Improve PKI subsystem detection

The dogtaginstance.is_installed() method currently relies on the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra}, even if it is empty. An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA is installed and crashing when trying to upgrade a not-installed component. The fix relies on the command "pki-server subsystem-show {ca|kra}" to detect if a subsystem is installed. The command does not require PKI to be running (hence can be called anytime) and is delivered by the pki-server package which is already required by ipa server pkg. Fixes: https://pagure.io/freeipa/issue/8596
freeipa · Nov 26, 2020 · 968a7f5 · 968a7f5
1 parent 0da6a57
commit 968a7f5
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
@@ -177,8 +177,13 @@ def is_installed(self):
 
         Returns True/False
         """
-        return os.path.exists(os.path.join(
-            paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))
+        try:
+            ipautil.run(
+                ['pki-server', 'subsystem-show', self.subsystem.lower()])
+            # if the command is successful, the subsystem is installed
+            return True
+        except ipautil.CalledProcessError:
+            return False
 
     def spawn_instance(self, cfg_file, nolog_list=()):
         """