[Freeipa-devel] [PATCH] - Add DRM to IPA

Ade Lee alee at redhat.com
Wed Aug 13 18:05:51 UTC 2014 

New patch attached which all the issues noted below. Rebased to master.

Please review,
Thanks,

Ade

On Mon, 2014-08-11 at 16:54 +0200, Petr Viktorin wrote:
> On 08/09/2014 01:36 AM, Rob Crittenden wrote:
> > Ade Lee wrote:
> >> Attached is a new patch.  I believe I have addressed all the issues
> >> raided by pviktori, edewata and rcrit.
> Arrrrr!
> >> Please let me know if I missed something!
> >>
> >> Incidentally, to get all this to work, you should use the latest Dogtag
> >> 10.2 build, which also contains a fix for pkidestroy that is not yet
> >> merged in.  A COPR build is currently underway at:
> >>
> >> http://copr.fedoraproject.org/coprs/vakwetu/dogtag/build/24804/
> >
> > Some whitespace issues:
> >
> > Applying: Add a DRM to IPA
> > /home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3774: trailing
> > whitespace.
> >          This relies on the DRM client to generate a wrapping key
> > /home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3292: new blank line
> > at EOF.
> > +
> > warning: 2 lines add whitespace errors.
> > lying: Add a DRM to IPA
> > /home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3774: trailing
> > whitespace.
> >          This relies on the DRM client to generate a wrapping key
> > /home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3292: new blank line
> > at EOF.
> > +
> > warning: 2 lines add whitespace errors.
> >
fixed 

> > I do hope you're planning on adding a minimum build dep at some point?
> >

yes - as soon as we have an official-ish dogtag build.

> > Still seeing AVCs during install:
> >
> > ----
> > time->Fri Aug  8 19:13:35 2014
> > type=SYSCALL msg=audit(1407539615.743:1503): arch=c000003e syscall=1
> > success=no exit=-13 a0=3 a1=210cb30 a2=2d a3=7fff1caa83f0 items=0
> > ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994
> > fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295
> > comm="cp" exe="/usr/bin/cp" subj=system_u:system_r:pki_tomcat_t:s0
> > key=(null)
> > type=AVC msg=audit(1407539615.743:1503): avc:  denied  { setfscreate }
> > for  pid=12307 comm="cp" scontext=system_u:system_r:pki_tomcat_t:s0
> > tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process
> > ----
> > time->Fri Aug  8 19:13:35 2014
> > type=SYSCALL msg=audit(1407539615.743:1504): arch=c000003e syscall=190
> > success=no exit=-13 a0=4 a1=7fff1caa8590 a2=210c8f0 a3=2d items=0
> > ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994
> > fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295
> > comm="cp" exe="/usr/bin/cp" subj=system_u:system_r:pki_tomcat_t:s0
> > key=(null)
> > type=AVC msg=audit(1407539615.743:1504): avc:  denied  { relabelfrom }
> > for  pid=12307 comm="cp" name="CS.cfg.bak.20140808191335" dev="dm-0"
> > ino=430828 scontext=system_u:system_r:pki_tomcat_t:s0
> > tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
> > ----
> > time->Fri Aug  8 19:13:35 2014
> > type=SYSCALL msg=audit(1407539615.744:1505): arch=c000003e syscall=88
> > success=no exit=-13 a0=7fffd3c0daa7 a1=7fffd3c0daea a2=0 a3=7fffd3c0b9b0
> > items=0 ppid=12121 pid=12308 auid=4294967295 uid=994 gid=993 euid=994
> > suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295
> > comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:pki_tomcat_t:s0
> > key=(null)
> > type=AVC msg=audit(1407539615.744:1505): avc:  denied  { create } for
> > pid=12308 comm="ln" name="CS.cfg.bak"
> > scontext=system_u:system_r:pki_tomcat_t:s0
> > tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
> >

Rob, please open BZ against selinux-policy for these.  Interestingly, 
audit2allow doesn't provide me with any output for these AVC's.

> > The new estimated time was dead on :-)
> >
> > There was a fairly long wait after "Done configuring DRM server
> > (pki-tomcatd)." and the install was done. I thought we always displayed
> > text when restarting (e.g. handled by the service wrapper) but I guess
> > not. It would be nice to know what is going on.
> >
done 

> > Re-running ipa-drm-install results in a scary error:
> >
> > ]# ipa-drm-install
> > Usage: ipa-drm-install [options] [replica_file]
> >
> > ipa-drm-install: error: DRM is already installed.
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa_drm_install.py --uninstall to clean up.
> 
> Right, you don't want to override handle_error here. Instead, wrap the 
> body of run() in
> 
>      try:
>          ....
>      except:
>          self.log.error(self.FAIL_MESSAGE)
>          raise
> 
> (Yes, bare `except` and bare `raise`)
> 
> I used self.log.error() instead of print, because I think at least the 
> "Your system may be partly configured." part of the FAIL_MESSAGE should 
> end up in the log, not just on screen.
> 
done

> > And now onto the code...
> >
> > class drm
> >
> > _create_pem_file isnt' exactly descriptive and there is no method
> > documentation.
> >
done

> > _setup. Just a nit: do you want to hardcode the port? I think I'd prefer
> > it come via the constructor and default to 443.
> >

done

> > It may be worth beefing up the return value docs ala what John did in
> > the dogtag section. I notice, for example, you always return a tuple and
> > one value as None in store_secret. I assume there is a reason for that
> > but it isn't obvious. This happens elsewhere too.
> >
done

> > Should the copyright dates on existing files be changed? I don't think
> > they should be, but I'm hardly an expert.
> >
> > I just did a cursory look-see in the code and things generally looked
> > ok. I'm hoping Petr^3 will take a closer look.
> >
> > rob
> >
> 
> I also see a scary error I can't make heads or tails of when trying to 
> install DRM on a replica:
> 
> $ sudo ipa-drm-install
> 
> Your system may be partly configured.
> Run /usr/sbin/ipa_drm_install.py --uninstall to clean up.
> 
> HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded 
> with url: /ca/rest/securityDomain/domainInfo (Caused by <class 
> 'socket.error'>: [Errno 111] Connection refused)

Do you have a replica CA installed?  The replica is trying to reach the
local replica CA install on localhost/ port 8080.

