Improve PKI subsystem detection

The dogtaginstance.is_installed() method currently relies on the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra}, even if it is empty. An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA is installed and crashing when trying to upgrade a not-installed component. The fix relies on the command "pki-server subsystem-show {ca|kra}" to detect if a subsystem is installed. The command does not require PKI to be running (hence can be called anytime) and is delivered by the pki-server package which is already required by ipa server pkg. Fixes: https://pagure.io/freeipa/issue/8596 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-01-26 16:16:31 -06:00 · 2020-11-25 09:53:54 +01:00 · 2020-11-25 09:53:54 +01:00 · 930453b65e
commit 930453b65e
parent cfa1d69bdb
1 changed files with 8 additions and 2 deletions
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@ -177,8 +177,14 @@ class DogtagInstance(service.Service):

        Returns True/False
        """
-        return os.path.exists(os.path.join(
-            paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))
+        try:
+            result = ipautil.run(
+                ['pki-server', 'subsystem-show', self.subsystem.lower()],
+                capture_output=True)
+            # parse the command output
+            return 'Enabled: True' in result.output
+        except ipautil.CalledProcessError:
+            return False

    def spawn_instance(self, cfg_file, nolog_list=()):
        """