author | David Kupka <dkupka@redhat.com> | 2014-09-30 08:41:49 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-15 09:13:12 +0200 |
commit | 320ea12373f0172a9505c5e4f7c12b20c3439ac5 (patch) | |
tree | 95d58f9c28f61fc91428dc469ce66d9d4c330ed4 | |
parent | 86b5dce4d837c7c03d370287fc30416d16b1dd82 (diff) | |
Stop dogtag when updating its configuration in ipa-upgradeconfig.
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r-- | install/tools/ipa-upgradeconfig | 46 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 3 |
2 files changed, 28 insertions, 21 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 82e7857d5..e064f38fc 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore): if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \ os.path.exists(paths.PKI_SETUP_PROXY): - ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' - ,'-pki_instance_name=pki-ca','-subsystem_type=ca']) + # update proxy configuration with stopped dogtag to prevent corruption + # of CS.cfg + ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib', + '-pki_instance_name=pki-ca','-subsystem_type=ca']) root_logger.debug('Proxy configuration updated') else: root_logger.debug('Proxy configuration up-to-date') 
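Review bot: The new comment in upgrade_pki says the proxy update runs with dogtag stopped, but nothing in this function enforces that; the guarantee comes only from the `stopped_service` block that the main() hunk of this commit wraps around the call. Stating the precondition in the function's docstring would make it visible to any other caller, for example `"""Must be called with dogtag stopped; the proxy setup modifies CS.cfg."""`. The call also still hard-codes `'-pki_instance_name=pki-ca'` while main() stops the instance named by `configured_constants.PKI_INSTANCE_NAME`, so it is worth confirming that the two always refer to the same instance. Only the hunk header shows the start of upgrade_pki; its body begins outside the hunk.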
@@ -1082,28 +1084,30 @@ def main(): ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) ca.backup_config() - # migrate CRL publish dir before the location in ipa.conf is updated - ca_restart = migrate_crl_publish_dir(ca) + with installutils.stopped_service(configured_constants.SERVICE_NAME, + configured_constants.PKI_INSTANCE_NAME): + # migrate CRL publish dir before the location in ipa.conf is updated + ca_restart = migrate_crl_publish_dir(ca) - if ca.is_configured(): - crl = installutils.get_directive(configured_constants.CS_CFG_PATH, - 'ca.crl.MasterCRL.enableCRLUpdates', - '=') - sub_dict['CLONE']='#' if crl.lower() == 'true' else '' + if ca.is_configured(): + crl = installutils.get_directive(configured_constants.CS_CFG_PATH, + 'ca.crl.MasterCRL.enableCRLUpdates', '=') + sub_dict['CLONE']='#' if crl.lower() == 'true' else '' - certmap_dir = dsinstance.config_dirname( - dsinstance.realm_to_serverid(api.env.realm)) + certmap_dir = dsinstance.config_dirname( + dsinstance.realm_to_serverid(api.env.realm)) + + upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf") + upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf") + upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) + if subject_base: + upgrade( + sub_dict, + os.path.join(certmap_dir, "certmap.conf"), + os.path.join(ipautil.SHARE_DIR, "certmap.conf.template") + ) + upgrade_pki(ca, fstore) - upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf") - upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf") - upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) - if subject_base: - upgrade( - sub_dict, - os.path.join(certmap_dir, "certmap.conf"), - os.path.join(ipautil.SHARE_DIR, "certmap.conf.template") - ) - upgrade_pki(ca, fstore) update_dbmodules(api.env.realm) uninstall_ipa_kpasswd() 
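Review bot: `ca.backup_config()` still runs before the new `with installutils.stopped_service(...)` block in main(), while the cainstance.py hunk of this commit makes `backup_config` raise `RuntimeError` when dogtag is running. If the method called here reaches that function (the CAInstance method is not visible in this diff), an upgrade on a host with a running CA would abort at the backup step instead of stopping the service first. Moving `ca.backup_config()` to be the first statement inside the `with` block would put the backup and the CS.cfg edits in the same stopped-service window. main() begins and ends outside the hunk.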
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 978b98a58..d7562cafa 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1825,6 +1825,9 @@ def backup_config(dogtag_constants=None): if dogtag_constants is None: dogtag_constants = dogtag.configured_constants() + if services.knownservices.dogtag.is_running(): + raise RuntimeError("Dogtag must be stopped when creating backup of %s" + % dogtag_constants.CS_CFG_PATH) shutil.copy(dogtag_constants.CS_CFG_PATH, dogtag_constants.CS_CFG_PATH + '.ipabkp') |
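Review bot: The new guard calls `services.knownservices.dogtag.is_running()` with no instance name, whereas ipa-upgradeconfig stops the service identified by `configured_constants.SERVICE_NAME` and `configured_constants.PKI_INSTANCE_NAME`. If the two can differ across dogtag versions, the check may inspect a different unit than the one that was stopped; passing the instance explicitly, `services.knownservices.dogtag.is_running(dogtag_constants.PKI_INSTANCE_NAME)`, would tie it to the same configuration as the copy below. The function now also raises for every caller, so a docstring line such as `Raises RuntimeError if dogtag is running, because CS.cfg may be mid-write.` would document the new contract. The check and the `shutil.copy` are not atomic, so callers still need to keep the service stopped for the duration of the backup.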