Is port 8080 somehow blocked in your local machine?
Can you get to http://localhost:8080/ca/rest/securityDomain/domainInfo ?


> pviktori at vm-234:~/freeipa{master}e819ca8∗$
> 
> The traceback is:
> 
> ipa.ipaserver.install.ipa_drm_install.DRMInstaller: DEBUG:   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 168, in 
> execute
>      self.validate_options()
>    File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_drm_install.py", 
> line 180, in validate_options
>      self.installing_replica = dogtaginstance.is_installing_replica("KRA")
>    File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", 
> line 82, in is_installing_replica
>      info = get_security_domain()
>    File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", 
> line 71, in get_security_domain
>      info = domain_client.get_security_domain_info()
>    File "/usr/lib/python2.7/site-packages/pki/system.py", line 95, in 
> get_security_domain_info
>      response = self.connection.get('/rest/securityDomain/domainInfo')
>    File "/usr/lib/python2.7/site-packages/pki/client.py", line 60, in get
>      data=payload)
>    File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 
> 347, in get
>      return self.request('GET', url, **kwargs)
>    File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 
> 335, in request
>      resp = self.send(prep, **send_kwargs)
>    File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 
> 438, in send
>      r = adapter.send(request, **kwargs)
>    File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 
> 327, in send
>      raise ConnectionError(e)
> 
> Perhaps I'm doing something wrong here?
> 
> 
> Regarding the code I just have a bunch of nitpicks:
> 
> There are some more logger calls that use `%` for interpolation:
> - ipa-ca-install.install_replica
done

> - ipaserver.install.installutils.check_entropy
> 
done 

> There are some more hardcoded paths. We've just moved these to the 
> platform module recently, and the move wasn't totally thorough, so these 
> are not entirely your fault. Still, they should be fixed:
> ipaserver.install.cainstance.CAInstance.stop_tracking_agent_certificate
> (/etc/httpd/alias)
done
> ipaserver.install.dogtaginstance.HTTPD_CONFD (later when you use it, use 
> os.path.join() instead of adding strings)
done
> ipaserver.install.ipa_replica_prepare.ReplicaPrepare.copy_misc_files 
> (/etc/ipa/default.conf)
done
> ipaserver.install.cainstance.CAInstance.uninstall: 
> "-pki_instance_root=/var/lib" (not touched directly by your change but 
> it would be nice to fix)
done

> ipaserver.install.drminstance.DRMInstance.__spawn_instance: 
> "/var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12", 
> "/root/kracert.p12", "/tmp"
done

> ipa-server-install, summary message: "/root/cacert.p12", "/root/drmcert.p12"
done

> ipaserver.install.dogtaginstance.DogtagInstance.ADMIN_CERT_PATH
done

> ipaserver.install.dogtaginstance.check_inst: 
> '/usr/share/pki/%s/conf/server.xml' (note, constants for template paths 
> have a _TEMPLATE suffix by convention)
done

> ipaserver.install.dogtaginstance.DogtagInstance.spawn_instance: 
> "/usr/sbin/pkispawn"
done
> ipaserver.install.dogtaginstance.DogtagInstance.uninstall: 
> "/usr/sbin/pkidestroy"
done

> ipa_drm_install.DRMInstaller.FAIL_MESSAGE: Just use `ipa-drm-install` as 
> the command; the Python module you mention is not executable.
done

> ipaserver.install.installutils.check_entropy: 
> "/proc/sys/kernel/random/entropy_avail"
> 
done

> CAInstance.__init__, DRMInstance.__init__: These docstrings are unnecessary.

done
> ipa_drm_install.DRMInstall.__init__ just calls the superclass, so it's 
> not necessary to override it.

done

> In ipa_drm_install.DRMInstall.add_options, when adding --uninstall, 
> don't give the empty string (see --no-host-dns).
> 
done
> For ipa_drm_install.DRMInstaller's INSTALLER_START_MESSAGE and 
> FAIL_MESSAGE, you can use textwrap.dedent() for nicer indentation:
> https://docs.python.org/2/library/textwrap.html#textwrap.dedent
> 
done

> In ipa_drm_install.DRMInstaller.__init__, AFAICS setting 
> "installing_replica" and "replica_file" is not needed, and the values 
> are misleading until validate_options sets the the correct values.
> 
done

> In ipa_drm_install.DRMInstaller.validate_options:
> Instead of `ra_plugin is not None and ra_plugin == "dogtag"` you can use 
> just `ra_plugin == "dogtag"`.
> Same with `if dogtag_version is not None and dogtag_version >= 10:` (you 
> explicitly convert the value to int earlier, so it can't be None here).
> Instead of `if len(self.args) < 1:` just use `if not self.args:`.

All done

> The tool should also error out if more than one replica file is given, 
> or if file(s) are given for non-replica master or for uninstalling.
> 
done.

> The commit message is slightly wrong; ipa-drm-install does not ask for a 
> replica file when it's needed and not given.

> And, please link to the ticket and design page in the commit message.
> 
done

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-2-Add-a-DRM-to-IPA.patch
Type: text/x-patch
Size: 159241 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140813/f333de77/attachment.bin>

More information about the Freeipa-devel mailing list