IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Spawn PKI: Execute more steps early

Browse Source 
Move several steps to an earlier phase of CA spawn. RA and ACME agent
ACLs are now configured while the server is down. This avoids yet
another restart and saves between 11 and 50 seconds per installation.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Christian Heimes 2020-09-28 07:30:30 +02:00
parent 8882680ee1
commit 942fe07eb5
1 changed files with 16 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
ipaserver/install/cainstance.py
View File

@ -399,22 +399,35 @@ class CAInstance(DogtagInstance):
self.step("creating installation admin user", self.setup_admin)
self.step("configuring certificate server instance",
self.__spawn_instance)
# Config file and ACL modifications require either restart or
# offline update of Dogtag.
self.step("stopping certificate server instance to update CS.cfg",
self.stop_instance)
self.step("backing up CS.cfg", self.safe_backup_config)
self.step("Add ipa-pki-wait-running", self.add_ipa_wait)
self.step("secure AJP connector", self.secure_ajp_connector)
self.step("reindex attributes", self.reindex_task)
self.step("exporting Dogtag certificate store pin",
self.create_certstore_passwdfile)
self.step("stopping certificate server instance to update CS.cfg",
self.stop_instance)
self.step("backing up CS.cfg", self.safe_backup_config)
self.step("disabling nonces", self.__disable_nonce)
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("enable PKIX certificate path discovery and validation",
self.enable_pkix)
self.step("authorizing RA to modify profiles",
configure_profiles_acl)
self.step("authorizing RA to manage lightweight CAs",
configure_lightweight_ca_acls)
self.step("Ensure lightweight CAs container exists",
ensure_lightweight_cas_container)
if self.clone and not promote:
self.step(
"Ensuring backward compatibility",
self.__dogtag10_migration)
if promote:
self.step("destroying installation admin user",
self.teardown_admin)
self.step("deploying ACME service", self.setup_acme)
# Materialize config changes and new ACLs
self.step("starting certificate server instance",
self.start_instance)
if promote:
@ -433,26 +446,14 @@ class CAInstance(DogtagInstance):
else:
self.step("importing RA certificate from PKCS #12 file",
self.__import_ra_cert)
if not ra_only:
if not self.clone:
self.step("publishing the CA certificate",
self.__export_ca_chain)
self.step("adding RA agent as a trusted user", self.__create_ca_agent)
self.step("authorizing RA to modify profiles", configure_profiles_acl)
self.step("authorizing RA to manage lightweight CAs",
configure_lightweight_ca_acls)
self.step("Ensure lightweight CAs container exists",
ensure_lightweight_cas_container)
if self.clone and not promote:
self.step(
"Ensuring backward compatibility",
self.__dogtag10_migration)
self.step("configure certificate renewals", self.configure_renewal)
self.step("Configure HTTP to proxy connections",
self.http_proxy)
# This restart is needed for ACL reload in CA, do not remove it
self.step("restarting certificate server", self.restart_instance)
self.step("updating IPA configuration", update_ipa_conf)
self.step("enabling CA instance", self.__enable_instance)
if not promote: