[Pki-devel] [PATCH] PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
Fraser Tweedale
ftweedal at redhat.com
Wed Jul 9 09:15:43 UTC 2014
On Tue, Jul 08, 2014 at 07:49:29PM +0800, Ade Lee wrote:
> Fraser,
>
> What is likely needed is a rule permitting the pki_tomcat_t type to
> create links in the config directory.
>
> To get the exact rule needed, please do the following:
>
> 1. set selinux to permissive mode (setenforce 0)
> 2. clear the audit log - cat /dev/null > /var/log/audit/audit.log
> 3. start the server (with the original script). Make sure to remove the
> copy you have placed there.
> 4. The instance should start.
> 5. Check to see what rule is needed:
>
> audit2allow -R -i /var/log/audit/audit.log
> audit2allow -R /var/log/audit/audit.log
>
> 6. File a BZ against selinux-policy in Fedora 20/rawhide, providing the
> above output. In 10.x, our selinux policy is managed by the system
> selinux policy.
>
> Ade
Thanks for the tips Ade.
I have filed a bug[1]. I also blogged about this experience[2].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1117673
[2] http://blog-ftweedal.rhcloud.com/2014/07/diagnosing-a-dogtag-selinux-issue/
Cheers,
Fraser
>
> On Tue, 2014-07-08 at 17:55 +1000, Fraser Tweedale wrote:
> > There seems to be an selinux issue with this change. When I spawned
> > a new instance, it was not permitted to create the CS.cfg.bak
> > symlink on startup (and startup failed as a result).
> >
> > It's the end of the day and I didn't get to the bottom of it (I have
> > little prior experience with selinux) but it seems specifically
> > related to symlinks - when I changed the `ln -s' to a `cp' in
> > scripts/operations:1569 everything works OK.
> >
> > So I'll leave it that for today; if anyone has any pointers (or
> > patches) that would be great, otherwise I'll press on tomorrow
> > morning.
> >
> > Cheers,
> >
> > Fraser
> >
> > On Fri, Jun 27, 2014 at 08:58:55PM -0700, Matthew Harmsen wrote:
> > > Please review the attached patch for:
> > >
> > > * PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
> > > <https://fedorahosted.org/pki/ticket/899>
> > >
> > > This patch is based upon a previously reviewed patch for the Dogtag 9
> > > architecture utilized by the IPA_v2_RHEL_6_ERRATA_BRANCH, but was modified
> > > and tested to work with the Dogtag 10.2 architecture.
> > >
> > > CAVEAT 1:
> > >
> > > Although this patch contains changes to multiple PKI subsystems'
> > > 'CS.cfg' configuration files, an upgrade script should not be
> > > specifically required for legacy instances since the parameter that
> > > is added, 'archive.configuration_file=true', is presumed even if the
> > > parameter is missing (as it would be on any legacy instance). In
> > > this case, it would only be necessary to add this parameter to a
> > > legacy instance's CS.cfg, and set the value to 'false' in order to
> > > turn off 'CS.cfg' configuration file archival (explicit instructions
> > > detailing this are found in the 'operations' script). However, if
> > > this is desired for completeness, I don't mind adding it.
> > >
> > > CAVEAT 2:
> > >
> > > I had originally made the effort to attempt to have specific crucial
> > > WARNING messages echoed to the display as well as to the journal. I
> > > believe that this would be beneficial, as, for example, it would
> > > immediately notify an admin that since an error had occurred,
> > > 'CS.cfg' backups would be discontinued until the error was
> > > corrected. My idea was to echo these WARNING messages explicitly to
> > > stderr via redirecting them (>&2), and adding the parameter
> > > 'StandardError=journal+console' under the [Service] section of the
> > > 'pki-tomcatd@pki-tomcat.service' file. Unfortunately, I was never
> > > able to make this work - both stdout and stderr messages were stored
> > > in the journal, but were never displayed to the screen when typing
> > > 'systemctl restart pki-tomcatd@pki-tomcat.service' (even after a
> > > 'systemctl daemon-reload' had been performed).
> > >
> > > -- Matt
> >
> > > From 22242207fd6403dd65f777691ae1bfd0a2aed678 Mon Sep 17 00:00:00 2001
> > > From: Matthew Harmsen <mharmsen at redhat.com>
> > > Date: Fri, 27 Jun 2014 20:35:04 -0700
> > > Subject: [PATCH] Backup and Archive CS.cfg
> > >
> > > * PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
> > > ---
> > > base/ca/shared/conf/CS.cfg.in | 1 +
> > > base/kra/shared/conf/CS.cfg.in | 1 +
> > > base/ocsp/shared/conf/CS.cfg.in | 1 +
> > > base/server/scripts/operations | 211 +++++++++++++++++++++++++++++++++-
> > > base/tks/shared/conf/CS.cfg.in | 1 +
> > > base/tps-tomcat/shared/conf/CS.cfg.in | 1 +
> > > 6 files changed, 215 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
> > > index 90fb2d2..4ab8974 100644
> > > --- a/base/ca/shared/conf/CS.cfg.in
> > > +++ b/base/ca/shared/conf/CS.cfg.in
> > > @@ -159,6 +159,7 @@ accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluato
> > > accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
> > > accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
> > > accessEvaluator.impl.user_origreq.class=com.netscape.cms.evaluators.UserOrigReqAccessEvaluator
> > > +archive.configuration_file=true
> > > auths._000=##
> > > auths._001=## new authentication
> > > auths._002=##
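Review bot: the new `archive.configuration_file=true` key is inserted between the `accessEvaluator` entries with nothing to tell an operator what it controls, and the identical line recurs in the kra, ocsp, tks and tps templates. Since the operations script in this same patch defaults a missing key to `true`, the explicit entry documents the default rather than changing behaviour, so a neighbouring `##`-style comment line (the convention the surrounding `_000=##` entries use) stating that `false` disables timestamped archives would make the switch discoverable without reading the script.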
> > > diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in
> > > index d8b5951..5febae8 100644
> > > --- a/base/kra/shared/conf/CS.cfg.in
> > > +++ b/base/kra/shared/conf/CS.cfg.in
> > > @@ -135,6 +135,7 @@ CrossCertPair.ldap=internaldb
> > > accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
> > > accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
> > > accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
> > > +archive.configuration_file=true
> > > auths._000=##
> > > auths._001=## new authentication
> > > auths._002=##
> > > diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in
> > > index ace7f54..9f92ebf 100644
> > > --- a/base/ocsp/shared/conf/CS.cfg.in
> > > +++ b/base/ocsp/shared/conf/CS.cfg.in
> > > @@ -121,6 +121,7 @@ CrossCertPair.ldap=internaldb
> > > accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
> > > accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
> > > accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
> > > +archive.configuration_file=true
> > > auths._000=##
> > > auths._001=## new authentication
> > > auths._002=##
> > > diff --git a/base/server/scripts/operations b/base/server/scripts/operations
> > > index bfd2de8..bff3573 100644
> > > --- a/base/server/scripts/operations
> > > +++ b/base/server/scripts/operations
> > > @@ -1413,6 +1413,189 @@ verify_symlinks()
> > > return 0
> > > }
> > >
> > > +backup_instance_configuration_files()
> > > +{
> > > + declare -a pki_subsystems=('ca'
> > > + 'kra'
> > > + 'ocsp'
> > > + 'tks'
> > > + 'tps')
> > > +
> > > + # Utilize an identical timestamp on archives for each PKI subsystem
> > > + # residing within the same instance to mark a common archival time
> > > + timestamp=`date +%Y%m%d%H%M%S`
> > > +
> > > + # Automatically enable timestamped archives
> > > + #
> > > + # NOTE: To disable this feature for a particular PKI subsystem
> > > + # within an instance, edit that PKI subsystem's 'CS.cfg' file
> > > + # within the instance:
> > > + #
> > > + # If the 'archive.configuration_file' parameter exists,
> > > + # change it to 'archive.configuration_file=false'.
> > > + #
> > > + # However, if the 'archive.configuration_file' parameter does
> > > + # not exist, simply add 'archive.configuration_file=false'
> > > + # to the 'CS.cfg'.
> > > + #
> > > + # In either case, it is unnecessary to restart the instance,
> > > + # as each instance's 'CS.cfg' file is always processed every
> > > + # time an instance is restarted.
> > > + #
> > > + backup_errors=0
> > > + for pki in "${pki_subsystems[@]}"
> > > + do
> > > + config_dir=${PKI_INSTANCE_PATH}/conf/${pki}
> > > +
> > > + # Check to see if this PKI subsystem exists within this instance
> > > + if [ ! -d ${config_dir} ] ; then
> > > + continue
> > > + fi
> > > +
> > > + # Compute uppercase representation of this PKI subsystem
> > > + PKI=${pki^^}
> > > +
> > > + # Backup parameters
> > > + pki_instance_configuration_file=${config_dir}/CS.cfg
> > > + backup_file=${config_dir}/CS.cfg.bak
> > > + saved_backup_file=${config_dir}/CS.cfg.bak.saved
> > > +
> > > + # Check for an empty 'CS.cfg'
> > > + #
> > > + # NOTE: 'CS.cfg' is always a regular file
> > > + #
> > > + if [ ! -s ${pki_instance_configuration_file} ] ; then
> > > + # Issue a warning that the 'CS.cfg' is empty
> > > + echo "WARNING: The '${pki_instance_configuration_file}' is empty!"
> > > + echo " ${PKI} backups will be discontinued until this"
> > > + echo " issue has been resolved!"
> > > + $((backup_errors++))
> > > + continue
> > > + fi
> > > +
> > > + # Make certain that a previous attempt to backup 'CS.cfg' has not failed
> > > + # (i. e. - 'CS.cfg.bak.saved' exists)
> > > + #
> > > + # NOTE: 'CS.cfg.bak.saved' is always a regular file
> > > + #
> > > + if [ -f ${saved_backup_file} ] ; then
> > > + # 'CS.cfg.bak.saved' is a regular file or a symlink
> > > + echo "WARNING: Since the file '${saved_backup_file}' exists, a"
> > > + echo " previous backup attempt has failed! ${PKI} backups"
> > > + echo " will be discontinued until this issue has been resolved!"
> > > + $((backup_errors++))
> > > + continue
> > > + fi
> > > +
> > > + # If present, compare 'CS.cfg' to 'CS.cfg.bak' to see if it is necessary
> > > + # to backup 'CS.cfg'. 'CS.cfg.bak' may be a regular file, a
> > > + # symlink, or a dangling symlink
> > > + #
> > > + # NOTE: 'CS.cfg.bak' may be a regular file, a symlink, or a
> > > + # dangling symlink
> > > + #
> > > + if [ -f ${backup_file} ] ; then
> > > + # 'CS.cfg.bak' is a regular file or a symlink
> > > + cmp --silent ${pki_instance_configuration_file} ${backup_file}
> > > + rv=$?
> > > + if [ $rv -eq 0 ] ; then
> > > + # 'CS.cfg' is identical to 'CS.cfg.bak';
> > > + # no need to archive or backup 'CS.cfg'
> > > + continue
> > > + fi
> > > +
> > > + # Since it is known that the previous 'CS.cfg.bak' file exists, and
> > > + # and it is either a symlink or a regular file, save the previous
> > > + # 'CS.cfg.bak' to 'CS.cfg.bak.saved'
> > > + #
> > > + # NOTE: If switching between simply creating backups to generating
> > > + # timestamped archives, the previous 'CS.cfg.bak' that
> > > + # existed as a regular file will NOT be archived!
> > > + #
> > > + if [ -h ${backup_file} ] ; then
> > > + # 'CS.cfg.bak' is a symlink
> > > + # (i. e. - copy the timestamped archive to a regular file)
> > > + cp ${backup_file} ${saved_backup_file}
> > > +
> > > + # remove the 'CS.cfg.bak' symlink
> > > + rm ${backup_file}
> > > + else
> > > + # 'CS.cfg.bak' is a regular file
> > > + # (i. e. - simply rename the regular file)
> > > + mv ${backup_file} ${saved_backup_file}
> > > + fi
> > > + elif [ -h ${backup_file} ] ; then
> > > + # 'CS.cfg.bak' is a dangling symlink
> > > + echo "WARNING: The file '${backup_file}' is a dangling symlink"
> > > + echo " which suggests that the previous backup file has"
> > > + echo " been removed! ${PKI} backups will be discontinued"
> > > + echo " until this issue has been resolved!"
> > > + $((backup_errors++))
> > > + continue
> > > + fi
> > > +
> > > + # Check 'CS.cfg' for 'archive.configuration_file' parameter
> > > + # to see if timestamped archives should be disabled
> > > + archive_configuration_file="true"
> > > + line=`grep -e '^[ \t]*archive.configuration_file[ \t]*=' ${pki_instance_configuration_file}`
> > > + if [ "${line}" != "" ] ; then
> > > + archive_configuration_file=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
> > > + fi
> > > +
> > > + # Backup 'CS.cfg'
> > > + if [ "${archive_configuration_file}" != "true" ] ; then
> > > + # Always backup 'CS.cfg' to 'CS.cfg.bak'
> > > + cp -b ${pki_instance_configuration_file} ${backup_file}
> > > + else
> > > + # Archive parameters
> > > + archive_dir=${config_dir}/archives
> > > + archived_file=${archive_dir}/CS.cfg.bak.${timestamp}
> > > +
> > > + # If not present, create an archives directory for this 'CS.cfg'
> > > + if [ ! -d ${archive_dir} ] ; then
> > > + mkdir -p ${archive_dir}
> > > + fi
> > > +
> > > + # Archive 'CS.cfg' to 'CS.cfg.bak.${timestamp}'
> > > + cp -a ${pki_instance_configuration_file} ${archived_file}
> > > + if [ ! -s ${archived_file} ] ; then
> > > + # Issue a warning that the archived backup failed
> > > + echo "WARNING: Failed to archive '${pki_instance_configuration_file}' to '${archived_file}'!"
> > > + $((backup_errors++))
> > > + continue
> > > + fi
> > > +
> > > + # Always create 'CS.cfg.bak' by linking to this archived file
> > > + ln -s ${archived_file} ${backup_file}
> > > +
> > > + # Report that 'CS.cfg' has been successfully archived
> > > + echo "SUCCESS: Successfully archived '${archived_file}'"
> > > + fi
> > > +
> > > + # Check that a non-empty 'CS.cfg.bak' symlink or regular file exists
> > > + if [ ! -s ${backup_file} ] ; then
> > > + # Issue a warning that the backup failed
> > > + echo "WARNING: Failed to backup '${pki_instance_configuration_file}' to '${backup_file}'!"
> > > + $((backup_errors++))
> > > + continue
> > > + else
> > > + # Report that 'CS.cfg' has been successfully backed up
> > > + echo "SUCCESS: Successfully backed up '${backup_file}'"
> > > + fi
> > > +
> > > + # Since 'CS.cfg' was backed up successfully, remove 'CS.cfg.bak.saved'
> > > + if [ -f ${saved_backup_file} ] ; then
> > > + rm ${saved_backup_file}
> > > + fi
> > > + done
> > > +
> > > + if [ ${backup_errors} -ne 0 ]; then
> > > + return 1
> > > + fi
> > > +
> > > + return 0
> > > +}
> > > +
> > > start_instance()
> > > {
> > > rv=0
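Review bot: `$((backup_errors++))` (used at every `continue` in `backup_instance_configuration_files`) expands the arithmetic result and then tries to run it as a command, so the counter does increment but each failure also emits a spurious `0: command not found` style error; write `((backup_errors++))` or `backup_errors=$((backup_errors + 1))` instead. Second, `ln -s ${archived_file} ${backup_file}` is exactly the operation Fraser reports being denied under SELinux for `pki_tomcat_t` (startup failed as a result), so until the selinux-policy bug is resolved the archive branch will fail on every enforcing host; either keep `CS.cfg.bak` a regular copy as in the non-archive branch, or make the symlink dependency explicit in the commit message. Third, the `archives` directory is created with `mkdir -p` under the default umask while `cp -a` preserves the restrictive mode of `CS.cfg`; create the directory with an explicit mode matching the config directory so archived configuration is not listable more widely than the live file. Minor: every path expansion (`${config_dir}`, `${backup_file}`, ...) is unquoted, and the `grep` pattern `archive.configuration_file` leaves the dot unescaped.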
> > > @@ -1453,8 +1636,34 @@ start_instance()
> > > return 6
> > > else
> > > # 0 success
> > > - return 0
> > > +
> > > + # Always create a backup of each PKI subsystem's 'CS.cfg' file
> > > + # within an instance.
> > > + #
> > > + # For every backup failure detected within a PKI subsystem within
> > > + # an instance, a warning message will be issued, and an error code
> > > + # of 1 will be returned.
> > > + #
> > > + # Note that until they have been resolved, every previous backup
> > > + # failures of any PKI subsystem within an instance will also issue
> > > + # a warning message and return an error code of 1. Backups of that
> > > + # particular instance's PKI subsystem will be suspended until this
> > > + # error has been addressed.
> > > + #
> > > + # By default, unless they have been explicitly disabled,
> > > + # a timestamped archive of each PKI subsystem's 'CS.cfg' file
> > > + # within an instance will also be created. Note that a single
> > > + # timestamp will be utlized across each PKI subsystem within
> > > + # an instance for each invocation of this function.
> > > + #
> > > + # When enabled, any timestamped archive failures also issue a
> > > + # warning message and return an error code of 1.
> > > + #
> > > + backup_instance_configuration_files
> > > + rv=$?
> > > fi
> > > +
> > > + return $?
> > > }
> > >
> > > # function used in debian to find the correct jdk
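Review bot: `return $?` after the closing `fi` does not return the backup result. The status of an `if` compound is that of the last command in the branch taken, which in the `else` branch is the plain assignment `rv=$?`, so `$?` is always 0 there and the value stored in `rv` is discarded; the intent is `return $rv`. Worth deciding explicitly before fixing it, though: once `rv` is honoured, a backup warning makes `start_instance` report failure after Tomcat itself has already started, which is the failed-startup symptom described earlier in this thread for the denied symlink, so a failed archive should probably be logged without turning a successful start into a non-zero exit. Also drop the stray blank line directly after `else`.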
> > > diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in
> > > index 4d32f6e..bd2858d 100644
> > > --- a/base/tks/shared/conf/CS.cfg.in
> > > +++ b/base/tks/shared/conf/CS.cfg.in
> > > @@ -112,6 +112,7 @@ CrossCertPair.ldap=internaldb
> > > accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
> > > accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
> > > accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
> > > +archive.configuration_file=true
> > > auths._000=##
> > > auths._001=## new authentication
> > > auths._002=##
> > > diff --git a/base/tps-tomcat/shared/conf/CS.cfg.in b/base/tps-tomcat/shared/conf/CS.cfg.in
> > > index b4b1941..57a7866 100644
> > > --- a/base/tps-tomcat/shared/conf/CS.cfg.in
> > > +++ b/base/tps-tomcat/shared/conf/CS.cfg.in
> > > @@ -4,6 +4,7 @@ _002=##
> > > accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
> > > accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
> > > accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
> > > +archive.configuration_file=true
> > > applet._000=#########################################
> > > applet._001=# applet information
> > > applet._002=# SAF Key:
> > > --
> > > 1.9.3
> > >
> >
> > > _______________________________________________
> > > Pki-devel mailing list
> > > Pki-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
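Ade's diagnostic steps above end with `audit2allow` turning the logged AVC denials into a candidate rule. The following Python is an added example for this thread, not code from the patch or the pki project: it performs the grouping step of that translation on an embedded, constructed audit.log excerpt. The pids, timestamps and the `pki_tomcat_etc_rw_t` target label in the sample are assumptions chosen to resemble the symlink denial discussed here, not records copied from a real system. The output shows which permissions, on which object class, the denied domain lacked, which is the information the selinux-policy bug needs.

```python
"""Summarise SELinux AVC denials from an audit.log excerpt.

Added example for the pki-devel thread above (not part of the patch or
the pki project). It performs, in pure Python, the grouping step that
audit2allow starts with: collect denied AVC records by (source type,
target type, object class) so the missing permissions are visible at a
glance. A constructed sample log is embedded so the script runs offline.
"""
import re
from collections import defaultdict

# Constructed sample audit.log lines in the style of a symlink-creation
# denial for the pki_tomcat_t domain. Pids, timestamps and the target
# label pki_tomcat_etc_rw_t are illustrative assumptions, not real records.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1404891001.123:45): avc:  denied  { create } for  pid=1234 comm="ln" name="CS.cfg.bak" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1404891001.123:45): arch=c000003e syscall=88 success=no exit=-13 comm="ln" exe="/usr/bin/ln"
type=AVC msg=audit(1404891001.456:46): avc:  denied  { read } for  pid=1234 comm="ln" name="CS.cfg.bak" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
type=AVC msg=audit(1404891001.789:47): avc:  granted  { setenforce } for  pid=99 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# One AVC record: verdict, permission set, source/target contexts, class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each denied AVC record.

    SYSCALL records and granted AVCs are skipped; only denials matter for
    working out which rule is missing.
    """
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        perms = frozenset(m.group("perms").split())
        yield (
            selinux_type(m.group("scontext")),
            selinux_type(m.group("tcontext")),
            m.group("tclass"),
            perms,
        )


def summarise_denials(text):
    """Group denials as {(source, target, class): sorted permission list}."""
    grouped = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        grouped[(src, tgt, cls)].update(perms)
    return {key: sorted(perms) for key, perms in grouped.items()}


def format_allow_rules(summary):
    """Render each group in allow-rule syntax, the shape audit2allow prints."""
    lines = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    return lines


if __name__ == "__main__":
    for rule in format_allow_rules(summarise_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Running it prints one allow-style line per (source, target, class) group. Treat that line as the evidence to attach to the bug report rather than as a policy to load: `audit2allow -R` additionally maps raw rules onto policy interfaces, and the real audit.log gathered in permissive mode is what the selinux-policy maintainers need to see.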