ipa-4.12.2-10

- Resolves: RHEL-73022 A slow HSM can cause IPA server installation to fail setting up certificate tracking

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2025-01-28 13:36:13 +01:00
parent 85a695e7ee
commit e62b5538d9
2 changed files with 167 additions and 1 deletions


@ -0,0 +1,162 @@
From 9f30edef463237ba48efe45406626eb325bf6c39 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 22 Jan 2025 13:19:43 -0500
Subject: [PATCH] Apply certmonger_timeout to start_tracking and request_cert
We've seen that with some slow HSMs and the default DBus timeout
the HSM doesn't respond quickly enough to certmonger start
tracking requests, which fails the entire installation.
A first attempt was made to bump up the default to 30 seconds
which turned out to not be long enough.
There is already a certmonger timeout defined in the API but it
is 300 seconds so I was hesitant to use it. It could delay the
actual failure of a blown install by 5 minutes. But it also gives
the end user the flexibility to be able to control success over
an installation so we'll go ahead and use it.
Fixes: https://pagure.io/freeipa/issue/9725
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
client/man/default.conf.5 | 10 ++++++++--
ipalib/install/certmonger.py | 7 +++++--
ipaserver/install/cainstance.py | 5 ++++-
ipaserver/install/dogtaginstance.py | 18 ++++++++++++++++++
ipaserver/install/service.py | 4 +++-
5 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/client/man/default.conf.5 b/client/man/default.conf.5
index 3846de50c5d851471ea3ceed9fc38cb687c719e4..e0aec21f725d88ce2ba3cf52901fb15575892cde 100644
--- a/client/man/default.conf.5
+++ b/client/man/default.conf.5
@@ -20,7 +20,7 @@
.SH "NAME"
default.conf \- IPA configuration file
.SH "SYNOPSIS"
-/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf, /etc/ipa/cli.conf
+/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf, /etc/ipa/cli.conf, /etc/ipa/installer.conf, /etc/ipa/cli_installer.conf
.SH "DESCRIPTION"
The \fIdefault.conf \fRconfiguration file is used to set system\-wide defaults to be applied when running IPA clients and servers.
@@ -75,7 +75,7 @@ Specifies the hostname of the dogtag CA server. The default is the hostname of t
Specifies the insecure CA end user port. The default is 8080.
.TP
.B certmonger_wait_timeout <seconds>
-The time to wait for a certmonger request to complete during installation. The default value is 300 seconds.
+The time to wait for a certmonger request to complete during installation. The default value is 300 seconds. To tune create/add to /etc/ipa/installer.conf.
.TP
.B context <context>
Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli, server and dns. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
@@ -263,6 +263,12 @@ system\-wide IPA client configuration file
.TP
.I /etc/ipa/server.conf
system\-wide IPA server configuration file
+.TP
+.I /etc/ipa/installer.conf
+IPA configuration used while installing an IPA server or replica
+.TP
+.I /etc/ipa/cli_installer.conf
+IPA configuration used while installing an IPA client
.SH "EXAMPLES"
.TP
An example of a context-specific configuration file is \fB/etc/ipa/dns.conf\fR to be used to increase debug output of the IPA DNSSEC daemons.
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index efc1ba4f42eab98df5fac51bafa3acc83ae91831..675b2c96ce8ebe4f06822ad587a4bca734a1be09 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -477,7 +477,8 @@ def request_cert(
request_parameters['cert-perms'] = perms[0]
request_parameters['key-perms'] = perms[1]
- result = cm.obj_if.add_request(request_parameters, timeout=30)
+ result = cm.obj_if.add_request(request_parameters,
+ timeout=api.env.certmonger_wait_timeout)
try:
if result[0]:
request = _cm_dbus_object(cm.bus, cm, result[1], DBUS_CM_REQUEST_IF,
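Review bot: `timeout=api.env.certmonger_wait_timeout` hands a value that may have been read from a config file straight to the D-Bus call, so it is worth confirming that api.env has coerced it to an int before this point (a string would not be a usable timeout) and that this function is only called after api.finalize(), otherwise the attribute lookup fails at install time. The hard-coded 30 also went away for request_cert() even though the commit message only discusses start tracking; that is fine, but the 300 s default means a hung certmonger now delays each failed request by five minutes, as the message acknowledges.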
@@ -581,7 +582,9 @@ def start_tracking(
if nss_user:
params['nss-user'] = nss_user
- result = cm.obj_if.add_request(params, timeout=30)
+ logger.debug("start tracking %s", params)
+ result = cm.obj_if.add_request(params,
+ timeout=api.env.certmonger_wait_timeout)
try:
if result[0]:
request = _cm_dbus_object(cm.bus, cm, result[1], DBUS_CM_REQUEST_IF,
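Review bot: `logger.debug("start tracking %s", params)` writes the whole request dictionary to the install log. If start_tracking() can carry a PIN value in params rather than only a PIN-file path, that secret ends up in the log file; either confirm params never holds the PIN itself or redact that key before logging.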
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index e03a8c863e14782679e19c6887f5e220131e4234..76718036dbd317651edc98ce631405e42bf814d7 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -513,7 +513,10 @@ class CAInstance(DogtagInstance):
if ra_only:
runtime = None
else:
- runtime = 180
+ if self.tokenname:
+ runtime = "HSM dependent"
+ else:
+ runtime = 180
try:
self.start_creation(runtime=runtime)
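Review bot: `runtime = "HSM dependent"` puts a string into a parameter that is otherwise a number of seconds, which forces the type checks added in service.py further down and invites a TypeError from any other `runtime > 0` comparison. Cleaner to keep runtime numeric or None and pass a separate flag (or message) for the HSM case. Also, this hunk keys on `self.tokenname` while the dogtaginstance.py hunk keys on `self.hsm_enabled`; pick one attribute for "HSM in use" so the two paths cannot disagree.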
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 32a52dbedaa34b24c2658460f0ae889e7a37aa64..002053ed797beec829d324e80fc55b57cabf04be 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -575,6 +575,24 @@ class DogtagInstance(service.Service):
except RuntimeError as e:
logger.error(
"certmonger failed to start tracking certificate: %s", e)
+ except dbus.exceptions.DBusException as e:
+ if e._dbus_error_name == "org.freedesktop.DBus.Error.NoReply":
+ logger.error(
+ "Timeout encountered starting tracking of '%s'."
+ "This timeout can be tuned using "
+ "certmonger_wait_timeout in /etc/ipa/installer.conf.",
+ nickname
+ )
+ if self.hsm_enabled:
+ logger.error(
+ "On an initial install failure this may leave "
+ "certificates and keys on the HSM token. These "
+ "need to be manually cleaned per your HSM-specific "
+ "documentation before installing IPA again. On a "
+ "replica install no clean-up should be done (it will "
+ "destroy your installation."
+ )
+ raise
def stop_tracking_certificates(self):
"""
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index cf0f64ab9794111761adf735bc488269bd1814fc..7755a4f2ff5e33e61f85dc24b71fd05a1837cd5a 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -59,6 +59,8 @@ def print_msg(message, output_fd=sys.stdout):
def format_seconds(seconds):
"""Format a number of seconds as an English minutes+seconds message"""
+ if type(seconds) is not int:
+ return seconds
parts = []
minutes, seconds = divmod(seconds, 60)
if minutes:
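Review bot: `if type(seconds) is not int: return seconds` changes the contract of format_seconds() from "int in, string out" to "anything non-int is passed through"; the docstring should say so, and `isinstance(seconds, int)` is the idiomatic check. Passing the caller's sentinel string through a function named format_seconds is a sign the "HSM dependent" value belongs in a separate argument rather than in runtime.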
@@ -660,7 +662,7 @@ class Service:
else:
end_message = "Done configuring %s." % self.service_desc
- if runtime is not None and runtime > 0:
+ if runtime is not None or (type(runtime) is int and runtime > 0):
self.print_msg('%s. Estimated time: %s' % (start_message,
format_seconds(runtime)))
else:
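Review bot: `if runtime is not None or (type(runtime) is int and runtime > 0):` has a logic error: the right-hand clause can only be evaluated when runtime is None, where it is always False, so the condition reduces to `runtime is not None`. Before the change a runtime of 0 printed the plain start message; now it prints "Estimated time: " followed by whatever format_seconds(0) returns. Suggest `if runtime is not None and (not isinstance(runtime, int) or runtime > 0):`.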
--
2.48.1
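The commit message above explains the failure (a slow HSM does not answer certmonger's D-Bus add_request within the timeout) and the fix (apply the tunable certmonger_wait_timeout). The following is an added example, not FreeIPA or certmonger code: it reads the knob from an ini-style installer config, validates it before it reaches a D-Bus call, and turns an org.freedesktop.DBus.Error.NoReply failure into the actionable message the patch aims for. It assumes the file uses a [global] section like /etc/ipa/default.conf and that the callable passed in accepts a timeout= keyword the way dbus-python proxy methods do; the add_request stand-in and its reply tuple are constructed so the example runs offline.

```python
"""Added example (not FreeIPA code): load and validate certmonger_wait_timeout,
then apply it to a D-Bus style add_request call and classify a NoReply error.

Assumptions not stated on the page: the config uses a [global] section, and the
callable passed to add_request_with_timeout() takes a timeout= keyword.
"""
import configparser

DEFAULT_WAIT_TIMEOUT = 300  # seconds; the default documented in default.conf(5)
NO_REPLY = "org.freedesktop.DBus.Error.NoReply"

# Constructed sample of what an admin would put in /etc/ipa/installer.conf.
SAMPLE_INSTALLER_CONF = """\
[global]
certmonger_wait_timeout = 900
"""


def load_wait_timeout(conf_text, default=DEFAULT_WAIT_TIMEOUT):
    """Return the configured timeout in seconds, or `default` when unset.

    Config values arrive as strings; a D-Bus timeout needs a number, and a zero
    or negative value would make every request fail at once, so reject those
    here instead of passing them through to the bus call.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    raw = parser.get("global", "certmonger_wait_timeout", fallback=None)
    if raw is None or raw.strip() == "":
        return default
    try:
        value = int(raw.strip())
    except ValueError:
        raise ValueError(
            "certmonger_wait_timeout must be an integer number of seconds, "
            "got %r" % raw)
    if value <= 0:
        raise ValueError(
            "certmonger_wait_timeout must be positive, got %d" % value)
    return value


class TrackingTimeout(RuntimeError):
    """The tracking request did not complete within the wait timeout."""


def _dbus_error_name(exc):
    # dbus.exceptions.DBusException exposes the error name via get_dbus_name();
    # fall back to the private attribute the patch reads, for other objects.
    getter = getattr(exc, "get_dbus_name", None)
    if callable(getter):
        return getter()
    return getattr(exc, "_dbus_error_name", None)


def add_request_with_timeout(add_request, params, timeout, nickname, hsm_enabled):
    """Call add_request(params, timeout=...) and classify a NoReply failure."""
    try:
        return add_request(params, timeout=timeout)
    except Exception as exc:  # dbus-python raises DBusException; stay generic
        if _dbus_error_name(exc) != NO_REPLY:
            raise
        msg = ("Timeout (%d s) encountered starting tracking of '%s'. "
               "This timeout can be tuned using certmonger_wait_timeout "
               "in /etc/ipa/installer.conf." % (timeout, nickname))
        if hsm_enabled:
            msg += (" On an initial install failure this may leave certificates "
                    "and keys on the HSM token; clean them up per your HSM "
                    "documentation before installing again. On a replica "
                    "install do not clean up (it would destroy the installation).")
        raise TrackingTimeout(msg) from exc


# Constructed stand-in for certmonger's D-Bus add_request, for offline use.
class FakeDBusException(Exception):
    def __init__(self, name):
        super().__init__(name)
        self._name = name

    def get_dbus_name(self):
        return self._name


def make_fake_add_request(hsm_latency, reply=(True, "/constructed/request/path")):
    """Simulate an HSM needing `hsm_latency` seconds; no reply past the timeout."""
    def add_request(params, timeout):
        if hsm_latency > timeout:
            raise FakeDBusException(NO_REPLY)
        return reply
    return add_request


if __name__ == "__main__":
    timeout = load_wait_timeout(SAMPLE_INSTALLER_CONF)
    slow_hsm = make_fake_add_request(hsm_latency=120)
    print(add_request_with_timeout(slow_hsm, {"TRACK": True}, timeout, "caSigningCert", True))
    try:
        add_request_with_timeout(slow_hsm, {"TRACK": True}, 30, "caSigningCert", True)
    except TrackingTimeout as e:
        print(e)
```

With the configured 900 s the simulated 120 s HSM succeeds; with the old hard-coded 30 s the same call fails with the tuning hint and, because hsm_enabled is set, the token clean-up warning.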


@@ -224,7 +224,7 @@
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 9%{?rc_version:.%rc_version}%{?dist}
+Release: 10%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPL-3.0-or-later
@@ -298,6 +298,7 @@ Patch0047: 0047-ipatests-skip-test_ipahealthcheck_ds_configcheck-for.patch
 Patch0048: 0048-ipatests-restart-dirsrv-after-time-jumps.patch
 Patch0049: 0049-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch
 Patch0050: 0050-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch
+Patch0051: 0051-Apply-certmonger_timeout-to-start_tracking-and-reque.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1913,6 +1914,9 @@ fi
 %endif
 %changelog
+* Tue Jan 28 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-10
+- Resolves: RHEL-73022 A slow HSM can cause IPA server installation to fail setting up certificate tracking
+
 * Tue Jan 21 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-9
 - Resolves: RHEL-74465 kinit with external idp user is failing
 - Resolves: RHEL-75656 Include latest fixes in python3-ipatests package