From c7bf31948feee147e99daf3110ea0b277135e494 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Fri, 11 Feb 2022 15:04:19 +0100
Subject: [PATCH] ipa-4.9.8-3
- Resolves: rhbz#2050540 Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes
- Resolves: rhbz#2051582 Enable ipa-ccache-sweep.timer during server installation
- Resolves: rhbz#2051844 ipa-join tests are failing due to changes in expected output
Signed-off-by: Florence Blanc-Renaud
---
 ...rride-the-port-in-import_included_pr.patch | 104 ++++++++++++++++
 ...-errors-from-behind-the-debug-option.patch | 115 ++++++++++++++++++
 ...ache-sweep-timer-during-installation.patch | 47 +++++++
 ...sweep.timer-enabled-by-default-durin.patch | 71 +++++++++++
 freeipa.spec | 15 ++-
 5 files changed, 351 insertions(+), 1 deletion(-)
 create mode 100644 0017-Don-t-always-override-the-port-in-import_included_pr.patch
 create mode 100644 0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch
 create mode 100644 0019-Enable-the-ccache-sweep-timer-during-installation.patch
 create mode 100644 0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch
diff --git a/0017-Don-t-always-override-the-port-in-import_included_pr.patch b/0017-Don-t-always-override-the-port-in-import_included_pr.patch
new file mode 100644
index 0000000..592f5b5
--- /dev/null
+++ b/0017-Don-t-always-override-the-port-in-import_included_pr.patch
@@ -0,0 +1,104 @@ +From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 28 Jan 2022 16:46:35 -0500 +Subject: [PATCH] Don't always override the port in import_included_profiles + +I can only guess to the original purpose of this override. I +believe it was because this is called in the installer prior +to Apache being set up. The expectation was that this would +only be called locally. It predates the RestClient class. + +RestClient will attempt to find an available service. In this +case, during a CA installation, the local server is not +considered available because it lacks an entry in +cn=masters. So it will never be returned as an option. + +So by overriding the port to 8443 the remote connection will +likely fail because we don't require that the port be open. + +So instead, instantiate a RestClient and see what happens. + +There are several use-cases: + +1. Installing an initial server. The RestClient connection + should fail, so we will fall back to the override port and + use the local server. If Apache happens to be running with + a globally-issued certificate then the RestClient will + succeed. In this case if the connected host and the local + hostname are the same, override in that case as well. + +2. Installing as a replica. In this case the local server should + be ignored in all cases and a remote CA will be picked with + no override done. + +3. Switching from CA-less to CA-ful. The web server will be + trusted but the RestClient login will fail with a 404. Fall + back to the override port in this case. + +The motivation for this is trying to install an EL 8.x replica +against an EL 7.9 server. 8.5+ includes the ACME service and +a new profile is needed which doesn't exist in 7. This was +failing because the RestClient determined that the local server +wasn't running a CA so tried the remote one (7.9) on the override +port 8443. Since this port isn't open: failure. 
+ +Chances are that adding the profile is still going to fail +because again, 7.9 lacks ACME capabilities, but it will fail in +a way that allows the installation to continue. + +I suspect that all of the overrides can similarly handled, or +handled directly within the RestClient class, but for the sake +of "do no harm" I'm only changing this instance for now. + +https://pagure.io/freeipa/issue/9100 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 8c8bf1b3a7bcf8a9c50183579b874a5710a32ac3..ad206aad411b42336e86e0b651a948fccd3a75ac 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -1953,7 +1953,35 @@ def import_included_profiles(): + cn=['certprofiles'], + ) + +- api.Backend.ra_certprofile.override_port = 8443 ++ # At this point Apache may or may not be running with a valid ++ # certificate. The local server is not yet recognized as a full ++ # CA yet so it isn't discoverable. So try to do some detection ++ # on what port to use, 443 (remote) or 8443 (local) for importing ++ # the profiles. ++ # ++ # api.Backend.ra_certprofile invokes the RestClient class ++ # which will discover and login to the CA REST API. We can ++ # use this information to detect where to import the profiles. ++ # ++ # If the login is successful (e.g. doesn't raise an exception) ++ # and it returns our hostname (it prefers the local host) then ++ # we override and talk locally. ++ # ++ # Otherwise a NetworkError means we can't connect on 443 (perhaps ++ # a firewall) or we get an HTTP error (valid TLS certificate on ++ # Apache but no CA, login fails with 404) so we override to the ++ # local server. 
++ # ++ # When override port was always set to 8443 the RestClient could ++ # pick a remote server and since 8443 isn't in our firewall profile ++ # setting up a new server would fail. ++ try: ++ with api.Backend.ra_certprofile as profile_api: ++ if profile_api.ca_host == api.env.host: ++ api.Backend.ra_certprofile.override_port = 8443 ++ except (errors.NetworkError, errors.RemoteRetrieveError) as e: ++ logger.debug('Overriding CA port: %s', e) ++ api.Backend.ra_certprofile.override_port = 8443 + + for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: + dn = DN(('cn', profile_id), +-- +2.34.1 + diff --git a/0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch b/0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch new file mode 100644 index 0000000..9e18029 --- /dev/null +++ b/0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch 
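Review bot: The fallback branch records the reason for redirecting profile import to the local CA only at debug level, so an admin migrating from an EL 7.9 master gets no visible hint that the remote attempt failed and port 8443 was used instead; `logger.info('Falling back to local CA on port 8443 for profile import: %s', e)` in place of `logger.debug('Overriding CA port: %s', e)` would make the decision observable in the install log. The detection `if profile_api.ca_host == api.env.host:` is an exact string comparison; I cannot tell from the hunk how RestClient populates `ca_host`, so if it can differ from `api.env.host` in case or by a trailing dot the local server would be misclassified as remote and the override skipped — worth confirming, or normalising both sides before comparing. Only `errors.NetworkError` and `errors.RemoteRetrieveError` trigger the fallback; if the CA-less-to-CA-ful login failure (the 404 case the comment describes) ever surfaces as a different exception type, installation aborts instead of falling back, so that mapping deserves a test. `import_included_profiles` starts before the hunk and its loop over `dogtag.INCLUDED_PROFILES` continues after it.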
@@ -0,0 +1,115 @@ +From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 31 Jan 2022 17:31:50 -0500 +Subject: [PATCH] Remove ipa-join errors from behind the debug option + +This brings it inline with the previous XML-RPC output which +only hid the request and response from the output and not +any errors returned. + +https://pagure.io/freeipa/issue/9103 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Peter Keresztes Schmidt +--- + client/ipa-join.c | 27 +++++++++------------------ + 1 file changed, 9 insertions(+), 18 deletions(-) + +diff --git a/client/ipa-join.c b/client/ipa-join.c +index d98739a9abfb01ecf619187483bfc6677957d498..5888a33bf221eb5d455b2adcfa0f33b38f0969ca 100644 +--- a/client/ipa-join.c ++++ b/client/ipa-join.c +@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response + + json_str = json_dumps(json, 0); + if (!json_str) { +- if (debug) +- fprintf(stderr, _("json_dumps() failed\n")); ++ fprintf(stderr, _("json_dumps() failed\n")); + + rval = 17; + goto cleanup; +@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response + CURLcode res = curl_easy_perform(curl); + if (res != CURLE_OK) + { +- if (debug) +- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res)); ++ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res)); + + rval = 17; + goto cleanup; +@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response + curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code); + + if (resp_code != 200) { +- if (debug) +- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code); ++ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code); + + if (!quiet && resp_code == 401) + fprintf(stderr, _("JSON-RPC call was unauthorized. 
Check your credentials.\n")); +@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) { + + j_root = json_loads(payload, 0, &j_error); + if (!j_root) { +- if (debug) +- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text); ++ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) { + + *j_result_obj = json_object_get(j_root, "result"); + if (!*j_result_obj) { +- if (debug) +- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n")); ++ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n")); + + rval = 17; + goto cleanup; +@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet) + &tmp_hostdn, + "krbprincipalname", &tmp_princ, + "krblastpwdchange", &tmp_pwdch) != 0) { +- if (debug) +- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); ++ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co + "nshardwareplatform", uinfo.machine); + + if (!json_req) { +- if (debug) +- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); ++ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) { + + if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}", + "result", result) != 0) { +- if (debug) +- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); ++ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); + + rval = 20; + 
goto cleanup; +@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) { + host); + + if (!json_req) { +- if (debug) +- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); ++ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +-- +2.34.1 + diff --git a/0019-Enable-the-ccache-sweep-timer-during-installation.patch b/0019-Enable-the-ccache-sweep-timer-during-installation.patch new file mode 100644 index 0000000..328c1ff --- /dev/null +++ b/0019-Enable-the-ccache-sweep-timer-during-installation.patch 
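Review bot: The error prints made unconditional in `jsonrpc_request` and the parse helpers now ignore the `quiet` flag, while the neighbouring 401 message in the same function is still guarded by `if (!quiet && resp_code == 401)`; unless `-q` is meant to silence only that one line, the new prints should be written as `if (!quiet) fprintf(stderr, ...)` so `quiet` keeps one meaning across the file. `jsonrpc_parse_response`, `jsonrpc_parse_join_response`, `jsonrpc_parse_unenroll_response` and `jsonrpc_unenroll_host` already receive `bool quiet` per the hunk headers, so the guard costs nothing there; the `join_krb5_jsonrpc` signature is cut off by its hunk header, so whether `quiet` is in scope there has to be checked. Every hunk here cuts through a function body; the enclosing functions start and end outside the hunks.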
@@ -0,0 +1,47 @@ +From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 7 Feb 2022 10:39:55 -0500 +Subject: [PATCH] Enable the ccache sweep timer during installation + +The timer was only being enabled during package installation +if IPA was configured. So effectively only on upgrade. + +Add as a separate installation step after the ccache directory +is configured. + +Fixes: https://pagure.io/freeipa/issue/9107 + +Signed-off-by: Rob Crittenden +Reviewed-By: Alexander Bokovoy +--- + ipaserver/install/httpinstance.py | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py +index 732bb58d49addcb2a9f7698d577527257a17fe66..50ccf5e5031c37171cebe6f20232f3bd645cedeb 100644 +--- a/ipaserver/install/httpinstance.py ++++ b/ipaserver/install/httpinstance.py +@@ -140,6 +140,8 @@ class HTTPInstance(service.Service): + self.step("publish CA cert", self.__publish_ca_cert) + self.step("clean up any existing httpd ccaches", + self.remove_httpd_ccaches) ++ self.step("enable ccache sweep", ++ self.enable_ccache_sweep) + self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) + if not self.is_kdcproxy_configured(): + self.step("create KDC proxy config", self.create_kdcproxy_conf) +@@ -177,6 +179,11 @@ class HTTPInstance(service.Service): + [paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES] + ) + ++ def enable_ccache_sweep(self): ++ ipautil.run( ++ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer'] ++ ) ++ + def __configure_http(self): + self.update_httpd_service_ipa_conf() + self.update_httpd_wsgi_conf() +-- +2.34.1 + diff --git a/0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch b/0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch new file mode 100644 index 0000000..3eabe4b --- /dev/null +++ b/0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch 
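Review bot: `systemctl enable ipa-ccache-sweep.timer` only arms the unit for the next boot; nothing in the hunk starts it, so on a freshly installed server the sweep does not run until a reboot or a manual `systemctl start`, and the companion test only checks `is-enabled`, so that gap would go unnoticed — `[paths.SYSTEMCTL, 'enable', '--now', 'ipa-ccache-sweep.timer']` makes the step effective immediately. There is no visible uninstall counterpart; if the uninstaller does not already disable the timer (I cannot see it from here), a matching `disable` step should be added so an uninstalled server does not keep the unit enabled. `enable_ccache_sweep` has no docstring; a one-liner such as `"""Enable the ipa-ccache-sweep.timer systemd unit (runs after the ccache tmpfiles step; a non-zero systemctl exit presumably aborts the install via ipautil.run)."""` would record the intent. The `HTTPInstance` class starts before the hunk and continues after it.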
@@ -0,0 +1,71 @@ +From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Wed, 9 Feb 2022 18:56:21 +0530 +Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during + installation + +This test checks that ipa-ccache-sweep.timer is enabled by default +during the ipa installation. + +related: https://pagure.io/freeipa/issue/9107 + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Alexander Bokovoy +--- + .../test_integration/test_installation.py | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index f2d372c0c0356f244971a2af808db45dd6c8cb5b..63edbaa2bb4dbae174c6ab8c8f193cc24cc45b14 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest): + + # Tweak sysrestore.state to drop installation section + self.master.run_command( +- ['sed','-i', r's/\[installation\]/\[badinstallation\]/', ++ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/', + os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)]) + + # Re-run installation check and it should fall back to old method +@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest): + + # Restore installation section. 
+ self.master.run_command( +- ['sed','-i', r's/\[badinstallation\]/\[installation\]/', ++ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/', + os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)]) + + # Uninstall and confirm that the old method reports correctly +@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host): + break + return(pid) + ++ + def get_ipa_services_pids(host): + ipa_services_name = [ + "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia", +@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest): + def test_install_master(self): + tasks.install_master(self.master, setup_dns=False, setup_kra=True) + ++ def test_ipa_ccache_sweep_timer_enabled(self): ++ """Test ipa-ccache-sweep.timer enabled by default during installation ++ ++ This test checks that ipa-ccache-sweep.timer is enabled by default ++ during the ipa installation. ++ ++ related: https://pagure.io/freeipa/issue/9107 ++ """ ++ result = self.master.run_command( ++ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'], ++ raiseonerr=False ++ ) ++ assert 'enabled' in result.stdout_text ++ + def test_install_dns(self): + tasks.install_dns(self.master) + +-- +2.34.1 + diff --git a/freeipa.spec b/freeipa.spec index 2831c3e..1cffad7 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -198,7 +198,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 2%{?rc_version:.%rc_version}%{?dist} +Release: 3%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ 
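Review bot: `assert 'enabled' in result.stdout_text` is a substring test that also accepts `enabled-runtime` (a non-persistent enablement), and with `raiseonerr=False` the exit status is never checked; `assert result.returncode == 0` followed by `assert result.stdout_text.strip() == 'enabled'` pins exactly what the installer is meant to produce. Because the point of the timer is that sweeping actually runs, a second `systemctl is-active ipa-ccache-sweep.timer` check would catch a unit that is enabled but never started — the installer patch only runs `enable`, so confirm the expected state on a fresh install before asserting it. The two `sed` spacing fixes and the added blank line in this hunk are unrelated whitespace cleanups bundled into a test commit and would be cleaner as a separate change. `TestInstallMasterKRA` starts before the hunk and continues after it.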
@@ -234,6 +234,10 @@ Patch0013: 0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch Patch0014: 0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch Patch0015: 0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch Patch0016: 0016-ipatests-add-case-for-hardened-only-ticket-policy.patch +Patch0017: 0017-Don-t-always-override-the-port-in-import_included_pr.patch +Patch0018: 0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch +Patch0019: 0019-Enable-the-ccache-sweep-timer-during-installation.patch +Patch0020: 0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -1725,6 +1729,15 @@ fi %endif %changelog +* Fri Feb 11 2022 Florence Blanc-Renaud - 4.9.8-3 +- Resolves: rhbz#2050540 Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes + - Don't always override the port in import_included_profiles +- Resolves: rhbz#2051582 Enable ipa-ccache-sweep.timer during server installation + - Test ipa-ccache-sweep.timer enabled by default during installation + - Enable the ccache sweep timer during installation +- Resolves: rhbz#2051844 ipa-join tests are failing due to changes in expected output + - Remove ipa-join errors from behind the debug option + * Thu Feb 03 2022 Florence Blanc-Renaud - 4.9.8-2 - Resolves: rhbz#2040619 - Changing default pac type to 'nfs:NONE and MS-PAC' doesnot display error 'ipa: ERROR: no modifications to be performed' - Config plugin: return EmptyModlist when no change is applied