Commit Graph

222 Commits

Author SHA1 Message Date
Stanislav Laznicka
7cbd9bd429 Encrypt httpd key stored on disk
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decription will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-23 12:48:46 +01:00
Christian Heimes
66a32d8931 NSS: Force restore of SELinux context
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
492e3c9b1e NSSDB: Let certutil decide its default db type
CertDB no longer makes any assumptions about the default db type of a NSS
DB. Instead it let's certutil decide when dbtype is set to 'auto'. This
makes it much easier to support F27 and F28 from a single code base.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Stanislav Laznicka
b21941360c
Move HTTPD cert/key pair to /var/lib/ipa/certs
This moves the HTTPD certificates from their default location
to IPA-specific one. This should be especially helpful from
the container perspective.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
805aea2443
Use mod_ssl instead of mod_nss for Apache TLS for new installs
Change some built-in assumptions that Apache has an NSS certificate
database.

Configure mod_ssl instead of mod_nss. This is mostly just changing
the directives used with some slight syntactical differences.

Drop mod_nss-specific methods and functions.

There is some mention of upgrades here but this is mostly a
side-effect of removing things necessary for the initial install.

TODO:
 - backup and restore
 - use user-provided PKCS#12 file for the certificate and key

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Christian Heimes
90a75f0d43 Use system-wide crypto-policies on Fedora
HTTPS connections from IPA framework and bind named instance now use
system-wide crypto-policies on Fedora.

For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00
Stanislav Laznicka
f31797c70a Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-15 18:43:12 +01:00
Timo Aaltonen
e6c707b168 ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00
Christian Heimes
1785a3e17b Replace wsgi package conflict with config file
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.

See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-09 08:28:11 +01:00
Christian Heimes
2391c75e3d Replace hard-coded paths with path constants
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

The fix simplifies Darix's port of freeIPA on openSuSE.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-08 09:32:12 +01:00
Michal Reznik
0cef510763 paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
Add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants which will be
used in test_external_ca test suite.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Christian Heimes
929c77c784 Travis: Add workaround for missing IPv6 support
Latest Travis CI image lacks IPv6 address on localhost. Add some
diagnostics and skip IPv6 tests in ipa-server-install when TRAVIS is
detected.

The hack will be removed as soon as it is no longer required to pass
automated testing.

https://pagure.io/freeipa/issue/7323

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-12-14 14:04:19 +01:00
Rob Crittenden
d7aa7945e8 Run server upgrade in ipactl start/restart
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.

This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.

The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.

Fixes: https://pagure.io/freeipa/issue/6968

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-12 12:08:35 +01:00
Christian Heimes
0071744929 Support sqlite NSSDB
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.

https://pagure.io/freeipa/issue/7049

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 12:17:01 +01:00
Christian Heimes
6a09704088 ipa-custodia: use Dogtag's alias/pwdfile.txt
/etc/pki/pki-tomcat/password.conf contains additional passwords like
replicadb. ipa-custodia does not need these passwords.
/etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's
NSSDB. The file also simplifies implementation because it removes
another temporary file.

pwdfile.txt is created by CAInstance.create_certstore_passwdfile()

Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-11-16 08:48:15 +01:00
Christian Heimes
a48f6511f6 Use namespace-aware meta importer for ipaplatform
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".

The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 14:17:24 +01:00
Christian Heimes
8bbeedc93f
Backup ipa-custodia conf and keys
https://pagure.io/freeipa/issue/7247

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-13 18:10:54 +01:00
Fraser Tweedale
3e33857827
Remove caJarSigningCert profile and related code
The caJarSigningCert profile was used for issuing the object signing
certificate for signing the Firefox auto-configuration extension
(XPI).  We removed the extension and object signing certificate some
time ago, so remove the profile and the related code that sets it
up.

