[Freeipa-devel] [PATCH] 412 Remove entitlement support

Alexander Bokovoy abokovoy at redhat.com
Thu Jul 11 15:02:49 UTC 2013


On Thu, 27 Jun 2013, Martin Kosek wrote:
>On 06/27/2013 12:32 PM, Jan Cholasta wrote:
>> On 26.6.2013 14:03, Tomas Babej wrote:
>>> On 06/19/2013 10:31 AM, Petr Vobornik wrote:
>>>> On 06/19/2013 10:13 AM, Martin Kosek wrote:
>>>>> Entitlements code was not tested nor supported upstream since
>>>>> version 3.0. Remove the associated code.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3739
>>>>>
>>>>> ----
>>>>>
>>>>> As agreed on Triage meeting, I plan to push this patch to ipa-3-2 and
>>>>> master
>>>>> branches.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>>
>>>> ACK on Web UI part.
>>>
>>> ACK on the IPA part
>>>
>>> Tomas
>>>
>>
>> ipa-upgradeconfig fails for me when upgrading from version with entitlement
>> plugin to version without entitlement plugin:
>>
>> 2013-06-26T22:22:43Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with
>> options: {'debug': False, 'quiet': True}
>> 2013-06-26T22:22:43Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2013-06-26T22:22:43Z DEBUG importing all plugin modules in
>> '/usr/lib/python2.7/site-packages/ipalib/plugins'...
>> <snip>
>> 2013-06-26T22:22:43Z DEBUG importing plugin module
>> '/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py'
>> 2013-06-26T22:22:43Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 614,
>> in run_script
>>     return_value = main_function()
>>
>>   File "/usr/sbin/ipa-upgradeconfig", line 872, in main
>>     api.finalize()
>>
>>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 674, in
>> finalize
>>     self.__do_if_not_done('load_plugins')
>>
>>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 454, in
>> __do_if_not_done
>>     getattr(self, name)()
>>
>>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 613, in
>> load_plugins
>>     self.import_plugins('ipalib')
>>
>>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 655, in
>> import_plugins
>>     __import__(fullname)
>>
>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py", line 180,
>> in <module>
>>     class entitle(LDAPObject):
>>
>>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py", line 184,
>> in entitle
>>     container_dn = api.env.container_entitlements
>>
>> 2013-06-26T22:22:43Z DEBUG The ipa-upgradeconfig command failed, exception:
>> AttributeError: 'Env' object has no attribute 'container_entitlements'
>>
>> Honza
>>
>
>This happens because we run ipa-upgradeconfig in %post while there was still
>entitlements plugin. I think that clean solution for this plugin (and also for
>other future occurrences of this issue) is to run upgrade/server restart
>process only in %posttrans.
>
>In the end, I iterated to the attached patch. With this spec change, I was able
>to upgrade from FreeIPA 3.2 to current master version without any entitlements
>related upgrade error.
>
>Adding Alexander and Rob to CC to double-check this upgrade-related change, I
>want to be sure I didn't do something stupid.
The patch needed rebase and it also had formatting errors.
I've fixed the patch (attached) and tested it, all works.

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From b5e4b46a2a7c22de69cbd3841b7ce2625771018e Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek at redhat.com>
Date: Thu, 11 Jul 2013 17:35:26 +0300
Subject: [PATCH 2/2] Run server upgrade and restart in posttrans

Running server upgrade or restart in %post or %postun may cause issues when
there are still parts of old FreeIPA software (like entitlements plugin).

https://fedorahosted.org/freeipa/ticket/3739
---
 freeipa.spec.in | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index f2847e1..05b43bc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -468,13 +468,22 @@ rm -rf %{buildroot}
 # END
 if [ $1 -gt 1 ] ; then
     /bin/systemctl condrestart certmonger.service 2>&1 || :
-    /usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
 fi
 
 %posttrans server
 # This must be run in posttrans so that updates from previous
 # execution that may no longer be shipped are not applied.
 /usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || :
+/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
+
+# Restart IPA processes. This must be also run in postrans so that plugins
+# and software is in consistent state
+python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+# NOTE: systemd specific section
+if [  $? -eq 0 ]; then
+    /bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
+fi
+# END
 
 %preun server
 if [ $1 = 0 ]; then
@@ -484,14 +493,6 @@ if [ $1 = 0 ]; then
 # END
 fi
 
-%postun server
-if [ "$1" -ge "1" ]; then
-# NOTE: systemd specific section
-    /bin/systemctl --quiet is-active ipa.service >/dev/null && \
-    /bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
-# END
-fi
-
 %pre server
 # Stop ipa_kpasswd if it exists before upgrading so we don't have a
 # zombie process when we're done.
@@ -511,6 +512,8 @@ fi
 %post server-trust-ad
 %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
 				winbind_krb5_locator.so /dev/null 90
+
+%posttrans server-trust-ad
 python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
 if [  $? -eq 0 ]; then
 # NOTE: systemd specific section
@@ -816,6 +819,10 @@ fi
 %endif  # ! %{ONLY_CLIENT}
 
 %changelog
+* Thu Jul 11 2013 Martin Kosek <mkosek at redhat.com> - 3.2.99-5
+- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
+  issues when there are still old parts of software (like entitlements plugin)
+
 * Wed Jul 10 2013 Ana Krivokapic <akrivoka at redhat.com> - 3.2.99-4
 - Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix.
 
-- 
1.8.3.1



More information about the Freeipa-devel mailing list