[freeipa/f15] Fix FreeIPA installation problems
Martin Kosek
mkosek at fedoraproject.org
Wed Jan 11 10:18:46 UTC 2012
commit 92cb701d820b2449ac83b964e8d7e474cb735d6a
Author: Martin Kosek <mkosek at redhat.com>
Date: Wed Jan 11 11:15:56 2012 +0100
Fix FreeIPA installation problems
This release fixes:
- ipa-replica-install crashes due to invalid Python calls
- ipa-server-install and ipa-dns-install may fail to produce log
- ipa-server-install crash due to sslget problem (#771357)
freeipa-2.1.4-logging.patch | 138 ++++++++++++++++++++++++++
freeipa-2.1.4-replica-install-services.patch | 72 +++++++++++++
freeipa-2.1.4-replication-addentry.patch | 93 +++++++++++++++++
freeipa.spec | 22 +++-
4 files changed, 320 insertions(+), 5 deletions(-)
---
diff --git a/freeipa-2.1.4-logging.patch b/freeipa-2.1.4-logging.patch
new file mode 100644
index 0000000..f9f7fb3
--- /dev/null
+++ b/freeipa-2.1.4-logging.patch
@@ -0,0 +1,138 @@
+From 402867038f8664e88e2d9ca42f2c77a46a0be7ae Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek at redhat.com>
+Date: Mon, 2 Jan 2012 16:49:59 +0100
+Subject: [PATCH 1/3] Make sure that install tools log
+
+When any log message is emitted before IPA install tools logging is
+configured, it may break and leave install tools log empty. This
+happens for example when
+
+ipa-server-install --ip-address=$IP_ADDRESS
+
+is run.
+
+This patch makes sure that logging is right in these cases.
+
+https://fedorahosted.org/freeipa/ticket/2214
+---
+ install/tools/ipa-ca-install | 1 +
+ install/tools/ipa-dns-install | 1 +
+ install/tools/ipa-replica-install | 1 +
+ install/tools/ipa-server-install | 2 +
+ ipaserver/install/installutils.py | 43 +++++++++++++++++++++++++++++++++++++
+ 5 files changed, 48 insertions(+), 0 deletions(-)
+
+diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
+index 445b0621419b7aa5b4616e154d9f8193a5d517fb..c813659f34f4471132b83fd4159b69b76f5ce487 100755
+--- a/install/tools/ipa-ca-install
++++ b/install/tools/ipa-ca-install
+@@ -70,6 +70,7 @@ def get_dirman_password():
+ return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
+
+ def main():
++ installutils.bootstrap_logging()
+ safe_options, options, filename = parse_options()
+ installutils.standard_logging_setup("/var/log/ipareplica-ca-install.log", options.debug)
+ logging.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
+diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
+index d81b6a2e804a815d5bece8426a286e3190f6dee3..25c1bb0cac251d098e3744afd7b7eeab32a3fe6b 100755
+--- a/install/tools/ipa-dns-install
++++ b/install/tools/ipa-dns-install
+@@ -82,6 +82,7 @@ def parse_options():
+ return safe_options, options
+
+ def main():
++ bootstrap_logging()
+ safe_options, options = parse_options()
+
+ if os.getegid() != 0:
+diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
+index dbc736764f38489df15900c4540a381764d0c261..7310d286292f571ef25b57b29d2a213f4bd855a1 100755
+--- a/install/tools/ipa-replica-install
++++ b/install/tools/ipa-replica-install
+@@ -286,6 +286,7 @@ def check_bind():
+ sys.exit(1)
+
+ def main():
++ installutils.bootstrap_logging()
+ safe_options, options, filename = parse_options()
+ installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug)
+ logging.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
+diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
+index 8f156e8dde7fbc4cfde00a0f6a2fc8e23403cc73..755f2772780010c62fdc642125107843bef61668 100755
+--- a/install/tools/ipa-server-install
++++ b/install/tools/ipa-server-install
+@@ -562,6 +562,8 @@ def main():
+ global installation_cleanup
+ ds = None
+
++ bootstrap_logging()
++
+ safe_options, options = parse_options()
+
+ if os.getegid() != 0:
+diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
+index 0a36c354e1d2f901bfdef51c151d035ba8ee64ca..d0f611c611847d02f3d264d669a2e90689f5a87b 100644
+--- a/ipaserver/install/installutils.py
++++ b/ipaserver/install/installutils.py
+@@ -314,7 +314,47 @@ def port_available(port):
+
+ return rv
+
++class BufferingHandler(logging.Handler):
++ log_queue = []
++
++ def __init__(self):
++ logging.Handler.__init__(self)
++ self.level = logging.DEBUG
++
++ def emit(self, record):
++ self.log_queue.append(record)
++
++ def flush(self):
++ pass
++
++def bootstrap_logging():
++ """
++ Bootstrap logging and create special handler which will buffer any log
++ emitted before standard_logging_setup is called. These will be later
++ processed when the logging is set up.
++ """
++ root_logger = logging.getLogger()
++ root_logger.setLevel(logging.DEBUG)
++ root_logger.addHandler(BufferingHandler())
++
+ def standard_logging_setup(log_filename, debug=False, filemode='w'):
++ """
++ Set up logging. bootstrap_logging() should be called earlier if there
++ is a chance that a log is emitted before this setup.
++ """
++ root_logger = logging.getLogger()
++ log_queue = []
++
++ if root_logger.handlers:
++ # Remove any handlers that may have been set and which may cause
++ # problems with logging in install utils
++ handler_list = list(logging.getLogger().handlers)
++
++ for handler in handler_list:
++ if isinstance(handler, BufferingHandler):
++ log_queue.extend(handler.log_queue)
++ root_logger.removeHandler(handler)
++
+ old_umask = os.umask(077)
+ # Always log everything (i.e., DEBUG) to the log
+ # file.
+@@ -335,6 +375,9 @@ def standard_logging_setup(log_filename, debug=False, filemode='w'):
+ console.setFormatter(formatter)
+ logging.getLogger('').addHandler(console)
+
++ for log_record in log_queue:
++ root_logger.handle(log_record)
++
+ def get_password(prompt):
+ if os.isatty(sys.stdin.fileno()):
+ return getpass.getpass(prompt)
+--
+1.7.7.5
+
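Review bot: `log_queue = []` in `BufferingHandler` is a class attribute, so every instance appends to the same list, and nothing empties it after `standard_logging_setup()` has replayed it. If `bootstrap_logging()` is called more than once in a process, each early record is queued once per handler and collected again from each handler, and records from an earlier run are replayed into the next log file. Making the queue per instance, `self.log_queue = []` in `__init__`, ties its lifetime to the handler that setup removes. Separately, the root logger is at DEBUG and buffering starts before `parse_options()`, so it is worth confirming that nothing logged in that window carries unsanitised option values, because the buffered records end up in the install log; the tools themselves log only `safe_options` afterwards.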
diff --git a/freeipa-2.1.4-replica-install-services.patch b/freeipa-2.1.4-replica-install-services.patch
new file mode 100644
index 0000000..a00895a
--- /dev/null
+++ b/freeipa-2.1.4-replica-install-services.patch
@@ -0,0 +1,72 @@
+From a018ba4013ad18eb75bdfd50887ef12ad2d77972 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek at redhat.com>
+Date: Wed, 11 Jan 2012 10:07:03 +0100
+Subject: [PATCH 3/3] Prevent service restart failures in ipa-replica-install
+
+Call restart() methods of appropriate services instead of calling
+the system service restart command directly as service() method
+has a capability to wait until the service is fully up. Without
+this patch ipa-replica-install crashed on F-16 because krb5kdc
+service was started before dirsrv service was fully up.
+
+https://fedorahosted.org/freeipa/ticket/2139
+---
+ install/tools/ipa-replica-install | 21 ++++++++++++++++-----
+ 1 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
+index 7310d286292f571ef25b57b29d2a213f4bd855a1..9c637202917fc67da68cea61ebc1b41169bbf2db 100755
+--- a/install/tools/ipa-replica-install
++++ b/install/tools/ipa-replica-install
+@@ -155,6 +155,8 @@ def install_krb(config, setup_pkinit=False):
+ ldappwd_filename, kpasswd_filename,
+ setup_pkinit, pkcs12_info)
+
++ return krb
++
+ def install_ca_cert(config):
+ cafile = config.dir + "/ca.crt"
+ if not ipautil.file_exists(cafile):
+@@ -188,6 +190,8 @@ def install_http(config, auto_redirect):
+ print "error copying files: " + str(e)
+ sys.exit(1)
+
++ return http
++
+ def install_bind(config, options):
+ api.Backend.ldap2.connect(bind_dn="cn=Directory Manager",
+ bind_pw=config.dirman_password)
+@@ -442,8 +446,8 @@ def main():
+ cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
+ cs.add_cert_to_service()
+
+- install_krb(config, setup_pkinit=options.setup_pkinit)
+- install_http(config, auto_redirect=options.ui_redirect)
++ krb = install_krb(config, setup_pkinit=options.setup_pkinit)
++ http = install_http(config, auto_redirect=options.ui_redirect)
+ if CA:
+ CA.import_ra_cert(dir + "/ra.p12")
+ CA.fix_ra_perms()
+@@ -457,9 +461,16 @@ def main():
+ service.print_msg("Applying LDAP updates")
+ ds.apply_updates()
+
+- ipaservices.knownservices.dirsrv.restart()
+- ipaservices.knownservices.krb5kdc.restart()
+- ipaservices.knownservices.httpd.restart()
++ # Restart ds and krb after configurations have been changed
++ service.print_msg("Restarting the directory server")
++ ds.restart()
++
++ service.print_msg("Restarting the KDC")
++ krb.restart()
++
++ # Restart httpd to pick up the new IPA configuration
++ service.print_msg("Restarting the web server")
++ http.restart()
+
+ if options.setup_dns:
+ install_bind(config, options)
+--
+1.7.7.5
+
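Review bot: The restart order in the last hunk of `main()` depends on something only the commit message states: krb5kdc must not be started until dirsrv is fully up, which is why `ds.restart()` replaces the direct service call. The added comment `# Restart ds and krb after configurations have been changed` does not record that, so a later reorder or a return to `ipaservices.knownservices.*.restart()` could bring the crash back. I would extend it to `# Restart ds first and wait for it: krb5kdc fails to start if dirsrv is not fully up`. `install_krb()` and `install_http()` now return their service objects for this purpose; a one-line docstring on each saying so would help, and both bodies begin outside their hunks.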
diff --git a/freeipa-2.1.4-replication-addentry.patch b/freeipa-2.1.4-replication-addentry.patch
new file mode 100644
index 0000000..1b89234
--- /dev/null
+++ b/freeipa-2.1.4-replication-addentry.patch
@@ -0,0 +1,93 @@
+From e14b13000890ff13cb9c062e6a32e1e127587bc7 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek at redhat.com>
+Date: Wed, 11 Jan 2012 10:06:39 +0100
+Subject: [PATCH 2/3] Fix LDAP add calls in replication module
+
+Replace conn.add_s(entry) with conn.addEntry(entry) to avoid
+function calls with an invalid number of parameters.
+
+https://fedorahosted.org/freeipa/ticket/2139
+---
+ ipaserver/install/replication.py | 22 +++++++++++-----------
+ 1 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
+index a6bd7af37bb7c6761841d68ff733276045a7ddab..8f0f226dbacc0ee3b84357c059c91936af034fed 100644
+--- a/ipaserver/install/replication.py
++++ b/ipaserver/install/replication.py
+@@ -225,8 +225,8 @@ class ReplicationManager(object):
+ ent.setValues("sn", "replication manager pseudo user")
+
+ try:
+- conn.add_s(ent)
+- except ldap.ALREADY_EXISTS:
++ conn.addEntry(ent)
++ except errors.DuplicateEntry:
+ conn.modify_s(dn, [(ldap.MOD_REPLACE, "userpassword", pw)])
+ pass
+
+@@ -275,7 +275,7 @@ class ReplicationManager(object):
+ entry.setValues('nsds5replicabinddn', [replica_binddn])
+ entry.setValues('nsds5replicalegacyconsumer', "off")
+
+- conn.add_s(entry)
++ conn.addEntry(entry)
+
+ def setup_changelog(self, conn):
+ dn = "cn=changelog5, cn=config"
+@@ -285,8 +285,8 @@ class ReplicationManager(object):
+ entry.setValues('cn', "changelog5")
+ entry.setValues('nsslapd-changelogdir', dirpath)
+ try:
+- conn.add_s(entry)
+- except ldap.ALREADY_EXISTS:
++ conn.addEntry(entry)
++ except errors.DuplicateEntry:
+ return
+
+ def setup_chaining_backend(self, conn):
+@@ -308,11 +308,11 @@ class ReplicationManager(object):
+ entry.setValues('nsmultiplexorbinddn', self.repl_man_dn)
+ entry.setValues('nsmultiplexorcredentials', self.repl_man_passwd)
+
+- self.conn.add_s(entry)
++ self.conn.addEntry(entry)
+ done = True
+- except ldap.ALREADY_EXISTS:
++ except errors.DuplicateEntry:
+ benum += 1
+- except ldap.LDAPError, e:
++ except errors.ExecutionError, e:
+ print "Could not add backend entry " + dn, e
+ raise
+
+@@ -376,7 +376,7 @@ class ReplicationManager(object):
+ entry.setValues("objectclass", ["account", "simplesecurityobject"])
+ entry.setValues("uid", "passsync")
+ entry.setValues("userPassword", password)
+- conn.add_s(entry)
++ conn.addEntry(entry)
+
+ # Add it to the list of users allowed to bypass password policy
+ extop_dn = "cn=ipa_pwd_extop,cn=plugins,cn=config"
+@@ -470,7 +470,7 @@ class ReplicationManager(object):
+ if iswinsync:
+ self.setup_winsync_agmt(entry, win_subtree)
+
+- a_conn.add_s(entry)
++ a_conn.addEntry(entry)
+
+ entry = a_conn.waitForEntry(entry)
+
+@@ -746,7 +746,7 @@ class ReplicationManager(object):
+ entry.setValues("ipaConfigString", "winsync:%s" % self.hostname)
+
+ try:
+- self.conn.add_s(entry)
++ self.conn.addEntry(entry)
+ except Exception, e:
+ logging.info("Failed to create public entry for winsync replica")
+
+--
+1.7.7.5
+
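Review bot: The new `except errors.DuplicateEntry` and `except errors.ExecutionError` clauses need `errors` in scope in replication.py, and this patch adds no import (11 insertions against 11 deletions, all call-site swaps). If the module does not already import it, nothing fails until an add actually raises, and then the handler lookup itself raises NameError on the duplicate-entry path. In the hunk at -746 the surrounding `except Exception, e` still discards `e`, so a failure from `addEntry()` is indistinguishable in the log from any other; `logging.info("Failed to create public entry for winsync replica: %s", e)` would keep the cause. In the hunk at -308 the diagnostic `print` now runs only for `errors.ExecutionError`, so it is worth checking that `addEntry()` cannot let a raw `ldap.LDAPError` through.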
diff --git a/freeipa.spec b/freeipa.spec
index 5f287b3..f91f4ca 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: freeipa
Version: 2.1.4
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -22,6 +22,9 @@ License: GPLv3+
URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{version}.tar.gz
Patch0: freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
+Patch1: freeipa-2.1.4-logging.patch
+Patch2: freeipa-2.1.4-replication-addentry.patch
+Patch3: freeipa-2.1.4-replica-install-services.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -73,7 +76,7 @@ Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
Requires: %{name}-server-selinux = %{version}-%{release}
-Requires(pre): 389-ds-base >= 1.2.10-0.4.a4
+Requires(pre): 389-ds-base >= 1.2.10-0.6.a6
Requires: openldap-clients
Requires: nss
Requires: nss-tools
@@ -93,9 +96,9 @@ Requires: python-pyasn1 >= 0.0.9a
Requires: selinux-policy >= 3.9.16-38
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.21
-Requires: pki-ca >= 9.0.15
-Requires: pki-silent >= 9.0.15
-Requires: pki-setup >= 9.0.15
+Requires: pki-ca >= 9.0.17
+Requires: pki-silent >= 9.0.17
+Requires: pki-setup >= 9.0.17
Requires: dogtag-pki-common-theme
Requires: dogtag-pki-ca-theme
Requires(preun): python initscripts chkconfig
@@ -211,6 +214,9 @@ package.
%prep
%setup -n freeipa-%{version} -q
%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
%build
export CFLAGS="$CFLAGS %{optflags}"
@@ -518,6 +524,12 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%changelog
+* Wed Jan 11 2012 Martin Kosek <mkosek at redhat.com> - 2.1.4-3
+- Fix ipa-replica-install crashes
+- Fix ipa-server-install and ipa-dns-install logging
+- Set minimum version of dogtag-pki to 9.0.0-9 to fix sslget problem
+ caused by FEDORA-2011-17400 update (#771357)
+
* Wed Dec 21 2011 Alexander Bokovoy <abokovoy at redhat.com> - 2.1.4-2
- Rebuild slapi plugins against re-enterant version of libldap