ipa-4.9.8-3

- Resolves: rhbz#2050540 Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes - Resolves: rhbz#2051582 Enable ipa-ccache-sweep.timer during server installation - Resolves: rhbz#2051844 ipa-join tests are failing due to changes in expected output Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2022-02-11 15:04:19 +01:00 · 2022-02-11 15:04:19 +01:00 · c7bf31948f
commit c7bf31948f
parent b412308f26
5 changed files with 351 additions and 1 deletions
--- a/0017-Don-t-always-override-the-port-in-import_included_pr.patch
+++ b/0017-Don-t-always-override-the-port-in-import_included_pr.patch
@ -0,0 +1,104 @@
+From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 28 Jan 2022 16:46:35 -0500
+Subject: [PATCH] Don't always override the port in import_included_profiles
+
+I can only guess to the original purpose of this override. I
+believe it was because this is called in the installer prior
+to Apache being set up. The expectation was that this would
+only be called locally. It predates the RestClient class.
+
+RestClient will attempt to find an available service. In this
+case, during a CA installation, the local server is not
+considered available because it lacks an entry in
+cn=masters. So it will never be returned as an option.
+
+So by overriding the port to 8443 the remote connection will
+likely fail because we don't require that the port be open.
+
+So instead, instantiate a RestClient and see what happens.
+
+There are several use-cases:
+
+1. Installing an initial server. The RestClient connection
+   should fail, so we will fall back to the override port and
+   use the local server. If Apache happens to be running with
+   a globally-issued certificate then the RestClient will
+   succeed. In this case if the connected host and the local
+   hostname are the same, override in that case as well.
+
+2. Installing as a replica. In this case the local server should
+   be ignored in all cases and a remote CA will be picked with
+   no override done.
+
+3. Switching from CA-less to CA-ful. The web server will be
+   trusted but the RestClient login will fail with a 404. Fall
+   back to the override port in this case.
+
+The motivation for this is trying to install an EL 8.x replica
+against an EL 7.9 server. 8.5+ includes the ACME service and
+a new profile is needed which doesn't exist in 7. This was
+failing because the RestClient determined that the local server
+wasn't running a CA so tried the remote one (7.9) on the override
+port 8443. Since this port isn't open: failure.
+
+Chances are that adding the profile is still going to fail
+because again, 7.9 lacks ACME capabilities, but it will fail in
+a way that allows the installation to continue.
+
+I suspect that all of the overrides can similarly handled, or
+handled directly within the RestClient class, but for the sake
+of "do no harm" I'm only changing this instance for now.
+
+https://pagure.io/freeipa/issue/9100
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 8c8bf1b3a7bcf8a9c50183579b874a5710a32ac3..ad206aad411b42336e86e0b651a948fccd3a75ac 100644
+--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
+@@ -1953,7 +1953,35 @@ def import_included_profiles():
+         cn=['certprofiles'],
+     )
+ 
+-    api.Backend.ra_certprofile.override_port = 8443
+    # At this point Apache may or may not be running with a valid
+    # certificate. The local server is not yet recognized as a full
+    # CA yet so it isn't discoverable. So try to do some detection
+    # on what port to use, 443 (remote) or 8443 (local) for importing
+    # the profiles.
+    #
+    # api.Backend.ra_certprofile invokes the RestClient class
+    # which will discover and login to the CA REST API. We can
+    # use this information to detect where to import the profiles.
+    #
+    # If the login is successful (e.g. doesn't raise an exception)
+    # and it returns our hostname (it prefers the local host) then
+    # we override and talk locally.
+    #
+    # Otherwise a NetworkError means we can't connect on 443 (perhaps
+    # a firewall) or we get an HTTP error (valid TLS certificate on
+    # Apache but no CA, login fails with 404) so we override to the
+    # local server.
+    #
+    # When override port was always set to 8443 the RestClient could
+    # pick a remote server and since 8443 isn't in our firewall profile
+    # setting up a new server would fail.
