[Freeipa-devel] [PATCH] 391-395, 398 Fedora 19 build and install fixes

Martin Kosek mkosek at redhat.com
Fri Mar 29 08:04:13 UTC 2013


On 03/29/2013 08:13 AM, Tomas Babej wrote:
> On 03/28/2013 03:04 PM, Martin Kosek wrote:
>> On 03/28/2013 10:20 AM, Martin Kosek wrote:
>>> On 03/27/2013 10:42 AM, Tomas Babej wrote:
>>>> On Tue 26 Mar 2013 06:49:59 PM CET, Martin Kosek wrote:
>>>>> On 03/26/2013 06:32 PM, Tomas Babej wrote:
>>>>>> On 03/26/2013 05:38 PM, Martin Kosek wrote:
>>>>>>> On 03/21/2013 11:59 AM, Martin Kosek wrote:
>>>>>>>> This set of patches (details in commit messages) allows build and
>>>>>>>> installation of FreeIPA in Fedora 19. I tested server and replica install
>>>>>>>> (master on f18, replica on f19) and both worked fine.
>>>>>>>>
>>>>>>>> The patches are compatible with Fedora 18 (I tested).
>>>>>>>>
>>>>>>>> If your Fedora 19 does not have bind-9.9.2-11.P1.fc19, you may need
>>>>>>>> to get that from koji:
>>>>>>>>
>>>>>>>> Bug 920713 - named timeouts when started via systemd
>>>>>>>>
>>>>>>>> Also, to fix trusts and ipa-adtrust-install, I had to use my custom
>>>>>>>> build of 389-ds-base as current builds do not accept Kerberos tickets
>>>>>>>> greater than 2048 bytes. This is the bug I filed:
>>>>>>>>
>>>>>>>> Bug 923879 - 389-ds-base cannot handle Kerberos tickets with PAC
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>> Sending rebased patches (there was a conflict in spec changelog).
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>> This still needs the following rebase (changelog is not in
>>>>>> chronological order):
>>>>>>
>>>>>> -* Wed Mar 13 2013 Martin Kosek <mkosek at redhat.com> - 3.1.99-2
>>>>>> +* Tue Mar 26 2013 Martin Kosek <mkosek at redhat.com> - 3.1.99-2
>>>>> Right, I will fix that.
>>>>>
>>>>>> The build on F19 went OK, however, IPA installation on F19 fails with
>>>>>> the following error:
>>>>>>
>>>>>> [snip]
>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3
>>>>>> minutes 30 seconds
>>>>>>     [1/20]: creating certificate server user
>>>>>>     [2/20]: configuring certificate server instance
>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>> IOError: [Errno 2] No such file or directory:
>>>>>> '/root/.pki/pki-tomcat/ca_admin_cert.p12'
>>>>> What pki-ca version do you use? There were some related fixes for bugs
>>>>> I found in pki-ca component (see Bug 919476). I used
>>>>> pki-ca-10.0.1-2.1.fc19.noarch
>>>>>
>>>> The version is the same.
>>>>
>>>>> If you have this version or higher, what is the root cause of the
>>>>> failure? Is there any useful info in ipaserver-install.log?
>>>>>
>>>> I haven't been able to identify the cause. There seems to be an issue with
>>>> certmonger as well, since consequent uninstallation fails with:
>>>>
>>>>
>>> [snip]
>>>> 2013-03-26T17:03:19Z INFO The ipa-server-install command failed, exception:
>>>> IOError: [Errno 2] No such file or directory:
>>>> '/root/.pki/pki-tomcat/ca_admin_cert.p12'
>>>>
>>>>> Thanks,
>>>>> Martin
>>>>>
>>>>>>
>>>>>> Patches work fine on F18.
>>>>>>
>>>>>> Tomas
>>>>
>>> Tomas is investigating the Fedora 19 failure, it was most probably caused by
>>> improperly upgraded VM. Sending updated and rebased patchset addressing issues
>>> found so far.
>>>
>>> I also reopened BIND bug as BIND does not start after reboot due to wrong
>>> tmpfiles.d configuration:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=920713
>>> But this should not affect the patches as the fix would need to be done only in
>>> bind packages.
>>>
>>> Martin
>>>
>> Attaching one more fix for PKI CA installation, installer in F19 seems more
>> sensitive to the certificate downloaded via sslget from pki-ca. It may contain
>> DOS line endings which breaks certutil cert import and crashes the install.
>> Patch 398 fixes it - tested both on F18 and F19.
>>
>> Martin
> Patches work fine both on F18 and F19 and indeed fix the discovered issues.
> 
> There's still the following problem that *can* occur (not 100% reproducible)
> when installing rpms:
> 
> [snip]
>   Installing : freeipa-server-3.1.99GITa9b9b77-0.fc19.x86_64 4/7
>   Installing : freeipa-server-selinux-3.1.99GITa9b9b77-0.fc19.x86_64 5/7
> libsemanage.semanage_exec_prog: Child process /sbin/load_policy did not exit
> cleanly.
> libsemanage.semanage_reload_policy: load_policy returned error code -1.
> libsemanage.semanage_exec_prog: Child process /sbin/load_policy did not exit
> cleanly.
> libsemanage.semanage_reload_policy: load_policy returned error code -1.
> semodule:  Failed!
>   Installing : freeipa-server-trust-ad-3.1.99GITa9b9b77-0.fc19.x86_64 6/7
> 
> Consequently, it causes the following failure during ipa-server-install:
> 
> [12/14]: configuring SELinux for httpd
> WARNING: could not set the following SELinux boolean(s):
>   httpd_can_network_connect -> on
>   httpd_manage_ipa -> on
> The web interface may not function correctly until the booleans
> are successfully changed with the command:
> /usr/sbin/setsebool -P httpd_can_network_connect=on httpd_manage_ipa=on
> Try updating the policycoreutils and selinux-policy packages.
>   [13/14]: restarting httpd
> ...
> 
> However, this looks like a bug in SELinux policy, probably. The workaround
> (manual setting of SELinux booleans) is printed out by ipa-server-install script,
> so I would not consider it as a blocker for this patchset.

I filed a Bugzilla for this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=929062

We will see what the real root cause of it is.

> 
> ACK.
> 
> Tomas

Pushed to master.

Martin
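The patch 398 discussed above (the installer choking on a certificate fetched via sslget from pki-ca with DOS line endings before handing it to certutil) is not reproduced on this page. The following is an added example, not FreeIPA's own code or the contents of patch 398: it shows the kind of normalization an installer would apply to a PEM blob before importing it with an NSS tool such as certutil, so that CRLF line endings, stray whitespace or a corrupt base64 body are caught in the installer rather than surfacing as an import crash. The sample "certificate" is a constructed placeholder (arbitrary bytes in a PEM wrapper), not a real X.509 certificate; the function names are this example's own.

```python
import base64
import binascii
import re

# One PEM block: header, base64 body, matching footer. DOTALL lets the body
# span lines with either LF or CRLF endings.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>.*?)\s*"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def has_dos_line_endings(text: str) -> bool:
    """True if the blob uses CRLF anywhere (what the F19 pki-ca download had)."""
    return "\r\n" in text


def pem_payload(text: str) -> bytes:
    """Return the decoded DER bytes of the single PEM block in `text`.

    Raises ValueError if there is not exactly one block or the body is not
    strict base64; whitespace (including CR) inside the body is ignored.
    """
    blocks = list(PEM_RE.finditer(text))
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    body = re.sub(r"\s+", "", blocks[0].group("body"))
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc


def normalize_pem(text: str) -> str:
    """Re-emit the PEM block canonically: LF endings, 64-column base64 lines.

    The label (e.g. CERTIFICATE) is preserved; the output always ends with a
    single newline so it can be written straight to a file for certutil -A.
    """
    match = PEM_RE.search(text)
    der = pem_payload(text)  # validates block count and base64 first
    label = match.group("label")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def is_importable_pem(text: str) -> bool:
    """Installer-side precheck: would this blob survive normalization?"""
    try:
        normalize_pem(text)
    except ValueError:
        return False
    return True


# Constructed sample input: arbitrary bytes wrapped as a CERTIFICATE block with
# DOS (CRLF) line endings, standing in for the pki-ca download. Not a real cert.
SAMPLE_DER = bytes(range(100))
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_DOS_PEM = "\r\n".join(
    ["-----BEGIN CERTIFICATE-----"]
    + [_b64[i:i + 64] for i in range(0, len(_b64), 64)]
    + ["-----END CERTIFICATE-----", ""]
)

if __name__ == "__main__":
    print("input has CRLF:", has_dos_line_endings(SAMPLE_DOS_PEM))
    print(normalize_pem(SAMPLE_DOS_PEM), end="")
```

Run stand-alone, the script reports that the constructed input uses CRLF and prints the LF-only block; in an installer the normalized text is what gets written to the file passed to certutil, and a `False` from `is_importable_pem` is the point to fail with a clear message instead of an `IOError` several steps later.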

More information about the Freeipa-devel mailing list