Server Upgrade: enable DS global lock during upgrade

https://fedorahosted.org/freeipa/ticket/4925

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

freeipa.spec.in

@@ -33,7 +33,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.3.8
+BuildRequires:  389-ds-base-devel >= 1.3.3.9
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= 2.1.12-5
 BuildRequires:  systemd-units
@@ -108,7 +108,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.3.8
+Requires: 389-ds-base >= 1.3.3.9
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -143,7 +143,7 @@ Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.76.8
-Requires(pre): 389-ds-base >= 1.3.3.8
+Requires(pre): 389-ds-base >= 1.3.3.9
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl

ipaserver/install/dsinstance.py

@@ -36,6 +36,7 @@ import ldap
 from ipaserver.install import ldapupdate
 from ipaserver.install import replication
 from ipaserver.install import sysupgrade
+from ipaserver.install import upgradeinstance
 from ipalib import api
 from ipalib import certstore
 from ipalib import errors
@@ -504,10 +505,8 @@ class DsInstance(service.Service):
         conn.unbind()
 
     def apply_updates(self):
-        ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
-                                   sub_dict=self.sub_dict)
-        files = ld.get_all_files(ldapupdate.UPDATES_DIR)
-        ld.update(files)
+        data_upgrade = upgradeinstance.IPAUpgrade(self.realm)
+        data_upgrade.create_instance()
         installutils.store_version()
 
 

ipaserver/install/upgradeinstance.py

@@ -25,6 +25,7 @@ import random
 import traceback
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import *
+from ipapython import ipaldap
 
 from ipaserver.install import installutils
 from ipaserver.install import schemaupdate
@@ -170,6 +171,7 @@ class IPAUpgrade(service.Service):
         self.upgradefailed = False
         self.serverid = serverid
         self.schema_files = schema_files
+        self.realm = realm_name
 
     def __start_nowait(self):
         # Don't wait here because we've turned off port 389. The connection
@@ -184,6 +186,7 @@ class IPAUpgrade(service.Service):
         self.step("stopping directory server", self.__stop_instance)
         self.step("saving configuration", self.__save_config)
         self.step("disabling listeners", self.__disable_listeners)
+        self.step("enabling DS global lock", self.__enable_ds_global_write_lock)
         self.step("starting directory server", self.__start_nowait)
         if self.schema_files:
             self.step("updating schema", self.__update_schema)
@@ -223,9 +226,31 @@ class IPAUpgrade(service.Service):
             else:
                 self.backup_state('nsslapd-security', security)
 
+            try:
+                global_lock = config_entry['nsslapd-global-backend-lock'][0]
+            except KeyError:
+                pass
+            else:
+                self.backup_state('nsslapd-global-backend-lock', global_lock)
+
+    def __enable_ds_global_write_lock(self):
+        ldif_outfile = "%s.modified.out" % self.filename
+        with open(ldif_outfile, "wb") as out_file:
+            ldif_writer = ldif.LDIFWriter(out_file)
+            with open(self.filename, "rb") as in_file:
+                parser = ModifyLDIF(in_file, ldif_writer)
+
+                parser.remove_value("cn=config", "nsslapd-global-backend-lock")
+                parser.add_value("cn=config", "nsslapd-global-backend-lock",
+                                 "on")
+                parser.parse()
+
+        shutil.copy2(ldif_outfile, self.filename)
+
     def __restore_config(self):
         port = self.restore_state('nsslapd-port')
         security = self.restore_state('nsslapd-security')
+        global_lock = self.restore_state('nsslapd-global-backend-lock')
 
         ldif_outfile = "%s.modified.out" % self.filename
         with open(ldif_outfile, "wb") as out_file:
@@ -240,6 +265,12 @@ class IPAUpgrade(service.Service):
                     parser.remove_value("cn=config", "nsslapd-security")
                     parser.add_value("cn=config", "nsslapd-security", security)
 
+                # disable global lock by default
+                parser.remove_value("cn=config", "nsslapd-global-backend-lock")
+                if global_lock is not None:
+                    parser.add_value("cn=config", "nsslapd-global-backend-lock",
+                                     global_lock)
+
                 parser.parse()
 
         shutil.copy2(ldif_outfile, self.filename)