diff options
| author | Tomas Babej <tbabej@redhat.com> | 2013-08-01 14:47:52 +0200 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2013-08-26 16:21:50 +0200 |
| commit | 12cb45c767d097a39d082ebad0f846bdb94ed9ca (patch) | |
| tree | 36493a5c43c398509c0792a1da0362aa8a858f35 | |
| parent | 509e579472800a75fccb89c9fb83614744d80c87 (diff) | |
| download | freeipa.git-12cb45c767d097a39d082ebad0f846bdb94ed9ca.tar.gz freeipa.git-12cb45c767d097a39d082ebad0f846bdb94ed9ca.tar.xz freeipa.git-12cb45c767d097a39d082ebad0f846bdb94ed9ca.zip | |
Make CS.cfg edits with CA instance stopped
This patch makes sure that all edits to CS.cfg configuration file
are performed while pki-tomcatd service is stopped.
Introduces a new contextmanager stopped_service for handling
a general problem of performing a task that needs certain service
being stopped.
https://fedorahosted.org/freeipa/ticket/3804
| -rw-r--r-- | install/restart_scripts/renew_ca_cert | 1 | ||||
| -rwxr-xr-x | install/tools/ipa-ca-install | 2 | ||||
| -rwxr-xr-x | install/tools/ipa-replica-install | 3 | ||||
| -rwxr-xr-x | install/tools/ipa-server-install | 3 | ||||
| -rw-r--r-- | ipaserver/install/cainstance.py | 96 | ||||
| -rw-r--r-- | ipaserver/install/installutils.py | 36 |
6 files changed, 101 insertions, 40 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 5768db3f..ab394b97 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -83,6 +83,7 @@ except Exception, e: finally: shutil.rmtree(tmpdir) +# Done withing stopped_service context, CA restarted here update_cert_config(nickname, cert) if nickname == 'subsystemCert cert-pki-ca': diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 636f63da..4edd26d3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -189,8 +189,8 @@ def main(): CA.ldap_enable('CA', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) + # This is done within stopped_service context, which restarts CA CA.enable_client_auth_to_db() - CA.restart() # Install CA DNS records install_dns_records(config, options) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index c6d69fca..947c51f6 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -675,8 +675,9 @@ def main(): if CA and config.setup_ca: CA.ldap_enable('CA', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) + + # This is done within stopped_service context, which restarts CA CA.enable_client_auth_to_db() - CA.restart() krb = install_krb(config, setup_pkinit=options.setup_pkinit) http = install_http(config, auto_redirect=options.ui_redirect) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 06e99134..86ca3447 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -1054,8 +1054,9 @@ def main(): # We need to ldap_enable the CA now that DS is up and running ca.ldap_enable('CA', host_name, dm_password, ipautil.realm_to_suffix(realm_name)) + + # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db() - ca.restart() # Upload the CA cert to the directory ds.upload_ca_cert() diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index ca3ee69f..15d79fdb 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -53,6 +53,7 @@ from ipaserver.install import service from ipaserver.install import installutils from ipaserver.install import dsinstance from ipaserver.install import certs +from ipaserver.install.installutils import stopped_service from ipaserver.plugins import ldap2 from ipapython.ipa_log_manager import * @@ -443,7 +444,10 @@ class CAInstance(service.Service): if not ipautil.dir_exists("/var/lib/pki-ca"): self.step("creating pki-ca instance", self.create_instance) self.step("configuring certificate server instance", self.__configure_instance) + self.step("stopping certificate server instance to update CS.cfg", self.__stop) self.step("disabling nonces", self.__disable_nonce) + self.step("set up CRL publishing", self.__enable_crl_publish) + self.step("starting certificate server instance", self.__start) # Step 1 of external is getting a CSR so we don't need to do these # steps until we get a cert back from the external CA. if self.external != 1: @@ -454,7 +458,6 @@ class CAInstance(service.Service): self.step("importing CA chain to RA certificate database", self.__import_ca_chain) self.step("fixing RA database permissions", self.fix_ra_perms) self.step("setting up signing cert profile", self.__setup_sign_profile) - self.step("set up CRL publishing", self.__enable_crl_publish) self.step("set certificate subject base", self.__set_subject_in_config) self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier) self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions) @@ -474,6 +477,13 @@ class CAInstance(service.Service): self.start_creation(runtime=210) + def __stop(self): + self.stop() + + def __start(self): + self.start() + + def __spawn_instance(self): """ Create and configure a new CA instance using pkispawn. @@ -781,7 +791,8 @@ class CAInstance(service.Service): if update_result != 0: raise RuntimeError("Disabling nonces failed") pent = pwd.getpwnam(PKI_USER) - os.chown(self.dogtag_constants.CS_CFG_PATH, pent.pw_uid, pent.pw_gid) + os.chown(self.dogtag_constants.CS_CFG_PATH, + pent.pw_uid, pent.pw_gid) def __issue_ra_cert(self): # The CA certificate is in the agent DB but isn't trusted @@ -1272,36 +1283,40 @@ class CAInstance(service.Service): """ caconfig = dogtag.install_constants.CS_CFG_PATH - # Enable file publishing, disable LDAP - installutils.set_directive(caconfig, - 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype', - 