Updates and VERSION tag in config files
by Christian Heimes
Hi,
files like /etc/httpd/conf.d/ipa.conf have a VERSION tag. FreeIPA's
updater does not rewrite the file unless the VERSION tag in the template
is higher than the VERSION tag of the existing file. In case the VERSION
tag is equal to or higher, the updater does not overwrite the config file.
Is there any particular reason for this behavior? Why does FreeIPA not
simply overwrite the file every time? FreeIPA doesn't support
customization of our config files. For example ipa.conf contains a
warning "This file may be overwritten on upgrades".
We could simplify the installer by removing the version check and always
overwriting FreeIPA's own config files.
Pro:
It would reduce code size and maintenance cost while making it simpler
to test the updater. Bug https://pagure.io/freeipa/issue/7454 didn't
show up earlier, because the code path was never executed in tests. As a
nice side effect, ipa-server-update would be able to 'repair' broken
config files, too.
Con:
It makes it harder to maintain customizations of the Apache config file. But
that's not supported anyway.
Regards,
Christian
--
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander
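As an added example (not code from the mail or from FreeIPA's updater), here is the version-check policy described above next to the proposed always-overwrite policy, in Python. The sample files are constructed and modelled on the "VERSION" tag line kept in files like /etc/httpd/conf.d/ipa.conf; the version numbers and directives are made up. The BROKEN sample shows the 'repair' case from the mail: a file whose tag is already current but whose body is damaged is never touched under the version check.

```python
import re
from typing import Optional

# Constructed samples (not real FreeIPA templates); the tag line mimics
# the "# VERSION N - DO NOT REMOVE THIS LINE" header used by FreeIPA.
TEMPLATE = """\
# VERSION 3 - DO NOT REMOVE THIS LINE
# This file may be overwritten on upgrades.
WSGIDaemonProcess ipa processes=2 threads=1
"""

INSTALLED = """\
# VERSION 2 - DO NOT REMOVE THIS LINE
# This file may be overwritten on upgrades.
WSGIDaemonProcess ipa processes=2 threads=1
"""

# Same VERSION as the template, but the directive below it is damaged.
BROKEN = """\
# VERSION 3 - DO NOT REMOVE THIS LINE
WSGIDaemonProcess ipa processes=
"""

VERSION_RE = re.compile(r"^#\s*VERSION\s+(\d+)\b", re.MULTILINE)


def get_version(text: str) -> Optional[int]:
    """Return the integer VERSION tag, or None when the file has no tag."""
    m = VERSION_RE.search(text)
    return int(m.group(1)) if m else None


def needs_update(template: str, installed: Optional[str]) -> bool:
    """Version-check policy: rewrite only when the template's VERSION is
    strictly higher than the installed file's. A missing file, or a file
    without a tag, counts as version 0 (assumption for this example)."""
    if installed is None:
        return True
    template_ver = get_version(template)
    if template_ver is None:
        raise ValueError("template has no VERSION tag")
    return template_ver > (get_version(installed) or 0)


def update_file(template: str, installed: Optional[str],
                force: bool = False) -> str:
    """Return the content that should be on disk after an update run.
    force=True is the 'always overwrite' policy proposed in the mail."""
    if force or needs_update(template, installed):
        return template
    return installed
```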
[freeipa PR#1689][opened] ipa-replica-install: make sure that certmonger picks the right master
by flo-renaud
URL: https://github.com/freeipa/freeipa/pull/1689
Author: flo-renaud
Title: #1689: ipa-replica-install: make sure that certmonger picks the right master
Action: opened
PR body:
"""
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for an ldap service. This step can pick a different master, where the
principal entry has not always been replicated yet.
As the certificate request adds the principal if it does not exist, we can
end up re-creating the principal and have a replication conflict.
The replication conflict later causes Kerberos issues, preventing a new
replica from being installed.
The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.
https://pagure.io/freeipa/issue/7041
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1689/head:pr1689
git checkout pr1689
[freeipa PR#1711][opened] install: configure dogtag status request timeout
by frasertweedale
URL: https://github.com/freeipa/freeipa/pull/1711
Author: frasertweedale
Title: #1711: install: configure dogtag status request timeout
Action: opened
PR body:
"""
Configure the status request timeout, i.e. the connect/data timeout
on the HTTP request to get the status of Dogtag.
This configuration is needed in "multiple IP address" scenarios
where this server's hostname has multiple IP addresses but the HTTP
server is only listening on one of them. Without a timeout, if a
"wrong" IP address is tried first, it will take a long time to
time out, exceeding the overall timeout, hence the request will not be
retried. Setting a shorter timeout allows the request to be
retried.
Note that HSMs cause different behaviour so this value might not be
suitable for when we implement HSM support. It is known that a
value of 5s is too short in an HSM environment.
This fix requires pki-core >= 10.6.0, which is already required by
the spec file.
Fixes: https://pagure.io/freeipa/issue/7425
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1711/head:pr1711
git checkout pr1711