Broken build on F15
by Adam Young
This might be old news, I haven't gone back through mail yet, but the
recent change for F16 and systemd breaks the build. The RPM spec file
has a file omitted that is only used on F16. I got things to build with
the following change:
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index eaf0ee2..262636e 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -508,9 +508,7 @@ fi
%{_datadir}/pki/scripts/pki_apache_initscript
%dir %{_localstatedir}/lock/pki
%dir %{_localstatedir}/run/pki
-%if 0%{?fedora} >= 16
%{_bindir}/pkicontrol
-%endif
%files -n pki-symkey
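Review bot: dropping the `%if 0%{?fedora} >= 16` guard around `%{_bindir}/pkicontrol` makes every build package the file, including F15 and any build where `%{?fedora}` is empty, while the message says pkicontrol is only used on F16. The build break is a file that is installed but not listed, so the matching fix is to put the same conditional on the step that installs pkicontrol in %install (so F15 neither installs nor lists it), or, if shipping it unused on F15 is the intended stopgap, say so in the commit message and changelog.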
It includes the file in F15, but does not use it. I am about to test
if the installed RPMs work on an F15 system.
12 years, 7 months
patch for systemd changes
by Ade Lee
This is to fix BZ 699809 - Convert certificate system to use systemd
https://bugzilla.redhat.com/show_bug.cgi?id=699809
This patch has most of what is needed
There is some extra stuff in the spec file for pki-core for symkey -- I needed
this just to get a build going. I will remove this on commit. The fix for
this issue will be provided by mharmsen in a separate bug.
What's missing:
Some logic in spec files to upgrade existing instance. Will add that in a
separate patch.
Please review and ack.
Thanks,
Ade
12 years, 7 months
Re: [Pki-devel] [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
by Adam Young
On 08/29/2011 05:58 PM, Simo Sorce wrote:
> On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote:
>> On 08/26/2011 08:57 PM, Adam Young wrote:
>>> On 08/26/2011 06:30 PM, Simo Sorce wrote:
>>>> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
>>>>> On 08/26/2011 02:34 PM, Simo Sorce wrote:
>>>>>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
>>>>>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
>>>>>>>> On 08/25/2011 05:24 PM, Adam Young wrote:
>>>>>>>>> Uses the updated version of pkicreate which makes an ipa specific
>>>>>>>>> proxy config file.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Freeipa-devel mailing list
>>>>>>>>> Freeipa-devel(a)redhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>>>> The test for the proxy file in /etc/httpd/conf.d was "isfile" but
>>>>>>>> since the file is actually a symlink, it needs to be "islink".
>>>>>>>> This one checks for either.
>>>>>>> Nack, install fails after configuring the http service.
>>>>>>> Restart bails out
>>>>>>>
>>>>>>> using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the
>>>>>>> way (it was suppressing the error output) I get a permission denied
>>>>>>> error trying to open /etc/httpd/conf.d/proxy-ipa.conf
>>>>>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file
>>>>>>> owned
>>>>>>> by pkiuser:pkiuser with permission 660 (therefore not readable by the
>>>>>>> apache user).
>>>>>> Ok it turns out permissions are not the real issue as the file is read
>>>>>> while apache is still root, it's an SELinux issue.
>>>>>> Apache starts if I setenforce 0
>>>>>>
>>>>>> Still a NACK of course, it needs to work with SELinux in enforcing
>>>>>> mode
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>> This version owns the proxy config file. It works with setenforce 0,
>>>>> but does not work with SELinux, so, preemptive-nack. But I will be gone
>>>>> for a week, so if someone wants to pick this up and run with it, start
>>>>> from here.
>>>> The previous patch with the corrected isfile vs islink issue works fine
>>>> as long as the SELinux policy is fixed to allow access
>>>> to /etc/pki-ca/proxy-ipa.conf
>>>>
>>>> I have tested a master and then replica install with no issues after I
>>>> loaded a custom SELinux policy that allows that.
>>>>
>>>> So tentative ACK to the former patch.
>>>> I will discuss with Ade how to resolve the SELinux issue and will push to
>>>> master once that is solved.
>>>>
>>>> Simo.
>>>>
>>> Previous patch is based on a change for PKI-CA that we are not going
>>> to push, so we can't go with that. The file
>>> /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.
>>> Whatever the issue is with this patch it has to be fairly minor. The
>>> difference in approach is that this one includes the conf file and
>>> places it in /etc/httpd/conf.d. The problem is possibly the fact that
>>> this one uses localhost instead of the FQDN, although I did test it
>>> both ways prior to adding it to the RPM, and it worked with localhost
>>> and SELinux in enforcing mode.
>>>
>> Failure seems to be from this step in the install log:
>>
>>
>>
>> After configuration, the server can be operated by the command:
>>
>> /sbin/service pki-cad restart pki-ca
>>
>>
>> 2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED
>> run_command("/sbin/service pki-cad restart pki-ca"), exit status=126 output="Stopping pki-ca: [ OK ]
>> /usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied"
>>
>>
>> And in the Audit log:
>>
>>
>> type=AVC msg=audit(1314409907.089:2397): avc: denied { transition }
>> for pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0
>> ino=35449 scontext=system_u:system_r:kernel_t:s0
>> tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
>> type=AVC msg=audit(1314410048.272:2398): avc: denied { transition }
>> for pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0
>> ino=35449 scontext=system_u:system_r:kernel_t:s0
>> tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
>
> I guess these AVCs were due to mislabeling of your development system.
> I tried multiple times w/o any issues.
>
> I added a few minor corrections.
>
> a) actually copying the file to /etc/httpd/conf.d was missing, I do that
> as an additional final configuration step in cainstance.py
> b) renamed the file to ipa-pki-proxy.conf, the original name was fine as
> a dogtag file, but as an ipa file it lacked context
> c) I added an httpd server restart in ipa-ca-install as that script does
> not otherwise restart apache and we need it to read the new conf file
> that was just dropped down.
>
> This was tested and pushed to master.
>
> Simo.
>
Thanks Simo. Considering that this happened a few days back, I'm
guessing that it hasn't blown up on anyone yet.
12 years, 7 months
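The isfile-versus-islink point in the thread above, as an added example (not code from the freeipa or dogtag patches under discussion): it exercises a regular file, a working symlink, a dangling symlink and a missing path in a scratch directory and shows what each of the three possible checks reports. The scratch paths and the placeholder config contents are constructed for the example.

```python
import os
import shutil
import tempfile

# Added example; not code from the freeipa or dogtag patches discussed above.
# The thread hinges on os.path.isfile() versus os.path.islink() for a config
# file that is a symlink (/etc/httpd/conf.d/proxy-ipa.conf pointing into
# /etc/pki-ca/). isfile() follows the link, so it reports False once the link
# dangles; islink() reports True for any symlink, dangling or not.


def conf_state(path):
    """Classify what an installer finds at `path`."""
    if os.path.islink(path):
        return "symlink" if os.path.exists(path) else "dangling-symlink"
    if os.path.isfile(path):
        return "file"
    return "missing"


def present_either(path):
    """The check the patch settled on: a regular file or a symlink counts."""
    return os.path.isfile(path) or os.path.islink(path)


def readable_target(path):
    """What httpd needs at restart: the path resolves to a readable file."""
    return os.path.isfile(path) and os.access(path, os.R_OK)


def demo():
    """Exercise the four states in a scratch directory (constructed paths,
    not the real /etc layout) and return what each check reports."""
    root = tempfile.mkdtemp()
    try:
        pki_dir = os.path.join(root, "pki-ca")
        conf_d = os.path.join(root, "conf.d")
        os.makedirs(pki_dir)
        os.makedirs(conf_d)
        regular = os.path.join(pki_dir, "proxy-ipa.conf")
        with open(regular, "w") as f:
            f.write("# placeholder proxy config, constructed for the example\n")
        good_link = os.path.join(conf_d, "proxy-ipa.conf")
        os.symlink(regular, good_link)
        dangling = os.path.join(conf_d, "ipa-pki-proxy.conf")
        os.symlink(os.path.join(pki_dir, "absent.conf"), dangling)
        missing = os.path.join(conf_d, "nothing.conf")
        results = {}
        for name, path in (("regular", regular), ("symlink", good_link),
                           ("dangling", dangling), ("missing", missing)):
            results[name] = (conf_state(path), present_either(path),
                             readable_target(path))
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, report in demo().items():
        print("%-9s state=%-16s present_either=%-5s readable=%s"
              % ((name,) + report))
```

The dangling case is the one that matters for the thread: a link into /etc/pki-ca whose target is not available still passes the "isfile or islink" test, yet httpd has nothing to read when it restarts. An installer should test for what it actually needs (a readable target) rather than for the link's existence.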
Progress on systemd on f-16
by Ade Lee
Hey guys,
So - with Rich's help - I've made a lot of progress getting dogtag to
come up under systemd. I've pretty much got it working - and now just
need to confirm with knoxy that this is the way we want to do it - and
then package it up.
Here is the basic setup:
/lib/systemd/system/pki-cad.target
-- is the native systemd init file for pki-cad used to manage all
instances
-- will not change
-- to be delivered by pki-ca
-- file attached
/lib/systemd/system/pki-cad@.service
-- is a template file for each individual instance
-- systemd will substitute the relevant instance name for each %i when
invoked
-- will not change
-- delivered by pki-ca
-- file attached
/etc/systemd/system/pki-cad.target.wants
-- directory created by pki-ca rpm install
-- contains symlinks that will be created for each instance that is
created by pkicreate.
For example, if pkicreate is used to create an instance pki-ca, then the
following symbolic link needs to be created by pkicreate under
the /etc/systemd/system/pki-cad.target.wants directory --
ln -s /lib/systemd/system/pki-cad@.service pki-cad@pki-ca.service
That's it!
With the above setup, we can do the following:
systemctl start pki-cad@pki-ca.service (or stop, restart, status)
-- for an individual instance
systemctl start pki-cad.target (or stop, restart, status)
-- for all instances in a single command
******************************************************
The new files are attached and the devil is in the details.
Basically, I modified the tomcat systemd files proposed by the systemd
guys in https://bugzilla.redhat.com/show_bug.cgi?id=719283 and
substituted my own config file to read environment variables.
(/etc/sysconfig/pki/ca/pki-ca.systemd).
This file - which cannot be a bash-script-style environment file, because
systemd does not use bash to parse the file, as noted here --
http://patrakov.blogspot.com/2011/01/writing-systemd-service-files.html
- will also need to be created by pkicreate when the instance is created.
Right now, the file contains all the parameters that were set in the
registry before -- some may no longer be necessary - plus some
parameters that would have been set in the system V tomcat6 init script.
This is the part that needs co-ordination with knoxy - as I am unsure
how he plans to change his scripts to do the systemd stuff.
The other part that has not even been addressed here at all yet is
SELinux. Right now all this is working in permissive mode - and the
resulting java process is unconfined_java_t. I suspect I may need to
add an intermediate script to runcon to the correct context.
And we may need to consider how to get back all that useful information
we used to report in service pki-cad status. My guess is this can go in
that intermediate script.
********************************************
Anyways, I'll be out for a couple days - so I'll pick this up when I get
back.
Ade
12 years, 8 months
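How the pieces in the post above fit together, as an added example that is not pkicreate's code and not the unit files attached to the post: it stages the target, the template unit and one instance's wants symlink in a scratch root, recovers the instance names systemd would substitute for %i, and checks a per-instance environment file for shell syntax that systemd would take literally. The unit names and the wants directory follow the post; the unit bodies, the `%i.systemd` naming of the environment file, the ExecStart command and the sample variable names are assumptions.

```python
import os
import re
import shutil
import tempfile

# Added example; not pkicreate's code and not the unit files attached to the post.
# Names (pki-cad.target, pki-cad@.service, pki-cad.target.wants) follow the post;
# the unit bodies, the %i.systemd file name and the ExecStart command are assumed.

TARGET_UNIT = """\
[Unit]
Description=PKI Certificate Authority Server (all instances)

[Install]
WantedBy=multi-user.target
"""

# ExecStart argument form is an assumption; pkicontrol's interface is not on the page.
TEMPLATE_UNIT = """\
[Unit]
Description=PKI Certificate Authority Server %i
After=network.target

[Service]
Type=simple
EnvironmentFile=/etc/sysconfig/pki/ca/%i.systemd
ExecStart=/usr/bin/pkicontrol start %i
"""

WANTS = "etc/systemd/system/pki-cad.target.wants"
TEMPLATE = "/lib/systemd/system/pki-cad@.service"


def stage_units(root):
    """Write the two static units the pki-ca rpm would deliver under `root`,
    plus the (initially empty) wants directory the rpm creates."""
    lib = os.path.join(root, "lib/systemd/system")
    os.makedirs(lib, exist_ok=True)
    os.makedirs(os.path.join(root, WANTS), exist_ok=True)
    with open(os.path.join(lib, "pki-cad.target"), "w") as f:
        f.write(TARGET_UNIT)
    with open(os.path.join(lib, "pki-cad@.service"), "w") as f:
        f.write(TEMPLATE_UNIT)


def enable_instance(root, instance):
    """The per-instance step pkicreate must do: one symlink in the wants dir,
    named pki-cad@<instance>.service, pointing at the template unit.  The link
    target is absolute, exactly as the 'ln -s' in the post leaves it."""
    link = os.path.join(root, WANTS, "pki-cad@%s.service" % instance)
    os.symlink(TEMPLATE, link)
    return link


def enabled_instances(root):
    """Recover the %i values systemd would substitute, from the wants dir."""
    wants = os.path.join(root, WANTS)
    names = []
    for entry in sorted(os.listdir(wants)):
        m = re.match(r"pki-cad@(.+)\.service$", entry)
        if m and os.path.islink(os.path.join(wants, entry)):
            names.append(m.group(1))
    return names


# systemd reads EnvironmentFile= itself, with no shell: 'export', $VAR references
# and $(...) are not expanded.  Accept only KEY=VALUE, comments (# or ;) and blanks.
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=[^$`]*$")


def check_env_file(lines):
    """Return the lines that systemd would not parse the way a shell would."""
    bad = []
    for line in lines:
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        if not ENV_LINE.match(s):
            bad.append(s)
    return bad


def write_env_file(root, instance, values):
    """Emit the per-instance environment file, refusing shell-only syntax."""
    lines = ["%s=%s" % (k, v) for k, v in sorted(values.items())]
    bad = check_env_file(lines)
    if bad:
        raise ValueError("not parsable by systemd: %r" % bad)
    path = os.path.join(root, "etc/sysconfig/pki/ca", "%s.systemd" % instance)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return path


def demo():
    """Stage one instance in a scratch root (constructed values) and report."""
    root = tempfile.mkdtemp()
    try:
        stage_units(root)
        link = enable_instance(root, "pki-ca")
        env = write_env_file(root, "pki-ca", {"JAVA_HOME": "/usr/lib/jvm/jre"})
        with open(env) as f:
            contents = f.read()
        return {
            "link_target": os.readlink(link),
            "instances": enabled_instances(root),
            "env_contents": contents,
            # constructed bash-style lines, the kind the post says will not work
            "rejected": check_env_file(["export JAVA_HOME=/usr/lib/jvm/jre",
                                        "CATALINA_BASE=$PKI_INSTANCE_PATH"]),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Each name returned by enabled_instances is what `systemctl start pki-cad@<name>.service` addresses, and the target starts all of them at once. In the scratch root the symlink dangles, just as the real one would until the template is installed under /lib/systemd/system. The environment-file check is the reason the post says the file cannot be bash-style: any value that would have been built from another variable has to be written out in full by pkicreate, since nothing expands it later.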