
+--------------------+
| Bootstrap |
| Class Loader |
+--------------------+
|
V
+--------------------+
| Extension |
| Class Loader |
+--------------------+
|
V
+--------------------+
| System |
| Class Loader |
+--------------------+
|
V
+---------------------------+
| Common |
| Class Loader |
| $CATALINA_BASE/common/lib |
| (see note 1) |
+---------------------------+
|
+---------------+--------------------+
| |
V V
+---------------------------------------+ +-------------------------+
| CA Web App | | Web App 2 |
| Class Loader | | Class Loader |
| $CATALINA_BASE/webapps/ca/WEB-INF/lib | | (for illustration only) |
| (see note 2) | | |
+---------------------------------------+ +-------------------------+
[1] Common loader loads these jars:
jakarta-commons-logging
jss
tomcatjss
[2] CA Web App loader loads these jars:
certsrv
cms
cmsbundle
cmscore
cmsutil
jakarta-commons-collections
kra
ldapjdk
nsutil
osutil
velocity
xerces-j2
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1554 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The modifications to the install scripts have been Linux specific. So
much has changed it's reasonable to assume the special case code for
other OS's (e.g. Solaris and Windows) is not likely to be correct any
more. As a consequence there isn't much sense in keeping this OS
specific code.
To support other OS's the scripts would really need to be ported to
the target OS and it probably would be best to do this cleanly by
starting fresh and incrementally adding back in OS specific
exceptions.
Note: Only OS specific code which obviously needed porting after the
update to the scripts was removed. The OS specific code which was
"generic" has been preserved.
Plus, management has stated the other OS's are no longer supported.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1553 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
| |
The utilities in pkicommon were enhanced in a previous patch. This
patch calls the new utilites with the new parameter lists. The bulk of
the changes are simplifying the specification of file permissions,
file ownership, and checking the result of the operation.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1552 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
| |
The pkicomplete script is no longer needed, remove all vestiges of
it's existence.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1551 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The install info utilities were introduced in a previous patch. This
patch removes the old mechanisms and replaces it with the new
mechanism. See the earlier patch for a more complete description.
This patch also pulls in a few minor edits to support dry run mode and
logging.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1550 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The initscripts for pki-* were significantly simplified. All logic
related to managing the tomcat instance was completely eliminated!
This is because we now use the unmodified tomcat6 initscript which
ships with the tomcat6 package completely freeing us of having to know
how to manage a tomcat instance. We simply defer to the definitive
source, the tomcat6 package.
This eliminated half the code in script, reducing it from 1831 lines
to 885 lines!
What remained was essentially the "pki registry" management, how we
record what pki instances have been created on the system. There was
also code to extract information from config files, this is used when
reporting instance status.
The registry management logic had been almost identically copied into
the other KRC, OCSP & TKS initscrips. Copying complex code into
multiple places is not good software engineering, rather the code
should be defined in one location and then referenced. To this end the
common shell code for the shared initscripts was isolated in a common
file, pki/base/common/scripts/functions in our source tree and
installed as /usr/share/pki/scripts/functions. The functions file is
now 812 lines of code and shared amongst pki components. The shell
code in functions was also made more robust, formerly it would try to
extract string data out of files by using exact strings and string
character counts, this varied slightly by each component. Now it just
uses sed and regular expressions and won't break if someone adds a
character to line in one of the files.
With the pki registry logic isolated in a common file and by using the
installed tomcat initscript we've now reduced the size of the
initscript from 1,831 lines to a mere 73 lines! Just 4% of it's former
size and in the process greatly increased robustness and
maintainability.
Each instance in the pki registry is defined by a configuration
file. Formerly that file was created by the function
construct_pki_instance_registry() in pkicreate. Although the purpose
of construct_pki_instance_registry() is to write out a simple shell
script it's implmentation was completly incomprehensible and
unreadable. Since the resulting file is basically the same for
different instances and subsytems and varies only by a minor amount of
parametrization it a perfect candidate for a template file. We've now
added a new template file base/*/setup/registry_instance which is easy
to read and is processed by the exact same templating system which
many of the other files are processed by. Also, formerly the registry
instance file had shell logic it which is no longer necessary and has
been removed. What we've ended up with is essentially just a set of
shell variables (e.g. key/value pairs).