+    try:
+        with api.Backend.ra_certprofile as profile_api:
+            if profile_api.ca_host == api.env.host:
+                api.Backend.ra_certprofile.override_port = 8443
+    except (errors.NetworkError, errors.RemoteRetrieveError) as e:
+        logger.debug('Overriding CA port: %s', e)
+        api.Backend.ra_certprofile.override_port = 8443
+ 
+     for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
+         dn = DN(('cn', profile_id),
+-- 
+2.34.1
+
--- a/0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch
+++ b/0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch
@ -0,0 +1,115 @@
+From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 31 Jan 2022 17:31:50 -0500
+Subject: [PATCH] Remove ipa-join errors from behind the debug option
+
+This brings it inline with the previous XML-RPC output which
+only hid the request and response from the output and not
+any errors returned.
+
+https://pagure.io/freeipa/issue/9103
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
+---
+ client/ipa-join.c | 27 +++++++++------------------
+ 1 file changed, 9 insertions(+), 18 deletions(-)
+
+diff --git a/client/ipa-join.c b/client/ipa-join.c
+index d98739a9abfb01ecf619187483bfc6677957d498..5888a33bf221eb5d455b2adcfa0f33b38f0969ca 100644
+--- a/client/ipa-join.c
+++ b/client/ipa-join.c
+@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
+ 
+     json_str = json_dumps(json, 0);
+     if (!json_str) {
+-        if (debug)
+-            fprintf(stderr, _("json_dumps() failed\n"));
+        fprintf(stderr, _("json_dumps() failed\n"));
+ 
+         rval = 17;
+         goto cleanup;
+@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
+     CURLcode res = curl_easy_perform(curl);
+     if (res != CURLE_OK)
+     {
+-        if (debug)
+-            fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
+        fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
+ 
+         rval = 17;
+         goto cleanup;
+@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
+     curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code);
+ 
+     if (resp_code != 200) {
+-        if (debug)
+-            fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
+        fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
+ 
+         if (!quiet && resp_code == 401)
+             fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n"));
+@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
+ 
+     j_root = json_loads(payload, 0, &j_error);
+     if (!j_root) {
+-        if (debug)
+-            fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
+        fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
+ 
+         rval = 17;
+         goto cleanup;
+@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
+ 
+     *j_result_obj = json_object_get(j_root, "result");
+     if (!*j_result_obj) {
+-        if (debug)
+-            fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
+        fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
+ 
+         rval = 17;
+         goto cleanup;
+@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet)
+                        &tmp_hostdn,
+                        "krbprincipalname", &tmp_princ,
+                        "krblastpwdchange", &tmp_pwdch) != 0) {
+-        if (debug)
+-            fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+        fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+ 
+         rval = 17;
+         goto cleanup;
+@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co
+                              "nshardwareplatform", uinfo.machine);
+ 
+     if (!json_req) {
+-        if (debug)
+-            fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+        fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+ 
+         rval = 17;
+         goto cleanup;
+@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) {
+ 
+     if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}",
+                        "result", result) != 0) {
+-        if (debug)
+-            fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+        fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+ 
+         rval = 20;
+         goto cleanup;
+@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) {
+                             host);
+ 
+     if (!json_req) {
+-        if (debug)
+-            fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+        fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+ 
+         rval = 17;
+         goto cleanup;
+-- 
+2.34.1
+
--- a/0019-Enable-the-ccache-sweep-timer-during-installation.patch
+++ b/0019-Enable-the-ccache-sweep-timer-during-installation.patch
@ -0,0 +1,47 @@
+From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 7 Feb 2022 10:39:55 -0500
+Subject: [PATCH] Enable the ccache sweep timer during installation
+
+The timer was only being enabled during package installation
+if IPA was configured. So effectively only on upgrade.
+
+Add as a separate installation step after the ccache directory
+is configured.
