authorDavid Kupka <dkupka@redhat.com>2014-09-30 08:41:49 -0400
committerMartin Kosek <mkosek@redhat.com>2014-10-15 09:13:12 +0200
commit320ea12373f0172a9505c5e4f7c12b20c3439ac5 (patch)
tree95d58f9c28f61fc91428dc469ce66d9d4c330ed4
parent86b5dce4d837c7c03d370287fc30416d16b1dd82 (diff)
Stop dogtag when updating its configuration in ipa-upgradeconfig.
Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file. https://fedorahosted.org/freeipa/ticket/4569 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r--install/tools/ipa-upgradeconfig46
-rw-r--r--ipaserver/install/cainstance.py3
2 files changed, 28 insertions, 21 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 82e7857d5..e064f38fc 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore):
if not installutils.get_directive(configured_constants.CS_CFG_PATH,
'proxy.securePort', '=') and \
os.path.exists(paths.PKI_SETUP_PROXY):
- ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
- ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+ # update proxy configuration with stopped dogtag to prevent corruption
+ # of CS.cfg
+ ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib',
+ '-pki_instance_name=pki-ca','-subsystem_type=ca'])
root_logger.debug('Proxy configuration updated')
else:
root_logger.debug('Proxy configuration up-to-date')
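Review bot: The new comment above the `ipautil.run` call states a precondition ("with stopped dogtag") that upgrade_pki does not itself enforce — nothing in this hunk checks that the service is down, so any caller that does not wrap upgrade_pki in `installutils.stopped_service` would let pki-setup-proxy rewrite CS.cfg against a running instance, which is exactly the corruption the commit is fixing. Since this same commit makes cainstance.backup_config refuse to run while dogtag is up, the same guard fits here before the run: `if services.knownservices.dogtag.is_running(): raise RuntimeError("Dogtag must be stopped to update proxy configuration")` — or, if the script does not import `services`, at least reword the comment to say the caller is responsible for stopping dogtag first. upgrade_pki begins before and continues past this hunk, so whether such a guard already exists elsewhere in the function is not visible here.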
@@ -1082,28 +1084,30 @@ def main():
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
ca.backup_config()
- # migrate CRL publish dir before the location in ipa.conf is updated
- ca_restart = migrate_crl_publish_dir(ca)
+ with installutils.stopped_service(configured_constants.SERVICE_NAME,
+ configured_constants.PKI_INSTANCE_NAME):
+ # migrate CRL publish dir before the location in ipa.conf is updated
+ ca_restart = migrate_crl_publish_dir(ca)
- if ca.is_configured():
- crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
- 'ca.crl.MasterCRL.enableCRLUpdates',
- '=')
- sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
+ if ca.is_configured():
+ crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
+ 'ca.crl.MasterCRL.enableCRLUpdates', '=')
+ sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
- certmap_dir = dsinstance.config_dirname(
- dsinstance.realm_to_serverid(api.env.realm))
+ certmap_dir = dsinstance.config_dirname(
+ dsinstance.realm_to_serverid(api.env.realm))
+
+ upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
+ if subject_base:
+ upgrade(
+ sub_dict,
+ os.path.join(certmap_dir, "certmap.conf"),
+ os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
+ )
+ upgrade_pki(ca, fstore)
- upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
- if subject_base:
- upgrade(
- sub_dict,
- os.path.join(certmap_dir, "certmap.conf"),
- os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
- )
- upgrade_pki(ca, fstore)
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
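Review bot: `ca.backup_config()` on the context line just above the new `with` block still executes before dogtag is stopped, yet this same commit makes the module-level `cainstance.backup_config` raise RuntimeError when dogtag is running; if the CAInstance method delegates to that function (not visible here), the upgrade will now abort on every server whose CA is up, and even if it does not, the backup copy is still taken from a live CS.cfg. Moving that call inside the context manager, directly after the `with installutils.stopped_service(...)` line, keeps the backup consistent with the new check. A smaller point: the service is stopped unconditionally, before `ca.is_configured()` is consulted, so on a server without a CA this relies on stopped_service tolerating an absent or already-stopped service — worth confirming against its implementation. main() begins before and continues past this hunk, so whether `ca_restart` still has a meaningful consumer now that the context manager restarts the service on exit cannot be judged from here.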
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 978b98a58..d7562cafa 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1825,6 +1825,9 @@ def backup_config(dogtag_constants=None):
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
+ if services.knownservices.dogtag.is_running():
+ raise RuntimeError("Dogtag must be stopped when creating backup of %s"
+ % dogtag_constants.CS_CFG_PATH)
shutil.copy(dogtag_constants.CS_CFG_PATH,
dogtag_constants.CS_CFG_PATH + '.ipabkp')
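Review bot: The new guard calls `services.knownservices.dogtag.is_running()` with no instance argument, while the rest of backup_config keys everything off `dogtag_constants` and the caller in ipa-upgradeconfig stops the service by `SERVICE_NAME` together with `PKI_INSTANCE_NAME`; if the knownservices object needs the instance name to address the right dogtag unit, the check may consult a different service than the one that was stopped. If the API accepts it, `if services.knownservices.dogtag.is_running(dogtag_constants.PKI_INSTANCE_NAME):` ties the check to the instance whose CS.cfg is about to be copied. The check is also advisory only — a start between it and `shutil.copy` is not prevented — so the function's docstring (not visible in this hunk) should say that callers must hold dogtag stopped for the duration, e.g. via `installutils.stopped_service`, rather than rely on this raise. The function may continue past the last line shown.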