Fix some privilege separation regressions #471
Conversation
| if sysupgrade.get_upgrade_state('http', 'export_kra_agent_pem'): | ||
| sysupgrade.remove_upgrade_state('http', 'export_kra_agent_pem') | ||
|
|
||
| if os.path.exists(paths.KRA_AGENT_PEM): |
There was a problem hiding this comment.
By the way who takes care of renewal of kra-agent.pem file? certmonger only tracks the cert in NSSDB.
Request ID '20170215101245':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/ipa/radb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/var/lib/ipa/radb/pwdfile.txt'
certificate: type=NSSDB,location='/var/lib/ipa/radb',nickname='ipaCert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.EXAMPLE
subject: CN=IPA RA,O=IPA.EXAMPLE
expires: 2019-02-03 15:26:21 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
There was a problem hiding this comment.
It's a separate issue. I created https://fedorahosted.org/freeipa/ticket/6680 to track it.
|
LGTM |
|
Upgrade still fails when run for the first time during edit: This is CA-full upgrade |
|
@HonzaCholasta, we got merge conflicts. |
The NSS database directory is created with mode 640, which causes the IPA client to fail to connect to any IPA server, because it is unable to read trusted CA certificates from the NSS database. Create the directory with mode 644 to fix the issue. https://fedorahosted.org/freeipa/ticket/5959
Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as /var/lib/ipa/radb is not populated in CA-less. Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in CA-less, as it might be an incorrect certificate from previous CA-ful install, and is not necessary anyway. https://fedorahosted.org/freeipa/ticket/5959
update_ca_renewal_master uses ipaCert certmonger tracking information to decide whether the local server is the CA renewal master or not. The information is lost when migrating from /etc/httpd/alias to /var/lib/ipa/radb in update_ra_cert_store. Make sure update_ra_cert_store is executed after update_ca_renewal_master so that correct information is used. https://fedorahosted.org/freeipa/ticket/5959
|
@stlaz, not sure what's going on there, but not my fault, these failures happen even without this PR. |
ipaserver/install/server/upgrade.py
Outdated
| """ | ||
| ipa_memcached = service.SimpleServiceInstance('ipa_memcached') | ||
|
|
||
| enabled = not ipa_memcached.restore_state("enabled") | ||
| ipa_memcached.restore_state("running") | ||
|
|
||
| if enabled is not None and not enabled: |
There was a problem hiding this comment.
Totally OT: enabled will never be None so the first part of the condition is redundant.
ipaserver/install/server/upgrade.py
Outdated
| """ | ||
| ipa_memcached = service.SimpleServiceInstance('ipa_memcached') | ||
|
|
||
| enabled = not ipa_memcached.restore_state("enabled") | ||
| ipa_memcached.restore_state("running") |
There was a problem hiding this comment.
Does the same problem exist with kpasswd which is where this copy-paste code has its origin?
There was a problem hiding this comment.
No one complained since the code was added in 2012, so I guess it doesn't.
|
Note that |
Before the KRA agent PEM file is exported in server upgrade, the sysupgrade state file is consulted. This causes the KRA agent PEM file not to be exported to the new location if the upgrade was executed in the past. Do not consult the sysupgrade state file to decide whether to upgrade the KRA agent PEM file or not, the existence of the file is enough to make this decision. https://fedorahosted.org/freeipa/ticket/6675
Make sure ipa_memcached is not running and no stale state is left in the sysupgrade state file on server upgrade. https://fedorahosted.org/freeipa/ticket/5959
|
The raised issues seem to have been fixed. ACK. |
client install: create /etc/ipa/nssdb with correct mode
The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.
Create the directory with mode 644 to fix the issue.
server upgrade: fix upgrade in CA-less
Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in CA-less.
Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in
CA-less, as it might be an incorrect certificate from previous CA-ful
install, and is not necessary anyway.
server upgrade: fix upgrade from pre-4.0
update_ca_renewal_master uses ipaCert certmonger tracking information to
decide whether the local server is the CA renewal master or not. The
information is lost when migrating from /etc/httpd/alias to
/var/lib/ipa/radb in update_ra_cert_store.
Make sure update_ra_cert_store is executed after update_ca_renewal_master
so that correct information is used.
server upgrade: always upgrade KRA agent PEM file
Before the KRA agent PEM file is exported in server upgrade, the sysupgrade
state file is consulted. This causes the KRA agent PEM file not to be
exported to the new location if the upgrade was executed in the past.
Do not consult the sysupgrade state file to decide whether to upgrade the
KRA agent PEM file or not, the existence of the file is enough to make this
decision.
https://fedorahosted.org/freeipa/ticket/5959
https://fedorahosted.org/freeipa/ticket/6675