freeipa.git/install/restart_scripts/restart_dirsrv, branch webui_isolate FreeIPA patches Set explicit confdir option for global contexts 2016-12-02T08:14:35+00:00 Christian Heimes cheimes@redhat.com 2016-11-28T15:24:33+00:00 1e6a204b4372bbbfb722a00370a5ce4e34406b9f Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fix renewal lock issues on installation 2016-11-16T08:10:01+00:00 Florence Blanc-Renaud flo@redhat.com 2016-11-10T12:14:34+00:00 198cd5fab3937fd8948bea4b4949e30db4e490a4 - Make sure that the file /var/run/ipa/renewal.lock is deleted upon uninstallation, in order to avoid subsequent installation issues. - Modify certmonger renewal script: restart the http/dirsrv services only if they were already running - Cleanup certmonger ra renewal script: no need to restart httpd - Reorder during http install: request the SSL cert before adding ipa-service-guard Rationale: when a CA helper is modified, certmonger launches the helper with various operations (FETCH_ROOTS, ...) If the CA helper is once again modified, the on-going helper is killed. This can lead to ipa-service-guard being killed and not releasing the renew lock. If the SSL cert is requested with IPA helper before ipa-service-guard is added, we avoid this locking issue. Part of the refactoring effort, certificates sub-effort. https://fedorahosted.org/freeipa/ticket/6433 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
- Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.

- Modify certmonger renewal script: restart the http/dirsrv services
only if they were already running

- Cleanup certmonger ra renewal script: no need to restart httpd

- Reorder during http install: request the SSL cert before adding
ipa-service-guard
Rationale: when a CA helper is modified, certmonger launches the helper
with various operations (FETCH_ROOTS, ...) If the CA helper is once again
modified, the on-going helper is killed. This can lead to
ipa-service-guard being killed and not releasing the renew lock.

If the SSL cert is requested with IPA helper before ipa-service-guard is added,
we avoid this locking issue.

Part of the refactoring effort, certificates sub-effort.

https://fedorahosted.org/freeipa/ticket/6433

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
restart scripts: bootstrap api with in_server=True 2016-06-21T06:30:35+00:00 Fraser Tweedale ftweedal@redhat.com 2016-06-17T04:18:05+00:00 3edf13cd8ab541908d7e2011a54e31edf1844ea2 renew_ca_cert fails because it cannot access the 'config' plugin. Bootstrap all the restart scripts to avoid such issues. Fixes: https://fedorahosted.org/freeipa/ticket/5968 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
renew_ca_cert fails because it cannot access the 'config' plugin.
Bootstrap all the restart scripts to avoid such issues.

Fixes: https://fedorahosted.org/freeipa/ticket/5968
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Modernize 'except' clauses 2015-08-12T16:17:23+00:00 Petr Viktorin pviktori@redhat.com 2015-07-30T14:49:29+00:00 27dabb45282911e375336f75934af9dd6cc5d963 The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com> 
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Make certificate renewal process synchronized 2015-01-13T18:34:59+00:00 Jan Cholasta jcholast@redhat.com 2015-01-08T09:06:46+00:00 b9ae7690489368ead9f4983d386fa210dc265dfa Synchronization is achieved using a global renewal lock. https://fedorahosted.org/freeipa/ticket/4803 Reviewed-By: David Kupka <dkupka@redhat.com> 
Synchronization is achieved using a global renewal lock.

https://fedorahosted.org/freeipa/ticket/4803

Reviewed-By: David Kupka <dkupka@redhat.com>
ipaplatform: Remove redundant imports of ipaservices 2014-06-16T17:48:20+00:00 Tomas Babej tbabej@redhat.com 2014-05-29T08:51:08+00:00 c7edd7b68c98d105f02a5977a0ff7c2a3081f2c9 Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
Also fixes few incorrect imports.

https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
ipaplatform: Change service code in freeipa to use ipaplatform services 2014-06-16T17:48:19+00:00 Tomas Babej tbabej@redhat.com 2014-05-29T08:37:18+00:00 49fcd42f8fd71b894a0953a37f10a6c326e16048 https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Log unhandled exceptions in certificate renewal scripts. 2014-03-10T17:41:10+00:00 Jan Cholasta jcholast@redhat.com 2014-01-23T14:33:26+00:00 8e986904096925fc08df8cbdf271d722314c5460 https://fedorahosted.org/freeipa/ticket/4093 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4093

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Use /usr/bin/python2 2014-01-03T08:46:05+00:00 Xiao-Long Chen chenxiaolong@cxl.epac.to 2013-11-27T13:53:57+00:00 5e96fbc22afa02f08f71513e7b59d3d5c6a1f9dc Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com 
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.

FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2

https://fedorahosted.org/freeipa/ticket/3438

Updated by pviktori@redhat.com
Fix some restart script issues found with certificate renewal. 2012-09-06T23:09:18+00:00 Rob Crittenden rcritten@redhat.com 2014-08-08T20:09:42+00:00 0f81268ec4a006625c8286ac7c6f5fed5aab7346 The restart_dirsrv script wasn't initializing the api so the startup_timeout wasn't available. The subsystemCert cert-pki-ca definition was missing so we didn't know which certificate to update in CS.cfg. Add some documentation and a pause between restarts for the renew_ca_cert script so that when the CA subsystem certs are renewed they don't all try to restart the CA at the same time. https://fedorahosted.org/freeipa/ticket/3006 
The restart_dirsrv script wasn't initializing the api so the
startup_timeout wasn't available.

The subsystemCert cert-pki-ca definition was missing so we didn't
know which certificate to update in CS.cfg.

Add some documentation and a pause between restarts for the
renew_ca_cert script so that when the CA subsystem certs are renewed
they don't all try to restart the CA at the same time.

https://fedorahosted.org/freeipa/ticket/3006