Add logging to ipa-upgradeconfig

Log to the same file as ipa-ldap-updater --upgrade, /var/log/ipaupgrade.log Will output basic stauts information if executed from the command-line. https://fedorahosted.org/freeipa/ticket/2696
2025-01-28 09:06:44 -06:00 · 2012-06-18 16:41:06 -04:00 · 2012-06-18 16:41:06 -04:00 · c9954878b8
commit c9954878b8
parent 6f4121ccbb
3 changed files with 40 additions and 9 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@ -440,7 +440,7 @@ if [ $1 = 1 ]; then
 fi
 %endif
 if [ $1 -gt 1 ] ; then
-    /usr/sbin/ipa-upgradeconfig || :
+    /usr/sbin/ipa-upgradeconfig >/dev/null 2>&1 || :
 fi

 %posttrans server
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@ -152,19 +152,20 @@ def upgrade(sub_dict, filename, template, add=False):
    new = int(find_version(template))

    if old < 0 and not add:
-        print "%s not found." % filename
+        root_logger.error("%s not found." % filename)
        sys.exit(1)

    if new < 0:
-        print "%s not found." % template
+        root_logger.error("%s not found." % template)

    if old < new or (add and old == 0):
        backup_file(filename, new)
        update_conf(sub_dict, filename, template)
-        print "Upgraded %s to version %d" % (filename, new)
+        root_logger.info("Upgraded %s to version %d", filename, new)

 def check_certs():
    """Check ca.crt is in the right place, and try to fix if not"""
+    root_logger.info('[Verifying that root certificate is published]')
    if not os.path.exists("/usr/share/ipa/html/ca.crt"):
        ca_file = "/etc/httpd/alias/cacert.asc"
        if os.path.exists(ca_file):
@ -174,8 +175,10 @@ def check_certs():
            finally:
                os.umask(old_umask)
        else:
-            print "Missing Certification Authority file."
-            print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt"
+            root_logger.error("Missing Certification Authority file.")
+            root_logger.error("You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt")
+    else:
+        root_logger.debug('Certificate file exists')

 def upgrade_pki(fstore):
    """
@ -184,7 +187,9 @@ def upgrade_pki(fstore):

    This requires enabling SSL renegotiation.
    """
+    root_logger.info('[Verifying that CA proxy configuration is correct]')
    if not os.path.exists('/etc/pki-ca/CS.cfg'):
+        root_logger.debug('No CA detected in /etc/pki-ca')
        return

    http = httpinstance.HTTPInstance(fstore)
@ -194,6 +199,9 @@ def upgrade_pki(fstore):
            os.path.exists('/usr/bin/pki-setup-proxy'):
        ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
                     ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
+        root_logger.debug('Proxy configuration updated')
+    else:
+        root_logger.debug('Proxy configuration up-to-date')

 def update_dbmodules(realm, filename="/etc/krb5.conf"):
    newfile = []
@ -201,6 +209,7 @@ def update_dbmodules(realm, filename="/etc/krb5.conf"):
    found_realm = False
    prefix = ''

+    root_logger.info('[Verifying that KDC configuration is using ipa-kdb backend]')
    st = os.stat(filename)
    fd = open(filename)

@ -208,7 +217,7 @@ def update_dbmodules(realm, filename="/etc/krb5.conf"):
    fd.close()

    if '    db_library = ipadb.so\n' in lines:
-        # Already updated
+        root_logger.debug('dbmodules already updated in %s', filename)
        return

    for line in lines:
@ -234,32 +243,42 @@ def update_dbmodules(realm, filename="/etc/krb5.conf"):
    fd = open(filename, 'w')
    fd.write("".join(newfile))
    fd.close()
+    root_logger.debug('%s updated', filename)

 def cleanup_kdc(fstore):
    """
    Clean up old KDC files if they exist. We need to remove the actual
    file and any references in the uninstall configuration.
    """
+    root_logger.info('[Checking for deprecated KDC configuration files]')
    for file in ['kpasswd.keytab', 'ldappwd']:
        filename = '/var/kerberos/krb5kdc/%s' % file
        installutils.remove_file(filename)
        if fstore.has_file(filename):
            fstore.untrack_file(filename)
+            root_logger.debug('Uninstalling %s', filename)

 def upgrade_ipa_profile(realm):
    """
    Update the IPA Profile provided by dogtag
    """
+    root_logger.info('[Verifying that CA service certificate profile is updated]')
    ca = cainstance.CAInstance(realm, certs.NSS_DIR)
    if ca.is_configured():
        if ca.enable_subject_key_identifier():
+            root_logger.debug('Subject Key Identifier updated, restarting CA')
            ca.restart()
+        else:
+            root_logger.debug('Subject Key Identifier already set.')
+    else:
+        root_logger.debug('CA is not configured')

 def upgrade_httpd_selinux(fstore):
    """
    Update SElinux configuration for httpd instance in the same way as the
    new server installation does.
    """
+    root_logger.info('[Verifying the Apache SELinux configuration]')
    http = httpinstance.HTTPInstance(fstore)
    http.configure_selinux_for_httpd()

@ -275,8 +294,11 @@ def enable_psearch_for_named():
    """
    changed = False

+    root_logger.info('[Enabling persistent search in DNS]')
+
    if not bindinstance.named_conf_exists():
        # DNS service may not be configured
+        root_logger.debug('DNS not configured')
        return

    try:
@ -296,6 +318,7 @@ def enable_psearch_for_named():
            else:
                changed = True
        sysupgrade.set_upgrade_state('named.conf', 'psearch_enabled', True)
+        root_logger.debug('Persistent search enabled')

    # make sure number of connections is right
    minimum_connections = 2
@ -319,12 +342,15 @@ def enable_psearch_for_named():
                try:
                    bindinstance.named_conf_set_directive('connections',
                                                          minimum_connections)
+                    root_logger.debug('Connections set to %d', minimum_connections)
                except IOError, e:
                    root_logger.error('Cannot update connections in %s: %s',
                            bindinstance.NAMED_CONF, e)
                else:
                    changed = True

+    if not changed:
+        root_logger.debug('No changes made')
    return changed

 def main():
@ -339,7 +365,9 @@ def main():

    safe_options, options = parse_options()

-    standard_logging_setup(None, debug=options.debug)
+    standard_logging_setup('/var/log/ipaupgrade.log', verbose=True,
+        debug=options.debug, console_format='%(message)s',
+        filemode='a')

    fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')

--- a/install/tools/man/ipa-upgradeconfig.8
+++ b/install/tools/man/ipa-upgradeconfig.8
@ -16,7 +16,7 @@
 .\" 
 .\" Author: Rob Crittenden <rcritten@redhat.com>
 .\" 
-.TH "ipa-upgradeconfig" "8" "Sep 9 2010" "freeipa" ""
+.TH "ipa-upgradeconfig" "8" "Jun 18 2012" "freeipa" ""
 .SH "NAME"
 ipa\-upgradeconfig \- Upgrade the IPA Apache configuration
 .SH "SYNOPSIS"
@ -29,6 +29,9 @@ It examines the VERSION value in the head of \fI/etc/httpd/conf.d/ipa.conf\fR an
 It also will convert a CA configured to be accessible via ports 9443, 9444, 9445 and 9446 to be proxied by the IPA web server on ports 80 and 443.

 This is not intended to be run by an end\-user. It is executed when the IPA rpms are upgraded. This must be run as the root user.
+.SH "OPTIONS"
+\fB\-d\fR, \fB\-\-debug\fR
+Enable debug logging when more verbose output is needed
 .SH "EXIT STATUS"
 0 if the update was successful or there was nothing to do