[Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

Thu Aug 16 07:12:23 UTC 2012

On 08/16/2012 07:53 AM, Ade Lee wrote:
> On Wed, 2012-08-15 at 23:41 -0400, Ade Lee wrote:
>> On Wed, 2012-08-15 at 16:34 +0200, Martin Kosek wrote:
>>> On 08/15/2012 03:54 PM, Ade Lee wrote:
>>>> On Wed, 2012-08-15 at 13:24 +0200, Martin Kosek wrote:
>>>>> On 08/08/2012 10:05 PM, Ade Lee wrote:
>>>>>> Hi, 
>>>>>>
>>>>>> Dogtag 10 is being released on f18, and has a number of changes that
>>>>>> will affect IPA.  In particular, the following changes will affect
>>>>>> current IPA code. 
>>>>>>
>>>>>> * The directory layout of the dogtag instance has changed.  Instead of
>>>>>> using separate tomcat instances to host different subsystems, the
>>>>>> standard dogtag installation will allow one to install a CA. KRA, OCSP
>>>>>> and TKS within the same instance.  There have been corresponding changes
>>>>>> in the directory layout, as well as the default instance name
>>>>>> (pki-tomcat instead of pki-ca), and startup daemon (pki-tomcatd, instead
>>>>>> of pki-cad, pki-krad etc.) 
>>>>>>
>>>>>> * The default instance will use only four ports (HTTPS, HTTP, AJP and
>>>>>> tomcat shutdown port) rather than the 6 previously used.  The default
>>>>>> ports will be changed to the standard tomcat ports.  As these ports are
>>>>>> local to the ipa server machine, this should not cause too much
>>>>>> disruption. 
>>>>>>
>>>>>> * There is a new single step installer written in python.
>>>>>> (pkispawn/destroy) vs. pkicreate/pkisilent/pkiremove.
>>>>>>
>>>>>> * Dogtag 10 runs on tomcat7 - with a new corresponding version of
>>>>>> tomcatjss.
>>>>>>
>>>>>> The attached patch integrates all the above changes in IPA installation
>>>>>> and maintenance code.  Once the patch is applied, users will be able to:
>>>>>>
>>>>>> 1. run ipa-server-install to completion on f18 with dogtag 10.
>>>>>> 2. install a new replica on f18 on dogtag 10.
>>>>>> 3. upgrade an f17 machine with an existing IPA instance to f18/ dogtag
>>>>>> 10 - and have that old-style dogtag instance continue to run correctly.
>>>>>> This will require the installation of the latest version of tomcatjss as
>>>>>> well as the installation of tomcat6.  The old-style instance will
>>>>>> continue to use tomcat6.
>>>>>> 4. in addition, the new cert renewal code has been patched and should
>>>>>> continue to work.
>>>>>>
>>>>>> What is not yet completed / supported:
>>>>>>
>>>>>> 1. Installation with an external CA is not yet completed in the new
>>>>>> installer.  We plan to complete this soon.
>>>>>>
>>>>>> 2. There is some IPA upgrade code that has not yet been touched
>>>>>> (install/tools/ipa-upgradeconfig).
>>>>>>
>>>>>> 3. A script needs to be written to allow admins to convert their
>>>>>> old-style dogtag instances to new style instances, as well as code to
>>>>>> periodically prompt admins to do this.
>>>>>>
>>>>>> 4. Installation of old-style instances using pkicreate/pkisilent on
>>>>>> dogtag 10 will no longer be supported, and will be disabled soon.
>>>>>>
>>>>>> 5.  The pki-selinux policy has been updated to reflect these changes,
>>>>>> but is still in flux.  In fact, it is our intention to place the dogtag
>>>>>> selinux policy in the base selinux policy for f18.  In the meantime, it
>>>>>> may be necessary to run installs in permissive mode.
>>>>>>
>>>>>> The dogtag 10 code will be released shortly into f18.  Prior to that
>>>>>> though, we have placed the new dogtag 10 and tomcatjss code in a
>>>>>> developer repo that is located at 
>>>>>> http://nkinder.fedorapeople.org/dogtag-devel/
>>>>>>
>>>>>> Testing can be done on both f18 and f17 - although the target platform -
>>>>>> and the only platform for which official builds will be created is f18.
>>>>>>
>>>>>> Thanks, 
>>>>>> Ade
>>>>>>
>>>>>
>>>>> Hi Ade,
>>>>>
>>>>> Thanks for the patch, I started with review and integration tests (currently
>>>>> running on Fedora 17 with Nathan's repo).
>>>>>
>>>>> Installation on single master was smooth, it worked just fine, even with
>>>>> enforced SELinux, without any error - kudos to you and the whole dogtag team.
>>>>> The resulting logs and the structure of your log directory seems improved. I
>>>>> believe that the brand new Python installers will make it easier to debug
