authorMartin Babinsky <mbabinsk@redhat.com>2016-01-05 13:00:24 +0100
committerJan Cholasta <jcholast@redhat.com>2016-01-11 09:08:26 +0100
commitbef0f4c5c38e7ff6415e8f8c96dc306ef7f0ce56 (patch)
treeef54c170d0201b9911246524671d4fc2f0bc23c9
parent129d97c10be570c3327445337c534e57a8c12ef6 (diff)
prevent crash of CA-less server upgrade due to absent certmonger
ipa-server-upgrade tests whether the certmonger service is running before attempting to upgrade an IPA master. This causes the upgrader to always fail when there is no CA installed and certmonger is not needed, effectively preventing a CA-less IPA master from upgrading successfully. This test is now skipped if CA is not enabled. https://fedorahosted.org/freeipa/ticket/5519 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r--ipaserver/install/server/upgrade.py30
1 files changed, 28 insertions, 2 deletions
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index f37a8fea5..20379f19c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -291,6 +291,24 @@ def setup_firefox_extension(fstore):
http.setup_firefox_extension(realm, domain)
+def is_ca_enabled():
+ """
+ check whether there is an active CA master
+ :return: True if there is an active CA in topology, False otherwise
+ """
+ ldap2 = api.Backend.ldap2
+ was_connected = ldap2.isconnected()
+
+ if not was_connected:
+ ldap2.connect()
+
+ try:
+ return api.Command.ca_is_enabled()['result']
+ finally:
+ if not was_connected:
+ ldap2.disconnect()
+
+
def ca_configure_profiles_acl(ca):
root_logger.info('[Authorizing RA Agent to modify profiles]')
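Review bot: The docstring of `is_ca_enabled()` leaves out the two things a caller most needs to know: the function may open an ldap2 connection itself (closing it again only if it was the one that opened it), and any error from `ldap2.connect()` or `api.Command.ca_is_enabled()` propagates unhandled. I would extend the summary to `check whether there is an active CA master, connecting ldap2 temporarily if it is not already connected` and add a `:raises:` line saying that connection and command errors are passed through to the caller. That makes it explicit that each call site decides how to fail when the CA state cannot be determined.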
@@ -1477,7 +1495,10 @@ def upgrade_configuration():
http = httpinstance.HTTPInstance(fstore)
http.configure_selinux_for_httpd()
http.change_mod_nss_port_from_http()
- http.configure_certmonger_renewal_guard()
+
+ if is_ca_enabled():
+ http.configure_certmonger_renewal_guard()
+
http.enable_and_start_oddjobd()
ds.configure_dirsrv_ccache()
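Review bot: The `is_ca_enabled()` call in upgrade_configuration is not guarded, unlike the one in upgrade_check, so an LDAP or command failure here surfaces as a raw exception after `configure_selinux_for_httpd()` and `change_mod_nss_port_from_http()` have already run. Whether the directory server is guaranteed to be reachable at this point is not visible in the hunk, so this may be safe in practice, but it deserves a comment such as `# LDAP is up at this stage; a failure here aborts the upgrade`. It also repeats the LDAP round trip already made in upgrade_check, and the two answers could in principle differ; determining the CA state once and reusing it would keep the precheck and the configuration step consistent. The body of upgrade_configuration starts and ends outside the hunk.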
@@ -1629,7 +1650,12 @@ def upgrade_check(options):
print(unicode(e))
sys.exit(1)
- if not services.knownservices.certmonger.is_running():
+ try:
+ ca_is_enabled = is_ca_enabled()
+ except Exception as e:
+ raise RuntimeError("Cannot connect to LDAP server: {0}".format(e))
+
+ if not services.knownservices.certmonger.is_running() and ca_is_enabled:
raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.')
if not options.skip_version_check:
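Review bot: The `except Exception` around `is_ca_enabled()` in upgrade_check reports every failure as "Cannot connect to LDAP server", but the helper also runs `api.Command.ca_is_enabled()`, so an error unrelated to connectivity is mislabelled and sends the administrator looking in the wrong place. A neutral message is more accurate: `raise RuntimeError("Cannot determine whether CA is enabled: {0}".format(e))`. Logging the original exception through `root_logger` before re-raising would also preserve the traceback, which the wrapped RuntimeError otherwise drops. Aborting the upgrade when the CA state is unknown is the right default and should stay. The body of upgrade_check continues outside the hunk.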