Now the pki-* initscripts essentially just iterate over the instances
located in the registry and invoke the initscript for the instance
(which is ultimately just the standard tomcat6 initscript). This gives
us yet another significant advantage. You can now control an instance
using the normal "service" commands, there is no need to use the pki-*
uber initscript to control instances. You can still do that if you
wish, but now you can do the more obvious and natural service command
on anything appearing in /etc/init.d. You can still use the pki-* uber
initscripts to manage all instances of a subsystem if that makes more
sense, but given there is likely to only be one instance of a
subsystem installed on a machine being able to manage it directly and
not needing to use an uber initscript to iterate a single instance
yields something which is easier and more obvious to system
administrators.
The previous patch, "tomcat6_initscript", which updated the initscript
logic discussed how a tomcat instance configuration file is installed
in /etc/sysconfig under the instance name. Unfortunately that patch
omitted the generation of that file which is generated using our
templating facility. The source file
pki/base/*/shared/conf/tomcat6.conf and replaces the previous
tomcat5.conf file. For example if we are creating a pki-ca instance
the file /usr/share/pki/ca/conf/tomcat6.conf will have substitutions
performed on it and then it will be installed as
/etc/sysconfig/pki-ca, which will be "sourced" by the standard tomcat6
initscript to parametrize the tomcat instance. This logically belonged
in the previous "tomcat6_initscript" patch, but since this patch is
also about initscript modifications it seems reasonable to include in
the patch instead.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1549 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With tomcat6 tomcat instances are created by creating a symbolic link
with the new instance name in /etc/init.d (aka /etc/rc.d/init.d) to
the tomcat6 initscript supplied by the tomcat6 package. When the
tomcat6 initscript starts it examines it's basename (as seen by the
symbolic link) and sets that to it's instance name. It then sources a
per instance configuration file located in /etc/sysconfig whose
basename matches the instance name (e.g. same name as initscript
symlink).
For example if we wanted to create a tomcat6 instance called "foo"
% ln -s /etc/init.d/tomcat6 /etc/init.d/foo
% cp /etc/sysconfig/tomcat6 /etc/sysconfig/foo
Now we have a new tomcat6 instance which can be managed by the
standard mechanisms, e.g. /sbin/service. For example:
% /sbin/service foo start
% /sbin/service foo status
% /sbin/service foo stop
A very desirable property of this approach is NEVER modifying or
overriding any files supplied by the tomcat6 package. If there are any
bug fixes in the system supplied tomcat6 package we automatically will
benefit from those fixes once the system administrator installs a new
tomcat6 package. This was not the case previously when we were using
tomcat5 for PKI, we overrode a number of files and created our own
independent tomcat instance mechanism private to ourselves. This was a
lot of work, non-standard, and prevented ourselves from benefiting
from any updates to the tomcat package related to instance management.
This patch also removes a number of references to tomcat5 specific
files.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1548 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
dtomcat5 was a private copy of a system supplied initscript. We should
never make private copies of files supplied by other packages
otherwise we get out of sync, especially with respect to bug fixes.
In any event dtomcat5 does not even exist in tomcat6 (nor an
equivalent).
With tomcat6 we're going to use the initscript supplied by the tomcat6
package. We are not going to modify files supplied by other packages!
tomcat6 has an easy mechanism to launch tomcat6 instances. You create
a symlink in /etc/init.d (e.g. /etc/rc.d/init.d) which points to the
tomcat6 initscript. When the tomcat6 initscript is invoked it gets the
basename of the script, because it's a symlink it will be the name of
the instance. That name is then used to read a tomcat6 config file in
/etc/sysconfig. This way you can create a variety of tomcat6 daemons
and launch them with the standard system tools/files and never once
need to modify any file provided by the tomcat6 package!
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1547 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
|
