authorStanislav Laznicka <slaznick@redhat.com>2017-01-04 08:41:26 +0100
committerJan Cholasta <jcholast@redhat.com>2017-03-01 09:43:41 +0000
commit1e89d28aaf3a0a4b48fc09a5d98262f1000c52a3 (patch)
tree248502cb320ef6806399861d66b602deda792889 /ipaserver/install
parent2a1494c9aef2e2b5c06e427e689787e5a2c4dc7f (diff)
Don't run kra.configure_instance if not necessary
If KRA should not be set up, don't run the code, as it would only prolong the installations. Previously, krainstance configuration would be performed just to export the client certificate and private key to authenticate to the certificate server. This is now performed somewhere else, so there's no need to run KRAInstance.configure_instance. The kra.install() method still performs actions on replicas and we're keeping it in the server installer to conform to the installers' design. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r--ipaserver/install/kra.py15
-rw-r--r--ipaserver/install/krainstance.py65
2 files changed, 39 insertions, 41 deletions
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 6f5c22bc7..5a7a6ef2d 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -69,6 +69,8 @@ def install_check(api, replica_config, options):
def install(api, replica_config, options):
if replica_config is None:
+ if not options.setup_kra:
+ return
realm_name = api.env.realm
dm_password = options.dm_password
host_name = api.env.host
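Review bot: The new guard `if not options.setup_kra: return` (and the matching `if not replica_config.setup_kra: return` in the next hunk) leaves install() without any trace, so an install log cannot show whether KRA setup was skipped deliberately or never reached. The skipped path used to be the one that exported the client certificate and private key for authenticating to the certificate server. The commit description says this now happens elsewhere, but that code is not in the visible hunks, so it is worth confirming it runs on every path that previously went through `ra_only=True`. I would add a comment at both guards, for example `# KRA not requested; the RA agent cert/key export is handled outside this module`, and a debug-level log line through the module's existing logger. The body of install() continues outside this hunk.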
@@ -76,9 +78,10 @@ def install(api, replica_config, options):
pkcs12_info = None
master_host = None
- ra_only = not options.setup_kra
promote = False
else:
+ if not replica_config.setup_kra:
+ return
krafile = os.path.join(replica_config.dir, 'kracert.p12')
if options.promote:
custodia = custodiainstance.CustodiaInstance(
@@ -103,7 +106,6 @@ def install(api, replica_config, options):
pkcs12_info = (krafile,)
master_host = replica_config.kra_host_name
- ra_only = not replica_config.setup_kra
promote = options.promote
kra = krainstance.KRAInstance(realm_name)
@@ -111,18 +113,15 @@ def install(api, replica_config, options):
subject_base=subject_base,
pkcs12_info=pkcs12_info,
master_host=master_host,
- ra_only=ra_only,
promote=promote)
_service.print_msg("Restarting the directory server")
ds = dsinstance.DsInstance()
ds.restart()
+ kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH)
- if not ra_only:
- kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH)
-
- # Restart apache for new proxy config file
- services.knownservices.httpd.restart(capture_output=True)
+ # Restart apache for new proxy config file
+ services.knownservices.httpd.restart(capture_output=True)
def uninstall(standalone):
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 7a6c2d2fa..1fc69bd68 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -77,7 +77,7 @@ class KRAInstance(DogtagInstance):
def configure_instance(self, realm_name, host_name, dm_password,
admin_password, pkcs12_info=None, master_host=None,
subject_base=None, subject=None,
- ra_only=False, promote=False):
+ promote=False):
"""Create a KRA instance.
To create a clone, pass in pkcs12_info.
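Review bot: Dropping `ra_only` from the `configure_instance` signature means any caller that still passes `ra_only=...` will now fail with a TypeError partway through an installation. The only call site updated in the visible hunks is the one in kra.py, and the diffstat is limited to ipaserver/install, so callers elsewhere in the tree cannot be checked from this page. The docstring, which starts here and continues outside the hunk, could also state the new contract, for example `Always performs a full KRA installation; callers that do not want a KRA must not call this method.`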
@@ -99,38 +99,37 @@ class KRAInstance(DogtagInstance):
self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(realm_name)
- if not ra_only:
- # Confirm that a KRA does not already exist
- if self.is_installed():
- raise RuntimeError(
- "KRA already installed.")
- # Confirm that a Dogtag 10 CA instance already exists
- ca = cainstance.CAInstance(self.realm)
- if not ca.is_installed():
- raise RuntimeError(
- "KRA configuration failed. "
- "A Dogtag CA must be installed first")
-
- if promote:
- self.step("creating installation admin user", self.setup_admin)
- self.step("configuring KRA instance", self.__spawn_instance)
- if not self.clone:
- self.step("create KRA agent",
- self.__create_kra_agent)
- if not ra_only:
- if promote:
- self.step("destroying installation admin user", self.teardown_admin)
- self.step("restarting KRA", self.restart_instance)
- self.step("configure certmonger for renewals",
- self.configure_certmonger_renewal)
- self.step("configure certificate renewals", self.configure_renewal)
- self.step("configure HTTP to proxy connections",
- self.http_proxy)
- if not self.clone:
- self.step("add vault container", self.__add_vault_container)
- self.step("apply LDAP updates", self.__apply_updates)
-
- self.step("enabling KRA instance", self.__enable_instance)
+ # Confirm that a KRA does not already exist
+ if self.is_installed():
+ raise RuntimeError(
+ "KRA already installed.")
+ # Confirm that a Dogtag 10 CA instance already exists
+ ca = cainstance.CAInstance(self.realm)
+ if not ca.is_installed():
+ raise RuntimeError(
+ "KRA configuration failed. "
+ "A Dogtag CA must be installed first")
+
+ if promote:
+ self.step("creating installation admin user", self.setup_admin)
+ self.step("configuring KRA instance", self.__spawn_instance)
+ if not self.clone:
+ self.step("create KRA agent",
+ self.__create_kra_agent)
+ if promote:
+ self.step("destroying installation admin user",
+ self.teardown_admin)
+ self.step("restarting KRA", self.restart_instance)
+ self.step("configure certmonger for renewals",
+ self.configure_certmonger_renewal)
+ self.step("configure certificate renewals", self.configure_renewal)
+ self.step("configure HTTP to proxy connections",
+ self.http_proxy)
+ if not self.clone:
+ self.step("add vault container", self.__add_vault_container)
+ self.step("apply LDAP updates", self.__apply_updates)
+
+ self.step("enabling KRA instance", self.__enable_instance)
try:
self.start_creation(runtime=126)
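Review bot: On the `promote` path the temporary installation admin user is created by the `setup_admin` step and removed only by the later `teardown_admin` step, with `__spawn_instance` and `__create_kra_agent` registered in between. If `start_creation` stops at the first failing step, which cannot be confirmed from this hunk because the `try:` block continues outside it, a failure in either of those steps would leave that privileged account in place. It would be worth making sure the enclosing error handling calls `teardown_admin` on failure, or at least recording the requirement next to the step, for example `# teardown_admin must also run if a step above fails, or the temporary admin user outlives the install`.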