Add an installation trigger to force FreeIPA upgrade when tomcat 9.0.31
or later is installed. A tomcat package upgrade might happen
independently of FreeIPA upgrade and thus would require upgrading
FreeIPA configuration before IPA itself could be restarted. The upgrade
code in ipactl will not be able to tell the difference because no
changes are there for FreeIPA version. Instead, if upgrade wasn't done
yet (ipa-pki-proxy.conf does not contain secret=... options), force
ipa-server-upgrade run.

We cannot simply run ipa-server-upgrade in the trigger itself because
that would make it inherit a security context used by rpm. Instead,
start a transient systemd service which will isolate ipa-server-upgrade
in a clean and detached execution environment with the service manager
as its parent process.

Related: https://pagure.io/freeipa/issue/8221
Signed-off-by: Alexander Bokovoy abokovoy@redhat.com
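
The trigger logic this commit message describes, as an added shell example that is not the FreeIPA spec scriptlet: it checks the proxy configuration for a `secret=` option and, if none is present, hands `ipa-server-upgrade` to the service manager with `systemd-run` instead of running it inside rpm's security context. The function names, the unit name `example-ipa-upgrade` and the `DRY_RUN` switch are assumptions, and the path to `ipa-pki-proxy.conf` is passed as an argument because the message does not give it.

```shell
#!/bin/sh
# Added example; names below are assumptions, not FreeIPA's own scriptlet.
UNIT_NAME="example-ipa-upgrade"      # hypothetical transient unit name
UPGRADE_BIN="ipa-server-upgrade"     # command named in the commit message

# Return 0 when the proxy config exists and no active (non-comment) line
# carries a secret= option, i.e. the upgrade has not rewritten it yet.
needs_upgrade() {
    conf="$1"
    [ -f "$conf" ] || return 1       # no config file: nothing to upgrade
    if grep -v '^[[:space:]]*#' "$conf" | grep -q 'secret='; then
        return 1                     # secret already configured
    fi
    return 0
}

# Start the upgrade as a transient systemd service so that PID 1, not rpm,
# is its parent and it does not inherit the scriptlet's security context.
# --no-block returns at once, so the package transaction is not held up;
# --collect drops the unit afterwards even if the upgrade failed.
launch_upgrade() {
    set -- systemd-run --unit="$UNIT_NAME" --no-block --collect "$UPGRADE_BIN"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"                    # default: only show what would be run
    else
        "$@"
    fi
}

# Body of the trigger: decide, then delegate to the service manager.
trigger() {
    if needs_upgrade "$1"; then
        launch_upgrade
    else
        echo "skip"
    fi
}
```

With `DRY_RUN=0` the `systemd-run` command is executed rather than printed; the result can then be followed with `journalctl -u example-ipa-upgrade`.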