freeipa.git/ipapython/platform/fedora16.py, branch webui_isolate FreeIPA patches convert the base platform modules into packages 2013-01-14T13:39:54+00:00 Timo Aaltonen tjaalton@ubuntu.com 2012-12-05T12:58:06+00:00 ed849639272acf0aed44935591ba525ec1348d59 






Stop and disable conflicting time&date services
2012-12-07T18:07:36+00:00

Martin Kosek
mkosek@redhat.com

2012-12-07T15:44:32+00:00

211f6c9046ab9b43c7f40e279db7c5595ae70bd1

Fedora 16 introduced chrony as default client time&date synchronization
service:
http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
Thus, there may be people already using chrony as their time and date
synchronization service before installing IPA.

However, installing IPA server or client on such machine may lead to
unexpected behavior, as the IPA installer would configure ntpd and leave
the machine with both ntpd and chronyd enabled. However, since the OS
does not allow both chronyd and ntpd to be running concurrently and chronyd
has the precedence, ntpd would not be run on that system at all.

Make sure, that user is warned when trying to install IPA on such
system and is given a possibility to either not to let IPA configure
ntpd at all or to let the installer stop and disable chronyd.

https://fedorahosted.org/freeipa/ticket/2974





Fedora 16 introduced chrony as default client time&date synchronization
service:
http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
Thus, there may be people already using chrony as their time and date
synchronization service before installing IPA.

However, installing IPA server or client on such machine may lead to
unexpected behavior, as the IPA installer would configure ntpd and leave
the machine with both ntpd and chronyd enabled. However, since the OS
does not allow both chronyd and ntpd to be running concurrently and chronyd
has the precedence, ntpd would not be run on that system at all.

Make sure, that user is warned when trying to install IPA on such
system and is given a possibility to either not to let IPA configure
ntpd at all or to let the installer stop and disable chronyd.

https://fedorahosted.org/freeipa/ticket/2974







Change network configuration file
2012-12-05T12:30:31+00:00

Martin Kosek
mkosek@redhat.com

2012-12-05T09:50:05+00:00

3896bf370a142eb95a4341e381ee7b1ff0f0c3e2

Fedora+systemd changed deprecated /etc/sysconfig/network which was
used by IPA to store static hostname for the IPA machine. See
https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details.

Change Fedora platform files to store the hostname to /etc/hostname
instead.

https://fedorahosted.org/freeipa/ticket/3279





Fedora+systemd changed deprecated /etc/sysconfig/network which was
used by IPA to store static hostname for the IPA machine. See
https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details.

Change Fedora platform files to store the hostname to /etc/hostname
instead.

https://fedorahosted.org/freeipa/ticket/3279







Preserve original service_name in services
2012-11-01T14:58:19+00:00

Simo Sorce
ssorce@redhat.com

2012-10-23T00:48:24+00:00

09dbc1f36bbc14c1224e45778cbc59586dfeea75

This is needed to be able to reference stuff always wth the same name.
The platform specific private name must be kept in a platform specific
variable.
In the case of systemd we store it in systemd_name
For the redhat platform wellknown names and service name are the same so
currently no special name is needed.





This is needed to be able to reference stuff always wth the same name.
The platform specific private name must be kept in a platform specific
variable.
In the case of systemd we store it in systemd_name
For the redhat platform wellknown names and service name are the same so
currently no special name is needed.







Make sure the CA is running when starting services
2012-10-24T02:02:21+00:00

Petr Viktorin
pviktori@redhat.com

2012-09-25T13:57:03+00:00

d6fbbd530ee94bc4cdd00c9106fd789e50fb81cf

- Provide a function for determinig the CA status using Dogtag 10's new
  getStatus endpoint.
  This must be done over HTTPS, but since our client certificate may not be set
  up yet, we need HTTPS without client authentication.
  Rather than copying from the existing http_request and https_request
  function, shared code is factored out to a common helper.
- Call the new function when restarting the CA service. Since our Service
  can only be extended in platform-specific code, do this for Fedora only.
  Also, the status is only checked with Dogtag 10+.
- When a restart call in cainstance failed, users were refered to the
  installation log, but no info was actually logged. Log the exception.

https://fedorahosted.org/freeipa/ticket/3084





- Provide a function for determinig the CA status using Dogtag 10's new
  getStatus endpoint.
  This must be done over HTTPS, but since our client certificate may not be set
  up yet, we need HTTPS without client authentication.
  Rather than copying from the existing http_request and https_request
  function, shared code is factored out to a common helper.
- Call the new function when restarting the CA service. Since our Service
  can only be extended in platform-specific code, do this for Fedora only.
  Also, the status is only checked with Dogtag 10+.
- When a restart call in cainstance failed, users were refered to the
  installation log, but no info was actually logged. Log the exception.

https://fedorahosted.org/freeipa/ticket/3084







Modifications to install scripts for dogtag 10
2012-09-17T22:43:36+00:00

Ade Lee
alee@redhat.com

2012-08-16T02:53:51+00:00

3dd31a875650c7fe7c67ca6b47f2058c1181dafb

Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846





Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846







Use certmonger to renew CA subsystem certificates
2012-07-30T11:39:08+00:00

Rob Crittenden
rcritten@redhat.com

2012-07-11T19:51:01+00:00

03837bfd6dbf7fd1eaa437da22807d7061b99af7

Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803





Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803







Centralize timeout for waiting for servers to start.
2012-07-02T21:08:58+00:00

Rob Crittenden
rcritten@redhat.com

2012-05-24T15:23:36+00:00

e5b6260008a3a7132fdaef99d800406eb8872316

All service start/restart currently go through ipapython/platform so
move the "wait for service to start" code there as well.

A dictionary of known services and ports to wait on is defined in base.py
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.

https://fedorahosted.org/freeipa/ticket/2375
https://fedorahosted.org/freeipa/ticket/2610





All service start/restart currently go through ipapython/platform so
move the "wait for service to start" code there as well.

A dictionary of known services and ports to wait on is defined in base.py
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.

https://fedorahosted.org/freeipa/ticket/2375
https://fedorahosted.org/freeipa/ticket/2610







Configure automount using autofs or sssd.
2012-06-25T21:24:34+00:00

Rob Crittenden
rcritten@redhat.com

2012-05-29T18:20:38+00:00

f4d2f2a65b799e200c2f98164e1a0ac4e9b07376

This script edits nsswitch.conf to use either ldap (autofs) or
sss (sssd) to find automount maps.

NFSv4 services are started so Kerberos encryption and/or integrity can
be used on the maps.

https://fedorahosted.org/freeipa/ticket/1233
https://fedorahosted.org/freeipa/ticket/2193





This script edits nsswitch.conf to use either ldap (autofs) or
sss (sssd) to find automount maps.

NFSv4 services are started so Kerberos encryption and/or integrity can
be used on the maps.

https://fedorahosted.org/freeipa/ticket/1233
https://fedorahosted.org/freeipa/ticket/2193







If SELinux is enabled ensure we also have restorecon.
2012-05-31T12:07:05+00:00

Rob Crittenden
rcritten@redhat.com

2012-05-31T11:59:33+00:00

9e877585e213a9fccec8ff9b3dcb876b2ec65696

We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.

On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.

https://fedorahosted.org/freeipa/ticket/2368





We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.

On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.

https://fedorahosted.org/freeipa/ticket/2368