From c44f4dcbea210e7802deda1909a3ec70aa6b6460 Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Oct 15 2014 07:12:11 +0000
Subject: Stop dogtag when updating its configuration in ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file.

https://fedorahosted.org/freeipa/ticket/4569

Reviewed-By: Jan Cholasta
---

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 7f785e6..a1f085b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,8 +233,10 @@ def upgrade_pki(ca, fstore):
 if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \
 os.path.exists(paths.PKI_SETUP_PROXY):
- ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+ # update proxy configuration with stopped dogtag to prevent corruption
+ # of CS.cfg
+ ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib',
+ '-pki_instance_name=pki-ca','-subsystem_type=ca'])
 root_logger.debug('Proxy configuration updated')
 else:
 root_logger.debug('Proxy configuration up-to-date')
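Review bot: The new comment above the `ipautil.run` call in `upgrade_pki` reads as if this function stops dogtag itself, but nothing in the hunk does so; the call is only safe because the caller in `main()` wraps `upgrade_pki` in `installutils.stopped_service`. A future call site that omits that wrapper would reintroduce the CS.cfg corruption this commit fixes, and the comment would not warn it. Suggest stating the precondition instead, e.g. `# pki-setup-proxy rewrites CS.cfg: the caller must have stopped dogtag first`, and repeating it in the docstring of `upgrade_pki` (the function's header and the rest of its body are outside the hunk).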
@@ -1204,28 +1206,30 @@ def main():
 ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
 ca.backup_config()
- # migrate CRL publish dir before the location in ipa.conf is updated
- ca_restart = migrate_crl_publish_dir(ca)
+ with installutils.stopped_service(configured_constants.SERVICE_NAME,
+ configured_constants.PKI_INSTANCE_NAME):
+ # migrate CRL publish dir before the location in ipa.conf is updated
+ ca_restart = migrate_crl_publish_dir(ca)
+
+ if ca.is_configured():
+ crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
+ 'ca.crl.MasterCRL.enableCRLUpdates', '=')
+ sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
+
+ ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
+ ds_dirname = dsinstance.config_dirname(ds_serverid)
+
+ upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
+ upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
+ if subject_base:
+ upgrade(
+ sub_dict,
+ os.path.join(ds_dirname, "certmap.conf"),
+ os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
+ )
+ upgrade_pki(ca, fstore)
- if ca.is_configured():
- crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
- 'ca.crl.MasterCRL.enableCRLUpdates',
- '=')
- sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
-
- ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
- ds_dirname = dsinstance.config_dirname(ds_serverid)
-
- upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
- upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
- if subject_base:
- upgrade(
- sub_dict,
- os.path.join(ds_dirname, "certmap.conf"),
- os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
- )
- upgrade_pki(ca, fstore)
 update_dbmodules(api.env.realm)
 uninstall_ipa_kpasswd()
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2c91220..1ae3963 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1699,6 +1699,9 @@ def backup_config(dogtag_constants=None):
 if dogtag_constants is None:
 dogtag_constants = dogtag.configured_constants()
+ if services.knownservices.dogtag.is_running():
+ raise RuntimeError("Dogtag must be stopped when creating backup of %s"
+ % dogtag_constants.CS_CFG_PATH)
 shutil.copy(dogtag_constants.CS_CFG_PATH, dogtag_constants.CS_CFG_PATH + '.ipabkp')
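Review bot: `ca.backup_config()` is left as an unchanged context line just before the new `with installutils.stopped_service(...)` block, so it still runs while dogtag is up, yet the `cainstance.backup_config` hunk in this same commit now raises `RuntimeError` when dogtag is running. On a normal upgrade of a live server that means the CS.cfg backup is either never written or the upgrade aborts before the stopped block is reached, depending on whether `CAInstance.backup_config` catches that exception (its body is not visible here). Suggest taking the backup inside the block, as its first statement: `with installutils.stopped_service(configured_constants.SERVICE_NAME, configured_constants.PKI_INSTANCE_NAME):` / `    ca.backup_config()`. `main()` continues outside both ends of this hunk.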
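Review bot: The new guard consults `services.knownservices.dogtag.is_running()`, whereas the caller in `ipa-upgradeconfig` stops the unit named by `configured_constants.SERVICE_NAME` and `PKI_INSTANCE_NAME`; if those do not resolve to the same unit the check can pass or fail independently of the service that was actually stopped, so it is worth confirming they agree for every supported instance name. The check is also a one-shot test before `shutil.copy`, so it documents a precondition rather than enforcing one against a service that starts in between. The docstring of `backup_config` sits above the hunk (the function starts outside it) and should state the new contract, e.g. `Raises RuntimeError if dogtag is running: CS.cfg must be backed up with the instance stopped.`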