+
+Fixes: https://pagure.io/freeipa/issue/9107
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/install/httpinstance.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 732bb58d49addcb2a9f7698d577527257a17fe66..50ccf5e5031c37171cebe6f20232f3bd645cedeb 100644
+--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
+@@ -140,6 +140,8 @@ class HTTPInstance(service.Service):
+         self.step("publish CA cert", self.__publish_ca_cert)
+         self.step("clean up any existing httpd ccaches",
+                   self.remove_httpd_ccaches)
+        self.step("enable ccache sweep",
+                  self.enable_ccache_sweep)
+         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+         if not self.is_kdcproxy_configured():
+             self.step("create KDC proxy config", self.create_kdcproxy_conf)
+@@ -177,6 +179,11 @@ class HTTPInstance(service.Service):
+             [paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES]
+         )
+ 
+    def enable_ccache_sweep(self):
+        ipautil.run(
+            [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer']
+        )
+
+     def __configure_http(self):
+         self.update_httpd_service_ipa_conf()
+         self.update_httpd_wsgi_conf()
+-- 
+2.34.1
+
--- a/0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch
+++ b/0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch
@ -0,0 +1,71 @@
+From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Wed, 9 Feb 2022 18:56:21 +0530
+Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during
+ installation
+
+This test checks that ipa-ccache-sweep.timer is enabled by default
+during the ipa installation.
+
+related: https://pagure.io/freeipa/issue/9107
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ .../test_integration/test_installation.py     | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index f2d372c0c0356f244971a2af808db45dd6c8cb5b..63edbaa2bb4dbae174c6ab8c8f193cc24cc45b14 100644
+--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
+@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest):
+ 
+         # Tweak sysrestore.state to drop installation section
+         self.master.run_command(
+-            ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
+            ['sed', '-i', r's/\[installation\]/\[badinstallation\]/',
+              os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
+ 
+         # Re-run installation check and it should fall back to old method
+@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest):
+ 
+         # Restore installation section.
+         self.master.run_command(
+-            ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
+            ['sed', '-i', r's/\[badinstallation\]/\[installation\]/',
+              os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
+ 
+         # Uninstall and confirm that the old method reports correctly
+@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host):
+             break
+     return(pid)
+ 
+
+ def get_ipa_services_pids(host):
+     ipa_services_name = [
+         "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
+@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest):
+     def test_install_master(self):
+         tasks.install_master(self.master, setup_dns=False, setup_kra=True)
+ 
+    def test_ipa_ccache_sweep_timer_enabled(self):
+        """Test ipa-ccache-sweep.timer enabled by default during installation
+
+        This test checks that ipa-ccache-sweep.timer is enabled by default
+        during the ipa installation.
+
+        related: https://pagure.io/freeipa/issue/9107
+        """
+        result = self.master.run_command(
+            ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'],
+            raiseonerr=False
+        )
+        assert 'enabled' in result.stdout_text
+
+     def test_install_dns(self):
+         tasks.install_dns(self.master)
+ 
+-- 
+2.34.1
+
--- a/freeipa.spec
+++ b/freeipa.spec
@ -198,7 +198,7 @@

 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        2%{?rc_version:.%rc_version}%{?dist}
+Release:        3%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system

 License:        GPLv3+
@ -234,6 +234,10 @@ Patch0013:      0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch
 Patch0014:      0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch
 Patch0015:      0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch
 Patch0016:      0016-ipatests-add-case-for-hardened-only-ticket-policy.patch
+Patch0017:      0017-Don-t-always-override-the-port-in-import_included_pr.patch
+Patch0018:      0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch
+Patch0019:      0019-Enable-the-ccache-sweep-timer-during-installation.patch
+Patch0020:      0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@ -1725,6 +1729,15 @@ fi
 %endif

 %changelog
+* Fri Feb 11 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-3
+- Resolves: rhbz#2050540 Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes
+  - Don't always override the port in import_included_profiles
+- Resolves: rhbz#2051582 Enable ipa-ccache-sweep.timer during server installation
+  - Test ipa-ccache-sweep.timer enabled by default during installation
+  - Enable the ccache sweep timer during installation
+- Resolves: rhbz#2051844 ipa-join tests are failing due to changes in expected output
+  - Remove ipa-join errors from behind the debug option
+
 * Thu Feb 03 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-2
 - Resolves: rhbz#2040619 - Changing default pac type to 'nfs:NONE and MS-PAC' doesnot display error 'ipa: ERROR: no modifications to be performed'
  - Config plugin: return EmptyModlist when no change is applied