ipa-4.11.0-3

- Resolves: RHEL-14428 healthcheck reports nsslapd-accesslog-logbuffering is set to 'off' Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2023-11-20 10:48:30 +01:00 · 2023-11-20 10:48:30 +01:00 · 1c59d31bde
commit 1c59d31bde
parent 80c7b3b6fc
4 changed files with 232 additions and 1 deletions
--- a/0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch
+++ b/0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch
@ -0,0 +1,48 @@
+From 411107e1d1fa64b15978b7c69522613fbf3aa827 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Fri, 29 Sep 2023 10:31:00 +0200
+Subject: [PATCH] ipatests: fix expected output for
+ ipahealthcheck.meta.services
+
+ipa-healthcheck commit 31be12b introduced a change in the output
+message when pki-tomcatd is not running.
+With versions <= 0.12, the service name is displayed as
+pki_tomcatd (with an underscore), but with 0.13+ it is
+pki-tomcatd (with a dash).
+
+Fixes: https://pagure.io/freeipa/issue/9460
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_integration/test_ipahealthcheck.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
+index 35fcfe10508589ded021207a4eba4fb0143495b4..5d79f2b529e819a291228776c4cc278463f02e59 100644
+--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
+@@ -454,6 +454,11 @@ class TestIpaHealthCheck(IntegrationTest):
+             assert data[0]["result"] == "SUCCESS"
+             assert data[0]["kw"]["status"] is True
+ 
+        version = tasks.get_healthcheck_version(self.master)
+        # With healthcheck newer versions, the error msg for PKI tomcat
+        # contains the string pki-tomcatd instead of pki_tomcatd
+        always_replace = parse_version(version) >= parse_version("0.13")
+
+         for service in svc_list:
+             restart_service(self.master, service)
+             returncode, data = run_healthcheck(
+@@ -466,7 +471,7 @@ class TestIpaHealthCheck(IntegrationTest):
+             for check in data:
+                 if check["check"] != service:
+                     continue
+-                if service != 'pki_tomcatd':
+                if service != 'pki_tomcatd' or always_replace:
+                     service = service.replace('_', '-')
+                 assert check["result"] == "ERROR"
+                 assert check["kw"]["msg"] == "%s: not running" % service
+-- 
+2.41.0
+
--- a/0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch
+++ b/0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch
@ -0,0 +1,132 @@
+From 7e76329f76b7605ac6ec255c53b3c15d368a63f7 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 13 Nov 2023 09:48:09 -0500
+Subject: [PATCH] ipatests: ignore nsslapd-accesslog-logbuffering WARN in
+ healthcheck
+
+Log buffering is disabled in the integration tests so we can have all
+the logs at the end. This is causing a warning to show in the 389-ds
+checks and causing tests to fail that expect all SUCCESS.
+
+Add an exclude for this specific key so tests will pass again.
+
+We may eventually want a more sophisiticated mechanism to handle
+excludes, or updating the config in general, but this is fine for now.
+
+Fixes: https://pagure.io/freeipa/issue/9400
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+---
+ .../test_integration/test_ipahealthcheck.py   | 28 +++++++++++++++++++
+ .../test_replica_promotion.py                 |  5 +++-
+ 2 files changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
+index 5d79f2b529e819a291228776c4cc278463f02e59..278f75abdd772a59178a61e2ab63e3178fef2518 100644
+--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
+@@ -10,6 +10,7 @@ from __future__ import absolute_import
+ from configparser import RawConfigParser, NoOptionError
+ from datetime import datetime, timedelta, timezone
+ UTC = timezone.utc
+import io
+ import json
+ import os
+ import re
+@@ -209,6 +210,28 @@ def run_healthcheck(host, source=None, check=None, output_type="json",
+     return result.returncode, data
+ 
+ 
+def set_excludes(host, option, value,
+                 config_file='/etc/ipahealthcheck/ipahealthcheck.conf'):
+    """Mark checks that should be excluded from the results
+
+       This will set in the [excludes] section on host:
+           option=value
+    """
+    EXCLUDES = "excludes"
+
+    conf = host.get_file_contents(config_file, encoding='utf-8')
+    cfg = RawConfigParser()
+    cfg.read_string(conf)
+    if not cfg.has_section(EXCLUDES):
+        cfg.add_section(EXCLUDES)
+    if not cfg.has_option(EXCLUDES, option):
+        cfg.set(EXCLUDES, option, value)
+    out = io.StringIO()
+    cfg.write(out)
+    out.seek(0)
+    host.put_file_contents(config_file, out.read())
+
+
+ @pytest.fixture
+ def restart_service():
+     """Shut down and restart a service as a fixture"""
+@@ -266,6 +289,7 @@ class TestIpaHealthCheck(IntegrationTest):
+             setup_dns=True,
+             extra_args=['--no-dnssec-validation']
+         )
+        set_excludes(cls.master, "key", "DSCLE0004")
+ 
+     def test_ipa_healthcheck_install_on_master(self):
+         """
+@@ -558,6 +582,7 @@ class TestIpaHealthCheck(IntegrationTest):
+                               setup_dns=True,
+                               extra_args=['--no-dnssec-validation']
