certupdate: update config when deployment becomes CA-ful #4861
Conversation
frasertweedale
added
ipa-4-8
|
Don't merge this yet. I think the next problem is that IPA RA cert is not present on the CA-less replicas after promoting deployment from CA-less to CA-ful. Need to investigate further, but out of time today. |
frasertweedale
force-pushed
the
fix/7188-caless-to-caful-replica-config
branch
2 times, most recently
from
eee1f53
to
8138a86
Compare
frasertweedale
added
needs review
|
Ready for review now. Test steps in PR description. |
frasertweedale
added
ipa-next
|
I'm suggesting ipa-next to be conservative, because there is a substantial new behaviour in |
There was a problem hiding this comment.
Hi @frasertweedale
Thanks for the PR. I have a few comments:
- if the server where the CA is installed is in SElinux enforcing mode, ipa-certupdate fails on the replica in fetch_key. Probably an AVC on the CA server while getting the key with /ipa/keys/ra/ipaCert.
- after the /etc/ipa/default.conf file has been updated, a restart of httpd is required, otherwise ipa cert-show commands fail.
|
@flo-renaud thanks, I am developing on f31 and it worked. I'll investigate on f32 next week. Cheers! |
| role_servrole=u'CA server', | ||
| status='enabled', | ||
| ) | ||
| ca_servers = [server['server_server'] for server in resp['result']] |
There was a problem hiding this comment.
This is also going to require that the current principal has read access to roles. Today this works:
kinit someuser
ipa-certupdate
but ca_servers will be an empty list and I don't know what impact that will have.
There was a problem hiding this comment.
Oh, I see it will skip things. Still perhaps not expected but at least it won't break anything.
There was a problem hiding this comment.
@rcritten yes, empty result is handled. But also, unprivileged users can read serverrole objects with default ACLs.
There was a problem hiding this comment.
Yeah, I must have run ipa server-find instead or something to verify. So yeah, this is fine.
freeipa-pr-ci
added
the
needs rebase
frasertweedale
force-pushed
the
fix/7188-caless-to-caful-replica-config
branch
from
8138a86
to
0b80587
Compare
|
I still need to investigate the failures described by @flo-renaud. |
frasertweedale
force-pushed
the
fix/7188-caless-to-caful-replica-config
branch
from
0b80587
to
ebd0b57
Compare
@flo-renaud I was unable to reproduce this behaviour on f32. I encountered no issues with SELinux, and If you are still experiencing the issue could you please provide more details about your environment, transcript of steps, and any relevant logs. Thanks for reviewing and testing this change! |
frasertweedale
removed
the
needs rebase
|
Hi @frasertweedale
Logs for the cert-show issue: on (replica) |
|
@flo-renaud thank you, I have reproduced the issue. |
Enhance cainstance.update_ipa_conf() to allow specifying the ca_host. This will be used to update replica configurations when a CA-less deployment gets promoted to CA-ful. Part of: https://pagure.io/freeipa/issue/7188
After upgrading a deployment from CA-less to CA-ful it is necessary to install the RA Agent credential on non-CA servers. To facilitate this, extract this behaviour from CAInstance so that it is callable from other code. Several other methods became @staticmethod as a result of this change. This makes those methods callable without an instance of CAInstance and also documents that those methods do not use 'self'. Part of: https://pagure.io/freeipa/issue/7188
When a deployment gets promoted from CA-less to CA-ful other replicas still have enable_ra=False in default.conf, and do not have the ra-agent key and certificate. Enhance ipa-certupdate to detect when the deployment has become CA-ful; retrieve the ra-agent credential and update default.conf. The rationale for adding this behaviour to ipa-certupdate is that it is already necessary to use this command to update local trust stores with the new CA certificate(s). So by using ipa-certupdate we avoid introducing additional steps for administrators. It is necessary to choose a CA master to use as the ca_host. We use the first server returned by LDAP. A better heuristic might be to choose a master in the same location but this is just left as a comment unless or until the need is proven. Finally, defer the httpd service restart until after the possible update of default.conf so that the IPA API executes with the new configuration. This change also addresses the case of a CA server being removed from the topology, i.e. ipa-certupdate detects when non-CA replicas are pointing at the removed server, and chooses a new ca_host. HOW TO TEST: 1. Install a CA-less server (first server). 2. Install a CA-less replica. 3. Run 'ipa-ca-install' on first server, promoting deployment from CA-less to CA-ful. 4. Run 'ipa-certupdate' on second server. 5. Exceute 'ipa cert-show 5' on second server. Should succeed, because ra-agent credential was retrieved and default.conf updated at step freeipa#4. Fixes: https://pagure.io/freeipa/issue/7188
frasertweedale
force-pushed
the
fix/7188-caless-to-caful-replica-config
branch
from
ebd0b57
to
6688d2e
Compare
|
@flo-renaud I pushed an update that should avoid having to explicitly restart |
|
Hi @frasertweedale |
flo-renaud
added
ack
|
@flo-renaud thank you so much for your thorough testing. |
Another aged-in-oak branch I've had sitting around for years.
When a deployment gets promoted from CA-less to CA-ful other
replicas still have enable_ra=False in default.conf, and do not have
the ra-agent key and certificate. Enhance ipa-certupdate to detect
when the deployment has become CA-ful; retrieve the ra-agent
credential and update default.conf.
The rationale for adding this behaviour to ipa-certupdate is that it
is already necessary to use this command to update local trust
stores with the new CA certificate(s). So by using ipa-certupdate
we avoid introducing additional steps for administrators.
It is necessary to choose a CA master to use as the ca_host. We use
the first server returned by LDAP. A better heuristic might be to
choose a master in the same location but this is just left as a
comment unless or until the need is proven.
This change also addresses the case of a CA server being removed
from the topology, i.e. ipa-certupdate detects when non-CA replicas
are pointing at the removed server, and chooses a new ca_host.
HOW TO TEST:
Install a CA-less server (first server).
Install a CA-less replica.
Run 'ipa-ca-install' on first server, promoting deployment from
CA-less to CA-ful.
Run 'ipa-certupdate' on second server.
Exceute 'ipa cert-show 5' on second server. Should succeed,
because ra-agent credential was retrieve and default.conf
updated at step Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup #4.
Fixes: https://pagure.io/freeipa/issue/7188