FIPS: Remove pkispawn cruft #484

Closed
wants to merge 2 commits into from


stlaz
Contributor

@stlaz stlaz commented Feb 20, 2017

pkispawn leaves some ugly files after its successful run. This patch:
a) makes sure the files are removed (say no to __del__ in DogtagInstance)
b) prevents special requirements for DM password in FIPS as this was for some reason used to create an NSS database for pkispawn

@MartinBasti
Contributor

************* Module ipaserver.install.cainstance
ipaserver/install/cainstance.py:685: [E1101(no-member), CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_db' member)
ipaserver/install/cainstance.py:685: [E1101(no-member), CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_pwd' member)
ipaserver/install/cainstance.py:831: [E1101(no-member), CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 'ra_agent_db' member)
ipaserver/install/cainstance.py:834: [E1101(no-member), CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 'ra_agent_pwd' member)
************* Module ipaserver.install.dogtaginstance
ipaserver/install/dogtaginstance.py:78: [E0602(undefined-variable), export_kra_agent_pem] Undefined variable 'tempfile')

@@ -171,6 +167,15 @@ def spawn_instance(self, cfg_file, nolog_list=()):
except ipautil.CalledProcessError as e:
self.handle_setup_error(e)

def _clean_pkispawn_files(self):
if self.tmp_agent_db is None:
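Review bot: the `if self.tmp_agent_db is None:` check at the top of `_clean_pkispawn_files` gates everything that follows it, so if it returns early, any cleanup that does not depend on the temporary agent database is skipped as well; restrict the check to the temp-database removal and run the rest unconditionally. The new method also has no docstring saying which paths it removes and when it is expected to be called, and from the visible context in `spawn_instance` it is not clear that cleanup also runs on the `except ipautil.CalledProcessError` path, so consider invoking it from a `finally`.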
Member

You are skipping the removal of /root/.dogtag/pki-tomcat/{subsystem}, too.

Contributor Author

Right, it was my impression that this one would not exist if pkispawn was not run, I can just remove this check and run removal of both trees.

Member

@tiran tiran left a comment

You are not cleaning up /root/.dogtag if tmp_agent_db is None.

@stlaz
Contributor Author

stlaz commented Feb 20, 2017

Hm, originally had this over the nsslib removal patchset but the rebase was not as successful as I thought, will fix the issues.

@tiran
Member

tiran commented Feb 20, 2017

Or you could always clean up /root/.dogtag and remove the tmp dir when the var is not None.

By the way do you clean up /root/.dogtag during update?
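
The cleanup shape suggested in the comment above (always remove the .dogtag tree, remove the temporary database only when one was created, and do it deterministically rather than in `__del__`), as an added example that is not FreeIPA's code. The function names, the `pwdfile.txt` file and the scratch directory layout are assumptions made for illustration.

```python
import os
import shutil
import tempfile
from contextlib import contextmanager


def clean_pkispawn_files(dogtag_dir, tmp_agent_db):
    """Remove pkispawn leftovers; safe to call repeatedly.

    dogtag_dir stands in for /root/.dogtag/pki-tomcat/{subsystem} and is
    always removed; tmp_agent_db is removed only when one was created.
    """
    shutil.rmtree(dogtag_dir, ignore_errors=True)
    if tmp_agent_db is not None:
        shutil.rmtree(tmp_agent_db, ignore_errors=True)


@contextmanager
def pkispawn_workspace(dogtag_dir, need_agent_db=True):
    """Yield a private temp NSS-db directory (or None) and always clean up."""
    tmp_agent_db = None
    try:
        if need_agent_db:
            # mkdtemp creates the directory with mode 0700
            tmp_agent_db = tempfile.mkdtemp(prefix="tmp-agent-db-")
        yield tmp_agent_db
    finally:
        # Runs on success and on failure, unlike __del__, which is not
        # guaranteed to run at a predictable time (or at all at exit).
        clean_pkispawn_files(dogtag_dir, tmp_agent_db)


def run_demo(base, need_agent_db, fail):
    """Constructed stand-in for a pkispawn run; returns leftover paths."""
    dogtag_dir = os.path.join(base, ".dogtag", "pki-tomcat", "ca")
    seen = []
    try:
        with pkispawn_workspace(dogtag_dir, need_agent_db) as agent_db:
            os.makedirs(dogtag_dir)  # what the spawn would leave behind
            if agent_db is not None:
                seen.append(agent_db)
                # hypothetical password file, constructed sample content
                with open(os.path.join(agent_db, "pwdfile.txt"), "w") as f:
                    f.write("constructed-password\n")
            if fail:
                raise RuntimeError("simulated pkispawn failure")
    except RuntimeError:
        pass
    return [p for p in seen + [dogtag_dir] if os.path.exists(p)]
```

`run_demo` returns the paths still present after the run, so an empty list means nothing holding the password or the client database survived, on the failure path as well.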

The ra_db argument to CAInstance init is a constant so it can
be removed. This constant corresponds to the default CertDB directory
and since CertDB now passes passwords to its inner NSSDatabase instance
we do need to care about having our own run_certutil() method.

https://fedorahosted.org/freeipa/ticket/5695
@stlaz
Contributor Author

stlaz commented Feb 20, 2017

Always tend to forget about the upgrade part, will do, thanks 👍

@tiran
Member

tiran commented Feb 20, 2017

pylint needs some attention, too.

************* Module ipaserver.install.cainstance
ipaserver/install/cainstance.py:685: [E1101(no-member), CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_db' member)
ipaserver/install/cainstance.py:685: [E1101(no-member), CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_pwd' member)
ipaserver/install/cainstance.py:831: [E1101(no-member), CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 'ra_agent_db' member)
ipaserver/install/cainstance.py:834: [E1101(no-member), CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 'ra_agent_pwd' member)
************* Module ipaserver.install.dogtaginstance
ipaserver/install/dogtaginstance.py:78: [E0602(undefined-variable), export_kra_agent_pem] Undefined variable 'tempfile')

@stlaz
Contributor Author

stlaz commented Feb 20, 2017

All should be fixed now.

@tkrizek
Contributor

tkrizek commented Feb 23, 2017

Works as expected.

@tkrizek tkrizek added the ack Pull Request approved, can be merged label Feb 23, 2017
@pvoborni pvoborni added the pushed Pull Request has already been pushed label Feb 23, 2017
@pvoborni pvoborni closed this Feb 23, 2017
@stlaz stlaz deleted the remove_pkispawn_cruft branch September 11, 2017 10:48