+                               )
+        set_excludes(self.replicas[0], "key", "DSCLE0004")
+ 
+         # Init a user on replica to assign a DNA range
+         tasks.kinit_admin(self.replicas[0])
+@@ -698,6 +723,7 @@ class TestIpaHealthCheck(IntegrationTest):
+                 'output_type=human'
+             ])
+         )
+        set_excludes(self.master, "key", "DSCLE0004", config_file)
+         returncode, output = run_healthcheck(
+             self.master, failures_only=True, config=config_file
+         )
+@@ -713,6 +739,7 @@ class TestIpaHealthCheck(IntegrationTest):
+                 'output_file=%s' % HC_LOG,
+             ])
+         )
+        set_excludes(self.master, "key", "DSCLE0004")
+         returncode, _unused = run_healthcheck(
+             self.master, config=config_file
+         )
+@@ -2408,6 +2435,7 @@ class TestIpaHealthCLI(IntegrationTest):
+             cls.master, setup_dns=True, extra_args=['--no-dnssec-validation']
+         )
+         tasks.install_packages(cls.master, HEALTHCHECK_PKG)
+        set_excludes(cls.master, "key", "DSCLE0004")
+ 
+     def test_indent(self):
+         """
+diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
+index d477c3a20df80f16d47a55c9359ce165049dd907..b71f2d5d7e1517ab73d79b62477a3377839b0b7a 100644
+--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
+@@ -13,7 +13,7 @@ import pytest
+ 
+ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.test_integration.test_ipahealthcheck import (
+-    run_healthcheck, HEALTHCHECK_PKG
+    run_healthcheck, set_excludes, HEALTHCHECK_PKG
+ )
+ from ipatests.pytest_ipa.integration import tasks
+ from ipatests.pytest_ipa.integration.tasks import (
+@@ -983,6 +983,9 @@ class TestHiddenReplicaPromotion(IntegrationTest):
+         # manually install KRA to verify that hidden state is synced
+         tasks.install_kra(cls.replicas[0])
+ 
+        set_excludes(cls.master, "key", "DSCLE0004")
+        set_excludes(cls.replicas[0], "key", "DSCLE0004")
+
+     def _check_dnsrecords(self, hosts_expected, hosts_unexpected=()):
+         domain = DNSName(self.master.domain.name).make_absolute()
+         rset = [
+-- 
+2.41.0
+
--- a/0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch
+++ b/0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch
@ -0,0 +1,45 @@
+From faf8be455a6ab4f5b1bed00a611e655535ed31e7 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 14 Nov 2023 13:21:30 -0500
+Subject: [PATCH] ipatests: fix expected output for ipahealthcheck.ipa.host
+
+ipa-healthcheck commit e69589d5 changed the output when a service
+keytab is missing to not report the GSSAPI error but to report
+that the keytab doesn't exist at all. This distinguishes from real
+Kerberos issues like kvno.
+
+Fixes: https://pagure.io/freeipa/issue/9482
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+---
+ ipatests/test_integration/test_ipahealthcheck.py | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
+index 278f75abdd772a59178a61e2ab63e3178fef2518..785e9abbae3b807f100a3d875e0c0b23f868be83 100644
+--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
+@@ -635,9 +635,15 @@ class TestIpaHealthCheck(IntegrationTest):
+         ipahealthcheck.ipa.host when GSSAPI credentials cannot be obtained
+         from host's keytab.
+         """
+-        msg = (
+-            "Minor (2529639107): No credentials cache found"
+-        )
+        version = tasks.get_healthcheck_version(self.master)
+        if parse_version(version) >= parse_version("0.15"):
+            msg = (
+                "Service {service} keytab {path} does not exist."
+            )
+        else:
+            msg = (
+                "Minor (2529639107): No credentials cache found"
+            )
+ 
+         with tasks.FileBackup(self.master, paths.KRB5_KEYTAB):
+             self.master.run_command(["rm", "-f", paths.KRB5_KEYTAB])
+-- 
+2.41.0
+
--- a/freeipa.spec
+++ b/freeipa.spec
@ -223,7 +223,7 @@

 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        2%{?rc_version:.%rc_version}%{?dist}
+Release:        3%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system

 License:        GPL-3.0-or-later
@ -255,6 +255,9 @@ Patch0005:      0005-Allow-password-policy-minlength-to-be-removed-like-o.patch
 Patch0006:      0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch
 Patch0007:      0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch
 Patch0008:      0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch
+Patch0009:      0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch
+Patch0010:      0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch
+Patch0011:      0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@ -1747,6 +1750,9 @@ fi
 %endif

 %changelog
+* Mon Nov 20 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-3
+- Resolves: RHEL-14428 healthcheck reports nsslapd-accesslog-logbuffering is set to 'off'
+
 * Mon Nov 6 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-2
 - Resolves: RHEL-14292 Backport latest test fixes in python3-ipatests
 - Resolves: RHEL-15443 Server install: failure to install with externally signed CA because of timezone issue