replica install: improvements in the handling of CA-related IPA config entries

When a CA-less replica is installed, its IPA config file should be updated so
that ca_host points to the nearest CA master and all certificate requests are
forwarded to it. A subsequent installation of the CA subsystem on the replica
should clear this entry from the config so that all certificate requests are
handled by the freshly installed local CA.

https://fedorahosted.org/freeipa/ticket/5506

Reviewed-By: Martin Basti <mbasti@redhat.com>
Martin Babinsky 2015-12-02 12:22:45 +01:00 committed by Martin Basti
parent 95d659b634
commit a497288b3e
3 changed files with 25 additions and 17 deletions


@ -7,8 +7,6 @@ from __future__ import print_function
import sys
import os.path
from six.moves.configparser import RawConfigParser
from ipaserver.install import cainstance, dsinstance, bindinstance
from ipapython import ipautil, certdb
from ipaplatform import services
@ -236,20 +234,6 @@ def install_step_1(standalone, replica_config, options):
if standalone:
ca.start('pki-tomcat')
# Update config file
try:
parser = RawConfigParser()
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_ra', 'True')
parser.set('global', 'ra_plugin', 'dogtag')
parser.set('global', 'dogtag_version', '10')
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
except IOError as e:
print("Failed to update /etc/ipa/default.conf")
root_logger.error(str(e))
sys.exit(1)
# We need to restart apache as we drop a new config file in there
services.knownservices.httpd.restart(capture_output=True)
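Review bot: The removed block caught IOError around the write of paths.IPA_DEFAULT_CONF, logged it and exited with a clear "Failed to update /etc/ipa/default.conf" message; its replacement, update_ipa_conf in cainstance.py (later on this page), opens the file for writing with no error handling, so a failed write now surfaces as an uncaught exception raised from inside a CA installation step. Whether start_creation turns a step exception into an equally readable failure I cannot tell from this hunk, so it is worth confirming before the operator-facing message is dropped. If sys.exit was the only use of sys in this file, the `import sys` kept at the top is now unused and could go with the same change. install_step_1 starts outside the hunk.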


@ -41,7 +41,7 @@ import shlex
import pipes
from six.moves import urllib
from six.moves.configparser import ConfigParser
from six.moves.configparser import ConfigParser, RawConfigParser
from ipalib import api
from ipalib import pkcs10, x509
@ -429,6 +429,7 @@ class CAInstance(DogtagInstance):
self.step("importing IPA certificate profiles",
import_included_profiles)
self.step("adding default CA ACL", ensure_default_caacl)
self.step("updating IPA configuration", update_ipa_conf)
self.start_creation(runtime=210)
@ -1343,6 +1344,7 @@ class CAInstance(DogtagInstance):
self.track_servercert)
self.step("Configure HTTP to proxy connections",
self.http_proxy)
self.step("updating IPA configuration", update_ipa_conf)
self.step("Restart HTTP server to pick up changes",
self.__restart_http_instance)
@ -1768,6 +1770,21 @@ def ensure_default_caacl():
api.Backend.ldap2.disconnect()
def update_ipa_conf():
"""
Update IPA configuration file to ensure that RA plugins are enabled and
that CA host points to localhost
"""
parser = RawConfigParser()
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_ra', 'True')
parser.set('global', 'ra_plugin', 'dogtag')
parser.set('global', 'dogtag_version', '10')
parser.remove_option('global', 'ca_host')
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
if __name__ == "__main__":
standard_logging_setup("install.log")
ds = dsinstance.DsInstance()
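Review bot: The docstring of update_ipa_conf says the CA host is made to point to localhost, but the code does not set ca_host at all — it calls remove_option('global', 'ca_host') so that whatever default the RA falls back to applies; the comment should describe that, e.g. `Update IPA configuration file to ensure that RA plugins are enabled and that any ca_host override left by a CA-less install is removed, so certificate requests are served by the local CA`. The write of paths.IPA_DEFAULT_CONF has no error handling, unlike the code it replaces in the previous file, so an I/O failure propagates out of the step; and because RawConfigParser.read silently skips an unreadable file, such a failure would show up as a NoSectionError for 'global' on the first parser.set rather than as a file error, which is worth a short comment or a check of read()'s return value. The two `self.step("updating IPA configuration", update_ipa_conf)` additions earlier in this file sit in methods whose bodies extend outside their hunks.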


@ -483,6 +483,9 @@ def install_check(installer):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=10\n")
if not config.setup_ca:
fd.write("ca_host={0}\n".format(config.master_host_name))
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
@ -1174,6 +1177,10 @@ def promote(installer):
ipaconf.setOption('enable_ra', 'True'),
ipaconf.setOption('ra_plugin', 'dogtag'),
ipaconf.setOption('dogtag_version', '10')]
if not options.setup_ca:
gopts.append(ipaconf.setOption('ca_host', config.ca_host_name))
opts = [ipaconf.setSection('global', gopts)]
ipaconf.changeConf(target_fname, opts)
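Review bot: The two new ca_host assignments draw from different sources — install_check writes `config.master_host_name` while promote writes `config.ca_host_name` — although the commit description says the entry should point to the nearest CA master. If master_host_name can name a master that does not itself run a CA (a CA-less master in the replica-file path), the new replica would forward every certificate request to a host with no CA; whether that attribute is guaranteed to be a CA host on this path is not visible here. If it is not, install_check should use the CA-specific name as promote does, or the assumption deserves a comment such as `# master_host_name must be a CA master: cert requests are forwarded there` above the write. Both install_check and promote start outside their hunks.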