Not yet ready for prime time.
I've tested the changes to updateinstance by hand, so I know they work.
I'm having problems with the python import setup.
RPM build fails with:
install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 'installutils'
And, if I uncomment the import for http utils, I get an error at run
time as well. That confuses me, as I am able to import installutils at
runtime.
From 84c7617d408ff55e409ed93c88c59ec073959f54 Mon Sep 17 00:00:00 2001
From: Adam Young <ayo...@redhat.com>
Date: Thu, 6 Oct 2011 20:37:57 -0400
Subject: [PATCH 287/288] Make nss_mod config options change a public function
---
ipapython/services.py | 48 +++++++++++++++++++++++++++++++++++++
ipaserver/install/httpinstance.py | 4 +-
2 files changed, 50 insertions(+), 2 deletions(-)
create mode 100644 ipapython/services.py
diff --git a/ipapython/services.py b/ipapython/services.py
new file mode 100644
index 0000000000000000000000000000000000000000..c27c4865f1f86100ae4924239b9212e305384223
--- /dev/null
+++ b/ipapython/services.py
@@ -0,0 +1,48 @@
+# Authors: Alexander Bokovoy <aboko...@redhat.com>
+#
+# Copyright (C) 2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# authconfig is an entry point to platform-provided AuthConfig implementation
+# (instance of ipapython.platform.base.AuthConfig)
+authconfig = None
+
+# knownservices is an entry point to known platform services
+# (instance of ipapython.platform.base.KnownServices)
+knownservices = None
+
+# service is a class to instantiate ipapython.platform.base.PlatformService
+service = None
+
+# restore context default implementation that does nothing
+def restore_context_default(filepath):
+ return
+
+# Restore security context for a path
+# If the platform has security features where context is important, implement your own
+# version in platform services
+restore_context = restore_context_default
+
+# Default implementation of backup and replace hostname that does nothing
+def backup_and_replace_hostname_default(fstore, statestore, hostname):
+ return
+
+# Backup and replace system's hostname
+# Since many platforms have their own way how to store system's hostname, this method must be
+# implemented in platform services
+backup_and_replace_hostname = backup_and_replace_hostname_default
+
+from ipapython.platform.redhat import *
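Review bot: The wildcard `from ipapython.platform.redhat import *` on the last line is presumably what rebinds the module-level defaults defined above it, but nothing in the file says that the statement order matters or which names a platform module is expected to provide. Because `restore_context_default` is a silent no-op, a platform module that does not rebind `restore_context` would leave installer-written files without their security context (for example SELinux labels) restored, and nothing would report it. A comment on the default such as `# no-op: platforms that enforce file security contexts must override restore_context`, and a comment above the final import naming the overridden symbols, would make this contract explicit. The file also looks unrelated to the commit subject (making the mod_nss renegotiate step public), so it may have been included in this patch by accident.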
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index dbb0dd500891441e06087b3ddeeb91429e358f84..a485991c95d5c800b212ddcf99eeee3ba5e48f8a 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -76,7 +76,7 @@ class HTTPInstance(service.Service):
self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
- self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate)
+ self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
self.step("adding URL rewriting rules", self.__add_include)
self.step("configuring httpd", self.__configure_http)
self.step("setting up ssl", self.__setup_ssl)
@@ -166,7 +166,7 @@ class HTTPInstance(service.Service):
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
- def __enable_mod_nss_renegotiate(self):
+ def enable_mod_nss_renegotiate(self):
installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
--
1.7.6
From fe28296030abe227e7d3787d7a151ec88619779d Mon Sep 17 00:00:00 2001
From: Adam Young <ayo...@redhat.com>
Date: Thu, 6 Oct 2011 20:37:18 -0400
Subject: [PATCH 288/288] upgrade pki proxy setup Does not yet use
httpinstance
---
install/tools/ipa-upgradeconfig | 19 +++++++++++++++++--
1 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 1b08382e40788b9be80d538607bd605320279d8e..91534c2feb71959be2874b156f92ca15e1b4d822 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -25,12 +25,15 @@ Upgrade configuration files to a newer template.
import sys
try:
- from ipapython import ipautil
+ from ipapython import ipautil,sysrestore
+ from ipaserver.install import installutils
+# from ipaserver.install import httpinstance
import krbV
import re
import os
import shutil
import fileinput
+ import installutils
except ImportError:
print >> sys.stderr, """\
There was a problem importing one of the required Python modules. The
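Review bot: The bare `import installutils` added at the end of the import list is most likely the line pylint reports as F0401, and it duplicates `from ipaserver.install import installutils` added a few lines above it. Dropping the bare import should clear the RPM build failure without changing what the script binds. The commented-out `# from ipaserver.install import httpinstance` should be removed, or replaced by a comment saying why it cannot be imported yet. As far as the visible lines show, all imports share one `try` whose `except ImportError` prints a generic message, so a failure raised inside `httpinstance` would be reported without the module name; the block continues outside this hunk.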
@@ -135,6 +138,18 @@ def check_certs():
print "Missing Certification Authority file."
print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt"
+def upgrade_pki():
+ NSS_CONF = "/etc/httpd/conf.d/nss.conf"
+ installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
+ installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
+# fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+# http = httpinstance.HTTPInstance(fstore)
+# http.enable_mod_nss_renegotiate()
+ if not installutils.get_directive('/etc/pki-ca/CS.cfg',
+ 'proxy.securePort', '='):
+ ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
+ ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+
def main():
"""
Get some basics about the system. If getting those basics fail then
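Review bot: `upgrade_pki()` rewrites `/etc/httpd/conf.d/nss.conf` and reads `/etc/pki-ca/CS.cfg` without checking that either file exists, so on a host without them the upgrade will probably stop with an unhandled I/O error, assuming `set_directive` and `get_directive` open the path directly. Guarding the proxy check, for example `if os.path.exists('/etc/pki-ca/CS.cfg') and not installutils.get_directive(...)`, and doing the same for `NSS_CONF`, would avoid that. The two `set_directive` calls copy the body of `HTTPInstance.enable_mod_nss_renegotiate` along with a second hard-coded `NSS_CONF`, so the TLS renegotiation settings now live in two places that can drift; the commented-out `httpinstance` lines should be resolved one way or the other before merge. The function changes a TLS configuration file in place and, as far as the hunk shows, logs nothing, so a docstring stating which directives it sets and a log line per change would help an administrator audit the upgrade.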
@@ -162,7 +177,7 @@ def main():
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
-
+ upgrade_pki()
try:
if __name__ == "__main__":
sys.exit(main())
--
1.7.6