[Freeipa-devel] [PATCH] - Add DRM to IPA

Rob Crittenden rcritten at redhat.com
Fri Aug 8 23:36:24 UTC 2014


Ade Lee wrote:
> Attached is a new patch.  I believe I have addressed all the issues
> raised by pviktori, edewata and rcrit.
> 
> Please let me know if I missed something!
> 
> Incidentally, to get all this to work, you should use the latest Dogtag
> 10.2 build, which also contains a fix for pkidestroy that is not yet
> merged in.  A COPR build is currently underway at: 
> 
> http://copr.fedoraproject.org/coprs/vakwetu/dogtag/build/24804/

Some whitespace issues:

Applying: Add a DRM to IPA
/home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3774: trailing
whitespace.
        This relies on the DRM client to generate a wrapping key
/home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3292: new blank line
at EOF.
+
warning: 2 lines add whitespace errors.

I do hope you're planning on adding a minimum build dep at some point?

Still seeing AVCs during install:

----
time->Fri Aug  8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.743:1503): arch=c000003e syscall=1
success=no exit=-13 a0=3 a1=210cb30 a2=2d a3=7fff1caa83f0 items=0
ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994
fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295
comm="cp" exe="/usr/bin/cp" subj=system_u:system_r:pki_tomcat_t:s0
key=(null)
type=AVC msg=audit(1407539615.743:1503): avc:  denied  { setfscreate }
for  pid=12307 comm="cp" scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process
----
time->Fri Aug  8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.743:1504): arch=c000003e syscall=190
success=no exit=-13 a0=4 a1=7fff1caa8590 a2=210c8f0 a3=2d items=0
ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994
fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295
comm="cp" exe="/usr/bin/cp" subj=system_u:system_r:pki_tomcat_t:s0
key=(null)
type=AVC msg=audit(1407539615.743:1504): avc:  denied  { relabelfrom }
for  pid=12307 comm="cp" name="CS.cfg.bak.20140808191335" dev="dm-0"
ino=430828 scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Fri Aug  8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.744:1505): arch=c000003e syscall=88
success=no exit=-13 a0=7fffd3c0daa7 a1=7fffd3c0daea a2=0 a3=7fffd3c0b9b0
items=0 ppid=12121 pid=12308 auid=4294967295 uid=994 gid=993 euid=994
suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295
comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:pki_tomcat_t:s0
key=(null)
type=AVC msg=audit(1407539615.744:1505): avc:  denied  { create } for
pid=12308 comm="ln" name="CS.cfg.bak"
scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file

The new estimated time was dead on :-)

There was a fairly long wait after "Done configuring DRM server
(pki-tomcatd)." and the install was done. I thought we always displayed
text when restarting (e.g. handled by the service wrapper) but I guess
not. It would be nice to know what is going on.

Re-running ipa-drm-install results in a scary error:

]# ipa-drm-install
Usage: ipa-drm-install [options] [replica_file]

ipa-drm-install: error: DRM is already installed.

Your system may be partly configured.
Run /usr/sbin/ipa_drm_install.py --uninstall to clean up.

And now onto the code...

class drm

_create_pem_file isn't exactly descriptive and there is no method
documentation.

_setup. Just a nit: do you want to hardcode the port? I think I'd prefer
it come via the constructor and default to 443.

It may be worth beefing up the return value docs à la what John did in
the dogtag section. I notice, for example, you always return a tuple and
one value as None in store_secret. I assume there is a reason for that
but it isn't obvious. This happens elsewhere too.

Should the copyright dates on existing files be changed? I don't think
they should be, but I'm hardly an expert.

I just did a cursory look-see in the code and things generally looked
ok. I'm hoping Petr^3 will take a closer look.

rob
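The three AVC denials quoted above are the kind of thing a reviewer triages before deciding whether the installer is doing something it should not (cp preserving contexts, ln creating a symlink under /etc/pki) or the pki_tomcat_t policy is missing a rule. The script below is an added example, not part of the FreeIPA patch or of this message: it pairs the SYSCALL and AVC records by their audit serial, reports which command tripped which permission, and groups the denials into the (source type, target type, class) form that audit2allow would print. The sample input is the same three records, re-joined onto one line per record as ausearch emits them; the syscall-name table covers only the three x86_64 syscalls that appear in them.

```python
"""Triage SELinux AVC denials from raw audit records.

Added example for the ipa-drm-install review thread; not code from the
patch under review. Input is constructed from the three denials quoted in
the message, one audit record per line as ausearch prints them.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
----
time->Fri Aug  8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.743:1503): arch=c000003e syscall=1 success=no exit=-13 a0=3 a1=210cb30 a2=2d a3=7fff1caa83f0 items=0 ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm="cp" exe="/usr/bin/cp" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1407539615.743:1503): avc:  denied  { setfscreate } for  pid=12307 comm="cp" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process
----
time->Fri Aug  8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.743:1504): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff1caa8590 a2=210c8f0 a3=2d items=0 ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm="cp" exe="/usr/bin/cp" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1407539615.743:1504): avc:  denied  { relabelfrom } for  pid=12307 comm="cp" name="CS.cfg.bak.20140808191335" dev="dm-0" ino=430828 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Fri Aug  8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.744:1505): arch=c000003e syscall=88 success=no exit=-13 a0=7fffd3c0daa7 a1=7fffd3c0daea a2=0 a3=7fffd3c0b9b0 items=0 ppid=12121 pid=12308 auid=4294967295 uid=994 gid=993 euid=994 suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1407539615.744:1505): avc:  denied  { create } for pid=12308 comm="ln" name="CS.cfg.bak" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
"""

# x86_64 (arch=c000003e) numbers for the three syscalls seen in the sample:
# setfscreatecon() writes /proc/self/attr/fscreate, relabelling is an
# lsetxattr of security.selinux, and ln calls symlink().
SYSCALL_NAMES = {1: "write", 88: "symlink", 190: "lsetxattr"}

AUDIT_ID = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
PERMS = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def parse_audit(text):
    """Pair SYSCALL and AVC records by audit serial into denial events."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_ID.search(line)
        if not m:
            continue  # "----" separators and time-> lines carry no fields
        serial = int(m.group("serial"))
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events.setdefault(serial, {"serial": serial, "perms": set()})
        if fields["type"] == "AVC":
            ev["perms"].update(PERMS.search(line).group(1).split())
            for k in ("comm", "scontext", "tcontext", "tclass", "name"):
                if k in fields:
                    ev[k] = fields[k]
        elif fields["type"] == "SYSCALL":
            num = int(fields["syscall"])
            ev["syscall"] = num
            ev["syscall_name"] = SYSCALL_NAMES.get(num, "syscall_%d" % num)
            ev["exe"] = fields.get("exe")
            ev["success"] = fields.get("success") == "yes"
    return [events[s] for s in sorted(events)]


def type_of(context):
    """Type component of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def denials_by_command(events):
    """Which installer helper tripped which permissions."""
    out = defaultdict(set)
    for ev in events:
        out[ev["comm"]] |= ev["perms"]
    return dict(out)


def summarize(events):
    """Group denials the way audit2allow does; a triage aid, not a policy."""
    rules = defaultdict(set)
    for ev in events:
        key = (type_of(ev["scontext"]), type_of(ev["tcontext"]), ev["tclass"])
        rules[key] |= ev["perms"]
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in rules.items()
    )


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for ev in evs:
        print("%d %s(%s) %s on %s:%s -> %s" % (
            ev["serial"], ev["comm"], ev["syscall_name"],
            " ".join(sorted(ev["perms"])), ev["tclass"],
            ev.get("name", "-"), type_of(ev["tcontext"])))
    print(denials_by_command(evs))
    print("\n".join(summarize(evs)))
```

The `allow` lines are what an `audit2allow -a` run would suggest; the reviewer's point is that the installer should stop tripping them (or the Dogtag policy should ship the rule), not that a local module should paper over them on every IPA server.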