[Freeipa-devel] [PATCH] 391-395, 398 Fedora 19 build and install fixes

Thu Mar 28 14:04:02 UTC 2013

On 03/28/2013 10:20 AM, Martin Kosek wrote:
> On 03/27/2013 10:42 AM, Tomas Babej wrote:
>> On Tue 26 Mar 2013 06:49:59 PM CET, Martin Kosek wrote:
>>> On 03/26/2013 06:32 PM, Tomas Babej wrote:
>>>> On 03/26/2013 05:38 PM, Martin Kosek wrote:
>>>>> On 03/21/2013 11:59 AM, Martin Kosek wrote:
>>>>>> This set of patches (details in commit messages) allow build and
>>>>>> installation
>>>>>> of FreeIPA in Fedora 19. I tested server and replica install
>>>>>> (master on f18,
>>>>>> replica on f19) and both worked fine.
>>>>>>
>>>>>> The patches are compatible with Fedora 18 (I tested).
>>>>>>
>>>>>> If your Fedora 19 does not have bind-9.9.2-11.P1.fc19, you may need
>>>>>> to get that
>>>>>> from koji:
>>>>>>
>>>>>> Bug 920713 - named timeouts when started via systemd
>>>>>>
>>>>>> Also, to fix trusts and ipa-adtrust-install, I had to use my custom
>>>>>> build of
>>>>>> 389-ds-base as current builds do not accepts Kerberos tickets
>>>>>> greater than 2048
>>>>>> bytes. This is the bug I filed:
>>>>>>
>>>>>> Bug 923879 - 389-ds-base cannot handle Kerberos tickets with PAC
>>>>>>
>>>>>> Martin
>>>>>>
>>>>> Sending rebased patches (there was a conflic in spec changelog).
>>>>>
>>>>> Martin
>>>>>
>>>> This still needs the following rebase (changelog is not in
>>>> chronological order):
>>>>
>>>> -* Wed Mar 13 2013 Martin Kosek <mkosek at redhat.com> - 3.1.99-2
>>>> +* Tue Mar 26 2013 Martin Kosek <mkosek at redhat.com> - 3.1.99-2
>>>
>>> Right, I will fix that.
>>>
>>>>
>>>> The build on F19 went OK, however, IPA installation on F19 fails with
>>>> the
>>>> following error:
>>>>
>>>> [snip]
>>>> Configuring certificate server (pki-tomcatd): Estimated time 3
>>>> minutes 30 seconds
>>>>    [1/20]: creating certificate server user
>>>>    [2/20]: configuring certificate server instance
>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>> IOError: [Errno 2] No such file or directory:
>>>> '/root/.pki/pki-tomcat/ca_admin_cert.p12'
>>>
>>> What pki-ca version do you use? There were some related fixes for bugs
>>> I found in pki-ca component (see Bug 919476). I used
>>> pki-ca-10.0.1-2.1.fc19.noarch
>>>
>>
>> The version is the same.
>>
>>> If you have this version or higher, what is the root cause of the
>>> failure? Is there any useful info in ipaserver-install.log?
>>>
>>
>> I haven't been able to identify the cause. There seems to be an issue with
>> certmonger as well,
>> since consenquent uninstallation fails with:
>>
>>
> [snip]
>> 2013-03-26T17:03:19Z INFO The ipa-server-install command failed, exception:
>> IOError: [Errno 2] No such file or directory:
>> '/root/.pki/pki-tomcat/ca_admin_cert.p12'
>>
>>> Thanks,
>>> Martin
>>>
>>>>
>>>>
>>>> Patches work fine on F18.
>>>>
>>>> Tomas
>>>
>>
>>
> 
> Tomas is investigating the Fedora 19 failure, it was most probably caused by
> improperly upgraded VM. Sending updated and rebased patchset addressing issues
> found so far.
> 
> I also reopened BIND bug as BIND does not start after reboot due to wrong
> tmpfiles.d configuration:
> https://bugzilla.redhat.com/show_bug.cgi?id=920713
> But this should not affect the patches as the fix would need to be done only in
> bind packages.
> 
> Martin
> 

Attaching one more fix for PKI CA installation, installer in F19 seems more
sensitive to the certificate downloaded via sslget from pki-ca. It may contain
DOS line endings which breaks certutil cert import and crashes the install.
Patch 398 fixes it - tested both on F18 and F19.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-391-4-clean-spec-file-for-Fedora-19.patch
Type: text/x-patch
Size: 2909 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130328/91b2f1f4/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-392-4-remove-build-warnings.patch
Type: text/x-patch
Size: 14329 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130328/91b2f1f4/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-393-4-remove-syslog.target-from-ipa.server.patch
Type: text/x-patch
Size: 1887 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130328/91b2f1f4/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-394-4-put-pid-file-to-named.conf.patch
Type: text/x-patch
Size: 3802 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130328/91b2f1f4/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-395-4-update-mod_wsgi-socket-directory.patch
Type: text/x-patch
Size: 1095 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130328/91b2f1f4/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-398-4-normalize-ra-agent-certificate.patch
Type: text/x-patch
Size: 1351 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130328/91b2f1f4/attachment-0005.bin>