Fixes: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 12:39:19 +01:00
Christian Heimes
b29db07c3b Use os.path.isfile() and isdir()
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 12:27:19 +02:00
Stanislav Laznicka
9b8b7afeb4
p11-kit: add serial number in DER format
This causes Firefox to report our CA certificate as not-trustworthy.
We were previously doing this correctly, however it slipped as an
error due to certificate refactoring.

https://pagure.io/freeipa/issue/7210

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-10-17 16:43:15 +02:00
Rob Crittenden
acd72cc8f5 Use 389-ds provided method for file limits tuning
Previously IPA would set the LimitNOFILE value to 8192 to increase
the number of concurrent clients. 389-ds-base does this by default
as of 1.3.7.0.

Remove the IPA-specific tuning and rely on the out-of-the-box
389-ds-base tuning.

Bump the required version of 389-ds-base to 1.3.7.0.

Any other tuning added by 389-ds-base will result in a
dirsrv.systemd.rpmsave file which admins will need to merge
in manually, like typical .rpmsave config changes.

https://pagure.io/freeipa/issue/6994

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-17 14:59:06 +02:00
Petr Vobornik
b0184d10ab
browser config: cleanup after removal of Firefox extension
Firefox extension which served for configuring Kerberos auth in Firefox
until version which banned self-signed extensions was removed in commit
6c53765ac1.

Given that configure.jar, even older Firefox config tool, was removed
sometime before that, there is no use for signtool tool. It is good
because it is removed from Fedora 27 anyway. So removing last unused
function which calls it.

The removal of FF extension was not exactly clean so removing also
browserconfig.html which only purpose was to use the extension. Therefore
also related JS files are removed. This removal requires unauthorized.html
to be updated so that it doesn't point to non-existing page. And given that
it now points only to single config page, we can change link in UI login page
to this page (ssbrowser.html). While at it, improving buttons in ssbrowser.html.

Btw, commit 6c53765ac1 removed also generation of
krb.js. It had one perk - with that info ssbrowser.html could display real
Kerberos domain instead of only 'example.com'.  I don't have time to revert this
change so removing traces of krb.js as well.

https://pagure.io/freeipa/issue/7135

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-21 10:27:14 +02:00
Felipe Barreto
bf0b74bec4
Checks if Dir Server is installed and running before IPA installation
In cases when IPA is installed in two steps (external CA), it's
necessary to check (in the second step) if Dir. Server is
running before continue with the installation. If it's not,
start Directory Server.

https://pagure.io/freeipa/issue/6611

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-21 10:24:06 +02:00
Alexander Bokovoy
dc47a4b85f
Make sure upgrade also checks for IPv6 stack
- Add check for IPv6 stack to upgrade process
 - Change IPv6 checker to also check that localhost resolves to ::1

Part of fixes https://pagure.io/freeipa/issue/7083

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-09-19 17:33:24 +02:00
Stanislav Laznicka
e537686bcc Don't write p11-kit EKU extension object if no EKU
b5732efd introduced a regression because it tries to write EKU
that's actually in the CA cert instead of using the LDAP information.
However, when no EKU is available,
IPACertificate.extended_key_usage_bytes still returned at least
EKU_PLACEHOLDER OID to keep the behavior the same as in previous
versions. This caused the EKU_PLACEHOLDER to be written in the
ipa.p11-kit file which made Firefox report FreeIPA Web UI as
improperly configured.

https://pagure.io/freeipa/issue/7119

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-19 09:42:07 +02:00
Felipe Volpone
0b7d9c5a7b
Removing part of circular dependency of ipalib in ipaplaform
After commit cac3475, ipa-backup is broken due to circular
dependencies. This fixes it, removing circular dependency
of ipalib. The ipalib.constants.IPAAPI_USER is now passed
as parameter to the function that use it.

https://pagure.io/freeipa/issue/7108

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-08-30 15:51:39 +02:00
Martin Babinsky
a2de6a17c5 Move tmpfiles.d configuration handling back to spec file
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.

This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.

