diff --git a/0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch b/0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch
new file mode 100644
index 0000000..57b003d
--- /dev/null
+++ b/0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch
@@ -0,0 +1,74 @@
+From fa7b54356d9b8c0d7b3b5788f527ef3eecdf58b8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 21 Mar 2018 10:33:32 +0200
+Subject: [PATCH] upgrade: Run configuration upgrade under empty ccache
+ collection
+
+Use temporary empty DIR-based ccache collection to prevent upgrade
+failures in case KCM: or KEYRING: ccache type is used by default in
+krb5.conf and is not available. We don't need any user credentials
+during upgrade procedure but kadmin.local would attempt to resolve
+default ccache and if that's not available, kadmin.local will fail.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
+Signed-off-by: Alexander Bokovoy
+---
+ ipaserver/install/server/upgrade.py | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index a38f4115c..5212a2749 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -11,6 +11,7 @@ import shutil
+ import pwd
+ import fileinput
+ import sys
++from contextlib import contextmanager
+ from augeas import Augeas
+ import dns.exception
+ from ipalib import api, x509
+@@ -1926,6 +1927,30 @@ def upgrade_check(options):
+ logger.warning("Upgrade without version check may break your system")
+
+
++@contextmanager
++def empty_ccache():
++ # Create temporary directory and use it as a DIR: ccache collection
++ # instead of whatever is a default in /etc/krb5.conf
++ #
++ # In Fedora 28 KCM: became a default credentials cache collection
++ # but if KCM daemon (part of SSSD) is not running, libkrb5 will fail
++ # to initialize. This causes kadmin.local to fail.
++ # Since we are in upgrade, we cannot kinit anyway (KDC is offline).
++ # Bug https://bugzilla.redhat.com/show_bug.cgi?id=1558818
++ kpath_dir = tempfile.mkdtemp(prefix="upgrade_ccaches", dir=paths.IPA_CCACHES)
++ kpath = "DIR:{dir}s".format(dir=kpath_dir)
++ old_path = os.getenv('KRB5CCNAME')
++ try:
++ os.environ['KRB5CCNAME'] = kpath
++ yield
++ finally:
++ if old_path:
++ os.environ['KRB5CCNAME'] = old_path
++ for f in os.listdir(kpath_dir):
++ os.remove(os.path.join(kpath_dir, f))
++ os.rmdir(kpath_dir)
++
++
+ def upgrade():
+ realm = api.env.realm
+ schema_files = [os.path.join(paths.USR_SHARE_IPA_DIR, f) for f
+@@ -1950,7 +1975,8 @@ def upgrade():
+
+ print('Upgrading IPA services')
+ logger.info('Upgrading the configuration of the IPA services')
+- upgrade_configuration()
++ with empty_ccache():
++ upgrade_configuration()
+ logger.info('The IPA services were upgraded')
+
+ # store new data version after upgrade
+--
+2.14.3
+
diff --git a/0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch b/0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch
deleted file mode 100644
index b5dfe11..0000000
--- a/0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch
+++ /dev/null
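Review bot: `kpath = "DIR:{dir}s".format(dir=kpath_dir)` in the new `empty_ccache()` appends a literal `s` to the directory name, so `KRB5CCNAME` names `DIR:<tempdir>s`, a path that `mkdtemp` never created, while the `finally` block scrubs and removes the real `kpath_dir`; the directory that libkrb5 was actually pointed at is neither the private 0700 one just created nor touched by the cleanup, and any collection files created under the `…s` path would be left behind in `paths.IPA_CCACHES`. The line should read `kpath = "DIR:{dir}".format(dir=kpath_dir)`. The restore branch also only covers a previously-set variable: when `KRB5CCNAME` was unset on entry, the manager exits leaving it set to the now-removed collection for the rest of the process, so `if old_path:` wants an `else: os.environ.pop('KRB5CCNAME', None)`. The import hunk only adds `contextmanager`; whether `tempfile` is already imported in upgrade.py is not visible in this patch and should be confirmed, since the new function depends on it.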
@@ -1,88 +0,0 @@ -From c25c5c1c85d4ee3aaea7c62a32134c0af56b9004 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 21 Mar 2018 10:33:32 +0200 -Subject: [PATCH] upgrade: Run configuration upgrade under file-based ccache - -Use anonymous file-based ccache to prevent upgrade failures -in case KCM: or KEYRING: ccache type is used by default -in krb5.conf and is not available. We don't need any user -credentials during upgrade procedure but kadmin.local -would attempt to resolve default ccache and if that's not -available, kadmin.local will fail. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818 -Signed-off-by: Alexander Bokovoy ---- - ipaserver/install/server/upgrade.py | 39 +++++++++++++++++++++++++++++++++++-- - 1 file changed, 37 insertions(+), 2 deletions(-) - -diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py -index a38f4115c..00389a914 100644 ---- a/ipaserver/install/server/upgrade.py -+++ b/ipaserver/install/server/upgrade.py -@@ -11,10 +11,11 @@ import shutil - import pwd - import fileinput - import sys -+from contextlib import contextmanager - from augeas import Augeas - import dns.exception - from ipalib import api, x509 --from ipalib.install import certmonger, sysrestore -+from ipalib.install import certmonger, sysrestore, kinit - import SSSDConfig - import ipalib.util - import ipalib.errors -@@ -1926,6 +1927,32 @@ def upgrade_check(options): - logger.warning("Upgrade without version check may break your system") - - -+@contextmanager -+def anonymous_ccache(): -+ kpath = os.path.join(paths.IPA_CCACHES, -+ "upgrade_ccache_{}".format(os.getpid())) -+ -+ try: -+ logger.debug('Obtaining anonymous creds in ccache %s', kpath) -+ kinit.kinit_armor( -+ kpath, -+ pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM], -+ ) -+ kdestroy = True -+ except RuntimeError: -+ logger.error("Failed to obtain anonymous creds cache") -+ kdestroy = False -+ old_path = os.getenv('KRB5CCNAME') -+ try: -+ 
os.environ['KRB5CCNAME'] = kpath -+ yield -+ finally: -+ if old_path: -+ os.environ['KRB5CCNAME'] = old_path -+ if kdestroy: -+ installutils.remove_ccache(kpath) -+ -+ - def upgrade(): - realm = api.env.realm - schema_files = [os.path.join(paths.USR_SHARE_IPA_DIR, f) for f -@@ -1950,7 +1977,15 @@ def upgrade(): - - print('Upgrading IPA services') - logger.info('Upgrading the configuration of the IPA services') -- upgrade_configuration() -+ # Use anonymous file-based ccache to prevent upgrade failures -+ # in case KCM: or KEYRING: ccache type is used by default -+ # in krb5.conf and is not available. We don't need any user -+ # credentials during upgrade procedure but kadmin.local -+ # would attempt to resolve default ccache and if that's not -+ # available, kadmin.local will fail. -+ # Bug https://bugzilla.redhat.com/show_bug.cgi?id=1558818 -+ with anonymous_ccache(): -+ upgrade_configuration() - logger.info('The IPA services were upgraded') - - # store new data version after upgrade --- -2.14.3 - diff --git a/freeipa.spec b/freeipa.spec index 2c7d13d..311dda4 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -100,7 +100,7 @@ Name: freeipa Version: %{VERSION} -Release: 5%{?dist} +Release: 6%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -110,7 +110,7 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc Patch0001: 0001-Processing-of-server-roles-should-ignore-errors.Empt.patch Patch0002: 0002-Update-template-directory-with-new-variables-when-up.patch -Patch0003: 0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch +Patch0003: 0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch Patch0004: 0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch # For the timestamp trick in patch application 
@@ -1720,6 +1720,9 @@ fi %endif # with_ipatests %changelog +* Tue Mar 21 2018 Alexander Bokovoy - 4.6.90.pre1-6 +- Change upgrade code to use DIR-based ccache and no kinit (#1558818) + * Tue Mar 20 2018 Alexander Bokovoy - 4.6.90.pre1-5 - Apply upstream fix for #1558354 - Run upgrade under file-based ccache (#1558818)