freeipa.git/ipalib/install, branch fix_ber_scanf FreeIPA patches Replace replication_wait_timeout with certmonger_wait_timeout 2019-09-04T12:52:14+00:00 Rob Crittenden rcritten@redhat.com 2019-07-05T17:31:32+00:00 faf34fcdfd78208726e3e8586186f34e7c44d732 The variable is intended to control the timeout for replication events. If someone had significantly reduced it via configuration then it could have caused certmogner requests to fail due to timeouts. Add replication_wait_timeout, certmonger_wait_timeout and http_timeout to the default.conf man page. Related: https://pagure.io/freeipa/issue/7971 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmogner requests to fail due to timeouts.

Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.

Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Pass token_name to certmonger 2019-04-25T06:57:58+00:00 Christian Heimes cheimes@redhat.com 2019-04-23T11:47:38+00:00 8686cd3b4b69f725aee05c9cdd3034d7436055d3 For HSM support, IPA has to pass the token name for CA and subsystem certificates to certmonger. For now, only the default 'internal' token is supported. Related: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
For HSM support, IPA has to pass the token name for CA and subsystem
certificates to certmonger. For now, only the default 'internal' token is
supported.

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reuse key type and size in certmonger resubmit 2019-04-16T14:51:40+00:00 Christian Heimes cheimes@redhat.com 2019-04-16T09:37:51+00:00 00a7868fa4011a0639bf96d23225c4203980bfb3 Certmonger has hard-coded defaults for key size and key type. In case a request does not contain these values, certmonger uses 2048 RSA keys. Since the CA now has 3072, it will also rekey the CA to 2048 instead of resubmitting with the existing 2048 bit key. Use key-size and key-type from the existing request when resubmitting. Related: https://pagure.io/freeipa/issue/6790 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Certmonger has hard-coded defaults for key size and key type. In case a
request does not contain these values, certmonger uses 2048 RSA keys.
Since the CA now has 3072, it will also rekey the CA to 2048 instead of
resubmitting with the existing 2048 bit key.

Use key-size and key-type from the existing request when resubmitting.

Related: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Py3: Remove subclassing from object 2018-09-27T09:49:04+00:00 Christian Heimes cheimes@redhat.com 2018-09-26T09:59:50+00:00 b431e9b684df11c811892bd9d2a5711355f0076e Python 2 had old style and new style classes. Python 3 has only new style classes. There is no point to subclass from object any more. See: https://pagure.io/freeipa/issue/7715 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Remove replica_file knob from ipalib/install/service.py 2018-09-12T11:11:21+00:00 Thomas Woerner twoerner@redhat.com 2018-09-10T14:01:49+00:00 374138d0301da19d2c59ac5cdc7372d156272655 The replica_file option is not needed anymore. Threfore the option can be removed. See: https://pagure.io/freeipa/issue/7689 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
The replica_file option is not needed anymore. Threfore the option can
be removed.

See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Mark replica_file option as deprecated 2018-08-13T10:35:06+00:00 Thomas Woerner twoerner@redhat.com 2018-08-07T09:05:20+00:00 0ce79ec6f51083efe7dce724503ef502481b3f65 The replica_file option is only supported for DL0. The option will be marked deprecated for now. See: https://pagure.io/freeipa/issue/7669 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
The replica_file option is only supported for DL0. The option will be
marked deprecated for now.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Auto-retry failed certmonger requests 2018-07-09T18:15:18+00:00 Christian Heimes cheimes@redhat.com 2018-07-08T09:53:58+00:00 1fa2a7cd41095295ebee5cd3b280507580ba8fbb During parallel replica installation, a request sometimes fails with CA_REJECTED or CA_UNREACHABLE. The error occur when the master is either busy or some information haven't been replicated yet. Even a stuck request can be recovered, e.g. when permission and group information have been replicated. A new function request_and_retry_cert() automatically resubmits failing requests until it times out. Fixes: https://pagure.io/freeipa/issue/7623 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
During parallel replica installation, a request sometimes fails with
CA_REJECTED or CA_UNREACHABLE. The error occur when the master is
either busy or some information haven't been replicated yet. Even
a stuck request can be recovered, e.g. when permission and group
information have been replicated.

A new function request_and_retry_cert() automatically resubmits failing
requests until it times out.

Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add absolute_import future imports 2018-04-20T07:43:37+00:00 Stanislav Laznicka slaznick@redhat.com 2018-04-05T07:21:16+00:00 b5bdd07bc54ca557491652ce61011ae6aa3eb592 Add absolute_import from __future__ so that pylint does not fail and to achieve python3 behavior in python2. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Remove main function from the certmonger library 2018-02-21T06:57:40+00:00 Rob Crittenden rcritten@redhat.com 2017-11-30T20:48:10+00:00 a0407f75f9b25c265008e907c7f97e2e4b0fa6e8 This was useful during initial development and as a simple in-tree unit test but it isn't needed anymore. Related: https://pagure.io/freeipa/issue/3757 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
This was useful during initial development and as a simple
in-tree unit test but it isn't needed anymore.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fix FileStore.backup_file() not to backup same file 2018-02-19T13:16:51+00:00 Stanislav Laznicka slaznick@redhat.com 2018-02-19T08:50:41+00:00 364ffd5a0ff0848ec203f39397f00733a76d3350 FileStore.backup_file() docstring claimed not to store a copy of the same file but the behavior of the method did not match this description. This commit makes the backed-up file filename derivation deterministic by hashing its content by SHA-256, thus it should not back up two files with the same filename and content. Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com> 
FileStore.backup_file() docstring claimed not to store a
copy of the same file but the behavior of the method did not
match this description.

This commit makes the backed-up file filename derivation
deterministic by hashing its content by SHA-256, thus it
should not back up two files with the same filename and content.

Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>