'SslClientAuth', quotes=False, separator='=') - installutils.set_directive(caconfig, - 'authz.instance.DirAclAuthz.ldap.ldapauth.bindDN', - 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=') - installutils.set_directive(caconfig, - 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname', - 'subsystemCert cert-pki-ca', quotes=False, separator='=') - installutils.set_directive(caconfig, - 'authz.instance.DirAclAuthz.ldap.ldapconn.port', - str(dogtag.install_constants.DS_SECURE_PORT), - quotes=False, separator='=') - installutils.set_directive(caconfig, - 'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', - 'true', quotes=False, separator='=') - - installutils.set_directive(caconfig, 'internaldb.ldapauth.authtype', - 'SslClientAuth', quotes=False, separator='=') - installutils.set_directive(caconfig, 'internaldb.ldapauth.bindDN', - 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=') - installutils.set_directive(caconfig, - 'internaldb.ldapauth.clientCertNickname', - 'subsystemCert cert-pki-ca', quotes=False, separator='=') - installutils.set_directive(caconfig, 'internaldb.ldapconn.port', - str(dogtag.install_constants.DS_SECURE_PORT), - quotes=False, separator='=') - installutils.set_directive(caconfig, 'internaldb.ldapconn.secureConn', - 'true', quotes=False, separator='=') + with stopped_service('pki_tomcatd', + instance_name=self.dogtag_constants.PKI_INSTANCE_NAME): + + # Enable file publishing, disable LDAP + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype', + 'SslClientAuth', quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapauth.bindDN', + 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname', + 'subsystemCert cert-pki-ca', quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapconn.port', + str(dogtag.install_constants.DS_SECURE_PORT), + quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', + 'true', quotes=False, separator='=') + + installutils.set_directive(caconfig, 'internaldb.ldapauth.authtype', + 'SslClientAuth', quotes=False, separator='=') + installutils.set_directive(caconfig, 'internaldb.ldapauth.bindDN', + 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=') + installutils.set_directive(caconfig, + 'internaldb.ldapauth.clientCertNickname', + 'subsystemCert cert-pki-ca', quotes=False, separator='=') + installutils.set_directive(caconfig, 'internaldb.ldapconn.port', + str(dogtag.install_constants.DS_SECURE_PORT), + quotes=False, separator='=') + installutils.set_directive(caconfig, + 'internaldb.ldapconn.secureConn', 'true', quotes=False, + separator='=') def uninstall(self): if self.is_configured(): @@ -1687,7 +1702,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False): return ca -def update_cert_config(nickname, cert): +def update_cert_config(nickname, cert, dogtag_constants=None): """ When renewing a CA subsystem certificate the configuration file needs to get the new certificate as well. @@ -1695,6 +1710,10 @@ def update_cert_config(nickname, cert): nickname is one of the known nicknames. cert is a DER-encoded certificate. """ + + if dogtag_constants is None: + dogtag_constants = dogtag.configured_constants() + # The cert directive to update per nickname directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert', 'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert', @@ -1702,10 +1721,13 @@ def update_cert_config(nickname, cert): 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'} - installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH, - directives[nickname], - base64.b64encode(cert), - quotes=False, separator='=') + with stopped_service('pki_tomcatd', + instance_name=dogtag_constants.PKI_INSTANCE_NAME): + + installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH, + directives[nickname], + base64.b64encode(cert), + quotes=False, separator='=') def update_people_entry(uid, dercert): """ diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index d17d53d1..268279dc 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -42,6 +42,7 @@ from ipapython import config from ipalib import errors from ipapython.dn import DN from ipaserver.install import certs +from ipapython import services as ipaservices # Used to determine install status IPA_MODULES = [ @@ -792,3 +793,38 @@ def private_ccache(path=None): if os.path.exists(path): os.remove(path) + + +@contextmanager +def stopped_service(service, instance_name=""): + """ + Ensure that the specified service is stopped while the commands within + this context are executed. + + Service is started at the end of the execution. + """ + + if instance_name: + log_instance_name = "@{instance}".format(instance=instance_name) + else: + log_instance_name = "" + + root_logger.debug('Ensuring that service %s%s is not running while ' + 'the next set of commands is being executed.', service, + log_instance_name) + + # Figure out if the service is running, if not, yield + if not ipaservices.knownservices[service].is_running(instance_name): + root_logger.debug('Service %s%s is not running, continue.', service, + log_instance_name) + yield + root_logger.debug('Starting %s%s.', service, log_instance_name) + ipaservices.knownservices[service].start(instance_name) + return + else: + # Stop the service, do the required stuff and start it again + root_logger.debug('Stopping %s%s.', service, log_instance_name) + ipaservices.knownservices[service].stop(instance_name) + yield + root_logger.debug('Starting %s%s.', service, log_instance_name) + ipaservices.knownservices[service].start(instance_name) |