freeipa.git/ipapython/platform/base.py, branch webui_isolate FreeIPA patches convert the base platform modules into packages 2013-01-14T13:39:54+00:00 Timo Aaltonen tjaalton@ubuntu.com 2012-12-05T12:58:06+00:00 ed849639272acf0aed44935591ba525ec1348d59 






Stop and disable conflicting time&date services
2012-12-07T18:07:36+00:00

Martin Kosek
mkosek@redhat.com

2012-12-07T15:44:32+00:00

211f6c9046ab9b43c7f40e279db7c5595ae70bd1

Fedora 16 introduced chrony as default client time&date synchronization
service:
http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
Thus, there may be people already using chrony as their time and date
synchronization service before installing IPA.

However, installing IPA server or client on such machine may lead to
unexpected behavior, as the IPA installer would configure ntpd and leave
the machine with both ntpd and chronyd enabled. However, since the OS
does not allow both chronyd and ntpd to be running concurrently and chronyd
has the precedence, ntpd would not be run on that system at all.

Make sure, that user is warned when trying to install IPA on such
system and is given a possibility to either not to let IPA configure
ntpd at all or to let the installer stop and disable chronyd.

https://fedorahosted.org/freeipa/ticket/2974





Fedora 16 introduced chrony as default client time&date synchronization
service:
http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
Thus, there may be people already using chrony as their time and date
synchronization service before installing IPA.

However, installing IPA server or client on such machine may lead to
unexpected behavior, as the IPA installer would configure ntpd and leave
the machine with both ntpd and chronyd enabled. However, since the OS
does not allow both chronyd and ntpd to be running concurrently and chronyd
has the precedence, ntpd would not be run on that system at all.

Make sure, that user is warned when trying to install IPA on such
system and is given a possibility to either not to let IPA configure
ntpd at all or to let the installer stop and disable chronyd.

https://fedorahosted.org/freeipa/ticket/2974







Only update the list of running services in the installer or ipactl.
2012-12-05T15:44:44+00:00

Rob Crittenden
rcritten@redhat.com

2012-12-04T18:55:30+00:00

62e7053a12fdfc38ac7ed212529c716428c7d92b

The file is only present in the case of a server installation.

It should only be touched by the server installer and ipactl.

https://fedorahosted.org/freeipa/ticket/3277





The file is only present in the case of a server installation.

It should only be touched by the server installer and ipactl.

https://fedorahosted.org/freeipa/ticket/3277







Save service name on service startup/shutdown
2012-11-01T18:24:41+00:00

Simo Sorce
ssorce@redhat.com

2012-10-22T21:01:58+00:00

57132797120bcd3f68380b6b74343af2d83e0657

This is done as a default action of the ancestor class so that no matter what
platform is currently used this code is always the same and the name is the
wellknown service name.
This information will be used by ipactl to stop only and all the services that
have been started by any ipa tool/install script





This is done as a default action of the ancestor class so that no matter what
platform is currently used this code is always the same and the name is the
wellknown service name.
This information will be used by ipactl to stop only and all the services that
have been started by any ipa tool/install script







Revert "Save service name on service startup"
2012-11-01T18:23:38+00:00

Simo Sorce
simo@redhat.com

2012-11-01T18:23:38+00:00

895b2e2b4339f1b9edc2bc995e7548ac118ea5a1

This reverts commit 1ef651e7f9f5f940051dc470385aa08eefcd60af.

This was an olde version of the patch, next commit will put in the acked
version.





This reverts commit 1ef651e7f9f5f940051dc470385aa08eefcd60af.

This was an olde version of the patch, next commit will put in the acked
version.







Save service name on service startup
2012-11-01T14:58:19+00:00

Simo Sorce
ssorce@redhat.com

2012-10-23T00:48:25+00:00

1ef651e7f9f5f940051dc470385aa08eefcd60af

This is done as a default action of the ancestor class so that no matter what
platform is currently used this code is always the same and the name is the
wellknown service name.
This information will be used by ipacl to stop only and all the services that
have been started by any ipa tool/install script





This is done as a default action of the ancestor class so that no matter what
platform is currently used this code is always the same and the name is the
wellknown service name.
This information will be used by ipacl to stop only and all the services that
have been started by any ipa tool/install script







Wait for secure Dogtag ports when starting the pki services
2012-10-03T15:38:42+00:00

Petr Viktorin
pviktori@redhat.com

2012-09-25T13:48:47+00:00

9c0426c3ed6045e3af54c5c00be23bb63eb92606

Dogtag opens not only the insecure port (8080 or 9180, for d10 and
d9 respectively), but also secure ports (8443 or 9443&9444).
Wait for them when starting.

Part of the fix for https://fedorahosted.org/freeipa/ticket/3084





Dogtag opens not only the insecure port (8080 or 9180, for d10 and
d9 respectively), but also secure ports (8443 or 9443&9444).
Wait for them when starting.

Part of the fix for https://fedorahosted.org/freeipa/ticket/3084







Use Dogtag 10 only when it is available
2012-09-17T22:43:59+00:00

Petr Viktorin
pviktori@redhat.com

2012-08-23T16:38:45+00:00

4f76c143d2f2036af02677469c542f563a10158d

Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846





Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846







Modifications to install scripts for dogtag 10
2012-09-17T22:43:36+00:00

Ade Lee
alee@redhat.com

2012-08-16T02:53:51+00:00

3dd31a875650c7fe7c67ca6b47f2058c1181dafb

Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846





Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846







Use certmonger to renew CA subsystem certificates
2012-07-30T11:39:08+00:00

Rob Crittenden
rcritten@redhat.com

2012-07-11T19:51:01+00:00

03837bfd6dbf7fd1eaa437da22807d7061b99af7

Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803





Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803