From 1c59d31bde251becf46ee0e7498b3383d38af216 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Mon, 20 Nov 2023 10:48:30 +0100 Subject: [PATCH] ipa-4.11.0-3 - Resolves: RHEL-14428 healthcheck reports nsslapd-accesslog-logbuffering is set to 'off' Signed-off-by: Florence Blanc-Renaud --- ...ected-output-for-ipahealthcheck.meta.patch | 48 +++++++ ...nsslapd-accesslog-logbuffering-WARN-.patch | 132 ++++++++++++++++++ ...ected-output-for-ipahealthcheck.ipa..patch | 45 ++++++ freeipa.spec | 8 +- 4 files changed, 232 insertions(+), 1 deletion(-) create mode 100644 0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch create mode 100644 0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch create mode 100644 0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch diff --git a/0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch b/0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch new file mode 100644 index 0000000..eba1717 --- /dev/null +++ b/0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch @@ -0,0 +1,48 @@ +From 411107e1d1fa64b15978b7c69522613fbf3aa827 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Fri, 29 Sep 2023 10:31:00 +0200 +Subject: [PATCH] ipatests: fix expected output for + ipahealthcheck.meta.services + +ipa-healthcheck commit 31be12b introduced a change in the output +message when pki-tomcatd is not running. +With versions <= 0.12, the service name is displayed as +pki_tomcatd (with an underscore), but with 0.13+ it is +pki-tomcatd (with a dash). + +Fixes: https://pagure.io/freeipa/issue/9460 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_ipahealthcheck.py | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 35fcfe10508589ded021207a4eba4fb0143495b4..5d79f2b529e819a291228776c4cc278463f02e59 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -454,6 +454,11 @@ class TestIpaHealthCheck(IntegrationTest): + assert data[0]["result"] == "SUCCESS" + assert data[0]["kw"]["status"] is True + ++ version = tasks.get_healthcheck_version(self.master) ++ # With healthcheck newer versions, the error msg for PKI tomcat ++ # contains the string pki-tomcatd instead of pki_tomcatd ++ always_replace = parse_version(version) >= parse_version("0.13") ++ + for service in svc_list: + restart_service(self.master, service) + returncode, data = run_healthcheck( +@@ -466,7 +471,7 @@ class TestIpaHealthCheck(IntegrationTest): + for check in data: + if check["check"] != service: + continue +- if service != 'pki_tomcatd': ++ if service != 'pki_tomcatd' or always_replace: + service = service.replace('_', '-') + assert check["result"] == "ERROR" + assert check["kw"]["msg"] == "%s: not running" % service +-- +2.41.0 + diff --git a/0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch b/0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch new file mode 100644 index 0000000..553c2cc --- /dev/null +++ b/0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch @@ -0,0 +1,132 @@ +From 7e76329f76b7605ac6ec255c53b3c15d368a63f7 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 13 Nov 2023 09:48:09 -0500 +Subject: [PATCH] ipatests: ignore nsslapd-accesslog-logbuffering WARN in + healthcheck + +Log buffering is disabled in the integration tests so we can have all +the logs at the end. This is causing a warning to show in the 389-ds +checks and causing tests to fail that expect all SUCCESS. + +Add an exclude for this specific key so tests will pass again. + +We may eventually want a more sophisiticated mechanism to handle +excludes, or updating the config in general, but this is fine for now. + +Fixes: https://pagure.io/freeipa/issue/9400 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Michal Polovka +--- + .../test_integration/test_ipahealthcheck.py | 28 +++++++++++++++++++ + .../test_replica_promotion.py | 5 +++- + 2 files changed, 32 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 5d79f2b529e819a291228776c4cc278463f02e59..278f75abdd772a59178a61e2ab63e3178fef2518 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -10,6 +10,7 @@ from __future__ import absolute_import + from configparser import RawConfigParser, NoOptionError + from datetime import datetime, timedelta, timezone + UTC = timezone.utc ++import io + import json + import os + import re +@@ -209,6 +210,28 @@ def run_healthcheck(host, source=None, check=None, output_type="json", + return result.returncode, data + + ++def set_excludes(host, option, value, ++ config_file='/etc/ipahealthcheck/ipahealthcheck.conf'): ++ """Mark checks that should be excluded from the results ++ ++ This will set in the [excludes] section on host: ++ option=value ++ """ ++ EXCLUDES = "excludes" ++ ++ conf = host.get_file_contents(config_file, encoding='utf-8') ++ cfg = RawConfigParser() ++ cfg.read_string(conf) ++ if not cfg.has_section(EXCLUDES): ++ cfg.add_section(EXCLUDES) ++ if not cfg.has_option(EXCLUDES, option): ++ cfg.set(EXCLUDES, option, value) ++ out = io.StringIO() ++ cfg.write(out) ++ out.seek(0) ++ host.put_file_contents(config_file, out.read()) ++ ++ + @pytest.fixture + def restart_service(): + """Shut down and restart a service as a fixture""" +@@ -266,6 +289,7 @@ class TestIpaHealthCheck(IntegrationTest): + setup_dns=True, + extra_args=['--no-dnssec-validation'] + ) ++ set_excludes(cls.master, "key", "DSCLE0004") + + def test_ipa_healthcheck_install_on_master(self): + """ +@@ -558,6 +582,7 @@ class TestIpaHealthCheck(IntegrationTest): + setup_dns=True, + extra_args=['--no-dnssec-validation'] + ) ++ set_excludes(self.replicas[0], "key", "DSCLE0004") + + # Init a user on replica to assign a DNA range + tasks.kinit_admin(self.replicas[0]) +@@ -698,6 +723,7 @@ class TestIpaHealthCheck(IntegrationTest): + 'output_type=human' + ]) + ) ++ set_excludes(self.master, "key", "DSCLE0004", config_file) + returncode, output = run_healthcheck( + self.master, failures_only=True, config=config_file + ) +@@ -713,6 +739,7 @@ class TestIpaHealthCheck(IntegrationTest): + 'output_file=%s' % HC_LOG, + ]) + ) ++ set_excludes(self.master, "key", "DSCLE0004") + returncode, _unused = run_healthcheck( + self.master, config=config_file + ) +@@ -2408,6 +2435,7 @@ class TestIpaHealthCLI(IntegrationTest): + cls.master, setup_dns=True, extra_args=['--no-dnssec-validation'] + ) + tasks.install_packages(cls.master, HEALTHCHECK_PKG) ++ set_excludes(cls.master, "key", "DSCLE0004") + + def test_indent(self): + """ +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index d477c3a20df80f16d47a55c9359ce165049dd907..b71f2d5d7e1517ab73d79b62477a3377839b0b7a 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -13,7 +13,7 @@ import pytest + + from ipatests.test_integration.base import IntegrationTest + from ipatests.test_integration.test_ipahealthcheck import ( +- run_healthcheck, HEALTHCHECK_PKG ++ run_healthcheck, set_excludes, HEALTHCHECK_PKG + ) + from ipatests.pytest_ipa.integration import tasks + from ipatests.pytest_ipa.integration.tasks import ( +@@ -983,6 +983,9 @@ class TestHiddenReplicaPromotion(IntegrationTest): + # manually install KRA to verify that hidden state is synced + tasks.install_kra(cls.replicas[0]) + ++ set_excludes(cls.master, "key", "DSCLE0004") ++ set_excludes(cls.replicas[0], "key", "DSCLE0004") ++ + def _check_dnsrecords(self, hosts_expected, hosts_unexpected=()): + domain = DNSName(self.master.domain.name).make_absolute() + rset = [ +-- +2.41.0 + diff --git a/0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch b/0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch new file mode 100644 index 0000000..bd27617 --- /dev/null +++ b/0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch @@ -0,0 +1,45 @@ +From faf8be455a6ab4f5b1bed00a611e655535ed31e7 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 14 Nov 2023 13:21:30 -0500 +Subject: [PATCH] ipatests: fix expected output for ipahealthcheck.ipa.host + +ipa-healthcheck commit e69589d5 changed the output when a service +keytab is missing to not report the GSSAPI error but to report +that the keytab doesn't exist at all. This distinguishes from real +Kerberos issues like kvno. + +Fixes: https://pagure.io/freeipa/issue/9482 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Michal Polovka +--- + ipatests/test_integration/test_ipahealthcheck.py | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 278f75abdd772a59178a61e2ab63e3178fef2518..785e9abbae3b807f100a3d875e0c0b23f868be83 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -635,9 +635,15 @@ class TestIpaHealthCheck(IntegrationTest): + ipahealthcheck.ipa.host when GSSAPI credentials cannot be obtained + from host's keytab. + """ +- msg = ( +- "Minor (2529639107): No credentials cache found" +- ) ++ version = tasks.get_healthcheck_version(self.master) ++ if parse_version(version) >= parse_version("0.15"): ++ msg = ( ++ "Service {service} keytab {path} does not exist." ++ ) ++ else: ++ msg = ( ++ "Minor (2529639107): No credentials cache found" ++ ) + + with tasks.FileBackup(self.master, paths.KRB5_KEYTAB): + self.master.run_command(["rm", "-f", paths.KRB5_KEYTAB]) +-- +2.41.0 + diff --git a/freeipa.spec b/freeipa.spec index 1548f41..80b384f 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -223,7 +223,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 2%{?rc_version:.%rc_version}%{?dist} +Release: 3%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later @@ -255,6 +255,9 @@ Patch0005: 0005-Allow-password-policy-minlength-to-be-removed-like-o.patch Patch0006: 0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch Patch0007: 0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch Patch0008: 0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch +Patch0009: 0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch +Patch0010: 0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch +Patch0011: 0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -1747,6 +1750,9 @@ fi %endif %changelog +* Mon Nov 20 2023 Florence Blanc-Renaud - 4.11.0-3 +- Resolves: RHEL-14428 healthcheck reports nsslapd-accesslog-logbuffering is set to 'off' + * Mon Nov 6 2023 Florence Blanc-Renaud - 4.11.0-2 - Resolves: RHEL-14292 Backport latest test fixes in python3-ipatests - Resolves: RHEL-15443 Server install: failure to install with externally signed CA because of timezone issue