This partially reverts commit 38c66896de.

https://pagure.io/freeipa/issue/7053

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-08-30 13:05:23 +02:00
Stanislav Laznicka
6f8d90d97a client: make ipa-client-install py3 compatible
This commit enables ipa-client-install to be installable in
Python 3 and makes it run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-02 16:13:18 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Martin Basti
663f227a5c adtrust: move SELinux settings to constants
SELinux is platform dependend, moving boolean setting to platform module.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-26 08:32:05 +02:00
Martin Basti
1a6de32c9e httpd: move SELinux settings to constants
SELinux is platform dependend, moving boolean setting to platform module.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-26 08:32:05 +02:00
Jan Cholasta
11b8a34346 client install: fix client PKINIT configuration
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.

Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.

Make sure both bundles are exported in all installation code paths.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Petr Vobornik
3a4c8e39c3
restore: restart/reload gssproxy after restore
So that gssproxy picks up new configuration and therefore related
usages like authentication of CLI against server works

https://pagure.io/freeipa/issue/6902

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-28 14:56:02 +02:00
Martin Babinsky
68c6a4d4e1 Stop requesting anonymous keytab and purge all references of it
anonymous kinit using keytab never worked so we may safely remove all
code that requests/uses it.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Stanislav Laznicka
ddbbb1c58e Move the compat plugin setup at the end of install
The compat plugin was causing deadlocks with the topology plugin. Move
its setup at the end of the installation and remove the
cn=topology,cn=ipa,cn=etc subtree from its scope.

https://pagure.io/freeipa/issue/6821

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-24 17:11:51 +02:00
Michal Reznik
2493f81204 - added krb5kdc.log to pytest logging
KRB5KDC_LOG = '/var/log/krb5kdc.log' added to paths
host.collect_log(paths.KRB5KDC_LOG) added to tasks.py

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-12 17:34:32 +02:00
David Kupka
a726e98f03 Create system users for FreeIPA services during package installation
Previously system users needed by FreeIPA server services was created during
ipa-server-install. This led to problem when DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentionally similar ones). Now the users will be created in package %pre
section so all users freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose but
given that systemd is not available during container build the traditional
approach is superior.
Also dirsrv and pkiuser users are no longer created by FreeIPA instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-11 17:51:49 +02:00
Martin Basti
fd597f83ae collect audit.log for easier selinux investigation
Audit log contains useful information about selinux issues

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-04-06 10:08:54 +02:00
Jan Cholasta
3de09709cc tasks: run systemctl daemon-reload after httpd.service.d updates
Run `systemctl daemon-reload` after
`/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted,
otherwise systemd will not merge the file into httpd.service and therefore
required environment variables will not be set for httpd.

This fixes authentication failures ("No valid Negotiate header in server
response") due to missing `GSS_USE_PROXY=yes` in httpd environment.

https://pagure.io/freeipa/issue/6773

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-21 16:38:06 +01:00
Timo Aaltonen
e20ad9c251 ipaplatform/debian/paths: Add some missing values.
Rename KRA_AGENT_PEM -> OLD_KRA_AGENT_PEM, add CERTMONGER_DOGTAG_SUBMIT.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-15 09:53:08 +01:00
Jan Cholasta
f037bfa483 httpinstance: disable system trust module in /etc/httpd/alias
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above
issues.

https://pagure.io/freeipa/issue/6132

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-14 17:12:19 +01:00
Timo Aaltonen
c194f74b12 ipaplatform/debian/paths: Rename IPA_KEYTAB to OLD_IPA_KEYTAB.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 17:09:10 +01:00
Timo Aaltonen
71db8c264e ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 17:09:10 +01:00
Timo Aaltonen
1a47fcd3ee ipaplatform/debian/services: Fix is_running arguments.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 17:09:10 +01:00
Stanislav Laznicka
5d3a0e6758 Don't allow standalone KRA uninstalls
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-13 16:27:23 +01:00
Jan Cholasta
5d489ac560 pylint_plugins: add forbidden import checker
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-10 13:04:59 +01:00
Tomas Krizek
ecb450308d
server install: require IPv6 stack to be enabled
Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-09 16:50:21 +01:00
Christian Heimes
80be181629 Move csrgen templates into ipaclient package
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:59:26 +01:00