>>>>> issues with dogtag installation when they come.  When I tried our unit tests or
>>>>> some simple cert operation, it worked fine as well.
>>>>>
>>>>> Now the bad news, or rather few issues and suggestions I found:
>>>>>
>>>>> 1) As we already discussed on IRC, tomcat 7 was not pulled automatically on
>>>>> Fedora 17 when I updated pki-ca, you somewhere miss a Requires.
>>>>>
>>>> We have a dogtag patch that is currently in review that will address
>>>> this.  Once this is in, tomcatjss >=7.0.0 will be required for f17+,
>>>> rather than f18+
>>>>
>>>>> 2) I had installed IPA with dogtag10 on master. However, CA installation on a
>>>>> replica (ipa-ca-install) with dogtag9 failed - is this expectable?
>>>>>
>>>> Yes.  The current IPA patch is designed to work with dogtag 10 only,
>>>> which will be officially available on f18+.  So if you update to dogtag
>>>> 10, you must have this patch and visa versa.  We probably need to add
>>>> the relevant requires to IPA to enforce this.
>>>>
>>>> If you have an existing dogtag 9 instance, and you upgrade to the new
>>>> dogtag 10 and patched IPA, then that instance will continue to work.
>>>> But any new instances would be created using dogtag 10.
>>>>
>>>>> 3) I had installed IPA with dogtag10 on master. Replica had dogtag10 as well
>>>>> and I got the following error:
>>>>>
>>>>> # ipa-ca-install /home/mkosek/replica-info-vm-114.idm.lab.bos.redhat.com.gpg
>>>>> ...
>>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>>>>   [1/14]: creating certificate server user
>>>>>   [2/14]: configuring certificate server instance
>>>>>
>>>>> Your system may be partly configured.
>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>
>>>>> Unexpected error - see /var/log/ipareplica-ca-install.log for details:
>>>>> IOError: [Errno 2] No such file or directory:
>>>>> '/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12'
>>>>>
>>>>> Root cause:
>>>>> ...
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>>>>> 625, in __spawn_instance
>>>>>     "/root/cacert.p12")
>>>>> ...
>>>>>
>>>> I need to look into this.  I had fixed ipa-replica-install, rather than
>>>> ipa-ca-install to create replicas.  I didn't know ipa-ca-install
>>>> existed!  Should not be too bad to fix though - most likely just need to
>>>> move files to the right place.
>>>
>>> Ok, thanks! Btw. CA on replica can be either installed during
>>> ipa-replica-install time (when --setup-ca option is passed, you probably used
>>> that one) and the aforementioned ipa-ca-install run after ipa-replica-install.
>>>
>> I will be testing this out again.  As ipa-ca-install uses the same code
>> as ipa-replica-install, I would have expected it to work.  Did you try
>> it with selinux in permissive mode?
>>
> OK -- I tested this out and realized that between the time I initially
> tested this and your tests, we had changed a URL
> from /ca/pki/installer/installToken to /ca/rest/installer/installToken,
> but I forgot to update ipa-pki-proxy.conf. 
> 
> The new patch has been rebased and changes the relevant patch.  With
> this, the CA replica installs correctly.

Umh, where can I find the new rebased patch? :-)

> 
> There was one issue that I encountered.  I have seen this once before
> and will need to investigate further.  IPA sometimes restarts the dogtag
> instance by doing systemctl stop pki-tomcatd.target.  and then systemctl
> start pki-tomcatd.target.   I have noticed that occasionally the start
> invocation fails, while the stop and restart invocations succeed just
> fine.  This makes absolutely no sense because restart is essentially
> just stop and then start.
> 
> I think this is actually a bug in systemd.  If I reboot the machine, it
> all works perfectly.  If we can't figure out whats going on with
> systemd, we can always replace this start/stop with starting/stopping
> the service directly.  (pki-tomcatd at pki-tomcat.service).  That seems to
> work all the time with no problems.
> 
> I suggest we leave this fix (if needed) for a separate patch.

Ok, I will see if I hit this issue again. Btw. is it recommended in systemd to
use target units this way? I thought that only service files are meant to be
used for manipulation with a service. As you said yourself, using service unit
file for restart worked every time.

Martin