[freeipa/f16] Introduce systemd upgrade script

abbra abbra at fedoraproject.org
Wed Nov 30 11:03:01 UTC 2011 

commit 04c165687f2c362da9e675812258a373b83ec7cd
Author: Alexander Bokovoy <abokovoy at redhat.com>
Date:   Wed Nov 30 12:57:51 2011 +0200

    Introduce systemd upgrade script
    
    As user has no means to recover existing FreeIPA install after
    upgrading from SysV to systemd, introduce upgrade script.
    
    The upgrade script does following:
    - restores symlinks in FreeIPA's Dogtag installation
    - converts FreeIPA directory server instances to systemd
    - converts FreeIPA directory server configuration to be compatible
      with systemd services
    - converts FreeIPA KDC configuration to be compatible
      with systemd services
    - re-enables FreeIPA
    
    Script does nothing if FreeIPA is already active systemd service

 freeipa-systemd-upgrade |   73 +++++++++++++++++++++++++++++++++++++++++++++++
 freeipa.spec            |   21 +++++++++++++-
 2 files changed, 93 insertions(+), 1 deletions(-)
---
diff --git a/freeipa-systemd-upgrade b/freeipa-systemd-upgrade
new file mode 100755
index 0000000..c0b840c
--- /dev/null
+++ b/freeipa-systemd-upgrade
@@ -0,0 +1,73 @@
+#! /usr/bin/python -E
+from ipaserver.install.krbinstance import update_key_val_in_file
+from ipapython import ipautil, config
+from ipapython import services as ipaservices
+import os, platform
+
+def convert_java_link(foo, topdir, filepaths):
+    cwd = os.getcwd()
+    os.chdir(topdir)
+    for filepath in filepaths:
+        # All this shouldn't happen because java system upgrade should properly
+        # move files and symlinks but if this is a broken link
+        if os.path.islink(filepath):
+            print "    Checking %s ... " % (filepath),
+            if not os.path.exists(filepath):
+                rpath = os.path.realpath(filepath)
+                # .. and it points to jss in /usr/lib
+                if rpath.find('/usr/lib/') != -1  and rpath.find('jss') != -1:
+                    base = os.path.basename(rpath)
+                    bitness = platform.architecture()[0][:2]
+                    # rewrite it to /usr/lib64 for x86_64 platform
+                    if bitness == '64':
+                        npath = "/usr/lib%s/jss/%s" % (bitness, base)
+                        os.unlink(filepath)
+                        os.symlink(npath, filepath)
+                        print "%s -> %s" % (filepath, npath)
+                    else:
+                        print "Ok"
+                else:
+                    print "Ok"
+            else:
+                print "Ok"
+    os.chdir(cwd)
+
+# 0. Init config
+try:
+    config.init_config()
+except IPAConfigError, e:
+    # No configured IPA install, no need to upgrade anything
+    exit(0)
+
+# 1. Convert broken symlinks, if any, in /var/lib/pki-ca
+if os.path.exists('/var/lib/pki-ca/common/lib'):
+    print "Analyzing symlinks in PKI-CA install"
+    os.path.walk('/var/lib/pki-ca/common/lib', convert_java_link, None)
+
+try:
+    print "Found IPA server for domain %s" % (config.config.default_realm)
+    print "Converting services setup to systemd"
+    # 1. Upgrade /etc/sysconfig/dirsrv for systemd
+    print "    Upgrade /etc/sysconfig/dirsrv"
+    update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
+    update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
+    # 2. Upgrade /etc/sysconfig/krb5kdc for systemd
+    print "    Upgrade /etc/sysconfig/krb5kdc"
+    replacevars = {'KRB5REALM':config.config.default_realm}
+    appendvars = {}
+    ipautil.config_replace_variables("/etc/sysconfig/krb5kdc",
+       replacevars=replacevars, appendvars=appendvars)
+    ipaservices.restore_context("/etc/sysconfig/krb5kdc")
+    # 3. Enable DS instances:
+    realm = config.config.default_realm.upper().replace('.','-')
+    print "    Re-enable Directory server instances PKI-IPA and %s " % (realm)
+    ipaservices.knownservices.dirsrv.enable(realm)
+    ipaservices.knownservices.dirsrv.enable("PKI-IPA")
+    # 4. Enable FreeIPA
+    print "    Re-enable IPA service"
+    ipaservices.knownservices.ipa.enable()
+except:
+    pass
+
+finally:
+    print "Finished."
diff --git a/freeipa.spec b/freeipa.spec
index e4dd824..cc855a6 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -14,13 +14,14 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 
 Name:           freeipa
 Version:        2.1.3
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
 License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        freeipa-%{version}.tar.gz
+Source1:        freeipa-systemd-upgrade
 Patch0:         freeipa-2.1.3-systemd.patch.gz
 Patch1:         freeipa-2.1.3-wait_for_socket.patch.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -218,6 +219,7 @@ package.
 %setup -n freeipa-%{version} -q
 %patch0 -p1
 %patch1 -p1
+cp %{SOURCE1} init/systemd/
 
 %build
 export CFLAGS="$CFLAGS %{optflags}"
@@ -294,6 +296,8 @@ mkdir -p %{buildroot}%{_unitdir}
 for i in ipa.service ipa_kpasswd.service ; do
     install -m 644 init/systemd/$i %{buildroot}%{_unitdir}/$i
 done
+mkdir -p %{buildroot}%{_libexecdir}
+install -m 755 init/systemd/freeipa-systemd-upgrade %{buildroot}%{_libexecdir}/freeipa-systemd-upgrade
 rm -f %{buildroot}%{_initrddir}/ipa_kpasswd
 %endif
 
@@ -316,6 +320,11 @@ rm -rf %{buildroot}
 # Use systemd scheme, update systemd as service units have changed
     /bin/systemctl --system daemon-reload 2>&1 || :
 if [ $1 -gt 1 ] ; then
+    # When upgrade is performed from SysV to systemd, ipa.service will be inactive
+    # due to https://bugzilla.redhat.com/show_bug.cgi?id=752846
+    # FreeIPA existing setup cannot be used without upgrade script
+    /bin/systemctl --quiet is-active ipa.service >/dev/null || \
+        /usr/libexec/freeipa-systemd-upgrade || :
     /usr/sbin/ipa-upgradeconfig || :
     /usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || :
 fi
@@ -403,6 +412,7 @@ fi
 # Use systemd scheme
 %attr(644,root,root) %{_unitdir}/ipa.service
 %attr(644,root,root) %{_unitdir}/ipa_kpasswd.service
+%{buildroot}%{_libexecdir}/freeipa-systemd-upgrade
 %dir %{python_sitelib}/ipaserver
 %{python_sitelib}/ipaserver/*
 %dir %{_usr}/share/ipa
@@ -531,6 +541,15 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Wed Nov 30 2011 Alexander Bokovoy <abokovoy at redhat.com> - 2.1.3-6
+- Introduce upgrade script to recover existing configuration after systemd migration
+  as user has no means to recover FreeIPA from systemd migration
+- Upgrade script:
+  - recovers symlinks in Dogtag instance install
+  - recovers systemd configuration for FreeIPA's directory server instances
+  - recovers freeipa.service
+  - migrates directory server and KDC configs to use proper keytabs for systemd services
+
 * Wed Oct 26 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.1.3-5
 - Rebuilt for glibc bug#747377

More information about the scm-commits mailing list